API Banking & BaaS 2026 — Solaris, Synapse, Treasury Prime, Unit, Galileo, Marqeta, Stripe Treasury Deep Dive

Prologue — What Synapse 2024 Left Behind, and the BaaS Starting Lines in Korea and Japan

On April 22, 2024, Synapse Financial Technologies (San Francisco, Y Combinator W14) filed for Chapter 11 in a California court. As a result, users of fintech apps like Yotta, Juno, and Copper lost access to their own money. After FDIC and Fed investigations, the shocking conclusion was $300M missing customer funds. It was the largest BaaS ledger reconciliation failure ever recorded.

After the Synapse incident, US BaaS went through a tumultuous period in 2024-2025. The Federal Reserve issued consent orders to sponsor banks like Evolve Bank & Trust, Lineage Bank, and Choice Financial Group, while the OCC strengthened its own guidance. Treasury Prime, Unit, and Synctera pivoted toward sponsor bank multiplexing, and Stripe Treasury, Adyen for Platforms, Marqeta, and Galileo, with their own licenses or trusted sponsor bank backbones, gained market share.

In Europe, Solaris (formerly Solarisbank, Berlin) struggled with ADAC and BaFin issues in 2022-2023 but recovered after license cleanup in 2025. In Korea, Finnq opened BaaS APIs as a joint venture with SK Telecom, Toss operates its own BaaS, and Kakaobank exposes 50+ open APIs to external fintechs. In Japan, GMO Aozora Net Bank's BaaS, BANKING.JP, Sumishin SBI Net Bank (NEOBANK brand), J-coin Pay, and Setou Bank's Embedded Finance define the JPY-integrated API.

This article is the full BaaS map — what BaaS is, what sponsor banks are, which middleware exists, what the Synapse incident changed, and how Korea and Japan differ.

BaaS (Banking-as-a-Service) is a 3-tier model: a sponsor bank with a banking license exposes its infrastructure (deposits, payments, card issuance, transfers, KYC) as APIs, middleware clusters and abstracts those APIs, and a fintech app sits on top.

Layer	Role	Examples
Sponsor bank	Banking license, FDIC insurance, actual fund custody	Evolve, Cross River, Pathward, Coastal, Lead Bank
Middleware (BaaS provider)	API standardization, ledger operations, compliance automation	Treasury Prime, Unit, Synctera, Stripe Treasury, Galileo
Card processor / Issuer	Card issuance, payment network	Marqeta, Galileo, i2c, Lithic
Fintech app	User interface, branding	Mercury, Brex, Ramp, Chime, Wealthfront, Robinhood

This 3-tier model creates two trade-offs.

Pros: Fintechs can launch fast without a banking license. Capital and regulatory burden are low.
Cons: When the ledger desyncs, responsibility is unclear. That is exactly what Synapse exposed.

The core question is "who holds the funds and who runs the ledger?" Funds must always sit with the sponsor bank, and the ledger must always reconcile between the sponsor bank's core banking system and the middleware's ledger. Synapse broke that reconciliation.

2. Embedded Finance `$300B+` Market — Why BaaS

Embedded Finance is the practice of non-financial companies embedding payments, deposits, cards, lending, and insurance into their own products. Bain & Company, McKinsey, and a16z estimate the 2026 global market at $300B+.

Payments: Shopify Payments, Uber driver payouts, Lyft Driver Account.
Deposits: Apple Cash, Apple Card Savings, Brex Cash.
Cards: Brex, Ramp, Mercury, Robinhood Cash Card.
Lending: Affirm BNPL, Klarna, Shopify Capital, Square Loans.
Insurance: Tesla Insurance, Lemonade, Hippo (covered in earlier posts).

For a non-financial company to get its own banking license, capital, time, and regulatory burdens are heavy. So they launch through a sponsor bank plus middleware. Affirm partners with Cross River, Mercury uses Choice, Evolve, and Coastal, and Brex partners with Column Bank.

The core value here is distribution cost. A fintech's user acquisition cost (CAC) runs >$50/account, but a non-financial company embedding finance over its existing user base effectively reduces CAC to zero. That is why BaaS does not disappear despite Synapse — the market just gets bigger, with stronger sponsor bank governance.

