Feature Third-Party Risk
The BaaS Consent Order Playbook: What 10+ Enforcement Actions Reveal About TPRM Minimum Standards
From Cross River to Evolve, regulators have now issued consent orders against at least 10 BaaS-focused banks across three different agencies. The pattern is consistent enough to define TPRM minimum standards for any bank running a fintech partnership program — and what fintechs must build before their next sponsor bank due diligence review.
Table of Contents
TL;DR:
- At least 10 BaaS-focused banks have received consent orders since 2023. The enforcement wave covers FDIC, OCC, and Federal Reserve — meaning this is coordinated supervisory consensus, not a single agency’s focus.
- The deficiency pattern across orders is consistent enough to define the TPRM minimum standard for any bank running a fintech partnership program.
- Seven requirements appear in virtually every order: board governance, BSA/AML coverage for fintech customers, pre-onboarding due diligence, ongoing monitoring beyond annual reviews, fourth-party risk mapping, capital adequacy planning, and a new-partner approval gate.
- For fintechs, the direct consequence is that your bank partner’s TPRM program is now a regulatory exam item — and their ability to pass that exam depends on what you can document about your own compliance program.
A Signal, Then a Pattern, Now a Playbook
In April 2023, the FDIC issued a consent order against Cross River Bank — one of the most prominent BaaS lenders in the U.S., with fintech partnerships across lending, payments, and embedded finance. The order cited deficiencies in Cross River’s fair lending program and third-party risk management, required FDIC approval before any new fintech relationship, and mandated comprehensive due diligence and monitoring enhancements.
At the time, it felt like a signal. Within 18 months, it was clearly a pattern.
| Bank | Regulator | Date | Primary Issues |
|---|---|---|---|
| Blue Ridge Bank | OCC | 2023 | BSA/AML program, BaaS governance, “troubled condition” designation |
| Cross River Bank | FDIC | April 2023 | Fair lending, TPRM deficiencies, new-partner approval gate |
| Lineage Bank | FDIC | January 2024 | Enhanced risk management, capital increases, fintech offboarding |
| Piermont Bank | FDIC | February 2024 | Board oversight, AML/CTF, internal controls |
| Sutton Bank | FDIC | 2024 | BaaS partnerships, AML deficiencies |
| Evolve Bank & Trust | Federal Reserve | June 2024 | BSA/AML, OFAC, consumer compliance, new-partner freeze |
Blue Ridge has since exited its consent order after completing remediation. The others remain in various stages of compliance. Evolve’s June 2024 cease and desist from the Federal Reserve is among the most extensive — issued weeks after the Synapse bankruptcy froze approximately $160 million in fintech customer funds and revealed significant ledger reconciliation failures across Evolve’s fintech partner relationships.
The enforcement wave has not peaked. The OCC, FDIC, and Federal Reserve issued joint interagency guidance on bank-fintech arrangements in November 2024 that sets examination expectations across the industry — not just for banks currently under order. The running list of BaaS banks with enforcement actions continued to grow through 2024 and into 2025.
The Seven Deficiencies That Appear in Every Order
Reading across these enforcement actions, seven deficiency categories appear with enough consistency to define the minimum TPRM standard that regulators now expect of any bank operating a fintech partnership program.
1. Board Governance and Risk Appetite
Every order cites inadequate board oversight — not inadequate management decisions, but the board’s oversight of management’s BaaS strategy.
Boards were approving BaaS growth without:
- Receiving adequate reporting on individual fintech partner risk profiles
- Reviewing and approving written TPRM policies that explicitly covered fintech partnerships
- Establishing risk appetite limits on BaaS portfolio concentration or aggregate risk exposure
The remediation requirement in virtually every order: the board must approve a formal BaaS/TPRM policy, receive aggregate fintech partner risk reporting on a defined cadence (typically quarterly), and document its oversight function in board meeting minutes.
2. BSA/AML Coverage for Fintech-Sourced Customer Populations
This is the dominant operational finding across all enforcement actions. Banks had fintech partners onboarding customers and running transactions through the bank’s infrastructure, but the bank’s BSA/AML program was calibrated for the bank’s direct customer base — not for the risk profile of fintech-sourced accounts.
Specific findings that recur across orders:
- Transaction monitoring rules built for the bank’s own customer transaction patterns, missing the profile of fintech customers (faster payments, higher volumes, different counterparty sets)
- SAR decision-making processes that failed to adequately capture fintech-sourced account activity
- OFAC screening that didn’t extend fully to fintech customer transactions
- CIP documentation gaps for customers onboarded by fintech partners
In Evolve’s cease and desist, the Federal Reserve explicitly called out BSA/AML and OFAC compliance deficiencies as central to the enforcement action, alongside consumer compliance failures spanning multiple fintech partnerships.
