Embedded Finance and Compliance: Key Considerations

Introduction

The regulatory heat on embedded finance is real — and it's measured in consent orders, not warnings. According to Klaros Group analysis, FDIC-supervised fintech partner banks faced a 15% chance of formal enforcement action between Q1 2023 and Q1 2024, compared to just 1.8% for non-partner banks. That's an eightfold difference. Regulators, banks, and their fintech partners have all taken notice — and most are now reassessing how compliance accountability is distributed across the ecosystem.

Global embedded finance revenue is projected to surpass $228 billion by 2028, up from $92 billion in 2024. That growth is real — but so is the compliance burden that comes with it. Most fintechs and platforms discover just how layered that structure is only after they're already in the middle of a bank partnership review.

This guide breaks down who owns what in an embedded finance partnership, the core regulatory requirements every participant must understand, cross-border considerations for US, UK, EU, and Canadian operations, and the most common compliance failures — before regulators find them first.


TL;DR

  • Embedded finance operates through a three-layer structure (sponsor bank, BaaS provider, end-brand) — each layer carries distinct compliance obligations.
  • End-brands carry real contractual and operational compliance duties — these cannot be delegated to the sponsor bank.
  • Core requirements include BSA/AML, KYC/KYB, UDAAP, Reg E, and data privacy — varying by jurisdiction.
  • Regulators now expect every layer to demonstrate its own controls — assuming the sponsor bank "handles compliance" is a costly mistake.

What Is Embedded Finance — and Why Compliance Is Non-Negotiable

Embedded finance is the integration of financial services — payments, lending, insurance, deposit accounts — into non-financial platforms by leveraging a licensed bank's regulatory infrastructure. A SaaS company offering its customers a business account, or a gig platform paying workers through an in-app wallet, is delivering embedded finance.

BaaS (Banking as a Service) is the infrastructure layer that makes this possible — the APIs, middleware, and program management that connect the licensed bank to the brand. Embedded finance is the what; BaaS is the how.

The Three-Layer Ecosystem

Every embedded finance program involves three parties, each carrying compliance weight:

Layer          | Role                                   | Primary Compliance Obligation
Sponsor Bank   | Holds the charter and banking license  | AML/BSA, consumer protection, deposit rules
BaaS Provider  | Middleware connecting bank to brand    | Contractually delegated controls (onboarding, monitoring)
End-Brand      | Customer-facing product layer          | KYC standards, AML controls, UDAAP, data privacy

Embedded finance products touch regulated activities — money movement, credit issuance, deposit-taking — which means a failure at any layer can trigger enforcement against the licensed bank, program suspension, or direct regulatory action against the brand. The Synapse bankruptcy in April 2024 illustrated this clearly: frozen accounts for tens of thousands of customers and an estimated $85 million shortfall, with liability tracing back to every party in the stack.

[Figure: Three-layer embedded finance ecosystem showing sponsor bank, BaaS provider, and end-brand compliance roles]

The Compliance Accountability Framework: Who Owns What

Sponsor Banks: The Primary Regulatory Liability Holder

Sponsor banks — chartered banks and federally regulated institutions — hold the banking license and are the primary party regulators hold accountable. This accountability doesn't transfer when they partner with a fintech. The 2024 interagency statement from the OCC, FDIC, and Federal Reserve makes this explicit: use of third parties to deliver deposit products does not diminish a bank's legal and regulatory responsibilities.

The enforcement record reflects this. Between 2023 and 2024, consent orders hit Blue Ridge Bank (OCC), Evolve Bank & Trust (Federal Reserve), Thread Bank (FDIC), Piermont Bank (FDIC), Lineage Bank (FDIC), Cross River Bank (FDIC), and Green Dot Bank (Federal Reserve, $44 million penalty). The violations cluster around the same issues: BSA/AML deficiencies, inadequate fintech partner oversight, weak transaction monitoring, and consumer compliance failures.

Alloy's 2024 State of Embedded Finance Report found that 80% of sponsor bank decision-makers described meeting compliance requirements in embedded finance as challenging — and 75% had lost at least $100,000 to compliance violations and regulatory fees.

BaaS Providers: The Infrastructure and Oversight Layer

BaaS providers often absorb specific compliance functions through contract — onboarding flow design, card issuance controls, transaction monitoring infrastructure. Their specific responsibilities depend on what the sponsor bank delegates and how the governance model is structured.

Two models dominate:

  • Bank-as-regulator: The bank maintains close, direct oversight of every partner's compliance controls
  • Program management: The bank relies heavily on the BaaS middleware to monitor and enforce compliance on its behalf

Neither model relieves the bank of ultimate accountability — both require documented evidence trails that regulators can audit.

End-Brands: Contractual Compliance Obligations That Cannot Be Waived

End-brands — the fintech or non-financial company offering the embedded product — operate under a compliance framework set by the sponsor bank and BaaS provider through program agreements. These agreements cover KYC standards, AML controls, transaction limits, reporting obligations, and audit rights. Violating these terms can result in program termination.

The auditability gap compounds the risk. Alloy's research identified the lack of control and visibility over fintech partners' policy controls as a top barrier for sponsor banks — meaning many banks can't confirm whether their fintech partners are actually implementing agreed controls. Banks are tightening requirements precisely because that evidence gap creates direct regulatory exposure when examiners arrive.

[Figure: Embedded finance compliance accountability matrix comparing sponsor bank, BaaS provider, and end-brand obligations]

Key Regulatory Requirements Every Embedded Finance Participant Must Know

AML and BSA Compliance

The Bank Secrecy Act creates a framework that flows from the sponsor bank down through program agreements to the end-brand:

  • Customer Identification Program (CIP): Written procedures for identity verification before account opening — name, date of birth, address, identification number
  • Transaction monitoring: Ongoing surveillance for suspicious activity patterns
  • SAR filing: Timely Suspicious Activity Reports when thresholds are met
  • CTR filing: Currency Transaction Reports for qualifying cash transactions

FinCEN allows CIP reliance on a third party only when that party is subject to AML requirements and a contract requires annual certification. The bank remains responsible when using third-party agents to perform CIP elements. Fintechs executing onboarding on a bank's behalf carry real accountability for that work.

KYC and KYB Standards

KYC (Know Your Customer) for consumers and KYB (Know Your Business) for commercial accounts are gatekeeping requirements that every embedded finance product must implement at onboarding. FinCEN's beneficial ownership rule requires identification and verification of individuals with 25% or more equity ownership of legal entity customers, plus one control person. Records must be retained for five years.

The standard applied depends on product type and risk profile. A stored-value card program has different risk exposure than a small business lending product.

Consumer Protection: UDAAP and Reg E

UDAAP (Unfair, Deceptive, or Abusive Acts or Practices) applies to every customer-facing element of an embedded finance product: marketing claims, fee disclosures, and product terms.

The CFPB's 2024 Supervisory Highlights flagged BNPL dispute-resolution failures and deceptive paycheck-advance representations. In both cases, end-brands — not just the banks — created the exposure.

Regulation E governs consumer electronic fund transfers and is frequently overlooked by fintechs until a complaint arrives. Key obligations include:

  • Error resolution procedures (reasonable investigation required, even when a third party handles disputes)
  • Disclosure requirements at account opening and for change-in-terms
  • Liability limits for unauthorized transfers

The FDIC's 2024 Consumer Compliance Supervisory Highlights specifically found that institutions failed to conduct reasonable Reg E error investigations when third-party service providers were involved. Outsourcing dispute handling does not transfer the underlying obligation.

[Figure: BSA/AML and Regulation E compliance obligations process flow for embedded finance programs]

Data Privacy and Cybersecurity

As a party processing financial data, end-brands cannot treat data security as the bank's problem:

  • GLBA Safeguards Rule: Non-bank financial institutions must maintain a written information security program, designate a Qualified Individual, and notify the FTC of security events involving at least 500 consumers
  • GDPR: Applies to EU/UK data subjects regardless of where the processing entity is headquartered
  • State privacy laws: A growing patchwork (California, Colorado, Virginia, and others) creates direct obligations for end-brands serving US consumers

Cross-Border Compliance Considerations

Operating across multiple jurisdictions means navigating different regulators, different licensing requirements, and different accountability frameworks — often at the same time. Here's how the key frameworks break down across the four major markets.

United States

The US runs a multi-regulator structure. The relevant regulator depends on the sponsor bank's charter and the product category:

  • OCC: National banks and federal savings associations
  • Federal Reserve: State member banks
  • FDIC: State nonmember banks
  • FinCEN: BSA/AML obligations across all institutions
  • CFPB: Federal consumer financial law enforcement

Multi-bank or multi-product embedded finance structures can trigger obligations from more than one of these agencies, which creates complexity fintechs frequently underestimate at the design stage.

[Figure: US embedded finance multi-regulator structure mapping five agencies to charter types and product categories]

United Kingdom

The FCA's framework for embedded finance includes three key requirements:

  • EMI/PI authorization: Firms providing payment services or issuing e-money must be FCA-authorized or registered — or partner with an authorized entity
  • Payment Services Regulations: Governs conduct for regulated payment activity
  • Consumer Duty: Took effect for open products on 31 July 2023 and closed products on 31 July 2024. It explicitly applies to firms in a distribution chain that can influence retail customer outcomes — meaning end-brands and platforms can be in scope even without a direct customer relationship with the end user

European Union

The EU framework has three primary compliance layers:

  • PSD2 / Strong Customer Authentication: Applies to payment service providers handling customer-initiated transactions
  • EBA outsourcing guidelines: Govern how payment and e-money institutions delegate functions to third parties
  • EU AML/CFT rules: Apply to obliged entities (credit and financial institutions). Non-licensed end-brands aren't automatically AML-obliged, but obligation mapping must be done explicitly based on whether the brand is acting as a licensed entity, agent, or distributor

Canada

Canada has two parallel compliance tracks:

  • FINTRAC / PCMLTFA: Money Services Businesses must register with FINTRAC before operating and meet Proceeds of Crime (Money Laundering) and Terrorist Financing Act obligations — this applies even when a firm holds a provincial license
  • OSFI Guideline B-10 (finalized April 2023): Sets third-party risk management expectations for federally regulated financial institutions using outsourcing arrangements

Operating across two or more of these jurisdictions at once introduces compliance complexity that most embedded finance teams aren't staffed to manage internally. Fraxtional addresses this by deploying role-specific fractional leadership — CCO, BSA Officer, MLRO, and CAMLO — each aligned to the regulatory framework in their jurisdiction. That gives embedded finance companies director-level oversight across the US, UK, EU, and Canada without the cost or overhead of four separate full-time hires.


Common Embedded Finance Compliance Pitfalls — And How to Avoid Them

The "Bank Handles Compliance" Assumption

The most expensive assumption in embedded finance is that the sponsor bank's compliance program covers the fintech's obligations. Regulators increasingly expect end-brands to demonstrate their own robust compliance programs. Consent orders against Evolve, Thread, and Lineage all cited failures at the program-management level — failures that originated with fintech partner controls, not the bank's own operations.

Every end-brand needs documented policies, a named compliance officer accountable for the program, and controls it can demonstrate independently of the bank's own infrastructure.

One-Time Onboarding Without Ongoing Monitoring

BSA obligations don't end at account opening. A compliant embedded finance program requires:

  • Ongoing transaction surveillance with defined thresholds and alert logic calibrated to the product
  • Periodic customer reviews, particularly for higher-risk segments
  • SAR workflows with escalation paths and documentation that hold up under examiner review
  • OFAC and PEP screening that runs continuously, not just at onboarding

Static compliance — a clean sign-up with no follow-through — reliably generates MRA findings and, over time, enforcement actions. Programs that stop at onboarding rarely survive an examination intact.

[Figure: Four-component ongoing AML compliance monitoring framework for embedded finance programs]

The Vendor Due Diligence Gap

When fintechs switch BaaS providers or add technology partners, compliance obligations don't automatically transfer. The new provider may have different onboarding standards, stricter transaction monitoring rules, or alternative data access arrangements. Each transition requires a formal compliance re-assessment.

For growth-stage companies building or restructuring a compliance program without a full in-house team, engaging fractional compliance leadership — a BSA Officer, MLRO, or CCO — provides the expertise to audit third-party controls and close gaps before they surface in an examination.

Fraxtional's independent audit service takes this a step further, producing board-ready findings with prioritized remediation steps tailored for sponsor bank due diligence, regulatory examinations, and investor reviews.


Frequently Asked Questions

What is embedded compliance?

Embedded compliance builds regulatory controls directly into an institution's workflows so that compliance decisions happen at the point of activity — not after the fact. The system that generates a transaction also carries the controls governing it.

What does "embedded finance" mean?

Embedded finance is the integration of financial services — payments, credit, insurance, deposit accounts — into non-financial platforms or products. It allows brands to offer banking capabilities to their customers without becoming a licensed financial institution themselves, by operating through a sponsor bank's regulatory infrastructure.

What is an example of embedded finance?

A SaaS platform offering business accounts directly to its users is one common example. A ride-hailing app providing instant driver payouts through an in-app wallet is another. In both cases, a sponsor bank holds the license while the brand owns the customer relationship.

What are the three types of compliance?

The three broad categories are regulatory compliance (adherence to laws), operational compliance (internal controls and policies), and ethical/corporate compliance (conduct standards). Embedded finance primarily triggers regulatory obligations, but regulators look to operational compliance — documented controls and monitoring programs — as evidence of adherence.

Who is responsible for compliance in an embedded finance partnership?

All three parties carry distinct obligations: the sponsor bank holds primary regulatory liability, the BaaS provider is accountable for its contracted controls, and the end-brand must meet the compliance framework set in the program agreement. The bank's umbrella does not cover failures that originate with the fintech — regulators hold each layer accountable separately.

What regulations apply to embedded finance companies in the US?

Core frameworks include:

  • BSA/AML — FinCEN reporting and program requirements
  • Consumer protection — CFPB/UDAAP, Reg E
  • Data security — GLBA obligations
  • State MTLs — money transmission licensing where applicable

The specific requirements depend on product type and the sponsor bank's charter, which determines which prudential regulator has jurisdiction.