Part One: Why the Fintech compliance stack is ripe for disruption
This is Part One of a two-part series we are publishing on the state of play of the fintech compliance stack.
The explosive growth in the number of fintechs over the last decade is a well-documented trend; a less discussed consequence of said explosive growth is the material increase in compliance complexity within organizations and across multi-stakeholder value chains. To wit, legacy compliance solutions have not evolved to solve the emerging compliance challenges with the proper transparency and ease stakeholders’ need to make the most informed decisions. Subsequently, we see myriad challenges within the current solution set and are excited by the opportunity for innovative new technology to address these gaps.
Earlier this fall, on September 1, the Office of the Comptroller of the Currency (OCC) ordered Blue Ridge Bank, a chartered Virginia-based bank, to improve oversight of fintech partners and strengthen anti-money laundering risk management and suspicious activity reporting.
We believe this is the first of many actions by the OCC, and other regulators, to update the compliance standards needed for the fintech + bank partner model. This clarity on what needs to be solved lets innovators focus on the how – which is why we think we are at a very compelling inflection point for modern compliance solutions.
Breaking down the Durbin Amendment
Historically, securing a banking charter is no simple matter. It takes time and money. SoFi waited five years and was ultimately compelled to acquire Golden Pacific Bancorp to attain its national charter.
The Durbin Amendment ushered in a path for innovative entrepreneurs looking to break into the traditional banking system.
Like most of the regulations of the era, the 2010 Durbin Amendment was designed to protect consumers from manipulative pricing or practices by large financial institutions by capping interchange fees on debit card transactions for banks with more than $10 billion in assets.
This delineation engrained a meaningful competitive advantage to smaller banks, like Blue Ridge, by allowing them to earn significantly more than larger banks on any given debit card transaction. (Exhibit 1). These Durbin-exempt banks recognized this advantage but knew that adding customers (and their assets) threatened the very status that gave them the edge. They needed to find a different avenue forward.
Forward-thinking exempt banks looked to capitalize on their economic advantage over large banks by extending the use of their charter through partnership. Entrepreneurs seeking to address the digital gap and build better front-end consumer banking experiences had a path to offer the underlying financial products without acquiring a license independently.
How seismic was the Durbin Amendment? Between 2000 and 2009, 132 new banks opened per year, on average. Post-2010, when the amendment passed, that number averaged six per year. No surprise since these partnerships are extremely synergistic. Fintechs get a revenue advantage because of the interchange arbitrage and a cost advantage because they avoid the heavy infrastructure investment needed to be a charter holder. In contrast, partner banks add incremental revenue from their charter while avoiding the cost of securing end consumer deposits (the responsibility of fintechs) and limiting investment into program management and compliance.
Here’s where it gets (more) interesting. Despite the obvious economics, there are significant operational hurdles for the fintechs. For example, to accelerate technical integration and simplify customer account opening, fintechs utilized “For the benefit of” (FBO) accounts with partner banks.
FBO accounts are virtual subaccounts held within a single ledger account that pools end-user accounts (Exhibit 2). When a fintech acquires a new customer, they add another FBO account that sits within the fintech’s single account at the partner bank. This abstraction solves many technical problems but also obfuscates the visibility a partner bank has into its end customers. Traditionally, compliance functions sat with the charter holder, who owned the customer. The rise of fintechs has blurred these lines.
The Compliance Challenge
To scale as quickly as possible, fintechs outsourced the infrastructure stack to banking-as-a-service (BaaS) providers and point solutions that allow them to address mission-critical needs in an abstracted compliance chain. BaaS provides connectivity between fintech and partner banks, while the point solutions check a different box across the compliance journey (Exhibit 3). Pre-Durbin amendment, the charter holder’s compliance team managed all three phases – onboarding, transaction monitoring, and investigations – of the compliance journey. That no longer holds true.
Partner banks are legally obligated to meet regulatory requirements and remain financially liable. Fintechs are operationally obligated to follow compliance programs dictated by their partner banks and are financially exposed. For many fintechs, compliance is not a core competency, with many relying on ten or more-point solutions stitched together running their compliance programs.
This disparate web of providers creates even greater dissonance between the partner bank and end customers, which opens new points of vulnerability and attack vectors for bad actors to target. This has distributed the key compliance data across many stakeholders, making the design of a single-view compliance posture nearly impossible.
So why is all this important?
These compliance challenges are playing out today, and key stakeholders are taking notice. The widening separation of compliance responsibility was never going to be a stable end-state – we believe we are nearing the inflection point where significant change will occur because it must.
Let’s tackle onboarding as an example. Stolen and synthetic identity fraud at account opening has led to more than $75 billion in annual losses and is expected to grow. This problem is more acute when opening an account digitally versus in person. Despite this, competitive pressure leads fintechs to aggressively offer faster digital account opening options to the customers demanding them. In the arms race towards instant onboarding, Chime reigns supreme, bringing their time down to roughly five minutes, while others, such as Revolut or Wise, onboard customers in 10 to 15 minutes. Traditional banks have measured these processes in days, so minutes is a previously impossible task. The speediness doesn’t come without issue, as evidenced by data compiled by Aite-Novarica Group; fintechs experience an average fraud rate nearly double the historical rate, and digital fraud has increased by 52% since 2020.
It’s also important to note that the COVID-19 pandemic accelerated the digitization of banking products, which opened new pathways for cybercriminals. A key example is the proliferation of real-time money-transfer platforms and the ensuing regulatory oversight we are now seeing. As real-time payments soared during the pandemic, so did scams. Zelle, in particular, has received heavy scrutiny. In July 2022, The Wall Street Journal reported that the Consumer Financial Protection Bureau is preparing new guidance that would force banks to cover the losses of customers that were victims of scams on Zelle. Legacy compliance tooling wasn’t built to make determinations on instant money movement and settlement. We see these issues become more apparent as real-time payments continue to grow in the U.S.
Regulatory pressure – including the FDIC and Federal Reserve issuing guidance forcing fintechs to improve internal compliance/security controls before engaging BaaS providers and the OCC’s action against Blue Ridge – offers a clear example of the changing landscape and need for an enhanced focus on compliance. But that need is accentuated when consumers can no longer use the fintech products they signed up for in the manner they expect. We see this with merchants like Enterprise and Hertz and hotel chains like Marriot Courtyard who, according to a report by Forbes, imposed specific bans on fintech cards, blocking those tied to Chime, with some locations also rejecting cards issued by Cash App, PayPal, and Venmo. These policy changes result from the challenges fintechs face in building robust fraud/compliance infrastructure and have a substantial negative impact on end consumers who experience major inconveniences when trying to utilize their money daily.
At Jump, we believe the fragmented nature of the fintech compliance tech stack, increased consumer demand for digital-first financial solutions, growth of real-time payments, and heightened regulatory scrutiny around fintech makes this the perfect time for forward-thinking entrepreneurs to build the next generation of sophisticated risk/fraud platforms and software tools. In Part Two of this series, we’ll share our predictions and look at what solutions and opportunities might emerge from this state of play.
We loosely define (1) “fintechs” as customer-facing brands building direct relationships with customers; (2) “partner banks” as Durbin-exempt banks that lend out their charter, enabling fintechs to legally offer underlying financial products, (3) “BaaS providers” as the technology solutions that provide middleware connectivity, or the plumbing) between partner banks and fintechs to enable product delivery, and (4) “point solutions” as technology providers that do the adjacent “jobs to be done” (i.e. account opening) needed to efficiently and effectively offer products.