- Mar 03, 2026
Banking as a Service (BaaS) and Embedded Finance: Infrastructure, Partnerships & Compliance in 2026
Learn all about Banking as a Service, including compliance requirements, in 2026.

Banking as a Service (BaaS) allows businesses not covered by financial regulations to offer banking products and services directly to their clients.
It is an increasingly popular way to do business: the global BaaS market is currently valued at around $22.5 billion and is predicted to reach a total value of $70.8 billion by 2032. Financial services providers and a wide range of other businesses could stand to benefit from this growing sector.
Through BaaS, a company can provide services such as customer accounts, cards, or payments by relying on a licensed banking partner that handles the regulated infrastructure in the background. An example is the launch of Vivid Money in Germany together with solarisBank and Visa, offering an all-in-one mobile banking platform for spending, saving, and investing.
At the same time, the licensed bank remains responsible for core banking compliance (capital, safeguarding, prudential rules, etc.), while the non-bank partner is typically still subject to regulatory obligations such as AML/KYC, consumer protection, payments, e-money, or agent/distributor rules, depending on jurisdiction and structure.
Regulators increasingly scrutinize BaaS arrangements, and many fintech partners may need to register, obtain licenses, or operate within the bank’s compliance framework.
Although BaaS enables rapid innovation in financial services, it introduces operational and compliance complexity. Traditional compliance models assume a single accountable institution that owns the customer relationship and monitors transactions end-to-end. In BaaS ecosystems, responsibilities and data are distributed across multiple organizations, making coordination and oversight more challenging and requiring enhanced compliance approaches. Let’s dive into what BaaS is, how it’s different from embedded finance, as well as compliance challenges in BaaS and embedded finance.
What is Banking as a Service (BaaS)?
Banking as a Service is usually defined as a model in which a licensed bank or other regulated financial institution provides banking infrastructure as a white-label service to third-party businesses. Through this approach, non-financial companies can offer financial products and services under their own brand, while licensed banks and fintech providers deliver the regulated functionality in the background.
Using this model, fintech, ride-hailing, or e-commerce platforms can embed features such as branded wallets, debit cards, or accounts without holding a banking licence themselves. Although relatively new, BaaS banking now supports a wide range of products, including current and savings accounts, debit and credit cards, loans, and payment services.
How does Banking as a Service work?
In BaaS (Banking as a Service), non-banking businesses (commonly called ‘distribution partners’ or ‘client firms’) pay banks to provide financial products and services, which the non-bank can then sell on to customers under their own brands.
The bank will normally provide the technical platform for these financial services via its existing infrastructure or a dedicated platform created for the distribution partner. The client firm will access the bank’s platform through a Banking as a Service API (Application Programming Interface), which allows the client’s software to exchange data and share functionality with the bank’s infrastructure.
BaaS vs embedded finance: Key differences
The terms Banking as a Service and ‘embedded finance’ are sometimes used interchangeably, but they are not the same thing.
The following breakdown explains some of the key differences:
Embedded finance vs Banking as a Service
| | Banking as a Service | Embedded finance |
| --- | --- | --- |
| Purpose | Allows non-banking companies to offer financial services to their customers | Allows non-banking companies to offer financial services to their customers |
| Methodology | Client firms ‘rent’ financial services from banks to sell to their customers under their own brand | Client firms offer their customers financial services as an add-on in partnership with a bank under the bank’s brand |
| Customer perception | Financial services appear to be offered directly by the client firm | Customers will be aware that the service is being provided by a third-party bank |
What business problems can BaaS solve?
Banking as a Service providers can solve a number of major headaches for non-banking businesses through BaaS platforms. This can be especially useful for those who wish to offer innovative financial products but lack an existing banking infrastructure or access to a particular market.
💡Example: A ride-hailing app can use a BaaS provider to offer in-app wallets and debit cards to drivers, relying on a licensed bank partner for accounts, payments, and regulatory compliance instead of building a banking stack from scratch.
Reducing time to market for financial products
One of the biggest hurdles for challenger banks and innovative financial services companies is the long, complicated process to secure banking licenses. For example, in the UK, it typically takes 18 months to over 2 years to secure a banking license. In the case of Revolut, it took more than 3 years, and once a license was granted, their activities were subject to initial restrictions.
Banking as a Service providers offer a neat solution for financial startups and those looking to expand into new regions. Client firms can quickly access the regulated financial services they wish to offer, such as fintech card issuing, through a Banking as a Service platform, allowing them to start trading and generating revenue straightaway. They can continue this arrangement until they secure a banking license and regulatory approval, or avoid this process entirely by continuing to operate on a BaaS model.
