Banking as a service

Last updated January 07, 2026

Banking as a service (BaaS) is the provision of banking products (such as deposit accounts, loans and credit cards) to customers through non-bank or non-financial third party partnerships. The bank provides the balance sheet management, including capital, liquidity and credit risk management, while the partner company (typically a fintech) interacts directly with the customer via their proprietary app, often accessing the bank's systems and data via APIs.

API-based stack

Skinner suggested a 3-layer representation of the BaaS stack.^[1] In this stack, the underlying infrastructure-as-a-service is provided by a traditional, licensed and regulated bank. Above this bank would be the centralized middleware layer that Skinner refers to as "bank as a service". Added on to the bank as a service is a group of decomposed banking services consisting of an ecosystem of fintech startups and service providers.

With this technology, based on the BaaS-platform, it is possible to create fintech banks, which could improve banking processes and provide increased convenience for banking clients. In such a constellation, fintech banks are enabled to compete directly with banks by offering core-banking services without having to build all the products that would be needed. The API-based bank as a service platform serves as the back-end that hosts standalone independent fintech startups and integrates seamlessly with any existing back-office of traditional banks. This allows non-banks to cost-effectively launch additional financial products and expand into additional markets.^[1]

Potential consequence

The consequence of having a decomposed stack is that there are multiple ways that the customer's front-end could be presented. One way would allow the BaaP provider to appear directly as a bank to its customers. This necessitates the provision of a front-end user interface to the end-customers including user authentication and other features. The bank would appear as any other online bank where all banking services are presented and seamlessly integrated in a single user interface. Another option is that the bank will operate as a white label bank, which will then have a software as a service provider on top of the partner operating as the front-end to the end-customer.

Integrated BaaS structure vs. single service offering

A single service provider is at a greater risk of failure than a provider that offers a larger portfolio of services. Using an integrated BaaS structure efficiently provides an end-to-end value proposition that frees the service provider from having to develop all the needed peripheral services, including authentication and other security services. Those who adopt the BaaS structure are able to provide a higher level of trust than a smaller provider might do.^[2]

Regulations

Banking is a highly regulated industry throughout the world and online banks utilizing BaaS are no exception.

Europe

In Europe, BaaS for fintechs is overseen by the Payment Services Directive (PSD, 2007/64/EC) and its 2nd amendment (PSD2) that was adopted in November 2015.^[3] Banking licenses are overseen by competent national authorities in accordance to Directive 2013/36/EU and Article 14 of Regulation (EU) No 1024/2013.^[4] The eIDAS regulation provides requirements for authentication and electronic identification and trust services for electronic transactions throughout the entire end-to-end process.^[5] Additional oversight for financial and insurance transactions are provided through Directive 2004/39/EC ^[6] and Directive 2016/97/EU.^[7]

United States

In the United States, banks are highly regulated at both the state and federal levels. Regulators have issued supervisory guidance on arrangements with third-parties. A number of enforcement actions have been issued against banks involved in BaaS.

A major failure of BaaS provider Synapse led to significant loss of customer funds.

Brazil

In Brazil, BaaS is regulated by the Brazilian Central Bank within the rules of a Payment Institution.^[8] The best known BaaS' fintechs providers in Brazil are Matera, Zoop, Dock, and S3 Bank.^[9]

India

In India, BaaS is regulated by the Reserve Bank of India (RBI). On Nov 7, 2023 RBI published Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices with an objective to tighten the governance framework for technology within banking segment. The Master Direction has been in effect since April 1, 2024.^[10]

References

1 2 Skinner, Chris. "Overview of APIs and Bank-as-a-Service in FinTech" (PDF). ASAP Agency Moscow. Archived from the original (PDF) on 24 February 2024. Retrieved 16 January 2017.
↑ Skinner, Chris (September 7, 2014). Digital Bank: Strategies to Launch or Become a Digital Bank. Singapore: Marshall Cavendish International (Asia) Pte Ltd. ISBN 978-9814516464.
↑ The European Parliament and the Council. "Directive (EU) 2015/2366 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC". Official Journal of the European Union. Retrieved 17 January 2017.
↑ The European Parliament and the Council. "Directive 2013/36/EU on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC". Official Journal of the European Union. Retrieved 17 January 2017.
↑ Turner, Dawn M. "Understanding eIDAS". Cryptomathic. Retrieved 17 January 2017.
↑ Commission of the European Communities. "Commission Directive implementing Directive 2004/39/EC of the European Parliament and of the Council as regards organisational requirements and operating conditions for investment firms, and defined terms for the purposes of that Directive" (PDF). European Commission. Retrieved 17 January 2017.
↑ The European Parliament and the Council. "Directive (EU) 2016/97 on insurance distribution (recast)". EUR-Lex. Retrieved 17 January 2017.
↑ bcb.gov.br/ O que é instituição de pagamento?
↑ globallegalchronicle.com/ Banco BV’s Investment in S3 Bank
↑ Team, FinStack. "RBI Compliant Loan Origination System". FinStack. Retrieved 2025-09-22.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[Skinner-Baap-1] 1 2 Skinner, Chris. "Overview of APIs and Bank-as-a-Service in FinTech" (PDF). ASAP Agency Moscow. Archived from the original (PDF) on 24 February 2024. Retrieved 16 January 2017.

