Embedded Finance in crisis

Every company became a Fintech company, but not every partner bank was fully ready for the consequences. Choice Financial's FDIC consent order and Blue Ridge's second in 18 months are a huge problem.

Hey everyone 👋, welcome to Brainfood, the weekly read to go deeper into Fintech news, events, and analysis. Join the 37,649 others by clicking below, and to the regular readers, thank you. 🙏

Hey Fintech Nerds 👋

Embedded finance is in crisis.

Blue Ridge had a second OCC consent order in 18 months, and Choice Financial received an order from the FDIC. That's existential for banking as a service. And the focus of this week’s Rant.

Apple being forced to open iPhone NFC chip access will be a game changer in payments. I’ve already seen someone build point-of-sale tap-to-pay via open banking.

PayPal did not shock the world by copying SHOP pay and launching cashback.

Brex layoffs are a sign of the times. This company has $279m “ARR” and a great ground game, but is “AI-powered” enough to stand out against the competition?

You’re gonna want to read this one fully.

Grab a coffee.

Let’s do this.


Here's this week's Brainfood in summary

📣 Rant: Is embedded finance in a crisis?

💸 4 Fintech Companies:

  1. Promoteo - The single Open Finance API for LATAM

  2. Twodots - Tenant screening fraud checker

  3. Plenty - Acorns for Couples

  4. Foyer - The savings account for first-time buyers

👀 Things to Know:

  1. Apple Wallet iPhone NFC payments available for 3rd parties

  2. Brex lays off 20% of staff

  3. 🥊 PayPal did not shock the world. But the products are decent.

📚 Good Read: Hard Assets by Marc Ruby

Weekly Rant 📣

Is Embedded Finance in a crisis?

Partner banks are 9 times more likely to receive regulatory enforcement actions than non-partner banks. 

Credit Konrad Alt - Klaros Partners

Every company became a Fintech company, but not every partner bank was fully ready for the consequences. 

In the past week, Blue Ridge Bank received its second OCC enforcement in 18 months, and Choice Financial received a consent order from the FDIC. This could impact Fintech companies like Mercury and Current.

The risk/reward has shifted. 

And the problem is becoming exponentially worse with each passing day.

Two consent orders in 18 months is as bad as it gets. It means stop.

That is existential for a bank.

And it’s existential for Banking as a Service as a category if we can’t up our game across the board.

Is Banking as a Service still worth it?

TL;DR - Yes, but we need much more automation and focus.

How do we fix this? That’s today’s Rant.

  1. How compliance “should” work

  2. Where it’s going wrong in embedded finance

  3. The options for partner banks

  4. The complication as embedded finance goes multi product

  5. The need for a regulatory response

  6. The enforcement will make us stronger in the end

1. How compliance should work 

"Should" is a dangerous word, but go with me here.

If you're a platform offering debit cards, you might choose Stripe or Synapse as your Banking Service provider.

Under the hood, the providers work with partner banks like Evolve or Blue Ridge. The bank is accountable to the regulator for *all* program activities and is required to exercise detailed oversight of the programs (in this case, the platform) offering debit cards. They also must have full oversight of intermediary providers (i.e., the API providers).

I've written about why accountability is hard in banking as a service before.

Responsibility is on the left of the picture, but control of the customer and the data is on the right. And the way banks prove they have control is by checking policies, procedures, and controls at the Fintech company. They lack real-time data and automation. Consider that most banks' procedures were built before APIs existed. The odds of the program agreement compelling partners to provide this real-time data are very low.

Partner banks should oversee all risks related to their sponsored programs (3rd or even 4th parties). These risks run a spectrum of BSA/AML, fair lending, Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) and countless others. It's up to the partner bank to know what risk applies and how those risks must be managed by their 3rd parties.

Before Banking-as-a-Service, this was case by case and could take 6 to 12 months to operationalize per partner. The boom through the late 2010s led to a gold rush of partner banks competing to work with providers and non-banks to attract more deposits. 

