Neobanks operate in a regulatory gray zone that is closing fast. If you hold accounts through a sponsor bank, regulators still expect you to run a compliance program — not just inherit your partner's. The FDIC, OCC, and CFPB have all issued guidance or taken enforcement actions that make this expectation explicit. This guide covers what neobank compliance actually requires, where enforcement focus has shifted, and how to build a program that satisfies both regulators and your bank partner.
Key Takeaways:
- Neobanks carry direct compliance obligations even when operating through a BaaS partner — the sponsor bank's program does not substitute for yours
- BSA/AML requirements under 31 U.S.C. § 5311 apply to you through your bank partner's charter, and regulators test whether you're actually executing
- The FDIC's third-party risk management guidance (FIL-29-2023) and consent orders against BaaS banks have shifted enforcement toward the fintech side of the partnership
- State money transmission licensing, consumer compliance (UDAAP, ECOA, TILA), and data privacy form the second layer of obligations most neobanks underestimate
- A compliance program built on documented evidence — not policies alone — is what separates exam-ready neobanks from those scrambling during partner bank audits
The Neobank Compliance Model: Who Owns What
The defining feature of neobank compliance is the split-responsibility model. You don't hold a charter. Your sponsor bank does. But federal regulators don't view this as a clean division.
The OCC has published interpretive letters (OCC IL 1170, OCC IL 1176) establishing that banks must exercise oversight of fintech partners. When the OCC examines your sponsor bank, they examine your operations too — particularly customer-facing practices, complaint handling, and AML controls.
The FDIC reinforced this in its third-party risk management guidance (FIL-29-2023), which replaced the 2008 guidance and aligned with the interagency framework. The key shift: regulators now expect sponsor banks to hold fintechs accountable for specific compliance deliverables with documented evidence. That means your bank partner will require you to produce evidence of compliance execution — not just maintain policies.
Practical impact for neobanks:
- Your sponsor bank's compliance team will audit your program at least annually, often quarterly
- Regulators will review your customer-facing disclosures, marketing materials, and complaint handling during the bank's exam
- Evidence of your compliance activities must be accessible to your bank partner on demand
- Gaps in your program create regulatory risk for your partner, which creates business risk for you (terminated partnerships)
This isn't theoretical. Multiple BaaS banks received consent orders in 2023-2024 specifically citing inadequate oversight of fintech partners. In several cases, the bank was forced to pause new fintech onboarding — directly impacting neobanks that relied on those partnerships.
BSA/AML Requirements for Neobanks
BSA/AML obligations represent the highest-stakes compliance area for neobanks. Even though SARs are filed under the bank's charter, regulators expect the neobank to perform the front-line compliance work: customer identification, transaction monitoring, and suspicious activity detection.
Customer Identification Program (CIP)
Under 31 CFR § 1020.220, every customer opening an account must be identified and verified. For neobanks onboarding customers digitally, this means:
- Collecting name, date of birth, address, and identification number at onboarding
- Verifying identity through documentary methods (ID upload and validation) or non-documentary methods (database verification, knowledge-based authentication)
- Maintaining records of the verification method used and the results
- Screening against government lists (OFAC SDN, 314(a) lists) at onboarding and on an ongoing basis
Digital onboarding creates specific CIP risks that regulators flag. Identity verification through selfie-matching and document scanning must be validated against known fraud patterns. If your identity verification vendor has a 2% false-acceptance rate, you need compensating controls — and documentation that they're working.
Customer Due Diligence and Beneficial Ownership
CDD requirements under 31 CFR § 1010.230 apply to all legal entity accounts. If your neobank serves business customers, you must collect and verify beneficial ownership information (25%+ owners and at least one controlling person) at account opening.
Beyond legal entity requirements, CDD includes:
- Risk rating each customer at onboarding based on product type, geography, business type, and expected activity
- Ongoing monitoring to detect changes that affect the risk profile
- Periodic reviews of higher-risk customers on a schedule aligned to risk tier
- Enhanced due diligence (EDD) for PEPs, MSBs, and other elevated-risk categories
Transaction Monitoring and SAR Filing
This is where AML in BaaS gets complicated. Your sponsor bank's BSA program must cover transaction monitoring, but regulators increasingly expect neobanks to operate their own first-line monitoring or demonstrate active participation in the process.
