What Is Banking-as-a-Service (BaaS)? Platforms, Players, and Risks Explained
BaaS promised to turn any software company into a bank. The infrastructure exists — but the Synapse collapse exposed exactly what happens when the middleware layer fails.
The pitch was elegant: any software company could become a bank in weeks, not decades. No charter, no regulator knocking on the door, no core banking system to procure. Just call an API, pass some KYC checks, and you were issuing cards and holding deposits. Banking-as-a-Service turned the most heavily regulated industry in finance into something that looked — from the outside — like a developer integration. The irony arrived in April 2024 when Synapse Financial Technologies, one of the most prominent middleware providers in the American BaaS stack, filed for Chapter 11. The CFPB later described a shortfall estimated at between $60 million and $90 million, while customers of apps built on Synapse's infrastructure lost access to money for weeks or months. Building a bank turned out to be easy. Making it safe was something else entirely.
What BaaS Actually Is: The Three-Layer Stack
Banking-as-a-Service is not a product. It is an architecture — a set of contractual and technical relationships that allow a non-bank business to offer bank-grade financial products to its own customers.
The stack has three layers, and conflating them is where most confusion begins.
The chartered bank sits at the bottom. This is the entity that actually holds the banking licence, carries deposit insurance (FDIC in the United States, FSCS in the United Kingdom), and bears the primary regulatory obligations. It accepts deposits in the legal sense, extends credit, and maintains the master ledger. Without the chartered bank, nothing else in the stack is real money.
The middleware platform sits above the bank. This is what most people mean when they say "BaaS provider." Platforms like Stripe Treasury, Unit, Synctera, Treasury Prime, and Marqeta (for card issuance specifically) provide the developer-facing APIs, the compliance tooling, the KYC and KYB orchestration workflows, and — critically — the reconciliation infrastructure that keeps track of who holds what across every customer account. The middleware layer is the translation layer: it abstracts the bank's legacy systems and regulatory complexity into something a software team can integrate in a sprint cycle.
The software business — the "BaaS customer," or sometimes called the fintech or brand — sits at the top. This is the company building the user experience: the neobank app, the spend management platform, the payroll product, the vertical SaaS tool with an embedded wallet. It holds no banking licence of its own. It relies entirely on the layers below it to ensure that money actually moves, that accounts are reconciled, and that regulatory obligations are met.
The critical thing to understand: most companies marketing themselves as "BaaS providers" are not banks. They are API wrappers around banks. That distinction is not semantic — it determines who bears regulatory responsibility and, more practically, what happens when the wrapper fails.
For a deeper look at what software companies are building on this infrastructure, see our coverage of B2B embedded finance and where the revenue is actually accruing.
What Each Layer Does in Practice
The chartered bank does more than hold a licence. It maintains the actual deposit ledger, handles settlement with payment networks, extends credit lines (where applicable), and files the regulatory reports. It also bears responsibility for Bank Secrecy Act compliance, suspicious activity reporting, and anti-money-laundering obligations — though it typically delegates the operational execution of those obligations to the middleware layer and the fintech above it.
The middleware platform's job is operationally dense. It handles API design and versioning; webhook infrastructure so fintechs can react to real-time events like card authorisations and ACH settlements; KYC and KYB orchestration (typically aggregating identity verification providers like Alloy, Persona, or Socure behind a single interface); compliance rule configuration; and reconciliation. That last item — reconciliation — proved to be the fault line. In a well-functioning BaaS stack, every dollar that passes through the middleware platform is tracked at the sub-account level, with the middleware maintaining a shadow ledger that matches the chartered bank's master ledger. When that matching breaks down, the consequences are severe.
Card-specific infrastructure sits partly in this layer. Marqeta, for instance, is a card issuing platform rather than a full BaaS suite: it connects to Mastercard and Visa's networks, issues virtual and physical cards, and processes authorisations in real time, but it pairs with bank partners and sometimes other BaaS layers for deposit accounts. The card economics are distinct from the deposit economics, and understanding which providers operate in which part of the stack matters when building a product.