Meeting strict regulatory compliance requirements
Regulatory compliance requirements for financial service providers are complex, and businesses typically need large, experienced compliance teams and the right technology to support them. This can be an expensive investment for startups and businesses planning to break into new markets.
Working with a BaaS provider lets a client firm benefit from its existing compliance infrastructure, which can massively speed things up while keeping costs to a minimum.
Monetizing existing banking infrastructure for a strong ROI
The financial services sector represents a huge opportunity, particularly for those offering innovative financial services—globally, it was worth around $33.5 trillion in 2024 and is expected to reach $44.9 trillion by 2028.
White label banking, where non-banking companies offer financial services via BaaS, can allow client firms to reach new customers with products and services that use existing banking infrastructure. They can therefore serve customers and share in the sector’s huge revenue without having to invest in costly infrastructure themselves. Investing in a Banking Platform as a Service costs a fraction of what it would cost to create separate financial infrastructure, meaning a much better Return on Investment (ROI) for financial services innovators.
How does BaaS create value?
Banking as a Service creates value in several ways beyond reducing infrastructure and licensing costs:
- Speed and experimentation: Companies can launch, test, and refine financial products in weeks instead of years, allowing them to validate demand before committing to full regulatory expansion or obtaining their own license.
- Customer engagement and retention: Embedding accounts, cards, or wallets into a product turns occasional users into recurring users, strengthening relationships and providing continuous behavioral insight.
- Revenue diversification: Businesses can generate interchange revenue, subscription fees, lending margins, or payment commissions alongside their core offering.
- Geographic scaling: By leveraging a licensed partner’s regulatory footprint, companies can expand into new markets with significantly lower operational and compliance complexity.
In some cases, BaaS may offer greater strategic flexibility than embedded finance solutions, particularly when a company aims to build an independent financial brand while working toward its own license or expanded regulatory approval. However, embedded finance platforms can be more appropriate where financial services are designed to enhance a core product, for example, when retailers offer buy now, pay later options directly within the customer journey.
The rise of neobanks through BaaS
Digital-first ‘neobanks’ such as Monzo, Revolut, and Starling all started out using BaaS to deliver their financial products and services. This meant they could offer innovative personal banking solutions while awaiting banking licenses.
The popularity of neobanks has risen fast, with half of UK adults using neobanks by the end of 2024, up from just 16% in 2018. Meanwhile, China’s digital bank, WeBank, entered 2025 with more than 420 million customers. This shows the huge potential in the world of innovative fintech for Banking as a Service.
BaaS revenue models and market opportunities
The Banking as a Service market can generate revenue for BaaS providers in a number of ways, including:
- Platform fees. Recurring monthly fees paid by client firms to access a BaaS provider’s platform and APIs.
- Onboarding fees. One-off fees paid by client firms to be set up on a BaaS platform.
- Usage-based fees. Charges paid based on the amount of specific services a client firm uses.
- White labelling fees. One-off fees and/or recurring licensing fees for a bank to set up financial services under a client firm’s brand using the bank’s platform.
- Net interest margins. Revenue generated by the difference between the higher interest rates banks earn on money deposited with them by customers of client firms and the lower rates banks pay out to those customers.
Embedded finance can also offer attractive market opportunities, for example, where Business-to-Business (B2B) embedded finance is used by client firms to provide deferred payment options to their customers. The value of B2B orders can often be significant, meaning there can be substantial interest to be earned on such transactions.
Who should pay attention to BaaS?
With the BaaS industry already worth around $22.5 billion and predicted to see strong growth, established banks and licensed financial service providers should closely evaluate the opportunity. BaaS banking can provide a valuable new revenue stream by monetizing existing infrastructure and partnerships, particularly as digital-first financial services gain popularity.
Fintech companies should also pay attention. BaaS enables them to rapidly launch innovative services and enter new markets, while fintech partnerships with sponsor banks to deliver services to third-party brands can be highly lucrative.
In addition, a wide range of non-financial businesses can benefit from Banking as a Service by embedding financial features into their products, including offerings such as Buy Now, Pay Later (BNPL). BNPL is currently estimated to be used by hundreds of millions of consumers globally, with continued strong growth expected in the coming years.
Platform businesses such as marketplaces and SaaS providers are also major beneficiaries, as embedded accounts and payouts allow them to control payment flows and strengthen ecosystem lock-in.
How can businesses prepare for BaaS?
There are various steps businesses can take to prepare for BaaS and embedded finance, including:
- Explore existing uses of BaaS and embedded finance. Looking at a range of BaaS and embedded finance examples can give a clear picture of the opportunities.
