Banking-as-a-Service: The Hidden Risk of Letting Fintechs Rent Your Charter

After Synapse, Blue Ridge, and enforcement actions hitting nearly half of all BaaS programs, community banks need a clear-eyed view before signing.


The pitch was irresistible. Partner with a fintech, let them use your charter to issue cards or hold deposits, collect fee income, and grow without adding branches or staff. For community banks squeezed by narrow margins and hungry for non-interest income, Banking-as-a-Service looked like a gift.

Then Synapse filed for Chapter 11 in April 2024 and up to $85 million in customer funds went missing. Then Blue Ridge Bank — which had assembled a portfolio of 70 fintech partnerships — entered an OCC consent order, dismantled its entire BaaS program, and spent nearly two years clawing back to compliance. Then enforcement orders hit bank after bank: Evolve, Cross River, Choice Financial Group, Metropolitan Commercial Bank, Lineage Bank, Sutton Bank, Piermont Bank, Vast Bank.

The gift had a price no one had clearly disclosed.

This is not a case against BaaS. Done right, it’s a legitimate revenue strategy. Coastal Financial Corporation’s BaaS arm generated $25.6 million in program fee income in 2024 — up 57% from 2023 — and the bank has operated its program with relatively clean regulatory standing. But done wrong — or entered into without understanding the real risk framework — BaaS can cost more in regulatory remediation, legal fees, and management distraction than it ever earned.

Here is what the risk picture actually looks like.

Why BaaS Looked So Attractive

Community banks have always faced a structural challenge: local, relationship-driven institutions competing for deposits and customers against firms with technology budgets ten times their size. BaaS offered a way out of that trap.

The model works like this. A fintech company builds a consumer-facing product — a neobank, a payroll platform, a spend management tool — but needs an FDIC-insured bank behind it to issue accounts, hold deposits, or originate loans. Community banks, already chartered and compliant, became the infrastructure layer. The fintech handled customer acquisition and the technology. The bank collected interchange fees, program fees, and deposit float.

On paper, the economics worked. A single well-managed BaaS partnership could generate more fee income than an average branch. Early movers like Cross River, Sutton, and Coastal demonstrated it could scale into a meaningful revenue line.

The problem is that the early movers had the time, capital, and internal capacity to build the right risk infrastructure around those partnerships. Many of the community banks that followed — attracted by the revenue story without fully internalizing the compliance story — did not.


The Synapse Collapse Changed Everything

Most community bankers had never heard of Synapse Financial Technologies. They should learn the name now.

Synapse was a middleware company that sat between fintechs and their sponsor banks — including Evolve Bank, Lineage Bank, AMG National Trust, and American Bank. Synapse handled the ledger: tracking which customer’s funds resided at which bank. When Synapse filed for Chapter 11 in April 2024, that reconciliation broke down completely.

The result: somewhere between $65 million and $85 million in customer funds could not be located. Depositors were locked out of their accounts for months. The bankruptcy trustee couldn’t reconcile Synapse’s records against what the partner banks were actually holding. The gap was never fully closed.

No sponsor bank failed. FDIC insurance didn’t trigger because the banks themselves were solvent. But real customers lost access to real money for extended periods — and some never fully recovered their funds. The Federal Reserve issued a cease-and-desist order against Evolve Bank for “unsafe and unsound banking practices” tied directly to its management of third-party fintech relationships.

The lesson regulators took from Synapse was unambiguous: the bank is responsible for knowing exactly where its deposits are, at all times. The middleware provider is not a compliance buffer. It is a risk.

The Enforcement Wave

Synapse accelerated the regulatory response, but the enforcement pressure had been building for two years before the bankruptcy.

As of mid-2025, nearly 45% of active BaaS programs were being run by banks under formal regulatory enforcement action. That is not a fringe problem. That is a structural crisis in a business model many community banks were either already running or actively considering.

The named institutions span every charter type and primary regulator:

  • Blue Ridge Bank (OCC consent order, January 2024): BSA/AML deficiencies tied to fintech partnerships; exited BaaS entirely by end of 2024; released from the order in November 2025 after a two-year remediation effort
  • Evolve Bank & Trust (Federal Reserve cease-and-desist): deficient third-party risk management tied to Synapse
  • Cross River Bank (FDIC): fair lending and compliance concerns in fintech partnerships
  • Choice Financial Group, Vast Bank, B2 Bank, Metropolitan Commercial Bank, Piermont Bank, Lineage Bank, Sutton Bank: all under enforcement orders in the 2023–2025 period

The common thread across nearly every enforcement action: BSA/AML program failures, inadequate transaction monitoring, poor oversight of fintech partners, and deficient due diligence at onboarding. These are not exotic compliance failures. They are basic ones.

[Chart: share of community banks currently offering BaaS (9%) versus planning to add it (39%)]

The gap in that chart — 9% doing it, 39% planning to — is where enforcement actions are born. Aspiration without infrastructure is exactly the pattern regulators have been punishing.

What the FDIC Is Now Requiring

In October 2024, the FDIC proposed a rule directly triggered by the Synapse collapse. In community banking circles, it is already being called the Synapse rule.

The proposed rule would require any FDIC-insured bank holding custodial or “for benefit of” (FBO) accounts — the standard deposit structure in a BaaS program — to maintain daily reconciliation of every beneficial owner’s balance. Not monthly. Not quarterly. Daily.

Banks would also need to maintain records in a standardized format identifying the individual owner behind every FBO account, the balance attributable to that owner, and the applicable FDIC deposit insurance category. Those records must be available on demand.

The compliance cost of this requirement is not trivial. Banks that were relying on a middleware provider to handle reconciliation — as the Synapse partner banks were — will need to either build that capability in-house or find a middleware partner whose infrastructure actually supports it. And they will need to verify it. Regularly. Not just at contract signing.

If this rule is finalized in anything close to its proposed form, the bar for running a BaaS program rises significantly. Banks that entered the space assuming their fintech partner or middleware provider would handle the back-office complexity are now discovering that assumption was never sound — and regulators are treating it as negligence, not naivety.


Where the Real Risk Lives

There are three distinct risk layers in a BaaS arrangement. Most community banks that got into trouble underestimated at least two of them.

The fintech partner itself

Who are they serving? What does their customer base look like for BSA risk purposes? What does their transaction monitoring infrastructure actually do? A fintech with 200,000 customers is running a complex compliance operation across your charter. Their BSA/AML gaps are your regulatory exposure. Regulators will examine your program. The fintech does not sit in front of your examiner — you do.

The middleware layer

Synapse demonstrated what happens when the ledger breaks. If your program runs through middleware, you need to understand exactly what deposit records you hold independently of that provider. Could you reconstruct your full beneficial ownership picture if the middleware company shut down tonight? If the answer is “probably not,” you are carrying Synapse-style risk today.
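The daily check described in the FDIC section above, and the "could you reconstruct the picture tonight" question in this one, come down to the same control: compare the omnibus FBO balances the bank holds in its own core system against the per-owner ledger the middleware supplies, and confirm every owner row is complete enough to identify the owner and their insurance category. The script below is an added illustration of that control, not FDIC guidance and not any bank's or middleware provider's code. It assumes the bank can export its own FBO balances and that the ledger arrives as rows of (account, owner id, owner name, balance, insurance category); the account numbers, owner names, balances and the category set are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal

# Hypothetical set of insurance categories this example's ledger is allowed to use.
KNOWN_INSURANCE_CATEGORIES = {"single", "joint", "corporate", "trust"}


@dataclass(frozen=True)
class OwnerRecord:
    """One beneficial owner's position in one FBO account (a ledger row)."""
    fbo_account: str
    owner_id: str
    owner_name: str
    balance: Decimal
    insurance_category: str


# Constructed sample data: the bank's own omnibus balance per FBO account
# (exported from its core system) and the beneficial-owner ledger a
# middleware provider would supply. All values are illustrative.
BANK_FBO_BALANCES = {
    "FBO-1001": Decimal("15000.00"),
    "FBO-1002": Decimal("8200.50"),
    "FBO-1003": Decimal("500.00"),   # bank holds an account the ledger never mentions
}

MIDDLEWARE_LEDGER = [
    OwnerRecord("FBO-1001", "own-1", "A. Example", Decimal("10000.00"), "single"),
    OwnerRecord("FBO-1001", "own-2", "B. Example", Decimal("5000.00"), "single"),
    OwnerRecord("FBO-1002", "own-3", "C. Example", Decimal("8000.00"), "joint"),
    OwnerRecord("FBO-1002", "own-4", "", Decimal("300.00"), "unknown"),  # incomplete row
]


def reconcile(bank_balances, ledger):
    """Compare the bank's omnibus balances with the ledger's per-owner totals.

    Returns a dict with:
      mismatches:    {fbo_account: (bank_balance, ledger_total)} for every
                     account whose totals differ; a None on either side means
                     the account exists only on the other side
      record_issues: [(fbo_account, owner_id, reason)] for ledger rows that
                     cannot identify the owner or their insurance category
    """
    ledger_totals = defaultdict(Decimal)
    record_issues = []
    for rec in ledger:
        ledger_totals[rec.fbo_account] += rec.balance
        if not rec.owner_name.strip():
            record_issues.append((rec.fbo_account, rec.owner_id, "missing owner name"))
        if rec.insurance_category not in KNOWN_INSURANCE_CATEGORIES:
            record_issues.append((rec.fbo_account, rec.owner_id,
                                  f"unknown insurance category {rec.insurance_category!r}"))
        if rec.balance < 0:
            record_issues.append((rec.fbo_account, rec.owner_id, "negative balance"))

    mismatches = {}
    for acct in sorted(set(bank_balances) | set(ledger_totals)):
        bank_total = bank_balances.get(acct)
        ledger_total = ledger_totals.get(acct)
        if bank_total is None or ledger_total is None or bank_total != ledger_total:
            mismatches[acct] = (bank_total, ledger_total)
    return {"mismatches": mismatches, "record_issues": record_issues}


def owner_positions(ledger, owner_id):
    """Answer an on-demand query from the bank's own copy of the ledger:
    what does this owner hold, in which account, under which category?"""
    return [(r.fbo_account, r.balance, r.insurance_category)
            for r in ledger if r.owner_id == owner_id]


if __name__ == "__main__":
    result = reconcile(BANK_FBO_BALANCES, MIDDLEWARE_LEDGER)
    for acct, (bank_total, ledger_total) in result["mismatches"].items():
        print(f"MISMATCH {acct}: bank={bank_total} ledger={ledger_total}")
    for acct, owner, reason in result["record_issues"]:
        print(f"RECORD   {acct}/{owner}: {reason}")
    print("own-3 holds:", owner_positions(MIDDLEWARE_LEDGER, "own-3"))
```

On the sample data the check flags FBO-1002 (the ledger attributes $99.50 more to owners than the bank actually holds), FBO-1003 (the bank holds funds the ledger cannot attribute to anyone), and the incomplete own-4 row. The point of running this against the bank's own export rather than a report the middleware generates is that the comparison still works on the day the middleware provider stops answering.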

Your own third-party risk management infrastructure

The banks that have survived BaaS regulatory scrutiny treated their fintech programs as a separate line of business with its own compliance function, dedicated monitoring, and independent testing. The banks that got consent orders often treated the fintech partner as a revenue relationship managed by the business development side. “The fintech handles compliance” was the last thing said before the exam started.


Should Your Bank Do BaaS?

The CSBS 2024 survey found that 39% of community banks planned to add BaaS to their offerings. That is a substantial number of institutions entering a market where nearly half of existing programs are operating under regulatory orders.

Here is the honest framework.

You should probably not pursue BaaS if:

  • You don’t have a dedicated compliance officer who can own this program as a primary responsibility — not a secondary one
  • Your core system cannot produce daily FBO reconciliations independently of any third-party middleware
  • Your third-party risk management program hasn’t been reviewed and tested in the last 18 months
  • The primary driver is the fee income projections in someone’s pitch deck

You might be ready to explore BaaS if:

  • You have identified a specific, well-understood fintech partner with a clean regulatory record and a documented compliance infrastructure
  • Your BSA/AML program is current, tested, and rated positively in your last exam
  • You have modeled the full compliance cost — not just the revenue opportunity — and the economics still hold
  • You are prepared to exit the program if the partner’s risk profile changes, and you have defined what “exit” looks like operationally


The Hardest Lesson from the BaaS Reckoning

Blue Ridge Bank entered an OCC consent order in January 2024. It had 70 fintech partnerships and had built what looked, from the outside, like a thriving BaaS business. By the end of 2024 it had exited the business entirely. It took until November 2025 — nearly two years — to get out from under the order.

Two years. For a program it no longer runs.

The fee income from BaaS is real. The compliance exposure is also real — and it doesn’t end when you cancel the contract. Regulators will hold you responsible for what happened on your charter, inside your FBO accounts, under your BSA program. The fintech partner gets to walk away. You don’t.

If you’re going to do BaaS, build for the exam, not just for the revenue model. If you can’t build for the exam yet, the pitch deck can wait.