obOpen Banking Lab
GlossarySTETBlogContact
Actor

BaaS

Banking-as-a-Service

A model where a credit institution or EMI exposes its authorisations and infrastructure (accounts, cards, payments) via API to fintechs or non-banking brands. Treezor, Swan, Solaris, Modulr in Europe.

See also:ECEPEMEAgent PSPTreezor / Swan / SolarisEmbedded financeDORA

Definition

BaaS (Banking-as-a-Service) lets a regulated institution (a credit institution, PI or EMI) expose its authorisations and banking infrastructure via API to players that need them.

Accounts, cards, SEPA transfers, IBANs, KYC, compliance: everything is consumed as an API by a fintech, a brand or a platform. The end customer deals with the brand; the BaaS provides the regulated machinery, invisible, running behind the scenes.

Why BaaS exists

Without BaaS, any player wanting to offer an account or a card would have to:

  • apply for a PI or EMI authorisation from the ACPR (12 to 18 months, €200K to €500K);
  • build its entire compliance setup (AML/CFT, fraud monitoring, sanctions screening);
  • join the card schemes as a principal member (~€1M in fees, plus the technical setup);
  • integrate the SEPA systems (STEP2, EBA RT1) or go through a correspondent.

With BaaS, all of this is already done: you consume an API.

The building blocks of a BaaS offering

  • Payment accounts with dedicated IBANs (French, European).
  • Card issuing, physical and virtual, via the BaaS's BIN sponsor.
  • SEPA transfers SCT and SCT Inst, incoming and outgoing.
  • Direct debits SDD Core and B2B.
  • Reloadable wallets (e-money) for marketplaces and Merchant of Record.
  • KYC / KYB integrated (often Onfido, Veriff or Sumsub embedded).
  • Fraud monitoring at the transaction level.
  • Regulatory reporting: in practice, it is the BaaS that answers to the ACPR.

All via a REST API (or GraphQL at the most modern ones).

BaaS, Open Banking, embedded finance

Three close but distinct concepts:

BaaSOpen BankingEmbedded finance
Direction of the flowBank → fintech (B2B)Bank → TPP (B2B2C)Finance inside a non-financial product
Triggered byCommercial contractRegulation (PSD2)Product strategy
ExampleTreezor → QontoBridge reads your BNP accountUber pays its drivers via an integrated wallet

BaaS is often the technical means by which embedded finance is realised.

Two main models coexist:

  • PSP agent — the BaaS is the principal, the fintech is an agent registered with the ACPR. Accounts opened in the BaaS's name. Quick start, but strong dependency.
  • Distribution — the fintech is authorised in its own right (PI / EMI / CI) and uses the BaaS only for building blocks (card issuing, SEPA access). More expensive to set up, less dependent.

Many start as an agent and then migrate to their own authorisation (Qonto, N26, Lydia).

What BaaS is not

  • Not a consumer product: nobody "goes on Treezor", the BaaS is invisible.
  • Not Open Banking: Open Banking is regulated (PSD2, free of charge, AIS/PIS scope); BaaS is commercial (pricing, contract, SLA).
  • Not exempt from DORA / AML-CFT: the BaaS remains responsible for compliance towards the ACPR, and the agent fintech keeps its own obligations.
  • Not a risk-free partnership: a failure (Wirecard in 2020, the freeze of Railsr in 2023) freezes the partners' accounts. The continuity plan has been a DORA obligation since 2025.

The business models

  • Initial setup fee: €5K to €50K depending on the building blocks.
  • Fees per account opened: €0.5 to €5 per month.
  • Fees per card issued: €1 to €3 per month, plus the issuance.
  • Fees per transaction: a few cents to a few tens of cents.
  • Revenue share on card interchange (often 30% to 50% for the fintech).
  • Float on the funds ring-fenced at the third-party credit institution.

In the PSD2 ecosystem

BaaS is both a client of and a complement to PSD2: it lets hundreds of fintechs operate without their own authorisation, within a regulated framework carried by the principal. When the customer account is opened in its books, the BaaS is itself an ASPSP within the PSD2 meaning, and therefore subject to the XS2A API obligations.

Concrete examples

  • French BaaS: Treezor (Société Générale subsidiary, FR leader), Swan (API-first, European B2B), Sumeria for Business (from Lydia).
  • European BaaS: Solaris (Germany, in difficulty in 2024), Modulr (UK/Ireland), Railsr (UK, restructured in 2023), Bankable (UK), ConnectPay (Lithuania), Hype (Italy).
  • US BaaS: Unit, Synapse (bankruptcy in 2024), Marqeta, Galileo.
  • Pixpay case (teen account): runs on Treezor — each teen card is technically issued by Treezor, and the parent IBAN is hosted there.
  • 2023-2024 BaaS crisis: the bankruptcy of Synapse froze millions of dollars of fintech customers; Solaris had serious compliance problems. Hence a regulatory tightening and increased continuity-plan requirements.
  • Pricing: a European BaaS charges €2 to €10 per account per year, plus the interchange share and the setup — i.e. a break-even around 5,000 to 10,000 active customers.
  • Evolution: PSD3 (2026-2027) should clarify the status of infrastructure players (BaaS, card processors), with possible own-funds obligations and reinforced supervision.

Sources

Back to glossary