The FDIC often issues Cease and Desist orders to entities for making false or misleading claims regarding deposit insurance coverage. The infractions can range from the outright misleading, such as claiming coverage when none exists, to the trivial, like the placement of a comma, to the seemingly benign, like misstating that it is the bank, not the program manager, that holds the insurance.
Poorly placed commas and "simplified details" seem harmless. Unfortunately, when things go wrong, details matter. I'm a big fan of common sense language over legalese that isn't easily understood, but it still needs to be accurate. It's not "semantics," as the co-founder of a major neo-bank argued with me many years ago. Regulators are not big fans of semantics. Grey areas are where consumers are most often harmed. Regulators have taken notice and are clamping down on both the egregious and the innocuous.
Regulators don't believe in semantics.
In conversations, founders and bankers who entered the BaaS and partnership space over the last 10 years often share a similar concern: that regulators are taking a new approach to overseeing their partnerships. This isn't a new reality, but an old reality. Two shifts in the regulatory environment beginning in 2016 intertwined to create an unintended consequence. Under the political shift toward deregulation, the CFPB was relatively hands-off when it came to BaaS partnerships. At the same time, the FDIC was going through a modernization effort. The effort was well intended (and I'd argue long overdue), but the front line was ill-prepared to change its practices. Faced with the uncertainty of "what to do," many examiners opted to be more hands-off.
The resulting vacuum broke a very necessary feedback loop. The lack of intervention, in many cases, was interpreted as tacit approval. Simultaneously, a surge in middleware providers that aggregate and connect programs and banks further blurred the lines of who was responsible for what. The proliferation of variants in the indirect model only exacerbated the confusion.
In the compliance game of thrones, there can be only one, and that is the bank (sorry to mix those two for TV series purists). Contracts may shuffle who takes the first, second, or third line of defense, but the hands-off era's practice, that responsibility lies with the party doing the work, is gone.
We are back to the BaaSics of program management and that means greater oversight for all parties involved.
Leading BaaS banks often talk about cultural alignment as one of the critical, but most difficult, items to diligence when onboarding a program. Cultural alignment isn't about liking the other party, wanting to have dinner at Fintech Meetup, or even alignment on the program's vision. Cultural alignment is about shared values, ethos, and integrity that will define the relationship.
Cultural alignment is paramount for BaaS relationships to scale and be successful.
All About the Values
Values are the principles that guide decisions and actions. Values are what the organization defines as important and acceptable. It is critical that the bank understand the internal values of the partner. Growth at all costs, lack of intellectual humility, and an internal unwillingness to share bad news with leadership are all yellow flags for potential impending disaster.
Doing diligence on values takes time and requires observation beyond what is said in meetings or contained in the company's policies and procedures.
Ethos is not Ethereal
Ethos is how these values interact with the external world. An ethos of transparency, accountability, and trustworthiness is critical to the bank <> partner relationship.
Ethos is only understood over an extended period of interaction. The difference between espoused and enacted behaviors determines the organization's ethos.
Dancing in the Dark
Integrity is how an organization behaves when a regulator is not in the room. OK, that's probably not the definition in any philosophy book, but how a program and a bank behave when no one is watching is ultimately what builds and maintains the regulatory relationship.
Trust is built over time, but destroyed in an instant.
Early in my career, a leadership coach shared with me his view of building strong relationships: "trust is based on the promises we make, the promises we keep, and how we repair when promises are broken."
Banks, particularly those using middleware, need to overinvest in testing philosophical and cultural alignment. The adage "trust but verify" holds true. A risk-based approach needs to work on two planes: (1) which areas could cause the greatest harm to customers, and (2) new relationships, which require extra attention until trust is earned.
Oversight of new programs is much like parenting; trust is earned, not given, through repeated interactions. The default should be that everything needs to be reviewed and tested until proven otherwise, rather than waiting until something goes wrong.
Programs can set themselves up for success by making compliance a core value.
Colleen Wilson at MANTL shared this insight with me as she was building the product team (paraphrased): "Compliance is everyone's job, not a functional area. If my team produces something that isn't compliant, it isn't actually a product."
Leadership needs to take ownership of mistakes and set this as an organizational expectation. Just as the buck stops with the bank, the buck stops with the CEO regardless of who was at fault.
Trust may seem basic, but strong relationships are built by returning to BaaSics.