In the previous two blog installments, I discussed the “State of the BaaS Union” and the benefit of putting in the effort to understand the intent behind laws, regulations, and supervisory guidance as they may relate to a program or fintech business model. As we head into Halloween season, I think it’s only fitting to chat about what some in fintech leadership consider a scary subject – their risk profile. No matter the type of fintech or the industry tenure of its leadership, there seems to be a mental block when it comes to acknowledging their risk profile. Simply put, no one thinks that their line of business or model is moderate risk, let alone higher risk. Picture it, northern Colorado circa 2019 and I’m sitting in an initial team meeting with a newer fintech to discuss compliance and risk management needs. As I walk through the details, I casually note the fact that the fintech’s business use case is considered higher risk for BSA/AML purposes. Before I start discussing the internal controls needed to properly manage that risk, I look around the table and stop when I see the faces of the leadership team. The looks I received ranged from shock and disbelief to truly offended.
The discussion that followed went something like, “But, it’s just payments.” “We only enable payments for bills and invoices.” “The card network didn’t say we were high risk.” And my personal favorite (NOT) – “[insert other fintech name here] doesn’t consider itself high risk!” It was as if they forgot why they brought us on board – to assess the company’s risk profile and build an enterprise risk governance program to properly manage that risk. Doing this successfully requires not only experience and expertise, but more importantly an honest approach. What exactly does that mean? First, it means understanding that a product or service that is considered higher risk is not a bad thing. Being labeled as higher risk isn’t tantamount to getting a detention slip or being sent to the principal’s office. It simply means there is more exposure to non-compliance with law or regulation, or to misuse by actors with nefarious intent, and that risk exposure must be properly managed. It also requires understanding how a risk profile is determined and that there are four components to consider equally. These components are inherent risk, risk management, residual risk, and direction of risk.

Let’s start with inherent risk, which is basically an accounting of the quantity of risk inherent in the product, service, customer, and geography a company wishes to offer or facilitate. If we use a payments fintech as a model, supervisory guidance clearly indicates that electronic transactions are considered higher risk for AML concerns. Why? Some of the factors that increase the risk profile of electronic transactions include the speed of the transaction, lack of transparency (think card-not-present transactions), and lack of a direct relationship with the end-user, each of which can increase the potential for money laundering, fraud, and identity theft. Now, layer in foreign customers or jurisdictions, newer and innovative products and payment rails that may or may not fit clearly within the regulatory framework, and higher-risk business types (hey crypto folks, I’m looking at you). Each risk factor adds exposure and cumulatively increases inherent risk. And when you add in a consumer product component, there is a host of consumer protection laws and regulations on top of AML considerations that need to be managed.
The good news, as I noted earlier, is that higher risk is not a bad thing. It just needs to be properly managed with internal controls, systems, and processes. Even better, there is an abundance of information regarding expected risk management practices. Some risk management controls are non-negotiable, like laws and regulations or network rules based on program type. Others, issued by oversight authorities, allow for flexibility based on the business model and provide a framework for a risk-based approach. An example of the distinction is the requirement to conduct CIP (or KYC) for new accountholders. The regulation doesn’t permit interpretation regarding the data collection and verification of net new customers, but it does provide flexibility in the methodology a fintech or bank uses to conduct verification. The key is that the quality of the risk management controls implemented should be commensurate with the risk inherent in the products, services, and customers supported. That means if the inherent risk in the products or services offered is considered higher risk, stronger internal controls are required; in this case basic or baseline risk management is not sufficient. This is a time when a “satisfactory” program isn’t actually satisfactory.
In my experience, even more potentially problematic is the misunderstanding that residual risk (the aggregate or remaining risk once internal controls are in place) replaces inherent risk. Properly managed risk does not equate to “the inherent risk went away”. This thought process is unfortunately common among both bankers and fintech folks. The inherent risk of a business use case or model remains the same unless specific higher-risk characteristics of the use case are changed or that use case is retired. The challenge with a mindset that prioritizes residual risk is complacency. When things are running smoothly and risk is properly managed, too often the actual inherent risk exposure is forgotten. As companies grow and add to product offerings, shifting resources and priorities instead of expanding them can effectively end up robbing Peter to pay Paul. I’m by no means a troglodyte and embrace the philosophy of work smarter, not harder. But far too often, these changes that are characterized as doing more with less don’t translate to doing better, just more with less – which is not a good thing when it comes to risk management. If the internal controls or risk management processes are not prioritized, are changed in a negative manner, or fail . . . inherent risk has a way of rearing its ugly head. This is imperative for both banks and fintechs to seriously consider when making decisions about offering a new product or line of business, expanding their footprint by jurisdiction, vertical, or customer type, attempting to fully automate processes, or addressing balance sheet issues with staff or system reductions.
Finally, I want to remind everyone that the risk assessment and risk management process is not a set-it-and-forget-it function. Risk assessment should be a continuous process and not prompted only by an expansion of services, a new law or regulation, or identification of non-compliance. Perhaps the most valuable and underrated component of the risk assessment and management process is understanding a company’s direction of risk. The direction of risk takes into consideration known variables on the horizon. This may include plans to scale current product offerings or expand the customer base and jurisdictions, which may increase the quantity of inherent risk. It could be plans to remediate identified non-compliance issues that may decrease residual risk. And it may be a new law or regulation with a future effective date that requires a review of, and possible changes to, internal controls. These types of known variables should inform a roadmap of work to continue to implement an effective risk management program that keeps pace with the business. This can be a challenge for some fintechs that focus only on the current scrum or issue to be fixed. Even more challenging is that while fintechs purport to be quite different from their chartered counterparts, many have fallen into the same trap and siloed their engineering and product teams in the same way many banks silo their lines of business. This practice is counter to a defined risk management roadmap based on strategic goals and milestones and often creates more work to integrate and streamline internal controls.
At the end of the day, recognizing your true risk profile should be considered a win-win. Once you understand the inherent risk in your business model and use case, you can make a plan to properly manage that risk. Not acknowledging your risk profile is kind of like asking for a Halloween trick, instead of candy. It’s far scarier to not know the risk and exposure your company faces than acknowledging your risk profile and putting a plan together to properly address it. This is key to getting in front of any concerns or questions from regulators, auditors, investors, or prospective sponsor banks. So, in this fall season, don’t treat risk assessment and management like a costume that you pull out of the closet once a year and hope to win the contest. Make it a part of your company’s daily routine.
Kimberly Hebb, Co-Founder & CRO of BalancedTrust