The partner banks:

  1. Worked with new providers to embed controls in the API platforms directly

  2. Built processes and procedures to examine their sponsored programs to ensure compliance

  3. Some scaled up their partnerships and control functions to cope with new volume and demand

If a Fintech company has deceptive marketing (UDAAP) or inadequate FDIC disclosures, the partner bank is responsible for that to state or national regulators. The customers are legally bank customers.

The sponsor bank builds a first and second line of defense for risk. The first line is typically operational, working as a part of the business line directly on risks like fraud, disputes, or compliance cases. The second line is about setting up processes, procedures, reports, and training to manage risks. The leadership will periodically use reports and testing to determine the effectiveness of their controls and make adjustments. 

The processes and procedures built by the second line at a partner bank should also be adopted by the programs they sponsor. While the program has room to implement those processes in their first line, one trend is now for banks to bring those in-house. 

When the Fintech program gets started, they need to implement those processes directly or with their providers' help. The partner bank would then approve that implementation before they can go live. 

Consumers and SMBs are the bank's customers in all of these cases.

Today, some programs are separately licensed as money transmitters and receive direct regulatory oversight once they reach a certain size, although this isn't formalized or consistent. Larger MTL programs should expect regulatory requests and examinations. In this case the program has direct responsibility for the customer to state regulators. 

2. Where it starts to go wrong

We have a problem.

BaaS specifically has several. 

  1. Small teams with limited staff are easily overwhelmed. Regulators are essentially asking banks to act with equal weight to regulators, but many lack the skill and capacity for this. If a sponsored program quickly hits millions of customers or billions in deposits, it can quickly dwarf the bank. Scaling headcount is not the only or best answer. Often, automation and technology are more helpful. Relying on sample testing of 30 customers against a cohort of millions is not statistically significant. These tests must scale much further and that requires investment in automation. However:

  2. Risk is often the last part of the value chain to receive investment. When starting a new business line, a small bank will focus on sales, partnerships, and going to market. The early winners like Evolve became especially good at the “Fintech client experience.” While the good ones have scaled up their risk staff, not everyone has scaled up their risk technology capability. The OCC, Federal Reserve, and FDIC specifically mentioned in their recent third-party guidance that it's OK to partner with technology providers to solve some of the control gaps.

  3. Not all partner bank controls are equally capable. The partner banks nobody talks about do not receive enforcement actions and have very happy clients. Many program agreements are vague and lack compulsion. They might not compel API providers to share real-time data, or define who owns customer data, for example.

  4. Not all sponsored programs are equally capable. Companies embedding finance for the first time run the spectrum from novice to expert. Part of the value proposition of "Banking as a Service" was to remove much of the complexity and focus on building a strong UX. While many color inside the lines, a few have unwittingly fallen foul of key regulations. This is especially noticeable where they serve consumers. Consumer regulation is a high bar; seemingly simple things like FDIC disclosure copy mistakes can backfire massively.

  5. Documentation rarely matches implementation. How does a partner bank know that a program is operating per its agreement and policy docs? How does a bank prove that to regulators?

  6. Implementation processes can be where risk piles up. What questions are on the implementation checklist, what processes are put in place, and what data is supposed to be made available is critical. Post-launch, who will review that data, and in what system? Reviewing data when you’re receiving CSV files isn’t easy unless you have the tooling to make that work. If your second line of support is a single person, they’ll easily be overwhelmed.

The reality is compliance program sophistication and capability vary on a bell curve. Some great, some terrible, most okay-at-best. That creates a lot of room for improvement.

In practical terms we've seen programs and partner banks receive enforcement actions and notices. Even the mighty Goldman received a warning from the Federal Reserve about compliance with its BaaS program.

The warnings and enforcement actions have not gone unnoticed. 

Three years ago, a Fintech company could quickly start "penny testing," which is shorthand for using real operating accounts and moving real money so long as the users and values are restricted. They'd also have some level of grace from their partner bank on getting policy and processes in place, allowing them to soft launch with alpha users.

That's long gone. 

Rightly so.

3. What options do partner banks have?

Smaller banks don't have a lot of good choices to drive growth. Competing on digital UX isn't their core strength, and they're becoming less relevant to consumers and SMBs who have more choices than ever before.

They can tread water, do M&A, or try Banking as a Service.

