Banking as a service

[Figure: "Banking as a service" stack based on the cloud stack by Scholten, derived from Lenk et al.]
[Figure: UML class diagram depicting banking]

Banking as a service (BaaS) is the provision of banking products (such as current accounts and credit cards) to non-bank third parties through APIs. [1]


Description

As a value network, BaaS aims at integrating as many service providers as needed into one comprehensive process to complete a financial service in an effective and timely manner. It is implied that a BaaS would include certain features in addition to providing a financial service. There must be means for managing, deploying and delivering the services' environment. The services must of course be in legal compliance with the banking laws in the regions where they are made available, with (at least) one entity within the process possessing a banking license. Of utmost importance is the assurance that proper mechanisms are in place to provide security, such as strong authentication and additional measures to protect sensitive information from unauthorized access throughout the entire process. These security mechanisms must comply with the data protection laws of the jurisdictions involved. With the proliferation and acceptance of BaaS, the emergence and rapid growth of fintech can be expected. Fintech is "a business that aims at providing financial services by making use of software and modern technology." [2]

API-based stack

[Figure: This stack can be used with a licensed bank as foundation, a BaaS as middleware, and an ecosystem of FinTechs on top.]

Skinner suggested a three-layer representation of the BaaS stack. [3] In this stack, the underlying infrastructure-as-a-service is provided by a traditional, licensed and regulated bank. Above this bank sits the centralized middleware layer that Skinner refers to as "bank as a service". On top of the bank as a service is a group of decomposed banking services consisting of an ecosystem of fintech startups and service providers.

With this technology, built on the BaaS platform, it is possible to create fintech banks, which could improve banking processes and provide increased convenience for banking clients. In such a constellation, fintech banks can compete directly with banks by offering core-banking services without having to build all the products that would be needed. The API-based bank as a service platform serves as the back-end that hosts standalone, independent fintech startups and integrates seamlessly with any existing back-office of traditional banks. This allows non-banks to easily and cost-effectively launch additional financial products and expand into additional markets. [3]

Cloud-based stack

Dynamic development and growth in the world of fintech have made the API-based bank-as-a-service stack obsolete in contexts where tech-companies now own licenses to operate as regulated banks, thus eliminating the reliance on classic banks. Embracing the new developments in financial technology and services, the banking-as-a-service stack can be redefined in analogy to the cloud stack. [1] [4]

Infrastructure as a service (IaaS)

The infrastructure as a service (IaaS) layer provides basic infrastructure services through an IaaS provider. A majority of these services would be available on demand and do not necessarily need to be fintech-specific services (Amazon Web Services or OVH, for example). This layer would include the server and communication hardware (physical layer).

Banking as a platform (BaaP)

On top of the IaaS layer would be the banking as a platform provider (BaaP). The BaaP would be a bank that is either fully licensed itself or uses an external regulated bank's licensed banking services. The decomposed banking services (fintech SaaS) are, in essence, plugged into this layer. Data security plays a crucial role in the BaaP. There is a need for monitoring functions that enable seamless and secure operations across applications and domains through secure authentication.

FinTech SaaS

Fintech SaaS (software as a service) refers to all atomic or composite software-based financial services that are available on demand. When these services are provided through a BaaP, they need to comply with the BaaP's API specifications. The services may either be physically deployed in the BaaP's domain or operate externally. This makes it possible to plug financial services from other banks into the BaaP to create new composite application services. The result is that traditional banking services can now be virtualized and dispatched via composite application services. This does, however, present a challenge in verifying that none of the plugged-in services violates the regulations imposed by banking authorities.

HuaaS

Humans as a service [4] represents the top layer of the proposed revision of the BaaS stack. While at the onset this layer may not seem especially important, as fintech services continue to grow as a segment of the financial services market, services performed by cloudworkers will take on increased importance. This is a behind-the-scenes component: end-users will be unable to tell a completely automated service from one that includes HuaaS.

Potential consequence

The consequence of having a decomposed stack is that there are multiple ways in which the customer's front-end could be presented. One way would allow the BaaP provider to appear directly as a bank to its customers. This necessitates the provision of a front-end user interface to the end-customers, including user authentication and other features. The bank would appear as any other online bank, where all banking services are presented and seamlessly integrated in a single user interface. Another option is that the bank operates as a white label bank, with a software as a service provider on top of the BaaP acting as the front-end to the end-customer.

White label banking can be an answer to the challenge platform providers face in attaining customers. It can be used to offer banking services in environments where a large group of users already exist, including chains of grocery stores, hypermarkets or existing online portals. [1]

Integrated BaaS structure vs. single service offering

A single service provider is at a greater risk of failure than a provider that offers a larger portfolio of services. Using an integrated BaaS structure efficiently provides an end-to-end value proposition that frees the service provider from having to develop all the needed peripheral services, including authentication and other security services. Those who adopt the BaaS structure are able to provide a higher level of trust than a smaller provider could. [5]

Security

Cyber-crime remains a constant and serious threat to the banking industry. Introducing additional entrance gateways by offering a growing number of composite online services increases the risk of cyber-crime. It is important that each service be properly firewalled to prevent malicious intrusions. This presents a challenge to a satisfactory user experience if the user needs to be constantly re-authenticated while performing an online transaction across several domains or applications. Instead, the many domains and apps that are used need to be interwoven in such a way that once a user has been authenticated, this authentication carries through as the user conducts the transaction. This can be accomplished through the 3 degrees of freedom in digital banking, involving:
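The paragraph above asks for authentication that carries across several domains once it has been established. The following is an added illustration, not code from the article or from any of the products it names: a BaaP-style identity service (hypothetical issuer name "baap-auth") signs a short-lived assertion listing the downstream services allowed to accept it, and each downstream domain verifies the signature, the audience and the expiry before trusting any claim, so the user is not re-prompted at every hop. HMAC-SHA256 with a constructed shared secret is used to keep the example self-contained; in practice an asymmetric signature would normally be preferred so that downstream services hold only a verification key.

```python
"""Added example (not from the article): a minimal signed session assertion
that lets a user's authentication carry across cooperating domains.
Issuer name "baap-auth" and the service names are hypothetical."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret for the example; a real deployment loads it from a secret store.
SHARED_SECRET = b"example-secret-do-not-use-in-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(subject: str, audiences: list, ttl_seconds: int,
                    secret: bytes = SHARED_SECRET, now: Optional[float] = None) -> str:
    """Issuer side: bind the authenticated user to the services allowed to accept
    the assertion and to a short lifetime, then sign the encoded claims."""
    now = time.time() if now is None else now
    claims = {
        "iss": "baap-auth",    # hypothetical issuer name
        "sub": subject,
        "aud": audiences,      # downstream domains that may accept this assertion
        "iat": int(now),
        "exp": int(now) + ttl_seconds,
    }
    payload = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_assertion(token: str, expected_audience: str,
                     secret: bytes = SHARED_SECRET, now: Optional[float] = None) -> Optional[dict]:
    """Verifier side (one downstream domain): return the claims if the token is
    authentic, unexpired and addressed to this service; otherwise None.
    The signature is checked first, in constant time, before any claim is read."""
    now = time.time() if now is None else now
    try:
        payload, sig_b64 = token.split(".")
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None                      # tampered or forged
        claims = json.loads(_unb64(payload))
    except (ValueError, json.JSONDecodeError):
        return None                          # malformed token
    if claims.get("iss") != "baap-auth":
        return None
    if expected_audience not in claims.get("aud", []):
        return None                          # issued for another service, not this one
    if not (claims["iat"] <= now < claims["exp"]):
        return None                          # expired or not yet valid
    return claims


def demo() -> dict:
    """Walk one constructed transaction through two domains, then show that a
    third domain, an expired token and a tampered token are all rejected."""
    t0 = 1_700_000_000
    token = issue_assertion("customer-42", ["payments.example", "cards.example"], 300, now=t0)
    # Flip the trailing signature characters to simulate tampering in transit.
    tampered = token[:-4] + ("AAAA" if not token.endswith("AAAA") else "BBBB")
    return {
        "payments_ok": verify_assertion(token, "payments.example", now=t0 + 10) is not None,
        "cards_ok": verify_assertion(token, "cards.example", now=t0 + 10) is not None,
        "other_domain_rejected": verify_assertion(token, "lending.example", now=t0 + 10) is None,
        "expired_rejected": verify_assertion(token, "payments.example", now=t0 + 301) is None,
        "tampered_rejected": verify_assertion(tampered, "payments.example", now=t0 + 10) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The audience list is what keeps a single authentication from becoming a single point of compromise: an assertion accepted by the payments domain is useless at a domain it was not issued for, and the short expiry bounds how long a leaked assertion is worth anything.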

Regulations

Banking is a highly regulated industry throughout the world and online banks utilizing BaaS are no exception.

Europe

In Europe, BaaS for fintechs is overseen by the Payment Services Directive (PSD, 2007/64/EC) and its 2nd amendment (PSD2), adopted in November 2015. [7] Banking licenses are overseen by competent national authorities in accordance with Directive 2013/36/EU and Article 14 of Regulation (EU) No 1024/2013. [8] The eIDAS regulation provides requirements for authentication, electronic identification and trust services for electronic transactions throughout the entire end-to-end process. [9] Additional oversight for financial and insurance transactions is provided through Directive 2004/39/EC [10] and Directive 2016/97/EU. [11]

United States

In the United States, banks are highly regulated at both the state and federal levels. The Securities and Exchange Commission (SEC) is responsible for much of this regulation. [12]

Asia

Asia is at a strong disadvantage because its jurisdictions are far more fragmented than Europe's. Fintechs can plug into the national banking-as-a-service hub to present their specific regulated and licensed face to their customers. [3]

Africa

Fintechs in Africa have provided an original financing solution in a previously unserved and untapped banking market. Because it is primarily mobile-based, African fintech is subject to national jurisdiction with regard to the regulation of both financial markets and mobile telecommunications. [13]

Australia

Australia's government is behind in regulating fintech in comparison to the European Payment Services Directive. [14]

Brazil

In Brazil, BaaS is regulated by the Brazilian Central Bank within the rules for a Payment Institution. [15] The best-known BaaS fintech providers in Brazil are Matera, Zoop, Dock, and S3 Bank. [16]

Russia

Russian banks are actively introducing BaaS, for example, the largest private bank Alfa Bank.

References

  1. Scholten, Ulrich. "Banking-as-a-Service - what you need to know". VentureSkies. Retrieved 25 December 2016.
  2. "FinTech Definition". FinTech Weekly. Retrieved 16 January 2017.
  3. Skinner, Chris. "Overview of APIs and Bank-as-a-Service in FinTech" (PDF). ASAP Agency Moscow. Retrieved 16 January 2017.
  4. Lenk, Alexander; Klems, Markus; Nimis, Jens; Tai, Stefan; Sandholm, Thomas (May 23, 2009). "What's inside the Cloud? An architectural map of the Cloud landscape". 2009 ICSE Workshop on Software Engineering Challenges of Cloud Computing. pp. 23–31. doi:10.1109/CLOUD.2009.5071529. ISBN 978-1-4244-3713-9. S2CID 14619005.
  5. Skinner, Chris (September 7, 2014). Digital Bank: Strategies to Launch or Become a Digital Bank. Singapore: Marshall Cavendish International (Asia) Pte Ltd. ISBN 978-9814516464.
  6. Balbas, Luis. "Digital Authentication: Factors, Mechanisms and Schemes". Cryptomathic. Retrieved 17 January 2017.
  7. The European Parliament and the Council. "Directive (EU) 2015/2366 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC". Official Journal of the European Union. Retrieved 17 January 2017.
  8. The European Parliament and the Council. "Directive 2013/36/EU on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC". Official Journal of the European Union. Retrieved 17 January 2017.
  9. Turner, Dawn M. "Understanding eIDAS". Cryptomathic. Retrieved 17 January 2017.
  10. Commission of the European Communities. "Commission Directive implementing Directive 2004/39/EC of the European Parliament and of the Council as regards organisational requirements and operating conditions for investment firms, and defined terms for the purposes of that Directive" (PDF). European Commission. Retrieved 17 January 2017.
  11. The European Parliament and the Council. "Directive (EU) 2016/97 on insurance distribution (recast)". EUR-Lex. Retrieved 17 January 2017.
  12. Marino, Jon (6 May 2016). "A wave of regulation is coming for fintech". CNBC. Retrieved 17 January 2017.
  13. van der Beek, Wim. "Five factors that differentiate Africa's fintech". CNBC Africa. Archived from the original on 18 January 2017. Retrieved 17 January 2017.
  14. Lucas, George. "Australia needs to foster FinTech with level playing field". The Australian Business Review. Retrieved 17 January 2017.
  15. Banco Central do Brasil. "O que é instituição de pagamento?" ("What is a payment institution?"). bcb.gov.br.
  16. Global Legal Chronicle. "Banco BV's Investment in S3 Bank". globallegalchronicle.com.