The BaaS space is on 🔥 ... but sadly not in a good way. The ongoing Synapse/Evolve saga in the US is casting a dark cloud over the space and is challenging the validity of the ecosystem to its core.

Only time will tell what direction the BaaS space goes from here, but Synapse’s collapse has raised the question across the pond: Could the same thing could happen in the UK or Europe?

In order to address that question and fully understand the differences in the BaaS space across the pond, we asked three industry leaders to dive into the differences between UK/EU and US-based BaaS platforms, what banking partners are doing to ensure safety for customers, and how they see the BaaS model evolving from here. .

This is our first foray into longer, hopefully educational if not interesting content at TWIF UK & Europe so please let us know your thoughts and any topics you are interested in us covering.

Responses below have been lightly condensed for brevity.

Introducing the participants

David Jarvis (DG) - CEO and co-founder of Griffin. Griffin is an authorised UK bank that powers a range of fintech businesses.

DJ, Griffin - We work with both regulated companies (typically payments and wealth firms) as well as unregulated firms looking to embed banking or payments services into their products. 

Nicolas Benady (NB) - CEO of Swan. Swan's embedded finance platform allows companies of all kinds to unlock the full potential of their product with banking features such as accounts, cards and, payments

NB, Swan - We primarily work with unregulated companies, such as startups, SaaS platforms, and marketplaces, that want to embed banking features into their offerings. I’d say 95% of our clients are non-regulated companies.

These companies don’t want to necessarily become a neobank, but rather add a payment layer or banking features on top of their existing, core offer.

Now, when we do work with regulated companies, we act more in payment orchestration or as a key part of their core banking system. For example, we partner with fintech innovators like Alma, a regulated entity providing a flexible payment instalment solution.

Rebecca Skitt (RS) - Deputy Group Chief Executive Officer of The Bank of London. The Bank of London is a principal UK clearing bank authorised and regulated by  the Bank of England’s Prudential Regulation Authority and Financial Conduct Authority.

RS, The Bank of London - We partner with companies that wish to embed compliant banking products into their offerings from a licensed bank. We support regulated, non-regulated, and pre-regulated businesses, with a primary focus on those in the financial services sector.

Clients are attracted to us due to our safer banking proposition, purpose-built cloud-native technology, easy API integration, and exceptional client service, which is not as common as many might think.

We serve companies that want multi-bank partners and companies that want to ensure business resilience as part of their risk management and diversification strategies and do not want to have their operating funds, or client money loaned, invested or leveraged elsewhere.

Unlike other banks, we hold all client deposits securely and fully liquid with the UK’s central bank, the Bank of England. Interest in this safer banking model has surged amid the recent bank collapses and particularly in the wake of SVB’s downfall.

What do you see as the core differences between how the BaaS ecosystem works in the US vs the UK?

DJ, Griffin - There are two huge differences: one commercial, one regulatory. 

On the commercial side, card interchange rules the roost in the US thanks to high rates of interchange and the unique market dynamics created by the Durbin Amendment. This gives a very high incentive to issue cards, with lots of revenue to be shared. 

In Europe, card interchange - particularly for consumers - is capped at such a low level that retail card programs might as well be thought of as loss leaders. I am personally not super convinced that this has ended up as a net good for the consumer, but that’s an argument for another time. It means BaaS firms need to look elsewhere for revenue. 

The main regulatory difference is that essentially all BaaS players in the UK and Europe more broadly are regulated firms (usually as Electronic Money Institutions [“EMIs”] rather than banks - sort of analogous to the US Money Transmitter framework). 

However, this regulatory framework has a major constraint, which is that EMIs can’t pay interest on any funds held (unlike in the US, where the BaaS players are simply distributing fully fledged bank accounts)

NB, Swan - The BaaS ecosystems in the US and the UK/EU have many differences, particularly in their regulatory approach. In the US, we’re seeing issues rise from the middleware BaaS approach, in which the middleware provider, that is, the technology provider simplifies connection to underlying 3rd parties and holds the relationship with banks and issuer processors.

