Concept
BaaS (banking-as-a-service) is a model in which a licensed bank provides accounts, cards, and payments externally through an API, while a non-bank brand embeds them into its product. Essentially, this is white-label banking: for the customer it's an "account at a fintech," legally it's an account at the partner bank. This is one of the verticals of embedded finance.
The fintech builder does not obtain a banking license—in the US this takes 3–5 years and substantial capital. Instead, they rent access to someone else's license: they connect to a sponsor bank and build a product on top of its charter.
The partner bank is responsible to the regulator for end customers' funds and compliance; the fintech is responsible to the bank. Therefore, the bank treats the fintech as its primary risk and has the right to shut down the program at any time. A list of sponsors and warnings can be found in the US sponsor banks overview.
How It Works
Three roles. The sponsor bank holds the charter and FDIC insurance and is accountable to the regulator. The middleware/BaaS platform provides the API and part of the compliance operations. The fintech manages the product and acquires customers. The bank earns from interest on deposits, a share of interchange, and fees for regulatory access.
Customer funds are held at the partner bank, often in a pooled FBO (for-benefit-of) account. FDIC insurance works as pass-through: $250K per end depositor per bank—provided there is correct itemized recordkeeping; sweep networks across multiple banks raise the limit (at Mercury—up to $5M). The critical node is reconciliation: the picture of "whose money is in the account" must match between the bank and the platform at all times. This is the same safeguarding discipline as in correspondent banking.
The cost of failure was demonstrated by the collapse of middleware Synapse (April 2024): Synapse's ledgers diverged from the banks' records, approximately $200 million in customer funds was frozen, and the shortfall was estimated at $85–95 million. The funds were in pooled FBO accounts, and reconciliation relied on Synapse's own system.
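A minimal daily reconciliation check for the pooled FBO account described above, as an added example (not code from any bank or platform named here). The depositor ids, balances and the `reconcile` helper are constructed for illustration, and applying the $250K limit to the larger of the two recorded balances is an assumption.

```python
from dataclasses import dataclass, field

# Pass-through limit per end depositor per bank (figure from the text), in cents.
FDIC_LIMIT_CENTS = 250_000 * 100


@dataclass
class ReconReport:
    breaks: dict = field(default_factory=dict)      # depositor -> (ledger, bank record)
    over_limit: dict = field(default_factory=dict)  # depositor -> cents above the limit
    shortfall_cents: int = 0                        # customer claims minus cash in the FBO account

    @property
    def clean(self):
        return not self.breaks and self.shortfall_cents == 0


def reconcile(ledger, bank_items, fbo_balance_cents):
    """Compare the fintech's own sub-ledger with the bank's itemized records
    and with the cash balance of the pooled FBO account (integer cents)."""
    report = ReconReport()
    for dep in sorted(set(ledger) | set(bank_items)):
        ours, theirs = ledger.get(dep), bank_items.get(dep)
        if ours != theirs:  # missing on one side, or amounts differ
            report.breaks[dep] = (ours, theirs)
        # Assumption: test the larger recorded balance against the limit.
        held = max(ours or 0, theirs or 0)
        if held > FDIC_LIMIT_CENTS:
            report.over_limit[dep] = held - FDIC_LIMIT_CENTS
    # Positive value: customers are owed more than the pooled account holds.
    report.shortfall_cents = sum(ledger.values()) - fbo_balance_cents
    return report


# Constructed sample data: the fintech's ledger, the bank's itemized
# beneficiary records, and the bank's cash balance for the FBO account.
LEDGER = {"dep-001": 1_250_000, "dep-002": 30_000_000, "dep-003": 420_000}
BANK_ITEMS = {"dep-001": 1_250_000, "dep-002": 30_000_000,
              "dep-003": 390_000, "dep-004": 10_000}
FBO_BALANCE_CENTS = 31_650_000

if __name__ == "__main__":
    r = reconcile(LEDGER, BANK_ITEMS, FBO_BALANCE_CENTS)
    print("clean:", r.clean)
    print("breaks:", r.breaks)
    print("shortfall (cents):", r.shortfall_cents)
    print("above pass-through limit:", r.over_limit)
```

Running this from the fintech's own copy of the ledger, rather than from the middleware's view of it, is what keeps the check independent of the platform.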
What You Need to Launch
You don't need your own banking license. You need a sponsor bank and, typically, middleware or an issuer-processor (Unit, Treasury Prime, Synctera, Lithic, Marqeta—depending on the product). The partner bank conducts due diligence per interagency guidance and assigns the fintech to the highest risk tier.
What the bank will request during onboarding: audited financials and runway; business model sustainability; operational maturity—platform, staff, BCP/DR, track record; a complete set of BSA/AML, KYC/KYB, PCI-DSS, and PII handling policies. Without a fully staffed compliance function, don't bother showing up for onboarding.
| Parameter | Benchmark |
|---|---|
| Go-live via vendor | 3–12 weeks (vs. 3–5 years for your own license) |
| Classic integration | £100K–250K+ and 12–18 months |
| BaaS platform | $1K–25K per month |
| AML/KYC support | $10K–50K per year |
| Payment to bank | revenue share on interchange + access fee |
| Signal that it's time for your own license | ~500K active cards |
Compliance
The fintech bears operational compliance, which the bank is obligated to oversee. The basic set: all BSA pillars; CIP plus CDD/EDD; sanctions screening; transaction monitoring. The bank requires demonstrable control over end-customer onboarding—this is broader than formal CIP.
Supervision follows a cadence: compliance testing at least quarterly, financial review at least semi-annually, and a full review once a year. Weak third-party risk management is the main cause of enforcement actions: in 2024, consent orders were issued to Blue Ridge (OCC, BSA/AML, "troubled condition"), Evolve (Fed), Cross River, and First Fed.
How It's Done in the Market
Typical stack: partner bank + middleware + issuer-processor. Public example: Mercury (a fintech, not a bank) works with Choice Financial and Column N.A.; in March 2025, Mercury announced its departure from Evolve to Column and Choice. Profiles of sponsor banks and those to avoid (Evolve, Blue Ridge) are in the US sponsor banks overview; the card side is covered in the BIN sponsorship material.
What to look for when choosing. Economics: interchange share, access fees, minimum volumes. Concentration: a bank with dozens of fintech programs under regulatory pressure shuts them down in batches—it's worth diversifying partners. Data control: your access to the ledger and reconciliation must be independent of the middleware, or you'll repeat the Synapse scenario. Exit rights: pre-negotiate the transfer of the program and customer funds to another bank.
Applicable Regulation
There is no separate regime for BaaS: the bank remains under standard supervision (OCC/FDIC/Fed), and the relationship with the fintech is governed by the Interagency Guidance on Third-Party Relationships (2023). The FDIC is preparing a rule on custodial accounts (NPRM dated October 2, 2024, new Part 375) that would require itemized recordkeeping of beneficiaries and daily reconciliation; as of June 2026 it is a proposal, not finalized, and the comment period has closed. In parallel, supervision is being "rightsized" and some players are shifting from renting to a direct charter; see regulatory perimeter and rent-a-bank.
| Pros | Cons |
|---|---|
| Launch in weeks, without a banking license or capital | Responsibility and the "kill switch" are with the bank; the program can be shut down |
| Ready-made infrastructure for accounts, cards, and payments | A share of revenue goes to the bank and platform; economics squeeze with growth |
| FDIC pass-through for customer funds | Middleware and reconciliation risk (Synapse) |
| Access to interchange | Rising costs and supervisory burden on partners |
Q/A
Do you need your own banking license?
No, that's the point of the model: you operate under the partner bank's charter. Your own license in the US takes 3–5 years and significant capital; companies transition to it at large volumes.
Are customer funds insured?
Through FDIC pass-through at the partner bank level: $250K per end depositor per bank with correct itemized recordkeeping. The fintech itself is not insured; sweeps across multiple banks raise the limit.
What does the bank primarily check during onboarding?
Financial sustainability, operational maturity, and ready compliance (BSA/AML, KYC/KYB, PCI-DSS). It then monitors the program at least quarterly.
This material is prepared as an expert overview and does not constitute individual legal advice.