|
BaaS / Sponsor Bank
Full BaaS Stack
(via Infinant + Sponsor Banks)
Vertical SaaS embedding accounts, cards, ACH/RTP
|
★ High |
- FDIC pass-through notice — must state sponsor bank name, "Member FDIC," and that deposit insurance belongs to the bank, not the fintech. Required at account opening and on every statement.
- Reg E error resolution rights — 10/45-day dispute window disclosures, mandatory at onboarding.
- Reg DD / Truth in Savings — if interest-bearing accounts, APY disclosures at account opening.
- Privacy notice (GLB Act) — annual opt-out opportunity required.
- BSA/AML program disclosure — "we may report transactions over $10K" language required.
- Cardholder agreement if issuing cards (Reg Z if credit).
Delivery: In-app modal at signup + emailed PDF. Sponsor bank typically mandates their approved disclosure templates — the fintech cannot unilaterally edit language.
|
- Full KYB required — EIN, beneficial ownership (25%+ threshold), Articles of Incorporation, SSN/DOB of all UBOs.
- FinCEN CDD Rule applies — bank is the responsible party but pushes program obligations onto the fintech via contract.
- Ongoing monitoring required — re-KYB triggers if business structure changes.
- Automated OFAC/SDN screening at onboarding and continuously.
Bank sets the KYB bar. Conservative banks require more documentation and may demand enhanced due diligence on higher-risk verticals (cannabis, crypto, MSBs).
|
Not always — but structured.
- Sponsor bank typically holds a single omnibus FBO account for the fintech's entire customer base.
- Fintech must maintain a subledger mapping every end-user balance to the omnibus — this is a non-negotiable operational requirement.
- If FDIC pass-through coverage is claimed, the subledger must be reconcilable daily and meet the bank's record-keeping standards.
Per-customer FBO accounts are uncommon under BaaS — the omnibus + subledger model is standard, but your subledger accuracy is your legal exposure.
|
Shared — tiered
- Sponsor bank owns ultimate regulatory liability (BSA/AML, Reg E, FDIC).
- Fintech is contractually indemnified against — meaning if the fintech's KYB process fails and allows a bad actor, the fintech absorbs financial loss via indemnification clause.
- Fraud chargeback on debit/ACH — typically fintech absorbs unless routed to bank's own risk framework.
|
- BSA/AML program (written policy, CDD, SAR filing)
- Reg E (error resolution, provisional credit timelines)
- FDIC compliance (pass-through eligibility rules)
- NACHA operating rules (ACH)
- State money transmitter exemptions (bank-sponsored exemption)
- Annual bank audit / exam participation
|
- Bank exits the relationship — all accounts, FBO balances, and subledger must migrate. 90-day notice clauses are common but insufficient for complex migrations.
- Subledger reconciliation breaks — regulatory exposure immediately.
- Undisclosed beneficial owner triggers bank SAR — fintech's program is scrutinized.
- Bank changes risk appetite mid-contract and restricts your customer vertical.
|
|
Payment Processor
API-First Processor
(e.g., Moov.io)
ERP, AP/AR platforms moving money via ACH, RTP, FedNow
|
◆ Medium |
- No deposit-taking = no FDIC or Reg E disclosure obligation (unless acting as a custodian).
- ACH Authorization disclosure — explicit written or electronic authorization required before debiting any account. Must state amount, frequency, and revocation rights (NACHA R10/R29 compliance).
- Error/dispute process — not Reg E mandated but best practice disclosure of your internal dispute policy.
- Payment confirmation receipts — required by NACHA rules at transaction level.
- Privacy policy (CCPA/CPRA if CA customers).
Delivery: In-app at payment initiation. ACH authorization must be pre-authorized — verbal OK is insufficient for recurring pulls.
|
- KYB required by the processor (Moov mandates it) — EIN, legal name, beneficial ownership.
- If the fintech is acting as a payment facilitator (PayFac), the fintech takes on KYB of its own submerchants — this is a separate, significant compliance layer.
- OFAC screening required.
- No FinCEN CDD obligation on the fintech unless the fintech itself qualifies as an MSB (money services business).
If the fintech is just passing through payments (not holding funds), the processor's KYB program typically covers the fintech as a customer — not the fintech's end users.
|
Generally No.
- No FBO account required for pass-through payment processing.
- Exception: if the fintech holds funds between initiation and settlement (even briefly), FBO treatment may be required by state MSB law.
- Same-day ACH settlement typically flows directly between bank accounts — no custodial holding.
|
Fintech / Client
- The fintech as the originator of ACH transactions owns NACHA liability — return rates, unauthorized debits, R29 fraud.
