Risk management redefined

Developing successful BaaS partnerships to limit financial crimes risk

What is Banking as a Service?

Banking as a Service (“BaaS”)1 is a business model in which sponsoring banks2 and platforms3 establish partnerships through a BaaS provider4 so that platform customers, such as merchants or individuals, can access various bank products or services through a streamlined user experience5. Consumer preferences have shifted toward conducting business online rather than in person. Additionally, platforms can customize product offerings based on customer behaviors and perceived needs, which the emergence of artificial intelligence has made possible. Both trends have contributed to an explosion of BaaS partnerships over the past few years. BaaS partnerships allow non-bank businesses, such as tech firms, fintech companies, or retailers, to offer financial services without acquiring a banking license, while at the same time providing additional revenue opportunities for the sponsoring banks. In a typical BaaS model, as shown in Figure 1, a sponsoring bank holds the licenses required to offer various financial services, such as providing loans, issuing cards, managing deposits, and acquiring merchants. As a regulated financial institution under the Bank Secrecy Act, the sponsoring bank is responsible for abiding by all Anti-Money Laundering (“AML”) and sanctions regulations. The BaaS provider performs several roles including, but not limited to, matching sponsoring banks to platforms, supporting relationships with technology such as Application Programming Interfaces (“APIs”)6, and offering program management services, such as AML functions and other compliance services. Through this BaaS relationship, the platform leverages the license held by the sponsoring bank to offer financial products and services to its customers through one integrated platform without the need for its own bank charter, thereby benefiting from the established infrastructure and regulatory framework of the sponsoring bank.

Figure 1

Typical BaaS Model

Sponsoring Bank, BaaS Provider, & Platform

01. Sponsoring Banks

  • Provides necessary licensing and regulatory approval through their charter.
  • Executes instructions received from the BaaS non-bank through the provider.

02. BaaS Provider

  • Facilitates the relationship matching of BaaS banks and BaaS non-banks.
  • Provides support of the BaaS relationship through their technology services (e.g., APIs, ledgers, payment processing, etc.) to help the sponsoring bank and platform communicate and integrate.
  • Provides project management services, as requested.
  • Develops the API that connects the sponsoring bank and platform by integrating banking.
  • Transfers instructions via the API from the BaaS platform to their sponsoring bank.

03. Platform

  • Offers products and services to their customers.
  • Maintains a frontend or user interface (“UI”) that allows their customers to interact with the financial products (e.g., bank accounts, cards, loans, etc.).
  • Passes instructions to their sponsoring bank through the BaaS provider when there are interactions with the financial products.

Simplification of the symbiotic partnership

No doubt, BaaS partnerships offer many advantages for all parties engaged in these relationships. Benefits to the sponsoring bank include pipelines of new customers or entry into new geographic markets, scalability of operations, growth of bank deposits, and an increase in revenue. For the BaaS provider, the entire business model is driven by providing various services as the intermediary. Platforms benefit from the partnership as they can grow through new product and service offerings, accelerate time to market for new products and services, expand their user/customer base, increase revenue, and reduce overhead costs because they do not carry extensive regulatory obligations.

However, there are risk considerations that all parties should carefully assess prior to entering a BaaS partnership. From a regulatory perspective, a sponsoring bank outsourcing Bank Secrecy Act (“BSA”)/AML functions to a BaaS provider faces heightened risk of potential non-compliance with applicable laws and regulations, and potentially increased costs driven by the need to dedicate resources to compliance oversight, including but not limited to due diligence and ongoing monitoring and testing of AML-related processes executed by third-party providers. Sponsoring banks run the risk of developing unsustainable operating models and face regulatory and reputational exposure through the facilitation of these partnerships. In the case of the platforms, the ease, speed, and agility that clients or users expect may be negatively impacted as the platform strives to comply with onboarding and compliance requirements set forth by regulations and enforced by sponsoring banks. AML-related compliance costs are also a factor for platforms to consider.

A rise in regulatory scrutiny surrounding BaaS partnerships

As previously outlined, one of the risks of a BaaS partnership is the increased regulatory risk and scrutiny that sponsoring banks may face. During 2023, only three percent (3%)7 of banks engaged in BaaS relationships; however, these banks made up 13.5% of all severe8 regulatory enforcement actions during that same year9. S&P Global noted there was an increase in BaaS partnerships10, which has led to heightened regulatory scrutiny at a seemingly disproportionate rate. Moreover, the statistics could understate the number of regulatory concerns, as there may be sponsoring banks operating under Matters Requiring Immediate Attention (“MRIA”) and Matters Requiring Attention (“MRA”) related to BaaS relationships that are not part of publicly disclosed enforcement actions. When platforms or providers perform tasks other than Know Your Customer (“KYC”) collection, the regulatory risk may increase. But why is this?