Done well, Banking as a Service grows deposits and lending and allows innovative businesses to manage the digital user experience. Win/win.

If they want to do so without reputational risk, there are two categories of action: the obvious and the less obvious.

Obviously

  1. Tighten first and second-line controls. Most have already done this.

  2. Hire more compliance staff. Most have already done this. (Although I'm loath to ever accept hiring alone is the answer to anything).

  3. Hiring external compliance expertise. Compliance consultants are having a field day.

  4. Or exit Banking as a Service. Some have done this (either through being acquired, going out of business, or refocussing on the core business). 

Yet, for a small bank suffering from deposit flight and needing to find new sources of income, the apparent steps don't make you competitive.

The less obvious.

  1. Own the Go-to-Market directly. Many have started to do this. Often, with a small handful of providers in Banking as a Service, payments, and fraud/compliance, they build a package to go to market. Practically, this means the program (e.g., platform or Fintech company) buys directly from the bank with pre-approved vendors. The program can change providers, but that slows things down dramatically for them. This sounds easy, but it is hard. Building a client experience that would make a tech company want to work with you is a massive shift if you’ve never offered an external API before.

  2. Digital-first direct oversight. Build real-time data and feedback loops between the sponsored program and partner bank. This would include having the ability to collaborate on AML cases and using things like GenAI to pre-check any customer-facing copy before approval. (Some BaaS API providers have been reluctant here and this has to change). 

  3. Digital-first operational oversight. Get the management data needed to ensure companies are in policy and/or create new policies when needed. Collecting real-time data on fraud rates, errors, SAR volume, chargebacks, ACH returns, etc. 

  4. Automation. The bank should see in its dashboard everything it would see if it ran these programs internally. There should be no data gaps or control gaps. The problem is, they're outnumbered. One bank might have dozens of clients who aggregate millions of consumer accounts. 

The need for automation is critical. 

The increased focus of regulators means that the fixed costs of running a program have increased significantly. Add this against a backdrop of fraud and SAR volumes growing 31% and 15% YOY, and becoming a partner bank becomes uneconomical. 

Regulators expect headcount to grow, but scaling headcount is unrealistic.

We must scale automation.

Regulators need to understand the capabilities of regtech and automation at a much deeper level.

The question I get most often is:

Who should we partner with?

Today, the Fintech provider landscape has much more ready-made regtech automation for partner banks. There's AI like Tennis Finance, BaaS platforms doing more for partner banks, or entire Dashboards like Sardine* Operating System.

Tighter controls plus digital-first risk management feel like a winning combo.

And we'll get there.

When we do, a new challenge awaits.

4. Embedded Finance is getting complex, and we don't fully understand the regulatory implications

When the unit economics suffer, everyone loses. 

The banks, the intermediary providers (BaaS platforms like Stripe or Unit), and, critically, the user experience providers at the front from Neobanks to vertical SaaS platforms.

The answer is to diversify revenue streams.

So today, Fintech companies offer multiple products via multiple partners and partner banks. This means they take on more responsibilities and have multiple partner bank relationships.

It looks a bit like this.

If we follow the theory, each partner bank (or custodian) should manage their 3rd party risks. They should assess and understand who the end customer is and the risks and ensure their sponsored program is managing those appropriately. 

There's that "should" word again.

Here are a few things that give me heartburn.

  1. Each partner bank only assesses the partner product's risk, not the whole customer lifecycle. The bank providing deposit access isn’t on the hook to manage the risk of charge cards or securities products if they are not providing them.

  2. Providers implement controls with different approaches. Some want to manage compliance or think of Fintech as their customer (not the bank). Others enable compliance and consider the bank and the Fintech company as their customers. Some have a regulatory license; others don’t. That changes by product and by business model.

  3. The level of licenses available or required by Fintech companies is inconsistent. A Fintech company using their bank as a partner is relying on the bank to manage the licences and the compliance and is simply managing the UI. Or a Fintech company might have a Money Transmission Licence (MTL) and be a Registered Investment Advisor (RIA) but rely on their bank to sponsor their card program. The sophistication they’re expected to have if they’re licensed is much higher, and they will be examined by state or national regulators.

