If you know only one thing about banks and bank regulation, it’s probably encapsulated in the statement “FDIC-Insured.” For almost a century, this statement and others like it have been displayed at the entrance to every bank branch, on the desk at every teller window and, more recently, in the fine print on every bank TV commercial, smartphone app, and website. The statement is designed to serve a single and essential purpose: instilling depositors with confidence and trust in the safety of their bank and in the stability of the wider banking system.
The credibility of this statement is backed by some of the most sophisticated legal engineering the world has ever seen. It includes a combination of federal and state banking law, prudential regulatory frameworks, and ongoing examinations by state and federal bank supervisors. Behind these legal frameworks is a comprehensive safety net that includes the Federal Reserve System’s emergency lending facilities, a resolution process for failing banks, and the FDIC’s deposit insurance program. And behind that safety net is a second and even more powerful backstop: the full faith and credit of the U.S. Government. Viewed in this light, it is no exaggeration to say that the United States has thrown the full weight of its legal, economic, and political resources behind the safety of U.S. banks and their depositors.
As I argue in a new article, however, this safety net is under threat from technological disruption. Banks have long outsourced essential technology functions, yet as technology has become more critical to banking, a new breed of technology-driven “fintech” platforms has started to flip this conventional outsourcing script. Rather than banks outsourcing technology, these fintech platforms are outsourcing core elements of the banking franchise like deposit-taking, credit and debit card issuance, and payments to their partner banks. This emerging “banking-as-a-service” or BaaS model is effectively an inversion of conventional bank-IT outsourcing relationships, with fintech platforms instead of banks outsourcing key back-office functions and assuming a critical customer-facing role.
By just about any measure, this BaaS model is rapidly growing in popularity and importance. While available data is still scarce, estimates suggest there are hundreds of BaaS partner banks, each typically serving dozens of fintech platforms, and collectively holding hundreds of billions of dollars in assets. And while many of the fintech platforms these banks serve are still relatively small, some of the largest – like the digital banking app Chime – hold billions of dollars in customer funds through their partner banks. Ultimately, all these partner banks, fintech platforms, and deposits add up, with some estimates forecasting that the revenue generated by BaaS will grow tenfold between 2021 and 2026. There is no doubt that BaaS is increasingly big business. The question is whether it’s a big problem.
There is no easy answer to this question. The principal reason is that there are two critical and opposing drivers behind the rise of BaaS. The first reflects ongoing structural changes in customer demand and, specifically, the desire for faster, cheaper, more seamless, and more convenient digital banking. In the United States, traditional banks have often been slow in responding to these changes. The resulting underinvestment has opened the door for fintech platforms to exploit both their comparative technological advantages and more nimble organizational structures to meet this growing demand and, in the process, drive the shift from conventional bank-IT outsourcing toward the BaaS model.
In theory, this customer-driven shift from conventional bank-IT outsourcing to BaaS should have no impact on the application of federal bank regulation, the scope of the financial safety net, or the stability of the U.S. banking system. As a consequence, customers should not be exposed to fundamentally different risks depending on whether their bank outsources critical technology functions or their fintech platform outsources core elements of the banking franchise. Yet in practice, that is often exactly what it means. Most important, as a growing number of fintech customers are starting to learn, the bankruptcy of a fintech platform can leave them struggling to recover their hard-earned money – even when that money is held with an FDIC-insured partner bank.
This in turn highlights the second critical driver behind the rise of the BaaS model: regulatory arbitrage. As a starting point, obtaining a bank charter, paying FDIC deposit insurance premiums, and ensuring ongoing compliance with bank activity, capital, liquidity, risk management, and other regulations are extremely costly. By outsourcing the core elements of banking, fintech platforms exploiting the BaaS model can replicate many of the financial products and services provided by banks, but without the need to incur these costs. Accordingly, as this divergence in regulatory compliance costs becomes more pronounced, we should expect to observe an increase in the number of firms forgoing a traditional bank charter in favor of the BaaS model.
The effects of regulatory arbitrage are compounded by the fact that the BaaS model does not fall squarely within the scope of the regulatory framework currently governing bank-IT outsourcing relationships. The twin cornerstones of this framework are, first, the Federal Reserve Board, OCC, and FDIC Interagency Guidance on Third-Party Relationships and, second, the Bank Service Company Act of 1962. The Interagency Guidance sets out broad principles that banks should follow when managing their relationships with technology firms and other third-party service providers. Operating in parallel, the BSCA envisions that these service providers may themselves be brought under the regulation and supervision of federal banking agencies. Together, the Interagency Guidance and BSCA have played a useful role in addressing the risks from conventional bank-IT outsourcing relationships. Yet they were clearly designed for a world in which banks were the orchestrators of these outsourcing relationships, the sole recipients of outsourced services, and at all times maintained direct customer-facing relationships. Put simply: They were not made for the brave new world of BaaS.
The collision of these two drivers exposes a tension at the heart of the BaaS model. On the one hand, to the extent that the rise of BaaS reflects a market-driven response to technological shocks, shifting customer demand, and the failure of incumbent banks to adapt, its emergence and growth hold out potentially significant benefits for competition and innovation within the financial services industry and, ultimately, for consumer choice. On the other hand, to the extent that this growth is fueled by regulatory arbitrage, the rise of BaaS outside the limits of bank regulation and the conventional financial safety net poses clear and mounting risks for consumers, for microprudential safety and soundness, and, perhaps one day, for financial stability.
My article chronicles the shift from conventional bank-IT outsourcing to BaaS and identifies the three intertwined types of instability it potentially creates. The first type – business model instability – stems from the inversion of conventional bank-IT outsourcing relationships and the need to address the unique policy, legal, technological, and operational risks of the BaaS model. The second – expectations instability – stems from the risk that this business-model instability can confound the expectations that the customers of fintech platforms have regarding the scope of FDIC deposit insurance and other elements of the financial safety net and, hence, the legal protections to which they are entitled in the event of a platform’s bankruptcy. The third – financial instability – reflects the risk that the continued growth of the BaaS model, the complex and opaque interconnections it creates, and its impact on customer behavior could potentially sow the seeds of future banking panics. Together, these sources of instability are already stretching the fabric of the banking system. One day soon, they may tear it.
The rise of BaaS is ultimately an important plotline in a far bigger story about the complex and evolving relationship among finance, technology, and regulation. From BaaS to fintech, artificial intelligence to crypto, new technology has triggered a tectonic shift in the financial landscape. This shift has placed growing pressure on the perimeter of financial regulation, including foundational legal categories like “banks” and “banking,” “securities,” “futures contracts,” and “insurance.” In the process, this shift has further blurred the already fuzzy legal boundaries that demarcate the scope of the conventional financial safety net. In many ways, the rise of BaaS is simply a microcosm of this bigger story. Yet for precisely this reason, it also offers important insights into both the complex and often contradictory drivers of this shift and how policymakers can effectively respond to it.
Dan Awrey is the Beth & Marc Goldberg Professor of Law at Cornell Law School. This post is based on his recent article, “Banking, Technology, and Instability,” available here.