Compliance Reference

Payment Model Compliance Risk Matrix

Before you choose a payment model, understand what compliance obligations come with it. The model you pick determines who owns BSA/AML, how KYB works, what your liability exposure is, what the compliance team looks like, and what it costs annually. Eight models compared — from ISO to full MTL — so you can make this decision with the complete picture.

HIGHEST: Own MTL licenses — full regulatory ownership
HIGH: BaaS / Direct Bank — significant shared obligations
MEDIUM: PayFac / Processor — operational compliance, less regulatory
LOW: ISO / Agent — minimal direct compliance burden


Each payment model below is compared on the same dimensions: compliance burden, time to compliance-ready, annual compliance cost, minimum team, KYB / KYC obligations, BSA / AML ownership, key regulatory frameworks, liability structure, migration path, and who the model is (and is not) right for.
ISO / Agent
Referral arrangement. No funds held. Merchant signs direct with processor.
Lowest burden
Compliance burden: LOW
Time to compliance-ready: 2–4 weeks (contract execution + registration only)
Annual compliance cost: $20K–$80K/yr (primarily legal and agent agreement maintenance)
Minimum team: No dedicated compliance hire required. Risk oversight typically handled by existing legal/finance function.
KYB / KYC obligations: KYB on your own entity by the processor. No KYB obligation on end merchants — processor handles merchant underwriting directly.
BSA / AML ownership: Processor owns BSA/AML entirely. ISO has no direct obligation unless it qualifies as an MSB independently.
Key regulatory frameworks:
  • Card network ISO registration (Visa/MC)
  • State sales agent registration (some states)
  • NACHA agent registration if ACH referral
Liability structure: Minimal. Processor owns fraud, chargeback, and regulatory liability. ISO earns residuals; ISO does not absorb losses.
Migration path: ISO → PayFac: 90–180 days. Requires sub-merchant underwriting program, chargeback reserve, card network PayFac registration.
✓ Right for: Early-stage platforms testing monetization. Low-volume programs. High-risk merchant categories where PayFac exposure is too high.
✗ Not right for: Any program at $500K+ monthly where the economics gap vs. PayFac/direct exceeds $50K annually. Long-term strategy.

PayFac / Payment Facilitator
Master merchant aggregating sub-merchants. You own the payment experience and chargeback liability.
Vertical SaaS standard
Compliance burden: MEDIUM
Time to compliance-ready: 90–180 days (card network PayFac registration + underwriting program build)
Annual compliance cost: $100K–$300K/yr (risk/compliance manager, chargeback ops, fraud tooling)
Minimum team: Risk/Compliance manager (sub-merchant underwriting, chargeback monitoring). Chargeback analyst at scale. Legal counsel for card network compliance.
KYB / KYC obligations: You underwrite your sub-merchants. KYB required on each sub-merchant at onboarding. Ongoing monitoring for chargeback patterns and fraud signals. Card networks mandate sub-merchant due diligence standards.
BSA / AML ownership: Acquiring bank owns primary BSA/AML. PayFac has delegated obligations for sub-merchant monitoring — suspicious activity in sub-merchant transactions must be reported to the acquiring bank.
Key regulatory frameworks:
  • Visa/Mastercard PayFac registration
  • Acquiring bank agreement + underwriting standards
  • PCI DSS compliance (SAQ or full audit)
  • Chargeback ratio thresholds (Visa <1%, MC <1.5%)
  • NACHA if ACH origination included
Liability structure: You own sub-merchant chargeback losses. Acquiring bank indemnification clause shifts fraud losses to the PayFac. Card network violations (chargeback ratio breach) can result in program termination and fines.
Migration path: PayFac → Direct Bank: 9–12 months. Build compliance infrastructure, establish bank relationship, migrate sub-merchants. PayFac → BaaS: not a typical migration — BaaS is usually the starting point, not the destination.
✓ Right for: Vertical SaaS at $1M–$10M monthly processing. Marketplaces. Platforms needing fast sub-merchant onboarding and control over the payment experience.
✗ Not right for: Programs with high-risk merchant segments where chargeback exposure is uncontrollable. Programs needing card issuing or deposit accounts.