  4. The patchwork of regulations means nobody except the Fintech company or embedded finance provider sees the whole customer. What happens when one customer is running massive risks?

The good Fintech companies are doing everything they can to understand, mitigate and manage the risk of offering multiple complex products to consumers and SMBs. 

Fintech is re-aggregating everything financial services used to do under a much better user experience. This, in aggregate, is a massive positive for growth and productivity.

But the nature of the market structure leaves us with a reality where:

  1. The amounts involved are becoming massive. In many cases, Fintech companies dwarf their sponsor bank.

  2. There’s no clear accountability framework for all products, partners and providers when re-aggregated in a Fintech UI.

  3. We're heading into uncharted waters without clear regulatory guardrails about what happens when we re-aggregate 5 or 10+ financial products into a mobile app or digital experience.

Which prompted the question.

5. Should there be a Fintech Charter?

Non-bank embedded finance has a patchwork of regulations that creates gaps in supervision and risk.

The CFPB is now pushing to regulate "digital wallets and payment apps" to create consistent national oversight of consumer-facing finance apps that might feature multiple products. This would include everything from the Apple Wallet to Chime.  

But as they get into lending, products are repackaged in novel ways for consumers and businesses, and an ocean of risk is not considered. 

  • What happens to investment products? 

  • What about contagion risk if big Fintechs cause a partner bank run?

Since the global financial crisis, we've implemented regulations worldwide to ensure banks can absorb losses. Above a certain asset size, banks are subject to more rigorous examination and required to hold more capital. 

This makes them less profitable.

The banks look at Fintech companies collecting billions in deposits, lending into the 10s of billions, and wonder, won't this lead to some financial crisis? 

And if it does, will the banks (and FDIC) be expected to absorb that loss?

The answer today is yes to both if we're talking about deposits. 

But if we have lenders going out of business or a blow-up in the treasuries markets that starts to impact consumers and small businesses, we will see a reaction in lawmaking. 

Sometimes bankers use the term "we need a level playing field," and regulators say "same risk, same regulation." Neither of those is accurate.

When Fintech companies reach bank scale, they're bank-level risk but not banks. Some can and should become banks, but for this second category of re-aggregating a ton of financial products, the risk isn't the same as banks; it's different. 

We need to think about third-party guidance more broadly than deposit insurance in the future. We need to think about Fintech companies not just as wallets and not just for consumers.

6. Regulatory action will make the industry better

2023 was the year of "BaaS is Dead." The Brainfood with that title in March was my second most viewed of the year (the winner was "Is payments a race to the bottom?"). While I'm the eternal optimist, it's hard to ignore what the market is saying here.

The vibe recession of Fintech.

And it’s not without merit. The news will get worse before it gets better.

As a result, partner banking and Banking as a Service are getting a bad rap. Bad actors are being flushed out, and that's a good thing. Today's regulators and regulations are working. It's also forcing everyone in the ecosystem to get better.

Enforcement actions happen. 

Want to know who the worst offenders are? 

The top 5 companies in the world by fines paid to authorities are Bank of America, JP Morgan, BP, UBS, and Wells Fargo. 

Banking as a Service and Embedded Finance have reshaped the industry. Some companies focussed more on growth than being sustainable, but the market and regulators are now correcting that.

If you're a partner bank, you cannot spend too much time looking for automation and partnerships. What I'm seeing is that the partner banks and Fintech companies who get that are treating compliance as the bedrock for long-term growth.

The lesson here is Fintech is not a drag race.

It's Formula 1.

It's having the fastest car and the best brakes.

It's going slow at the right time to go fast and win the 3-hour race. It's not a 30-second race.

I’d love to see us create a high-watermark of compliance as a standard. I’d love to see automation become an industry default.

What does the API standard for data sharing with programs, banks, and regulators look like? Can we open-source that?

Let’s work on it. In October. In D.C.

Hit reply if you want to help out.

ST.


4 Fintech Companies 💸

1. Promoteo - The single API for LATAM banks

Promoteo provides open banking APIs for 10 markets connecting to companies like Santander, Citi, and Rappi. Markets covered include Brazil, Argentina, Mexico, Peru, Chile, Colombia, Uruguay, and Paraguay. The service leads with account-to-account payments but is also live with use cases like treasury management and account aggregation.

