Direct.
Indirect.
Truly direct.
In the context of Banking-as-a-Service (BaaS) partnership models, what do these three have in common?
Answer: None of them describes a partnership model that inherently addresses bank examiners’ concerns about the safety and soundness of BaaS partnerships.
In August 2022, I wrote about how regulatory scrutiny on the weaknesses of the bank-fintech relationship was casting a shadow on the BaaS space. Since then, a handful of events have underscored the significance of the issues I raised. To highlight a few:
Regulatory actions have targeted banks for insufficient compliance and risk management practices related to their partner banking activities, as seen with Blue Ridge Bank, Lineage Bank, and First Fed Bank.
Several banks and platforms have reevaluated their BaaS strategies or exited the space entirely — Metropolitan Commercial Bank (MCB) withdrew from the space, Piermont Bank discontinued its partnership with Unit, and Treasury Prime pivoted to a “bank-direct” model.
Operational breakdowns plagued Synapse and Evolve Bank & Trust’s relationship, Choice Financial Group (Choice) entered into a consent order, and CBW Bank (CBW) is for sale.
With each new consent order or negative news report, the supervisory directive seemed straightforward: Banks must ensure these partnerships do not adversely impact the banks’ ability to manage risk and fulfill compliance obligations.
However, a new narrative is emerging in panel discussions, industry thinkpieces, and my LinkedIn feed. A narrative built around the concepts of “indirect”, “direct”, and even “truly direct” partnerships. The narrative is that regulators are cracking down on “indirect” BaaS partnerships and demanding “direct” relationships between banks and fintechs. Presumably, regulators are also giving top marks for “truly direct” partnerships?
This perspective misses the point and creates a dangerous misdirection in the market.
Let us first examine what might be meant by a “direct” partnership. Naturally, the starting point should be the relevant regulators. After a review of all public consent orders referenced above, here are the closest references to a supervisory request for “direct” partnership models:
First is the Office of the Comptroller of the Currency’s (OCC) cease and desist order against Blue Ridge Bank. The public consent order does not explicitly endorse a specific "direct" partnership model by name, nor does it provide a regulatory definition for such. It does suggest that the OCC expects the bank to actively manage, and have substantial insight and control over, the activities and compliance of its fintech partners.
Next is MCB’s settlement with the Federal Reserve Board and the New York Department of Financial Services (NYDFS). Again, the settlement neither provides or approves a specific definition of “direct” BaaS partnerships, nor explicitly states that regulators are pushing for this model.
Third, the Federal Deposit Insurance Corporation’s (FDIC) consent order against Lineage Bank. Oh-for-three. The consent order emphasizes MCB’s need to manage and be accountable for these partnerships, but it does not use the term “direct”.
What about the FDIC’s consent order against CBW? Nope. While the order mandates comprehensive reforms across various aspects of CBW's operations, particularly focusing on transactions involving foreign financial institutions and cross-border activities, it doesn't appear to endorse “direct” partnerships.
Lastly, Choice’s consent order from the FDIC. Several aspects of the order highlight the bank's responsibilities in managing its third-party relationships. However, no mention or endorsement of a “direct” partnership.
So far, at least explicitly, none of the public actions either define or endorse a “direct” partnership. So it’s not coming from the regulators.
Next, let’s turn to the industry. Within the industry, the following distinctions are often made: “indirect” partnerships typically refer to arrangements where a BaaS provider owns and manages the relationship with fintechs, acting as a middleman. “Direct” partnerships see the BaaS provider serving as technological middleware, facilitating but not controlling the bank-fintech relationship. Finally, as far as I can tell, “truly direct” is what a BaaS platform says to emphasize that it is more direct than other supposedly “direct” BaaS platforms. Additionally, a “direct” partnership is said to encompass the following traits:
The bank-fintech relationship needs to be at the center of all operations, eliminating an existing reliance on BaaS providers or middlemen to manage those relationships.
The bank handles the entirety of their relationships with fintech clients.
The BaaS platform focuses on enabling banks to directly sell and serve fintechs and other embedded banking brands.
There can be no gatekeepers that inhibit communication between banks and programs.
Read together, you might abstract the following working definition: A “direct” BaaS partnership is one where the bank maintains complete ownership and control of all aspects of the fintech relationship, eliminating any intermediary BaaS platforms.
Is that true? Are prudential regulators pushing for the “elimination” of any intermediaries? That doesn’t seem accurate. Two principal pieces of evidence dispute this:
First, banks with varying partnership arrangements have survived supervisory examinations. While we anticipate more regulatory action in the months ahead, many banks with different partner banking structures have come out of supervisory examinations unscathed.
Second, the concept of a non-bank technology services company that facilitates delivery of a financial service is long-standing and well-established. Take merchant acquiring, for example. A typical merchant acquiring flow can look like the below:
Many parties sit between the card issuer, merchant, and customer. Yet, there is generally clear understanding of risk and compliance roles and responsibilities, and thus fewer gaps in risk and compliance control execution. I suspect that Fiserv, Visa, Mastercard, Stripe, Paypal, Marqeta, Square, and many others are scratching their heads at recent reports about the need for “direct” relationships.
So again, I ask: What is a “direct” or “truly direct” bank partnership, and what supports the assertion that regulators are explicitly or implicitly pushing for this model?
