
Managing Banking as a Service (BaaS) Third-Party Risk

  • danielle93624
  • Jul 16

Updated: Aug 12

Part 1 of 3



The rapid growth of BaaS leaves compliance and operations teams at a disadvantage, resulting in massive regulatory fines.


This blog post is the first in a three-part series, examining the rise of Banking as a Service (BaaS), the regulatory actions targeting sponsor banks providing those services to fintech clients, and how technology can strengthen the capabilities of the compliance teams at those sponsor banks in evaluating risk and regulatory compliance.

 

The last few years have seen remarkable growth for sponsor banks in the United States. The number of Banking as a Service (BaaS) sponsor banks has grown from 102 in 2022 to 149 by the end of Q1 2025. That figure represents an increase of 50% over that 3-year period. Those 149 institutions provide BaaS services to support 690 fintech brands within the US, with one third of those fintechs having relationships with more than one sponsor bank.

 

But that expansion has challenged regulators and compliance teams alike. The rapid growth, without a clear regulatory framework, has left banks’ compliance and risk operations teams at a disadvantage. While accounting for only 2% of all banks nationally, these sponsor banks accounted for 13.5% of all severe enforcement actions in 2023. Regulators are concerned about an unchecked increase in services by these sponsor banks to their fintech clients, who use the banks to provide payments, depository accounts, and other financial services to their end-customers. At the same time, sponsor banks are struggling to meet prior guidelines regarding banks and third-party fintech clients that they felt weren’t clear, leading to those actions and fines.

 

As a result, the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) issued a joint statement in July 2024 detailing the nature of their concern: they have “…observed an evolution and expansion of these arrangements to include more complex arrangements that involve the reliance on third-parties to deliver deposit products and services…”, and they provided examples of the elevated risk in having third-party fintech clients perform the compliance function tied to these services. This “double-whammy” of a marked increase in BaaS offerings by fintech clients, combined with reliance on those same fintech clients to perform the required compliance oversight tied to those services, is at the heart of the regulators’ concern. The joint statement went on to say that “…regardless of whether the functions are shared between the bank and the third-party, the bank remains responsible for failure to comply with applicable requirements.” Moving forward, the regulators want sponsor banks to have well-documented visibility into the compliance programs of their fintech clients, assuring that the appropriate policies and risk management are being followed.

 

Here is a sampling of actions that regulators have taken recently against sponsor banks offering these services to third-parties: 


Cross River Bank, March 2023 

Metropolitan Commercial Bank, October 2023 

Vast Bank, October 2023 

B2 Bank, November 2023 

Piermont Bank, February 2024  

BlueRidge Bank, January 2024 

Quaint Oak, May 2025 

Hatch Bank, May 2025 


BaaS Sponsor Bank growth and regulatory actions since 2022

These actions listed outstanding issues such as deficiencies in third-party risk management, customer identification, Bank Secrecy Act (BSA) compliance, and oversight of fintech partnerships in general.  Further, orders have included mandates that the bank(s) develop third-party risk management programs which include independent testing of those programs. 

 

BaaS products often represent a higher burden of risk management for their sponsor bank providers. Regulators have cracked down on these products heavily, especially where they sponsor credit for third parties. Sponsor banks have often run into issues with KYC and AML risk management when they delegate those responsibilities to their fintech third-party partners, who may not uphold the same standards as their bank. Maintaining such standards represents a significant challenge for BaaS providers: first, it is difficult to enforce good practices across their third-party partner portfolio; second, there isn’t enough visibility into the compliance function of those third-party clients. Last but not least, BaaS offerings evolve quickly; regulators have noted that risk management efforts by those banks have not matched the swift pace of evolution.

 

To reconcile this, regulatory agencies have increasingly turned towards recommending the use of independent providers to assist in determining third-party risk, as can be seen in both the Cross River Bank and Metropolitan Commercial Bank consent orders. In both remediation recommendations, they mandate engagement with an independent assessor. This independent entity would be tasked with helping evaluate the risks associated with AML obligations as they relate to BaaS functions, as well as ensuring that financial products developed by other third parties are compliant.

 

The FDIC has also ordered financial institutions to create comprehensive plans for future development of financial products and report those plans for review. This recommendation was included in consent orders issued to Vast Bank and Piermont Bank, among others, and is intended to allow regulatory agencies to spot red flags. Bank compliance teams should design these plans to align with risk management standards consistent with those upheld by those independent arbiters. Logically, these same arbiters should be involved in the creation of these plans to ensure their efficacy and accordance with regulatory guidelines.

 

In parts two and three of this series, we will review how compliance teams at sponsor banks are currently engaging with their third-party fintech clients, and how technology can be applied to provide better transparency in assessing the compliance and risk management operations of those fintechs.


© 2024 by Yanez Compliance Inc. All Rights Reserved
