What FDIC Enforcement Actions Mean for Banking as a Service (BaaS)

Regulators are stretched thin. Federal agencies are working with fewer staff, evolving priorities, and changing market conditions — all of which impact the exam and review process across financial institutions (FIs).  

Despite these shifts, enforcement actions are on the rise for FIs working with fintech partners through Banking as a Service (BaaS) models. If your institution is offering BaaS or considering it, now's the time to take a hard look at your oversight practices. Here's what the latest actions tell us — and what you can do to protect your institution and customers from BaaS risk.  

Related: Financial Services Enforcement Action Tracker

What is Banking as a Service, and why is it under scrutiny?

Banking as a Service, or BaaS, refers to a relationship between a traditional financial institution and a technology-driven company offering products and services directly to consumers. One of the most common examples of BaaS in action is a bank (BaaS provider) working with a payment services provider to offer debit cards, bank accounts, and other products to new customers.    

These partnerships are beneficial for financial institutions for a few key reasons:  

• New revenue streams: In a typical BaaS relationship, a bank or credit union enables a non-bank financial tech (fintech) company to access its core systems and infrastructure through an application programming interface, or API, in exchange for a fee. The fintech then shares the interchange fees.
• Broader market reach: Through BaaS, community financial institutions can indirectly reach new customer segments — often younger, tech-savvy consumers — by powering fintech apps that already have large user bases. This strategic move expands their footprint beyond traditional markets or geographies.  
• Innovation without the uplift: FIs can reap the benefits of digital innovation without investment by enabling fintechs to build and iterate quickly. This lets institutions stay competitive in a fast-moving landscape without taking on the development and user experience responsibilities themselves.
• Improved customer experience: As financial services evolve, customers want a seamless journey from depositing funds in their banking accounts to spending them at a retailer. This competitive edge is part of many institutions’ strategies as larger FIs take up more market share.  

Unfortunately, as BaaS partnerships started to grow, they outpaced sound oversight practices. Weak vendor management and blurred lines of accountability introduced risks to consumers, prompting increased regulatory scrutiny that continues today. 

Related: Regulators Crank Up the Heat On BaaS Banking 

What did the FDIC find in recent enforcement actions?

BaaS enforcement actions aren’t new. In 2023, banks engaged in BaaS accounted for 13.5% of all “severe” enforcement actions. While the underlying risks haven’t changed, regulators have become more assertive — broadening their focus and taking more decisive action in response to emerging threats. 

BSA/AML risk

Regulators continue to emphasize that FIs are ultimately responsible for their fintech and middleware partners, especially when it comes to Bank Secrecy Act/anti-money laundering (BSA/AML), Know Your Customer (KYC), and consumer protection obligations.  

In previous years, enforcement often came in the form of non-public supervisory actions or early-stage warnings. In 2025, we’ve seen a marked shift toward more public and prescriptive consequences with the Federal Deposit Insurance Corporation’s (FDIC’s) enforcement actions:  

• A Pennsylvania Bank was cited for unsafe practices tied to BSA/AML and must implement a third-party risk management program with independent testing and look-back reviews.
• A California Bank was ordered to strengthen its BSA/AML controls related to third-party partnerships, including conducting periodic risk-based assessments. 

Weak compliance

Many BaaS providers are still grappling with compliance frameworks that haven’t kept pace with their rapid growth. Regulators continue to flag gaps in AML and KYC programs — particularly deficiencies in transaction monitoring, risk assessments, and suspicious activity reporting — that expose institutions to significant regulatory and operational risk. 

Middleware providers

The collapse of Synapse, a middleware provider that connected fintechs to FIs, has drawn more attention to middleware models as critical risk points. Customer assets remain frozen, and litigation is still pending — underscoring the long-term impact of a single third-party provider’s failures. 

BaaS providers should closely monitor their institutions’ dependence on middleware providers, particularly around fund flow transparency and operational resilience. FIs must take full responsibility for their relationships with middleware providers to ensure fund reconciliation and custodial risks are mitigated through proper recordkeeping, testing, and communications.  

Data breaches

Data breaches continue to make headlines. Earlier this year, an Arkansas BaaS Bank agreed to settle a $11.9 million lawsuit stemming from a 2024 data breach that exposed sensitive customer data, including bank account numbers, routing numbers, and other personally identifiable information (PII). 

Failing to protect consumer data is one of the most common mistakes FIs make when working with fintechs and other vendors. With hundreds of third-party relationships to manage (including BaaS relationships), FIs must ensure their due diligence processes are updated and followed and continue to monitor throughout the relationship — not just at the beginning. 

Related: Ghosted by a Vendor? Here’s How to Get Due Diligence Documents 

Governance and accountability 

A solid BaaS risk management strategy starts with governance — the internal systems that guide how an organization is managed and directed. Ensure your governance framework identifies all fintech partners, defines how each uses your institution’s charter, and documents responsibility for compliance.  

As regulators have emphasized in past guidance, your institution ultimately bears the responsibility for all vendor risk. That means your compliance teams must be prepared to monitor not only your institution’s customers, but also those onboarded through fintech partners, with visibility into how critical issues, such as BSA/AML and data security, are being managed. 

Effective oversight also requires strengthening third-party risk management across the relationship’s full lifecycle. This includes rigorous initial planning, due diligence, contractual negotiation, and ongoing monitoring. Regularly testing your partners’ controls and conducting independent audits are not optional — they are regulatory expectations.  

Ultimately, institutions must move beyond passive oversight and adopt a proactive, risk-based approach to manage BaaS relationships effectively.  

Related: High-Impact Risk Management: Key Strategies for Financial Institutions 

Here are more tips to keep in mind as you engage in BaaS relationships: 

• Evaluate partners effectively. Your institution has a regulatory obligation to mitigate risk, so ensure your BaaS meets all applicable regulatory requirements, including Regulation E compliance, information security, and consumer data protection.  
• Maintain a complete inventory of all fintechs using your charter and their service models. This list should be easily accessible and in a centralized location so all stakeholders can access it.  
• Document oversight responsibilities in contracts and internal policies. Remember, compliance can’t be delegated.  
• Embed BaaS-specific due diligence and monitoring criteria in your third-party risk management strategy (TPRM). Verify that your fintech partners obtain required disclosures and approvals from customers.
• Clearly define roles and responsibilities for onboarding, transaction monitoring, customer service, and compliance reporting. Designating these stakeholders ahead of time will enable better communication and help address any risks or issues more efficiently.  
• Conduct regular testing of the fintech controls, including audits and risk assessments. While a BaaS relationship can start strong, ongoing testing and monitoring can help you spot potential red flags.
• Equip your compliance team to manage customer risk and ensure they have access to partner data. Additional team training may be required to account for new risks and internal policies and procedures.
• Maximize your third-party risk management tools. TPRM solutions can help you manage vendors more efficiently, from centralizing vendor data to offering customizable risk assessments to evaluate and monitor compliance controls.   

Balancing the benefits and risks of BaaS relationships

Partnering with fintechs and other third-party providers to offer BaaS is a smart, strategic move for FIs that want to grow and stay competitive. Like any vendor relationship, however, the risks can outweigh the benefits if not effectively managed. As recent enforcement actions have emphasized, strong oversight and risk management practices are not just good practice — they’re critical to a strong compliance posture.  

Want more information on how to identify and assess potential fintech and BaaS partners? 

Download The Ultimate Guide to Fintech and Third-Party Vendor Onboarding for a deep dive into what you need to know.