By Ian Cox
The opinions expressed in this blog are solely the author’s and do not reflect the views of PayPal.
On May 1, 2024, T-Mobile finalized the acquisition of Ryan Reynolds-founded Mint Mobile for $1.35 billion. Ironically, despite having 4 million subscribers, Mint Mobile did not own or operate a single cell phone tower.
Mint Mobile is one of many successful MVNOs (Mobile Virtual Network Operators) in the US and globally, like Cricket Wireless or US Mobile. Simply put, MVNOs create brands with tailored user experiences for specific end consumers, but rely entirely on incumbent telcos’ (e.g., AT&T, Verizon, T-Mobile) technology and infrastructure. In short, they resell telcos’ excess capacity and regulatory standing but in different packaging. And they do so without the immense capital requirements of building out a network or the regulatory burden of dealing with the FCC. For incumbent telcos, opening their infrastructure to MVNOs allows them to reach incremental customers (millennials who love Ryan Reynolds, perhaps?), and create a new revenue stream by monetizing excess capacity.
Though a bit more obscure, and certainly lacking the celebrity appeal, similar constructs and dynamics have existed in the financial services industry for some time. In 1979, for instance, GE Capital (now Synchrony) launched a credit card for consumers and contractors to pay and finance their purchases at Lowe’s home improvement stores. Synchrony still operates this portfolio today, and like a telco, owns the infrastructure (namely the balance sheet and lending decisioning) and the required licenses and regulatory relationships (with the OCC, CFPB, FDIC and State Regulators). Lowe’s markets the card directly to its consumer base but is generally not involved in any part of the lending or servicing operations.
Much like MVNOs built upon telcos’ infrastructure, in the last decade, thousands of financial services startups have been built on top of chartered and/or licensed institutions’ capacity and regulatory standing. And often the technological connection between these startups and their infrastructure providers is created through third-parties or middleware. This connective tissue – between startups and the financial mainstream – has been dubbed “banking-as-a-service” (BaaS).
While BaaS originated from similar market dynamics to the MVNO-Telco example, BaaS has evolved in its own direction, and given recent headlines, we believe the sector is at a crossroads. In this piece we discuss (1) the origins of the US BaaS sector, (2) recent relevant market developments, (3) the latest changes in the regulatory climate, and (4) where we see the industry headed and investment areas we like.
What is banking-as-a-service?
Non-banks and other players want to embed financial functionalities into their products; in this pursuit, banks may seem like the obvious potential partners. However, even though banks have the regulatory standing and balance sheets, most are running on technology that is too antiquated and inflexible to meet startups’ expectations. Like many asset-heavy businesses, banks are exposed to risks of technological obsolescence, asset depreciation, regulatory burdens, and market fluctuation. This often means that the value of partnering with startups is not material enough to justify banks building new bespoke technology, and for startups, dealing with banks directly may delay their speed to market.
BaaS players emerged to bridge this gap, building difficult integrations into core banking systems(often mainframes) and exposing specific functionalities to startups via API (see illustrative diagram below).
Some of the biggest names in US fintech were built and currently operate using BaaS constructs. Chime is not actually a bank; for the majority of its functionality, it relies on Bancorp and Stride Bank. Cash App, which is owned by Block, offers a debit card through partnerships with Marqeta and Sutton Bank, and also provides account numbers and ACH transfers through its partnership with Lincoln Savings Bank. PayPal itself partners with multiple regulated financial institutions to offer products to its consumer and merchant customers globally.
Since the beginning, however, these three-way relationships between banks, BaaS players, and the startups they serve have had their challenges. Startups – often VC funded – are incentivized to move quickly, to favor experimentation, and to grow exponentially . Similarly, the BaaS platforms that power these experiences (often startups themselves) aim to serve their key constituents – product engineers at startups – with clean, scalable, and flexible API-based solutions.
However, the banks on the back end may be a bit more reluctant to operate in this manner. These are often smaller regional players, and while they do benefit from the additional volume and reach that BaaS platforms provide, it comes with a tradeoff. These banks accept being one or two layers removed from the actual end user, but in doing so, take on significant operational and regulatory risk. Some of these banks have small teams, limited experience operating digitally (i.e., not in-person relationship banking) and can be ill-equipped to manage the exponential growth of their newly assumed digital channels. From a regulatory perspective, being removed from the end-user means that partner banks may lose a degree of control and visibility of key aspects of the customer relationship. These diverging incentives can raise challenges.
