バンキング・アズ・ア・サービスにおけるリスク(続編)
In May 2023 I posted a blog entitled, Misadventures in BaaS – Back to Basics in Partner Management that highlighted the risks of banking as a service (BaaS) following increased oversight by the OCC.
To dispel any thoughts that the regulators are being heavy handed, the latest OCC Semiannual Risk Perspective (Fall 2023) indicates three areas of increased supervisory concerns that create operational risk. The OCC specifically highlighted cybersecurity, innovation, and third party risk in their report.
Cybersecurity should come as no surprise. Implementing industrial-grade cybersecurity tools and best practices for employees, systems, and clients is an imperative for the safety of every bank. But innovation? How times have changed! Innovation with third parties/fintechs is a tenet of open banking, embedded finance, and BaaS. Regardless of business model, in its simplest form this means data is exchanged between financial and non-financial institutions to create to new financial products and services. It is essential that the physical connectivity for data exchange between partners is managed securely, but also that banks vet and supervise fintech partner activity rigorously.
In fact, the OCC cites operational risks as the top category for MRAs (matters requiring attention) written to banks in the US that fall under their purview. What? Innovation is subject of MRAs? In this case we are talking about “unsafe” innovation practices that lead primarily to operational risk issues.
These “Dear John/Joan” letters to bank CEOs are serious. The issues include lack of partner supervision, lax KYC and onboarding, and reconciliation issues with virtual accounts managed between the bank and the fintech. Of course, this does not mean that all these operational and innovation issues relate specifically to open banking and BaaS. However, the fact that the OCC publication dedicated three pages to cybersecurity, innovation, and third party risks underscores their concerns about banks neglecting risk management in the pursuit of innovation.
The Federal Reserve has now weighed in too – no doubt to help defend the payments infrastructure that is so mission critical to the US (and global) financial systems. In August 2023 the Fed announced it will supervise “novel activities” in the banks it oversees. Supervisory scope of the Novel Activities Supervision Program includes “complex, technology-driven partnerships with non-banks to provide banking services to customers.” This is a broad, sweeping statement of scope and pretty much covers a bank’s innovation strategy!
Whatever the local banking regulations on innovative fintech solutions and partnerships, it is in the best interests of banks to adopt a strong risk framework with their partners and to proactively engage regulators as needed.
- Banks must hope (and advocate) for alignment on overlapping items of oversight from the regulators (primarily the role and management of fintech partnerships). Ensure the firm’s risk framework covers fintech innovation and modify if needed.
- Fintechs can probably expect increased vendor management rigor and due diligence from bank partners. Understand and anticipate extensive onboarding and due diligence processes.
Whatever the innovation solution, the basic principles of banking risk management cannot be ignored.