Banking as a Service: Understanding Compliance & Regulatory Requirements

Introduction

Banking-as-a-Service compliance is not a checkbox exercise. It's a structural requirement that determines whether a BaaS partnership survives regulatory scrutiny. In 2024, sponsor banks accounted for 18.3% of all federal enforcement actions, up from 13.5% in 2023—a dramatic escalation that signals regulators are no longer issuing warnings. They're issuing consent orders, deposit growth restrictions, and partnership terminations.

The core problem is that most BaaS participants underestimate the layered compliance obligations built into the model. Fintechs assume the sponsor bank's license "covers" them. Sponsor banks assume contractual indemnities shield them from liability. Both assumptions fail under regulatory scrutiny.

When they do, banks face enforcement actions that freeze their ability to onboard new partners, and fintechs face partnership terminations that can collapse their entire business model.

Understanding where those gaps form — and how to close them — starts with the fundamentals. This article covers:

  • What BaaS compliance actually means in practice
  • Which regulatory frameworks apply to each party
  • The core requirements fintechs and sponsor banks must meet
  • What happens when any party in the chain falls short

TL;DR

  • BaaS compliance is shared: sponsor banks are ultimately liable, but fintechs must run independent AML programs
  • FDIC, OCC, Federal Reserve, FinCEN, and OFAC all enforce BaaS compliance at the federal level
  • Core requirements include KYC/KYB, AML/BSA, OFAC sanctions screening, transaction monitoring, and data privacy
  • Consent orders carry real consequences: deposit restrictions, partnership terminations, and reputational damage
  • Partnership contracts must spell out compliance responsibilities explicitly — auditors won't accept vague terms

What BaaS Compliance Actually Means — and Who Owns It

BaaS compliance is the full set of regulatory obligations that attach to delivering banking services through non-bank channels. It is not just the bank's problem or just the fintech's problem—compliance follows the activity, not the license.

The Three-Party Structure

Understanding accountability starts with understanding the structure:

  • Sponsor bank - Holds the charter and bears ultimate regulatory accountability for all activities conducted under its license
  • Middleware/BaaS platform - Provides the technology layer connecting fintech to bank; may carry specific compliance duties depending on contract
  • Fintech/brand - Customer-facing entity subject to BSA and consumer protection rules regardless of who holds the charter


The Accountability Trap

The sponsor bank cannot transfer its regulatory accountability to its fintech partner. The 2023 Interagency Guidance on Third-Party Relationships explicitly states that a bank's use of third parties does not diminish its responsibility to perform activities in a safe and sound manner and in compliance with applicable laws.

FDIC guidance reinforces this point: indemnity agreements do not "insulate the institution from its ultimate responsibility to conduct banking and related activities in a safe and sound manner." The contract may shift costs — it cannot shift accountability.

Fintechs Are Not Off the Hook

Fintechs cannot rely on the sponsor bank to perform BSA duties on their behalf. Under 31 CFR 1022.210, a fintech that is itself a Money Services Business (MSB), for example a money transmitter, must develop, implement, and maintain an effective, written anti-money laundering program of its own. This is where many BaaS relationships have failed under regulatory scrutiny.

Contract Clarity Is Non-Negotiable

Because both parties carry independent obligations, compliance responsibilities must be explicitly defined in the BaaS partnership contract, covering:

  • Customer onboarding and identity verification
  • Transaction monitoring and alert escalation
  • Fraud detection and response protocols
  • Consumer disclosures and fee structures
  • Data privacy and breach notification
  • Complaint handling and resolution
  • Fourth-party (sub-vendor) due diligence

For early-stage fintechs lacking internal compliance bandwidth, engaging fractional compliance leadership — a fractional BSA Officer or CCO through Fraxtional — allows these companies to meet sponsor bank expectations without the cost of a full-time executive hire.


The Regulatory Landscape Governing BaaS Partnerships

The regulatory landscape is multi-layered and multi-jurisdictional. There is no single BaaS-specific statute—instead, overlapping frameworks apply based on the activities being performed.

Key U.S. Federal Regulators

FDIC, OCC, and Federal Reserve (Prudential Oversight)

The three primary federal banking regulators divide supervision by charter type:

  • OCC - National banks and federal savings associations
  • Federal Reserve - State-chartered banks that are members of the Federal Reserve System, plus bank holding companies
  • FDIC - State-chartered banks that are not Federal Reserve members; the FDIC also insures deposits at banks under all three charters

Regulators collaborate but may also issue separate actions against the same institution.

FinCEN and OFAC (Financial Crime Enforcement)

  • FinCEN - Enforces the Bank Secrecy Act, requiring SAR (Suspicious Activity Report) and CTR (Currency Transaction Report) filings
  • OFAC - Enforces sanctions compliance on a strict liability basis, meaning violations carry penalties regardless of intent

Any entity in the BaaS chain that processes transactions faces OFAC liability for violations.

State-Level Regulatory Complexity

Federal oversight is only part of the picture. State banking regulators add another enforcement layer, and fintechs often need money transmitter licenses (MTLs) in multiple states depending on their activity. As of 2026, 31 states have adopted the CSBS Money Transmission Modernization Act (MTMA) to standardize requirements — yet compliance fragmentation remains the norm, not the exception.

Some banks have attempted to switch charters to find more lenient oversight, a practice drawing direct regulatory penalties. CFPB Director Rohit Chopra explicitly cited Farmington State Bank for "charter shopping" to evade FDIC oversight — a signal that regulators treat jurisdictional maneuvering as an aggravating factor, not a workaround.

Cross-Border Considerations

BaaS operating across U.S., UK, and EU borders must layer in additional frameworks:

  • UK - FCA regulations require appointment of a Money Laundering Reporting Officer (MLRO) with sufficient authority and independence
  • EU - PSD2 licensing, AMLD6 requirements, and EBA Guidelines on Outsourcing apply
  • Data handling - GDPR compliance is mandatory for processing EU customer data


Each jurisdiction adds its own filing obligations, licensing requirements, and supervisory relationships — meaning a BaaS model that's compliant in the U.S. may still face material gaps the moment it touches EU customer data or routes payments through a UK-regulated entity.


Core BaaS Compliance Requirements You Cannot Ignore

These are the operational requirements every party in a BaaS arrangement must address — regardless of role. Missing any one of them creates direct exposure for both the fintech and its sponsor bank.

KYC/KYB and Customer Due Diligence

Know Your Customer (KYC) and Know Your Business (KYB) procedures require verification of customer identity, source of funds, and beneficial ownership. Enhanced due diligence (EDD) is mandatory for high-risk customers.

Failure to perform adequate KYC exposes both the fintech and sponsor bank to fraud, money laundering, and sanctions violations.

BSA/AML Program Requirements

The Bank Secrecy Act requires a formal AML compliance program built on the following mandatory pillars:

  • System of internal controls
  • Independent testing
  • Designated BSA compliance officer
  • Ongoing training for appropriate personnel
  • Risk-based customer due diligence (CDD), including beneficial ownership identification, added as a fifth pillar for banks by FinCEN's 2016 CDD Rule (compliance date May 2018)

Critical requirement: Fintechs in BaaS arrangements are not exempt. They must establish their own BSA programs rather than relying on the sponsor bank's program.

Filing requirements:

  • CTR (Currency Transaction Report) - Required for currency (cash) transactions exceeding $10,000, aggregated across multiple cash transactions by or on behalf of the same person in a single business day; must be filed within 15 calendar days
  • SAR (Suspicious Activity Report) - For banks, required for transactions aggregating $5,000 or more that involve known or suspected illegal activity (the MSB threshold is $2,000); must be filed within 30 calendar days of initial detection, extendable to 60 days when no suspect has been identified
  • Both require 5-year record retention, including supporting documentation
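The aggregation rule above is where monitoring logic most often goes wrong: two cash deposits of $6,000 and $5,000 by the same customer on the same business day trigger a CTR even though neither alone exceeds $10,000, while the same two deposits on different days do not. The following is an added example, not code from the original article, showing that aggregation together with the CTR and SAR filing-deadline arithmetic. The transactions and customer IDs are constructed; the business-day aggregation rule (31 CFR 1010.313) and the 15/30/60-day deadlines are real, and the treatment of "business day" as a calendar date is a simplifying assumption.

```python
"""Added example: CTR threshold monitoring with same-business-day aggregation,
plus CTR/SAR filing-deadline computation. Transactions are constructed data."""
from collections import defaultdict
from datetime import date, timedelta

CTR_THRESHOLD = 10_000      # CTR is required when cash exceeds this (strictly greater)
CTR_FILING_DAYS = 15        # calendar days after the transaction date
SAR_FILING_DAYS = 30        # calendar days after initial detection
SAR_NO_SUSPECT_DAYS = 60    # permitted delay when no suspect is identified

# Constructed sample ledger. Only currency (cash) transactions count toward a CTR.
SAMPLE_TXNS = [
    {"customer_id": "C-1", "date": date(2024, 3, 4), "type": "cash", "amount": 6_000},
    {"customer_id": "C-1", "date": date(2024, 3, 4), "type": "cash", "amount": 5_000},
    {"customer_id": "C-2", "date": date(2024, 3, 4), "type": "cash", "amount": 10_000},
    {"customer_id": "C-3", "date": date(2024, 3, 4), "type": "cash", "amount": 7_000},
    {"customer_id": "C-3", "date": date(2024, 3, 5), "type": "cash", "amount": 7_000},
    {"customer_id": "C-4", "date": date(2024, 3, 4), "type": "ach",  "amount": 20_000},
]


def ctr_obligations(txns):
    """Aggregate cash by (customer, business day) and return one CTR obligation
    per bucket whose total exceeds the threshold, with its filing deadline.
    Business day is approximated by calendar date (assumption)."""
    totals = defaultdict(int)
    for t in txns:
        if t["type"] != "cash":          # ACH, wire, card: not currency, no CTR
            continue
        totals[(t["customer_id"], t["date"])] += t["amount"]

    alerts = []
    for (customer_id, day), total in sorted(totals.items()):
        if total > CTR_THRESHOLD:        # exactly $10,000 does not trigger a CTR
            alerts.append({
                "customer_id": customer_id,
                "business_day": day,
                "cash_total": total,
                "file_by": day + timedelta(days=CTR_FILING_DAYS),
            })
    return alerts


def sar_deadline(detected_on, suspect_identified):
    """SAR filing deadline measured from the date of initial detection.
    30 days normally; up to 60 days when no suspect has yet been identified."""
    days = SAR_FILING_DAYS if suspect_identified else SAR_NO_SUSPECT_DAYS
    return detected_on + timedelta(days=days)


if __name__ == "__main__":
    for alert in ctr_obligations(SAMPLE_TXNS):
        print(alert)   # only C-1 on 2024-03-04 ($11,000 aggregated) appears
    print(sar_deadline(date(2024, 3, 4), suspect_identified=False))
```

C-2's single $10,000 deposit and C-3's two $7,000 deposits on consecutive days produce no CTR, and C-4's $20,000 ACH is excluded because it is not currency. Production systems must also handle the bank's actual business-day definition and transactions by agents acting on behalf of the same person.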


Sanctions Screening (OFAC)

All parties must screen customers and transactions against OFAC's Specially Designated Nationals (SDN) list and other restricted party lists in real time.

OFAC enforces strict liability—violations carry penalties regardless of intent. In 2025, OFAC fined Exodus Movement $3.1 million for 254 Iran sanctions violations. The violations were deemed egregious because customer support staff repeatedly recommended that Iranian users use VPNs to circumvent IP-based geo-blocking controls.

SDN lists update without notice. Screening should run at onboarding, at transaction execution, and on a recurring batch basis to catch designations added after a customer was originally cleared.
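The three screening points above are easy to state and easy to get wrong in code: "Ivanovich, Dmitri" and "Dmitri Ivanovich" must match, a corporate suffix or a typo must not defeat a match, and a customer cleared at onboarding must be caught when a later list release designates them. The following is an added example, not code from the original article or from any vendor, showing one way to implement all three points. The list entries, customer names, transactions and the 0.85 similarity threshold are constructed and fictional; they are not real SDN data, and a production screening engine would use a calibrated matching model rather than a single string-similarity ratio.

```python
"""Added example: sanctions screening at onboarding, per transaction, and on a
recurring rescreen after the list changes. All names and list entries are
constructed for illustration and are not real SDN data."""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed list snapshots (fictional names). V2 models a later release that
# designates a party who was clean when the customer was first onboarded.
SDN_LIST_V1 = [
    {"uid": 1001, "name": "Alpha Trading House", "aliases": ["Alpha Trade House"]},
    {"uid": 1002, "name": "Ivanovich, Dmitri", "aliases": ["Dmitri Ivanovich"]},
]
SDN_LIST_V2 = SDN_LIST_V1 + [
    {"uid": 1003, "name": "Northwind Logistics LLC", "aliases": ["Northwind Logistik"]},
]

CORP_SUFFIXES = {"LLC", "LTD", "INC", "CO", "CORP", "PLC", "GMBH", "SA"}
MATCH_THRESHOLD = 0.85   # assumed tuning value; calibrate against your own alert data


def normalize(name):
    """Canonical form: strip accents and punctuation, drop corporate suffixes,
    uppercase, and sort tokens so 'Last, First' and 'First Last' compare equal."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.replace(".", "")                          # keep "L.L.C." as one token
    text = re.sub(r"[^A-Za-z0-9 ]+", " ", text).upper()
    tokens = [t for t in text.split() if t not in CORP_SUFFIXES]
    return " ".join(sorted(tokens))


def screen_name(name, sdn_list, threshold=MATCH_THRESHOLD):
    """Return [(uid, matched_name, score)] for every list entry whose primary
    name or any alias reaches the similarity threshold, best score first."""
    probe = normalize(name)
    hits = []
    for entry in sdn_list:
        best = None
        for candidate in [entry["name"]] + entry["aliases"]:
            score = SequenceMatcher(None, probe, normalize(candidate)).ratio()
            if best is None or score > best[1]:
                best = (candidate, score)
        if best[1] >= threshold:
            hits.append((entry["uid"], best[0], round(best[1], 3)))
    return sorted(hits, key=lambda h: -h[2])


def screen_transaction(tx, sdn_list):
    """Screen every named party on a payment. Any hit holds the payment for
    compliance review; whether it is ultimately blocked or rejected depends on
    the sanctions program, which this example does not model."""
    hits = []
    for party in ("originator", "beneficiary", "beneficiary_bank"):
        for uid, matched, score in screen_name(tx[party], sdn_list):
            hits.append((party, uid, matched, score))
    return {"decision": "HOLD" if hits else "CLEAR", "hits": hits}


def rescreen_customers(customers, sdn_list):
    """Recurring batch rescreen of the existing book against the current list.
    Returns [(customer_id, hits)] for customers that match now, which is how
    designations added after onboarding are caught."""
    flagged = []
    for customer in customers:
        hits = screen_name(customer["name"], sdn_list)
        if hits:
            flagged.append((customer["id"], hits))
    return flagged


if __name__ == "__main__":
    book = [{"id": "C-1", "name": "Jane Smith"},
            {"id": "C-2", "name": "Northwind Logistics"}]
    print("onboarding vs V1:", rescreen_customers(book, SDN_LIST_V1))   # nothing flagged
    print("rescreen vs V2:  ", rescreen_customers(book, SDN_LIST_V2))   # C-2 now flagged
    tx = {"originator": "Jane Smith", "beneficiary": "Dmitri Ivanovich",
          "beneficiary_bank": "Example Bank"}
    print("transaction:", screen_transaction(tx, SDN_LIST_V2))
```

The rescreen step is the one that a "screen once at onboarding" design omits: C-2 is clean against the V1 snapshot and only becomes a hit after the V2 release, so the batch job must run against every list update and not merely on a fixed calendar. Token sorting handles the reordered personal name, suffix stripping handles the corporate form, and the similarity ratio still catches the misspelling "Northwnd".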

Consumer Protection and Data Privacy

UDAAP (Unfair, Deceptive, or Abusive Acts or Practices) obligations apply to marketing claims, disclosures, and fee structures. An act is unfair if it causes substantial injury that is not reasonably avoidable and not outweighed by countervailing benefits (meaning benefits to consumers or competition that justify the practice).

Following the Synapse collapse, regulators have intensified enforcement against fintechs misrepresenting FDIC insurance. Under 12 CFR Part 328, it is prohibited to falsely imply that an uninsured financial product is FDIC-insured.

Data privacy obligations vary by jurisdiction and customer location:

  • Regulation P - Requires financial institutions to provide clear privacy notices before disclosing nonpublic personal information
  • CCPA - California Consumer Privacy Act distinguishes between "businesses" and "service providers" and restricts data sharing
  • GDPR - Applies to any BaaS participant processing EU customer data

How BaaS Compliance Programs Are Structured and Monitored

A BaaS compliance program requires ongoing risk assessments, real-time monitoring, and periodic review—not a binder that gets filed away after onboarding. The contract should specify which party is responsible for each monitoring function and what evidence of compliance must be shared.

Monitoring Cadence

Ongoing monitoring includes:

  • Initial onboarding due diligence on the fintech partner
  • Real-time transaction monitoring and alert escalation
  • Periodic rescreening of customers against sanctions and watchlists
  • Product roadmap reviews to catch compliance implications of new features before launch
  • Annual third-party audits

Regulators expect banks to monitor their fintech partners with the same rigor they apply to their own operations.

Fractional Compliance Leadership for Early-Stage Fintechs

Many seed-to-Series B fintechs lack the internal bandwidth to build and run a full compliance function. Engaging fractional compliance leadership allows these companies to meet sponsor bank and regulatory expectations without the overhead of a full-time executive hire.

Fractional roles commonly engaged at this stage include:

  • BSA Officer — owns AML program design, SAR filing, and examiner-facing documentation
  • CCO — oversees the full compliance framework and board-level reporting
  • MLRO — required for UK/EU-regulated entities handling payment flows or e-money

This model gives early-stage teams director-level compliance oversight while preserving runway for product and growth.

What Happens When BaaS Compliance Breaks Down

The cause-and-effect chain is predictable: a fintech's lax KYC or AML monitoring creates regulatory exposure at the sponsor bank level. Because the bank is ultimately accountable, regulators issue enforcement actions directly against it. Those actions can include deposit growth restrictions that effectively freeze the bank's ability to onboard new BaaS partners.

Real-World Enforcement Examples

In 2024, regulators issued consent orders against multiple BaaS sponsor banks:

  • Blue Ridge Bank (OCC) - Required OCC non-objection before onboarding new fintech partners
  • Lineage Bank (FDIC) - Ordered to develop a contingency plan to terminate fintech partners
  • Piermont Bank (FDIC) - Required to review all transactions since September 2022 for suspicious activity
  • Evolve Bank & Trust (Federal Reserve) - Cited for deficient AML controls and risk management framework


18.3% of all federal enforcement actions in 2024 targeted BaaS sponsor banks — a signal of just how concentrated regulatory risk has become in this space. 79% of BaaS-related AML enforcement actions now mandate historical transaction lookbacks.

Downstream Consequences for the Fintech

When a sponsor bank receives an enforcement order, the fintech faces:

  • Partnership termination - The bank exits the relationship to protect itself
  • Reputational damage - Other potential sponsor banks view the fintech as high-risk
  • Regulatory action - In severe cases, regulators may pursue the fintech directly

The 2024 collapse of Synapse Financial Technologies serves as a case study in cascading BaaS failures. The bankruptcy revealed an estimated $65 million to $95 million ledger shortfall, leaving consumers unable to access their funds for months. In 2025, the CFPB permanently banned Synapse from engaging in financial services operations.


Common BaaS Compliance Misconceptions to Avoid

Misconception 1: The Sponsor Bank's License "Covers" the Fintech

Many fintechs assume the sponsor bank's license provides a compliance umbrella. It doesn't. Regulators treat the fintech as an independent obligated party — meaning the fintech must maintain its own BSA/AML program, conduct its own customer due diligence, and file its own SARs where applicable.

Regulators have cited reliance on the bank's program in actual enforcement actions as a compliance deficiency. Contractual indemnities provide no protection here — they don't shield the sponsor bank from regulatory liability, and they don't exempt the fintech from independent obligations.

Misconception 2: Compliance Is a One-Time Setup Task

BaaS compliance must evolve with the product. New features, new geographies, and new customer segments all trigger new compliance requirements.

Regulators expect proactive engagement — not reactive patching after an enforcement action. In practice, that means:

  • Continuous transaction monitoring and control testing
  • Periodic risk assessments as the product changes
  • Real-time adjustments when new customer segments or geographies are added


A program built for launch day will not hold up at Series B scale.


Frequently Asked Questions

What is compliance as a service (CaaS)?

Compliance as a Service (CaaS) is an industry term used by technology vendors to describe cloud-based solutions that automate regulatory compliance processes, testing, and reporting. It is distinct from BaaS. The two sometimes intersect when fintechs use third-party compliance tools or fractional compliance officers to meet their BaaS-related obligations.

What are the key areas of compliance in banking?

The main pillars are BSA/AML (anti-money laundering), KYC/KYB (customer and business verification), OFAC sanctions screening, consumer protection (UDAAP, Reg E), data privacy, and cybersecurity. In BaaS arrangements, all of these apply to both the sponsor bank and the fintech partner — not just the chartered bank.

Who is ultimately responsible for a bank's compliance with the Bank Secrecy Act (BSA)?

The bank's board of directors and senior management bear ultimate BSA accountability. In BaaS arrangements, this accountability extends to the bank's fintech partners' BSA performance, which the bank is expected to monitor and oversee.

What is an example of banking-as-a-service (BaaS)?

A fintech company offering FDIC-insured checking accounts and debit cards to its users by partnering with a sponsor bank via API is a common BaaS structure. The fintech handles the user interface and customer relationship while the bank provides the charter, infrastructure, and regulatory backing.

What is the $3,000 rule in banking?

The $3,000 rule, under the Bank Secrecy Act's Travel Rule, requires financial institutions to collect, retain, and transmit specific information about the sender and receiver for funds transfers of $3,000 or more. BaaS participants must ensure their compliance programs and partner agreements explicitly address data collection and transmission obligations for transactions at or above this threshold.