Banking-as-a-Service (BaaS) Explained: A 2026 Guide for Financial Institutions

Published: June 2, 2026

A Message from Anna

I have spent 18 years bringing digital banking to credit unions, and "Banking-as-a-Service" is the term that has caused the most confusion in the boardrooms I sit in. After Synapse, the picture is finally clear: BaaS split into two models. One rents your charter to outside fintechs and is exactly the kind of program regulators are now watching. The other embeds software inside your own app for your own members and carries almost none of that risk. This guide shows you how to tell which one you are about to sign up for.

— Anna

What Banking-as-a-Service Actually Is

Banking-as-a-Service is a compliance program with an API attached. A licensed, chartered bank exposes its regulated capabilities — deposit accounts, payments, debit and credit cards, lending — through APIs so a non-bank company can offer those products under its own brand. The brand on the app is rarely the bank holding the money. A ride-share company that gives drivers a debit card, a payroll platform that pays workers instantly, a software tool that issues virtual cards — none of these are banks. They rent regulated banking functions from a chartered institution and present the experience as their own. The charter never moves. Only a bank can hold insured deposits, move money across the payment rails, and answer to federal regulators. BaaS rents access to those capabilities; it does not hand off the obligations that come with them. Lose sight of that one distinction and you get the failures this guide walks through.

Key Takeaways

BaaS is governance first, technology second. The bank — not the middleware — owns every obligation in the program.
After the 2024 Synapse collapse, the lightly-governed BaaS era is over. Regulators issued enforcement actions against sponsor banks and proposed new recordkeeping rules.
There are two distinct BaaS models. The sponsor-bank model carries the heavy regulatory exposure; the embedded-software model lets an FI modernize without it.
The middleware ledger was the single point of failure at Synapse. If you cannot reconcile balances down to each end customer, you have exposure, not a program.
Most middleware providers that defined the boom either pivoted hard or exited. Sponsor banks that survived rebuilt their compliance functions from scratch.

BaaS stack diagram: Brand/Fintech on top, Middleware/BaaS Platform in the middle marked as the Synapse failure point, and Licensed Sponsor Bank at the bottom, with charter and money responsibility flowing down to the bank and brand flowing up

The Numbers That Make This Worth Your Time

Roughly 25% of retail members already run a business on a personal account. Only about 8% of credit union members use their institution for business banking. An estimated 87% of new LLCs never see a credit union offer at all — and the average small business stays with its first bank for about 7 years. The members are already in the building. The gap is the product, not the relationship.

How BaaS Works: The Three Layers

A working BaaS arrangement has three layers, each with a different role and a very different level of regulatory responsibility. Risk flows down to the bank; the brand and the customer relationship sit up top.

Layer	Who it is	What it does	Carries the charter?
Brand / Fintech	The customer-facing company	Owns the app, the relationship, and the brand	No
BaaS Platform	Middleware / API provider	Connects the brand to the bank, runs the ledger and tooling	No
Licensed (Sponsor) Bank	Chartered, insured institution	Holds deposits, moves money, owns regulatory obligations	Yes

The sponsor bank holds the charter and the deposit insurance, and answers to the OCC, FDIC, or Federal Reserve for everything in the program — including the conduct of partners several steps removed from it. The BaaS platform sits in the middle, providing the APIs, the tooling, and the ledger that tracks which end customer owns which dollar. That middleware makes integration fast. It was also the single point of failure in the industry's worst collapse. The brand or fintech owns the experience but holds neither the money nor the charter.

The appeal is speed — a brand can stand up a banking product in months instead of years. The danger is the distance that grows between the people using the product and the bank legally responsible for it. The further those two ends drift apart, the harder it gets to answer a question that should always be simple: where is the money, and whose is it?

Two Models of BaaS: The Split That Matters

This is the decision underneath everything else. Post-Synapse, BaaS divides cleanly into two models. They share a name and almost nothing else.

	Sponsor-bank BaaS	Embedded-software BaaS
Who holds deposits	The sponsor bank, for fintech customers it never onboarded	The FI, for its own members (no change)
Who owns the ledger	The middleware platform	The FI, on its own core
Regulatory exposure	High — full BSA/AML, fair-lending, and third-party liability across the partner chain	Low — standard vendor diligence; no new deposit-pooling risk
What you can offer	Rented charter, cards, and accounts for outside brands	Modern tools for your own members: formation, bookkeeping, tax, compliance
Example	Evolve Bank powering dozens of fintech apps through Synapse	A credit union embedding small-business software in its own app

The first model produced the consent orders. The second is how a community bank or credit union modernizes without becoming the kind of institution regulators now watch most closely. When a vendor says "BaaS," your first question should be: which of these two am I being offered?

