OCC Takes a Closer Look at BaaS Compliance

Updated: Sep 23, 2022

What exactly is “banking-as-a-service” (commonly referred to as BaaS)? Simply put, BaaS is a type of partnership between a traditional financial institution and a fintech or other non-bank innovator designed to sell financial products and services. With BaaS partnerships, companies can offer financial products and services without undertaking the onerous process of actually becoming a bank.

For banks and credit unions, especially smaller community-based FIs, BaaS is a way to generate revenue and to continue to operate independently. It’s no secret that consolidation among community FIs has run rampant, with many financial institutions gobbled up by mergers.

According to the Office of the Comptroller of the Currency (OCC), BaaS relationships are primarily with community banks that have total assets below $10 billion. What’s more, nearly 20 percent of BaaS partnerships are with banks that have under $1 billion in assets[1].

BaaS can be an enormous source of revenue and a boon for innovation, but it can also go badly wrong. Critics sometimes deride BaaS as a rent-a-bank scheme designed to circumvent official channels and oversight. Regardless of concerns, the BaaS market is poised to reach almost $2.3 billion by 2028, with a compound annual growth rate of 26.3% over the next several years, according to Verified Market Research[2].

Regulators Take a Closer Look

When it comes to BaaS and compliance, the responsibilities are clear. It is the licensed bank or credit union that is responsible for the actions of the service provider. In BSA/AML (Bank Secrecy Act/Anti-Money Laundering) alone, this includes Know-Your-Customer (KYC) during onboarding, handling customer complaints, and maintaining an accurate risk profile.

Fintech Business Weekly points out that regulatory guidance was written for an era when vendors were service providers to the bank, not the BaaS model, where the dynamic is reversed: “In the Banking-as-a-Service model…. Banks are, essentially, service providers to BaaS platforms’ customers and to fintechs.” The article continues: “This entails different kinds of risks to the banks involved and necessitates developing new approaches to monitoring and mitigating those risks.”[3]

The OCC’s recent enforcement action[4] with a community bank actively banking BaaS companies sheds some light on how future regulation might take shape. Here, the OCC is, among other things, requiring the bank to craft and oversee a more robust suspicious activity reporting program and to shore up its unsound practices around BSA/AML management. The OCC enforcement action serves as a roadmap for what BaaS providers might view as best practices.

How Banking Compliance Tools Can Help

No question, compliance within BaaS relationships can be quite tricky to navigate. At the same time as fintechs are pushing the boundaries of what exists within the financial landscape, partners like RiskScout are innovating to make sure that traditional and less traditional community banks and credit unions have the tools to meet their compliance and operational needs, including banking fintech and BaaS relationships.

For community banks or credit unions seeking to enter the lucrative BaaS space, RiskScout can help understand the opportunities (and potential pitfalls) involved. To learn more about banking fintechs and BaaS relationships, watch our webinar What Bankers Need to Know About Fintech Compliance and contact us at