What regulators look for:
- Your role in alert investigation — do you receive alerts from the bank, or do you run your own monitoring rules?
- Investigation timelines — the 30-day SAR filing clock (31 CFR § 1020.320) starts at detection, not when someone assigns the alert
- Documentation quality — SAR narratives must include the five W's with specific transaction details
- Escalation procedures — how suspicious activity detected through your platform reaches the bank's BSA team
FinCEN enforcement actions have targeted institutions where the fintech partner flagged suspicious activity but the bank failed to file a SAR — and vice versa, where the bank's monitoring missed activity visible in the fintech's data. Both sides bear responsibility.
For a detailed breakdown of BSA/AML program requirements, see our BSA/AML compliance checklist for community banks. The five-pillar structure applies equally to neobank programs.
Consumer Compliance: The Second Layer
BSA/AML gets the most attention, but consumer compliance violations generate the largest penalties for fintechs. The CFPB has filed enforcement actions against non-bank fintechs using its authority under 12 U.S.C. § 5536 (UDAAP) and through "larger participant" rules under 12 CFR § 1090.
UDAAP
Unfair, deceptive, or abusive acts and practices (UDAAP) applies to every customer-facing interaction. For neobanks, the highest-risk areas include:
- Fee disclosures — Insufficient notice of fees, or fees that contradict marketing claims, are deceptive
- Deposit insurance representations — After the 2023 enforcement sweep, the FDIC clarified that non-bank fintechs cannot state or imply deposits are FDIC-insured unless the pass-through insurance requirements under 12 CFR § 330 are actually met
- Account closure practices — Closing accounts without adequate notice or explanation creates UDAAP risk, especially when customers lose access to direct-deposited funds
- Marketing claims — Overstating interest rates, understating conditions, or failing to disclose material terms
Fair Lending (ECOA/Reg B)
If your neobank offers credit products — including credit-builder loans, earned wage access, or overdraft features that function as credit — ECOA applies. Key requirements:
- Adverse action notices must comply with Reg B (12 CFR § 1002.9) and include specific reasons for denial
- If you use alternative data or ML-based underwriting models, you must demonstrate the model does not produce disparate impact
- Fair lending testing must occur regularly, not only when regulators ask
TILA/Reg Z
Truth in Lending Act disclosures apply to any credit product. APR calculations, finance charge disclosures, and right-of-rescission notices must follow Reg Z (12 CFR § 1026) requirements precisely. Fintech-specific risk: products described as "tips" or "subscriptions" that function as finance charges can trigger TILA obligations.
State Licensing Requirements
State licensing is the compliance obligation neobanks most frequently underestimate. The analysis depends on your activities and structure:
Money transmission licensing: If your neobank handles funds outside of the bank partner's direct custody — even temporarily — most states require a money transmitter license. The analysis under each state's money transmission statute is fact-specific. Operating without required licenses exposes you to state enforcement actions and, in some states, criminal liability.
Lending licensing: State lending licenses are required in most states for non-bank entities originating loans, regardless of bank partnership structure. The "true lender" doctrine, applied differently across states, determines whether the bank or the fintech is the lender of record for licensing purposes.
Multi-state complexity: A neobank operating in 40 states may face:
| Obligation | Scale |
|---|---|
| Money transmitter licenses | 40+ state applications and renewals |
| Annual reporting requirements | 40+ state-specific reports |
| Examination schedules | 10-15 state exams per year |
| Surety bond requirements | Varying by state, $25K-$7M+ |
| Change-of-control filings | Each state requires separate notice |
NMLS (Nationwide Multistate Licensing System) simplifies some of this, but state-specific requirements beyond the NMLS framework still demand individual compliance tracking.
Building a Neobank Compliance Program
A defensible neobank compliance program needs four components. Policies alone don't count — regulators and bank partners evaluate whether you can demonstrate execution.
