Compliance and risk management in BaaS partnerships: considerations for banks and fintechs

Friday 10 March 2023 09:25 CET | Editor: Oana Ifrim | Voice of the industry

This article provides insights for banks and fintech seeking to navigate the evolving Banking-as-a-Service landscape and partnerships while ensuring compliance with regulatory requirements.


While this article covers only some aspects related to BaaS (Banking-as-a-Service) partnerships, we know there's much more to discuss. That's why we have an exciting announcement to make. Our first edition of the Embedded Finance and BaaS report will be released in June 2023. The report will cover expert opinions and interviews from diverse participants, including banks, BaaS providers, fintechs, consultants, and associations. It will analyse industry trends, data, and real-world examples to offer readers a complete picture of the landscape and help identify emerging trends and opportunities. Stay tuned for our Embedded Finance report!


As the banking industry continues to shift towards Banking-as-a-Service (BaaS) partnerships with fintechs, compliance and oversight are becoming increasingly important. Regulators are monitoring these partnerships closely to ensure they are sustainable and compliant with regulations. 

The Consumer Financial Protection Bureau dusted off its regulatory authority to crack down on non-bank entities - including neobanks and consumer fintechs - just last year. Meanwhile, the Office of the Comptroller of the Currency is pushing for tighter oversight of the bank-fintech relationship as the distinction between banks and fintechs continues to blur. This emphasises the importance of risk management and compliance for fintechs and banks.

It is crucial for banks, fintechs, and other businesses interested in BaaS arrangements to prioritise compliance and risk management to reduce risks and gain a competitive edge in the market. Regulators expect banks, fintechs, and BaaS providers to have robust compliance controls in place to avoid risks and regulatory scrutiny, especially when marketing financial products and services to consumers. To manage compliance and risk effectively, companies need to continuously monitor marketing communications across all channels and have the ability to approve content across all partners.

Having a proactive approach to compliance monitoring is critical for banks, fintechs, and BaaS providers to mitigate risks as they partner with more fintechs. Fintechs can use compliance data to show potential partners that they are proactive in compliance and won't pose any risk to their business. BaaS providers can take the compliance burdens off their partners and offer themselves as ideal partners by having their own programs in place.


Banking-as-a-Service (BaaS) is a growing trend that allows fintechs to access a bank's infrastructure, regulatory expertise, and chartered capabilities. Banks benefit from increased revenue and improved customer engagement, while fintechs can develop innovative products and reach underserved communities. However, banks must assume ultimate accountability for their partner's compliance and risk management, including any fines or penalties levied by regulators in the event of non-compliant activity.

To avoid negative consequences resulting from a non-compliant partner, banks should build BaaS partnerships with risk and compliance in mind. Banks should establish a detailed overview of responsibilities covering all aspects of risk management and compliance, review product roadmaps and technology plans, engage with regulators, and automate compliance workflows.

Before embarking on a BaaS program, banks must consider various business and legal considerations. The involvement of the board and senior management is crucial to evaluate whether the bank has the necessary infrastructure to support BaaS. Banks should also have proper policies and procedures in place, regularly tested to ensure they are followed. Banks should perform comprehensive due diligence on fintech clients offering BaaS and have a strong program management agreement properly vetted by legal counsel to govern the BaaS relationship.

Banks must consider whether they are prepared for increased BSA/AML activity involving BaaS and whether the fintech client has adequate BSA/AML controls. Effective communication with the fintech client is essential to avoid adverse reputational and regulatory consequences. Finally, having a plan for deconversion, transition, and assessment of costs is equally important, both to prepare for regulatory examinations and in case a particular fintech client is not working out or has not successfully scaled up.

BaaS can be a lucrative and innovative business opportunity for banks. Still, it is essential to consider the abovementioned business and legal considerations to ensure a successful BaaS program. By evaluating these considerations, banks can confidently offer BaaS from a risk and operational perspective.


While compliance for BaaS can seem like a daunting task, it's not only achievable but absolutely necessary for the survival of fintechs and BaaS as a product.

Banks and fintechs should work together to ensure compliance with regulations in the world of BaaS. Fintechs can bring innovation and agility to the table, which can be crucial in addressing regulatory challenges. With regulators taking a closer look at the fintech industry, it's more important than ever for banks and fintechs to collaborate to create a compliant BaaS ecosystem that avoids penalties and mitigates regulatory risks. In short, it's imperative that banks and fintechs partner up to maintain compliance in BaaS, leading to a more robust and resilient financial ecosystem.

Regulatory compliance is crucial in the fast-paced world of financial technology. From onboarding customers to monitoring transactions, fintech companies must navigate a complex landscape of regulations to avoid fines and reputational damage. One key aspect of compliance is the KYC process, which helps prevent financial crimes. But compliance isn't just about KYC - it also involves payment screening and transaction monitoring, among other things. Even a single violation of regulations can result in hefty penalties, making it essential for fintech companies to invest in robust compliance processes and tools. While compliance can be complex, it's necessary to maintain trust and confidence among customers and stakeholders. Fintech companies must stay up-to-date with regulatory changes and invest in compliance technology to streamline their processes and reduce the risk of violations. By doing so, they can maintain a competitive edge and avoid the consequences of non-compliance, including losing regulatory licenses, business shutdowns, and even imprisonment for directors.

