Castellum.AI


Best Practices: Compliance for Banking as a Service (BaaS)


The landscape of financial services is evolving rapidly, and Banking as a Service (BaaS) has emerged as a model offering flexibility and agility to both traditional financial institutions and innovative fintech companies.

However, an onslaught of regulatory fines, many of which prevent a bank from growing its deposit base until compliance matters are resolved, highlights that compliance needs to be the first, not the last, consideration for BaaS partnerships.

In this guide, we delve deep into the intricacies of compliance within BaaS, offering insights and best practices for all parties involved in a BaaS relationship.


What is Banking as a Service?

Banking as a Service (BaaS) is a financial services model enabling non-bank entities, like fintech companies, to offer financial products and services to their customers by accessing established financial institutions’ banking infrastructure. Uses range from account creation to payment processing and lending – all without building new infrastructure or applying for (and maintaining) costly and time-consuming banking licenses. 

Sponsor banks offering BaaS solutions to fintechs unlock a broader market. These otherwise inaccessible end-customers create new revenue streams for sponsor banks through deposits and for fintech partners through fees.

In a BaaS relationship, there are typically several parties involved:

  • Sponsor Banks: Established financial institutions, like banks or credit unions, offer banking infrastructure to third-party companies. BaaS providers supply payment rails, account management technologies, and regulatory frameworks necessary for fintech companies to offer financial products to end-users.

  • Middleware BaaS Companies: Technology companies that manage relationships between sponsor banks and fintechs, and that provide software layered on top of unwieldy and sometimes ancient core banking systems. They frequently bundle BaaS offerings to provide new solutions to fintechs and are a key part of the BaaS ecosystem.

  • Fintech Companies: Technology companies leveraging BaaS to offer financial products and services to customers. Fintech companies may specialize in various areas of finance, including payments, lending or personal finance management.

  • End Users: Customers of fintech companies who benefit from the banking products and services offered through BaaS. End users may include individuals, businesses, or other organizations that use fintech platforms to execute P2P or B2B payments, secure higher yields on their savings, execute international transactions or access credit.

  • Regulatory Authorities: Banking regulators at the federal and state level oversee BaaS relationships to ensure compliance with relevant laws and regulations. These authorities may set standards for risk management, customer due diligence and anti-money laundering (AML) measures to mitigate risks associated with BaaS.

Compliance Developments in the BaaS Space

Recent years have seen a marked increase in regulatory scrutiny of the BaaS sector, driven by concerns over compliance deficiencies and the potential for financial crime. The impact? Every single party to a BaaS partnership must have a comprehensive compliance program, and this obligation should be specified in every contract. Regulators will no longer accept after-the-fact claims that the other party should have been “doing the compliance.”

In 2023, an estimated 13.5% of severe enforcement actions in the US targeted banks providing BaaS services to fintechs, according to S&P. The buck may stop with regulated banks, but because sponsor banks are obliged to improve their compliance programs, downstream fintech partners will have to prove their own compliance to further offset regulatory risk.

Which regulators are involved in overseeing BaaS compliance?

Regulatory oversight of BaaS relationships falls under the purview of multiple banking regulators, including the FDIC, OCC, and FRB at the federal level, but also 50 state banking regulators, many of whom examine banks differently and sometimes fight each other over authority to examine a bank. Banks also sometimes work to switch regulators to find an easier path toward compliance, something called “regulatory arbitrage.”

The regulators also enforce laws and regulations published by the Financial Crimes Enforcement Network (FinCEN), Office of Foreign Assets Control (OFAC) and Securities and Exchange Commission (SEC), among others. These regulators enforce many laws and regulations, including anti-money laundering (AML) and know your customer (KYC) statutes.

Compliance Considerations for BaaS Partnerships

Sanctions Compliance Risks

BaaS providers and fintech companies must ensure compliance with sanctions imposed by regulatory authorities, such as the Office of Foreign Assets Control (OFAC) in the United States or the European Union's sanctions regime. Sanctions compliance involves transaction screening, i.e., automatically vetting transactions against lists of sanctioned individuals, entities, and countries to prevent prohibited activities, such as facilitating transactions with sanctioned parties or countries.