Let’s make one last attempt; if we can’t read the definition anywhere, perhaps we can imagine it. Consider the illustrations below. Take a moment, and attempt to label each of these with “indirect”, “direct”, and “truly direct”.
Partnership Model 1
Partnership Model 2
Partnership Model 3
Partnership Model 4
If you wrote something down, you failed.
It is a trick question. These are just illustrations. In fact, each of these illustrations could probably be labeled interchangeably with the three BaaS partnership models. They are designed to get to the heart of the misunderstanding: compliance effectiveness transcends the structural makeup of BaaS partnerships. While graphs are helpful to visualize relationships, they risk oversimplifying BaaS structures, misleadingly implying that technical setups guarantee compliance.
As I alluded to at the top of this article, none of these BaaS partnership models is inherently bad or good. None of these models inherently guarantees the structural capacity for, or the consistent execution of, proper compliance obligations. Both “direct” and “indirect” partnership arrangements have been subject to consent orders, and both ‘direct’ and ‘indirect’ partnership arrangements have survived regulatory examinations. Banks with established compliance functions, risk management practices, and experience with fintech partnerships are better positioned to manage bank partnerships successfully, even with intermediaries (i.e., “indirectly”). Similarly, a BaaS platform with sophisticated risk management, compliance expertise and staffing, and a clear understanding of regulatory requirements can take on the contractual ownership and responsibility for executing those obligations. Of course, the investment necessary to achieve this may not be financially viable for most BaaS platforms, but it can be done.
What is true now, has always been true: Banks must ensure they manage risk and fulfill compliance obligations. Whether a bank does this through one contractual agreement or two – or “directly” or “indirectly” – is immaterial. They just have to do it, and do it effectively.
Now, let’s discuss the takeaways. There are a few thresholding points I want to make:
Change in trajectory, but not direction. First, the industry will not move backwards. The recent wave of regulatory action has altered the trajectory of change, but it will not fundamentally alter the direction of change. The future of banking lies in seamless integration with the everyday workflows of consumers and businesses. Once you control for the other risk variables, this distribution model satisfies Daniel Goldon’s “faster, better, cheaper” philosophy. Therefore, the market will demand it.
BaaS partnerships have forced the industry’s hand. BaaS platforms deserve much credit for advancing the industry. By focusing on delivering services through API-based architectures, they have given everyone a taste of the future; banks have experienced what it is like to reach a high number of customers at a lower cost; businesses have experienced what it is like to embed financial services into new or existing products and services with little barrier to execution; and customers have experienced what it is like to access financial services in a seamless manner. This is the new normal.
This is the cost of financial services innovation. Consider distinguishing consent orders into two categories: “isolated” and “structural”. Isolated consent orders target specific failures within individual banks. Structural consent orders, on the other hand, generally address broader changes that shape industry practices. Under this framework, the recent and forthcoming partner banking-related consent orders could be considered structural. As regulators clarify their standards in a rapidly changing space, some early adopters will inevitably face adjustments. These adjustments act as feedback mechanisms that drive refinement, and create a path toward widespread adoption. Structural consent orders are the cost of innovation.
All that said, banks are being reprimanded, BaaS platforms partnerships are being wound down, and fintech companies are losing enabling partners. How should the industry respond?
Below is the exact same bank partnership table I provided in my 2022 article. It illustrates, at a high level, how fintechs and banks should think about building partnership programs that withstand regulatory scrutiny in the areas of concern.
Note that, in certain areas, the table contemplates instances where the BaaS platform owns the execution of certain compliance responsibilities of the program, which is very different from the current message making its way through the industry.
I stand by this.
A bank that knows each of its customers, understands all of their use cases, demonstrates execution of its regulatory obligations, and provides the data and reports as proof, will survive a supervisory examination — regardless of whether it partners with a BaaS platform.
Finally, everyone loves predictions. So let’s make some. I suspect that, over the next 12-36 months, the following will happen (in no particular order):
Many banks will exit the partner banking space. Or, at least, take a breather. An analysis from FedFis found there to be 136 BaaS Sponsor Banks as of Q4 of 2023. This is up from 116 in Q4 of 2022 (a 17.24% increase), which was itself up from 78 in Q1 of 2022 (a 48.72% increase). In other words, banks entered the partner banking space at a rate that was 64.61% slower in 2023 than in 2022. I suspect this number will be even lower come Q4 of 2024.
The rent will continue to rise. This one is simple: Supply and demand. The banks that remain in the partner banking space, or enter it anew, will both (i) have pricing power, and (ii) seek to recoup the costs of investments made to meet the heightened (read: same old) regulatory standards and expectations. I suspect some of these costs will be passed on to the platforms and end customers, driving up the operational costs associated with this model.
BaaS or middleware platforms will adapt. They have no choice.
I recently read an article that claimed regulatory compliance is not a competitive advantage in the BaaS platform banking space, and that regulatory compliance is table stakes.
This perspective misses the mark, because it suggests that regulatory compliance is the thing that everyone can do well. It is not. In that sense, it is a little like saying “Breathing while running is not a competitive advantage, because breathing is table stakes”. Sure, but, if everyone around you can’t breathe….
If you are building a product or service that predominantly relies on a regulated financial services institution for delivery, regulatory compliance is your oxygen. Technology may be how you make your money, but regulatory compliance is how you stay alive.
Compliance is the hard part.
