
Banking-as-a-Service has revolutionised the issuing landscape. It promises FinTechs speed and scale, and it offers incumbent banks new revenue streams by monetising their core infrastructure. Yet, beneath the seamless API layers and co-branded cards lies an uncomfortable truth: the regulatory responsibility remains fundamentally unchanged.
For the issuing bank or financial institution that holds the payment network licence (whether Visa, Mastercard, or others), the ultimate accountability for compliance never shifts.
The unwavering law of the licence
In a card BaaS partnership, two types of risk exist: contractual risk and regulatory risk.
The issuing bank's burden (regulatory risk): The FI that sponsors the card programme holds the licence issued by the payment scheme (Visa/Mastercard) and the authorisation from the financial regulator (e.g., FCA, EBA, OCC). When a FinTech partner breaches a rule, whether on KYC/AML, dispute-handling standards, or operational security, the scheme or regulator acts against the licensed entity first: the bank. Penalties, fines, and reputational damage land on the bank regardless of any contractual indemnity; an indemnity may recover money after the fact, but it does not transfer the liability itself.
The FinTech's obligation (contractual risk): The FinTech is contractually obliged to adhere to the bank's standards, often mirroring the scheme rules. However, enforcement by the bank is a costly, manual, and reactive process. Many FinTechs, particularly smaller ones, lack the dedicated compliance teams to keep up with the sheer volume of scheme updates.
The distinction is clear: the bank owns the regulatory risk, the FinTech owns the operational execution. The bank's primary pain point, therefore, is the lack of visibility into, and auditability of, that operational execution.
Navigating the 2025 mandate pressure
The compliance pressure on issuing banks is accelerating, not slowing. Recent scheme updates directly impact BaaS operations.
Effective from mid-2025, Visa's Issuer Monitoring Programme (VIMP) consolidated several compliance metrics, placing BaaS portfolios under unified and more stringent performance thresholds for fraud and disputes. Because these thresholds are measured at the level of the issuing bank's portfolio, that portfolio now carries the combined risk profile of all its FinTech partners: one partner's elevated fraud or dispute ratio can push the bank as a whole over a threshold.
The compliance firewall analogy
Think of the issuing bank's licensed infrastructure as a regulatory firewall.
In a traditional setup, the firewall is strong and singular. In a BaaS partnership, the bank effectively opens multiple 'ports' (APIs, shared processes) to the FinTech's 'traffic'.
The bank's compliance team can't manually inspect every piece of that traffic: every scheme bulletin, every internal policy change, every partner-side implementation. Relying on disparate, manual communication with the FinTech's team is like posting a person at every network port. It's unsustainable, prone to human error, and produces no auditable log.
An automated, intelligent firewall manager for scheme compliance doesn't replace the firewall (the bank's licence). It maintains the ruleset, monitors the traffic, and ensures only compliant activity passes through.
Automating compliance in the BaaS channel
Our Kajo platform is purpose-built to address the operational fragmentation inherent in the BaaS compliance model. It transforms the issuing bank's approach from reactive policing to proactive governance.
Kajo ingests all scheme mandates (Visa, Mastercard, and others) and automatically filters them based on the issuing bank's specific licences and regional products. When a bulletin impacts a BaaS-driven product, it's immediately tagged.
The platform's core strength is turning complex, often jargon-filled scheme bulletins into actionable tasks with clear ownership and deadlines. An issuing bank can assign a task to the BaaS partner's team (or to an internal team managing that partner) and track its implementation in real time. This produces the auditable trail regulators expect and closes the visibility and auditability gap.
Kajo also flags whether a bulletin is mandatory or opt-out, so the bank can decide quickly on new scheme services and avoid incurring unnecessary fees that erode the profitability of the BaaS portfolio.
Taking control of regulatory destiny
BaaS partnerships are the future, but they can't operate outside the foundational rules of card issuance. The issuing bank, as the ultimate compliance owner, must have a robust, automated system for oversight. Manual processes expose the entire business to reputational damage and significant penalties.
By deploying Kajo, issuing banks aren't simply automating a process. They're re-establishing the regulatory firewall required to manage risk at scale. This allows the bank to confidently embrace BaaS innovation whilst demonstrating proactive, auditable control to both scheme networks and financial regulators.
Stop inheriting risk from your partners. Discover how Rivero Kajo can centralise, automate, and audit scheme compliance across your entire BaaS portfolio. Book a call with our team here.