In recent years, Banking as a Service (BaaS) has revolutionized the financial industry, enabling non-banking entities to offer banking services. However, this innovation also introduces significant Anti-Money Laundering (AML) and fraud prevention challenges. As BaaS continues to grow, regulatory scrutiny has intensified, particularly around the compliance capabilities of third parties. Recent enforcement actions highlight the importance of robust due diligence, continuous monitoring, and advanced compliance solutions to mitigate AML risks.
BaaS providers must navigate a complex landscape of high transaction volumes, global operations, and emerging fintech use cases, all while ensuring transparency and accountability. By addressing these challenges proactively, BaaS providers can maintain compliance, safeguard against fraud, protect their reputation, and contribute to a safer financial ecosystem.
Key Features of BaaS
- API-Driven Integration: Banks expose their infrastructure and services through APIs (Application Programming Interfaces), enabling third parties, such as fintechs, non-financial businesses, or startups, to integrate banking functionalities into their platforms.
- White-Label Solutions: Third-party companies can rebrand and offer banking services (e.g., payment processing, loans, accounts) under their own brand without needing to become a fully licensed bank.
- Regulatory Compliance: One important barrier to entry for non-banks into the financial services space is managing regulatory compliance. BaaS bank providers help their partners address that barrier.
- Modular Services: Businesses can select specific services (e.g., account creation, card issuance, lending) that fit their needs without adopting the entire banking stack.
Services Typically Offered via BaaS
- Account Management: Savings, checking, or virtual accounts
- Payment Processing: ACH, wire transfers, or real-time payments
- Card Issuance: Debit or credit card creation and management
- Lending: Access to loans, credit scoring, and underwriting
- Compliance Tools: KYC (Know Your Customer), AML, and fraud detection services
Benefits of BaaS
- For Businesses:
  - Faster time-to-market for financial services
  - Reduced cost and complexity of building banking infrastructure
  - Focus on core business strengths while leveraging banking services
- For Banks:
  - New revenue streams through fees and partnerships
  - Broader reach and customer acquisition through third-party platforms
- For Consumers:
  - Enhanced access to financial services through innovative platforms
  - Tailored solutions integrated with other products and services
Examples of BaaS in Action
- Fintech Startups: Companies like Chime or Revolut leverage BaaS to offer banking services without needing to become a licensed bank.
- Non-Banking Businesses: Companies such as retailers or ride-share operators (for example, Shopify and Uber) can integrate banking services like digital wallets, branded payment cards, or loans into their ecosystems, effectively embedding finance into their offerings with the support of BaaS.
BaaS is a cornerstone of the embedded finance revolution, enabling businesses to seamlessly integrate financial services into their existing offerings. However, BaaS introduces specific AML risks due to its reliance on third-party partnerships and the complex ecosystem of services.
Key AML Risks Associated with BaaS:
Third-Party Dependency
- Risk: BaaS providers rely on fintechs and non-banking third parties to handle customer interactions, including onboarding and transaction monitoring. These third parties may have varying levels of AML expertise and controls.
- Challenge: Ensuring all third parties comply with AML regulations and maintain robust processes.
- Mitigation: Establish robust due diligence and ongoing monitoring of third parties, including audits and risk assessments. Implement strong software tools to manage third-party risks. Incorporate technological solutions with an integrated risk rating system to better understand which third parties require enhanced due diligence.
High Transaction Volumes
- Risk: BaaS enables large-scale, low-value transactions, which can make it easier for criminals to structure transactions to avoid detection.
- Challenge: Identifying patterns of suspicious activity in high-velocity environments.
- Mitigation: Employ advanced analytics, AI, and machine learning for real-time fraud monitoring. For AML monitoring, BaaS providers should use compliance technology that enables sophisticated rule creation that can be applied across a wide range of services and product types. These tools should be flexible enough for rules to be applied either equally across the entirety of their business or targeted specifically at product subcategories based on risk levels. The rules engine should allow rules to cover risks across all third parties, despite different data fields and services.
Global Reach
- Risk: BaaS platforms often operate internationally, exposing them to jurisdictional risks where AML regulations may vary.