The software business at the top layer is responsible for its own user experience, its own customer support, and increasingly — following regulatory guidance — for understanding the full chain of its banking relationships. A fintech cannot simply outsource awareness of its underlying bank to its middleware provider. If the middleware fails, the fintech's customers are the ones who cannot access their funds.
Why Small Banks Dominate the US BaaS Market
The most striking feature of the American BaaS ecosystem is who the chartered bank partners tend to be. The BaaS market is not built on JPMorgan Chase or Bank of America. It is built on Evolve Bank & Trust (Memphis, Tennessee, roughly $1 billion in assets at its peak), Cross River Bank (Fort Lee, New Jersey), Coastal Community Bank (Everett, Washington), and a collection of similarly sized community banks that most consumers have never encountered.
This is not an accident. It is the direct consequence of the Durbin Amendment to the Dodd-Frank Act, which capped debit interchange fees for banks with more than $10 billion in assets. Under the cap, large banks receive roughly 21 cents plus 0.05% of transaction value on a debit transaction. Banks below the $10 billion threshold are exempt — they can continue charging the pre-Durbin market rate, which is typically 1–1.5% of transaction value.
Interchange revenue is the economic engine that makes BaaS unit economics work. A neobank issuing debit cards through a large bank earns capped interchange, which at consumer spend volumes rarely covers the cost of customer acquisition, customer support, and platform fees. The same neobank issuing through a sub-$10 billion community bank earns uncapped interchange, which can be meaningful at scale. The business model depends on the regulatory carve-out. This is why the BaaS ecosystem in the United States is structurally dependent on small banks that most of their customers' customers have never heard of — and why the risk is concentrated in institutions with less capacity to absorb operational or compliance failures.
The Synapse Collapse and What It Revealed
Synapse Financial Technologies was, for several years, one of the more prominent middleware providers in the US BaaS market. It connected a collection of partner banks — including Evolve Bank & Trust, American Bank, AMG National Trust, and Lineage Bank — to dozens of fintech apps including Yotta (a savings product with lottery-style prizes), Juno (a crypto-linked neobank), and others. At its peak, Synapse processed billions of dollars in transaction volume across millions of accounts.
In April 2024, Synapse filed for Chapter 11 bankruptcy protection. What followed exposed the structural fragility at the centre of the three-layer stack.
The core problem was reconciliation. Synapse maintained the sub-account ledger — the record of which customer's money was held at which partner bank in what amount. When Synapse collapsed, the reconciliation records became disputed. The partner banks each had records of total deposits held against Synapse, but not necessarily the granular customer-level allocation. Synapse had that granular allocation, and its records were inaccessible or unreliable. The CFPB later put the estimated aggregate shortfall between the banks' records and Synapse's records at $60 million to $90 million, with the gap proving impossible to close quickly.
Customers of apps built on Synapse lost access to their funds — in some cases for months. Because the accounts were held through a middleware layer at multiple partner banks, neither the FDIC nor the individual banks had a straightforward mechanism for releasing funds. The FDIC's pass-through deposit insurance — which protects end customers of BaaS arrangements in theory — requires accurate records of beneficial ownership at the bank level. Without those records, even insured deposits cannot be disbursed.
The Synapse case illustrated a risk that had been hypothetical until that point: the middleware layer could fail independently of the chartered bank, and that failure could strand customer funds even when the banks themselves remained solvent. Regulators took note. The OCC, FDIC, and Federal Reserve subsequently increased scrutiny of "pass-through" deposit arrangements and third-party risk management at the banks involved.
The EU and UK Parallel: EMI Licences
In Europe and the United Kingdom, the structural picture is similar but the regulatory framework differs. The equivalent of the BaaS chartered bank relationship is often built around an Electronic Money Institution (EMI) licence rather than a full banking licence.
EMIs are authorised to issue electronic money (stored value) and provide payment services, but they cannot take deposits in the strict banking sense, are generally not permitted to extend credit from their own balance sheet in the way a bank can, and are not covered by deposit guarantee schemes in the same way as licensed banks. Instead, they are required to safeguard customer funds — holding them either in a segregated account at a credit institution or invested in liquid, low-risk assets — under the Electronic Money Regulations 2011 in the UK (the FCA being the supervising authority) and the Electronic Money Directive (now updated under the Payment Services Directive framework) in the EU.
