Standard Chartered is harnessing its regulatory risk experience and cyber security know-how to bet big on banking-as-a-service, senior figures at the bank say. It comes as new figures from KPMG show global revenue from BaaS is expected to more than triple between 2022 and 2027. 

BaaS is a financial technology that helps non-banks, such as e-commerce platforms or taxi firms, access banking products like current accounts and credit cards traditionally offered only by licensed financial institutions. This can be mutually beneficial: it permits non-banks to offer financial products, while banks can expand their customer base more cheaply than signing them up one-by-one.

The Asia-focused bank is onboarding customers using BaaS at around a tenth of its typical cost, according to Marnix Zwart, global head of partnerships in Standard Chartered’s retail banking division.

Following the launch of KPMG’s research paper into BaaS in Singapore, Zwart claims the bank’s experience in onboarding fintechs, including early stage compliance, has been crucial in securing partnerships with fintechs wanting to co-opt banking products — allowing it to be a first-mover in south-east Asia’s BaaS sector. 

“Our whole regulatory-risk experience is a big differentiator from our competitors, because we have been able not only to launch this model but also scale it,” Zwart says.

“One of the advantages is knowing how to operate in this space, including how to get [regulatory] approvals, and price and design products.” 

Standard Chartered claims it has tripled its customer base in Indonesia over the course of six months, between the latter part of 2022 to early 2023, simply by advocating BaaS as a service.

Globally, revenue from BaaS is set to rise from $11bn in 2022 to more than $38bn in 2027, according to new figures from KPMG, with a projected global growth rate of 70 per cent for BaaS migration in the next three years.

Risky partner selection

To mitigate risks from fintechs spilling over to Standard Chartered, Zwart says the bank typically chooses players already established in their market.

“The established players will have more robust data, internal compliance and risk management processes,” he says. 

“In the beginning, we also were partnering with the smaller players, but it was not a great fit,” Zwart adds. “Because with all these strategic partnerships, there will be onboarding, data sharing and regulatory approvals, so it’s important that they understand these complexities.”

Banks also need robust onboarding processes in order for their BaaS fintech partners to get the necessary regulatory approvals.

Success in Indonesia

Standard Chartered’s BaaS solutions, powered by audax, was the first financial institution to secure regulatory approval for end-to-end digital onboarding in Indonesia, “without requiring any physical interaction or video-call verification with the customer”, says Karthik Sethuraman, chief operating and risk officer at audax. 

The digital banking solutions provider was spun off from Standard Chartered’s fintech arm SC Ventures in 2023.

“In order to do that, we had to assure [regulators] that we are doing all the due diligence, at multiple levels, and that we are actually going ahead with onboarding based on a reliable set of data,” Sethuraman explains.

As part of receiving regulatory approval in Indonesia for digital onboarding, audax needed to work with a biometrics vendor, which provided it with a solution to circumvent the Indonesian government’s need for physical interaction.

“Then we built in controls and we had to nudge the regulators to look at how the controls were written,” Sethuraman adds. “We had to show that we are not compromising anything from a regulatory or a Know Your Customer standpoint.”

Standard Chartered tripled its customer base in Indonesia via its ecosystem partnership with audax, as well as Bukalapak, an Indonesian e-commerce platform. The partnership gave the bank access to Bukalapak’s ecosystem of more than 110mn users and 20mn business owners.

Data leaks and spillover risk

Cybersecurity is a major internal and external risk, however, which banks need to overcome to ensure customers’ data remain safe. The safeguarding of data seeps into third-party risk management, meeting regulatory requirements and ensuring operational resilience.

Banks are required to develop robust integration strategies so that BaaS partners can meet the existing standards of the bank’s IT systems, applications and data repositories.

“Security and data is a really big part of the whole negotiation and onboarding process of partners,” Zwart explains. The process can be complex, requiring banks to approve customer terms and conditions, comply with local regulations and consistently check partners’ use cases.

Standard Chartered’s regulatory approvals were delayed in Indonesia due to a data sovereignty challenge. 

“The platform in Indonesia that we had partnered with for the card management system was actually authorising the data outside of Indonesia,” says Sethuraman. “The authorisation aspect of it is happening in their central location in Singapore or Hong Kong.”

This proved to be an issue because, in Indonesia, local laws stipulate that data authorisation has to be made within the country. While it is possible to take the data out for the purposes of reporting or analysis, “for decision making, that particular aspect or component of the platform had to reside within the boundaries of Indonesia,” he explains.

“So we had to push the timeline back to ensure that the third-party vendor built the relevant module and established it within the boundaries of Indonesia, before we launched the debit card product,” says Sethuraman. “We’re very strict on this.”

Left to right: Karthik Sethuraman, audax and Marnix Zwart, Standard Chartered

Bullish on BaaS

The success of Standard Chartered’s venture in Indonesia and elsewhere in the region has boosted the bank’s confidence to attract new prospects, Zwart notes. While navigating a new space is challenging, BaaS partnerships present a significant revenue opportunity for banks.

“We are very bullish on BaaS,” he says. “We’ve invested a lot of time and resources on it, but I think it will be such a big market that multiple banks will participate.”

Regulators are flexing their muscles, however. In the US, banks that provide BaaS to fintech partners accounted for 13.5% of severe enforcement actions issued by federal bank regulators in 2023, amid rising regulatory scrutiny. US regulators have wielded consumer protection laws and anti-money laundering rules to discipline unruly banks.

In September 2023, the Federal Reserve warned Goldman Sachs’s fintech unit to stop signing on riskier financial technology clients, citing insufficient due diligence and monitoring processes.