Banking-as-a-service: Risks and complexities to consider before choosing the right partner

Aparna Chandrashekar   /    Content Specialist    /    2022-02-17


An oft-misquoted statement attributed to Charles Darwin (he didn’t actually say it), and one used in innumerable business presentations, sums up Banking-as-a-Service (BaaS): “It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is most adaptable to change.”

But adaptability in the banking and finance world is easier said than done. Data is sensitive, security is a challenge, and operations are complex. This is what kept financial institutions from adopting digital technologies and innovations for so long.

In the BaaS value chain, banks have the upper hand - they hold the core elements of the banking product and operations stack. What they lack is the technology to integrate easily with businesses and streamline operational capabilities. This is where fintechs come into play. BaaS models generally involve the bank delivering services via Application Programming Interfaces (APIs), usually developed in collaboration with a BaaS platform partner that serves as the interface between the bank and different companies.

Given the potential of the BaaS and Open Banking market, projected at $43.15 billion by 2026, financial institutions need to adapt by forging partnerships with the right fintechs.

But, as we mentioned earlier, adaptability is complex and risky. We’ve compiled a four-point checklist for financial institutions to consider before ratifying the contract with their fintech partner.

Risk management 

Establishing a BaaS contract with a fintech company doesn’t relieve banks of any of their risk management obligations. In a BaaS arrangement, it is not intuitively clear who the service provider is. So, instead of bucketing partners into ‘vendor’ and ‘service provider’ categories and assessing risks accordingly, banks should be asking themselves the following questions:

  • What are the risks for me in this arrangement, especially legal and reputational risk?

  • What’s the criticality of the functions performed by the partner? 

  • How would non-performance/misconduct by the partner affect me?

  • What’s the level of oversight I plan to have over my partner?

If the allocation of risk and responsibility for the different parts of the BaaS chain is baked into a standardised process, due diligence becomes a matter of setting minimum guidelines and ensuring partners comply with those standards.

Data allocation, usage and protection

As a financial institution, you’d probably want, and in some cases may be required by law, to restrict what the partner may do with customer information. Negotiating the terms of data usage can be challenging, and the partner may disagree on where to draw the line on the extent of access to customer information.

Since customer-provided information is used to effect both the BaaS credit transaction and the lending decision, a distinct line needs to be drawn between what belongs to the bank and what belongs to the partner, even where the two overlap. Negotiating these distinctions will be important for both sides.

There’s also the case for a tight data security plan, since the ultimate onus of a data breach falls on the bank. Considering that a data breach is the single biggest risk faced by lenders today, to the tune of $5.85 million per breach, here are some basic questions you can ask your fintech partner:

  • Whether they are compliant with ISO 27001

  • Whether the servers hosting customer data are located in India

  • Whether sensitive data is tokenized and all personally identifiable information is anonymised

  • Whether they conduct frequent, automated penetration testing and vulnerability scanning

  • Whether all data (data at rest and data in motion) is encrypted

  • Whether they have an explicit consent communication framework

Goal Alignment

Creating a roadmap that sets out what each party wants to achieve in the short and long term is important, and a technology blueprint especially so. Some basic questions you can ask your fintech partner:

  • Do you have plans to serve other, high-risk verticals in the future?

  • What are your plans to rapidly grow your customer base? 

  • What additional features/capabilities beyond your existing products will you offer? 

  • Can our existing products fit into your future plans? 

  • What additional compliance/administrative requirements would those plans bring with them?

Contract structuring 

Approaching the contract thoughtfully is a challenge, primarily because services flow in both directions. The fintech partner may be performing key functions for the bank, such as handling direct customer communication, complaints, and the transmission of disclosures. The contract therefore needs to clearly segregate these multifaceted responsibilities, especially customer relationship management and regulatory compliance.

We’re not saying anything that hasn’t been said before - BaaS partnerships are changing the face of the financial services industry. These arrangements come with their own unique challenges, which can be addressed with thoughtful due diligence, risk mitigation measures and tight data security plans that are communicated effectively to your fintech partner.

FinBox is an ISO 27001-certified technology product company working with banks, NBFCs and MSMEs to democratise lending. Our alternative data-based underwriting models can speed up approvals by 90% and help banks approve 50% more customers.

If you’re thinking about more than just surviving - if you’re looking to adapt and thrive in the growing world of BaaS - hit us up here.