BaaS-adjacent providers operating under EMI authorisation in Europe include Swan (France), Solaris (Germany — a full bank licence, actually, making it somewhat atypical), Weavr (UK EMI), and Railsr (formerly Railsbank, UK, which went through its own distressed acquisition in 2023 before stabilising under new ownership). Stripe Treasury operates in the EU and UK through local partnerships and entity structures. The safeguarding model differs meaningfully from FDIC pass-through insurance: rather than guaranteed reimbursement up to a statutory limit, customers of EMIs rely on the adequacy of the safeguarding arrangement, which is only as strong as the credit institution holding the segregated funds and the rigour of the EMI's internal controls.
This matters for businesses building on BaaS in Europe: the question is not just "is this provider regulated?" but "what is the precise nature of the regulatory protection it offers, and how does that translate into customer-level risk in a failure scenario?"
How to Choose a BaaS Provider
Four questions cut through the marketing and go to the actual risk structure of any BaaS relationship.
Does the provider own the bank relationship, or is it a chain of intermediaries? Some middleware platforms have direct, exclusive relationships with one or two partner banks. Others aggregate access across multiple banks or sub-contract through other middleware providers, creating a chain of four or five entities between the software business and the chartered bank. Every additional link in that chain is an additional point of failure — and another entity that needs to be assessed for operational and financial resilience.
How does reconciliation work, and who owns it? This is the Synapse question. Ask any prospective BaaS provider how sub-account balances are maintained, how frequently they are reconciled against the bank's master ledger, and what happens to those records in the event of the provider's insolvency. If the answer is vague or deferred to the bank, that is a structural warning sign. The reconciliation architecture is not a technical detail — it is the core safety property of the entire arrangement.
What is the provider's regulatory track record? Evolve Bank & Trust, one of the major BaaS-aligned community banks in the US, received a cease-and-desist order from the Federal Reserve in June 2024 relating to its fintech partnership risk management and BSA/AML programme — contemporaneous with the Synapse collapse but addressing broader weaknesses in how the bank oversaw its fintech relationships, not solely the Synapse situation. Regulatory actions against partner banks or middleware providers are public and searchable. Check the OCC enforcement actions database, the FDIC's enforcement decisions, and equivalent FCA and PRA registers in the UK before committing.
Do the unit economics work at your projected volume? BaaS providers typically charge a platform fee (monthly or per-account), pass-through transaction fees from the partner bank, and in some cases take a share of interchange. The interchange split — how much of the uncapped debit interchange actually flows to the software business versus the middleware and the bank — varies significantly. Modelling the unit economics at low, medium, and high volume scenarios before signing is not optional; the margin difference between providers at scale can be several basis points per transaction, which at millions of transactions per month is the difference between a profitable product and a loss-making one.
BaaS is distinct from building on cloud-native core banking infrastructure: BaaS abstracts the bank relationship entirely, whereas core banking migration involves the bank itself modernising its own systems. The two paths serve different builders.
For software businesses evaluating BaaS, the compliance layer — specifically KYC, KYB, and AML — deserves particular scrutiny. BaaS providers vary in how much of this they genuinely handle versus how much they configure and delegate back to the fintech. Understand exactly where your compliance obligations begin.
Where BaaS Is Heading
The regulatory direction is clear: fewer intermediaries, stronger contracts, and explicit audit rights at every layer of the stack.
The OCC, FDIC, and Federal Reserve issued joint guidance on third-party risk management in June 2023, which — while not BaaS-specific — directly addressed the obligations of chartered banks when entering into relationships with fintech partners. The guidance requires banks to conduct due diligence on third parties commensurate with the risk, to maintain ongoing monitoring, and to ensure they can access the records and systems of third-party providers during a failure scenario. Banks that cannot demonstrate compliance with this guidance now face meaningful supervisory risk, which is filtering through to the contracts they will sign with middleware providers.