🧠 Is open banking the killer app for regional Fintech expansion? Promoteo claims its biggest markets are Brazil and Mexico, but how many successful Fintech companies are now looking to expand regionally from those markets? Several LATAM countries have populations less than 100m but a burgeoning fintech scene. Getting a wedge in those markets is tricky, but an API with account-to-account payments and links to super apps like Rappi could be a great starting point.

2. Twodots - Tenant screening fraud checker

Twodots provides an API for tenant screening that checks IDs, documents, and open banking data to screen for fraud. The goal is to reduce the manual work for multi-family property managers, whose manual checks are often easy for fraudsters to circumvent.

🧠 This is a huge pain point. According to Forrester, 97% of landlords who rent more than one property have experienced tenant fraud. In the past month, I've seen at least 3 companies focus on this use case as a wedge. Where companies pop up, there's usually pain, but I wonder if this has to get rolled up into a more generic fraud detection company? There's a broader theme here, too. Things that were very manual and old-world are going digital by default. As the experience of renting went digital, so did the fraud, and by extension, now we see the providers popping up to solve that. 

3. Plenty - Acorns for Couples

Plenty helps couples build goals, dreams, and plans and then invest to work towards those goals. Kids' college funds, weddings, and emergency funds fill up faster when they compound. The service offers up to 5.10% yield on cash or access to SEC-registered investment products like ETFs or funds.

🧠 Wealth management has always been single player, but the family P+L is more likely to be a partnership. This is a well-put-together proposition and has a beautiful UI. Robo advisory and savings accounts are tough businesses to make money in without attracting AUM at scale. They'll get there quickly if they can win enough 6-figure-earning couples who place their kid's college funds in this thing.

4. Foyer - The savings account for first-time buyers

Foyer allows consumers to save faster with 4.51% APY and up to 2% deposit matching (capped at $200 annually). The service will attempt to identify state-level tax advantages, apply those to the savings account, and support buyers with guides and matching to reputable real estate agents.

🧠 Homes are too expensive; consumers need an on-ramp, but are homes a good investment? We discussed this on Alex Johnson’s “Not Fintech Investment Advice” episode of Fintech Takes. A home feels like a distant dream for a generation of people, especially in a major city. The UK Government contribution matches up to 25% for first-time buyers but is still seeing a cooling of the market. Eventually, house prices have to come down relative to earnings. This is a great product for those who will buy a home anyway, but an organized person could find higher yield elsewhere. I don’t know if “help to buy your home” is enough of a hook to build a scaled business. Unless a bank acquires this, or they make money as a mortgage introducer?

PS. The UK’s equivalent, Nude, has been live for a couple of years, and I adore its design aesthetic. 

Things to know 👀

The EU Commission on Antitrust announced Apple has committed to allowing third-party mobile wallet and service providers access to the NFC chips on iPhones via an API. The ruling applies to users and devices in Europe but must not restrict access to payments for those users anywhere in the world. 

🧠 Now, any bank or Fintech wallet can make a card appear in their app without going via the Apple Wallet. The Apple Wallet was a phenomenal ecosystem lock-in, but fundamentally, payments in-store are a standard.

🧠 This makes point-of-sale open banking-initiated payments a possibility. Within days of this ruling, one startup (Overlay*) has already made that available in the UK.

🧠 Tech lock-in and experience lock-in are very different animals. This kind of NFC access was always available on Android but the vast majority used Google Wallet because the experience was so much better.

🧠 This EU ruling will likely impact Apple globally. GDPR became the world's data privacy template, meaning everyone has cookie consent forms. Since the passing of the Digital Markets Act, Spotify now lets people buy subscriptions without paying the Apple tax. This creates pressure globally.

🧠 The DoJ doesn't need to bother with antitrust; the EU is doing it for them. The EU has insisted Apple now has to enable side-loading of apps, support USB-C, and make its messaging service iMessage compatible with Android for multimedia (like photos).

