Embedded Applications: New Revenue and New Risks for Banks

Service-delivery partnerships require dedicated attention to risk and compliance functions and third-party contracts

Friday, July 22, 2022

By Katherine Heires


To embed or not to embed?

That has become a question for a growing number of banks as opportunities and risks arise from embedded banking, or integration of payments, credit and other banking services with the processes and platforms of non-financial firms or brands.

Examples of such embedding, typically found online or in mobile apps, are Apple’s card services for consumers and Amazon’s credit services for merchants, both delivered through Goldman Sachs’ Marcus; Walmart’s money card services provided by Green Dot Bank; Starbucks’ purchasing app, through a partnership with JPMorgan Chase & Co.; and the Cash App of Block (formerly Square), supported by Sutton Bank.

Facilitating these tie-ups – and what are marketed as frictionless customer experiences – are banking-as-a-service (BaaS) and application programming interface (API) technologies

Embedding also gives challenger banks and other fintechs a way to expand their capabilities “invisibly” to the consumer, as in cash advances on paychecks offered by Dave, whose brand name is inspired by “David vs. Goliath.” The bank behind the scenes is Memphis, Tennessee-headquartered Evolve Bank & Trust.

Shaping the Future

“I strongly believe that embedded banking is the future of the industry, and as the trend only grows, banks are going to have to determine their path forward,” says Jared Rorrer, managing director, commercial banking at Accenture and co-author of a 2021 report on embedded finance for SMEs. It projected that 25% of incumbent banks’ small- and medium-size enterprise revenue will shift to embedded channels by 2025.

“Embedded banking is going to be huge as eventually, nearly everyone and every type of business will offer some sort of financial service,” says Ron Shevlin, chief research officer of Cornerstone Advisors and author of a report published this year, sponsored by BaaS company Synctera, on bank-fintech partnerships. “It could be a payment, lending, investment or even tax help that relates to the products and services they already offer.”

The research finds that embedded banking and BaaS could generate more than $25 billion in annual revenue for banks by 2026. “This would go a long way to replacing the inevitable loss of overdraft fees the banking industry will face over the next five years,” Shevlin notes.

He says that 53 U.S. banks are currently active on the embedded front, including Coastal Community Bank, Cross River Bank, Sutton Bank and Webster Bank. Major institutions such as Goldman’s Marcus, JPMorgan Chase, BBVA and Standard Chartered are also pushing the trend.

“Banking as a service is a vital component of our growth strategy, and embedding loans at the consumer point of sale opens a new channel to provide financing to customers we couldn’t have reached before,” Josh Williams, executive vice president and chief banking officer, Seattle Bank, said in the June 30 announcement by financial software company Finastra of an embedded consumer lending solution. Designed to give both consumers and merchants seamless flexibility on sales made on credit, the BaaS offering is a cost-effective and “regulated alternative when it comes to POS financing,” Williams said.

Risks and Compliance

In addition to the technology integration, the BaaS platforms can support risk management and compliance. And the emerging risks need attention.

“The biggest risk [for the banks] is on the compliance and regulatory side,” says Robert Keil, chief payments officer of Sutton Bank, which works with upwards of 100 U.S. fintechs.

“If you do not exercise enough oversight over your fintech partners, or if your fintech is not doing appropriate [Know Your Customer, anti-money laundering and related controls], you are almost certain to get yourself in trouble,” Keil warns.

He says the solution is a careful vetting process and partnerships that contractually ensure regular monitoring and oversight to ensure compliance with all applicable rules. “You have to really be in the fintech’s face,” Keil advises, because the bank is “on the hook” for any deficiencies.

Keil adds that a bank should be alert to risks from fintech partners doing business outside the bank’s core geography. For example, if the bank is outside California but its partner has customers in that state, then the California Consumer Privacy Act may come into force. Other contingencies to be considered: how to respond if a fintech partner’s service fails or is discontinued, and reputational risks attributable to any third-party relationship.

Leigh Pepper

Up-to-date technology is essential, says Leigh Pepper, chief product officer of U.K.-based BaaS pioneer 10X Banking. Entering into embedded banking with a legacy technology stack has serious drawbacks and risks, he says, limiting a bank’s ability to effectively deploy necessary monitoring and alerting systems, along with recovery and resilience capabilities.

First and Second Lines

Mitchell Lee, formerly of the Federal Reserve Bank of San Francisco and currently chief risk officer of Synctera, recommends that banks view fintechs as a first line of defense and their own risk function as the second line. The fintechs “own the customer relationship and need to have policies in place that outline their roles and identify the people on staff to investigate when there is a fraudulent transaction,” Lee explains.

Dave Mayo, founder and CEO of the BaaS Association, says that operational visibility is key: “If a fintech does an agreement with somebody else or changes a policy, you as the sponsor bank have to make sure, contractually, that you have visibility to any downstream activity, as that is what the regulators will be looking for.”

According to Marcus Lobendahn, vice president of growth and business development at BaaS provider Bond, banks “need to look at BaaS platforms as though they are acquiring them,” as they are a counterparty in managing compliance risks. It’s a plus when a fintech has an in-house chief compliance officer, Lobendahn says, and more so when the BaaS company has one on staff, as Bond does.

The data sharing in API and open-banking arrangements drew a warning from William Isaac, chairman of Secura/Isaac Group, and Thomas Vartanian, executive director of the Financial Technology & Cybersecurity Center, in an American Banker opinion article: While consumers may save time and money, “the moment data is shared across companies or industries, the risk of execution failure and the potential for fraudulent third-party provider access increases, not to mention the creation of serious economic infrastructure and national security risks. The more providers that touch or are unaccountable for a user’s data, the greater the number of vulnerabilities there are.”

A New Power Center

Simon Torrance, an independent adviser to managements and boards, suggests that non-participation is not an option. “Banks are in danger of being disintermediated by these BaaS platforms,” he says. “The BaaS providers have become very powerful, and banks need to think about how they can survive in this space.”

Simon Torrance

He believes that from a risk perspective, it is better for banks entering into embedded relationships to create a business unit separate from their core business, and they will be unconstrained from traditional bank practices.

He also recommends formation of risk and compliance teams dedicated to embedded banking.

“You will be using data from third-party sources, and those types of skills don’t reside in a core bank,” Torrance states. “You will also need to develop new underwriting and compliance skills, as underwriting is very different in this world.”

He expects embedded banking to accelerate because of fundamental changes and expectations in the consumer market: “We are used to doing business over mobile phones, we don’t want to go to a physical bank, and we want all transaction frictions removed.”


Katherine Heires is a freelance business journalist and founder of MediaKat llc.


BylawsCode of ConductPrivacy NoticeTerms of Use © 2024 Global Association of Risk Professionals