BaaS + Middleware
Unit, Synctera, Column, Infinant. Middleware between fintech and sponsor bank.
Fast launch path
Compliance burden: HIGH
Time to compliance-ready: 60–120 days (BaaS onboarding + compliance program documentation)
Annual compliance cost: $150K–$400K/yr (BSA officer, compliance analysts; BaaS platform fees include some compliance tooling)
Minimum team: BSA Officer (required by bank). 1–2 compliance analysts for alert triage and KYB review. Compliance manager at $10M+ monthly.
KYB / KYC obligations: Full KYB required — EIN, beneficial ownership (25%+ UBOs), Articles of Incorporation. FinCEN CDD Rule applies. Bank sets the KYB bar; conservative banks require enhanced due diligence on higher-risk verticals. Ongoing OFAC/SDN screening.
BSA / AML ownership: Shared — tiered. Sponsor bank is primary BSA officer. BaaS middleware manages a significant layer (transaction monitoring tooling, SAR support). Fintech has delegated obligations — owns execution of CDD, handles escalations to bank. Contractual indemnification shifts financial losses to the fintech.
Key regulatory frameworks:
  • BSA/AML written program (bank-mandated)
  • Reg E (consumer programs)
  • FDIC pass-through compliance + subledger
  • NACHA operating rules (ACH)
  • State MTL exemption via bank charter
  • Annual bank audit participation
Liability structure: Shared with tilt toward fintech. Sponsor bank is regulatory-facing. Fintech indemnifies bank — fraud, KYB failures, and compliance violations flow financial loss back to the fintech. Subledger reconciliation breaks = immediate fintech exposure.
Migration path: BaaS → Direct Bank: 6–18 months depending on integration coupling. Requires: compliance program independence build (10–18 weeks), bank diligence (6–12 months), integration re-architecture if tightly coupled. Economics gap at $5M monthly: $300K–$700K annually.
✓ Right for: Pre-PMF fintechs. Programs under $3M monthly. Fast launch required. Card issuing, deposit accounts, ACH needed without bank relationship investment.
✗ Not right for: Programs at $5M+ monthly where the economics gap exceeds migration cost. Programs needing product flexibility beyond the BaaS stack. Programs without a defined migration trigger.

Direct Sponsor Bank
Direct bank agreement. No middleware. Full economics capture.
Scale model
Compliance burden: HIGH
Time to compliance-ready: 6–12 months (bank diligence + compliance program build in parallel)
Annual compliance cost: $250K–$600K/yr (BSA officer, compliance ops team, bank reporting, audit)
Minimum team: BSA Officer (required, named). Compliance manager. 2–3 compliance analysts for alert triage, KYB review, reporting. Bank relationship manager role (often the BSA officer or a senior operator).
KYB / KYC obligations: Full KYB — platform owns entirely. No middleware compliance layer. Bank sets standards; platform executes independently. Written KYB procedures reviewed by bank examiner. Ongoing monitoring, re-KYB triggers, and enhanced due diligence all platform-designed and operated.
BSA / AML ownership: Platform owns the full BSA/AML program. Written, board-approved policy. Transaction monitoring (platform selects and operates tooling). SAR filing via bank. CTR reporting. Annual independent BSA audit required. Bank examiner reviews the platform's program directly.
Key regulatory frameworks:
  • BSA/AML written program + annual independent audit
  • Reg E (consumer programs)
  • FDIC subledger compliance
  • NACHA origination compliance
  • Reg Z (credit card programs)
  • Bank exam participation (annual)
  • State MTL exemption via bank charter
Liability structure: Platform owns operational compliance; bank is regulatory-facing. Indemnification clause typical — compliance failures, fraud losses, and KYB failures flow financial exposure to the platform. Full economics capture (140–160 bps net interchange) is the return on this compliance investment.
Migration path: Direct Bank → MTL: parallel track (18–36 months). Uncommon — direct bank covers most use cases without MTL. Direct Bank → Card Issuing expansion: negotiate commercial card BIN with existing bank — 3–6 months.
✓ Right for: Programs at $3M+ monthly. Card issuing. Full interchange economics required. Programs that have outgrown the BaaS product ceiling.
✗ Not right for: Pre-PMF programs. Teams without compliance operations capacity. Programs needing to launch in under 90 days.

