Best Practices: Compliance for Banking as a Service

Introduction

Banking as a Service has unlocked significant revenue opportunities for banks and fintechs alike, enabling non-banks to offer financial products through sponsor bank partnerships. However, compliance failures have emerged as the single greatest obstacle separating successful BaaS programs from those facing regulatory enforcement. The numbers tell the story: BaaS sponsor banks accounted for 35% of all severe federal enforcement actions in Q1 2024, up sharply from 13.5% in 2023—despite representing fewer than 100 community banks nationwide.

Recent FDIC and Federal Reserve consent orders have frozen new fintech partner approvals and imposed growth restrictions on non-compliant banks. Navigating this environment demands more than good intentions. This guide is designed for sponsor banks, fintechs, and payments companies building BaaS partnerships that can withstand regulatory scrutiny. We'll cover what BaaS compliance involves, the key risk areas, who owns what, and how to build a program that holds up.

TL;DR

  • BaaS sponsor banks represented 35% of all severe federal enforcement actions in Q1 2024, up from 13.5% in 2023
  • Both sponsor banks and fintechs must maintain independent compliance programs; relying on a partner's controls is a regulatory failure
  • Regulators hold sponsor banks ultimately accountable for the entire BaaS chain, regardless of day-to-day responsibilities
  • Effective compliance requires continuous partner oversight, clear contractual definitions, and audit-ready documentation
  • Recent enforcement actions include growth freezes that prohibit onboarding new fintech partners without prior regulatory approval

What Is BaaS and Why Compliance Can't Be an Afterthought

Banking as a Service is a model where licensed banks provide their regulatory framework, payment rails, and infrastructure to non-bank entities—typically fintechs and payments companies—via APIs. This arrangement enables these companies to offer banking products (deposit accounts, payment cards, lending) without holding a banking license themselves. BaaS differs from standalone fintech services where companies build independent products; BaaS always involves a sponsor bank providing the regulatory backbone.

The Parties in a BaaS Arrangement

A typical BaaS ecosystem includes four distinct layers:

  • Sponsor bank — The licensed depository institution providing charter and regulatory compliance infrastructure
  • Middleware BaaS provider — The technology layer between bank and fintech, managing APIs, ledgers, and operational connectivity
  • Fintech company — The consumer-facing entity offering financial products to end users
  • End users — The customers who interact primarily with the fintech brand

Figure: four-layer BaaS ecosystem structure, from sponsor bank to end users

Each additional layer increases compliance complexity, creating potential gaps in accountability. Regulators hold the sponsor bank accountable for the entire chain, regardless of which party performs day-to-day functions. That accountability structure is precisely why compliance must be built in from the start—not retrofitted after a problem surfaces.

Why Compliance Must Come First

According to S&P Global analysis, BaaS banks accounted for 13.5% of severe enforcement actions in 2023, rising to 35% in Q1 2024. Consent orders issued during this period carried real business consequences: both Blue Ridge Bank and Lineage Bank were prohibited from onboarding new fintech partners without prior written regulatory approval. For growth-stage fintechs, a sponsor bank operating under those restrictions isn't just an inconvenience—it can halt product launches entirely. Building compliance into the program architecture from day one is what separates partnerships that scale from those that stall under regulatory pressure.

The Regulatory Landscape Shaping BaaS Compliance

Multiple Regulators, Unified Expectations

BaaS arrangements face oversight from a complex web of federal and state regulators:

Federal banking regulators:

  • FDIC (Federal Deposit Insurance Corporation)
  • OCC (Office of the Comptroller of the Currency)
  • Federal Reserve Board

Financial crime enforcement:

  • FinCEN (Financial Crimes Enforcement Network) for BSA/AML compliance
  • OFAC (Office of Foreign Assets Control) for sanctions

State-level oversight:

  • 50 state banking regulators with jurisdiction over banks chartered in their states

This multi-regulator environment historically created opportunities for "regulatory arbitrage," where banks switched primary regulators seeking more lenient oversight. However, the June 2023 Interagency Guidance on Third-Party Relationships established unified standards across all three federal banking agencies, eliminating the regulatory shopping option.

The New Enforcement Posture

Regulators now require every party to a BaaS partnership to maintain its own comprehensive compliance program. After-the-fact claims that "the other party was handling compliance" are not accepted as a defense.

2024 enforcement examples:

Bank                        | Regulator                   | Key findings
Evolve Bank & Trust         | Federal Reserve (June 2024) | Ineffective risk management framework for fintech partnerships; unsafe and unsound banking practices
Thread Bank                 | FDIC (May 2024)             | Required documented risk assessments of fintech partners and approval of risk tolerance thresholds
Piermont Bank & Sutton Bank | FDIC (February 2024)        | Failures to maintain appropriate internal controls and information systems for third-party relationships

Figure: comparison table of 2024 BaaS enforcement actions and regulator findings

Sponsor banks cannot outsource accountability. Fintech partners cannot rely solely on their sponsor's compliance program. Each enforcement action above reflects that same principle applied in practice.

An Evolving Landscape Requiring Continuous Attention

The 2023 Interagency Guidance extends existing third-party risk management standards to fintech relationships, requiring compliance programs calibrated to the bank's size, complexity, and the specific risk profile of each fintech partner. These standards don't stand still—agencies continue issuing supplemental guidance, enforcement orders, and updated exam procedures as BaaS models mature. For both sponsor banks and fintechs, that means building a process for tracking regulatory developments rather than treating compliance as a one-time build.

Key Compliance Risk Areas in BaaS

AML Compliance

AML obligations under the Bank Secrecy Act apply to both sponsor banks and their fintech partners. Both entities must implement transaction monitoring systems capable of identifying and reporting suspicious activity to FinCEN. Fintechs cannot delegate their BSA/AML program responsibilities to the sponsor bank.

The five pillars of AML compliance:

  1. System of internal controls — Written policies and procedures governing AML processes
  2. Independent testing — Periodic audits evaluating program effectiveness
  3. Designated BSA officer — A named individual responsible for program oversight
  4. Training program — Ongoing education for appropriate personnel
  5. Customer due diligence — Risk-based procedures for ongoing CDD (formalized in 2018)

Figure: the five pillars of an AML compliance program for BaaS banks and fintechs

Transaction monitoring must be tuned to the actual customer base and product risk. Out-of-the-box default rules create excessive false positives or, worse, miss genuinely suspicious activity. FinCEN enforcement actions demonstrate the consequences of AML failures: a penalty of $60 million against Helix for failing to register as an MSB and implement an AML program, and $100 million against BitMEX for failing to file SARs on high-risk transactions.

KYC and KYB Onboarding

Know Your Customer (KYC) and Know Your Business (KYB) requirements establish the foundation for compliant customer relationships. These processes verify customer identity, assess the source of funds, and conduct enhanced due diligence for high-risk segments. Weak onboarding is among the most common entry points for financial crime in BaaS ecosystems.

The volume of end-users in BaaS arrangements makes scalable, accurate onboarding screening critical. A well-designed program addresses:

  • Identity verification — Document checks and database matching at account opening
  • Customer due diligence (CDD) — Risk-based profiling to establish expected transaction behavior
  • Enhanced due diligence (EDD) — Deeper review for high-risk customers, business types, or geographies
  • Source of funds — Documented basis for where customer funds originate

False negatives let bad actors into the system; excessive false positives create friction and operational drag. Getting this balance right requires thoughtful program design — not just automated tools running default settings.

Sanctions Screening

Clean identity verification at onboarding is only half the picture — sanctions exposure doesn't end there. All parties in a BaaS relationship must screen customers and transactions against OFAC's Specially Designated Nationals (SDN) list and other relevant watchlists in real time. Failure to block a prohibited transaction — even if processed through a fintech partner — can result in civil penalties for the sponsor bank.

OFAC updates its sanctions lists frequently. In 2024, the Biden administration added 3,135 persons to the SDN List, up from 2,502 in 2023. Programs that only screen at onboarding will miss newly designated individuals — ongoing transaction-level screening is non-negotiable.
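The onboarding-only gap described above, shown in code. This is an added example, not code from the page or from any vendor screening product: the watchlist snapshots, the customers and the transaction are constructed, the "SDN-…" identifiers and names are placeholders rather than real OFAC designations, and the fuzzy-match threshold is an assumed tuning value. The example screens a customer at onboarding against one list version, then shows the same customer being caught both at transaction time and by a full rescreen once a later list version designates them under a different transliteration of the name.

```python
"""Sanctions screening at onboarding, at transaction time, and on list update.

Added example, not code from the page or any vendor. Watchlist entries,
customers and the transaction are constructed; "SDN-…" ids are placeholders.
"""
from dataclasses import dataclass, field
from difflib import SequenceMatcher
import re
import unicodedata

# Assumed tuning value: lower it and you catch more transliteration variants
# but generate more false positives. The choice belongs in the tuning record.
FUZZY_THRESHOLD = 0.85


def normalize(name: str) -> str:
    """Fold accents and case, drop punctuation, and sort the tokens so that
    'IVANOV, Aleksei' and 'Aleksei Ivanov' compare as the same string."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", folded.lower())
    return " ".join(sorted(tokens))


@dataclass(frozen=True)
class WatchlistEntry:
    uid: str
    name: str
    aliases: tuple = ()

    def all_names(self) -> tuple:
        return (self.name,) + self.aliases


@dataclass
class Hit:
    entry_uid: str
    matched_name: str
    score: float


def screen_name(name: str, watchlist: list) -> list:
    """Best hit per watchlist entry: an exact normalized match scores 1.0,
    otherwise a character-level similarity at or above the threshold."""
    target = normalize(name)
    hits = []
    for entry in watchlist:
        best = None
        for candidate in entry.all_names():
            cand = normalize(candidate)
            score = 1.0 if cand == target else SequenceMatcher(None, target, cand).ratio()
            if score >= FUZZY_THRESHOLD and (best is None or score > best.score):
                best = Hit(entry.uid, candidate, round(score, 3))
        if best is not None:
            hits.append(best)
    return hits


@dataclass
class Customer:
    customer_id: str
    name: str
    screened_against: str          # list version the current result is valid for
    hits: list = field(default_factory=list)


def onboard(customer_id: str, name: str, watchlist: list, version: str) -> Customer:
    """Onboarding-time screen. A clean result is only valid for this list version."""
    return Customer(customer_id, name, version, screen_name(name, watchlist))


def screen_transaction(tx: dict, watchlist: list) -> dict:
    """Transaction-time screen of every party on the payment, not just the
    account holder, against the list current when the payment is processed."""
    findings = {role: screen_name(tx[role], watchlist) for role in ("originator", "beneficiary")}
    return {"tx_id": tx["tx_id"], "blocked": any(findings.values()), "findings": findings}


def rescreen(customers: list, watchlist: list, version: str) -> list:
    """Re-run the whole customer book against an updated list and return the
    ids of customers that were clean before but hit now."""
    newly_flagged = []
    for customer in customers:
        hits = screen_name(customer.name, watchlist)
        if hits and not customer.hits:
            customer.hits, customer.screened_against = hits, version
            newly_flagged.append(customer.customer_id)
    return newly_flagged


# Constructed list snapshots. v2 designates an existing customer, spelled with a
# different transliteration than the one captured at onboarding.
LIST_V1 = [WatchlistEntry("SDN-0001", "Doe, Jonathan", ("John Doe",))]
LIST_V2 = LIST_V1 + [WatchlistEntry("SDN-0002", "IVANOV, Aleksei")]


def run_scenario() -> dict:
    customers = [
        onboard("C-1", "Alexei Ivanov", LIST_V1, "v1"),
        onboard("C-2", "Maria Santos", LIST_V1, "v1"),
    ]
    tx = {"tx_id": "T-1", "originator": "Alexei Ivanov", "beneficiary": "Maria Santos"}
    return {
        "onboarding_hits": [c.customer_id for c in customers if c.hits],  # []: clean on v1
        "tx_blocked_v1": screen_transaction(tx, LIST_V1)["blocked"],      # False
        "tx_blocked_v2": screen_transaction(tx, LIST_V2)["blocked"],      # True
        "newly_flagged_on_rescreen": rescreen(customers, LIST_V2, "v2"),  # ['C-1']
    }


if __name__ == "__main__":
    print(run_scenario())
```

A program that screens only at onboarding keeps C-1 as a clean customer forever; the transaction-time screen blocks T-1 as soon as the v2 list is in force, and the rescreen surfaces C-1 for review even if no payment is attempted. Token sorting plus a similarity ratio is deliberately simple; production screening adds phonetic and transliteration-aware matching, date-of-birth and nationality checks to cut false positives, and a recorded decision for every threshold.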

Recent OFAC enforcement examples:

  • Exodus Movement, Inc. — $3.1 million penalty (December 2025) for providing customer support to Iranian users and recommending VPNs to circumvent geo-blocking
  • ShapeShift AG — $750,000 penalty for processing 17,183 transactions for users in sanctioned jurisdictions without any compliance program

Consumer Protection and Data Privacy

Consumer protection obligations carry real regulatory teeth in BaaS arrangements. Fintechs must clearly disclose fees, terms, and FDIC insurance status — and regulators have shown they will act when those disclosures mislead customers.

The CFPB issued Circular 2022-02 warning that covered persons likely violate consumer protection laws if they misuse the FDIC name or make misrepresentations about deposit insurance. The FDIC followed with cease-and-desist letters to five fintech entities in January 2024 for falsely suggesting uninsured products were FDIC-insured.

Who Owns What: Compliance Responsibilities in a BaaS Partnership

The Sponsor Bank Is Ultimately Accountable

The sponsor bank is ultimately responsible for BSA compliance across its entire BaaS program. Regulators don't accept arguments that a fintech partner was supposed to handle it. The bank's charter and license are on the line — regardless of day-to-day operational arrangements.

Fintechs Have Independent Obligations

Fintechs offering bank-like products frequently carry BSA obligations in their own right (a fintech that operates as a money services business, for example, must register with FinCEN and run its own AML program), and where the statute does not reach them directly they are typically bound by contract and by the sponsor bank's oversight to operate an AML/KYC program the bank can examine. Reliance on the sponsor bank's program as a substitute is a compliance failure that regulators have specifically cited in enforcement actions. Both parties need robust, independent programs.

That two-party accountability model gets more complicated when middleware enters the picture.

The Middleware Accountability Gap

BaaS middleware companies sitting between sponsor banks and fintechs create real ambiguity about who owns which compliance function — and the Synapse bankruptcy shows what happens when that ambiguity goes unresolved.

Synapse Financial Technologies filed for Chapter 11 bankruptcy in April 2024, freezing accounts for over 100,000 end-users across multiple partner banks.

The bankruptcy trustee identified a ledger shortfall of $65 million to $95 million between funds held in custodial accounts and amounts owed to depositors — a direct result of failures in reconciliation, record-keeping, and accountability across the middleware layer.

Partnership Contracts as Compliance Tools

Compliance responsibilities, oversight rights, audit access, and escalation procedures must be explicitly defined in every BaaS agreement—not assumed. Contracts should specify:

  • Which party performs each compliance function
  • How and when the sponsor bank exercises oversight
  • Audit and examination rights
  • Escalation procedures for compliance failures
  • Responsibilities when partnerships evolve or new products are added

Figure: BaaS partnership contract compliance checklist with the five components above

Ongoing Monitoring: What the Sponsor Bank Must Review

The sponsor bank must periodically assess whether fintech partners are actually performing their compliance obligations. This includes reviewing:

  • KYC processes and documentation
  • Transaction monitoring outputs and alert disposition
  • SAR filing practices and supporting documentation
  • BSA program documentation and independent testing results

A fintech that passed onboarding review can still develop compliance gaps as it scales — monitoring cadence should reflect that risk.

Best Practices for Building an Audit-Ready BaaS Compliance Program

Conduct Thorough, Documented Risk Assessments

Before entering or expanding a BaaS partnership, conduct a comprehensive risk assessment evaluating:

  • End-user profiles and the risk characteristics of your customer base
  • Inherent risks tied to the specific financial services being offered
  • Transaction and customer origination by geography
  • How products are delivered and accessed across channels

Use frameworks like the FFIEC BSA/AML Examination Manual as a baseline and tailor the assessment to the specific BaaS business model. Document every conclusion and supporting rationale.

Build Rigorous, Scalable KYC/KYB Processes

Define clear standards for:

  • Identity verification requirements and acceptable documentation
  • Beneficial ownership collection for business customers
  • Enhanced due diligence triggers for high-risk segments
  • Documentation requirements that can be demonstrated to examiners

The process must be both thorough and scalable—capable of handling volume without sacrificing accuracy.

Implement Risk-Based Transaction Monitoring

Avoid "set it and forget it" monitoring configurations. Instead:

  • Tune alert thresholds to specific products and customer behaviors
  • Review alert volumes and disposition rates regularly
  • Document tuning decisions with supporting analysis
  • Conduct periodic validation to ensure effectiveness

Generic monitoring rules generate noise, not insight. Effective monitoring reflects the actual risk profile of your BaaS customer base.
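The tuning review described in this section, as an added example (not code from the page or from any monitoring vendor). The transaction log and the investigator dispositions are constructed, and the thresholds are illustrative rather than recommended values. The block compares a flat default threshold with a per-product threshold over the same transactions and computes the figures a tuning file should record: alert volume, how many alerts investigators confirmed (the disposition rate), and which confirmed cases the rule missed.

```python
"""Alert volume and disposition rate for a default threshold rule vs. a
product-tuned rule.

Added example, not code from the page. Transactions, dispositions and
thresholds are constructed and illustrative.
"""

# Constructed transaction log for three products on one BaaS program.
TRANSACTIONS = [
    {"tx_id": "B1", "product": "b2b_payments",    "amount": 12_000},
    {"tx_id": "B2", "product": "b2b_payments",    "amount": 25_000},
    {"tx_id": "B3", "product": "b2b_payments",    "amount": 40_000},
    {"tx_id": "B4", "product": "b2b_payments",    "amount": 80_000},
    {"tx_id": "W1", "product": "consumer_wallet", "amount": 400},
    {"tx_id": "W2", "product": "consumer_wallet", "amount": 4_500},
    {"tx_id": "W3", "product": "consumer_wallet", "amount": 9_800},
    {"tx_id": "W4", "product": "consumer_wallet", "amount": 150},
    {"tx_id": "W5", "product": "consumer_wallet", "amount": 3_200},
    {"tx_id": "P1", "product": "payroll_card",    "amount": 2_000},
    {"tx_id": "P2", "product": "payroll_card",    "amount": 6_500},
    {"tx_id": "P3", "product": "payroll_card",    "amount": 1_500},
    {"tx_id": "P4", "product": "payroll_card",    "amount": 4_000},
]

# Constructed dispositions: transactions an investigator confirmed as suspicious.
# Any other transaction a rule alerts on counts as a false positive.
CONFIRMED_SUSPICIOUS = {"B4", "W2", "W3", "P2", "P4"}


def default_rule(tx: dict) -> bool:
    """Out-of-the-box style rule: one flat threshold for every product."""
    return tx["amount"] >= 10_000


# Tuned per product: routine B2B invoices run far above a consumer wallet's
# normal ticket size, so a single threshold cannot fit both.
TUNED_THRESHOLDS = {"b2b_payments": 50_000, "consumer_wallet": 3_000, "payroll_card": 5_000}


def tuned_rule(tx: dict) -> bool:
    return tx["amount"] >= TUNED_THRESHOLDS[tx["product"]]


def evaluate(rule, transactions: list, confirmed: set) -> dict:
    """Metrics a tuning review should record for one rule."""
    alerts = {tx["tx_id"] for tx in transactions if rule(tx)}
    true_positives = alerts & confirmed
    return {
        "alerts": len(alerts),
        "true_positives": len(true_positives),
        "false_positives": len(alerts - confirmed),
        "missed": sorted(confirmed - alerts),
        "disposition_rate": round(len(true_positives) / len(alerts), 3) if alerts else 0.0,
    }


def compare_rules() -> dict:
    """Side-by-side record for the tuning file: same data, both rules."""
    return {
        "default": evaluate(default_rule, TRANSACTIONS, CONFIRMED_SUSPICIOUS),
        "tuned": evaluate(tuned_rule, TRANSACTIONS, CONFIRMED_SUSPICIOUS),
    }


if __name__ == "__main__":
    for name, metrics in compare_rules().items():
        print(f"{name:8s} {metrics}")
```

On this data the flat rule fires only on the large B2B payments (three of its four alerts are routine invoices) and misses every confirmed case in the wallet and payroll products; the tuned rule trades those for one false positive and one miss (P4). That residual miss is the kind of finding the periodic validation step should surface, and the next tuning decision it prompts, along with the numbers above, is what belongs in the documented analysis.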

Establish Regular Rescreening and Review Cadences

Compliance programs must keep pace with changing customer behavior and risk profiles. Implement:

  • Periodic rescreening against sanctions lists and adverse media
  • Customer risk reviews for high-risk segments
  • Documented review schedules and completion records
  • Clear escalation procedures when risk profiles change

Risk profiles shift — rescreening schedules should reflect that reality, not just satisfy a checkbox at onboarding.

Invest in Documentation and Audit Readiness from Day One

Maintain comprehensive documentation including:

  • Policies and procedures
  • Risk assessments and supporting analysis
  • Training records and attendance logs
  • Independent testing results and remediation tracking
  • Board and management reporting materials

Figure: audit-ready BaaS compliance documentation checklist with the five record categories above

A compliance program that works but isn't documented doesn't pass a regulatory exam. Examiners expect to see policies, testing results, and board reporting materials pulled quickly — often within days of a request.

Pillars FinCrime Advisory supports BaaS programs through the full compliance lifecycle: policy development, risk assessments, transaction monitoring optimization, and exam readiness. The focus is on building programs that are both operationally functional and defensible under regulatory review.

Frequently Asked Questions

What is BaaS in banking and FinTech, and how does it differ from other FinTech services?

BaaS is a model where a licensed sponsor bank provides its banking infrastructure to a non-bank company via APIs, enabling the non-bank to offer financial products without a banking license. Unlike standalone fintech services, BaaS always involves a licensed bank as the infrastructure and regulatory backbone.

Who is ultimately responsible for bank compliance with the BSA?

The sponsor bank is ultimately responsible for BSA compliance across its BaaS program—regulators hold the bank accountable regardless of which party performs day-to-day compliance functions. Fintech partners also carry their own independent BSA obligations and cannot rely solely on the bank's program.

What are the 5 key areas of compliance in banking?

The core compliance areas relevant to banking and BaaS are: AML/BSA compliance, KYC/KYB and customer due diligence, sanctions (OFAC) compliance, consumer protection, and third-party/vendor risk management.

How do you measure regulatory compliance and what should a compliance checklist include?

Compliance is measured through risk assessments, independent testing, exam findings, and ongoing monitoring metrics such as SAR filing rates and false positive rates. A BaaS checklist should cover AML program documentation, KYC procedures, sanctions screening, transaction monitoring tuning records, and third-party oversight.

What happens when a BaaS partner fails to meet compliance obligations?

Noncompliance by a fintech partner can trigger enforcement actions against the sponsor bank—including consent orders, business growth restrictions, and fines—even if the bank was not directly responsible for the failure. That exposure is why proactive partner monitoring and clear contractual compliance specifications are built into well-structured BaaS programs from the start.


Need help building an audit-ready BaaS compliance program? Pillars FinCrime Advisory supports sponsor banks, fintechs, and payments companies across the full compliance lifecycle—from policy development and risk assessments to transaction monitoring optimization and regulatory exam readiness. Contact Joshua Douglas at 281-825-1603 or pillarsfincrimeadvisory@gmail.com to discuss your compliance needs.