EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
How EY can help
-
Discover how EY can help the banking & capital markets, insurance, wealth & asset management and private equity sectors tackle the challenges of risk management.
Read more
Reporting
The flow of information up and down the reporting chain is vital to ensure effective communication between the bank and the BaaS partner and to direct the flow of resources to the areas of the program with the most need. As previously mentioned, the bank’s board and senior management are responsible for setting and communicating standards and policies down the reporting chain, and the business is responsible for escalating key performance and risk indicators and detailed information up the chain. Not only should a bank define the metrics it deems important and communicate those guidelines to the BaaS partner, but the reporting framework should include what type of information is required for executive decision-making and the appropriate level of detail for reporting packages at each level.
Offboarding
Banks should maintain plans to transition BaaS partners off the platform with minimal consumer impact, in the event of a partner’s noncompliance with requirements and in accordance with contractual escalation and consequence clauses.
Each pillar of a firm’s risk management framework does not function in isolation — they work in conjunction with each other, building, informing and maturing at every step. Successful BaaS providers have developed frameworks to holistically assess, monitor and report risk related to individual BaaS partners (and across their BaaS line of business) in a scorecard-like fashion, enabling the business, compliance function and board to readily identify BaaS partners posing the highest risk, detect upcoming risk appetite breaches, and adjust the bank’s risk management program to the highest-risk BaaS partners and high-risk areas.
Across all elements of the risk management lifecycle and risk areas, banks should consider the following as they assess their capabilities across people, processes and technology:
People
Banks should allow adequate staffing to manage day-to-day operations, compliance and risk management activities associated with their BaaS relationships. BaaS partners often experience customer and transaction volume growth orders of magnitude faster than the traditional banking sector, which presents a critical challenge to a smaller community bank supporting these relationships. Banks should consider the use of third parties to address rapid needs for scale while managing cost. For banks that are able to hire personnel at sufficient rates to match business growth, maintaining operational and risk management excellence through high growth periods and with new personnel is a challenge, as is attracting sufficient levels of talent with the required skill sets and experience.
Technology
Banks should identify key data points required to effectively assess and monitor risks related to their BaaS relationships on an ongoing basis and should allow that they have appropriate mechanisms to capture, store and manipulate data for risk measurement and reporting, including data provided by their BaaS partners. This is in addition to setting minimum data standards for the bank to fulfill minimum regulatory obligations, such as executing transaction monitoring or responding to customer disputes.
Process
Banks should understand the operational burden associated with their BaaS relationships and should factor these direct and indirect costs into their agreements with BaaS partners to ensure sustainable business growth. Prudent risk management does not need to come at the expense of profitability to the bank. For example, leading institutions have undertaken an analysis to identify operational units of work (e.g., compliance testing, transaction monitoring investigations) and quantify the cost of those units, with the aim of passing those risk management costs through to their BaaS partners. In addition, banks should embrace process innovation and look for ways to gain efficiency without sacrificing quality. Processes that may be suitable for a community bank’s core banking activity may not be suitable for servicing a BaaS relationship, through which the bank serves hundreds of thousands of consumers.
Conclusion
As financial institutions continue to weather economic uncertainty, increasing regulatory expectations and shifting consumer expectations, banks have increasingly adopted the BaaS model to increase exposure to wider demographics, offer a broader array of products, and capture new revenue and profit growth opportunities. With innovation and the opportunity for greater reward comes a higher level of regulatory scrutiny. Positioning the institution to sustain this growth responsibly requires a shift in focus to maintain effective oversight of new partners, a dedication to scaling risk management activities and programs to match the accelerated business growth, and a thoughtful connection with regulators to demonstrate that these activities can be undertaken in a way that does not jeopardize the safety and soundness of the institution.