Processor / PSP
Stripe, Adyen, Moov, Modern Treasury. Pass-through payment processing — no fund custody.
SaaS default start
Compliance burden: MEDIUM
Time to compliance-ready: Days–4 weeks (API integration + processor KYB on platform entity)
Annual compliance cost: $30K–$150K/yr (primarily legal, PCI compliance, and dispute management)
Minimum team: No dedicated compliance hire at early stage. Risk manager at $2M+ monthly for dispute/fraud monitoring. PCI compliance officer or third-party QSA.
KYB / KYC obligations: Processor performs KYB on the platform entity. Platform has no KYB obligation on end customers unless acting as a PayFac or holding funds in transit. OFAC screening handled by processor for individual transactions.
BSA / AML ownership: Processor owns BSA/AML entirely. Platform has no direct MSB obligations as long as it does not hold funds in transit beyond settlement timing. If funds sit in platform-controlled accounts >1 business day, state MSB licensing may trigger.
Key regulatory frameworks:
  • NACHA origination rules (if ACH)
  • PCI DSS (SAQ or full audit)
  • CFPB EFTA if consumer-facing
  • State MSB if funds held in transit
  • ACH return rate thresholds (NACHA)
Liability structure: Platform owns origination errors. NACHA return rate breaches (R10 unauthorized debits) — fintech absorbs. Processor's liability caps at fees paid. Processor concentration risk — single vendor dependency.
Migration path: Processor → PayFac: 90–180 days for sub-merchant program. Processor → BaaS: 60–120 days when deposit accounts or card issuing needed. Processor → interchange-plus: renegotiate with existing processor at $1M+ monthly — weeks.
✓ Right for: Inbound payment collection. SaaS subscriptions. Early-stage programs <$2M monthly. No card issuing or deposit accounts needed.
✗ Not right for: Programs at $3M+ monthly where the flat-rate economics gap exceeds $300K annually. Programs needing card issuing, disbursements, or float economics.

Own MTL Licenses
Money Transmitter Licenses in 40–48 states. Full regulatory ownership — no bank charter required.
Maximum independence
Compliance burden: HIGHEST
Time to compliance-ready: 18–36 months (full US coverage from scratch)
Annual compliance cost: $500K–$1.5M/yr (state exams, renewals, permissible investments, dedicated licensing team)
Minimum team: Dedicated BSA officer + BSA team. State licensing function (2–4 FTE). Compliance manager. Annual independent AML audit. Legal counsel in each licensed state. Total compliance org: 6–12 FTE at full US coverage.
KYB / KYC obligations: Full KYB/KYC — licensee owns entirely. Written BSA/AML policy filed with FinCEN. SAR filing obligation — direct to FinCEN. CTR filing (>$10K cash transactions). No bank to delegate to. Regulatory examination of the KYB program is direct — NYDFS has revoked licenses for BSA failures.
BSA / AML ownership: Platform IS the regulated entity — full ownership. FinCEN MSB registration required. Independent annual AML audit required (most states). Dedicated BSA officer with documented authority. State regulators conduct mystery shopper examinations — disclosure failures trigger fines and license suspension.
Key regulatory frameworks:
  • FinCEN MSB registration
  • State MTL — 40–48 states (hardest: NY DFS, CA DFPI, TX SML)
  • Permissible investment requirements (CA: 100% coverage)
  • Net worth / surety bond by state
  • SAR + CTR direct filing
  • Annual state exam participation
  • State-specific consumer protection laws
Liability structure: Full liability — no bank backstop. Fraud losses, unauthorized transmission, regulatory fines — all on the licensee. License lapse in a key state = illegal transmission immediately. Regulatory examination failure = consent order + public disclosure. Reputational damage often exceeds the fine.
Migration path: MTL → Direct Bank: parallel program, not migration. Companies that hold MTLs often also maintain a bank relationship for specific product types. MTL network partners (Ironpay, Nuvei) allow access to MTL infrastructure without building it — a valid alternative to a full build.
✓ Right for: Remittance companies. Cross-border payment platforms. Crypto platforms. Programs needing product freedom beyond bank appetite. Companies with capital to sustain build + ongoing cost.
✗ Not right for: Most vertical SaaS and fintech platforms — sponsor bank exemption is faster, cheaper, and sufficient. Any program needing to launch in under 18 months.

Card Issuing (Direct)
Direct BIN sponsorship with bank. Virtual or physical card programs. Commercial or consumer.
Interchange economics
Compliance burden: HIGH
Time to compliance-ready: 6–12 months (bank BIN agreement + card network registration + program build)
Annual compliance cost: $200K–$500K/yr (card compliance program, network fees, dispute operations)
Minimum team: Card program compliance manager. Dispute/chargeback analyst. BSA officer (bank requirement). Card network compliance function (Visa/MC program rules). Fraud operations at scale.
KYB / KYC obligations: Full KYB on card program participants. Cardholder agreement disclosure required at issuance. Spending controls (amount limits, MCC restrictions, single-use) are both product features and compliance instruments. Beneficial ownership for commercial card programs.
BSA / AML ownership: Shared with bank. Bank is primary BSA entity for the card program. Platform has delegated obligations for cardholder monitoring, unusual spend pattern detection, and escalation. Commercial card programs may have lighter consumer protection obligations than consumer card programs.
Key regulatory frameworks:
  • Visa/Mastercard program rules (issuer obligations)
  • Reg Z — credit card programs
  • Reg E — debit card programs
  • FCBA — billing dispute rights (credit)
  • Bank card program agreement compliance
  • PCI DSS (card data security)
  • BIN sponsorship agreement terms
Liability structure: Platform owns card program economics and liability. Chargeback losses on consumer cards flow to the program. Commercial card BIN programs (P-card BINs) generate 175–250 bps interchange — the highest return on compliance investment in the matrix. Wrong BIN selection at launch is architecturally expensive to fix.
Migration path: Card Issuing → Embedded Lending: natural extension using cardholder transaction data. 6–12 month expansion. Consumer card → Commercial card: BIN renegotiation — 3–6 months with existing bank, 6–12 months with new bank.
✓ Right for: AP automation (VCard). Corporate expense programs. Vertical SaaS with B2B payment flows. Programs where interchange is a primary revenue line.
✗ Not right for: Consumer programs without consumer protection infrastructure. Programs selecting consumer BINs when commercial P-card BINs are available and applicable.