1. Compliance Management System (CMS)
Your CMS must include:
- Written policies and procedures for each regulatory area (BSA/AML, consumer compliance, privacy, state licensing)
- Assigned ownership for each compliance function with documented authority
- A compliance officer with reporting access to the board or executive team
- Regular compliance reporting — monthly to management, quarterly to the board
2. Risk Assessment
Document your compliance risk across products, customer types, and geographies. This isn't a one-time exercise. Update your risk assessment when you launch new products, enter new states, or add customer segments. Regulators check the date on your risk assessment — an 18-month-old document signals a stale program.
3. Monitoring and Testing
First-line monitoring (your compliance team's day-to-day checks) and second-line testing (periodic independent reviews) must both exist and be documented. Testing should cover:
- Transaction monitoring effectiveness (are rules calibrated? are alerts investigated?)
- CDD program compliance (are customers risk-rated? are reviews current?)
- Consumer complaint trends and resolution quality
- Marketing and disclosure accuracy
- Vendor compliance with contractual obligations
4. Evidence and Audit Trail
This is where most neobanks fall short. Having policies means nothing without evidence of execution. Every compliance activity — training completion, policy review, risk assessment update, SAR investigation, complaint resolution — must generate a documented record with a timestamp, an owner, and an outcome.
When your sponsor bank's compliance team requests evidence of your quarterly high-risk customer reviews, you need to produce the reviews, not a policy that says reviews happen quarterly.
How Neobank Compliance Teams Close the Evidence Gap
The hardest part of neobank compliance isn't knowing what's required — it's producing evidence that requirements are being met. Sponsor banks demand it. Regulators verify it during exams. And when the evidence doesn't exist, the default assumption is that the work wasn't done.
Canarie turns BSA/AML requirements and consumer compliance obligations into executable workflows that capture evidence as a byproduct of doing the work. CDD reviews generate on schedule with assigned owners and recorded completion. SAR investigation timelines are tracked from alert to filing decision. Training, policy attestations, and vendor reviews all produce timestamped audit trails.
When your sponsor bank requests a compliance evidence package — or when examiners arrive at the bank — everything exports in minutes rather than weeks of reconstruction.
Frequently Asked Questions
Does a neobank need its own BSA/AML program if the sponsor bank has one?
Yes. While the SAR filing obligation technically belongs to the bank, regulators expect neobanks to perform front-line BSA/AML functions: customer identification, transaction monitoring alert review, and suspicious activity investigation. The bank's BSA program does not substitute for your own controls. The FDIC's third-party risk management guidance (FIL-29-2023) and enforcement actions against BaaS banks in 2023-2024 confirm that regulators evaluate both sides of the partnership.
What happens when a sponsor bank receives a consent order?
A consent order against your sponsor bank can directly impact your operations. Common consequences include: pausing new fintech partner onboarding, requiring enhanced compliance evidence from existing partners, mandating independent compliance audits of fintech programs, and in severe cases, terminating fintech partnerships entirely. The 2023-2024 wave of BaaS consent orders forced several neobanks to find new bank partners under compressed timelines. Building a documented compliance program before a consent order hits is the only reliable protection.
Which regulators can take enforcement action against a neobank directly?
Multiple agencies have authority. The CFPB can pursue enforcement against non-bank fintechs under 12 U.S.C. § 5536 (UDAAP) and through "larger participant" rules. State regulators can act under money transmission and lending licensing statutes. The FTC has authority over deceptive practices. And FinCEN can impose civil money penalties on any person (not just banks) involved in BSA violations under 31 U.S.C. § 5321. For a deeper look at automating compliance across these obligations, see our fintech compliance automation guide.
How should neobanks prepare for a sponsor bank compliance audit?
Treat it like a regulatory examination. Prepare evidence packages organized by compliance area: BSA/AML (CIP records, transaction monitoring reports, SAR investigation files), consumer compliance (disclosure samples, complaint logs, fair lending testing results), and operational compliance (training records, policy version history, vendor assessments). The audit will test whether your program is documented and whether evidence exists that it's being executed. Producing organized evidence on demand — rather than scrambling to reconstruct it — is the clearest signal of a mature program.