For those of a certain generation, describing someone as working “bankers’ hours” meant that they were, you know, good at golf. Yep, there was a time when physical bank hours were minimal and those in charge were never accused of working too much.
That’s obviously changed. You can conduct business with your bank in a virtual fashion any time and from anywhere, and the clubby atmosphere of banking has become a relic of an earlier time. And with these changes has come more oversight in the form of regulations and compliance mandates. Especially for sponsor banks, Banking-as-a-Service (BaaS) companies, and embedded finance operations, financial services fraud teams are putting in an increasingly rigorous effort to ensure their organizations are compliant.
Yet in today’s environment, those organizations are required to maintain the compliance of their partners as well. For sponsor banks, when mistakes are made, it's their charter that's at risk, and amending those missteps can be costly on every level.
The BaaS Evolution: How We Arrived Here
Some sponsor banks are still reeling from the torrent of BaaS-related enforcement actions enacted in early 2024. Klaros Group had predicted that, last year, every single bank with a BaaS or embedded finance line of business would expect some level of regulatory action in 2024. While the pace cooled throughout 2024 and into 2025, the clear takeaway for sponsor banks with third-party partnerships is that their third-party programs and controls are under intense scrutiny.
That all sounds daunting, but it's not deterring many organizations from continuing or initiating sponsor bank programs. Instead, it's driving an evolution. New programs are being launched with new considerations and, most importantly, much stronger compliance requirements in mind. Compliance is clearly essential, but it’s manageable.
The rise of fintech partnerships and the expansion of access to financial services have been a boon for sponsor banks, especially smaller institutions. These collaborations have allowed them to diversify their deposit base, expand customer profiles, and leverage innovative technology that might be challenging to deploy in a traditional retail environment. This has, admittedly, created a competitive environment to attract fintech relationships. However, this competition has, in some instances, led to banks appearing to let their fintech partners "drive" the relationship.
Recent consent and cease-and-desist orders unequivocally demonstrate that this "hands-off" approach is no longer acceptable. The most successful BaaS environments are built on a true, symbiotic partnership. The fintech must recognize that the bank carries the ultimate risk and owns the charter, while the bank must acknowledge the immense value a fintech brings in terms of market reach and innovative technology.
The Intensifying Regulatory Hammer: Beyond Basic Compliance
Following the turbulence in the banking sector in the past couple of years, regulators have significantly stepped up enforcement measures across capital requirements, fraud prevention, fair lending standards, and, critically, Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations. Regulators are now demanding that sponsor banks exert demonstrable control over who fintechs are onboarding as customers. This mandate extends far beyond basic Customer Identification Programs (CIP). Banks and financial services organizations are now refining and modernizing all elements of onboarding. Among the things they must prioritize:
- Oversight of fraud settings and fraud scorecards: Ensuring the parameters and methodologies used to detect and prevent fraudulent activity are robust and aligned with the bank's risk appetite.
- Document verification: Beyond simple capture, ensuring the authenticity and validity of identity documents.
- Behavioral transaction monitoring: Proactive analysis of customer activity for suspicious patterns, not just reactive reviews.
- Customer Due Diligence (CDD) and Know Your Customer (KYC): Comprehensive processes for understanding the customer's identity, nature of activity, and risk profile throughout the customer lifecycle.
- Customer risk ratings: Dynamically assessing and categorizing customers based on their inherent risk.
- Identity assurance level: Modernizing identity confidence by using values that represent the confidence level between an identity and its authentication key.
A sponsor bank is now required to understand all operations of the fintechs leveraging their charter. CCG Catalyst analyst Tyler Brown recently noted that major themes across recent enforcement actions include a significant gap in banks’ oversight and control over third-party partners’ BSA/AML compliance, and a failure to scale the scope and quality of risk management to a level appropriate for the size and risk profile of third-party partners. We’re beginning to understand that compliance is the essential ingredient to successful bank and fintech partnerships.
The Challenge of High-Risk Clients: The Worldline "Dirty Payments" Case
In June 2025, a collaborative media investigation by 21 European outlets, dubbed "Dirty Payments," alleged that the French digital payments giant Worldline had systematically processed payments for high-risk merchants in sectors like online gambling and adult entertainment and that it had done so while allegedly covering up client fraud to protect its revenue. Based on confidential internal documents, the reports claimed that the company even moved fraudulent clients between divisions to obscure their true fraud rates.
The fallout was immediate and dramatic:
- Market Collapse and Reputational Damage: Following the publication of the allegations, Worldline's shares plunged by over 20% in a single day. The public nature of the investigation and the ensuing market reaction caused significant reputational damage, eroding investor and public trust.
- Regulatory Scrutiny: The reports prompted renewed regulatory scrutiny. One report claimed the Netherlands' central bank had already investigated Worldline's Dutch unit in 2022 due to weak controls. The incident highlighted the intense pressure on payment processors to meet stringent anti-money laundering (AML) and counter-fraud requirements.
- Operational and Compliance Gaps: This case revealed a critical vulnerability in managing high-risk client portfolios. The allegations suggest a failure to uphold a "zero-tolerance" policy, instead allegedly employing operational "tricks" to obscure risk and maintain revenue.
In response, Worldline has denied the allegations, stating that it is fully committed to compliance and has strengthened its merchant risk framework since 2023, including terminating relationships with non-compliant clients. However, this real-world example underscores that, just as in the banking-as-a-service model, a payment provider's failure to effectively manage risk from third-party merchants can lead to profound financial, legal, and reputational consequences.