Embedded Lending
Referral, co-origination, or balance sheet. BNPL, working capital, invoice financing.
Three distinct models
Compliance burden: HIGH (varies significantly by model — referral is low, balance sheet is highest)
Time to compliance-ready: Referral: 30–60 days. Co-origination: 6–12 months. Balance sheet: 12–24 months.
Annual compliance cost: Referral: $30K–$100K/yr. Co-origination: $200K–$500K/yr. Balance sheet: $500K–$2M/yr.
Minimum team: Referral: existing legal function. Co-origination: credit compliance officer + bank relationship manager. Balance sheet: full credit risk team + compliance org + capital markets function.
KYB / KYC obligations: Borrower KYC/KYB required for all models. Beneficial ownership for business loans. Credit decisioning documentation required under fair lending obligations. Balance sheet model requires a full underwriting program with documented credit policy.
BSA / AML ownership: Referral: lender owns entirely. Co-origination: shared — bank is primary, platform has delegated CDD obligations. Balance sheet: platform IS the lender — full BSA/AML program required if loan origination volume qualifies as MSB activity.
Key regulatory frameworks:
  • Reg Z (Truth in Lending — all consumer credit)
  • ECOA / Fair lending (all models)
  • State lending licenses (co-origination + balance sheet)
  • CFPB supervision (balance sheet at scale)
  • UDAAP (all models)
  • Servicer obligations (balance sheet)
  • 1099-INT reporting (all interest-bearing)
Liability structure: Referral: no credit risk. Co-origination: shared per agreement — platform absorbs an agreed % of losses. Balance sheet: full credit risk on platform — loss reserve requirements, capital adequacy, investor reporting obligations.
Migration path: Referral → Co-origination: 6–12 months with bank partner negotiation. Co-origination → Balance sheet: 12–24 months, capital raise required. Most platforms stay at co-origination — economics are strong and capital risk is bounded.
✓ Right for: Platforms with deep customer transaction data. Vertical SaaS with a working capital use case. AP platforms adding early pay / dynamic discounting.
✗ Not right for: Platforms without an underwriting data advantage. Balance sheet model without institutional capital backing. Programs without a bank partner willing to co-originate.

On BaaS vs. Direct Bank economics: The compliance burden difference between BaaS and direct bank is meaningful but not the deciding factor. The economics gap is. At $5M monthly, direct bank generates $300K–$700K more annually than BaaS. The compliance investment for direct bank ($250K–$600K/yr) is funded by that gap within 6–12 months of launch.
On MTL partner networks: Ironpay, Nuvei, and similar MTL network operators allow platforms to access money transmitter infrastructure without building their own licenses. This is a legitimate alternative to full MTL build for programs that need MTL capability but cannot sustain the $2–5M build cost and 18–36 month timeline.
On the PayFac gap: Most vertical SaaS companies at $1M–$5M monthly processing are operating either as ISOs (leaving significant economics on the table) or on BaaS (paying middleware margin). PayFac is the frequently skipped middle option — better economics than ISO, faster than direct bank, and appropriate for the compliance capacity most SaaS companies have at that volume.
On embedded lending timing: Lending compliance always adds to payment compliance — it does not replace it. A platform adding co-origination to an existing BaaS payment program is managing two compliance frameworks simultaneously. Design both together; retrofitting lending compliance onto a payment program that wasn't designed for it adds 6–12 months to the timeline.
On migration path decisions: The most expensive mistake in payment model compliance is not choosing the wrong model at launch — it is failing to design the migration path before you need it. Every model in this matrix has a successor. Define your migration trigger (volume threshold, economics gap, product requirement) before you sign the first contract.

Not sure which compliance model fits your program?

The model you choose determines your regulatory exposure, operational requirements, and liability structure for the life of the program. We help you make this decision before it gets made by default.
