What is Due Diligence? Why is it Relevant?
Due diligence is a thorough process of investigating, verifying, and evaluating an individual or company before establishing a formal business relationship or engaging in transactions. Its primary goal is to identify the inherent risks associated with the counterparty, assess the controls implemented to mitigate those risks and uncover potential deficiencies or opportunities for improvement.
This practice is essential across industries as it enables companies to make well-informed decisions, design action plans, and manage risks such as regulatory, reputational, and operational. Due diligence promotes transparency in the contracting process, which is crucial for ensuring compliance and long-term success in business relationships.
In the banking sector, a robust due diligence process is mandatory. Banks operate under strict regulations and must thoroughly assess the integrity of their partnerships and activities and risk related to end users.
The Banking-as-a-Service (BaaS) business model allows banks, through the use of Application Programming Interfaces (APIs), to exchange data with non-banking third parties so that those parties can offer banking services. When developing and implementing a BaaS program, establishing an adequate and effective due diligence process is even more critical, as the bank must work with several parties.
Ongoing Due Diligence
In banking, due diligence cannot be a “one-and-done” process. Sponsor banks should regularly require their partners to provide performance and compliance reports, and develop response strategies for issues that may require remediation, including the potential suspension of a partner’s activities that do not align with the bank’s risk appetite.
Through ongoing due diligence, the bank ensures that the relationship remains within the limits set at the outset of the partnership. This process allows the bank to monitor any change in risk level and, if necessary, adjust its risk management strategy in a timely manner, fostering a more resilient and compliant operational framework.
Ongoing due diligence reaches end users and business partners according to their risk profiles. It must be tailored to each party, as each one may involve varying levels of criticality and unique operational needs. By customizing the due diligence process, banks can effectively identify and manage the specific risks associated with each relationship.
The Significance of Due Diligence in BaaS
In BaaS, due diligence covers several key areas:
- Regulatory Compliance
Banks are subject to stringent regulations, and banks operating in BaaS face expanded responsibilities: they must ensure their own compliance and also oversee the activities of the business partners delivering banking services to end customers. This heightened level of scrutiny requires banks to implement robust oversight mechanisms and maintain ongoing due diligence to safeguard against the regulatory risks associated with business partner relationships and end clients.
- Operational Efficiency
Effective due diligence provides a holistic view of potential partners' operational stability by assessing their capabilities, processes, and resources. By selecting partners who can meet their operational needs, banks reduce the likelihood of disruptions and enhance overall efficiency. In the fast-paced and complex environment of BaaS, where consistent customer interactions are crucial, maintaining smooth day-to-day operations is vital for delivering reliable services.
- Sustainable Business Growth
Banks that offer BaaS rely on business partners to extend their reach and deliver banking solutions to end users that would not be targeted in their traditional marketing strategies. However, unchecked growth can introduce risks, particularly if new partners lack solid business models. Due diligence ensures that each new business partner aligns with the bank’s long-term goals and values and is well-equipped to operate in the BaaS business. This approach to growth allows banks to scale responsibly, preventing costly setbacks.
- Building Trust
Trust is foundational in financial services, and due diligence fosters transparency and accountability in BaaS business partnerships. By thoroughly assessing each partner, banks demonstrate their commitment to safe and secure business practices.
This trust is essential for maintaining strong relationships, enabling smoother collaboration, and minimizing risks associated with business partner engagements. By building this mutual respect and commitment, due diligence becomes a bridge that also strengthens collaboration.
Who is subject to due diligence in BaaS?
There are several actors in a BaaS scheme, but three primary players warrant thorough due diligence:
- Non-banking partners
In the BaaS model, the two key parties are the bank—which holds the charter and provides the banking infrastructure—and the non-banking partner—which distributes and offers banking solutions to the end user.
This business partner primarily focuses on customer experience and includes fintechs, which typically offer payments, card issuing, investments, accounts, and lending solutions, and non-financial companies—mostly retailers and e-commerce platforms—that seamlessly integrate payment and lending services.
The role of the non-banking partner is essential in this business relationship. Its readiness to partner with a financial institution is crucial, as the sponsor bank faces regulatory exposure for any misconduct by these partners.
Conducting thorough due diligence is essential for the bank to ensure that each partner aligns with its risk tolerance and regulatory requirements. This involves assessing the fintech's anti-money laundering (AML) and countering the financing of terrorism (CFT) programs, monitoring its compliance track record, and verifying that proper controls are in place. Additionally, banks must analyze the non-banking partner's information security framework, legal and regulatory compliance, operational resilience, business model, financial condition, experience, and qualifications.
Effective due diligence helps banks minimize the likelihood of breaches that could affect the bank and safeguards client assets.
- Third-Party Vendors
Banks may implement a direct or indirect BaaS model:
- Indirect BaaS model: The bank works with an API brokerage BaaS provider (middleware). These middleware providers act as market makers between banks and non-banking partners, streamlining the launch of banking products by managing program development and operations.
- Direct BaaS model: The bank works with BaaS providers, which focus on enhancing bank and non-banking partner capabilities through software solutions while leaving the management of fintech relationships solely in the hands of the sponsor bank. In this model, the bank manages and oversees its own fintech programs.
The main reason to conduct thorough due diligence on these business partners is the operational risk posed by any failure in their systems. In BaaS, regardless of whether the bank itself manages the BaaS program, operations, and APIs, there is always an inherent information security risk.
The bank must ensure the capacity of these vendors to support the BaaS program, as well as all the policies and procedures oriented to the treatment of contingencies that could affect the end users’ access to funds and the bank’s reputation.
In particular, due diligence in the indirect model is critical, as regulators have increased their scrutiny given the risks associated with managing the ledger and ensuring accurate financial reporting.
- End user
Depending on the BaaS model adopted, banks may have a greater or lesser degree of involvement in the due diligence process for the end user. However, this process must not be omitted under any circumstance, as the relationship with end users presents money laundering and terrorism financing risks (the subject of AML/CFT obligations), and the accountability for conducting effective due diligence cannot be delegated by the bank.
Banks and non-banking partners are required to implement Customer Identification Programs (CIP) that involve Know Your Customer (KYC) processes, customer risk segmentation, and simplified or enhanced due diligence procedures according to the assessed risk level. Failure to perform this due diligence can lead to violations of AML/CFT laws and regulations and, consequently, to severe sanctions.
Conclusion
In today's dynamic financial environment, due diligence in BaaS goes beyond compliance: it is about building a solid business foundation. By thoroughly assessing non-banking partners and third-party vendors, banks ensure that their partnerships align with critical standards, reducing risks and facilitating smoother, more efficient collaboration.
Effective due diligence enables banks to seize new opportunities in the BaaS environment confidently, knowing they have a secure, reliable infrastructure. This proactive approach supports sustainable growth and cultivates trust, a key asset as banks expand their BaaS offerings and foster valuable relationships within a trusted, compliant ecosystem.