- Pick the right solution for your business and customers. Embedded finance use cases will differ from BaaS use cases, so thorough research on what you and your customers want should inform which solution will provide the best service and ROI.
- Choose the right provider. The right fit is critical when choosing a BaaS or embedded finance provider. Cost is always key, but it should be weighed against what is provided, including infrastructure and support to meet technical requirements.
- Select the most appropriate fee structure. You should carefully examine the different fee structures and how much they might cost under different scenarios, so you can make an informed choice.
- Establish liability and best practices. While BaaS providers generally take on the bulk of the compliance burden, you need to be clear about what you are responsible for and get best practices in place to meet your obligations.
- Get the right infrastructure in place. You may need additional infrastructure to successfully integrate your provider’s financial services with your own systems. You should work out exactly what is required and the costs involved at an early stage, so you have a complete picture of your total investment.
The compliance challenge in BaaS and embedded finance
BaaS compliance and embedded finance compliance are often misunderstood. A common misconception is that regulatory responsibility sits entirely with the licensed bank, while in practice, client firms also retain obligations.
Understanding compliance responsibilities in the BaaS stack
Relying on outsourced compliance is one of the main attractions of BaaS, but it does not eliminate a company’s own duties. Non-bank businesses offering financial services must clearly understand their role in fintech regulatory compliance, including which parts of the customer relationship they manage and their duty of care toward customers.
❗Typically, the licensed bank remains responsible for prudential and core banking requirements, while the partner company must meet obligations related to customer onboarding, AML/KYC controls, consumer protection, and operational conduct, depending on the jurisdiction and structure. As regulators increasingly scrutinize BaaS arrangements, fintech partners may also need to register, obtain licenses, or operate within the bank’s compliance framework.
The fragmentation problem: Distributed risk across partners
Risk management for BaaS and embedded finance can be more challenging due to the complex relationships between the various parties involved and the issue of ‘risk transfer’, i.e., where a risk (such as regulatory non-compliance) is moved from one entity in a relationship to another.
Distributed risk refers to situations where there is a high level of risk transfer across complex systems involving multiple partner organizations. Standards of risk management may vary considerably between entities, and any weak links can increase risks for all connected entities.
Banks offering financial services via intermediaries must have a robust vendor risk management strategy as they will remain accountable for any failings across their network. This strategy will need to include suitable compliance oversight of a bank’s partner businesses.
For client firms, such as those in fintech, risk management is equally important. Choosing to partner only with reputable banks that offer strong risk management processes is key here.
Why traditional KYC, KYB, and AML models struggle in BaaS
KYC (Know Your Customer) and KYB (Know Your Business) are core components of Anti-Money Laundering (AML) frameworks. Traditionally, they rely on a single financial institution onboarding the customer, verifying identity once at account opening, and monitoring activity within its own systems.
In BaaS environments, however, the customer relationship, data, and operational control are distributed across multiple parties. This fragmentation creates visibility gaps: one organization may onboard the customer, another manages the interface, and the licensed bank performs transaction monitoring. As a result, traditional compliance models designed around a single accountable institution become less effective.
To address this, modern RegTech approaches combine ongoing KYC and KYB verification with continuous AML transaction monitoring across the lifecycle, enabling coordinated risk assessment and reducing cross-party blind spots. Let’s explore the key challenges.
KYC challenges in multi-party fintech arrangements
Key challenges for KYC requirements in multi-party fintech arrangements, such as BaaS, include:
- Split responsibility for KYC. Where a client firm is responsible for onboarding, any gaps in its KYC processes could result in compliance breaches that then affect the bank providing its BaaS platform. Responsibility for all stages of KYC should be clearly defined, and banks must ensure their clients have suitable controls in place.
- Data siloing. The systems used by parties to a BaaS relationship must be able to seamlessly share the information required for KYC checks. If this doesn’t happen, critical information could remain siloed in one system, preventing it from being considered by users of another system as part of KYC.
- Data containment. KYC relies on customers sharing sensitive personal and financial information. This will need to be transferred between the parties in a BaaS relationship, and any issues with the security, privacy, and control of that data could lead to data breaches.
KYB blind spots in business verification for BaaS partners
For banks to meet KYB requirements when offering Banking as a Service, they must ensure there are no blind spots in the KYB process across the different parties to the BaaS relationship.
Common KYB blind spots to be avoided include:
- Failure to understand complex ownership structures and identify UBOs. Client firms onboarding new customers may lack the experience and technical skills to properly investigate and understand complex corporate structures, or to identify customers’ Ultimate Beneficial Owners (UBOs).
- Lack of continuous KYB. KYB should be an ongoing process, rather than something that happens only once during onboarding. Failure to facilitate continuous KYB can mean that any changes to a customer’s risk profile are missed.
