A regulated fintech with a single bank relationship is one supervisory letter away from operational shutdown. The 2023 collapses of Signature Bank and Silvergate, Silicon Valley Bank's collapse-and-rescue, and the cascade of crypto de-bankings across European banks since 2018 prove the same point in three different ways: bank concentration is treasury risk, and treasury risk for a regulated firm is licence risk.

The mature treasury architecture for a CASP, EMI, or payment institution in 2026 uses 4–6 institutions across distinct functions and jurisdictions. Operating accounts in two countries. Client safeguarding ring-fenced under MiCA Article 75 at a separate credit institution. EMI rails for inbound client deposits. A USD correspondent bank. Treasury and FX with a fourth provider. Built in calm, this architecture costs 0.5–1% more on operating expense than a single-bank setup. Built in panic during a 30-day termination notice, it is impossible.

This guide explains the architecture: the four-layer model, why each layer needs to be at a different institution, how to choose the institutions, the reconciliation engineering required to run multi-bank operations, and the annual operational discipline (de-banking drill, quarterly review) that turns architecture into resilience. Treasury redundancy is not optional for a regulated crypto firm. The question is whether you build it before you need it or after.

Why Single-Bank Treasury Fails

Single-bank treasury sits on three correlated failure modes that the EBA Opinion on de-risking documents explicitly. Each one alone is enough to halt a CASP for weeks; together they describe the historical pattern of every crypto-firm operational shutdown.[1]

  • Direct termination. Bank closes the account on its standard contractual notice (30–90 days). Documented hundreds of times across EEA crypto firms.

  • Correspondent failure. Bank's USD or EUR correspondent withdraws nostro line. Bank then drops every crypto client overnight to preserve the relationship.

  • Bank failure. The bank itself fails (Signature, Silvergate, SVB pattern). All accounts frozen during resolution; client safeguarding becomes a deposit-insurance question.

The Four-Layer Treasury Model

The architecture decomposes treasury into four functional layers, each of which must sit at a different institution for redundancy purposes. Mixing layers in a single bank is the single most common architectural mistake.

The four-layer multi-bank treasury model — minimum institutions and the rationale.

| Layer | Purpose | Minimum institutions | Why separate |
| --- | --- | --- | --- |
| 1. Operating | Day-to-day cash, payroll, suppliers, tax | 2 (primary + backup, different jurisdictions) | 48-hour activation if primary closed |
| 2. Client safeguarding (MiCA Article 75) | Ring-fenced client crypto-asset proceeds and e-money balances | 1 dedicated, never the operating bank | Regulatory requirement; closure of operating bank does not touch safeguarding |
| 3. Inbound client deposits | Client funding rails — virtual IBANs, SEPA / SWIFT inbound | 1 EMI (Paysera, Striga, Modulr, Banking Circle) | Reduces concentration on safeguarding bank; faster IBAN issuance |
| 4. Treasury / FX / capital | Prudential capital own funds, FX hedging, liquidity management | 1–2 separate institutions | Capital must be segregated from client funds; FX continues during operating disruption |

USD treasury is a fifth layer for any fintech with material US-denominated exposure — supplier costs, stablecoin flows, OTC settlement. See the dedicated USD treasury guide for provider selection (BCB Group, Cross-River, Customers Bank, JP Morgan, Wise Business, FV Bank). Combined with the four EUR/GBP-side layers above, the full architecture is typically 5–7 institutions.

Layer 1 — Operating Accounts (Primary + Backup)

The operating layer needs two banks in two jurisdictions. Primary handles day-to-day flows; backup is funded, mandate-tested, and ready to absorb operating volume within 48 hours of a primary disruption. Same-jurisdiction backups fail the test — a Lithuanian primary with a Lithuanian backup sits behind the same correspondent network and can lose USD access simultaneously.

  • Primary in licence jurisdiction — Bank of Cyprus, LHV, Banking Circle, ClearBank.

  • Backup in second jurisdiction — BCB Group (UK), Sygnum Bank (Switzerland), Wio Bank (UAE) for non-EEA backstop.

  • Both fully funded with 30 days of operating expense. A backup with €0 balance is theatre, not architecture.

  • Both with active payment mandates — verify quarterly that signatories are current, beneficiaries are loaded, and a test outbound payment lands without manual escalation.

Layer 2 — Client Safeguarding

MiCA Article 75 requires CASPs holding client crypto-assets to keep them segregated from CASP own assets, with arrangements that protect the client in CASP insolvency. EMI and PI safeguarding rules under the Payment Services Directive and the Electronic Money Directive impose equivalent obligations on fiat client funds. The architecture imperative: safeguarding sits at a credit institution that is not your operating bank, with daily reconciliation.[2][3]

Many CASPs treat safeguarding as a paper exercise — a designated account at the same bank as operating, with a label. This fails the segregation test the moment the operating bank issues a termination notice: client funds are frozen alongside corporate funds during the migration. Regulatory inspections increasingly probe this. The Bank of Lithuania has explicitly criticised co-located operating-and-safeguarding arrangements.

  • Dedicated safeguarding account at a separate credit institution — never the operating bank.

  • Daily reconciliation between book balance (per the client ledger) and bank balance.

  • Quarterly external attestation to the NCA confirming no shortfall.

  • Clear written agreement with the safeguarding institution naming the trust nature of the funds.

Reconciliation Engineering Across Multiple Banks

The technical hard part of multi-bank architecture is reconciliation. With one bank and one ledger, end-of-day reconciliation is trivial. With four to seven institutions across multiple currencies and timezones, it requires deliberate engineering.

  • Treasury management system (TMS) or equivalent custom infrastructure — pulls balances from every institution daily via SWIFT MT940 / MT942, ISO 20022 camt files, or institution-specific APIs.

  • Single source of truth ledger — every transaction written first to an internal ledger; bank statements reconcile against the ledger, not the other way around.

  • Sweep automation — scheduled liquidity sweeps move funds between layers to maintain target balances; manual sweeps for unscheduled movements.

  • Exception monitoring — out-of-tolerance reconciliation differences alert the treasury team within 1 hour, not the next morning.

  • Audit trail — every internal movement, every external transfer, every reconciliation event timestamped and immutable.
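The ledger-first reconciliation, exception monitoring and audit-trail items above, together with the daily book-versus-bank safeguarding check from Layer 2, sketched as an added Python example (not code from this guide or from any TMS product). Institution names, references, amounts and the 0.01 tolerance are constructed; statement rows are assumed to be already parsed from camt.053 or MT940 files, and the hash chain makes the log tamper-evident rather than immutable.

```python
import hashlib
from decimal import Decimal

# Constructed sample rows: (institution, reference, currency, amount).
LEDGER = [  # internal ledger, the source of truth
    ("OPS-PRIMARY", "TX-1002", "EUR", Decimal("40000.00")),
    ("SAFEGUARD", "TX-2001", "EUR", Decimal("250000.00")),
    ("SAFEGUARD", "TX-2002", "EUR", Decimal("-1800.00")),
]
STATEMENTS = [  # what the institutions report
    ("OPS-PRIMARY", "TX-1002", "EUR", Decimal("39985.00")),  # fee deducted
    ("SAFEGUARD", "TX-2001", "EUR", Decimal("250000.00")),
    ("SAFEGUARD", "TX-9999", "EUR", Decimal("-5000.00")),  # unknown debit
]

def reconcile(ledger, statements, tolerance=Decimal("0.01")):
    """Check statements against the ledger; return out-of-tolerance items."""
    book = {(i, r, c): a for i, r, c, a in ledger}
    bank = {(i, r, c): a for i, r, c, a in statements}
    exceptions = []
    for key in sorted(book.keys() | bank.keys()):
        if key not in bank:
            exceptions.append((key[0], key[1], "MISSING_AT_BANK", book[key]))
        elif key not in book:
            exceptions.append((key[0], key[1], "NOT_IN_LEDGER", bank[key]))
        elif abs(bank[key] - book[key]) > tolerance:
            exceptions.append((key[0], key[1], "AMOUNT_MISMATCH", bank[key] - book[key]))
    return exceptions

def shortfall(ledger, statements, institution):
    """Book balance minus bank balance for one institution, floored at zero."""
    book = sum(a for i, _, _, a in ledger if i == institution)
    bank = sum(a for i, _, _, a in statements if i == institution)
    return max(book - bank, Decimal("0"))

def audit_chain(events, prev="0" * 64):
    """Hash-chain events; editing one record changes every later digest."""
    chain = []
    for record in map(repr, events):  # repr() stands in for a canonical encoding
        prev = hashlib.sha256((prev + record).encode()).hexdigest()
        chain.append((prev, record))
    return chain

def verify_chain(chain, prev="0" * 64):
    """Recompute every digest; False if any stored record was altered."""
    for digest, record in chain:
        prev = hashlib.sha256((prev + record).encode()).hexdigest()
        if prev != digest:
            return False
    return True
```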

DORA and the ICT Implications of Multi-Bank Architecture

The Digital Operational Resilience Act applies to every CASP, EMI, and payment institution from January 2025 and significantly raises the bar on third-party ICT risk management. Multi-bank architecture intersects DORA on three fronts: each bank is an ICT third party for the bank-side connectivity, the TMS is an ICT third party in itself, and the treasury operations team's runbooks must cover business continuity for any single-institution failure.[4]

Practical DORA implications for multi-bank treasury: maintain a third-party register listing every banking institution, the TMS provider, and any reconciliation tooling; document exit strategies for each (how to migrate balance away if the institution exits); test the runbook annually with a tabletop exercise simulating a single-institution termination; and report any material ICT incident affecting bank connectivity within DORA's classification windows.

Cost vs Resilience — The Numbers

Multi-bank architecture costs more than single-bank. The cost is meaningful but bounded; the upside is operational survival. The table below benchmarks the marginal annual cost of running a 5-institution architecture vs a single-bank setup for a mid-sized CASP (€100M annual revenue).

Marginal annual cost of multi-bank architecture vs single-bank — mid-sized CASP example.

| Cost driver | Single-bank | Multi-bank (5 institutions) | Increment |
| --- | --- | --- | --- |
| Bank account fees + minimum balances opportunity cost | €10,000–€20,000 | €40,000–€80,000 | +€30,000–€60,000 |
| Treasury management system + APIs | €0–€20,000 | €60,000–€150,000 | +€60,000–€130,000 |
| Treasury team headcount (FTE allocation) | 0.25 FTE | 0.75–1.0 FTE | +€60,000–€100,000 |
| Reconciliation tooling + audit | €10,000 | €40,000–€80,000 | +€30,000–€70,000 |
| FX dealing margin (consolidated provider) | 0.25–0.5% | 0.15–0.25% (better rates from competition) | Saves 0.10–0.25% of FX volume |
| Total marginal annual cost | | | €180,000–€360,000 (~0.18–0.36% of revenue) |

The Operational Discipline That Turns Architecture Into Resilience

  • Annual de-banking drill — pick one institution, simulate a 30-day termination notice, exercise the migration plan end-to-end. Find the gaps before they find you.

  • Quarterly bank review — relationship update with each institution, refresh AML and source-of-funds package, surface any operational concerns proactively.

  • Monthly reconciliation review — out-of-tolerance items reviewed at the operations leadership level; trends in alert volume, not just point-in-time exceptions.

  • Continuous third-party register — DORA compliance plus practical readiness; updated within 30 days of any change.

  • Pre-emptive disclosure of incidents to all banks, not just the affected one. Banks talk to each other; surprise discovery is far worse than self-reporting.

Frequently Asked Questions

Is multi-bank architecture mandatory under MiCA or DORA?

Not literally — neither MiCA nor DORA prescribes a minimum number of bank relationships. But MiCA Article 75 segregation requirements and the Digital Operational Resilience Act ICT third-party risk framework together make single-bank architecture functionally non-compliant. A CASP that cannot survive a single bank's exit fails DORA's continuity-of-services test on first inspection.

Can my client safeguarding live at the same bank as my operating account if I label it correctly?

Technically possible, structurally unsound. Several NCAs (Bank of Lithuania, Central Bank of Ireland) have flagged co-located safeguarding as inadequate to MiCA Article 75 — the segregation must be operationally robust, not just labelled. When the operating bank issues a termination notice, co-located safeguarding gets caught in the same migration. Move safeguarding to a separate credit institution before the next supervisory inspection.

How small can a CASP be and still need multi-bank architecture?

Any CASP serving real customers needs a minimum 3-institution setup: operating, safeguarding (separate), and an EMI for inbound client deposits. The 5-institution full architecture (primary + backup operating, safeguarding, EMI, capital) becomes proportionate at €5M–€10M annual revenue. Below that, the 3-institution minimum is the floor; above €100M, USD treasury and a second backup should be added.

What does an annual de-banking drill actually look like?

A 4-hour tabletop exercise: select an operating bank, simulate a 30-day termination notice, run through the full migration plan in real time. Test signatory mandates at the backup bank. Generate the customer-communication template. Verify reconciliation infrastructure handles a multi-bank state. Document the gaps. Most CASPs find 5–10 things they did not expect — usually around mandate freshness, signatory authorisation lists, or backup-bank balance tooling — and remediate within 60 days. The drill costs €5,000–€20,000 in time. The first real termination notice costs much more.

Should the four layers all be in the same currency?

No — and treasury management gets harder when they are. Operating in EUR, safeguarding in EUR, capital in EUR, USD treasury at a USD-native institution. FX between currencies happens at a dedicated FX provider, not through cross-currency wire fees at any single bank. Multi-currency, multi-jurisdiction, multi-institution is the mature posture.

Does running 5+ institutions create more AML risk?

Marginally more documentation work, materially less concentration risk. Each institution applies its own AML diligence, refreshes its own source-of-funds package, and surfaces issues independently. The aggregate AML monitoring posture across 5 institutions is stronger than at 1 — and discovery of an issue at one bank is more recoverable when 4 others are functioning normally.

Designing or remediating treasury architecture for your CASP, EMI, or payment institution? Finconduit scopes the right institution mix, makes vetted introductions, and supports the reconciliation engineering required to operate across 4–6 banking relationships safely. Get a free treasury architecture review.

Treasury architecture is the most underrated competitive moat in regulated fintech. Single-bank operators are one supervisory letter from shutdown; multi-bank operators have absorbed three bank closures over the last five years and kept growing. The cost of building this architecture in calm — 0.18–0.36% of revenue — is among the highest-ROI investments a CASP, EMI, or payment institution can make. Build it before you need it. The institutions you onboard will not always say yes; the ones that do will quietly become the reason you survive the next industry-wide stress event.

Footnotes & Citations

  1. EBA Opinion on de-risking, 5 January 2022 — addresses unjustified mass de-risking of customer categories.

  2. Directive (EU) 2015/2366 (PSD2) — payment services framework including safeguarding requirements for EMIs and PIs.

  3. Directive 2009/110/EC (EMD2) — Electronic Money Directive setting safeguarding rules for e-money issuers.

  4. Regulation (EU) 2022/2554 (DORA) on digital operational resilience for the financial sector, applicable from 17 January 2025.
