Regulators’ views on Banking-as-a-Service (BaaS) are maturing. The OCC, Federal Reserve, and FDIC just published a joint statement on banks providing deposit products and services through third parties — a classic BaaS use case — and the risks to end users. It addresses specific and timely issues in the BaaS space and drills down deeper than guidance on third-party risk management.

The statement is part of a regulatory normalization that we’ve seen coming. It follows guidance earlier this year that, as we discussed, covered community banks’ relationships with third parties. That guidance was particularly apt given community banks’ overrepresentation among BaaS sponsor banks. The agencies reiterated the need to make risk practices appropriate for a bank’s size, complexity, and risk profile — but plenty was left to interpretation.

The recent statement looks at BaaS with a focus on safe and sound practices and financial-crime prevention. The core problem it addresses is how fintechs’ claims that customer deposits are federally insured hides risks to consumers’ ability to access their funds. It adds to regulators’ body of work just as BaaS technology providers are at pains to assure regulators, investors, partners, and customers that they’re competent and compliant.

The document demonstrates regulators’ clearest understanding yet of factors behind the BaaS crisis. It also implies guardrails informed by examinations and, as we’ve covered, enforcement actions. It cites potential problems with operations, compliance, growth, governance, and third-party risk — all those factors get more complicated as the number of program partners multiplies, which may be exacerbated by a poorly designed or poorly managed intermediary.