3. Pre-Onboarding Due Diligence
Regulators found that banks onboarded fintech partners without thorough risk assessments of those partners’ compliance programs, financial condition, or operational capability.
The consent orders require retroactive due diligence on existing partners and comprehensive prospective due diligence on all new ones. Based on the 2023 Interagency TPRM Guidance (OCC Bulletin 2023-17) and the consent orders together, “comprehensive” now means:
- Financial condition: Audited financials, capital adequacy, investor backing, unit economics, funding runway
- BSA/AML program: Written program documentation, staffing, independent testing results, SAR filing history
- Consumer compliance: Complaint history, regulatory and enforcement history, policy documentation, disclosure accuracy
- Operational capability: Sub-vendor dependencies, technology reliability, customer service capacity, data handling
- Business model sustainability: Product concentration, customer concentration, revenue model, funding risk
4. Ongoing Monitoring — At Intervals More Frequent Than Annual
Most TPRM programs are structured around annual due diligence cycles. Every consent order found this insufficient for active, high-risk fintech partnerships.
What regulators now expect in ongoing monitoring:
- Monthly or quarterly financial condition reviews for critical fintech partners
- Transaction-level monitoring of fintech-sourced customer activity — not a portfolio summary once a year
- Quarterly performance reporting from fintech partners covering compliance incidents, complaint volumes, and any examination or audit findings
- Defined incident notification windows: fintechs must notify the bank of material incidents, regulatory inquiries, significant customer complaints, or critical sub-vendor changes within 24–72 hours
This is the requirement that most directly changes the fintech-bank relationship. If your bank partner is under a consent order — or under heightened examination expectations on BaaS — expect materially increased monitoring cadence: more frequent reporting, shorter notification windows, and more documentation demands are now the regulatory floor.
5. Fourth-Party Risk Management
Banks were expected to know not just who their fintech partners were, but who the fintech partners’ critical vendors were. The Synapse bankruptcy illustrated this at scale: Synapse was a middleware provider operating between multiple BaaS banks and multiple fintechs. When Synapse filed Chapter 11, the banks’ customer and financial exposure crystallized through a sub-vendor relationship they hadn’t fully mapped or stress-tested.
Post-enforcement fourth-party requirements include:
- Identification of critical sub-vendors for each fintech partner (cloud infrastructure, payment processors, identity verification vendors, middleware platforms)
- Documentation of the bank’s customer and financial exposure if a critical sub-vendor fails or becomes unavailable
- Contractual requirements that fintech partners notify the bank of critical sub-vendor changes before those changes take effect
- Business continuity assessment for significant sub-vendor outage scenarios
We covered the mechanics of fourth-party risk mapping and monitoring in Fourth-Party Risk: When Your Vendor’s Vendor Becomes Your Problem.
6. Capital Adequacy Planning
Several consent orders included explicit requirements to maintain additional capital specifically to support BaaS activity. Lineage Bank’s order required both enhanced risk management and capital level increases tied to its fintech portfolio concentration.
The underlying logic: BaaS activity generates contingent liabilities — potential fraud losses, regulatory remediation costs, customer restitution obligations — that require capital reserve backing commensurate with the risk profile of the fintech customer base. Banks that grew BaaS programs without scaling capital alongside were operating with buffers that didn’t reflect their actual exposure.
For banks building BaaS programs today, capital planning must explicitly account for fintech partner risk — and that calculation should be reviewed and board-approved at least annually.
7. New-Partner Approval Gating
Every consent order that restricted future BaaS activity included some form of approval gate for new fintech partnerships — ranging from internal committee approval (risk committee, board) to external regulator pre-approval.
Cross River cannot enter new fintech relationships without FDIC approval. Evolve cannot add new partners without Federal Reserve approval. For banks not currently under formal orders, examiners have begun expecting documented committee approval processes before new fintech partners are onboarded at all.
For fintechs seeking new banking relationships, the practical consequence: longer due diligence timelines (three to six months is now common for banks actively managing BaaS risk), significantly more documentation requirements upfront, and more touchpoints with the bank’s compliance team before any onboarding decision.
What This Means for Fintechs
The consent orders were issued against banks, not fintechs. But the requirements flow directly downstream.
Your bank partner’s TPRM program is now a regulatory exam item. The examiner reviewing your bank’s BaaS program is, in effect, evaluating your compliance program through your bank’s lens. The documentation your bank needs to satisfy their examination — your BSA/AML program, consumer compliance policies, complaint data, sub-vendor inventory — is documentation you need to be able to produce on short notice.