The role of BaaS providers

Fintech compliance is a crucial aspect that must be considered when developing financial tools, whether for dynamic startups or established enterprise companies. However, navigating regulatory compliance can be a challenging task, and the consequences of falling short can be severe. Although in-house compliance teams can be expensive and time-consuming, partnering with the right BaaS provider can provide a streamlined solution.

When selecting a BaaS provider, it's crucial to consider their compliance level and the specific services they offer. Some providers may only offer the bare minimum when it comes to compliance, while others take on extensive ongoing tasks such as risk management and fraud protection. One of the key responsibilities of BaaS providers is to perform Customer Due Diligence (CDD) on their customers, which involves identifying and verifying customer identity, assessing the risk associated with the customer, and monitoring their transactions. BaaS providers are also required to report any suspected money laundering activities to relevant authorities and maintain records of all transactions and customer information for a specified period.

Other BaaS providers offer a range of tools and resources to help fintechs manage compliance internally and establish direct relationships with banks for a more comprehensive approach. These providers offer a comprehensive compliance framework, guiding fintechs through all critical aspects of regulatory compliance, including risk assessment, due diligence, customer communications, and BSA/AML compliance guidance.

Collaborating with such providers empowers fintech companies to connect with the most reputable and rigorous vendors in the compliance industry. This not only offers them the flexibility to select their preferred partners but also enables them to adopt a compliance strategy that aligns with their specific needs and objectives.

Choosing the right BaaS provider is crucial for fintechs looking to navigate the constantly evolving landscape of regulatory compliance. By partnering with a BaaS provider that offers embedded compliance offerings and resources, fintechs can streamline their compliance processes and focus on growing their business. It's essential for fintechs to carefully evaluate and compare the compliance capabilities of various BaaS providers to ensure that they meet their unique needs and regulatory requirements.

The importance of independent compliance, vendor management, and risk

Fintechs should exercise caution when it comes to compliance, vendor management, and risk management claims made by BaaS vendors. Although BaaS platforms can be useful for data connection and introductions, they are not one-size-fits-all solutions for compliance management. 

Compliance management is a complex process that involves overseeing a range of activities, such as change management, cybersecurity, business resiliency, and complaint management. For fintechs working with financial institutions, it's essential to have an effective compliance management system (CMS) in place, and financial institutions expect their fintech partners to have their own CMS and regularly report on compliance efforts. Fintechs should not rely solely on BaaS vendors for compliance management, as financial institutions are held legally responsible for their vendors' actions.

Similarly, vendor due diligence and risk assessments cannot be outsourced solely to BaaS platforms. Financial institutions will still want to perform their own assessments since they are ultimately responsible for managing vendor risks. While BaaS vendors can provide model risk assessments and advice on best practices, only a financial institution can make the final call on risk management, as risk is relative, and institutions have their own risk tolerance levels.

Therefore, fintechs should exercise caution when it comes to compliance, vendor management, and risk management claims made by BaaS vendors. They should not rely solely on BaaS vendors for these critical functions but instead have their own programs in place to become an attractive partner for financial institutions. By demonstrating a robust CMS and effective risk management practices, fintechs can build trust with financial institutions and secure long-term partnerships.

Areas for reflection by policymakers, regulators, and supervisors

BaaS and Embedded Finance are two significant trends in the rapidly changing world of finance. BaaS allows non-banks to manage customer relationships while banks operate in the back-end role of financial services. While this approach offers a wide range of financial products and services, it also poses challenges in regulatory compliance. Third-party risk management is a significant challenge that needs to be addressed, and clear rules are required to allocate liability and control third-party risk within new value chains. Coordination among financial regulators, competition authorities, and data protection authorities is necessary to ensure end-to-end oversight and information sharing on BaaS platforms.

BaaS and Embedded Finance models raise consumer protection concerns related to data privacy and protection. The use and sharing of financial and non-financial customer data between providers and clients can create privacy and data protection issues. Although these models offer underserved populations access to previously unavailable products, customers should control and be informed about how their data are used. Authorities should update data regulations to enable customers to exercise authority over portability, sharing, and use of their personal data.

In conclusion, BaaS and Embedded Finance offer significant benefits for businesses and consumers, but they also pose unique challenges. Policymakers, regulators, and supervisors should work together to update frameworks, allocate liability and control third-party risk, and ensure consumer privacy and data protection are addressed. Prioritising compliance can help banks, fintechs, and BaaS providers reduce risk and gain a competitive edge in the market.

About Oana Ifrim

Oana Ifrim is a Lead Editor at The Paypers. Her expertise lies in the areas of Banking and Fintech innovation, with a particular focus on Open Banking, Open Finance, Embedded Finance, and Banking-as-a-Service. She is responsible for managing content and conducting interviews with key experts in the abovementioned fields, representing The Paypers at various banking and fintech events, researching trends and producing content, and providing strategic planning and coordination for large-scale, industry-specific research, reports, and projects. If you wish to get in touch with Oana, she can be reached via email at oana@thepaypers.com or on LinkedIn.