🧠 Whenever a large company claims something isn't secure, that's often a headline excuse. You can always make something secure by locking it down, but that's not an option when it's a utility like payments. Apple is paranoid about security, a big part of its brand. Yes, being open and secure is harder, but that's also your job.

I wrote about Apple's current position in Fintech at length a few weeks ago in "Apple will be a bank in all but name"

Brex laid off 282 people or 20% of staff, "concentrating timezones" and changing its comp structure to reward long-term thinking. This follows a layoff of 136 people (or 11% of staff) in October 2022. This follows reporting by The Information that it is burning $17m per month and has cash runway to March 2026. For its part, Brex says it grew revenue by 35% last year and gross profit by 75% with annualized net revenue of $279m.

🧠 What would Brex's year look like if SVB didn't fail? The deposit flight from SVB benefitted Brex, Mercury, its competitors, and the top 5 banks. If this didn't happen, how much would revenue be up?

🧠 This is a crowded space and competitive. Spend management and AP automation might be the most crowded segment of Fintech. Does that create pricing compression? It feels like the battleground now is feature velocity and growth. 

🧠 What is Brex great at? Brex has leaned into cash management and travel, but I don’t know that they’ve won. But they maintain the most mature GTM and ground game. Their events, marketing, and partnerships are best in class. If they can focus on and deliver feature velocity (an area I fear they’ve fallen behind on as an observer)

🧠 A ton of talent just entered the market. This is a great time to hire at a bank or a Fintech company.

🥊 Quick hit

PayPal said it was going to “Shock the World.” What did they announce? A new feature, Fastlane, gives one-click checkout that's much faster. Smart Receipts does order tracking, and CashPass gives cashback at big merchants like McDonalds.

🧠 That's not shocking. It's cashback. And copy+paste Shopify. Shopify Pay is a BEAST of an experience; PayPal was right to copy it.

🧠 Those product names are awful, and this is terrible PR. None of these products are bad. Smart Receipts are clever, and how they’re doing the loyalty personalization is super smart under the hood. It’s a shame those features aren’t getting the focus because of how they spent the last week hyping up this release.

Good Reads 📚

Infrastructure like airports, shipping ports, toll roads, bridges, rail, energy generation, fiber, and wireless networks are becoming an investment asset class. Their steady income and remarkable profitability have led to the world's largest asset manager (Blackrock) acquiring Global Infrastructure Partners (GIP). The latest fund charges 1.75% and a 20% performance fee, netting $14bn across its 3 funds. They focus on increasing the EBITA (profit) of each of their investments but are often criticized for failing to invest in the utility.

(As ever, my summaries will not do Marc’s work justice; please go read it)

🧠 The world is investing more in infrastructure. In the US, we see much more activity since the Inflation Reduction Act created incentives for green investment, and there are giant plans to do much more with rail and airports. Still, the private sector opportunity dwarfs the public sector.

🧠 The leader in infrastructure has been China, which shows the promise and perils of such an approach. China has consistently used infrastructure investment to drive growth through its regions but now faces the risk of much of it sitting empty and unused as growth stalls.

🧠 Vital public services are more than an asset class. The UK water company Thames Water has consistently failed to invest, leading to outages and leaks, but has consistently increased executive pay. While it has been bought and sold as a profitable asset for investors, it currently has a £14bn ($17.8bn) pile of debt, nearly 80% of its capital value.

🧠 All assets will eventually be sold to consumers on a mobile phone. How long til this is a product in your investing app? If private credit is heading that way, it is a matter of time until one of the API providers in Fintech repackages this. I wonder if the mighty Blackrock might even try to do so.

That's all, folks. 👋


(1) All content and views expressed here are the authors' personal opinions and do not reflect the views of any of their employers or employees. 

(2) All companies or assets mentioned by the author in which the author has a personal and/or financial interest are denoted with a *. None of the above constitutes investment advice, and you should seek independent advice before making any investment decisions.

(3) Any companies mentioned are top of mind and used for illustrative purposes only. 

(4) A team of researchers has not rigorously fact-checked this. Please don't take it as gospel—strong opinions weakly held.

(5) Citations may be missing, and I've done my best to cite, but I will always aim to update and correct the live version where possible. If I cited you and got the referencing wrong, please reach out.