Matt Kunkel is CEO of LogicGate, a GRC process automation platform that enables organizations to transform risk and compliance programs.

Over the past five years, nearly every industry has undergone a significant digital transformation—and the banking and finance industry is no exception. Banking isn’t always thought of as the most cutting-edge industry (it’s been around for hundreds of years, after all), but recent technological and societal changes have resulted in a surprisingly rapid modernization. Millennials and Gen Z were trending away from in-person banking even before the Covid-19 pandemic accelerated the process—and that fact has led to significant innovation.

Banks, credit unions and institutions across the financial spectrum now offer a wide range of mobile banking options. Mobile trading apps like Robinhood have gained prominence, accessing a user base that might never previously have engaged with the stock market. Crypto exchanges and other decentralized finance (DeFi) services are increasingly common. And banking as a service (BaaS) has emerged, allowing financial institutions to provide banking infrastructure and services to other businesses while handling back-end concerns like security and compliance.

Of course, tackling security and compliance means BaaS providers are assuming a significant level of risk—and the FDIC’s recent consent orders aimed at non-compliant financial institutions underscore the fact that these businesses need a comprehensive plan for governance, risk and compliance (GRC).

Explaining The Rise Of BaaS

Major banks are increasingly leveraging BaaS capabilities via mobile apps, and a growing number of as-a-service-style banks are popping up independent of these larger brands. Big names like JP Morgan are already making a name for themselves in the BaaS space, which likely implies a significant degree of capital expenditure into BaaS-type applications and facilities designed to be more attractive to the “modern” banker. Slowly but surely, these banks are modernizing their services to remain competitive and align with the lifestyles of millennials and Gen Z.

In a way, BaaS is like Uber for the banking world. If you’re under 40, you’re probably not hailing a taxi. You’re going to pull up an app on your phone and summon a vehicle directly to your location. BaaS product lines provide financial institutions with a similar competitive differentiator, and those that invest in them will almost certainly see a significant influx of younger users seeking a more frictionless banking experience. And by the way—it’s working. BaaS sales are “projected to grow from $32.7 billion in 2024 to $73.06 billion by 2032.” Suffice it to say, it’s a growth industry.

Understanding The Risks Associated With BaaS

BaaS companies provide back-end services—and anytime you grant a third-party organization access to your systems and data, that access itself carries significant risk. With so many BaaS providers in today’s market, it isn’t always easy to discern authentic capabilities from empty promises. Which providers have the best security solutions in place? Which are going above and beyond regulatory requirements as opposed to just adhering to the letter of the law? For potential customers, getting answers to these questions is critical. For BaaS providers, it’s equally important to have an easy way to convey security and compliance capabilities.

Ultimately, there’s a heavy emphasis on third-party risk management (TPRM). Businesses looking to partner with BaaS providers will almost certainly engage in an extensive vetting process. They’ll want to know what security solutions and processes you have in place and how prepared you are to defend against (and recover from) breaches. This means it’s absolutely critical to understand the different industries potential customers are operating in, as well as the specific risks and regulatory burdens they may face. The ability to quickly and easily gauge how well your security and compliance solutions align with those different regulations and frameworks is essential—particularly as regulators take notice of the emerging BaaS industry. Customers want to know they’re protected, and the quicker you can demonstrate your compliance prowess, the better.

Limiting BaaS Risk

There’s a wide range of data and privacy frameworks that BaaS providers need to adhere to, but financial institutions also need to focus on the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) series of regulations, which establishes clear reporting requirements for the financial industry. These regulations are wide-ranging, and they provide a solid baseline against which BaaS and other financial organizations can measure themselves. This further underscores the importance of investing in strong GRC capabilities: By understanding how your organization stacks up against frameworks and regulations, it becomes easier to identify where gaps exist and make a plan to close them. This doesn’t just help BaaS companies avoid regulatory penalties—it helps allay the fears of potential partners and customers, too.

It also helps plan for the future. For example, a BaaS company looking to penetrate a digital vertical will need to align with the regulations that apply to that vertical. GRC teams will factor heavily into determining whether the company’s existing solutions and processes align with those new frameworks or if changes will need to be made. GRC teams can also help determine what new risks the company might be assuming and whether they exceed the stated risk appetite. Is that additional risk acceptable? Are there new investments or partnerships that could help limit it? These are important questions, and BaaS companies need to give GRC teams the resources to answer them. If new security and risk management measures are enacted, it’s important to be able to communicate them to customers in a straightforward manner.

Limiting Surprises In The BaaS Space

At the end of the day, BaaS risk management is about limiting surprises. BaaS companies need to understand that risk management is an extension of the core business—ultimately, the buck stops here when it comes to security and compliance. That means BaaS providers need to understand not just their own risk appetite but that of their customers, as well. By enabling GRC teams and continually assessing risk, BaaS companies can successfully navigate the complex risk and compliance landscape while giving their partners and customers the proof points they need to move forward with confidence—and staying off regulators’ radar.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