The main difference here is that most BaaS across this side of the Atlantic aren’t simply middleware providers, they don’t simply partner with banks. They are regulated financial institutions themselves.

Swan, for example, has an “e-money license”. EMIs are regulated by banking authorities to ensure consumer protection and to prevent money laundering and other financial crimes. EMIs protect consumers' money through safeguarding and segregation account mechanisms. Even if the EMI fails, funds are protected. It’s very hard to get this license (it took us around 2 years), but it’s significantly easier than a full-fledged banking license. In the UK, Revolut is also an e-money institution (EMI), not a bank.

At Swan, we built our own Core Banking System, we are a direct member of Mastercard, we use our own BIC code when issuing IBANs, and we manage our banking operations ourselves — from KYC to clearing and settlement.

We are in full control of our roadmap and our risk. We can choose the clients we work with, and have better unit economics.

RS, The Bank of London - In the UK, we have a very progressive regulatory environment that supports the creation of new types of banks like The Bank of London, which do not lend, and instead allow for a focused, safer banking model. Having fully licensed tech-led banks offering BaaS eliminates the need for and reliance on unregulated middleware tech providers.

In the US, many banks rely on traditional core systems overlaid with an API layer to enable new products and services, with unregulated middleware tech providers playing a significant role. However, this setup often serves as a wrapper around traditional banking services rather than offering fundamental core access. Importantly, regulators do not have direct jurisdiction over these middleware providers.

Introducing a middleware layer adds complexities, such as account and payment reconciliation, and can obscure real-time data visibility. We aim to work with all stakeholders across the value chain to enhance transparency, speed, and reduce costs. While the system is inherently complex, we believe the current complexity exceeds what is necessary.

At the core of the issues with Evolve/Synapse appear to be related to the use of FBO accounts and related checks/reconciliations between parties moving money between accounts.

Do you utilise FBO accounts? What reconciliations and checks/balances do you have in place to prevent similar issues?

DJ, Griffin - Europe and the UK have various similar structures but they aren’t an FBO per se. The closest you could get to an FBO structure would be where a pooled account was being held on behalf of a trust; most of the other pooled account analogs (client money, safeguarding, etc.) require the “platform” to be regulated and to have controls around reconciliation. 

We disprefer pooled accounts in general (and have written about this extensively). We’re willing to use them if the customer is a regulated firm, but even then we’d much rather be the primary ledger holder.

NB, Swan - No, Swan doesn’t use FBO accounts. That’s a US thing. Instead, we keep a direct relationship with end-users for all sensitive operations. This approach includes managing ID verification, strong customer authentication as established by PSD2, and transaction confirmations. All this is done via our secure, OAuth2-based system. By maintaining direct control, we ensure compliance and mitigate the risks associated with account reconciliation.

When you allow a company to manage funds on behalf of —or in theory for the benefit of — their users, without assuming legal ownership of the account, you can end up misaligning incentives. In the FBO scenario, a Banking-as-a-Service provider can create one big bank account they'll manage with their partner bank. The BaaS can keep track of each customer's balance separately within that big account, by using a sub ledger. The partner bank ledger, however, only takes into account that one big account, not the individual customers balances. For example, if 500,000 customers each have $100, the bank sees one $50 million account. If the BaaS provider's records don't match the bank's records… you’re in for big problems.

Beyond that, when there isn’t clear responsibility for failing to properly manage risk, complicated situations escalate. There is a standard in our industry that enables traditional BaaS platforms to "rent" their license. Their clients can become agents. I believe this standard is broken.

At Swan, our partners don’t typically become our agents and we don’t partner with sponsor banks. Instead, Swan retains complete control over compliance and financial operations, to ensure robust oversight and reduce risk. Our approach encourages accountability and transparency for everyone involved. Our board is fully committed to overseeing this: even a single unaccounted cent at the end of the day triggers an immediate alert.

RS, The Bank of London - The Bank of London is a licensed bank, unlike so many BaaS providers out there that may look and act like a bank but are not regulated and in a position to offer regulatory- compliant financial products and services.