- Challenge: Ensuring compliance with multiple regulatory regimes and managing cross-border risks.
- Mitigation: Implement jurisdiction-specific AML policies and conduct enhanced due diligence for cross-border transactions. Employ compliance solutions with the ability to manage these varying circumstances.
Layering Risks
- Risk: The separation of roles between BaaS providers and their partners can create opacity, making it harder to track money laundering schemes.
- Challenge: Detecting suspicious layering activities where funds are moved between accounts or jurisdictions to obscure their origin.
- Mitigation: Require transparency in all transactions and establish clear reporting lines for suspicious activities. Couple this approach with a software tool that will allow the BaaS provider to monitor across all third parties and identify bad actors that are trying to leverage multiple organizations for illicit conduct and to hide financial crimes. Advanced entity resolution features can be essential for tracking individual customer activity when they are operating across multiple products and services offered by different third parties under the same BaaS provider.
Emerging Fintech Use Cases
- Risk: Fintechs may introduce novel financial products (e.g., cryptocurrency services, embedded finance) that are not fully understood by the BaaS provider, increasing the risk of exploitation by bad actors.
- Challenge: Identifying and addressing AML vulnerabilities in new use cases.
- Mitigation: Stay updated on emerging risks and technologies and ensure fintech partners comply with regulatory guidance.
Outsourcing Risks
- Risk: Some BaaS providers outsource critical AML functions, such as transaction monitoring, to their partners, which can lead to gaps in oversight.
- Challenge: Maintaining accountability for AML compliance when functions are outsourced.
- Mitigation: Establish clear roles and responsibilities in service agreements and conduct regular audits.
Insufficient Data Sharing
- Risk: Limited data sharing between BaaS providers and third parties can hinder the detection of suspicious activities.
- Challenge: Ensuring seamless data exchange without breaching privacy laws.
- Mitigation: Implement secure data-sharing protocols and clarify data access rights in agreements.
Reputational Risks
- Risk: If a BaaS partner fails to meet AML obligations, the provider’s reputation can be damaged.
- Challenge: Managing public perception and regulatory scrutiny in case of breaches.
- Mitigation: Monitor third-party activities and have a robust incident response plan.
Summary of Mitigation Strategies
- Robust Due Diligence: Vet third parties thoroughly before onboarding.
- Ongoing Monitoring: Regularly review third parties’ compliance processes.
- Technology Investment: Invest in advanced compliance solutions that offer the capabilities to effectively monitor against the AML and fraud risks associated with BaaS. Incorporate compliance tools with robust entity resolution processes to identify transactional activity across all partnerships and services/products. Leverage compliance solutions with AI and machine learning for enhanced efficiency.
- Clear Agreements: Define AML responsibilities in contracts with third parties.
- Regulatory Collaboration: Engage with regulators to ensure best practices.
By proactively addressing these risks, BaaS providers can ensure compliance, protect against fraud, maintain trust, and prevent exploitation of their platforms for money laundering. This proactive approach not only safeguards the integrity of the financial system but also enhances the reputation of BaaS providers as reliable and responsible partners in the financial industry. As the landscape of financial services continues to evolve, staying vigilant and adaptive to new challenges will be crucial for the sustained success and growth of BaaS platforms.
For additional information on current regulatory policies relating to financial technology, visit the occ.gov financial technology resource center.
About the Author

Mayra De La Garza
Mayra is a compliance expert with extensive experience in the payments and financial services industry. She is currently serving as the Compliance Software Director for epay, where she leads the company's compliance software efforts. Mayra joined epay in July 2021 after spending 12 years at Walmart, where she served in various roles within the Financial Services space, specifically in the compliance space. Mayra's areas of expertise include payments, financial services, AML compliance, governance, and relationship management.
Throughout her career, Mayra has been recognized for her leadership, strategic thinking, and ability to drive results. She is passionate about compliance and ensuring that companies operate ethically and in compliance with applicable laws and regulations. Mayra holds a Master of Business Administration (MBA) from the University of Arkansas.