US Banks that Received Regulatory Enforcements in 2023

Financial institutions have the responsibility to comply with AML and sanctions laws and regulations, including but not limited to requirements around collecting and monitoring KYC information, performing transaction monitoring (“TM”) to identify potentially suspicious activity, filing Currency Transaction Reports (“CTRs”) and Suspicious Activity Reports (“SARs”), performing sanctions screening for both customers and transactions, and many additional requirements. While the AML and sanctions compliance responsibilities may fall on the sponsoring bank, the sponsoring bank may not have the necessary data or rights under the partnership to effectively monitor and oversee the various functions outsourced in BaaS relationships. Additionally, sponsoring banks tend to be small, community banks, which may not have the resources (e.g., an inadequate number of full-time employees, an inappropriate level of expertise, obsolete or inapplicable technology, etc.) to manage the risk. BaaS partnerships have the potential to vastly expand the sponsoring bank’s client base and business volumes, seemingly overnight. The AML risks, of course, could see a commensurate rise. As such, the sponsoring bank may need to rely on the platform or BaaS provider (depending on the delegation of roles) to execute AML-related compliance functions, which may raise the risk of non-compliance. The platform or BaaS provider may not provide an adequate amount of risk oversight (e.g., regular reporting of key risk indicators, issue management updates, etc.), may not have the level of expertise necessary to identify regulatory risks, and may not share the sponsoring bank’s risk tolerance. Further, the roles and requirements of the different players in BaaS relationships can be unclear, leading to potential breaches of regulatory compliance. For example, the onboarding practices at Sutton Bank’s BaaS partners led to a Federal Deposit Insurance Corp. (“FDIC”) consent order11. The consent order required the bank to ensure compliance with Customer Identification Program (“CIP”) regulations by requiring “Prepaid Third-Party Program Managers” to collect the full first name of customers at account opening, test for compliance during the CIP testing process, develop procedures for identity verification, and conduct a lookback review of prepaid card customers onboarded during the past four (4) years. When regulators identify compliance shortcomings, such as a lack of oversight resulting in non-compliance with BSA/AML requirements, the sponsoring bank bears the responsibility as the regulated financial institution.

Banks involved in BaaS partnerships will often face regulatory scrutiny due to AML compliance oversight and other third-party risk management issues at their BaaS provider or platform partner12. For example, an FDIC consent order issued to Blue Ridge Bank, N.A.13 highlighted several control violations and issues in its BaaS operations. The key issues identified included:

  1. Inadequate Monitoring of Suspicious Activity: The bank failed to effectively monitor high-risk customer activity involving third-party fintech partners. This lack of oversight led to non-compliance with BSA/AML requirements.
  2. Deficiencies in Third-Party Relationship Management: The bank's management of third-party relationships was found to be lacking. This included insufficient risk assessments, inadequate oversight, and failure to ensure compliance with regulatory requirements.
  3. Inadequate Staffing and Resources: The bank was required to hire additional AML compliance officers and ensure appropriate staffing levels to manage the increased risk associated with their BaaS partnerships.
  4. Enhanced Risk Management Program: The consent order mandated the implementation of an enhanced risk management program overseen by the bank’s board of directors. This included hiring a third party to assess risk management, increasing capital levels, and developing contingency plans for the termination of certain BaaS partnerships.
  5. Violations of Regulation E and DD: The consent order cited specific violations of Regulation E (Electronic Fund Transfers) and Regulation DD (Truth in Savings Act). These violations indicated a failure to provide accurate and clear information to customers regarding their accounts and transactions.

In other instances, insufficient due diligence practices have resulted in several sponsoring banks not sufficiently addressing AML requirements and regulatory expectations, exposing them to regulatory actions and significant fines.

Effectively managing financial crimes risk in a BaaS relationship

Prior to engaging in a BaaS relationship, the chief compliance officer (“CCO”) of the bank, along with senior management, at a minimum, should be involved in understanding the provider's and platform’s services and customers, and the impact that entering into a BaaS relationship will have on the bank's risk profile and its BSA/AML compliance and third-party risk management functions. In most cases, the platform’s customers become the sponsoring bank’s customers, so it is crucial for the sponsoring bank to understand the magnitude of risk presented by the platform and consider the nature of controls that may need to be implemented or enhanced to mitigate such risks. Thus, sponsoring banks should consider which roles, responsibilities, and risk mitigation control functions are outsourced to the BaaS provider or platform, and the additional contract terms that are critical to establishing the roles and responsibilities of the parties. To reduce risk exposure, sponsoring banks may consider limiting the outsourcing of essential responsibilities; for instance, AML and sanctions compliance related functions. Even functions such as record retention can lead to regulatory issues if not supported by clearly defined contractual obligations. The more roles that are outsourced to the BaaS provider or platform, the less control the sponsoring bank has over compliance related functions, driving a need for increased oversight, which may prove challenging in outsourcing arrangements. Additionally, BaaS providers and platforms may not have employees with the requisite BSA/AML subject matter experience, which further increases the risk of non-compliance with regulatory requirements and expectations. Sponsoring banks should also require a risk assessment of both providers and platforms before entering into a BaaS partnership. Moreover, a sponsoring bank will need to know how to incorporate all the risks presented by the BaaS relationship into its own AML and sanctions risk assessment and customer risk rating model. A risk assessment should be a regular exercise for BaaS partnerships to promote due diligence, and should focus on identifying key risks, assessing control gaps, and implementing risk mitigation measures. BaaS providers typically do not want to undertake risk assessments due to the associated costs and resource constraints, so it would behoove sponsoring banks to include risk assessments in contractual negotiations. Required risk assessments would improve identification of risks, understanding of control deficiencies, and oversight of issue management, all from the onset of the BaaS relationship.