- Processor (Moov) owns network-level compliance but the fintech indemnifies for origination errors.
- Chargeback/return risk absorbs at the fintech unless a risk-sharing agreement is in place.
|
- NACHA operating rules (origination, return rate thresholds)
- RTP / FedNow rules (Fed's participation requirements)
- CFPB EFTA compliance if consumer-facing
- State MSB licensing IF funds are held in transit
- OFAC (processor handles but fintech must contractually confirm)
|
- ACH return rate breach — NACHA can terminate origination rights. This kills your payment flow entirely.
- Unauthorized debit claim (R10) — no FDIC/Reg E backstop; fintech absorbs.
- If funds sit in transit > 1 business day in fintech-controlled account — MSB licensing trigger in most states.
- Processor concentration risk — single vendor dependency.
|
|
PSP / Treasury
PSP + Treasury Layer
(e.g., Modern Treasury, Stripe Treasury, Unit)
Complex AP/AR flows, multi-bank reconciliation, ledgering at scale
|
◆ Medium |
- Payment instructions disclosure — must clearly describe what payment is being made, to whom, from which account, at what amount.
- If operating virtual accounts for end users — disclosure that funds are held in an account at a named bank, not by the PSP/treasury layer (Modern Treasury, Stripe Treasury, Unit) or the fintech.
- Reconciliation dispute policy — internal SLA disclosure.
- Privacy policy (GLB if bank-linked, CCPA if CA).
PSP/treasury orchestration layers (Modern Treasury, Stripe Treasury, Unit) are not money transmitters — they do not hold funds. The underlying bank does. Disclosures flow from the bank relationship.
|
- KYB by fintech for its own customers — PSP/treasury layers (Modern Treasury, Stripe Treasury, Unit) do not perform end-user KYB.
- Fintech must implement its own KYB/KYC process for anyone it onboards to the payment workflow.
- The underlying bank will require KYB on the fintech entity itself.
- OFAC screening is the fintech's responsibility for end-user transactions.
|
Depends on design.
- For pure pass-through: No FBO needed.
- For virtual account / balance-holding models: Yes — PSP/treasury virtual account structures (Modern Treasury, Unit) sit on top of FBO accounts at the underlying bank. The fintech does not open per-customer FBOs directly, but the bank does.
- Reconciliation is the fintech's operational obligation.
|
Shared
- Underlying bank owns regulatory liability.
- Fintech owns operational liability — failed payments, misdirected funds, reconciliation errors.
- The PSP/treasury layer's SLA is the operational backstop but contractual liability typically caps at fees paid.
|
- NACHA / RTP / FedNow rules
- Bank account agreement terms
- State MSB if balance-holding detected
- SOC 2 / data security obligations (customer expectation)
- Reconciliation accuracy obligations (contractual, not regulatory)
|
- Ledger inconsistency — if virtual accounts don't reconcile to the FBO daily, regulatory and fraud exposure escalates immediately.
- Bank terminates the underlying account — all virtual accounts collapse.
- Misdirected payment — fintech absorbs recovery cost; the PSP/treasury layer's liability is capped.
- Complexity creep — multi-bank orchestration introduces reconciliation failure points at every node.
|
|
Own MTL Licenses
Money Transmitter
License Holder
e.g., Ironpay, Nuvei, Payoneer — B2B AP flows, state-licensed money movement
|
★ Highest |
- MTL disclosure required in every state where licensed — must display license number, regulator name, and complaint process in the app and on receipts.
- State-specific disclosure requirements vary — CA (DBO), NY (DFS, BitLicense if crypto), TX (SML), FL (OFR) all have distinct requirements.
- Material disclosures: fee schedule, FX rates (if applicable), cancellation rights, error resolution timeline — all mandated pre-transaction.
- Annual report to each state regulator — licensee must file independently.
- Federal MSB registration (FinCEN) required in addition to state licenses.
Delivery: In-app pre-transaction disclosure + printed/emailed receipt. State regulators conduct mystery shopper examinations — disclosure failures result in fines and license suspension.
|
- Full KYB/KYC program is the licensee's obligation — no bank to delegate to.
- Written BSA/AML policy required, filed with FinCEN as part of MSB registration.
- SAR filing obligation — must report suspicious activity directly to FinCEN.
- CTR filing (transactions > $10K cash) — direct filing obligation.
- Independent AML audit required annually (for most state licenses).
- Ongoing OFAC screening — your obligation, not delegated.
If a regulator examines your AML program and finds deficiencies — consent order, fine, or license revocation. This is an existential business risk. The NYDFS has revoked licenses for BSA failures.
|
Yes — required.