We built the bank from the ground up in the past few years and are not reliant on legacy infrastructure. We provide safeguarded physical or virtual accounts that allow our clients to hold funds for or on behalf of their underlying customers. Our purpose-built cloud native design approach means we are not reliant on delayed, third-party batching and reconciliations in the ways that many BaaS providers, supported by traditional banks and unregulated middleware tech providers are.

Fundamentally, we operate to the standards which meet the expectations of local regulators and expect our client partners to do the same.

Who do you think should own the ledger? What does an ideal reconciliation process look like that might have avoided what we are seeing play out in the US?

DJ Griffin - I feel very strongly that the bank should own the ledger, for two reasons:

• First, if the BaaS platform and the bank disagree about the overall sum of money in the account (as we’re seeing with Synapse), only one of those parties can be correct. And 99% of the time, it will be the bank. 
• Second, I’ve been doing this for long enough to know that non-bankers have a grotesquely uninformed view of what a ledger should do and how it should work. We have, arguably, only two battle-tested ledger technologies: double-entry accounting, and the blockchain. And yet most fintechs will try to convince you that their “single-entry” accounting system (typically called a transaction log) will do just fine. It won’t. 

So far, the arguments to the contrary have largely oriented around the pain of dealing with legacy bank technology. While there is real merit to those arguments, the risk of customer deposits not being appropriately accounted for means real people could end up losing their money through no fault of their own - and that’s just not acceptable.

NB, Swan - Embedded finance brings in essence a lot of complexity - all of our partners have different needs. It’s a challenge to build a platform that fits simultaneously the need of an accounting software and a gift card program.

So of course, you need different additional rules and logics for each ledger. But the foundation of it, well, that’s what it is, the foundation. At Swan, we own the ledger, the core banking system is our technology.

A thorough reconciliation process involves real-time transaction monitoring, automated auditing, and robust end-to-end encryption to safeguard data integrity. Regular, ongoing in-depth audits are necessary. A direct communication channel with regulators is also fundamental to reinforce and protect this system.

RS, The Bank of London - We see two modes of operation:

• Where the underlying bank itself is distributing a payment or deposit account,
  then ledger mastery must be retained by the bank, acting as a system of record.
  There will be financial events, query interaction and reconciliation with upstream platforms; but ledger mastery remains with the bank.
  
  This clearly places the onus for financial control and audit of partners’ controls on the bank, and provides the end customer and regulators with clarity and finality. Banks have the necessary expertise in managing financial records and adhering to stringent regulatory standards, maintaining trust and reliability with their customers and regulators.
  
• In the remainder of cases where the bank typically provides underlying payments, clearing and client funds custody, the picture is different. The bank must discharge its duty to ensure appropriate financial and accounting controls are in place, but the ledger mastery is in a partner’s platform.
  
  As a consequence of this, additional continuous and periodic controls, reconciliation and audit need to be built into the financial lifecycle to provide customers, regulators and stakeholders with the required certainty and risk mitigation. Interestingly, mature examples of this model working reliably, processing trillions annually, are hiding in plain sight – the payment card industry.

Who should own the compliance layer and why? Who owns it between your company and your customers?

DJ, Griffin - Because many of our customers are themselves regulated firms, it is not unusual for them to own the “compliance layer”. That said, we have a few different operating models:

• “Fully managed” - (where we do everything)
• “Tech provider” - where we provide technical rails to enable the customer to do the checks and retain visibility into the checks done and the nested customer base, but leave exception handling to them
• “Data sharing” - where we have full visibility but where another vendor is providing the technology and exception handling is left to the fintech
• “Reliance” - where the vast majority of the compliance layer sits with the fintech and we diligence their control environment (only for regulated customers)

NB, Swan - We are the regulated financial institution, we own the compliance layer. Our 120 clients, who are not regulated, rely on our expertise to navigate compliance requirements. By taking responsibility for compliance, we protect our clients, their end-customers, and of course, ourselves.

RS, The Bank of London - Like a good soccer team being attacked, compliance should be a team sport,
characterised by strength in depth, layering and redundancy. Think of the bank as the goalkeeper and the back line, the bank needs to manage and operate compliance controls across all lines of business, in line with regulatory obligations; period.