The documentation your bank partner now needs from you:
- Current, board-approved BSA/AML written program with independent testing results
- Consumer complaint management policy and quarterly complaint volume data
- Material incident and regulatory action disclosure log (including any state AG or federal regulatory contacts)
- Critical vendor and sub-vendor inventory covering your key operational dependencies
- Business continuity and disaster recovery documentation
- Evidence of board-level compliance oversight — risk committee charters and board meeting minutes showing compliance is a standing agenda item
Monitoring cadence has permanently increased. Banks that have been through examinations or received orders have rebuilt their monitoring programs to quarterly cycles with shorter notification windows. Annual reviews have become quarterly check-ins. Informal relationships have become documented request-and-response processes with evidence trails.
The fintechs that move through this environment most smoothly are the ones that have already built what the bank needs to demonstrate — before the bank has to ask. For a systematic framework covering the vendor lifecycle from onboarding through exit planning, the Third-Party Risk Management (TPRM) Kit provides the due diligence questionnaire templates, ongoing monitoring framework, risk tiering methodology, and documentation structure.
So What? The Minimum Standard Is Now Documented
The BaaS enforcement wave has produced something practically valuable: a detailed, multi-agency, multi-institution definition of what adequate third-party risk management looks like for fintech-bank partnerships.
You don’t need to guess what regulators expect. They’ve told you — across six consent orders, two interagency guidance documents, and an examination focus that’s visible in findings across the industry.
The minimum TPRM standard for BaaS activity:
- Board-approved policy with documented risk appetite for BaaS concentration
- Comprehensive pre-onboarding due diligence covering BSA/AML, consumer compliance, financial condition, and operational capability
- Ongoing monitoring at quarterly intervals for critical partners — not annual reviews
- BSA/AML program coverage specifically designed for fintech-sourced customer populations
- Fourth-party risk mapping with contractual incident notification requirements
- Capital planning that reflects fintech portfolio contingent liabilities
- New-partner approval gating with documented review rationale
For the complete vendor lifecycle framework — from onboarding through offboarding — see our post on Vendor Risk Management: The Complete Process. For the exit planning component that regulators are now explicitly requiring, see Critical Vendor Exit Planning: How to Build a Wind-Down Strategy Before You Need One.
Sources: Federal Reserve enforcement action against Evolve Bancorp, June 2024; Banking Dive — Running list of BaaS banks with consent orders, 2024; OCC Bulletin 2023-17 — Third-Party Risk Management Interagency Guidance; Banking Dive — Lineage Bank FDIC consent order
◆ Need the working template?
Start with the source guide.
These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.
◆ Related template
Third-Party Risk Management (TPRM) Kit
Complete vendor risk management lifecycle from initial due diligence to ongoing oversight.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
Which BaaS banks have received consent orders since 2023?
What were the most common deficiencies cited across BaaS consent orders?
What does a consent order against my bank partner mean for my fintech?
What specific TPRM program elements did the consent orders require?
As a fintech, what documentation does my bank partner now need from me because of the enforcement wave?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
Third-Party Risk Management (TPRM) Kit
Complete vendor risk management lifecycle from initial due diligence to ongoing oversight.
◆ Keep reading
Related posts.
Third-Party Risk
The Marquis Software Breach: What 80 Banks and Credit Unions Need to Learn About Vendor Concentration Risk
In August 2025, Akira ransomware hit Marquis Software Solutions through an unpatched SonicWall firewall. By the time breach notifications went out—over two months later—80 banks and credit unions had been exposed, 824,000 consumers' data was compromised, and a ransom had reportedly been paid. Here's what your third-party risk program should take from it.
Jul 7, 2026
Third-Party Risk
AI Foundation Model Concentration Risk: When Your Entire AI Stack Depends on Three Vendors
The Cambridge Centre for Alternative Finance's 2026 report found 76% of financial institutions rely on OpenAI, 57% on Google, and 35% on Anthropic — while 63% build on external models rather than their own. Under OCC 2023-17 and DORA, that's not just an AI strategy question. It's a third-party concentration risk your TPRM program probably isn't mapped to address.
Jul 5, 2026
Third-Party Risk
Vendor Financial Health Monitoring: The Early Warning Program OCC 2023-17 Expects for Critical Third Parties
OCC 2023-17's ongoing monitoring phase requires active financial health surveillance for critical third-party vendors — but most institutions treat it as an annual renewal checkbox. Here's what a defensible early warning program looks like, what warning signs to track, and what the Synapse collapse demonstrated about gaps in current practice.
Jul 3, 2026