What the 2025 BaaS Consent Orders Actually Require from Fintech Partners
Three bank sponsors received consent orders in 2024 and 2025 with explicit provisions targeting fintech partner oversight. The orders did not just criticize the banks. They created specific compliance obligations that flow directly to every fintech operating on those platforms and, by regulatory extension, set the standard of care across the BaaS industry.
The Orders and What They Said
The consent orders issued to Blue Ridge Bank (OCC, 2023), Sutton Bank (FDIC, 2024), and Thread Bank (FDIC, 2025) each contained provisions on third-party risk management that were materially more specific than prior enforcement guidance. Where earlier guidance described general principles, these orders specified documentation requirements, board oversight obligations, and program-level controls that banks were required to implement for each fintech partner.
The common thread across all three: regulators determined that the banks had inadequate visibility into how fintech partners were operating consumer-facing programs, and that the banks' third-party risk management frameworks were not producing the oversight the agencies expected.
What the Orders Now Require at the Fintech Level
Bank sponsors subject to these orders and, increasingly, those operating under heightened regulator scrutiny are requiring fintech partners to produce documentation that was previously discretionary. The following are now effectively baseline requirements for any fintech seeking or maintaining a BaaS relationship:
- Written compliance program documentation covering BSA/AML, UDAAP, consumer complaint handling, and applicable product-specific regulations. Not a policy checklist. An actual program with written procedures, assigned owners, and evidence of operation.
- Third-party vendor risk documentation for every vendor in the fintech's stack that touches consumer data, payments, or credit decisions. SOC 2 reports, contract risk assessments, and incident response procedures for critical vendors.
- Consumer complaint tracking and reporting with documented escalation procedures, regulatory complaint monitoring (CFPB Consumer Complaint Database), and quarterly complaint trend reports deliverable to the bank sponsor on request.
- BSA/AML program that meets bank sponsor standards, not just FinCEN minimums. The bank is accountable for the fintech's AML program under its own Bank Secrecy Act obligations. Most bank sponsors are now requiring quarterly BSA/AML attestations and annual independent assessments.
- Board or senior management oversight documentation demonstrating that the fintech's leadership has reviewed and approved its compliance program. For early-stage companies, this means board minutes or written consents reflecting compliance program approval.
The Contractual Mechanism
Bank sponsors are transmitting these requirements through program agreements and annual compliance certifications. Fintechs that cannot produce the required documentation face two outcomes: delayed program launches while documentation is assembled under time pressure, or program suspension while the bank's compliance team escalates the gap to its examiner.
Neither outcome is recoverable quickly. Program launches delayed by compliance documentation gaps typically run three to six months longer than planned. Program suspensions create immediate consumer harm and regulatory reporting obligations.
The practical test: If your bank sponsor's compliance team asked for your BSA/AML program, your consumer complaint log, and your vendor risk register today, could you produce all three within 48 hours? If the answer is no, that is the gap.
What Has Not Changed
The consent orders did not change the underlying regulatory framework. They did not create new legal obligations that did not previously exist. What they did was demonstrate that regulators will enforce existing third-party risk management standards against bank sponsors, and that bank sponsors will in turn enforce those standards contractually against fintech partners.
Fintechs that built compliance programs to regulatory standard before the enforcement wave are discovering that their bank partner conversations are materially shorter and less contentious than those of competitors scrambling to assemble documentation retroactively.
The Advisory Perspective
The compliance programs that satisfy current bank sponsor due diligence share three characteristics. They are written to examiner standard, not template standard. They are operational, meaning they are actually being executed and producing records. And they are organized to produce at short notice, because that is precisely when a bank sponsor will ask for them.
Building that infrastructure before entering a bank partnership conversation is straightforwardly cheaper than building it during one. This is not a regulatory opinion. It is a project management observation confirmed across the due diligence packages I have reviewed at both the bank and fintech level.