BaaS vs. Embedded Finance vs. Embedded Banking

These three terms get used interchangeably, and that looseness causes real confusion in partnership conversations. Keep them straight:

Banking-as-a-Service is the supply side — the infrastructure. It is the plumbing that lets a non-bank offer banking products through a chartered institution. BaaS is the engine that makes the other two possible.
Embedded finance is the broad outcome: any financial product offered inside a non-financial experience — a "buy now, pay later" button at checkout, insurance offered during a car purchase, a payment feature inside a software tool. Some of it runs on BaaS; some does not. See our guide to embedded finance in 2026.
Embedded banking is a more specific case: bank-grade products — accounts, cards, payments, and increasingly accounting and tax tools — delivered inside an app the customer already uses, often the bank's own. We cover the distinction in our embedded banking explainer, and the accounting layer specifically in our embedded accounting guide.

BaaS is the engine, embedded finance is the broad category of what you build with it, and embedded banking is one important product family inside that category. An institution does not have to become a high-risk sponsor bank to take part in embedded banking — and for community banks and credit unions, that is the whole point.

The Named BaaS Players

Decision-makers ask for names, so here they are. The middleware tier is where the 2024–25 shakeout hit hardest; the sponsor-bank tier is where the enforcement landed.

Middleware / BaaS platforms

Provider	What it does	What happened in 2024–25
Unit	BaaS middleware, card issuing, accounts	Active; tightened bank-partner and compliance requirements
Treasury Prime	Bank-direct BaaS connectivity	Active; pivoted toward a bank-led, direct-relationship model
Synctera	BaaS platform with sponsor-bank marketplace	Active; leaned into compliance tooling and program management
Column	Nationally chartered bank with a developer API	Active; bank and platform are the same entity, removing the middleware gap
Stripe Treasury	Embedded banking via partner banks	Active; large-scale, bank-partner model
Synapse	Middleware that pooled customer funds in FBO accounts	Filed Chapter 11 in April 2024; ledger shortfall triggered the crisis
Bond, Solid	BaaS middleware startups	Exited the market amid the broader BaaS pullback

Sponsor banks

Bank	Role	What happened in 2024–25
Evolve Bank & Trust	Major Synapse sponsor bank	Federal Reserve cease-and-desist order over its fintech risk-management framework
Blue Ridge Bank	Active BaaS sponsor	OCC consent order over BSA/AML deficiencies in its fintech programs
Lewis & Clark Bank	Smaller sponsor bank	Continued operating; representative of community-bank entrants
Coastal Community Bank	High-volume sponsor bank	Continued operating with significant fintech-program exposure

The pattern across the survivors is consistent: the ones still standing rebuilt their compliance functions before they grew their partner books, not after.

The 2025–2026 Regulatory Reality

The lightly-governed BaaS era is over. That is not a forecast — it is what the public record now shows. Each fact below comes with what it means for you.

The Synapse collapse. In April 2024, Synapse Financial Technologies — a middleware provider in that middle layer — filed for Chapter 11. Synapse did not hold deposits; it reconciled and routed pooled customer funds into "for benefit of" (FBO) omnibus accounts at partner banks. When the relationships unraveled, the bank-held balances did not match Synapse's records. More than 100,000 end users lost access to over $265 million, and many were locked out of their money for months. This was a ledger and reconciliation breakdown, not a hack or a market crash. (CNBC, Fortune) What this means for you: if you cannot reconcile down to each end customer independent of the middleware, you do not have a program — you have exposure.

Enforcement against sponsor banks. Regulators did not stop at the middleware. The Federal Reserve issued a cease-and-desist order against Evolve Bank & Trust — a Synapse partner — citing an ineffective risk-management framework for its fintech partnerships. The OCC placed Blue Ridge Bank under a consent order over Bank Secrecy Act and anti-money-laundering deficiencies. The common thread was weak due diligence and inadequate ongoing monitoring of partners. (Banking Dive, ABA Banking Journal) What this means for you: outsourcing the activity does not outsource the responsibility. Earn the upside of a partner's program and you own the full downside of its conduct.

