BaaS: 3 Cs the industry must consider for long-term success
In May, Tesla announced it was recalling over a million of its vehicles in China due to safety concerns. Mass production and interchangeable parts may have enabled incredible innovation, but if there’s something awry with a part or the design, there will be a problem with everything that’s been produced, sometimes resulting in the need to claw back every sold product.
We can see the same problems in software development. No one builds anything out of whole cloth, they instead build on what has gone before. Unfortunately, the risks of this are sometimes very clear. Log4j was a simple logging tool embedded in almost every online server that suddenly became a huge liability when it was found to be vulnerable to attack. It was as if every car was found to have a faulty part. There was no need for a mass recall, but every system with this piece of software needed to be patched—and plenty remain that have not received this vital attention.
The rise of fintech has meant technical enhancements such as a better user experience, better access to services, continuous development, and much more. But it has also added risk—particularly with the rise of Banking-as-a-Service (BaaS).
The terms BaaS, embedded finance and embedded banking are sometimes used interchangeably but are not quite the same. BaaS refers to the provision of banking services to a third party and does not necessarily have to be provided by a licensed bank—e-money institutions can also offer services such as accounts, virtual and physical cards, access to payment rails, and more. With embedded banking and finance, services such as payments or lending are provided by a fully licensed bank and integrated into services.
Research by Aite-Novarica found that BaaS is used by a massive 82% of fintechs, with BaaS-related services pulling in an average of 45% of a fintech’s overall revenue stream. But it’s also used by many non-fintech consumer-facing brands and increasingly by B2B businesses. As a new and growing sector, there can be confusion over what services are expected and what is provided—while many other banking products have been around for a long time, people either know what they want or can find advice easily. BaaS customers—both the service provider and the end user—may find they are not receiving the service they expect.
But there are other, potentially more significant risks. Everyone knows the name Wirecard, which essentially provided BaaS services. Railsr is another high-profile player that had to be rescued after going into administration. Others have faced regulatory attention and oversight, partly due to compliance concerns and partly down to caution over the rapid growth of these businesses—being new, can they be as resilient as institutions that have been around for decades?
Are regulators right to be concerned? Perhaps. Like a machined piece of hardware fitted to every model of a particular car, or open-source software built into every server, BaaS has the potential to be a single point of failure. If something goes wrong, it could touch every business that uses these services.
Recent financial panics, such as those over Silicon Valley Bank, are only heightening these fears. The market has evolved to a point where a number of BaaS providers now underpin hundreds of financial products and services for financial and non-financial providers. If one collapses, is found to be operating without the right safeguards, or has other underlying problems, the effects could be extended far beyond a single provider.
There is no simple, quick fix to solve these issues. BaaS is big, is predicted to get even bigger, and has the potential to create real change and innovation in sectors far beyond fintech. Regulators who have worked hard to support the changes wrought by fintech are unlikely to want to curb businesses safely and thoughtfully providing BaaS.
At the same time, an uncertain economic climate and market contraction can potentially disrupt the market. In balancing the demands of supporting innovation and ensuring stability, we believe there are three “Cs” that regulators and BaaS providers need to focus on.
Clarity: While BaaS is relatively new, it has been around long enough that regulators have had time to understand this market and how it should work to the benefit of all. Regulations must be clear on what BaaS providers need to do to be compliant and keep their customers safe. For instance, some BaaS providers have a full banking licence, while others do not. Some BaaS providers have partnered with banks, while others have been acquired by banks, and these will enjoy the benefits of more experienced compliance departments. So how do firms offering bank-like services ensure their clients and their client’s customers are fully protected?
However, demanding that BaaS providers have access to a banking licence may be a step too far—is there a middle ground, and can it be outlined in clear regulation? The new Consumer Duty, which encompasses manufacturers, including BaaS providers, is a step in the right direction, but more needs to be done.
Consistency: A key consideration is how to apply regulation consistently in a market with many different players with different offerings, from card issuing to full FSCS-insured bank accounts for end customers. Any regulation will need to take this into account and ensure both consistency and fairness. Smaller startups could be stifled by having to take on board the same regulatory requirements as a multinational bank. At the same time, they cannot shirk their responsibilities when it comes to, for example, anti-money laundering checks. An equitable rather than equal playing field where everyone can compete will be a big challenge for any regulator.
Complexity: BaaS services are still evolving, with new use cases being created and providers adding new offerings as their customers demand them. It is not only a growing market but a shifting one—especially as uncertainty requires that some providers shift their focus or pivot completely. Proposals must consider this and be future-looking, covering all aspects of BaaS today and what new services may arise tomorrow.
It’s no small ask—regulation needs to cover many different types of providers while at the same time encouraging innovation and competition. But even as we see a few high-profile failures in the market, we also see consolidation and growth as the market builds on its promise and offers the opportunity for any brand to be a financial services provider. Sensible and measured regulation can ensure that BaaS customers are protected while this sector grows—perhaps even to a point where it can be adequately defined. But the onus should not be on regulators alone. BaaS providers are responsible for showing that they are not a single point of failure, operate to the highest standards and provide reassurances to all that this growing market is safe and resilient.
Emma Hagan is Chief Risk and Compliance Officer at ClearBank overseeing all risk and compliance-related activities. Emma has over 15 years of experience in commercial and corporate banking in both first and second lines of defence.
A version of this article first appeared in Retail Banker International.