Throughout the lifecycle of the BaaS relationship, the sponsoring bank should contractually require information sharing between the sponsoring bank, platform, and BaaS partner to ensure the sponsoring bank’s Board of Directors (“BoD”) regularly receives risk updates from the BaaS partners. It is essential for sponsoring banks to oversee risks. Additionally, they must report key performance and risk indicators to the bank's oversight function and senior management. Effective reporting includes trend analysis that highlights significant risks and the necessary risk mitigation efforts, which many sponsoring banks may not currently be managing adequately. Regular information sharing can assist in mitigating risks by increasing the visibility sponsoring banks have into the platform and promoting potential issue identification, remediation, and validation. Additionally, sponsoring banks should stipulate that the BaaS provider has ongoing independent testing of outsourced AML and sanctions functions performed by qualified independent third parties. Independent tests should occur throughout the course of the relationship to identify vulnerabilities, prevent financial crimes, and mitigate concerns early, and the results should be available to the sponsoring bank. Of course, all of these obligations of the sponsor and platform, as well as the bank, should be clearly established by the terms of the contract.

BaaS partnerships offer significant advantages such as improved service offerings for merchants and individuals, a more streamlined user experience, and revenue growth. However, there are risks inherent in BaaS partnerships. Acting Comptroller of the Currency Michael Hsu stated that BaaS relationships can “create and distribute risk in unclear ways – with the public unwittingly expecting banks and bank regulators to cover problems no matter where they occur in the chain”14. To promote management of AML-related risks, it is important to define clear roles and responsibilities, receive regular BoD reporting, and review risk assessments and independent testing reports. By partnering with reputable BaaS providers and effectively managing AML risks, banks can leverage BaaS partnerships to drive innovation, promote growth, increase revenue streams, and maintain the compliance standards that banking regulators demand.

Footnotes

  1. In the financial services industry, BaaS relationships are often referred to as bank-nonbank relationships.
  2. Sponsoring banks are often referred to as BaaS banks, partner banks, and financial institutions.
  3. Platforms are often referred to as fintechs, payments subsidiaries of technology companies, non-bank businesses, and third parties.
  4. BaaS providers are often referred to as pure BaaS providers, intermediaries, middlemen, or middleware firms.
  5. A BaaS relationship can also exist where there is no separate BaaS provider. For example, the sponsoring bank is one entity, and the other entity serves as both the provider and the platform. In another example, there could be no BaaS provider, and the sponsoring bank instead uses its own infrastructure to integrate with the platform.
  6. APIs are software code that defines rules or protocols enabling software applications to access data and functionality.
  7. Source: S&P Global Market Intelligence, “Small group of banking-as-a-service banks log big number of enforcement actions,” Thomas Mason and Yizhu Wang (January 2024).
  8. S&P defined severe enforcement actions as prompt corrective action directives, cease and desist orders, consent orders, and formal agreements that were made public by federal regulatory agencies, including actions that were later terminated, between January 1, 2020, and December 31, 2023.
  9. Source: S&P Global Market Intelligence, “Small group of banking-as-a-service banks log big number of enforcement actions,” Thomas Mason and Yizhu Wang (January 2024).
  10. Source: S&P Global Market Intelligence, “Small group of banking-as-a-service banks log big number of enforcement actions,” Thomas Mason and Yizhu Wang (January 2024).
  11. Source: FDIC, “Consent Order: In the Matter of Sutton Bank, Federal Deposit Insurance Corporation” (February 1, 2024).
  12. Other compliance concerns that arise from BaaS partnerships include data privacy and security, where failures can lead to breaches of customer information and violations of privacy regulations.
  13. Source: OCC, “Consent Order: In the Matter of Blue Ridge Bank, N.A., United States of America Department of the Treasury, Office of the Comptroller of the Currency” (January 24, 2024).
  14. Source: OCC, “Size, Complexity, and Polarization in Banking” (July 17, 2024).
