Banking-as-a-Service (BaaS) is a critical alternative source of non-interest income and cheap deposits for sponsor banks. It is increasingly clear the competitive advantage in BaaS is the ability of banks to automate fraud, compliance, and risk controls effectively for their partner programs in a way that scales and meets growing regulatory requirements.
However, many banks lack the resourcing or technology to scale these controls on their programs, accelerating operational and reputational risks as their BaaS offering grows. As a result, sponsor banks often rely on multiple fraud detection and compliance providers for KYC, BSA/AML, transaction monitoring, etc., to support their programs. Multiple vendors silo critical compliance data, limit automation, and create a visibility gap for banks that need help seeing their risk position across their program portfolio.
To meet this need, Sardine has launched a new service that provides an operating system for sponsor banks that integrates fraud, compliance, and risk tooling for programs. It also provides visibility to the sponsor banks of their programs' fraud and compliance performance at the portfolio level.
BaaS and embedded finance have just begun
Though BaaS has recently undergone scrutiny from regulators and the industry at large, most banks still rate BaaS as one of their strategic priorities in the coming years. A 2022 Finastra report found that 85% of 1,600 senior banking executives intend to implement BaaS in the next 18 months.
This prioritization results from increased demand for embedded finance, or payment or lending services provided directly to consumers by companies that aren’t in financial services. According to Cornerstone Advisors, 32% of consumers spend more with brands they access financial services from, and 60 to 64% of Gen X and Y are interested in accessing financial products from brands they like.
For sponsor banks, there are two primary BaaS models to choose from:
- Direct – The bank provides the technology and APIs to programs to connect directly to the bank’s core or account ledger for deposit accounts or card issuing.
- Indirect – The bank works with a third-party middleware provider (a.k.a. BaaS provider for deposit services or issuer processor for card services) who sources programs and supplies the technology and APIs to connect the program to the sponsor bank.
The bank will then need to decide how these programs integrate. On the one hand, banks can offer programs on-core accounts, where accounts are opened directly in the end user's name. On the other hand, banks can offer “For the benefit of” (FBO) accounts, which are umbrella accounts that allow the program to issue virtual sub-accounts that pool funds of end users into one account at the bank.
All sponsor banks have some variation of these two decisions. Since many banks don’t have the internal resources to manage BaaS directly with on-core accounts, combining the indirect model and FBO accounts has been the most popular strategy. The combination allows banks of all sizes to enter the market and scale their BaaS offering quickly. In the last five years, it has been incredibly successful in growing deposit accounts and card interchange.
However, this combination often clouds the visibility of a sponsor bank on its end customers, which inhibits it from fully meeting its compliance requirements. Consequently, this has led to the recent crackdown by the Office of the Comptroller of the Currency (OCC) and state banking regulatory agencies on sponsor banks that need to maintain proper oversight of their partner programs.
How compliance works today
The core premise of financial services regulation is that banks are responsible to the regulator for all compliance, fraud, and risk-related activity and reporting. In a BaaS model, banks must:
- Ensure programs are compliant with Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) rules
- Ensure programs are compliant with liquidity, operational counterparty, and credit risk
- Assess third parties for their transaction monitoring and AML risk regularly
- Monitor for any risks and have plans to wind down a program relationship, if required
- Have an adequate process for managing program non-compliance
Since sponsor banks must meet these regulations and remain financially liable for end-user activity, they impose strict obligations on their programs as part of their partnership. As a result, programs whose core competency is not fraud detection or compliance will either outsource this responsibility to their BaaS provider and issuer processor or manage multiple point solutions themselves.
Programs outsourcing fraud and compliance create an even more significant visibility gap between the sponsor bank and the end user due to the ever-increasing number of vendor layers between them. Not only does this create more operational inefficiencies due to the increasing amount of vendor due diligence a bank must conduct, but it also makes it nearly impossible to fully view their risk posture across their program portfolio.
The BaaS visibility gap
This visibility gap between a sponsor bank and the end user of one of their programs leads to several challenges that prevent efficient and scalable compliance oversight:
1) Compliance data is fragmented
The fraud detection and compliance market is increasingly specialized, with incumbents and an endless stream of new entrants competing to service banks, infrastructure companies, fintechs, and more. Consequently, businesses hire more and more vendors, which siloes data and further segregates their fraud prevention and compliance journey.
Banks have historically had a tough time dealing with data siloed within their accounts, and the problem gets exponentially worse when applied to BaaS and embedded finance. Each program must collect KYC/AML information, manage any associated risk, and report this directly to their sponsor bank or via a third party.
In turn, the sponsor bank has to make sense of this data coming from various sources and ensure their systems can oversee any risk. Unfortunately, existing bank systems were not built to take data from multiple sources and provide a single view.
2) Compliance lacks automation & existing tools introduce privacy risks
With all of this fragmented data, it's no wonder compliance, fraud, and risk officer jobs in a sponsor bank are often highly manual. For example, when a sponsor bank or BaaS provider needs to conduct a Request for Information (RFI) or Enhanced Due Diligence (EDD) about a particular program’s customer, they often do it via secure email. This leads to personal data leakage into emails and makes these entities an attractive hacking target for bad actors.
Moreover, programs must often deliver compliance data to the sponsor bank in spreadsheets, which are then archived without a clear look-through of all the programs in the portfolio. To make matters worse, regulators often lack supervisory technology (“SupTech”) and require the banks to send spreadsheets themselves.
Without automation, it’s increasingly difficult for a sponsor bank to understand the risk presented to itself and its customers in real time. Compliance becomes a one-to-many problem where a bank is increasingly blind to the risks posed by the worst-performing programs they have partnered with directly or indirectly due to the lack of clear oversight.