Upstream partners must run equivalent or complimentary controls:

• Equivalent controls where a layered approach makes sense, e.g. payment
  screening where the whole customer relationship is understood, vs a single
  product / single channel view.
  
• Complimentary controls where the customer context means the bank could not
  run that control effectively, a good example of this are fraud controls that rely on instrumenting the UX layer and sifting good logins from bad logins, data that a bank purely processing payments is blind to.

Think of this like the soccer midfield, dispossessing the opponent and nullifying the threat before it even makes it to the bank.

Finally to round out the analogy, strong situational awareness and communication
enhance the team’s performance, or by analogy, the strength and robustness of the
compliance environment.

As a regulated entity, banks inherently uphold high compliance standards, making this a valuable asset for any partnership. At The Bank of London, we view compliance as a superpower, leveraging our expertise and robust frameworks to manage it effectively.

How do you think the BaaS space will evolve in the UK and across Europe? What needs to change?

DJ, Griffin - I think we’re at the “end of the beginning”, if that makes sense. The early BaaS models (light on compliance, focused on pure distribution and product) are clearly of significant concern to regulators on both sides of the pond. 

I think there are two future models for BaaS. The first is the Griffin model of what Simon Taylor calls “headless banks” - you could include Column and Lead Bank in the US in that group and probably Solaris in Europe. The second is the bank-direct model e.g. Treasury Prime in the US and someone like Integrated Finance in Europe where they’ll help to accelerate the integration process but ultimately make sure the fintech and the bank are working with each other directly. 

NB, Swan - As the industry goes under scrutiny, compliance will become more and more important. This unified and integrated model, with license, tech and banking ops under the same BaaS roof, will likely grow. Collaboration with regulators to support innovation without compromising security will also be important.

And, even with an unified approach, BaaS is a complex activity. Many players are struggling in Europe, but there’s no doubt there’s a strong appetite for embedded banking solutions. The market is literally booming.

RS, The Bank of London - The space will continue to evolve. You see how much innovation is happening in Europe and here in the UK. We can expect to see regulators like the Bank of England’s Prudential Regulation Authority, the Financial Conduct Authority and the Payments Systems Regulator to continue evolving in how they work to meet the needs of a world that is becoming more digitally connected across payments and money.

It’s fair to say too, that a lot of fintechs have emerged that do not originate from a risk management and compliance background. The models that will grow and succeed will be ones where businesses focus on what they are really good at and what they deeply understand.

What do you make of the recent actions against EMI holders in Europe in the past 18 months?

DJ, Griffin - There’s so much I could say about this. 

First, Lithuania. Lithuania made a political decision to throw open its doors after Brexit as Europe’s new fintech HQ, and as a result many people who needed an EU EMI license on short notice applied there and got one. The problem is that the Lithuanian regulator has but a small fraction of the team or institutional expertise that the UK’s financial services regulators have. And pretty quickly they realised that they had authorised a lot of firms that were not really able to adhere to their regulatory relationships. 

So we’re now in a new political phase in Lithuania where the regulators are de-risking their portfolio of authorised firms and pulling authorisations from players they don’t trust. I expect this will continue until the overall portfolio of authorised Lithuanian firms is more proportionate to the number of people working at the regulator. 

Second, the EMI license more broadly. I think we’re seeing an increasing degree of regulatory skepticism about the ability of EMI license holders to fulfil their regulatory obligations in many European jurisdictions concurrently. You can see this reflected both in enforcement actions but also in the fact that the time it takes to get authorised as an EMI has gone up dramatically - when I moved to the UK in 2017 it was about 6 months; today it’s typically over two years. 

NB, Swan - Compliance and AML are the biggest challenges for BaaS platforms and EMI holders alike. The winners will be those who manage these risks correctly. I firmly believe it’s possible. Look, the situation is like in the beginning of the 20th century, the car industry was booming with tons of different brands. Building a car is difficult and 95% of the car manufacturers had to shut down rapidly. Did it mean that the car market was not a booming market?

Thank you to David, Nicolas and Rebecca for sharing their thoughts and also to William Lorenz, Sophie Vo and Amber Glabb for their support.