BaaS x Compliance - the good and the not-so-good
Some examples of what works and doesn't work for BaaS providers.
By now, if you’re in fintech, you should know that one of the hottest topics in the industry in 2023 (certainly within the last several months) is BaaS, or Banking as a Service. While the space has picked up steam naturally because of the expanding capabilities of what technology innovations can do for banks, their customers, and their partners, obviously we wouldn’t be this excited about it if there wasn’t a major compliance component. And by now it should be strikingly clear, if it wasn’t already, that there absolutely is, based on various regulatory commentary and actions, not just here in the US but also in the EU.
So in this week’s edition of our newsletter, we’ll focus on the compliance dimension of this topic. Specifically, I thought it would be interesting to do a quick run-through of five leading BaaS providers in the space and look at their compliance profiles - specifically, how they talk and operate regarding compliance and whether they’ve gotten in trouble or are facing likely/potential compliance and risk (whether operational or otherwise) issues. Without further ado, let’s dig in:
Synctera
The company prioritizes compliance in its tagline - citing itself as offering “fully compliant bank accounts, debit cards, charge cards, lending, and more.” While the CEO Peter Hazlehurst is a product management veteran through and through, the Chief Compliance and Risk Officer Mitchell Lee is extremely well-qualified for his role, having spent over 7 years at the San Francisco Fed before coming over to Synctera.
In terms of their offerings, the most notable compliance-related product is Synctera Ground Control, where they actually offer cosourcing on a variety of matters including KYC/KYB, BSA/AML, fraud, and disputes. The other offering is their APIs, which essentially provide more automation around the same topics that are staffed.
Notably, they have steered clear of any regulatory criticism or major callouts that I could find. The reputation generally appears to be strong - based on FeaturedCustomers, which is a tool that can be used by B2B customers to rate their providers, they have a 4.8 rating.
While none of these indicate absolutely that the company is flawless, I think Synctera is a great example of what to do right in the BaaS game.
Unit
Probably one of the biggest names in the BaaS space along with/right after Synctera, Unit also offers APIs but emphasizes SDKs and white-labeled user interfaces as well. Their co-founders Itai Damti and Doron Somech actually launched a previous company together, Leverate, which was a sort of BaaS except for foreign exchange brokers - the two of them moved on in 2016 and, after doing things separately, they reunited to form Unit in 2019. Similar to Synctera, their Chief Compliance Officer Amanda Swoverland also spent time with the Fed (Minneapolis) and is similarly extremely well-qualified with a great team (shout-out to Yuval Hadda, a friend of the newsletter).
For compliance-related products, they not only have the same focus areas (or similar enough) as Synctera - AML, KYC, and in-person/manual Compliance support - but they also focus on fraud. Then, as an auditor, what really gets me hyped up is the fact that they actively tout two of the most “un-sexy” things I’ve had to try and advocate for - policies and procedures, and audits and testing! As an auditor, seeing that screams “take my money.”
While Unit itself has been able to steer clear of any regulatory issues or call-outs, it is notable that one of their bank partners, Blue Ridge, got hit by the OCC for BaaS-related issues (and Unit did chime in that there will be no impact to their customers). Friend of the newsletter and major inspiration Jason Mikula did a deep dive into Blue Ridge’s issues in the article noted, speculating about which BaaS partnership might have gotten them in trouble. I think the larger point this raises, although really not on Unit, is that not every BaaS provider is going to be as robust as Unit (or Synctera, for that matter). To that end, it is incumbent on the banks to provide their own monitoring and oversight of the vendor, no matter how good they claim to be. Not doing so will almost certainly get the bank in trouble with the regulators.
All in all, another great example of a fintech BaaS success story.
Alviere
Alviere is a bit different from our previous two examples, emphasizing embedded finance and specifically focusing on providing an enterprise-wide solution. The CEO, Yuval Brisker, has done product management at several companies and also founded a few other companies of his own before launching Alviere in 2020. The Chief Compliance Officer Luis Trujillo is yet again another example of having regulatory experience, with him specifically having worked as a money transmitter licensing manager/examiner at the North Carolina Department of Commerce.