3) Reputational and regulatory risk
Sponsor banks face considerable risk when program end users complain to regulators and other consumer protection agencies about banking services. Often enough, regulatory investigations will zero in on the worst-performing programs within a portfolio, which then casts a shadow on the bank and its other programs.
While compliance mistakes can be masked when account or transaction volumes are low, the pace of growth in fintech can be exponential. Small cracks in a program's compliance foundation can become significant if a program generates millions of customers in 24 months or less.
Unfortunately, sponsor banks often cannot offboard a program that isn’t fully compliant because they lack the visibility to measure compliance meaningfully. Banks must be more active in providing controls for programs that ensure visibility into their continued compliance.
A new operating system for BaaS
As a provider of real-time fraud detection, KYC/KYB, AML, transaction monitoring, case management, and more, Sardine has launched a new service specifically for banks that provides an operating system to manage their BaaS offering proactively:
- The all-in-one fraud and compliance stack for programs: Employ Sardine with all fintechs, brands, financial institutions, and other programs using your BaaS solution to de-risk your partners with best-in-class fraud prevention and compliance technology.
- The real-time oversight dashboard for sponsor banks: Receive transparent oversight of your program’s fraud and compliance analytics, rule performance, case management, and more in one consolidated dashboard from Sardine.
1) The all-in-one fraud and compliance stack for programs
By preferring Sardine amongst programs, sponsor banks offer both best-in-class risk management and operational efficiency:
- Sardine prevents the most common fraud vectors, including account takeover, identity fraud, friendly fraud, and imposter scams, by offering a full-stack service that covers the entire fraud detection and compliance journey. This comprehensiveness allows for robust, AI-driven data models that identify suspicious actors, locate anomalies and prevent fraudulent behavior before initiating a transaction.
- By having just one service provider, sponsor banks remove due diligence requirements on many vendors every time they sign a new program. Sardine also simplifies contract management and technical integrations.
Banks can obligate Sardine’s services across fraud detection and compliance use cases relevant to any program as part of their sponsorship agreement. Sardine then works directly with the program on integration.
2) The real-time oversight dashboard for sponsor banks
The benefits don’t end there. Since Sardine instantly sees user actions and transactional data, we can provide sponsor banks with real-time oversight and management of their program portfolio. Capabilities include:
- Monitoring fraud and compliance analytics – Review performance on key fraud prevention and compliance metrics as they occur for specific programs or across their portfolio.
- Implementing rules collectively or individually – Utilize a parent-child rule builder where the bank can implement fraud and compliance rules collectively across all programs or at an individual level for ongoing monitoring.
- Scaling case management and requirements – Receive a consolidated way to ensure case management and regulatory reporting requirements are being met by programs and review portfolio performance.
With Sardine, sponsors, programs, and other BaaS providers can share a single source of truth in one dashboard. Sponsor banks or their BaaS providers can issue an RFI or specific EDD queues within the dashboard to ensure their programs collect enough information on those customers and provide that information securely and in a privacy-preserving way. Additionally, the dashboard allows fraud operations and compliance teams to push KYC policies and AML transaction monitoring rules across all their programs in one place.
Sardine breaks down data silos and enables compliance teams to identify poor performers for remediation and quickly pull together and share relevant data with regulators or examiners when required.
Monitor fraud and compliance analytics
Sardine’s portfolio dashboard provides fraud prevention and compliance performance metrics, operational statistics, and health check indicators across all teams and programs. Data includes:
- User and transaction volume
- Transaction and event-based approval, review, and decline rates
- Fraud rates and rule performance
- Return rates (ACH, card, etc.)
- KYC/KYB approval rates
- OFAC check volume
- Sanction alert rates
- Number of UAR/SAR filings
Sponsor banks can compare how programs perform in relation to one another and Sardine’s broader customer base and industry trends, set alerts when certain KPIs go above or below baseline levels, and share this information easily internally and externally.
Implement rules collectively or individually
Sardine’s no-code rule builder can be used at a parent-child level to set universal fraud and compliance rules that all programs must follow. Additional features include:
- Manage permissions and lockdown rules for programs
- Apply new rules to all or select programs or modify them for specific organizations
- Monitor how rules perform across various use cases
Scale case management and requirements
The final part of the compliance journey is investigations. Sardine provides an easy way for sponsor banks to conduct case management at scale via:
- Managing and assigning cases within queues for individual programs
- Communicating directly with programs in-app to address concerns and maintain accountability
- Flagging cases for investigation or SAR filing and e-filing to FinCEN directly within the dashboard
Risk management at the speed of digital
Sponsor banks have an incredible opportunity to deepen their partnerships with programs and meaningfully strengthen confidence in BaaS and FinTech by prioritizing compliance.
Banks that will succeed in this new environment must be able to:
- Continue to innovate at the speed of digital
- Review and manage fintech risk without increasing headcount
This is possible by applying new technology and innovation to existing challenges. Sponsor banks can obligate programs to improve their fraud and compliance performance dramatically.
The best way for sponsor banks to do this is to find best-in-class providers that can be foundational partners in their BaaS offering and scale with it. Banks and regulators can then be confident that their programs manage risk as best as possible by default.
If you’d like to learn more about Sardine’s services for sponsor banks, please contact us today.
Sardine is an all-in-one fraud detection, compliance, and risk management platform. Its experienced team has deep banking and fraud prevention experience, enabling the company to build innovative compliance and risk management services for financial institutions. For more information, visit www.sardine.ai and follow us on LinkedIn and Twitter.