A Welcome Regulatory Adaptation: FinCEN's Stance on TIN Collection
In a significant move demonstrating responsiveness to the evolving financial landscape, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) recently issued an order permitting banks to collect Tax Identification Number (TIN) information from a third party rather than directly from the bank’s customer. This long-anticipated flexibility, developed in coordination with the OCC, FDIC, and NCUA, directly addresses the changing ways customers interact with financial services.
As FinCEN Director Andrea Gacki noted, this order "reduces burden by providing banks with greater flexibility in determining how to fulfill their existing regulatory obligations without presenting a heightened risk of money laundering, terrorist financing, or other illicit finance activity."
While this exemption offers an alternative collection method for TIN information, banks must still otherwise comply with the overarching Customer Identification Program (CIP) Rule. This means maintaining robust written procedures that enable the bank to obtain TIN information prior to opening an account, based on their risk assessment, and ensuring they can form a reasonable belief that they know the true identity of each customer. The use of this exemption is optional, but it signals a key regulatory acknowledgment of modern identity verification tools and the need for more adaptable compliance frameworks.
For sponsor banks, this flexibility is a huge advantage. It aligns with the need for more efficient and less friction-filled onboarding, especially when dealing with the diverse customer segments that fintechs often serve. It reduces the reliance on direct customer input for a piece of data that can often be reliably sourced from third parties, streamlining the initial identification process while maintaining the integrity of the overall CIP.
Ultimately, it emphasizes the importance of continuous evolution of compliance and demonstrates that adaptable processes are increasingly recognized as essential tools for risk management and growth. This change supports better customer onboarding and accurate identity verification.
The Path Forward: A New Era of Oversight, Technology, and Transparency
So, what can we learn from these enforcement actions? The key takeaway is a clear shift toward greater openness and transparency in the fintech-sponsor bank ecosystem. Improving compliance controls around digital identification isn't just a regulatory mandate; it's becoming a competitive advantage. The new trend is for sponsor banks to take direct responsibility for running the Customer Identification Program (CIP) for their fintechs. While this centralizes compliance checks, it also necessitates significant investment in security and can strain internal resources, potentially putting smaller banks at a disadvantage against larger institutions with established compliance practices.
To navigate this complex landscape and even gain a competitive edge, BaaS providers should prioritize the following:
Implement Solutions with Clear Controls and Centralized Data:
- Prioritize a comprehensive platform that provides clear controls and centralizes compliance data for complete transparency. This enables sponsor banks to manage identity verification and compliance risks across their entire partner portfolio.
- Explore reseller arrangements with leading identity verification software providers. A bank could contract with a robust identity verification platform and then license it to its fintech partners. This demonstrates direct control and standardization, though it does require additional resources from the bank for management.
- Conduct continuous, granular risk assessments to identify and address vulnerabilities proactively throughout the entire lifecycle of the fintech partnership and its end-users.
- Prioritize the ability to ingest and orchestrate in-flow signals that impact CIP compliance, and enable fintechs to ensure customers are who they say they are rather than just verifying the veracity of identity information.
Integrate Advanced Entity Resolution and Risk Content:
- Add sophisticated entity resolution procedures to identify customers with multiple relationships, enhancing the ability to detect linked fraudulent activities or complex financial schemes.
- Consolidate OFAC and sanctions screening into one comprehensive solution, ensuring real-time adherence to global compliance requirements.
- Leverage specific risk content (e.g., Politically Exposed Persons (PEP) lists, Adverse Media screening, Human Trafficking indicators) to drive more accurate and dynamic customer due diligence (CDD), Enhanced Due Diligence (EDD), and customer risk ratings. This deep contextual data improves detection capabilities throughout the customer lifecycle.
Embrace Collaborative Technology for Shared Oversight:
- The Prove platform can help sponsor banks gain deep visibility and manage identity and compliance risks across their partner portfolios. Platforms of this kind enable banks to build and enforce risk policies at scale with cloneable rulesets, eliminating blind spots with a single holistic view.
- They allow for customizable risk policies tailored to a partner's product type and maturity, moving beyond a "one-size-fits-all" approach that can stifle fintech innovation. Crucially, they empower fintechs with visibility into their own policies and performance while the sponsor bank retains total oversight. This collaborative model ensures compliance without compromising the frictionless user experiences that define successful fintechs.
Proactive Planning for Evolving Regulatory Landscapes:
- The industry should anticipate more enforcement actions and new regulatory guidelines. While regulators have often relied on older laws like the Bank Secrecy Act to enforce compliance in modern digital industries, new beneficial ownership laws and discussions around "reasonable security" and loss distribution through legislation signal ongoing evolution.
- Sponsor banks must stay agile, continuously updating their compliance frameworks and risk management practices to keep pace. This often means investing in specialized talent and technology that can interpret and adapt to new regulations efficiently.
By prioritizing robust, technology-driven compliance programs, fostering truly collaborative partnerships, and maintaining enhanced oversight, sponsor banks can transform regulatory pressure into a strategic advantage. This proactive approach will not only mitigate fraud and ensure strict regulatory adherence but, most importantly, empower the rapid and secure growth of legitimate customers, ensuring the future success and stability of the entire BaaS ecosystem.