While BaaS is part of what they offer, they also focus on other pieces of the fintech puzzle including payments, credit and debit issuing, money transfers, and crypto (which they lovingly refer to as CaaS (crypto as a service)). And so with this comes their slightly different approach to compliance, which is more global and security-focused (compared to our previous two examples). Specifically, because of their focus on payments, they have worked to get MTL (money transmitter licenses) in various jurisdictions including in every state in the US. The issue of licensing can be a hairy one but the fact that they have resolved it quickly suggests they know what they are doing (and they proudly touted this in their press release here) and the fact that Trujillo worked as an MTL manager/examiner is no doubt a huge reason behind this.
There are no major issues I could see with regulatory action or consent orders, although the firm did admit as part of a promotional piece with ComplyAdvantage that it had come across a number of false positives in its KYC screening process - which their partnership helped to reduce. The transparency itself is refreshing, and beyond that, what sells me on their model is that the CEO does his own personal blog on the importance of compliance, rather than just leave it to his CCO.
Again, super impressive.
Solid
Unfortunately, I’d be remiss if we didn’t end with two examples of what not to do. There are two to highlight here, and both were exhaustively investigated by Jason M. Let’s start with Solid - similar to Alviere, they also offer card issuing and payments in addition to banking. The company was founded in 2019 and is run by CEO Arjun Thyagarajan, who is yet another product veteran. However, their chief compliance officer, Jeff Vegh, was just onboarded in February of this past year and comes from Cross River, another BaaS provider which has its own issues. It doesn’t appear they had a predecessor. Furthermore, unlike the other three fintechs we covered, he doesn’t have examiner experience. Is this a deal-breaker though? Read on to find out.
I think the biggest red flag from a high level is that while they do tout their compliance capabilities, there are only one or two statements (i.e. “Solid has built a comprehensive governance and compliance program with its sponsor banks that help FinTechs build, launch, and scale their offering– quickly!”) and there’s nothing else to be found on their website on this beyond technical compliance helpdesk pages - which are helpful, but don’t exactly help to sell the importance of this to prospective customers.
Of course, this is likely to lead to what Jason unveiled in one of his recent issues of Fintech Business Weekly, where they have a lawsuit in progress related to faking financial information and having ties to Russian money launderers. While this hasn’t been publicly affirmed yet and Jason obtained this info from anonymous sources, I think it kind of says it all about where things stand here. More to come…
Synapse
Another example, and actually the most current of the not-so-good BaaS stories, is Synapse. They have been around considerably longer than any of the other companies we covered here. The story of the CEO is definitely a non-conventional one: while he appears not to have had any prior banking or fintech experience before launching Synapse, his journey to launch the company was based on his struggles as an immigrant having issues with the US banking system, and the company launched in 2014. Interestingly, the Chief Compliance Officer Jillana Downing spent 17 years at the ill-fated SVB until its end. While she doesn’t have examiner experience either, she did work at regional bank First National Bank of Omaha for 12 years in compliance.
Since the company launched, it has managed to become regulated and licensed, and claims to be the largest BaaS to have that distinction. The CEO speaks directly to and is clearly proud of his company’s support of compliance (as seen in this interview). They even announced a “policy and regulatory advisory board” which included an ex-regulator. However, their web page is very similar to Solid’s, with a broad statement about a compliance offering, “With us as the lender of record and our built-in compliance framework, we break down the barriers to licensing and compliance, enabling speed-to-market and underwriting model flexibility,” and one article written by an engineering manager on the importance of cross-border KYC. Nothing beyond that.
The biggest development is, first off, that they have laid off a chunk of their employee base this past week, with reports citing “pressures on BaaS companies due to expanding regulatory requirements.” The other is yet again covered by Jason in his bombshell piece calling out millions in missing user funds at partner bank Evolve. You can read more about it at his site (linked). Needless to say, things are not looking good here either.
Conclusion
I think we’ve learned a few things - in the three “success stories,” all three BaaS providers had Chief Compliance Officers who spent time as regulators. Also, each company proudly touted its focus on Compliance, not just with a high-level statement, but in great detail. Lastly, each company carved out a competitive niche in terms of what they do well in Compliance. In other words, they were good at what they offered to their customers. On the other hand, the “not so great” stories featured unstable compliance teams, did not use compliance as a marketing pitch, and have now come across scenarios where less than upstanding behavior was occurring within the company.
As the space grows, hopefully more companies can learn from these prominent examples of what does and doesn’t work from a Compliance perspective in the BaaS space.