Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Third-Party Risk

The BaaS Consent Order Playbook: What 10+ Enforcement Actions Reveal About TPRM Minimum Standards

From Cross River to Evolve, regulators have now issued consent orders against at least 10 BaaS-focused banks across three different agencies. The pattern is consistent enough to define TPRM minimum standards for any bank running a fintech partnership program — and what fintechs must build before their next sponsor bank due diligence review.

By Rebecca Leung · June 6, 2026 ·
Table of Contents

TL;DR:

  • At least 10 BaaS-focused banks have received consent orders since 2023. The enforcement wave covers FDIC, OCC, and Federal Reserve — meaning this is coordinated supervisory consensus, not a single agency’s focus.
  • The deficiency pattern across orders is consistent enough to define the TPRM minimum standard for any bank running a fintech partnership program.
  • Seven requirements appear in virtually every order: board governance, BSA/AML coverage for fintech customers, pre-onboarding due diligence, ongoing monitoring beyond annual reviews, fourth-party risk mapping, capital adequacy planning, and a new-partner approval gate.
  • For fintechs, the direct consequence is that your bank partner’s TPRM program is now a regulatory exam item — and their ability to pass that exam depends on what you can document about your own compliance program.

A Signal, Then a Pattern, Now a Playbook

In April 2023, the FDIC issued a consent order against Cross River Bank — one of the most prominent BaaS lenders in the U.S., with fintech partnerships across lending, payments, and embedded finance. The order cited deficiencies in Cross River’s fair lending program and third-party risk management, required FDIC approval before any new fintech relationship, and mandated comprehensive due diligence and monitoring enhancements.

At the time, it felt like a signal. Within 18 months, it was clearly a pattern.

BankRegulatorDatePrimary Issues
Blue Ridge BankOCC2023BSA/AML program, BaaS governance, “troubled condition” designation
Cross River BankFDICApril 2023Fair lending, TPRM deficiencies, new-partner approval gate
Lineage BankFDICJanuary 2024Enhanced risk management, capital increases, fintech offboarding
Piermont BankFDICFebruary 2024Board oversight, AML/CTF, internal controls
Sutton BankFDIC2024BaaS partnerships, AML deficiencies
Evolve Bank & TrustFederal ReserveJune 2024BSA/AML, OFAC, consumer compliance, new-partner freeze

Blue Ridge has since exited its consent order after completing remediation. The others remain in various stages of compliance. Evolve’s June 2024 cease and desist from the Federal Reserve is among the most extensive — issued weeks after the Synapse bankruptcy froze approximately $160 million in fintech customer funds and revealed significant ledger reconciliation failures across Evolve’s fintech partner relationships.

The enforcement wave has not peaked. The OCC, FDIC, and Federal Reserve issued joint interagency guidance on bank-fintech arrangements in November 2024 that sets examination expectations across the industry — not just for banks currently under order. The running list of BaaS banks with enforcement actions continued to grow through 2024 and into 2025.

The Seven Deficiencies That Appear in Every Order

Reading across these enforcement actions, seven deficiency categories appear with enough consistency to define the minimum TPRM standard that regulators now expect of any bank operating a fintech partnership program.

1. Board Governance and Risk Appetite

Every order cites inadequate board oversight — not inadequate management decisions, but the board’s oversight of management’s BaaS strategy.

Boards were approving BaaS growth without:

  • Receiving adequate reporting on individual fintech partner risk profiles
  • Reviewing and approving written TPRM policies that explicitly covered fintech partnerships
  • Establishing risk appetite limits on BaaS portfolio concentration or aggregate risk exposure

The remediation requirement in virtually every order: the board must approve a formal BaaS/TPRM policy, receive aggregate fintech partner risk reporting on a defined cadence (typically quarterly), and document its oversight function in board meeting minutes.

2. BSA/AML Coverage for Fintech-Sourced Customer Populations

This is the dominant operational finding across all enforcement actions. Banks had fintech partners onboarding customers and running transactions through the bank’s infrastructure, but the bank’s BSA/AML program was calibrated for the bank’s direct customer base — not for the risk profile of fintech-sourced accounts.

Specific findings that recur across orders:

  • Transaction monitoring rules built for the bank’s own customer transaction patterns, missing the profile of fintech customers (faster payments, higher volumes, different counterparty sets)
  • SAR decision-making processes that failed to adequately capture fintech-sourced account activity
  • OFAC screening that didn’t extend fully to fintech customer transactions
  • CIP documentation gaps for customers onboarded by fintech partners

In Evolve’s cease and desist, the Federal Reserve explicitly called out BSA/AML and OFAC compliance deficiencies as central to the enforcement action, alongside consumer compliance failures spanning multiple fintech partnerships.

3. Pre-Onboarding Due Diligence

Regulators found that banks onboarded fintech partners without thorough risk assessments of those partners’ compliance programs, financial condition, or operational capability.