Know Your Customer (KYC) Compliance

KYC regulations require BaaS providers and fintech companies to verify the identity of their customers and assess the risk associated with their business relationships. Failure to perform adequate KYC checks can result in exposure to financial crime, such as fraud, identity theft, or money laundering. KYC compliance involves collecting and verifying customer identification documents, assessing the source of funds, and monitoring customer transactions for suspicious activity.

Read more about KYC Screening for Financial Services

Anti-Money Laundering (AML) Compliance Risks

AML regulations mandate BaaS providers and fintech companies to implement measures to detect and prevent money laundering activities. This includes transaction monitoring to identify and report suspicious transactions to relevant authorities (like FinCEN in the US) and implementing risk-based AML policies and procedures. Failure to comply with AML regulations can result in severe penalties, including fines, reputational damage and legal action.

Related Compliance Risks

In addition to sanctions, KYC, and AML compliance risks, BaaS relationships may also be subject to other regulatory requirements including consumer protection laws, data privacy regulations and cybersecurity standards. Compliance is essential to protect customers' interests, safeguard sensitive data and maintain the integrity of the BaaS ecosystem.



Best Practices for Compliance Screening in BaaS

BaaS providers must conduct thorough risk assessments, implement robust KYC onboarding processes, perform regular rescreening of customers, and maintain vigilant transaction monitoring systems. Fintech partners seeking BaaS solutions, meanwhile, must ensure compliance readiness by establishing AML and KYC screening processes and should maintain an open line of communication with their BaaS provider on compliance matters.

Risk Assessments

  • Conduct firm-wide risk assessments in line with regulatory recommendations (for example the Federal Financial Institutions Examination Council’s BSA manual) to identify and evaluate potential compliance risks associated with BaaS relationships or end-customers.

  • Assess the risk posed by customers, transactions, products, and geographies to prioritize compliance efforts effectively.

KYC/KYB Onboarding Screening

  • Implement robust KYC (Know Your Customer) and KYB (Know Your Business) procedures to verify the identity of customers and assess the risk associated with their business relationships.

  • Collect and verify customer identification documents, assess the source of funds, and conduct enhanced due diligence for high-risk customers.

Regular Rescreening

  • Regularly rescreen or monitor customers and transactions against sanctions lists, watchlists, and other relevant databases to detect changes in risk profiles.

  • Update customer information as needed and conduct periodic customer reviews to assess changes in risk profiles.

Transaction Screening

  • Screen all transactions conducted through BaaS relationships against sanctions lists, watchlists, and transaction monitoring systems.

  • Implement automated transaction screening tools to streamline compliance processes and enhance accuracy in identifying potentially suspicious transactions.

What to Look for in a BaaS Compliance Solution

Whether you are a licensed bank or a fintech implementing the compliance program required to access BaaS services, the critical components of a BaaS-ready compliance system are:

  • Accuracy: Reducing false positives minimizes unnecessary, manual compliance reviews and reduces overhead costs. This is important for sponsoring banks that are expanding their coverage to a vast network of new end-users as well as fintechs that are strapped for resources. Castellum.AI reduces false positives by up to 88% compared with legacy screening systems.

  • Coverage: Global coverage of relevant sanctions, beneficial ownership, adverse media, and other financial crime risk data is essential to comply with AML regulations. Regional banks and credit unions have used BaaS to expand their business, and compliance systems cannot simply rely on outdated screening services with limited coverage. Similarly, fintechs must adopt screening systems aligned with their risk profile.

  • Enriched Financial Crime Data: Financial crime risk data is published by government authorities in different languages, data formats and varying degrees of quality. An AML compliance screening system should standardize and enrich that data to improve accuracy and eliminate the risk of false negatives. Castellum.AI’s patented process automatically extracts and standardizes critical data like dates of birth, ID information, crypto addresses and more to ensure accurate screening.

  • Speed: Over 6,000 new sanctions were implemented in 2023 alone, and sanctions lists can be updated multiple times daily. Combined with the immediate nature of BaaS-enabled financial services, having an up-to-date screening solution ensures BaaS partners are kept abreast of the latest regulatory changes. At Castellum.AI, our financial crime risk data is updated every 5 minutes.

Schedule a demo with Castellum.AI to learn more about how our compliance screening system reduces false positives by 88% to automate customer onboarding and transaction screening.

