EU, US Regulators Take Long Look at ‘Banking-as-a-Service’ Platforms

By Koos Couvée

“Today, any company can offer financial services. It’s no longer about banks, but all about customer experience. Financial services should be baked seamlessly into everyday life.”

Such is how Berlin-based Solaris, which has become one of Europe’s largest financial technology-centric platforms, or fintechs, since obtaining a German banking license in 2016, described its business model in a recent marketing video.

“With Solaris, it’s all plug and play.”

Solaris ranks as the largest “banking-as-a-service” provider in Europe, where non-financial companies and other fintechs—usually startups—piggyback on the company’s banking license to offer payment accounts, lending programs, cryptocurrency trading and other financial products to their own customers.

But the BaaS model, also known as “embedded finance,” has drawn the attention of regulators on both sides of the Atlantic amid concern that companies featuring the service, which functions similarly to a correspondent banking relationship, frequently neglect to adequately assess and monitor the financial crime-related risks of their customers’ customers.

“BaaS models offer a quicker route to market for people who have ideas without incurring some of the risks and costs of a payments license,” said Robert Evans, chief executive of FINTRAIL, a consultancy that specializes in anti-money laundering compliance for fintechs. “The downside is that poor oversight of those relationships creates significant risks for the parties involved and the industry more systematically.”

Solaris’ clients include household names such as Samsung, American Express and BP, but the fintech has also pushed to become the banking platform of choice for the cryptocurrency industry. The company announced a partnership with Huobi in January, allowing the Seychelles-based exchange to offer customers a cryptocurrency-to-fiat debit card.

Two weeks later, BaFin, Germany’s primary anti-money laundering supervisor, disclosed a ban on Solaris from entering into any other new partnerships without first obtaining regulatory approval. The regulator also ordered the lender to make AML-related upgrades and begin observing “transfer and cash payment limits for certain accounts.”

The Bank of Lithuania imposed similar restrictions last month on PayrNet, the local subsidiary of Railsr, one of Britain’s most prominent BaaS providers, after finding that the company had “grossly and systematically” violated AML rules.

The regulator hired auditors Grant Thornton Baltic to monitor mandatory AML improvements at PayrNet, which operates as a licensed electronic money institution, or EMI, in the Baltic nation.

In August 2020, Railsr acquired the clients, card technology and other assets of the U.K. subsidiary of Wirecard, weeks after the German-headquartered payment processor and BaaS provider collapsed under the weight of an alleged €2 billion accounting fraud.

Railsr, previously known as Railsbank, went up for sale in November amid difficulties in raising capital and a reported investigation by the U.K. Financial Conduct Authority, or FCA. U.K. financial-services consortium Embedded Finance acquired Railsr last month, then took a pause to restructure and recapitalize the platform.

In December 2021, the Bank of Lithuania also issued a €65,000 penalty against Vilnius-based European Merchant Bank, a fintech and BaaS provider, for failing to “manage the risks of high-risk clients” and other AML violations. The regulator also restricted the fintech’s ability to serve existing and new EMIs and other payment institutions.

European Merchant Bank is owned by Norwegian entrepreneur Ozan Ozerk, who also owns OpenPayd, a London-based BaaS provider licensed as an EMI in Malta. Other prominent providers in the U.K. include Starling Bank, ClearBank, Bankable and Thought Machine.

Many such providers, including Solaris and Railsr, also sell anti-fraud and AML software to their clients, allowing them to vet and monitor their customers and transactions.

But when partnering with fintechs and other unregulated platforms, ultimate responsibility for AML compliance and keeping tabs on customers’ customers falls to the BaaS provider.

“The AML policy of the BaaS provider should be the one that dictates how they [BaaS clients] operate,” said Evans. “But if the oversight is poor, the model breaks down, and you end up in this situation where you could, for example, end up onboarding payment institutions with high-risk business models and downstream customers.”


Last month, the FCA warned in a “Dear CEO” letter to payment services providers and EMIs that regulators had seen “increasing evidence” of financial crime in their industry since 2021.

“The ability to provide bank-like services, willingness to service high-risk customers, and weaknesses in some firms’ systems and controls, make PIs [payment institutions] and EMIs a target for bad actors,” the FCA said, adding that firms frequently failed to subject “agents and distributors” to “meaningful” due diligence and sufficient, ongoing monitoring.

The risks presented by BaaS models and other types of relationships between traditional lenders, “challenger” banks, e-money platforms and third-party fintech partners have also prompted U.S. regulators to issue warnings and, in at least one case, pursue enforcement.

In August 2022, the Office of the Comptroller of the Currency ordered Blue Ridge Bank, a community lender in Virginia, to bolster monitoring of suspicious activity, including “high risk customer activity involving … third-party fintech partners.”

Months before Germany’s BaFin and Lithuania’s central bank took a similar approach with BaaS providers in their respective jurisdictions, the OCC also blocked Blue Ridge Bank from entering new contracts with fintechs or offering new products to existing partners without regulatory approval.

The agency further ordered Blue Ridge Bank to hire additional AML compliance officers, newly assess the financial crime-related risks of each fintech client, review their behavior and develop a process for “addressing any … activities identified as non-compliant.”

Acting Comptroller Michael Hsu told attendees of an industry conference in New York the following month that BaaS and other bank-fintech partnerships have grown in volume and complexity, making it “more difficult for customers, regulators, and the industry to distinguish between where the bank stops and where the tech firm starts.”

The trend carries outsized risks from a prudential, financial-crime and consumer-protection perspective, Hsu warned.


BaaS can inadvertently give criminals an incentive to gain control over unlicensed fintechs that already have an account with a provider and use that relationship to access the global financial system.

Last September, Simon York, the outgoing head of the Fraud Investigation Service at HM Revenue & Customs, the U.K. tax authority, warned in a speech that these novel types of correspondent banking-like arrangements have allowed “corrupt fintech payments firms” to infiltrate the “digital payments ecosystem of unwitting banks.”

“This provided a direct, hidden pathway for serious criminals to seamlessly turn the proceeds of tax fraud into apparently legitimate crypto-assets, which were quickly transferred offshore,” York said, without elaborating further on the nature of these schemes.

BaaS relationships can also obscure the identities and locations of the true originators and beneficiaries of transactions because they frequently involve virtual IBANs—unique codes of up to 34 characters that fintechs and other firms can issue to their customers throughout the world by leveraging a “master account” with a mainstream bank or BaaS provider.

ACAMS reported in January that virtual IBANs have emerged as a top concern among European investigators and compliance officers amid suspicions that many payments institutions that issue such accounts have weak anti-money laundering programs and undergo minimal AML supervision.

“There needs to be clear guidance issued by the regulators as to what their expectation is in some of these slightly new configurations,” said Evans. “That will ensure more focus at the level of the EMI or BaaS provider on assurance and oversight of their agent networks.”

Solaris and Railsr did not respond to questions by press time.

Topics: Anti-money laundering, Cryptocurrencies
Source: Germany, European Union
Document Date: April 21, 2023