- Data fragmentation. The more parties there are to a relationship, the greater the risk that important information may not be promptly shared between entities. This could lead to signs of financial crime being missed.
- Technical and behavioral gaps. Client firms are likely to lack the technology and behaviors expected of a financial services business, which can increase the likelihood of issues being missed and compliance breaches occurring.
AML program gaps in distributed banking models
Client firms will often have a limited understanding of AML requirements, and their AML programs may be inadequate to properly manage financial crime risks. Examples of these types of failures in fintech AML include inadequate Customer Due Diligence (CDD), inability to keep pace with demand during rapid scaling, and poor compliance with requirements such as checking customers against watchlists.
Issuer-centric compliance: A new discipline for embedded finance
Banks issuing financial products, such as payment cards, face a heavy compliance burden. They can be held legally responsible for any compliance breaches across the network of partner businesses they are working with under a BaaS model.
So, a card-issuing platform could be penalized for any breaches by client firms offering debit and credit cards to their customers, even if it is not the bank’s name on the card. Payment issuers can similarly be held liable for any breaches involving payment services their client firms provide, even if the bank is not directly responsible for the breach.
Issuers must therefore understand their compliance obligations and take appropriate steps to ensure they are met across their entire network of partner businesses.
The licensed issuer's regulatory burden in BaaS
Obligations towards regulatory compliance in banking are the same for issuers when they issue products through a BaaS model as they are when those issuers deal directly with customers. This burden should be made clear in fintech licensing agreements for BaaS so that all parties are clear on their responsibilities.
Building compliance frameworks for issuer-led ecosystems
Effective compliance in Banking as a Service revolves around the idea of an issuer-led ecosystem. This is where the bank issuing financial services via intermediaries takes the lead on ensuring regulatory compliance across the entire network of connected entities, i.e., the BaaS ecosystem.
Modern regulatory technology (RegTech) can automate many key compliance processes, reducing the potential for compliance gaps. This can provide assurance for the issuer of continuous compliance across the ecosystem while simplifying things for client firms.
Real compliance blind spots between issuers, BaaS providers, and fintechs
A number of fintech regulatory challenges have emerged in the arena of digital banking compliance in recent years. The following are real examples of compliance blind spots:
Onboarding and identity verification gaps
Where a client firm is responsible for onboarding new customers, it is essential that they follow the same KYC and KYB protocols as a regulated financial services provider. Failings in KYC for fintech companies can lead to compliance gaps, including in relation to verifying customers’ identities or ‘identity verification compliance’.
Digital bank Monzo is one of the most high-profile examples of this issue. It was fined £21.1 million (~$28.8 million) in 2025 by the UK’s Financial Conduct Authority (FCA) for failures in its financial crime controls, including inadequate checks during customer onboarding.
Transaction monitoring and Suspicious Activity Reporting
Transaction monitoring allows banks to spot any suspicious activity by their customers, such as unusually high volumes of transactions. When such issues are discovered, a Suspicious Activity Report (SAR) must be made to the relevant authorities.
In a BaaS relationship, fintech client firms may be responsible for some aspects of transaction monitoring, while banks will also have transaction monitoring and SAR obligations.
In 2024, US-based Blue Ridge Bank faced enforcement action from the US Department of the Treasury’s Office of the Comptroller of the Currency (OCC) for various AML failings in the way it administered its BaaS activities. This included serious gaps in its Suspicious Activity Monitoring and Reporting Program. Ultimately, the bank ended its BaaS program, showing just how serious these types of failings in AML for fintech BaaS relationships can be.
Contractual ambiguity and liability allocation
BaaS contracts have to be crystal clear to avoid any confusion over issues such as where liability lies for specific issues.
The case of collapsed fintech Synapse illustrates the problems that can arise when liability is unclear. Synapse acted as an intermediary, providing financial services to client firms, with those services underpinned by four partner banks: American Bank, AMG National Trust, Evolve, and Lineage. At least two of those banks are now facing legal action from Synapse customers over allegations of negligence.
Exactly what liability these banks have for their fintech partnership with Synapse is currently unclear, and time will tell what the long-term consequences might be. But this should act as a stark warning of the dangers of ambiguous liability and inadequate partner bank compliance.
Regulatory trends shaping BaaS compliance in Europe and beyond
European regulatory framework for embedded finance
Electronic Money Institution (EMI) licenses and European Central Bank (ECB) licenses are key components of fintech regulation in Europe. An EMI license authorizes an institution to issue electronic money and provide payment services, while an ECB license authorizes delivery of a much wider range of financial services.