- Most state MTL laws require permissible investments equal to outstanding transmission obligations — in practice, an FBO or equivalent segregated account structure is mandatory.
- Permissible investment rules are state-specific — some require US Treasuries, bank accounts, or other liquid assets. CA requires 100% coverage.
- Net worth requirements must be maintained independently of customer funds.
This is one of the heaviest balance sheet obligations in payments. You cannot commingle licensee operating funds with customer transmission funds.
|
Fintech / Licensee — Full
- You own 100% of transaction liability — there is no sponsor bank backstop.
- Fraud losses, unauthorized transmission, regulatory fines — all land on the licensee.
- Consumer protection obligations in all licensed states — error resolution, refund timelines, liability caps for unauthorized transactions.
- No indemnification from a bank partner — you are the regulated entity.
|
- FinCEN MSB registration + BSA/AML program
- State MTL — 40–48 states if nationwide (ND, SC, MT often exempt)
- Annual state exam participation
- Permissible investment maintenance
- Net worth / surety bond requirements per state
- SAR + CTR direct filing obligations
- State-specific consumer protection laws
- CFPB oversight if consumer-facing (>$10B threshold or UDAAP)
|
- License lapse in a key state — transmission in that state becomes illegal immediately. Revenue stops.
- Regulatory examination failure — consent order, civil money penalty, public disclosure. Reputational damage is often worse than the fine.
- Permissible investment shortfall — regulators can freeze operations in the affected state.
- Cost of compliance: $2–5M+ to achieve full 50-state coverage, $500K–$1.5M/year to maintain.
- Speed: 18–36 months to achieve broad state coverage from scratch.
|
|
FBO / Claims
FBO Disbursement Model
(e.g., Hyperwallet, Tipalti, SnapRefunds)
Marketplace payouts, insurance claims, refund disbursement — Hyperwallet, Tipalti, SnapRefunds
|
◆ Medium
Low if well-structured; escalates fast if FBO governance fails
|
- FBO ownership disclosure — recipient must be told the funds are held in an account at [Bank Name] for their benefit. Required for FDIC pass-through eligibility.
- Disbursement method disclosure — how will they receive funds (ACH, check, prepaid card)? Timeline?
- Unclaimed property notice — if funds are unclaimed beyond state escheatment period (3–5 years depending on state), funds must be remitted to the state. Recipients must be notified before escheatment.
- Privacy policy — how is payment data used?
Delivery: Email or in-app at disbursement notification. Escheatment notices are often missed — this is a hidden compliance liability.
|
- KYB on the platform client (the company using the FBO disbursement service) — required by the underlying bank.
- KYC on individual recipients at or above CTR thresholds ($10K) — required even for refund/claims disbursements.
- For marketplace sellers or high-volume payees — OFAC and KYC screening required.
- For low-value consumer refunds (<$600 or below 1099 threshold) — lighter KYC permissible in most cases.
IRS 1099-K reporting obligation applies if a payee receives >$600 in aggregate payments in a calendar year (post-2024 threshold). This requires collecting TIN/SSN at onboarding.
|
Yes — structure is the product.
- The FBO account IS the compliance structure. One FBO account held at the underlying bank, with subledger entries for each recipient's balance.
- Subledger must reconcile to the FBO account daily.
- FDIC pass-through requires the subledger to identify each beneficial owner by name, SSN/EIN, and balance — this data must be available to the FDIC within 24 hours if the bank fails.
- Multiple FBO accounts may be required if the program spans multiple use cases (claims vs. payroll vs. refunds).
|
Shared — Structured
- Underlying bank owns regulatory liability for the FBO account.
- The fintech owns subledger accuracy — if subledger is wrong, the fintech has misrepresented beneficial ownership. Regulatory and civil liability.
- Unclaimed property liability is the fintech's — if escheatment is not done correctly, state attorneys general pursue the fintech, not the bank.
- Fraud on individual disbursements — typically fintech's responsibility.
|
- Unclaimed property / escheatment (all 50 states have different rules)
- IRS 1099-K / 1099-MISC reporting
- FDIC subledger requirements
- NACHA rules for ACH disbursement
- State-specific refund/claims laws (insurance claim disbursements have additional state insurance department rules)
- OFAC / KYC on payees
|
- Subledger reconciliation failure — if FBO balance ≠ sum of subledger entries, the fintech cannot demonstrate proper fund segregation. Regulatory exposure immediately.
- Escheatment failure — states aggressively pursue unclaimed property. Audit lookback periods of 10+ years are common.
- FDIC pass-through gap — if subledger doesn't meet standards at bank failure, recipients may not be covered. Reputational catastrophe.
- 1099-K non-compliance — IRS penalties + back-up withholding obligation.
|