The consent orders require retroactive due diligence on existing partners and comprehensive prospective due diligence on all new ones. Based on the 2023 Interagency TPRM Guidance (OCC Bulletin 2023-17) and the consent orders together, “comprehensive” now means:

  • Financial condition: Audited financials, capital adequacy, investor backing, unit economics, funding runway
  • BSA/AML program: Written program documentation, staffing, independent testing results, SAR filing history
  • Consumer compliance: Complaint history, regulatory and enforcement history, policy documentation, disclosure accuracy
  • Operational capability: Sub-vendor dependencies, technology reliability, customer service capacity, data handling
  • Business model sustainability: Product concentration, customer concentration, revenue model, funding risk

4. Ongoing Monitoring — At Intervals More Frequent Than Annual

Most TPRM programs are structured around annual due diligence cycles. Every consent order found this insufficient for active, high-risk fintech partnerships.

What regulators now expect in ongoing monitoring:

  • Monthly or quarterly financial condition reviews for critical fintech partners
  • Transaction-level monitoring of fintech-sourced customer activity — not a portfolio summary once a year
  • Quarterly performance reporting from fintech partners covering compliance incidents, complaint volumes, and any examination or audit findings
  • Defined incident notification windows: fintechs must notify the bank of material incidents, regulatory inquiries, significant customer complaints, or critical sub-vendor changes within 24–72 hours

This is the requirement that most directly changes the fintech-bank relationship. If your bank partner is under a consent order — or under heightened examination expectations on BaaS — expect materially increased monitoring cadence: more frequent reporting, shorter notification windows, and more documentation demands are now the regulatory floor.

5. Fourth-Party Risk Management

Banks were expected to know not just who their fintech partners were, but who the fintech partners’ critical vendors were. The Synapse bankruptcy illustrated this at scale: Synapse was a middleware provider operating between multiple BaaS banks and multiple fintechs. When Synapse filed Chapter 11, the banks’ customer and financial exposure crystallized through a sub-vendor relationship they hadn’t fully mapped or stress-tested.

Post-enforcement fourth-party requirements include:

  • Identification of critical sub-vendors for each fintech partner (cloud infrastructure, payment processors, identity verification vendors, middleware platforms)
  • Documentation of the bank’s customer and financial exposure if a critical sub-vendor fails or becomes unavailable
  • Contractual requirements that fintech partners notify the bank of critical sub-vendor changes before those changes take effect
  • Business continuity assessment for significant sub-vendor outage scenarios

We covered the mechanics of fourth-party risk mapping and monitoring in Fourth-Party Risk: When Your Vendor’s Vendor Becomes Your Problem.

6. Capital Adequacy Planning

Several consent orders included explicit requirements to maintain additional capital specifically to support BaaS activity. Lineage Bank’s order required both enhanced risk management and capital level increases tied to its fintech portfolio concentration.

The underlying logic: BaaS activity generates contingent liabilities — potential fraud losses, regulatory remediation costs, customer restitution obligations — that require capital reserve backing commensurate with the risk profile of the fintech customer base. Banks that grew BaaS programs without scaling capital alongside were operating with buffers that didn’t reflect their actual exposure.

For banks building BaaS programs today, capital planning must explicitly account for fintech partner risk — and that calculation should be reviewed and board-approved at least annually.

7. New-Partner Approval Gating

Every consent order that restricted future BaaS activity included some form of approval gate for new fintech partnerships — ranging from internal committee approval (risk committee, board) to external regulator pre-approval.

Cross River cannot enter new fintech relationships without FDIC approval. Evolve cannot add new partners without Federal Reserve approval. For banks not currently under formal orders, examiners have begun expecting documented committee approval processes before new fintech partners are onboarded at all.

For fintechs seeking new banking relationships, the practical consequence: longer due diligence timelines (three to six months is now common for banks actively managing BaaS risk), significantly more documentation requirements upfront, and more touchpoints with the bank’s compliance team before any onboarding decision.

What This Means for Fintechs

The consent orders were issued against banks, not fintechs. But the requirements flow directly downstream.

Your bank partner’s TPRM program is now a regulatory exam item. The examiner reviewing your bank’s BaaS program is, in effect, evaluating your compliance program through your bank’s lens. The documentation your bank needs to satisfy their examination — your BSA/AML program, consumer compliance policies, complaint data, sub-vendor inventory — is documentation you need to be able to produce on short notice.

The documentation your bank partner now needs from you:

  • Current, board-approved BSA/AML written program with independent testing results
  • Consumer complaint management policy and quarterly complaint volume data
  • Material incident and regulatory action disclosure log (including any state AG or federal regulatory contacts)
  • Critical vendor and sub-vendor inventory covering your key operational dependencies
  • Business continuity and disaster recovery documentation
  • Evidence of board-level compliance oversight — risk committee charters and board meeting minutes showing compliance is a standing agenda item

Monitoring cadence has permanently increased. Banks that have been through examinations or received orders have rebuilt their monitoring programs to quarterly cycles with shorter notification windows. Annual reviews have become quarterly check-ins. Informal relationships have become documented request-and-response processes with evidence trails.

