Compliance is hard, especially for Banking-as-a-Service (BaaS) sponsor banks. Risk multiplies with the number of partners, especially when those partners own the relationship with end customers — and banks aren’t always well-equipped for BaaS-driven growth. Enforcement orders made public as recently as this month highlight the challenges of running a compliant BaaS program, and increasingly, the associated third-party risks. With the Federal Reserve’s latest action, the number of sponsor banks that have run into trouble with regulators is now 12.

Despite the number of enforcement orders, the reasons for them often overlap. This month’s consent order had nothing new — it checked boxes for the most common lapses in BaaS risk management and compliance, including third-party risk management and oversight, restrictions on business, and BSA/AML. Most notably, references to third-party risk were everywhere in the consent order, and the Fed effectively froze the BaaS business by requiring written approval for “new partners, subsidiaries, lines of businesses, products, programs, services, or program managers.”

These endemic issues shouldn’t scare bankers away from BaaS. The regulatory action is uncomfortable for the BaaS industry because it calls into question the model’s viability for some participants. But for banks that commit to BaaS as a line of business, a byproduct of enforcement actions will be a roadmap that didn’t exist at the outset for BaaS-related compliance. Third-party risk, as most understood it before the fintech boom, was related to the systems banks used to serve their customers directly — the potential scale of third-party risk was small compared to today. Now, banks, vendors, and regulators are catching up.

Despite the uncertainty over BaaS risk and compliance, sponsor banks have some guidelines to go by. Recent interagency third-party risk guidance can be extrapolated to fintechs and other BaaS channel partners. According to the guidance, to quote another article of ours, sponsor banks need to: