Before discussing the security of Banking-as-a-Service (BaaS), we must first agree on what it is. BaaS is a business model in which regulated financial institutions provide banking products and services to third-party distributors or non-banking businesses. With BaaS, a non-banking business can offer banking products and services through a partnership with a regulated financial institution. Examples of pure BaaS companies include Bankable, ClearBank, Solaris, and Treezor.
One of the best examples is a retail chain offering a logo-branded credit or debit card where customers earn points for purchases. In this scenario, it’s a win-win; the financial institution collects fees for the transaction, and the retail chain builds brand loyalty and increases repeat business. The BaaS business model is estimated to produce nearly US$30 billion in 2023, growing at a CAGR of approximately 16%.
How Does BaaS Work?
At the heart of this business model are the fintech companies that provide the BaaS platforms enabling these third-party banking products and services. These platforms allow the building, launching, and scaling of embedded banking and adjacent fintech products. They are also driving the digital transformation of companies and financial institutions worldwide.
The secret sauce of the connectivity between financial entities and third parties is application programming interfaces (APIs). Many APIs are needed to create a seamless interaction between customers and third parties, and through those APIs, BaaS platforms embed financial services in the third party's online experience.
Let’s take DoorDash (or your other favorite online food delivery app), for example. Using DoorDash means using BaaS: you order food from a restaurant, perhaps add a stop at AutoZone to pick up a spark plug, and pay for the whole order from your bank in one seamless transaction. The genius of these companies partnering with a financial institution is that the regulated financial institution, not the third party, carries the primary obligations for know your customer (KYC), anti-money laundering (AML), and other regulations. Approximately 120 banks provide BaaS capabilities, with up to another 200 planning or developing a BaaS service.
Is BaaS Risky?
The short answer is yes. But to understand the risk of BaaS, one must understand the components that enable it. These components include cloud services, APIs, and applications, each with inherent risks and a history of compromise.
The BaaS experience has a value chain of financial entities, fintech providers, BaaS platform providers, third parties, and customers. Value chains, like any chain, have a weak link. Unfortunately, in BaaS, as it is so new, the weak link can exist anywhere in the chain.
There are four primary risk categories in BaaS: platform resiliency, regulatory and compliance risk (regtech), data privacy, and infrastructure compromise. Cybercrime and fraud have always been pervasive in banking, but BaaS opens up new threat vectors requiring protection. With that said, the issue of liability is still up for debate.
The Consumer Financial Protection Bureau (CFPB) has yet to weigh in on who should be held responsible if a data aggregator is hacked, or if a consumer is tricked into sharing data with fraudsters who steal their funds or assume their identity to commit fraud.
What Makes a BaaS Architecture Secure?
Fintechs, financial institutions, and financial product and service distributors must collaborate on a unified architecture that includes the following:
- Data privacy
- Operational resilience
- Regulatory fraud and cybercrime compliance
- Risk management
- Supply chain security
- Third-party due diligence
The sponsoring bank, fintech partner, and product and services distributor must know who they’re doing business with and create a shared risk model. Customers will expect not only a seamless transaction but one that is secure and available anytime, anywhere. Platform providers will require independent security and resiliency testing, such as ISO 27001 certification, a PCI DSS assessment, or a SOC 2 report. BaaS initiatives are the ideal time for converging the fraud, cybersecurity, and IT infrastructure disciplines.
Neobanks, the gig economy, and embedded finance cannot survive without BaaS, and BaaS cannot survive without built-for-purpose privacy, security, and resiliency. Conventional approaches to security, privacy, and resilience may not be enough.
Aite-Novarica Group believes the answer lies in machine learning (ML) and artificial intelligence (AI) to detect fraud and cyberattacks across the open banking ecosystem and the BaaS participants. Conventional risk treatments will find it difficult to scale to the vast amounts of data collected, the number of third parties involved, and the complexity of cloud computing technology needed to make open banking and BaaS secure and reliable. Zero trust and identity and access management are core to BaaS security, and resiliency must be measured against the Digital Operational Resilience Act (DORA).
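The two points above, that APIs are the connective tissue of BaaS and that zero trust and identity are core to securing it, come together at the API boundary between participants: every call from a distributor to a platform (or back) has to be tied to a known partner, protected from tampering, and rejected if replayed, regardless of which network it arrives from. The following is an added illustration, not code from this post or from any of the BaaS providers named here. It assumes a shared HMAC secret provisioned per partner out of band and the hypothetical headers X-Partner-Id, X-Timestamp, X-Nonce and X-Signature; the secret, partner ID, and request body are constructed sample values.

```python
"""Added illustration: authenticating partner API calls in a BaaS integration.

Assumptions (not from the page): one shared HMAC secret per partner, provisioned
out of band, and hypothetical headers X-Partner-Id, X-Timestamp, X-Nonce, X-Signature.
"""
import hashlib
import hmac
import json
import os
import time

# Constructed sample secret; a real deployment loads these from a secret store.
PARTNER_SECRETS = {
    "distributor-42": b"constructed-sample-secret-not-for-production",
}
MAX_SKEW_SECONDS = 300  # reject timestamps more than five minutes off the receiver's clock


def canonical_string(method, path, timestamp, nonce, body):
    """Bind every field the receiver relies on, so none can be changed without
    invalidating the signature. The body is hashed so large payloads stay cheap."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, timestamp, nonce, body_hash]).encode()


def sign(secret, method, path, timestamp, nonce, body):
    """HMAC-SHA256 over the canonical string, hex encoded for a header value."""
    return hmac.new(secret, canonical_string(method, path, timestamp, nonce, body),
                    hashlib.sha256).hexdigest()


def build_signed_request(partner_id, secret, method, path, body, now=None, nonce=None):
    """Sender side: the headers a partner attaches to an outbound API call."""
    timestamp = str(int(time.time() if now is None else now))
    nonce = nonce or os.urandom(16).hex()
    return {
        "X-Partner-Id": partner_id,
        "X-Timestamp": timestamp,
        "X-Nonce": nonce,
        "X-Signature": sign(secret, method, path, timestamp, nonce, body),
    }


def verify_request(headers, method, path, body, seen_nonces, now=None):
    """Receiver side; returns (accepted, reason). Each call is checked for identity
    (known partner), freshness (timestamp window), uniqueness (nonce) and integrity
    (signature), with no trust placed in the network it arrived on."""
    now = time.time() if now is None else now
    secret = PARTNER_SECRETS.get(headers.get("X-Partner-Id", ""))
    if secret is None:
        return False, "unknown partner"
    timestamp = headers.get("X-Timestamp", "")
    nonce = headers.get("X-Nonce", "")
    try:
        if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"
    except ValueError:
        return False, "malformed timestamp"
    if not nonce or nonce in seen_nonces:
        return False, "replayed or missing nonce"
    expected = sign(secret, method, path, timestamp, nonce, body)
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    seen_nonces.add(nonce)  # record the nonce only after every check has passed
    return True, "ok"


def demo():
    """Constructed walk-through: a genuine call, a replay of it, a tampered body,
    and the same call presented an hour late. Returns the four reasons."""
    secret = PARTNER_SECRETS["distributor-42"]
    body = json.dumps({"card_id": "card_123", "amount_cents": 4599}).encode()
    now = 1_700_000_000
    seen = set()
    path = "/v1/authorizations"
    headers = build_signed_request("distributor-42", secret, "POST", path, body, now=now)
    results = [verify_request(headers, "POST", path, body, seen, now=now)[1]]
    results.append(verify_request(headers, "POST", path, body, seen, now=now)[1])  # replay
    tampered = body.replace(b"4599", b"459900")
    results.append(verify_request(headers, "POST", path, tampered, set(), now=now)[1])
    results.append(verify_request(headers, "POST", path, body, set(), now=now + 3600)[1])
    return results


if __name__ == "__main__":
    print(demo())
```

The nonce set would live in a shared cache with a TTL of at least MAX_SKEW_SECONDS in practice; the point of the example is that partner identity, request integrity, and replay protection are verified on every call rather than inferred from a VPN or allow-listed IP.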
To learn about protecting BaaS, check out my blogs on securing open banking and What Is the Digital Operational Resilience Act (DORA)? Or, if you prefer, contact me here.