Part One: Why the Fintech compliance stack is ripe for disruption
In the second of our two-part blog series, we dive into specific areas of the fintech compliance stack we believe are ripe for disruption and share our predictions for the solutions that will emerge into this evolving landscape.
In the first part of this series, we delved into the explosive growth of the “fintech + partner bank” model. The natural increase in counterparty interdependence because of that structure has both created new compliance challenges and exacerbated existing ones.
We believe deeply that the “fintech + partner bank” model will persist but that there will be much stricter expectations about compliance applied by regulators and market participants, like merchants. Here, our focus is identifying i) where the urgency to close compliance gaps is most acute and ii) what existing compliance risks are likely to grow exponentially if not solved.
Most fintechs leverage partners to scale quickly – BaaS solutions for core infrastructure, partner banks for licensing, and point solutions for specific jobs like compliance. Within many compliance programs, fintechs are now reliant on as many as ten distinct vendors to satisfy the core functions – onboarding, transaction monitoring, and case management. These modern solutions work well in isolation but rarely sync well with one another – let alone with the full suite of point solutions used by any given fintech. Requiring risk and compliance teams to log in and manage data across several portals, and to manually build logic flows across the customer journey, does not scale and creates material control gaps.
The early wave of solutions, like Alloy and Unit21, developed an orchestration solution that allowed fintechs to manage their vendors through a single portal. Bringing every vendor into a single pane of glass allowed for better visibility via rules engines and workflow builders throughout the entire customer journey. While these first-wave solutions have seen tremendous progress, massive opportunity exists for new solutions to win share – both because of existing product gaps and incredibly underpenetrated segments.
The core product limitations we keep hearing about from the market are vestiges of when and how these v1 orchestration players developed. Almost all the big successful fintechs of today started by attacking traditional financial services providers by offering a single product to a target, underserved demographic – SoFi, Affirm, Venmo. These v1 orchestration players grew with their customers, use case by use case – a compliance program for unsecured lending, a compliance program for P2P payments, and so on.
The market has shifted significantly. Fintechs are no longer focused predominantly on customer acquisition but on expansion of services to existing customers and sustainable unit-level economics.
For v2 of orchestration, cross-product risk/fraud management (for a single user) is vitally important, and secondarily, so is the ability to add new products into the compliance program seamlessly.
These new use cases require fintechs to leverage different data sources and create entirely new sets of onboarding workflows. The orchestration layers they use must be incredibly flexible to allow for customization and must be built on modern infrastructure to avoid the issues that come with batch processing. Alloy and Unit21 are formidable players and continue to iterate on their offerings, but plenty of space exists for new entrants to emerge.
What these startups created, and the ensuing market response, has been nothing short of remarkable. Even so, we believe there is still room to build (and disrupt). Existing solutions work well for the US market, but what if a fintech is looking to expand into a new geography? Even if they continue focusing on the US, what if a fintech started as a deposit account for consumers but wants to launch credit cards or BNPL? And how will these fintechs manage fraud if more money is moved instantly/in real-time?
As evidenced by the OCC’s recent ruling against Blue Ridge Bank and rumors circulating on Column, partner banks are under increasing fire from financial regulators. This increased pressure on already understaffed compliance teams will further highlight the need for well-designed and defensible compliance programs. The challenge that has arisen from the “fintech + partner bank” model is that now those legally obligated to adhere to a risk program seldom sit in the same organization as those responsible for executing those programs.
The first line of defense (i.e., KYC, AML) solutions sit within the customer journey, so fintechs need to take ownership of them. While many startups have built great pieces of software for this purpose, the partner bank, as the holder of the bank charter, is actually obligated to understand the breadth and effectiveness of any fintech partner's holistic risk program.
Today, testing the effectiveness of the first-line of defense solutions and gaining assurance over those controls is an incredibly manual task. Typically, the only way to scale and handle this problem has been adding more people – internal resources and external consultants – and even those resources are only able to QC a small sample of accounts.
So why is this a problem?
First, the main reason banks and fintechs struggle to stop financial crime is that they don’t understand their own deficiencies in combatting fraud and whether the tools they utilize are functioning appropriately.
Second, most FIs only pull the relevant sample data to validate assurance of these controls on a predetermined cadence as required by regulators (in most cases quarterly).
However, to truly understand gaps or vulnerabilities within a compliance program, you need to be able to systematically and regularly test that all first-line of defense solutions are working across all accounts.
This is an admittedly challenging problem to solve. For a tech solution to emerge here, it must do the upfront work to build integrations to the major hubs where banks and fintechs store their data. That data then must be pulled seamlessly and measured against regulatory thresholds to ensure the first-line of defense solutions are meeting expectations. While difficult, the urgency for a better solution is precipitously increasing as partner banks – many of whom are managing multiple fintech programs – receive additional scrutiny from regulators and struggle to hire rapidly enough to tackle this problem via additional compliance personnel.
Like everything in compliance, regulation and regulators are the greatest catalyst for change – and thus opportunity. So far, we've focused on regulatory scrutiny as the change agent, but several additional opportunities will emerge because additional regulatory regimes are being defined – specifically cannabis and online gambling.
In the case of cannabis, the current lack of federal legislation ensures that banking and access to capital remain a constant struggle for industry operators. As a result, many traditional financial institutions avoid serving these companies because they aren’t comfortable with the compliance obligations or don’t have the appropriate tools to manage them efficiently. This is despite cannabis being a massive market seeing continued strong growth, with cannabis sales expected to reach $41.5 billion by 2025, according to the Financial Times.
However, potential legislation via the SAFE Banking Act is being actively debated in Congress, which could dramatically shift how money moves within the cannabis industry and how it can participate in that funds flow. Once defined, these regulatory regimes will necessitate unique solutions, and it is yet unknown if existing compliance software solutions can meet or will be willing to meet those needs.
Online betting is another “high-risk” fast-growing market; Goldman Sachs believes it could reach $39 billion in annual revenue by 2023. Given the complex layering of state and federal regulatory bodies and jurisdictions, we haven’t yet seen a coordinated effort to address criminal abuse of online betting platforms.
While larger operators, like DraftKings, have in-house compliance teams, smaller startups in the sector are poorly equipped to handle compliance demands and often first learn of anti-money laundering requirements when banking partners start asking questions, according to a report in The Wall Street Journal. The opportunity exists for purpose-built fraud prevention, AML, and risk mitigation solutions specifically designed for the gambling industry and the unique elements associated with it.
The growth and success of fintechs challenging the traditional players (and status quo) within financial services have been nothing short of astonishing this last decade. Net-net, their proliferation has contributed to an overall positive evolution in customer service, experience, access, and choice.
We don’t believe all the winners of this era have been minted already, but many have. These winners will spur continued growth via expansion, namely by offering existing customers more. Several fintechs, like Stripe, SoFi, PayPal, and Block have already used this playbook.
This view that competition will be horizontal rather than vertical (i.e. owning more infrastructure) further reinforces our appetite for opportunities within compliance solutions selling into this segment. If competition is horizontal – expansion into more products, geographies, and demographics – then we can anticipate continued and increasing complexity in risk management programs as incremental point solutions are introduced to address new “jobs to be done” – further reinforcing the value of the areas discussed in these two posts.
Sure, there will be some vendor consolidation – managing 8–10 point solutions is inefficient – but we believe any consolidation will be more than offset by the expansion driven by ambition to grow. We believe orchestration and second-line automation to be two very logical opportunities in our multi-partner, interdependent view of the world.
We would love to know if you see other themes or have an altogether different view of the world; let us know.