Does anyone love their partner bank?
In speaking to hundreds of early stage fintech startups in the US each year, dissatisfaction with their partner banks is not rare. Tech-first startups want to move fast, but despite the modern window dressing provided by intermediary platforms, the nature of a regulated industry and antiquated core banking systems is inescapable. When banks face risk or uncertainty their instinct and policy is to slow down; when startups face uncertainty they purposefully fly closer to the flame. The BaaS platforms in the middle tend to side with the startups because at the end of the day, they are the ones paying the bills, and often may do so at the expense of their relationship with the partner banks.
The very public, bankruptcy of Synapse, a BaaS provider, and the difficult relationship with its partner bank, Evolve, are a case study in the nature of this uneasy dichotomy. While we do not know for certain if the Synapse situation is the result of bad operations, bad software, or bad actors, it does highlight the challenges and accountability gaps resulting from the multi-party model. It’s also not the first enforcement action that has affected partner banks, BaaS players, and their downstream customers. Unlike the very public fallout at Silicon Valley Bank (SVB), the FDIC may not step in to reunite customers with their funds in this case. This is because strictly speaking, Evolve – the chartered entity – is not insolvent. While the fallout with Synapse and Evolve is the most salient, recent – and significant – friction between platforms, banks, and end-users are not uncommon and have set the stage for regulatory changes and emerging business models.
What is stirring on the regulatory front? What might change?
For the past several years, the Federal Reserve and the Office of the Comptroller of the Currency (OCC), along with state banking regulators, have been very active in bringing enforcement actions against banks that provide BaaS services to fintechs. Actions that have been made public include Thread Bank, Blue Ridge Bank, Lineage Bank, Choice Bank, and Pierpont, and it can be expected that many similar regulatory findings have been delivered to regulated banks without a public announcement of an enforcement action.
The primary focus of banking regulators is on the “safety and soundness of the banking system” and, accordingly, areas of concern arising from BaaS activities include a bank’s regulatory obligations to supervise third parties who have access to the bank’s licensed capabilities. For example, if a middleware provider or fintech is not conducting Know Your Customer (KYC), sanctions screening, or AML compliance adequately, it can potentially expose the regulated banking partner to those risks. Other concerns include potential violations of the Bank Secrecy Act, misleading marketing of FDIC insurance protections, infosec/cybersecurity breaches, and/or poor board governance leading to business continuity risks. The federal banking regulators (OCC, FDIC and Federal Reserve) recently issued a joint statement that emphasized risks of the BaaS model, including: (a) significant operations performed by a third party; (b) fragmented operations; (c) lack of access to records; (d) third parties performing compliance functions; (e) insufficient risk management to meet consumer protection obligations; (f) lack of direct contracts with all parties; (g) lack of experience with new methods; and (h) weak audit coverage. The regulators expect that banks will ensure practices are consistent with guidelines for safety and soundness and risk management principles for third-party relationships.
Meanwhile, there are countervailing considerations in recent Supreme Court decisions that have (i) overruled the Chevron doctrine that previously had required courts to defer to the reasonable interpretation by a regulatory agency of an ambiguous statute (Loper Bright Enterprises v. Raimondo) and (ii) limited the power of federal agencies to levy fines on market participants without a jury trial (Jarkesy v. SEC). As of this writing, it is unclear how these court rulings will impact regulatory actions with regard to BaaS, but it seems likely that regulatory enforcement in general will face more challenges as a result. Furthermore, the results of this year’s U.S. Presidential election will be a significant factor in the future stance of the banking regulators.
Where do we go from here?
Venture capital and startups evolve quickly to benefit from big shifts, and we believe this will be no exception. Anticipating significant market and regulatory shifts in the US, we are actively shaping our investment hypotheses and pipeline around “BaaS 2.0.”
The chart below depicts a point-of-view of how the market may develop in the medium-term to emphasize the bank channel first and foremost. Startups will of course continue to partner with banks on their own, or via some of the remaining intermediary platforms; however, we believe the pendulum is ultimately swinging toward ‘bank-first’ go-to-market strategies.
Thesis 1. Powering bank branded experiences
The root cause of the existing agency problem in BaaS 1.0 (in the US) is that the startups – not the banks – are the customer. As such, the intermediary platforms (who were and are getting paid by the startups) are incentivized to go fast and sometimes cut corners. And, as a result, the banks are left holding the proverbial bag from a regulatory risk perspective.