In the UK, the FCA's supervisory approach to EMIs has tightened following several instances of safeguarding failures. The FCA's supervisory approach to EMI safeguarding has been tightening, with enhanced expectations around audit evidence and the quality of segregated account arrangements. The direction is the same as the US: closer supervision of the chain, not just the licence holder at the top.
For builders, this means BaaS is not getting simpler. The abstraction layer is becoming more contractually complex even as the APIs remain developer-friendly. Providers that can demonstrate genuine control over their reconciliation infrastructure, robust audit trails, and regulatory relationships built on transparency — rather than structural opacity — will be better positioned than those whose model depended on light-touch oversight of the middleware layer.
BaaS worked. It built an enormous amount of fintech infrastructure that would not otherwise exist. The question going forward is not whether the model survives — it will — but which providers have built the middle layer with sufficient rigour to survive the scrutiny that the Synapse collapse made inevitable.
Sources and methodology: This article draws on public regulatory guidance from the OCC, FDIC, and Federal Reserve joint third-party risk management guidance (June 2023); FCA Electronic Money Regulations documentation and supervisory publications; published reporting on the Synapse Financial Technologies Chapter 11 bankruptcy proceedings (April 2024); Federal Reserve enforcement action against Evolve Bank & Trust (2024); and publicly available product documentation from named BaaS providers. No proprietary data or unpublished sources are cited.
Frequently asked questions
What is the difference between a BaaS provider and a bank?
A BaaS provider is typically a middleware platform — it provides the APIs, compliance tooling, and developer infrastructure that sit between a chartered bank and the software business building a financial product. The chartered bank is the entity that actually holds the banking licence, accepts deposits in the legal sense, and carries deposit insurance such as FDIC or FSCS protection. Most companies marketing themselves as BaaS providers are not banks; they are API wrappers around banks, which means the bank relationship and its regulatory protections remain one layer removed from the developer.
Is BaaS regulated?
The chartered bank at the base of any BaaS arrangement is regulated as a bank — subject to the OCC, FDIC, and Federal Reserve in the US, or the PRA and FCA in the UK. The middleware platform itself is generally not a regulated entity in its own right, though it operates under the bank's oversight and must comply with the bank's third-party risk management requirements. In Europe and the UK, some BaaS-adjacent providers operate under Electronic Money Institution (EMI) licences from the FCA or national competent authorities, which carry their own regulatory obligations around safeguarding customer funds.
What went wrong with Synapse?
Synapse Financial Technologies was a middleware platform that connected several US community banks to dozens of fintech apps. When it filed for Chapter 11 in April 2024, the reconciliation records that matched customer-level balances to the partner banks' master ledgers became inaccessible or disputed. The CFPB later described an estimated shortfall of between $60 million and $90 million, and customers lost access to funds for weeks or months even though the partner banks themselves remained solvent. The collapse exposed the structural risk of relying on the middleware layer to own the reconciliation function.
Which BaaS providers operate in the UK and Europe?
In Europe and the UK, notable BaaS-adjacent providers include Swan (France, EMI-authorised), Solaris (Germany, holds a full banking licence), Weavr (UK, EMI-authorised), and Railsr (formerly Railsbank, UK, which went through a distressed acquisition in 2023 before stabilising). Stripe Treasury operates in the EU and UK through local regulatory structures. Each operates under different licence types — full banking licences, EMI authorisations, or payment institution licences — which determines the precise nature of customer protection in the event of a failure.
What does it cost to build on BaaS?
BaaS pricing typically combines a platform fee (charged monthly or per account), pass-through transaction fees from the partner bank (for ACH, wire, card network fees), and in many cases a share of interchange revenue that the provider retains. The interchange split — how much of the debit interchange actually flows to the software business — varies significantly between providers and is often negotiable at volume. Compliance costs, including KYC and KYB verification fees passed through from identity providers, add further variable cost. Total unit economics depend heavily on projected transaction volume and average spend per account; the model should be stress-tested at low, medium, and high volume before committing to a provider.