[Skinner_Book_Digital_Banking-2] Skinner, Chris (September 7, 2014). Digital Bank: Strategies to Launch or Become a Digital Bank. Singapore: Marshall Cavendish International (Asia) Pte Ltd. ISBN 978-9814516464.

[EU-PSD2-regulation-3] The European Parliament and the Council. "Directive (EU) 2015/2366 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC". Official Journal of the European Union. Retrieved 17 January 2017.

[DIRECTIVE_2013/36/EU-4] The European Parliament and the Council. "Directive 2013/36/EU on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC". Official Journal of the European Union. Retrieved 17 January 2017.

[Turner-eIDAS-5] Turner, Dawn M. "Understanding eIDAS". Cryptomathic. Retrieved 17 January 2017.

[Directive_2004/39/EC-6] Commission of the European Communities. "Commission Directive implementing Directive 2004/39/EC of the European Parliament and of the Council as regards organisational requirements and operating conditions for investment firms, and defined terms for the purposes of that Directive" (PDF). European Commission. Retrieved 17 January 2017.

[DIRECTIVE_(EU)_2016/97-7] The European Parliament and the Council. "Directive (EU) 2016/97 on insurance distribution (recast)". EUR-Lex. Retrieved 17 January 2017.

[8] .gov.br/ O que é instituição de pagamento?

[9] ronicle.com/ Banco BV’s Investment in S3 Bank

[10] Team, FinStack. "RBI Compliant Loan Origination System". FinStack. Retrieved 2025-09-22.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

v t e General areas of finance
Alternative Investments	Alternative investment Angel investor Super angel
Assets, Capital & Structure	Asset Asset allocation Asset growth Capital asset Capital management Capital structure Cost of capital Debt Disinvestment Diversification (finance) Divestment Position of trust
Markets & Trading	Bond (finance) Bull (stock market speculator) Exchange-traded fund Government bond Growth stock Growth investing Hedge (finance) Market risk Over-the-counter Risk–return spectrum Speculation Stock Stock exchange Stockbroker Swap (finance) Systematic risk Toxic asset Too big to fail Watered stock
Corporate Finance & Banking	Corporate finance Enterprise risk management Financial management History of banking History of money Investment banking Pension fund Personal finance Public finance Strategic financial management
Sustainable & Impact Finance	Climate finance Eco-investing Environmental finance ESG Impact investing Social finance Sustainability Sustainable Development Goals Sustainable finance
Quantitative & Mathematical Finance	Computational finance Experimental finance Mathematical finance Quantum finance Statistical finance Financial technology
Finance Theory & Behaviour	Behavioural finance Fundamental analysis Greater fool theory International finance Investment advisory Investment management Investment performance Investor profile
Financial Fields (subtopics)	Financial analysis analyst asset crime deepening economics engineering inclusion institutions management market plan planner regulation risk services social work system
Valuation	Valuation using discounted cash flows

v t e Privacy
Principles	Right of access to personal data Expectation of privacy Right to privacy Right to be forgotten Post-mortem privacy
Privacy laws	Australia Brazil Canada China Denmark England European Union Germany Ghana New Zealand Russia Singapore Sri Lanka Switzerland United Kingdom United States California, amended in 2020
Data protection authorities	Australia Denmark European Union France Germany India Indonesia Ireland Isle of Man Netherlands Norway Philippines Poland South Korea Spain Sweden Switzerland Thailand Turkey United Kingdom
Areas	Consumer Digital Education Medical Workplace
Information privacy	Automotive Law Financial Internet Facebook Google Twitter Email Personal data Personal identifier Social networking services Privacy-enhancing technologies Privacy engineering Privacy-invasive software Privacy policy Privacy software Secret ballot Virtual assistant privacy
Advocacy organizations	American Civil Liberties Union Center for Democracy and Technology Computer Professionals for Social Responsibility Data Privacy Lab Electronic Frontier Foundation Electronic Privacy Information Center European Digital Rights Future of Privacy Forum Global Network Initiative International Association of Privacy Professionals NOYB Privacy International
See also	Anonymity Cellphone surveillance Data security Eavesdropping Global surveillance Identity theft Mass surveillance Panopticon PRISM Search warrant Wiretapping Human rights Personality rights
Category