What regulators expect. The governing framework is the interagency Third-Party Relationships: Risk Management guidance the Federal Reserve, FDIC, and OCC finalized in June 2023, followed in May 2024 by a companion guide written specifically for community banks. The principle is blunt: a bank's use of third parties does not diminish its responsibility for the activity. (Federal Reserve, OCC) What this means for you: due diligence before a partnership, contractual controls during it, continuous monitoring throughout — with oversight scaled to the risk.

The FDIC custodial-account rule. In September 2024 the FDIC proposed a rule requiring banks that hold custodial deposit accounts with transactional features to keep accurate per-owner records, reconcile them, and submit to independent validation. As of mid-2026 it remains in proposed status — the comment period closed in January 2025 and the rule has not been finalized. (FDIC, Federal Register) What this means for you: the direction is set even though the rule is not final — the recordkeeping responsibility lands on the insured bank, so build for it now.

BaaS is not dead. The loose version is, and the version that survives is a compliance discipline first and a technology product second.

How a Community Bank or Credit Union Participates Responsibly

Modernizing does not mean becoming a sponsor bank. I push back every time someone tells a credit union it does.

The high-risk version rents your charter to many unknown fintechs, holds pooled deposits for customers you never onboarded, and leans on a middleware ledger you do not control. That is the model that produced the consent orders. The embedded-software version is different in every dimension: you embed better tools for your own members, inside your own app, on your own ledger. The products small businesses actually need — formation, bookkeeping, accounting, and tax filing — do not require deposit-pooling or third-party-fintech risk.

The opportunity is large and largely unserved. With a quarter of retail members already running a business on a personal account and only 8% banking their business with you, the members are already in the building. You can serve them with embedded software that runs inside your existing app — vendor-managed, on your terms, with proper due diligence and clear data boundaries — without ever becoming the kind of sponsor bank regulators watch most closely. For where this is heading, see our 2026 credit union trends piece, our look back at the 2025 fintech year, and our state of community banking.

Common Mistakes and Pitfalls

Treating BaaS as a technology decision. It is a governance decision with an API attached. Risk, compliance, and legal belong in the room before engineering does.
Trusting the partner's ledger. Synapse showed the bank, not the middleware, has to answer "whose money is this?" at any moment. No reconciliation down to the end customer, no program.
Skipping the KYB and KYC chain. Knowing your partner is not enough; you have to know your partner's customers. Weak business verification ran through every enforcement action.
Underpricing the cost of oversight. Continuous monitoring, BSA/AML staffing, and audit are permanent expenses. The programs that priced for a one-time integration are the ones that failed.
Confusing reach with control. Nationwide deposits look appealing right up until they leave overnight, or carry compliance problems you never underwrote.

How Jupid Fits the Embedded Stack

Jupid sits at the responsible end of this spectrum. We do not ask a financial institution to become a sponsor bank or pool deposits for outside fintechs. We embed small-business financial tools — incorporation, accounting, tax, and compliance — natively inside the bank or credit union's own app, for its own members. You keep the relationship, the brand, the deposits, and the regulated activity; none of it moves. Jupid owns the software layer on top: an AI accountant your members reach through channels they already use, including WhatsApp and iMessage, that connects to bank accounts and categorizes transactions with 95.9% accuracy, then handles tax filing and ongoing compliance automatically. The journey runs from formation through accounting, tax, and compliance, so a member who forms an LLC stays supported long after filing day. Jupid integrates with the cores institutions already run — Banno, Q2, and Alchemy — across 3,000+ financial institutions, and it is SOC 2 certified, which keeps vendor diligence short. Our team previously built Anna Money, which served more than 60,000 small businesses and reached $40M in ARR.

If your team is weighing how to offer business members a modern financial product without taking on sponsor-bank risk, explore a partnership with Jupid, reach us at partnerships@jupid.tax, or see the full feature set.

Action Checklist

Define what you actually want to offer, and whether it requires holding third-party deposits at all
Identify which of the two BaaS models you are being offered — and therefore which risks you would own
Confirm you can reconcile balances down to each end customer, independent of any middleware
Map your BSA/AML, fair-lending, and KYB/KYC obligations across the full partner chain
Budget for continuous oversight as a permanent function, not a one-time integration cost
Evaluate embedded-software options that serve your own members without sponsor-bank exposure
Walk through the latest interagency third-party risk-management guidance with your compliance team

Sources

This article is for educational purposes only and does not constitute legal, regulatory, tax, or financial advice. Regulatory rules and guidance change; the FDIC custodial-account rule discussed here was in proposed status as of mid-2026. Consult qualified legal and compliance counsel before entering any banking-as-a-service or bank-fintech partnership.