The dark side of embedded finance

In the world of finance, few trends are celebrated as enthusiastically as embedded finance. It’s the silent force turning retailers, software providers, and tech giants into financial institutions. This seamless integration of banking, payments, and credit into non-financial apps has made life undeniably easier.

Who needs a bank app when you can get a loan from your favourite e-commerce store or a debit card from a ride-sharing service?

But in its quiet rise to power, embedded finance has created a complex web of risk and regulatory ambiguity. The very convenience that makes it so appealing also hides a dark side: a lack of accountability, a murky regulatory landscape, and a massive, expanding attack surface that no one is talking about.

It’s the Trojan Horse of finance, and institutions are only just beginning to grasp the dangers it carries within.

A Shifting Regulatory Scrutiny

The traditional model of financial regulation is simple: the bank is on the hook. The Financial Conduct Authority (FCA) in the UK and regulators like the Consumer Financial Protection Bureau (CFPB) in the US have long held banks accountable for everything from fair lending practices to data security. But in embedded finance, this clear line of responsibility blurs.

The regulatory spotlight is shifting. In 2023, for example, a significant portion of severe enforcement actions from federal regulators in the US, 13.5% targeted banks involved in Banking-as-a-Service (BaaS) partnerships. Regulators are essentially telling the industry that a bank can’t outsource its regulatory and compliance responsibilities. This has created a new challenge for sponsor banks, which are now being held accountable for the actions of their non-financial partners.

Furthermore, the lack of a single, comprehensive regulatory framework for embedded finance complicates matters. Regulators are forced to apply old rules to a new model, creating friction and risk. The result is a system of “regulatory arbitrage” where some players operate in a grey area, exploiting gaps between regulations designed for traditional banking and those for technology companies.

The Problem of Shared Data and Fragmented Security

Embedded finance is a data-sharing ecosystem. A user’s financial information travels from a merchant platform to a fintech partner and then to a sponsor bank. This multi-party relationship creates serious security vulnerabilities.

While banks have robust, often over-engineered security protocols, their non-financial partners may not. A 2024 Verizon study found that 15% of data breaches stemmed from a third-party vendor, an increase of 68% from the previous year. If a retailer’s e-commerce platform suffers a breach, the bank that powers its embedded lending product could be on the hook for the reputational damage and the loss of customer trust, regardless of where the vulnerability originated.

Beyond data breaches, the lack of a unified security standard across partners creates opportunities for fraud. The sheer number of API integrations and third-party vendors expands the attack surface. This forces banks to extend their due diligence far beyond their own walls, constantly vetting and monitoring the security posture of every partner in their embedded finance chain—a labor-intensive and manual process.

The Threat of Predatory Lending and Consumer Harm

The promise of embedded finance is to make financial services more accessible. But in a controversial twist, it can also lead to consumer harm. When lending or payments are embedded into a checkout flow, the context changes. Consumers can make quick, emotional financial decisions without the kind of friction and information they would get from a traditional lender.

This is particularly concerning in the Buy Now, Pay Later (BNPL) space, a prime example of embedded finance. The convenience of splitting a purchase into payments can obscure the reality of taking on debt, leading to overspending and financial distress. While BNPL has brought financial services to many, it has also raised red flags among regulators. Both the FCA and the CFPB have expressed concerns over BNPL’s potential to facilitate consumer debt accumulation without the same level of consumer protections as traditional credit.

The ease with which these products are offered at the point of sale also makes them vulnerable to predatory practices. Without the rigorous underwriting and oversight of a regulated bank, there is a risk that some embedded platforms could target vulnerable consumers or obscure the true cost of credit in the fine print.

The Path Forward

The embedded finance revolution is here to stay. Its convenience and reach are too powerful to ignore. But the industry must address its dark side directly and proactively. The future of embedded finance depends on:

1. Clear Accountability: Regulators must establish clear, unified rules that define the roles and responsibilities of every player in the embedded finance value chain.
2. Robust Vendor Management: Banks must go beyond initial due diligence and implement continuous monitoring and security audits of all their fintech and non-financial partners.
3. Ethical Design: Platforms must design embedded financial products with consumer protection and transparency at their core, ensuring that convenience does not come at the cost of financial well-being.

The embedded revolution has the power to democratize financial services, but only if it’s built on a foundation of trust, transparency, and shared responsibility. Failing to confront these controversial risks is not an option; it’s a disaster waiting to happen.