Advisory Service

BaaS Compliance Advisory for Fintechs

Banking-as-a-service is among the most heavily regulated fintech models operating today. OCC, FDIC, and Federal Reserve guidance issued since 2023 has imposed direct accountability on bank sponsors for the compliance programs of their fintech partners. This engagement builds or assesses the compliance infrastructure that lets your BaaS relationship survive examination.

Book a Discovery Call

The BaaS Compliance Landscape in 2026

The OCC's 2023 guidance on bank-fintech partnerships established that bank sponsors are accountable for the compliance failures of their fintech clients. Subsequent consent orders against Evolve Bank, Blue Ridge Bank, and others made clear that "we rely on our fintech partner to manage compliance" is not a defensible position. The result: bank sponsors have materially increased due diligence requirements for fintech partners, and the compliance bar for launching or sustaining a BaaS relationship has risen significantly.

Fintechs that built their compliance programs against 2020 or 2021 standards are often operating below what their bank sponsor now requires. This engagement closes that gap.

Current regulatory posture: OCC Interpretive Letter 1170, FDIC FIL-46-2023, and the Federal Reserve's guidance on novel banking activities have collectively established that bank sponsors must demonstrate active oversight of fintech partner compliance programs. Fintechs that cannot produce documentation of their compliance infrastructure create examination risk for their sponsors.

Compliance Pillars We Address

BSA/AML and KYC Program

Customer identification program (CIP) design, ongoing monitoring procedures, SAR filing protocols, and OFAC screening controls calibrated to your product's risk profile and customer base.

Consumer Protection and UDAAP

Product and marketing review for UDAAP exposure, Reg E compliance for deposit products, Reg Z for credit products, and complaint management procedures. Consumer protection is the most common BaaS examination finding area.

Third-Party Risk Management

TPRM documentation for your own vendor relationships, structured to meet OCC third-party risk management guidance standards. Bank sponsors review your vendor management as part of their TPRM examination response.

Compliance Program Documentation

Written policies and procedures, compliance calendar, board-level compliance reporting structure, and an annual compliance plan. The documentation a bank sponsor needs to demonstrate oversight of your program to examiners.

Program Manager Obligations

If you operate as a program manager between a bank sponsor and downstream fintech clients, this layer covers your contractual compliance obligations to both sides and the oversight framework you need for the programs you manage.

State Licensing Gap Analysis

Money transmitter licensing, lending license, and state regulatory registration analysis based on your product, geography, and transaction volume. BaaS structures do not always preempt state licensing requirements.

Who Is in the BaaS Compliance Stack

BaaS compliance involves at least three parties, and the obligations flow in both directions. Understanding who owns what is a prerequisite to building a defensible program.

Layer 1: Chartered Bank Sponsor
Layer 2: Program Manager / BaaS Middleware
Layer 3: Fintech Client / End Product

Each layer has distinct compliance obligations that are not fully transferred by contract. This engagement maps your position in the stack and builds the compliance program appropriate to your layer and product type.

Deliverables from This Engagement

  • BaaS compliance gap assessment against current OCC, FDIC, and Federal Reserve guidance
  • Written compliance program covering BSA/AML, KYC/CIP, UDAAP, and consumer protection
  • TPRM documentation for your vendor and partner relationships
  • State licensing analysis with exposure map and recommended path to compliance
  • Compliance calendar with regulatory deadlines, annual review obligations, and reporting cadence
  • Bank sponsor due diligence package: compliance policies, program summary, and compliance officer attestations
  • Complaint management procedure and regulatory escalation matrix

Build a BaaS Compliance Program That Survives Examination

Discovery call to scope the engagement against your specific bank sponsor, product type, and current compliance posture.

Scoped per engagement · Fixed fee · Written deliverables formatted for bank sponsor review