10 Enforcement Actions That Reshaped BaaS Regulation

Subristi Pradhan, SVP Compliance

Over the past few years, U.S. regulators have fundamentally reshaped how banks are expected to manage fintech partnerships and Banking-as-a-Service (BaaS) programs.

While fintech partnerships enabled rapid innovation in embedded finance, payments, and digital banking, regulators increasingly concluded that risk management frameworks at many banks had not kept pace with the complexity and scale of these programs.

Beginning around 2023, a wave of enforcement actions signaled a clear shift in supervisory expectations. Consent orders, formal agreements, and enforcement actions across multiple regulators made one message unmistakable:

Outsourcing financial services to fintech partners does not outsource regulatory responsibility.

The enforcement actions below collectively defined the modern supervisory framework for BaaS oversight.

1. Blue Ridge Bank – OCC Consent Order (2024)

Issued by the Office of the Comptroller of the Currency, the consent order against Blue Ridge Bank became one of the clearest regulatory statements about the risks associated with scaling fintech partnerships too quickly.

Regulators identified weaknesses in:

The order underscored that rapid expansion of fintech programs must be supported by equally robust compliance infrastructure. Many banks subsequently began establishing formal fintech oversight committees and strengthening partner monitoring frameworks.

2. Cross River Bank – FDIC Consent Order (2023)

The enforcement action issued by the Federal Deposit Insurance Corporation against Cross River Bank drew significant attention across the fintech ecosystem.

Cross River is a major partner bank supporting a wide range of fintech platforms, including payments, lending, and embedded finance providers.

The order highlighted:

The case reinforced a critical expectation: banks must maintain full visibility into transaction flows generated by fintech partners.

3. Evolve Bank & Trust – Federal Reserve Enforcement Action (2024)

The enforcement action issued by the Federal Reserve against Evolve Bank & Trust was particularly important because of the bank’s extensive fintech partner network.

Regulators cited deficiencies in:

The action reinforced that banks operating BaaS programs must maintain direct control over compliance functions, even when fintech partners manage operational components.

4. Metropolitan Commercial Bank – Federal Reserve Action (2023)

Metropolitan Commercial Bank faced enforcement action related to failures in its Customer Identification Program (CIP) and weaknesses in third-party risk management.

Regulators concluded that the bank had not adequately validated the onboarding and compliance processes performed by its partners.

This case highlighted a recurring supervisory theme: banks cannot rely solely on fintech-managed onboarding processes without independent validation and testing.

5. Thread Bank – FDIC Consent Order (2024)

Thread Bank operates a Banking-as-a-Service model supporting embedded finance platforms.

Regulators identified deficiencies in:

The order demonstrated that community banks operating fintech programs face the same supervisory expectations as larger institutions.

6. Sutton Bank – FDIC Consent Order (2024)

Sutton Bank, known for supporting payments and card-issuing fintechs, faced enforcement related to weaknesses in BSA compliance and transaction monitoring.

The case highlighted the regulatory risks associated with high-volume payment programs operated through fintech partnerships.

7. Lineage Bank – FDIC Consent Order (2024)

The enforcement action against Lineage Bank emphasized deficiencies in AML controls and risk management frameworks supporting fintech activities.

Regulators again stressed that rapid fintech partnership expansion requires scalable compliance infrastructure.

8. Piermont Bank – FDIC Consent Order (2024)

Piermont Bank’s enforcement action focused on governance weaknesses and gaps in third-party monitoring.

The order reinforced expectations that banks must maintain continuous monitoring of fintech partners rather than relying on point-in-time onboarding assessments.

9. Vast Bank – OCC Enforcement Action (2023)

Vast Bank’s enforcement action involved governance and risk management concerns tied to its digital asset and fintech activities.

The action demonstrated regulators’ willingness to intervene when banks pursue novel financial models without sufficient risk management frameworks.

10. Choice Financial Group – FDIC Consent Order (2023)

Choice Financial Group’s enforcement action involved deficiencies in AML compliance and third-party oversight.

This case further reinforced regulators’ focus on community banks that support fintech platforms through BaaS arrangements.

The Five Regulatory Themes That Emerged

Across these enforcement actions, regulators consistently identified the same structural weaknesses:

These themes now form the core supervisory expectations for banks operating fintech partnerships.

What Changed After 2024

After the wave of enforcement actions in 2023-2024, the regulatory landscape began to evolve.

Rather than issuing large numbers of new BaaS-specific consent orders, regulators shifted toward supervisory follow-up and structural reforms.

Key developments include:

1. Increased Supervisory Monitoring

Regulators began focusing on monitoring remediation efforts at banks operating under existing consent orders.

Banks were required to demonstrate:

2. Greater Emphasis on Policy and Guidance

Regulators increasingly turned toward policy clarification and rulemaking to address fintech risks at a systemic level.

Supervisory guidance began emphasizing:

3. Enforcement Lifecycle Management

Several earlier consent orders began entering the remediation and termination phase, demonstrating how regulators oversee long-term corrective actions.

This shift reflects a regulatory cycle:

  1. enforcement action
  2. remediation program
  3. supervisory monitoring
  4. eventual termination of the order

Why This Matters

The enforcement wave between 2023 and 2024 effectively established the modern regulatory framework for Banking-as-a-Service programs.

For banks operating fintech partnerships today, these cases define the minimum expectations for risk management.

Key lessons include:

For fintech companies and partner banks alike, these enforcement actions serve as a reminder that innovation in financial services must be matched by equally robust governance and risk management frameworks.

As regulators continue to refine their oversight approach, institutions that proactively strengthen fintech risk management will be best positioned to navigate the evolving regulatory landscape.

___________________________________________________________________________________________________________________________________________________________________

About Across

Across provides real-time, decision-ready onboarding and ongoing risk assessments for banks working with fintech partners. By combining automation with risk intelligence, Across helps financial institutions maintain continuous oversight, scale compliance infrastructure, and confidently operate Banking-as-a-Service programs in an increasingly complex regulatory environment.

Follow Across for insights on fintech risk, regulatory developments, and the future of bank-fintech partnerships.

© 2026 Across Technology Inc. All Rights Reserved