The fintechs that move through this environment most smoothly are the ones that have already built what the bank needs to demonstrate — before the bank has to ask. For a systematic framework covering the vendor lifecycle from onboarding through exit planning, the Third-Party Risk Management (TPRM) Kit provides the due diligence questionnaire templates, ongoing monitoring framework, risk tiering methodology, and documentation structure.

So What? The Minimum Standard Is Now Documented

The BaaS enforcement wave has produced something practically valuable: a detailed, multi-agency, multi-institution definition of what adequate third-party risk management looks like for fintech-bank partnerships.

You don’t need to guess what regulators expect. They’ve told you — across six consent orders, two interagency guidance documents, and an examination focus that’s visible in findings across the industry.

The minimum TPRM standard for BaaS activity:

  1. Board-approved policy with documented risk appetite for BaaS concentration
  2. Comprehensive pre-onboarding due diligence covering BSA/AML, consumer compliance, financial condition, and operational capability
  3. Ongoing monitoring at quarterly intervals for critical partners — not annual reviews
  4. BSA/AML program coverage specifically designed for fintech-sourced customer populations
  5. Fourth-party risk mapping with contractual incident notification requirements
  6. Capital planning that reflects fintech portfolio contingent liabilities
  7. New-partner approval gating with documented review rationale

For the complete vendor lifecycle framework — from onboarding through offboarding — see our post on Vendor Risk Management: The Complete Process. For the exit planning component that regulators are now explicitly requiring, see Critical Vendor Exit Planning: How to Build a Wind-Down Strategy Before You Need One.


Sources: Federal Reserve enforcement action against Evolve Bancorp, June 2024; Banking Dive — Running list of BaaS banks with consent orders, 2024; OCC Bulletin 2023-17 — Third-Party Risk Management Interagency Guidance; Banking Dive — Lineage Bank FDIC consent order

◆ Need the working template?

Start with the source guide.

These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

Which BaaS banks have received consent orders since 2023?
The list as of mid-2026 includes: Blue Ridge Bank (OCC, 2023 — since exited), Cross River Bank (FDIC, April 2023), Lineage Bank (FDIC, effective January 2024), Piermont Bank (FDIC, February 2024), Sutton Bank (FDIC, 2024), and Evolve Bank & Trust (Federal Reserve cease and desist, June 2024). The enforcement wave spans three different regulators — FDIC, OCC, and Federal Reserve — indicating coordinated supervisory consensus, not a single agency's preference.
What were the most common deficiencies cited across BaaS consent orders?
Three categories dominate: (1) BSA/AML program failures — transaction monitoring not calibrated for fintech customer profiles, SAR decision gaps, OFAC screening deficiencies; (2) TPRM program gaps — insufficient pre-onboarding due diligence, inadequate ongoing monitoring, missing documentation; (3) Board governance failures — boards approving BaaS growth without adequate information about fintech partner risk or explicit risk appetite limits. Nearly every order also cited capital planning deficiencies relative to BaaS portfolio risk.
What does a consent order against my bank partner mean for my fintech?
In most consent orders, the bank must get regulator approval before adding new fintech partners. Existing partnerships are reviewed and some are wound down. The bank's compliance team will materially increase oversight of active partners: more RFIs, shorter response windows, more documentation requests. In Evolve's case, the Federal Reserve cease and desist coincided with the Synapse bankruptcy — which froze approximately $160 million in customer funds — illustrating how a bank-level enforcement action can have immediate product-level consequences for fintechs.
What specific TPRM program elements did the consent orders require?
Seven requirements appear consistently: (1) Board-approved TPRM policy with defined risk appetite for BaaS activity; (2) Formal pre-onboarding due diligence covering BSA/AML, consumer compliance, financial condition, and operational capability; (3) Ongoing monitoring at more frequent intervals than annual reviews; (4) Comprehensive BSA/AML coverage for fintech-sourced customer populations; (5) Fourth-party risk mapping and incident notification requirements; (6) Capital adequacy planning for fintech portfolio risk; (7) Regulator or committee approval before onboarding new fintech partners.
As a fintech, what documentation does my bank partner now need from me because of the enforcement wave?
Bank partners subject to exam pressure on BaaS now need: a current board-approved BSA/AML written program with independent testing results; consumer complaint management policy and quarterly complaint data; a material incident and regulatory action disclosure log; a critical vendor and sub-vendor inventory; business continuity and DR documentation; and evidence of board-level compliance oversight such as risk committee charters and board meeting minutes where compliance is a standing agenda item.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

Third-Party Risk Management (TPRM) Kit

Complete vendor risk management lifecycle from initial due diligence to ongoing oversight.

◆ Keep reading

Related posts.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.