This difference is critical for BaaS as providers with an EMI license can only offer payment processing, while ECB license holders can offer services such as accounts and Buy Now, Pay Later.
Prospective BaaS client firms must carefully consider which services they want to offer to their customers, then ensure they choose a partner bank with the appropriate license. BaaS providers must weigh the benefits of offering a broader range of services against the stricter ECB licensing requirements.
The EU Anti-Money Laundering Regulation (AMLR) reinforces that, within Banking-as-a-Service models, the licensed credit or financial institution remains fully responsible and accountable for compliance with AML/CFT obligations, even where customer onboarding, transaction monitoring, or other AML functions are operationally performed by a fintech partner.
AMLR strengthens requirements around risk management, customer due diligence, beneficial ownership identification, ongoing monitoring, and group-wide controls, while also tightening expectations for outsourcing and the use of third parties. In practice, this means BaaS providers must ensure clear allocation of AML roles, full access to customer and transaction data, effective oversight and testing of fintech partners, and the ability to detect, escalate, and report suspicious activity without reliance gaps. The regulation also increases supervisory convergence through the role of AMLA, making weak AML governance in embedded finance and BaaS arrangements more likely to attract regulatory scrutiny and enforcement.
Under the AMLR and the forthcoming Regulatory Technical Standards on Customer Due Diligence issued by the Anti-Money Laundering Authority (AMLA), the use of virtual IBANs (vIBANs) does not reduce transparency or AML/CFT obligations. Where vIBANs are linked to a pooled or master account, institutions must ensure that each vIBAN is uniquely assigned to an identified and verified customer, with full beneficial ownership information and risk assessment at the individual customer level. Customer due diligence, ongoing monitoring, and transaction surveillance must be performed at vIBAN (sub-account) granularity, and institutions must maintain the ability to reconstruct end-to-end payment flows for supervisory and FIU purposes. Where vIBAN infrastructure or monitoring is operated by a third party, the regulated institution remains fully responsible for AML/CFT compliance and must retain effective oversight, data access, and control to prevent misuse, including layering, funneling, or pass-through activity.
US regulatory scrutiny of bank-fintech partnerships
In the US, the Office of the Comptroller of the Currency (OCC) has been paying close attention to banks offering BaaS in recent years. The Blue Ridge Bank and Synapse cases show the compliance expectations of the OCC for fintech companies, as well as their requirements for sponsor bank compliance, including around third-party risk management.
These expectations include written programs to “effectively assess and manage risks posed by third-party relationships” and that “onboarding of new end user accounts within existing third-party fintech relationships and subpartners complies with BSA/AML requirements”.
BaaS providers in the US must ensure they understand these requirements and have effective frameworks in place to meet them.
Key takeaways: Building compliant BaaS and embedded finance partnerships
Banking-as-a-Service enables non-banks to provide innovative financial services to their customers while offering banks a potential new revenue stream. However, success depends on all parties clearly understanding their compliance obligations and liabilities and implementing effective controls to manage shared risks across BaaS and embedded finance models.
The right technology is critical to fintech regulatory compliance. Sumsub’s range of AML compliance tools helps streamline compliance for fintechs and banks by using AI-driven automation to reduce compliance gaps across partner networks, improve operational oversight, and support a seamless customer experience while lowering manual workload.
FAQ
- What is Banking as a Service (BaaS)?
  Banking as a Service (BaaS) is an approach to delivering financial services that allows non-financial businesses to provide branded financial products and services to their customers, backed by regulated financial service providers.
- What is the difference between BaaS and embedded finance?
  Banking as a Service (BaaS) and embedded finance both involve non-banking companies offering outsourced financial services to their customers, but the method of delivery is different. With BaaS, financial services are offered under the non-banking company’s own brand, giving the impression that they are providing the service, while for embedded finance, the services are offered in partnership with a bank under the bank’s brand.
- How does BaaS compliance work?
  In general, the bulk of regulatory compliance obligations will sit with the bank providing financial services to a client firm via BaaS. However, client firms may still have regulatory obligations, so it is important that this is clearly defined in accordance with applicable regulations for all parties from the start.
- What are the main KYC and AML challenges in BaaS?
  Some of the main KYC and AML challenges in Banking as a Service are the need for clarity over liability for different risks, the difficulty of ensuring compliance by third parties, ineffective data sharing and data siloing resulting in the potential to miss key risk factors, and growing regulatory scrutiny of the sector.
- Who is responsible for compliance in a BaaS partnership?
  While the bank providing financial services through BaaS will have the highest level of responsibility for regulatory compliance, all parties to the relationship may have some compliance obligations.


