Understanding BSA/AML Responsibilities for BaaS Providers

Aug 14, 2025

Banking-as-a-Service (BaaS) has opened new opportunities for fintechs, brands, and non-bank platforms to offer financial products directly to their customers. But with opportunity comes responsibility — particularly when it comes to compliance.

Under the Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) rules, sponsor banks and their fintech partners must implement controls to prevent illicit activity, protect the financial system, and ensure regulatory compliance.

What BSA/AML Means in BaaS

BSA/AML requirements were designed to combat money laundering, terrorist financing, and other illicit financial activities. In a BaaS relationship, the bank is ultimately responsible for ensuring compliance — even if certain processes are handled by the fintech partner.

This means sponsor banks must exercise active oversight of their partners, not merely rely on contractual language.

Core Responsibilities

For BaaS providers and their partners, the obligations include:

  • Customer Due Diligence (CDD) & Know Your Customer (KYC):
    Collect, verify, and maintain accurate customer identity data.

  • Ongoing Transaction Monitoring:
    Identify unusual activity in real time and flag potentially suspicious transactions for review.

  • OFAC & Sanctions Screening:
    Screen customers and transactions against global sanctions lists.

  • Suspicious Activity Reporting (SAR):
    File reports with regulators when suspicious activity is detected.

Lessons from Recent Enforcement Actions

  • Hatch Bank (CA DFPI Consent Order): Highlighted failures in partner oversight and transaction monitoring.

  • Blue Ridge Bank (OCC Agreement): Cited weaknesses in risk assessment and BaaS partner due diligence.

These actions underscore that regulators are not only reviewing banks, but the entire BaaS ecosystem.

Best Practices for Compliance Success

  • Maintain centralized oversight of all fintech partners.

  • Use automated KYC and monitoring tools to increase efficiency and reduce false positives.

  • Define clear roles and responsibilities in partner contracts.

  • Conduct regular compliance audits to catch gaps early.

How Medici Bank Approaches Compliance

At Medici Bank, our compliance framework is designed for BaaS scale:

  • Integrated Vendor Stack: KYC, transaction monitoring, and sanctions screening embedded at onboarding and transaction stages.

  • Proactive Oversight: Dedicated compliance staff overseeing fintech partner activity.

  • Audit-Ready Reporting: Documentation and reporting tools to meet regulatory expectations.
BaaS success depends on trust — and trust is built on compliance. By meeting and exceeding BSA/AML requirements, we create a safer, stronger, and more resilient financial ecosystem for our partners and customers.

📩 Want to learn how Medici Bank’s BaaS model integrates compliance into every step? Contact us today.

#BaaS #Compliance #BSA #AML #RegTech #FinTech #MediciBank