Banking-as-a-Service has attracted more regulatory scrutiny in the past three years than almost any other financial services distribution model. The enforcement actions against Evolve Bank and Trust, Blue Ridge Bank, and the operational failure of Synapse Financial Technologies — which left thousands of end customers unable to access their funds for months — have focused both the OCC and Federal Reserve on the governance and risk management standards they expect from banks that sponsor BaaS programmes. The message from regulators is unambiguous: the chartered bank is responsible for all activities conducted through its charter, including those conducted by its fintech partners. Responsibility cannot be contracted away.
The Regulatory Risk in BaaS
The OCC's 2021 guidance on bank-fintech relationships and the Federal Reserve's 2022 supervisory letter on novel bank-fintech relationships both identify the same core concerns. First, that banks entering BaaS relationships often do not conduct adequate due diligence on their fintech partners, do not implement effective oversight of partner activity, and do not ensure that compliance obligations are being met across the combined programme. Second, that compliance systems — particularly AML monitoring and OFAC screening — are sometimes designed and operated by the fintech partner without sufficient bank oversight of their adequacy. Third, that the customer relationship data needed to perform compliance functions may be held by the fintech in systems the bank cannot directly access.
The Synapse failure illustrated the data ownership risk acutely. When Synapse ceased operations, the banks that had partnered with it could not independently reconstruct which customers held which balances because the ledger was maintained by Synapse in systems the banks had no direct access to. Customers suffered harm directly attributable to a data architecture decision made years earlier, when the partnership model was structured. Regulators have taken note and are requiring banks in BaaS relationships to demonstrate that they can reconstruct their compliance obligations independently of their fintech partners.
The OCC has been explicit: a bank cannot outsource its compliance obligations to a fintech partner. The bank must have its own view of the customer base, its own transaction monitoring programme operating on the full transaction data, and its own ability to assess compliance risk across the entire portfolio, even if the fintech is the customer-facing operator. Partner-operated compliance that the bank cannot directly observe or validate is not acceptable to the OCC under the current supervisory posture.
The Compliance Architecture That Satisfies Regulators
A defensible BaaS compliance architecture has three components. First, the bank must maintain a direct integration to the transaction data generated by the fintech programme, in real time, regardless of what the fintech partner does with that data. This integration does not need to be the bank's primary operational system, but the bank must be able to run its own AML monitoring and OFAC screening on the transaction data independently. Second, the bank must maintain the customer identity records — KYC data, beneficial ownership information — in systems it controls, or have contractual and technical mechanisms to access the fintech's records at any time. Third, the bank must have oversight mechanisms that allow it to identify and investigate anomalies in the fintech's compliance performance without relying on the fintech to self-report.
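The first and third components above, the bank's own real-time copy of the transaction feed and an oversight check that does not depend on partner self-reporting, can be illustrated with a bank-side shadow ledger. This is an added example, not code from any bank or fintech; the feed format, customer ids and reported balances are constructed, and the partner is assumed to deliver events at least once, so replays must be tolerated.

```python
"""Bank-side shadow ledger for a BaaS programme (hypothetical example).

The bank consumes the fintech's real-time transaction feed, rebuilds
per-customer balances itself, then reconciles them against the balances
the partner reports. A mismatch is an anomaly the bank can investigate
without waiting for the partner to self-report it.
"""
from collections import defaultdict
from decimal import Decimal

# Constructed sample of the partner's transaction feed (not real data).
# Each event: (event_id, customer_id, kind, amount)
TRANSACTION_FEED = [
    ("evt-1", "cust-A", "credit", "100.00"),
    ("evt-2", "cust-B", "credit", "250.00"),
    ("evt-3", "cust-A", "debit", "40.00"),
    ("evt-4", "cust-B", "debit", "25.50"),
    ("evt-3", "cust-A", "debit", "40.00"),  # duplicate delivery of evt-3
]

# Constructed balances as reported by the fintech partner for the same period.
PARTNER_REPORTED = {"cust-A": "60.00", "cust-B": "200.00"}


def rebuild_balances(feed):
    """Reconstruct balances from the raw feed, de-duplicating by event id."""
    seen = set()
    balances = defaultdict(Decimal)
    for event_id, customer_id, kind, amount in feed:
        if event_id in seen:  # at-least-once delivery: ignore replayed events
            continue
        seen.add(event_id)
        amt = Decimal(amount)
        balances[customer_id] += amt if kind == "credit" else -amt
    return dict(balances)


def reconcile(bank_view, partner_view):
    """Return customers whose bank-rebuilt and partner-reported balances differ."""
    discrepancies = {}
    for customer in set(bank_view) | set(partner_view):
        bank = bank_view.get(customer, Decimal("0"))
        partner = Decimal(partner_view.get(customer, "0"))
        if bank != partner:
            discrepancies[customer] = {"bank": bank, "partner": partner}
    return discrepancies


if __name__ == "__main__":
    print(reconcile(rebuild_balances(TRANSACTION_FEED), PARTNER_REPORTED))
```

In the constructed data the replayed event is dropped, cust-A reconciles, and cust-B surfaces as a discrepancy the bank can raise with the partner.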
Partner Onboarding and Ongoing Oversight
The OCC and Federal Reserve both expect to see a formal partner risk management programme covering fintech onboarding, ongoing oversight, and exit management. Onboarding must include a due diligence assessment of the fintech's compliance programme, technology infrastructure, financial stability, and management team. Ongoing oversight must include periodic re-assessment, compliance testing of the partner's controls, and performance metrics against defined standards. Exit management must include a plan for transitioning the programme off the fintech partner's infrastructure in an orderly manner — including customer communication and data migration — in the event the partnership ends. The Synapse failure has made exit planning a specific examination focus.
Programme Concentration Risk
Banks that have grown BaaS programmes to the point where fintech-originated deposits represent a significant portion of their funding base have created a new dimension of risk that the FDIC flagged in its 2023 guidance: concentration risk in non-operating deposits. Brokered deposit rules may apply to fintech-originated customer deposits, affecting the bank's ability to use those deposits for lending and its obligations to maintain a well-capitalised status. The legal analysis of whether fintech-originated BaaS deposits are brokered deposits has produced significant regulatory ambiguity, and the prudent approach is to obtain legal counsel specific to each partnership structure before assuming the deposit treatment.