Every Banking-as-a-Service evaluation eventually comes down to the same 30 questions. Most fintechs ask 8 or 10 of them, sign on the answers, and discover within a year which 20 they should have asked. The cost of the missing questions is measurable — termination at thirty days' notice, customer-fund freezes during wind-down, sponsor-bank de-risking that pulls the entire fintech under.
This is the full pre-signing diligence checklist we run on any BaaS engagement for a client. Six sections, five questions each. Each question has a good answer pattern, a red-flag answer, and a follow-up. Used together, the 30 questions force the BaaS provider to expose the structural fragility of the sponsor relationship — or to confirm that the relationship is actually durable.
The checklist is framework-only — naming specific BaaS aggregators or sponsor banks publicly serves no purpose. The questions are universal; the answers are vendor-specific.
How to use this checklist
Run the checklist in three passes. First pass: send the 30 questions to the BaaS provider in writing as part of the diligence cycle. Demand written answers under NDA. Second pass: review answers against the good/red-flag patterns and surface the gaps to the provider. Third pass: escalate to the sponsor bank directly — for any answer where the BaaS aggregator's response cannot be independently verified, ask for a meeting with the sponsor bank's BaaS team.
BaaS providers that refuse the third-pass meeting are signalling a fragile sponsor relationship. Walk away. The cost of finding a different provider is far lower than the cost of being de-platformed eighteen months later.
Section A — Sponsor bank financial integrity
1. Who is the sponsor bank?
Good: a single named bank, EU/UK/US authorised, with a verifiable authorisation number on the home regulator's public register. Red: refusal to disclose, multiple sponsors with no clarity on which one issues your IBAN range, or a bank in a less-credible jurisdiction.
2. What is the sponsor's CET1 ratio?
3. What proportion of the sponsor's revenue is from BaaS?
Good: under 20% — BaaS is supplementary to a diversified balance sheet. Red: over 40% — sponsor's revenue depends on BaaS continuation, which means a single regulatory letter on the BaaS book triggers existential pressure.
4. What is the BaaS book composition by vertical?
Good: diversified across investment management, lending, embedded payments, low-risk B2B verticals. Red: concentrated in remittance, higher-risk MCC merchant acquiring, or crypto on-ramps — concentration risk that becomes contagion risk.
5. Has the sponsor maintained a stable BaaS book over the last 24 months?
Good: stable or growing book with documented onboarding cadence. Red: rapid book contraction, multiple high-profile fintech terminations in the last 18 months, or 'we are repositioning' — sponsor in retreat.
Section B — Sponsor bank regulatory and supervisory profile
6. Has the sponsor received any public enforcement action in the last 36 months?
Verify against the FCA enforcement register [2] or the equivalent NCA database. Red: AML-related consent order in the last 24 months — sponsor is structurally compelled to reduce BaaS programmes.
7. Has the sponsor received any private supervisory letter on BaaS?
Most predictive question in the entire checklist. Good: 'no.' Acceptable: 'yes, fully remediated, evidenced.' Red: 'cannot disclose' — assume yes, assume unremediated, walk away.
8. What is the sponsor's MLRO seniority and tenure?
Good: senior MLRO with ≥5 years tenure at the sponsor and prior BaaS or AML enforcement experience. Red: junior MLRO, frequent turnover, or no named MLRO disclosed.
9. Is the sponsor DORA-compliant for ICT third-party risk?
10. What is the sponsor's AMLR-readiness posture for July 2027?
Section C — Customer-fund segregation and IBAN model
11. Named IBANs or pooled virtual IBANs?
Good: named IBANs in the customer's name with the sponsor bank as account-holder-of-record. Red: pooled virtual IBANs under a single aggregator account — wind-down behaviour materially worse.
12. How are customer funds segregated from house funds?
Good: separately-named safeguarding accounts under EMD2 Article 7 [5], per-fintech segregation, daily reconciliation. Red: pooled across multiple fintechs in one operating account.
13. What audit rights does the fintech have on safeguarding?
Good: contractual right to inspect the safeguarding bank annually, with documented attestation cadence. Red: 'trust the BaaS provider's own audit' or no contractual right.
14. What's the daily reconciliation process?
Good: documented three-way reconciliation (sponsor bank ledger, BaaS aggregator ledger, fintech ledger) with break workflow and signed-off attestation. Red: weekly or monthly reconciliation, manual processes, no documented break workflow.
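As an added illustration of the three-way reconciliation the good answer describes (this is example code written for this page, not a provider's or sponsor bank's own process), the block below matches postings across the sponsor bank ledger, the BaaS aggregator ledger and the fintech ledger, classifies every break, and produces the daily attestation record that the break workflow would be signed off against. The ledgers are constructed sample data; it assumes all three parties carry the same end-to-end reference on each posting, and the owner-routing rule is an assumption chosen for the example.

```python
from collections import Counter
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed sample ledgers for one settlement day (not real data). Each party is
# assumed to carry the same end-to-end reference on every posting. Amounts are
# Decimal because float arithmetic manufactures false breaks at the cent level.
SPONSOR_LEDGER = {
    "TX-1001": Decimal("250.00"),
    "TX-1002": Decimal("1200.50"),
    "TX-1003": Decimal("75.25"),
    "TX-1005": Decimal("40.00"),
}
AGGREGATOR_LEDGER = {
    "TX-1001": Decimal("250.00"),
    "TX-1002": Decimal("1200.50"),
    "TX-1003": Decimal("75.25"),
    "TX-1004": Decimal("310.00"),   # not yet posted at the sponsor bank
    "TX-1005": Decimal("40.00"),
}
FINTECH_LEDGER = {
    "TX-1001": Decimal("250.00"),
    "TX-1002": Decimal("1200.05"),  # keyed as 1200.05 instead of 1200.50
    "TX-1003": Decimal("75.25"),
    "TX-1004": Decimal("310.00"),
    "TX-1005": Decimal("40.00"),
}
LEDGERS = {"sponsor": SPONSOR_LEDGER, "aggregator": AGGREGATOR_LEDGER, "fintech": FINTECH_LEDGER}


@dataclass
class Break:
    reference: str
    kind: str                 # "missing" or "amount_mismatch"
    owner: str                # party expected to investigate first (assumed routing rule)
    amounts: dict = field(default_factory=dict)


def assign_owner(kind, amounts, missing_from):
    """Routing rule assumed for this example: a posting absent from one ledger is that
    party's break; an orphan present in only one ledger belongs to that party; for an
    amount mismatch the party disagreeing with the other two owns it."""
    if kind == "missing":
        if len(missing_from) == 1:
            return missing_from[0]
        return next(iter(amounts))          # orphan: only one party has it
    counts = Counter(amounts.values())
    if len(counts) == 2:
        for party, amt in amounts.items():
            if counts[amt] == 1:
                return party
    return "unresolved"                      # all three parties disagree


def three_way_reconcile(ledgers):
    """A reference is clean only if all three ledgers carry it with identical amounts."""
    all_refs = set().union(*(set(ledger) for ledger in ledgers.values()))
    breaks = []
    for ref in sorted(all_refs):
        amounts = {name: ledger[ref] for name, ledger in ledgers.items() if ref in ledger}
        missing_from = [name for name in ledgers if name not in amounts]
        if missing_from:
            breaks.append(Break(ref, "missing", assign_owner("missing", amounts, missing_from), amounts))
        elif len(set(amounts.values())) > 1:
            breaks.append(Break(ref, "amount_mismatch", assign_owner("amount_mismatch", amounts, []), amounts))
    return breaks


def ledger_totals(ledgers):
    """Control totals per ledger; any difference between them must be explained by breaks."""
    return {name: sum(ledger.values(), Decimal("0")) for name, ledger in ledgers.items()}


def attestation(ledgers):
    """Daily sign-off record: control totals plus the open break list with owners."""
    breaks = three_way_reconcile(ledgers)
    return {
        "clean": not breaks,
        "break_count": len(breaks),
        "totals": ledger_totals(ledgers),
        "breaks": [{"reference": b.reference, "kind": b.kind, "owner": b.owner} for b in breaks],
    }


if __name__ == "__main__":
    record = attestation(LEDGERS)
    print("clean:", record["clean"], "breaks:", record["break_count"])
    for item in record["breaks"]:
        print(item)
```

On the sample data the run surfaces two breaks: TX-1002 as an amount mismatch owned by the fintech (the only party disagreeing) and TX-1004 as missing from the sponsor ledger. A weekly or manual process, the red-flag answer, would let both sit unexplained while the control totals drift apart.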
15. What protections exist for customer funds in a sponsor-bank wind-down?
Good: customer funds legally segregated, deposit insurance applicable (where the sponsor is a bank), wind-down playbook documented. Red: 'this won't happen' or no legal opinion on customer-fund treatment in resolution.
Section D — AML and operational controls
16. Whose AML programme governs the customer flows — fintech's, BaaS aggregator's, or sponsor bank's?
Good: clear delineation — typically fintech designs and operates customer-facing AML, sponsor sets the floor and audits. Red: ambiguity or 'all three apply, depends on the issue.'
17. What sanctions screening is performed at the sponsor level?
Good: full OFAC, EU consolidated, UN, OFSI screening at sponsor level on every transaction, daily refresh. Red: screening only at the BaaS aggregator level; when the sponsor bank then runs its own screening with a different match tolerance, the two layers produce duplicate and conflicting alerts.
18. What is the SAR / STR escalation pathway?
Good: documented protocol for who files (typically sponsor bank to FIU on behalf of the relationship), how the fintech is informed, and when the customer can/cannot be notified. Red: no documented protocol or 'we file on a case-by-case basis.'
19. What customer-onboarding controls does the sponsor impose?
Good: documented baseline (geographic restrictions, customer-type restrictions, transaction-volume thresholds). Red: 'whatever you want to do' — sponsor not actually risk-managing the relationship.
20. What's the documented protocol for sanctioned-customer detection mid-relationship?
Good: automated daily list refresh, defined freeze-and-investigate workflow, deadline for fintech to act. Red: ad hoc handling, no documented timeline, no clarity on who informs the regulator.
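The following is an added example, written for this page rather than taken from any provider, that ties together the screening points in questions 17 and 20: a daily list refresh, a rescreen of the existing customer base against only the entries that changed, a freeze-and-investigate case with a fixed deadline, and a demonstration of why two screening layers with different match tolerances yield different alert sets. The list entries and customers are constructed sample values, the similarity measure is Python's `difflib.SequenceMatcher` (an assumption; real screening engines use their own matching), and the case status and SLA are illustrative.

```python
import re
import unicodedata
from datetime import date, timedelta
from difflib import SequenceMatcher

# Constructed sample data: none of these are real list entries or customers.
YESTERDAY_LIST = {
    "L-1": "Ivan Petrov Example",
    "L-2": "Acme Holdings Example",
}
TODAY_LIST = {
    "L-1": "Ivan Petrov Example",
    "L-2": "Acme Holdings Example",
    "L-3": "Maria Sánchez Example",   # entry added in today's refresh
}
CUSTOMERS = {
    "C-01": "Maria Sanchez Example",  # exact after accent folding
    "C-02": "John Smith",
    "C-03": "Iwan Petrow Exemple",    # near-miss of L-1 at roughly 0.84 similarity
}


def normalise(name):
    """Fold accents and case, strip punctuation, collapse whitespace."""
    folded = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in folded if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]+", " ", stripped.lower()).strip()


def similarity(a, b):
    """Similarity in [0, 1]; the threshold applied to it is the 'match tolerance'."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def list_delta(old, new):
    """Entries that are new, or whose name changed, since the previous refresh."""
    return {lid: name for lid, name in new.items() if old.get(lid) != name}


def screen(customers, entries, threshold):
    """Every customer against every entry; a hit is any pair at or above the tolerance."""
    hits = []
    for cid, cname in sorted(customers.items()):
        for lid, lname in sorted(entries.items()):
            score = similarity(cname, lname)
            if score >= threshold:
                hits.append({"customer_id": cid, "list_id": lid, "score": round(score, 3)})
    return hits


def rescreen_after_refresh(customers, old_list, new_list, threshold):
    """Mid-relationship detection: rescreen the whole book, but only against what changed."""
    return screen(customers, list_delta(old_list, new_list), threshold)


def open_cases(hits, as_of, sla_days):
    """Freeze-and-investigate workflow: each hit becomes a case with a hard deadline."""
    opened = date.fromisoformat(as_of)
    deadline = (opened + timedelta(days=sla_days)).isoformat()
    return [
        {
            "customer_id": h["customer_id"],
            "list_id": h["list_id"],
            "score": h["score"],
            "status": "FROZEN_PENDING_REVIEW",   # illustrative status label
            "opened": as_of,
            "deadline": deadline,
        }
        for h in hits
    ]


if __name__ == "__main__":
    new_hits = rescreen_after_refresh(CUSTOMERS, YESTERDAY_LIST, TODAY_LIST, threshold=0.90)
    for case in open_cases(new_hits, as_of="2025-01-17", sla_days=2):
        print(case)
    # Same book, same list, two tolerances: the alert sets differ.
    print("fintech layer (0.90):", [(h["customer_id"], h["list_id"]) for h in screen(CUSTOMERS, TODAY_LIST, 0.90)])
    print("sponsor layer (0.80):", [(h["customer_id"], h["list_id"]) for h in screen(CUSTOMERS, TODAY_LIST, 0.80)])
```

On the sample data the refresh adds one entry, the rescreen flags C-01 against it, and a case is opened with a two-day deadline. Screening the full book at a 0.90 tolerance returns only that hit, while a 0.80 tolerance also returns C-03 against L-1; that second hit is exactly the duplicate or conflicting alert a sponsor-level screen with a looser tolerance would raise on top of the aggregator's.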
Section E — Contract, exit, and audit rights
21. What is the termination notice period?
Good: 90 days for non-regulatory termination; 30 days minimum for regulatory. Red: 7-day or 'immediate' termination rights for any reason — fintech is structurally exposed.
22. What migration support is contractually committed at termination?
Good: documented runbook, customer-data portability, defined customer-fund return process, transition-services agreement. Red: 'we'll work it out at the time' — when termination happens, no leverage.
23. What audit rights does the contract grant?
Good: annual audit right at fintech expense, with reasonable scope and access to sponsor records relevant to the fintech's customers. Red: no audit right or 'audit by exception only.'
24. What is the SLA for customer-fund return on termination?
Good: 14–30 days from termination notice, with sponsor bank acting as paying agent. Red: ambiguous or longer than 60 days — customer-fund stickiness in wind-down can be the difference between orderly exit and class-action.
25. Are there carve-outs for sponsor de-risking that bypass the notice period?
Good: regulatory de-risking has a 30-day floor with mandatory migration support. Red: 'sponsor may terminate at any time for regulatory reasons in its sole discretion' — sponsor's discretion is the de facto termination clock.
Section F — Technology, DORA, and operational continuity
26. What is the platform's uptime SLA and incident-response cadence?
Good: ≥99.95% uptime, RTO under 4 hours, RPO under 15 minutes, documented incident-response runbook. Red: 'best-effort' or RTO/RPO not contractually committed.
27. What's the API change-management protocol?
Good: minimum 90 days' notice on breaking changes, semantic versioning, deprecation cycles, sandbox parity. Red: 'we update when we update' or surprise breaking changes in production within the last 12 months.
28. What is the data-residency and cross-border-data-flow posture?
Good: data residency contractually committed, GDPR-compliant cross-border flows, documented sub-processor list, annual review. Red: ambiguous data residency, no published sub-processor list.
29. What's the security-audit and certification cadence?
Good: ISO 27001, SOC 2 Type II, annual penetration test, published security white paper. Red: 'security review by request' — security is opaque, regulators dislike it, and supervisor inspections will surface it.
30. What's the escalation path for production incidents affecting customer funds?
Good: 24/7 dedicated incident hotline, defined escalation matrix to sponsor bank, regulator notification protocol. Red: business-hours support only, no clear escalation past the BaaS aggregator's account manager.
The 30 questions — quick reference.
| # | Section | Question theme | Headline red flag |
|---|---|---|---|
| 1–5 | Sponsor financial integrity | Identity, capital, BaaS revenue concentration | Sponsor revenue >40% from BaaS |
| 6–10 | Regulatory profile | Enforcement, supervisory letters, AMLR/DORA readiness | AML consent order in last 24 months |
| 11–15 | Segregation and IBANs | Named vs pooled, EMD2 Art. 7, audit rights | Pooled virtual IBANs across multiple fintechs |
| 16–20 | AML and operations | Programme governance, sanctions, SAR pathway | Ambiguous AML programme ownership |
| 21–25 | Contract, exit, audit | Notice period, migration, fund return SLA | Termination 'at sole discretion' with no migration |
| 26–30 | Technology and DORA | Uptime, change management, security cadence | No DORA programme; opaque sub-processors |
Pre-signing red lines
Even with a strong checklist completion rate, certain answers should be hard red lines. Walk away if any of the following are true:
- BaaS provider refuses to name the sponsor bank in writing.
- Sponsor bank has an unremediated AML consent order.
- Customer funds pooled across multiple fintechs in a single operating account.
- Termination clauses with no migration runbook or fund-return SLA.
- No DORA programme as of January 2025.
- Sponsor revenue concentration above 40% in BaaS, particularly with single-vertical exposure.
Quarterly relationship review
The 30 questions are not asked once. They are revisited quarterly. The sponsor's CET1 changes; the BaaS book composition shifts; supervisory letters arrive; AMLR readiness progresses or stalls. The review cadence is what catches sponsor-de-risking patterns six months early — early enough to begin a controlled migration rather than reacting to a 30-day termination notice.
Quarterly BaaS relationship review — what to revisit and when.
| Cadence | Review focus |
|---|---|
| Quarterly | Sponsor CET1, BaaS book composition, public enforcement, supervisory letters |
| Semi-annually | Customer-fund segregation audit, reconciliation effectiveness, AML programme review |
| Annually | Full 30-question rerun; contract review; renewal vs migration decision |
| Triggered | On any sponsor public announcement, regulator letter, or BaaS book change |
Frequently Asked Questions
How long should the diligence cycle take?
6–10 weeks for a full 30-question response cycle. Faster suggests the BaaS provider is templating answers; slower suggests they don't have the data. The right pace is the one where each question is answered substantively with verifiable references.
What if I'm a small fintech and BaaS providers won't engage with deep diligence?
BaaS providers that won't engage with diligence at small-fintech onboarding are signalling that they treat small fintechs as disposable. That is exactly the relationship to avoid. A provider willing to answer 30 questions for a £200k/year customer is one whose sponsor relationship is durable enough to support the customer.
Yes. Share it with the indicative term-sheet and ask for written responses within four weeks. The providers that engage substantively are self-selecting; the ones that won't are doing the work for you.
Is this checklist regulator-aligned?
What if the answers change after signing?
They will. The quarterly review cadence is the answer. Build the review into the firm's compliance calendar; do not treat the diligence as a one-time event. The most expensive BaaS relationships are the ones where the fintech stopped paying attention nine months in.
- Sponsor Bank Profile: What a Fintech Should Demand from BaaS — the seven-criteria framework underneath this checklist.
- Bank Account for an EMI: 2026 Buyer's Playbook — the alternative when BaaS is the wrong answer.
- EMI Safeguarding Architecture — the segregation pattern your sponsor bank should implement.
- EMI vs PSP vs VASP vs CASP — deciding whether to BaaS or hold your own licence.
- Banking Access for Regulated Fintechs — our service: BaaS evaluation, sponsor diligence, migration planning.
Thirty questions is not enough to evaluate every nuance of a BaaS relationship. It is enough to surface the structural fragility before signing — the gaps in the answers that turn into operational crises eighteen months later. Run the checklist before signing; rerun it quarterly; act on the answers. The fintechs that survive sponsor de-risking cycles are the ones that keep asking, not the ones that asked once.