Compliance is often dismissed as a business blocker. In my experience, it can be quite the opposite if organizations can rethink the way they operate. Putting people in the second line of defence on deals from the start has been crucial for Aion Bank to roll out banking-as-a-service to customers, sometimes within weeks.
Cassy Ramsey is chief risk officer at Aion Bank
BaaS, as we know it, began in the 2000s by empowering retailers and marketplaces to offer their customers banking products directly on their websites and apps.
Today, it is available to almost any enterprise – and captures the interest of regulators. However, BaaS is still perceived by most as the “Wild West” of finance.
What does the future hold? I believe the movement is entering a more “responsible” era – one where the compliance and risk functions at banks are business enablers – not blockers.
“Us vs them”
My career path to becoming a CRO is not what you might expect.
I have worked mainly as a chief operating officer and in general management roles for global brands, including Citi, Santander and American Express, where I led teams responsible for technology and operations.
This means I am more than familiar with the challenges of the first line of defence and the well-established dynamics of “us vs them” between the first and the second and third lines.
Some find it surprising that I lean on my technology and operations expertise just as much as my internal control and risk oversight experience in my role as CRO at Aion.
Seasoned COOs know the value of “first time right” and efficiency in tech design. This is about more than just a seamless customer experience: it reduces the risk of unnecessary costs in the back office by ensuring that tech addresses risky manual processes in the development phase.
How many of us have experienced tech development lifecycles where risk or compliance arrive at the last minute to upend an entire project? My guess is most. And no matter how valid the challenge, these situations taught me that early engagement is the key to success – for all parties.
Why is BaaS hard for traditional banks?
Compliance is still mostly inserted at the end of the journey - and I would argue far too late. This is because most traditional retail banks continue to be constrained by mainframe technology, which is both cumbersome and expensive to work with, and they tend to work in waterfall mode.
Even when traditional banks apply agile methodology, it is unusual to see compliance or risk colleagues included, probably because they are perceived as slowing down the process.
Hitting the accelerator
What we see at Aion Bank, though, is that bringing in the risk team at the beginning of the conversation with any prospective client speeds up the whole process.
Including the second line of defence from the get-go avoids unpleasant and costly surprises in any project's late stages. An extra advantage is that compliance can monitor our partners to ensure things are working as expected and that the established controls are working.
This means that, instead of projects taking months or years, we get clients to markets in weeks and months.
We are currently working on a BaaS project that was brought to the executive committee for consideration in late November last year, to go live in June 2025. Given the traditional freezes and holiday period of December, it would be unthinkable to meet such ambitious timelines in a traditional bank.
Another example is a global fintech client that needed access to a Polish banking licence to avoid the expensive fees associated with cross-border transactions. It took us three months to set them up with access to Polish IBANs and payment schemes so they could offer their services in Polish zloty.
My guess is this project would take a year or more in a traditional bank.
Does BaaS 2.0 lead to Regulation 2.0?
If BaaS 1.0 was fueled by investors wanting growth at all costs without much thought to regulation, BaaS 2.0 will be compliance-first and led by banks.
The concept is still relatively new for regulators and, historically, new agile companies are difficult for them to understand. This makes transparency and a strong partnership with watchdogs very important.
We have seen some BaaS providers get into trouble with regulators because their clients onboarded end customers without really knowing who they were, or violated anti-money laundering laws because they didn’t fully understand them.
Many non-financial companies we work with are not knowledgeable about regulation and compliance, so banking expertise plays a prominent role in product development, and we are there to help.
So how does a BaaS provider determine if a client might cause them issues?
By explaining the BaaS provider's own risk appetite and ensuring that the client understands the mechanics of how to work within that framework, and how their business strategy will be achieved or even accelerated within such a framework.
At Aion, we prioritise having a good working relationship with the National Bank of Belgium. BaaS providers will need to show regulators they have three lines of defence, although it might look slightly different from traditional banks. There will be complexities, and one size will definitely not fit all companies.
Banks at the centre of BaaS 2.0
Bigger banks now see BaaS as a model that can complement rather than compete with their existing businesses. UniCredit became the first big European bank to fully acquire a player in the sector when it acquired 100% of Aion Bank and Vodeno in March this year.
For BaaS 2.0 to deliver its promise, every provider needs to put compliance at the heart of its organisation. There also needs to be a mindset shift and buy-in from the business to move risk from defence to offence. In this new reality, CROs can be of more added value by proactively engaging with the business and stepping out of their comfort zone at times.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.