May 16, 2025
California Consent Order Signals State-Level Shift in BaaS Oversight
A recent enforcement action issued by a state regulator could mark a pivotal moment in how banking-as-a-service (BaaS) models are monitored and governed. The California Department of Financial Protection and Innovation (DFPI) has released a consent order requiring a regional bank to address deficiencies in its anti-money laundering (AML) and Bank Secrecy Act (BSA) compliance — an action that may signal growing state interest in directly regulating financial infrastructure supporting FinTech partnerships.

While federal regulators have traditionally led the charge on BaaS enforcement, this order — issued independently by a state agency — suggests a broader trend may be emerging. In states like California and New York, where digital finance activity is highly concentrated, local regulators could begin asserting more direct authority over the compliance frameworks that support these fast-evolving financial ecosystems.

BaaS Under Pressure

BaaS models have become attractive to both banks and FinTechs for their scalability and efficiency. These partnerships allow FinTech companies to offer banking products without holding charters themselves, relying on banks to handle the regulatory heavy lifting. But the rapid growth of these relationships has outpaced many banks’ compliance infrastructure, creating risk exposure that regulators are increasingly unwilling to ignore.

Over the past 18 months, several sponsor banks have received consent orders — mostly from federal agencies — requiring them to strengthen their oversight of FinTech partners. The core concern: fragmented responsibilities in areas like customer onboarding, transaction monitoring, and fraud prevention.

A New Chapter in Oversight

What makes the California action stand out is not just its content, but its source. State-led enforcement could represent a shift in the regulatory dynamic, particularly in jurisdictions that want to take a more active role in protecting consumers and ensuring financial stability in the digital finance space.

The bank at the center of the order had rebranded and repositioned itself in recent years to focus on serving FinTechs as a modern infrastructure provider. Its consent order highlights the growing complexity of overseeing third-party partners and the need for more robust internal controls.

According to the order, the bank must overhaul its risk management framework to reflect the operational realities of its BaaS model — including more thorough assessments of customer activity, partner types, transaction patterns, and geographic exposure. It must also conduct ongoing reviews of vendors handling key compliance functions and obtain state approval before expanding into new lines of business.

A Broader Moment for Compliance Strategy

This enforcement action comes as financial institutions and regulators alike recognize that compliance can no longer be treated as an afterthought or a box-checking exercise. In a landscape where banks act as platforms for third-party providers, oversight must evolve to match the complexity of those relationships.

The implications go beyond one institution. For BaaS banks across the country, this may be a signal that state regulators are becoming more assertive — and that a patchwork of oversight may emerge alongside federal rules.

As regulators sharpen their focus, sponsor banks must be prepared to adapt. Institutions that invest in scalable, transparent compliance systems — particularly around BSA and AML functions — will be better positioned to meet evolving expectations. Those that don’t may find themselves facing not just federal scrutiny, but increasing pressure from the states as well.

Ultimately, the lesson is clear: the future of BaaS success depends on robust compliance, comprehensive partner oversight, and a readiness to navigate a multi-layered regulatory environment.