We believe this will change and the next generations of BaaS platforms will focus on selling into banks – not startups. For one, fintech startups are a notoriously volatile customer book. Furthermore, we anticipate that , BaaS platforms will react to banks’ imperatives: the need to retain control, manage risk, and ultimately own the customer relationships. The renewed BaaS value proposition will focus on helping banks address their technology gaps, but on their own terms and at their own speed. New BaaS platforms will integrate into banking cores systems (or next to banking cores) and enable banks to create better products and experiences for their existing customers, first and foremost. (This could also allow BaaS providers to compete for fintech and non-fintech opportunities once the Synapse dust settles.)
Based on this thesis, non-US players may be a few steps ahead; PayPal Ventures has already backed the likes of Prometeo and Mintoak, both of which have distinctive bank-first go-to-market strategies. In the US, we are seeing the ecosystem respond to this theme and are actively tracking startups like Tesouro (which enables banks to cross-sell merchant services offerings to their SMBs) and others.
Thesis 2. Better tools for fewer builders
Wrapping banking cores with more modular, API-first functionality helps bridge the gap but does not solve the whole problem. It enhances compatibility with older banking cores and creates opportunities for new product innovation. However, a new constraint appears: most banks lack the product and engineering talent and depth to take advantage of these new sets of tools. Having a new shiny, modular and scalable API set is only transformational if there are engineers to build with it.
Given this limitation, we think there is an opportunity for BaaS 2.0 startups to transcend the infrastructure layer, and also play a role in design and user experience.. In addition to connecting to the core, BaaS 2.0 can provide templates or easy low-code / no-code functionality to its partner banks, which can unlock new product innovation while meeting banks where they are. Along this thesis, we are tracking startups like Pollinate which provide their bank customers with configurable ‘mini-apps’ that can be easily implemented.
Admittedly, this may not be an issue for larger banks that already have large in-house development capabilities, or for the banks who still want to partner with the fintech ecosystem despite the Synapse / Evolve fallout.
Thesis 3. BaaS 2.0 subcomponents
While the new generation of BaaS players will have their hands full with difficult integrations and much longer bank sales cycles, they will likely need to rely on third parties to develop specific subcomponents or functionalities. In the future state, we envision that BaaS 2.0 will not only act as the orchestration layer and interface on top of the core banking systems, but it may also become a distribution channel for a curated and specialized set of point solutions by third parties that it can supply seamlessly to banks.
In this vision, there is opportunity for players big and small. In terms of investable opportunities, we are seeing many highly specialized functions being provided in API form via BaaS 2.0 platforms. This universe of solutions is incredibly broad but could include the likes of embedded remittances capabilities (see Remitee and Caliza), RTP initiation and payouts (see Aeropay), fraud-detection (see Stratyfy), or even embedded tax-preparation (see April and Column Tax).
What about core banking?
Setting aside regulatory considerations, the genesis of the BaaS 1.0 space was partially driven by the underlying limitations of legacy core banking infrastructure. If BaaS 1.0 was a bit of a band-aid, in BaaS 2.0 not much has changed. Can we imagine a new generation of core-banking systems that obviates the need for BaaS middleware and connectors altogether? We remain cautious about the investability of this subtheme, but remain open to the possibility of fixing the root cause.
Even if these core-banking startups were to emerge, ripping and replacing a deficient yet functional core banking system is a non-starter for most banks. The constraints are numerous: banks already have crowded product roadmaps, massive capital investment requirements, and huge operational risks related to switching stacks. As such, we believe that innovation in core-banking will continue to be incremental with incumbent providers (e.g., Fiserv, FIS, Jack Henry) able to respond to banks’ needs at a reliable pace. We will certainly keep our eye on the space, but ‘newcomers’ Mambu (13 years old) and Thought Machine’s (10 years old) inability to win big as of yet gives us additional skepticism.
The end game for startups and VCs
Ultimately, we believe that there will be incremental vertical integration between banks and BaaS platforms. This may occur via partnerships, but also could happen through acquisition, and will hopefully solve the latent agency problem by bringing the tech stack and regulatory charter under the same roof. SoFi’s acquisition of Galileo or FIS’s acquisition of Bond could suggest a path forward with a preferred exit outcome for venture investors. Ultimately, will BaaS players become banks, or will banks become (or acquire) BaaS players? This remains to be seen. For our part, we remain optimistic while we watch BaaS 2.0 take its ultimate shape.