Banking-as-a-service

A chartered bank rents its regulated capabilities to a non-bank brand, often through a middleware platform. The model has scaled fintech rapidly and has produced the highest concentration of supervisory consent orders in the past five years.

Last reviewed May 2026 · Section VII

Banking-as-a-service is the industry term for the model by which a chartered bank provides regulated capabilities — deposit accounts, payment-network access, card issuance, KYC, BSA compliance — to a non-bank brand, typically through a middleware technology platform. The model emerged in the early 2010s and accelerated dramatically through the late 2010s and early 2020s, becoming the underlying infrastructure for most of the consumer "neobank" sector and for many business-banking, payroll, expense-management, and embedded-finance products. By 2022, more than 100 U.S. banks were operating BaaS programs, with several hundred fintech client brands relying on the model.

This article describes the BaaS structure, the principal middleware platforms, the ledger-reconciliation challenges that have produced supervisory action, and the regulatory response that has materially reshaped the model since 2023. For the consumer-facing layer, see challenger banks and neobanks; for the pass-through coverage question, see FDIC deposit insurance.

The structure

A typical BaaS arrangement involves three layers:

  1. The consumer-facing fintech: the brand the consumer interacts with. Provides the user interface, customer service, marketing, and (often) value-added features. Does not hold the consumer's deposit.
  2. The middleware platform: a technology layer that connects the fintech's interface to the partner bank's systems. Provides APIs for account opening, payment initiation, card issuance, statement generation, and the various other banking functions the fintech needs. Maintains the per-consumer ledger that tracks each consumer's balance.
  3. The partner bank: the chartered, FDIC-insured institution that legally holds the consumer's deposit (typically in a "for benefit of" account at the partner bank, with the middleware or the fintech maintaining the underlying consumer records).

The middleware platform is often the most operationally complex piece. Examples of major middleware providers have included Synapse (which collapsed in 2024), Treasury Prime, Unit, Sila, Lithic (for card issuance), and others. Some fintechs have bypassed the middleware layer and contracted directly with partner banks; some banks have built their own BaaS infrastructure internally rather than relying on third-party middleware.

The partner banks that have specialized in BaaS — including Evolve Bank & Trust, Cross River Bank, MetaBank (now Pathward), Sutton Bank, Lincoln Savings Bank, and others — have generally been small or mid-size community banks whose BaaS programs grew to be a substantial portion of their total deposit base. The economics of being a BaaS partner bank typically involve receiving deposits that the bank can lend out, with the fintech earning the consumer-facing relationship economics and the middleware earning per-transaction or platform fees.

Ledger reconciliation

The technical core of the BaaS model is the consumer-level ledger maintained somewhere in the stack. The partner bank typically holds a single (or several) omnibus "for benefit of" deposit accounts; the consumer-level breakdown — which specific consumer owns which portion of the omnibus balance — is maintained either by the middleware platform or by the fintech directly. The accuracy of this breakdown determines whether the FDIC pass-through coverage applies and, more practically, whether the bank can pay each consumer the correct balance on demand.

Reconciling the consumer-level ledger to the bank's omnibus-account balance, and reconciling each layer's records to the others (fintech to middleware, middleware to partner bank), is operationally complex. Discrepancies can arise from timing of transaction settlement, from operational errors at any layer, from disputes between the layers about who is owed what. In a well-run program, the discrepancies are small and resolved quickly. In a poorly-run program, they can grow over time and become unrecoverable.

The 2024 Synapse collapse turned on exactly this dynamic: years of unreconciled discrepancies between Synapse's consumer-level records and the partner banks' omnibus balances became material, and when Synapse entered bankruptcy, the lack of substantiation of individual consumer entitlements left many consumers unable to recover the full balances they had been told they held. See challenger banks and neobanks for the consumer-facing detail.

Supervisory response

U.S. bank regulators — the OCC, the Federal Reserve, and the FDIC — have substantially increased supervisory attention to BaaS programs since 2023. Notable themes:

  • Multiple consent orders against partner banks for inadequate oversight of their fintech relationships, particularly around BSA/AML compliance, third-party risk management, and operational controls.
  • Interagency guidance on third-party relationships (June 2023) consolidating earlier OCC, Fed, and FDIC guidance into a single framework with stricter expectations.
  • Specific FDIC actions related to deposit-insurance disclosure and pass-through-coverage adequacy at fintech-partner banks.
  • OCC enforcement actions including matter-requiring-attention findings on several large national banks with BaaS programs.

The cumulative effect has been a contraction of bank willingness to sponsor new fintech programs, the wind-down of some existing programs at banks that have decided the regulatory burden exceeds the economic return, and substantial investment by remaining BaaS partner banks in compliance and operational controls. The model is not going away, but the conditions under which a chartered bank will participate have become substantially stricter.

What the depositor should know

For a consumer using a product built on BaaS, the practical implications:

  • The legal account-holder relationship runs to the partner bank, not to the fintech brand. The fintech is the customer-service interface and the marketing entity; the bank is the depository institution.
  • FDIC insurance, where applicable, is pass-through at the partner bank, subject to the recordkeeping conditions described in the regulation. Aggregation rules apply per partner bank.
  • If the fintech or middleware fails, the partner bank is not automatically obligated to step into the customer-service role; the consumer may have to work through a bankruptcy trustee or an FDIC claims process to access funds.
  • If the partner bank itself fails, the FDIC resolution process applies as it would to any other failed insured bank, with pass-through coverage attaching to the underlying consumers per the records the partner bank or middleware maintained at the time of failure.
  • Some fintechs sweep deposits across multiple partner banks to extend the FDIC coverage limit; the sweep arrangement should be disclosed and should be verifiable in the account's documentation.
The practical point. BaaS is the infrastructure of much of the consumer fintech sector. The model can work well, and millions of consumers use BaaS-backed products successfully. The risk is operational rather than credit-based: the partner bank's failure is well-handled by the FDIC, but the failure of the middleware or the fintech itself can produce months of access difficulty even where the underlying deposit is insured. For consumers with substantial balances, understanding the structure of the specific product they hold matters.

Limits and uncertainty

The BaaS model is in active regulatory evolution. The post-Synapse supervisory cycle is still working through; additional consent orders and rulemaking activity are likely over the next several years. The FDIC's request for information on deposit-insurance disclosure and recordkeeping standards for partner-bank arrangements may produce a binding rule. The basic model — a chartered bank renting capabilities to a non-bank brand through middleware — is durable, but the specific operational, disclosure, and supervisory expectations around it are not.

Sources

  1. Interagency Guidance on Third-Party Relationships: Risk Management (June 2023), federalreserve.gov.
  2. FDIC, Request for Information on Deposit Insurance and Custodial Accounts (2024-2025), fdic.gov/news/board-matters.
  3. OCC, "Third-Party Risk Management" examination resources, occ.treas.gov.
  4. U.S. Bankruptcy Court, In re Synapse Financial Technologies, public docket, pacer.gov.