3. Solaris (Formerly Solarisbank) — The Revival of European BaaS

Solaris (Berlin, 2016) was Europe's BaaS flagship. With a BaFin (German Federal Financial Supervisory Authority) license, it served clients like ADAC, Samsung, Tomorrow, and Vivid.

2022-2023 were hard years. BaFin flagged Solaris's AML controls and governance, ADAC card issuance got delayed, and capital pressure mounted. In 2023, a KKR-led €100M funding round provided recovery capital, and by 2024-2025 the license cleanup was done.

As of 2026, Solaris offers the following lineup.

Banking license: Deposits, accounts, transfers, SEPA, SWIFT.
E-money license: Card issuance, payment processing, digital wallets.
Lending: BNPL, consumer loans (eligible partners only).
Crypto custody: Approved by BaFin in 2024.

The API surface looks like this.

# Solaris API — account creation + card issuance (conceptual cURL)
# 1) Customer KYC registration
curl -X POST https://api.solarisbank.de/v1/persons \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
        "first_name": "Mina",
        "last_name": "Kim",
        "birth_date": "1990-04-21",
        "nationality": "DE",
        "address": {"line_1": "Friedrichstrasse 1", "city": "Berlin", "country": "DE"}
      }'

# 2) Open account
curl -X POST https://api.solarisbank.de/v1/persons/$PERSON_ID/accounts \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"type": "CHECKING_PERSONAL", "currency": "EUR"}'

# 3) Issue a Visa card
curl -X POST https://api.solarisbank.de/v1/persons/$PERSON_ID/cards \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"type": "VISA_BUSINESS_DEBIT", "account_id": "$ACCOUNT_ID"}'

This lineup is the European BaaS standard. Outside Solaris, ClearBank in the UK, Bankera in Lithuania, and SumUp Bank in Germany run similar lineups.

4. The 2024 Synapse Bankruptcy — `$300M missing customer funds`

The center of gravity of this article. On April 22, 2024, Synapse filed for Chapter 11. Problems had been brewing for a while, but the trigger was the dispute with Evolve Bank & Trust.

Timeline:

2014: Synapse (San Francisco) starts as Y Combinator W14, connecting fintechs to sponsor banks as middleware.
2019-2022: Mercury, Yotta, Juno, Copper, Mainvest, and 100+ fintech clients onboard.
2023: Layoffs and capital shortfalls. Mercury starts migrating away from Synapse to direct sponsor bank integration.
March 2024: Evolve halts settlements over a reconciliation dispute with Synapse.
April 22, 2024: Chapter 11 filed.
May 2024: Users lose access to funds. One Yotta user has 80K USD frozen.
June 2024: Court-appointed trustee (Jelena McWilliams, former FDIC chair) begins investigation.
July-September 2024: $300M missing customer funds confirmed. Ledger mismatch makes tracking impossible.

Root cause analysis:

Ledger mismatch: Synapse's internal ledger no longer reconciled with Evolve's core banking system. It was impossible to know exactly which user owned what amount.
FBO account problem: Synapse operated For-Benefit-Of (FBO) accounts at sponsor banks. Multiple users' funds pooled into one account, with the per-user breakdown living only in Synapse's ledger.
Limits of FDIC pass-through: FDIC insurance applies only when the sponsor bank fails. When Synapse (middleware) failed, FDIC pass-through did not save users.
Governance gap: External audits and internal controls were insufficient.

This incident traumatized BaaS as a whole. Afterward, the Federal Reserve issued a consent order against Evolve, and Lineage Bank and Choice Financial Group received compliance directives. Unit and Treasury Prime pivoted toward sponsor bank multiplexing, and Stripe Treasury, Adyen for Platforms, and players with their own licenses or trusted sponsor bank backbones reclaimed market share.

After Synapse, US bank regulators issued strong orders against sponsor banks.

Evolve Bank & Trust (Arkansas, June 2024): Federal Reserve cease-and-desist. Required improvements in AML, BSA (Bank Secrecy Act), consumer protection, and third-party risk management.
Lineage Bank (Tennessee, Jan-Mar 2024): OCC consent order. Mandated fintech partner review.
Choice Financial Group (North Dakota, May 2024): Consent order, fintech partner limits.
Cross River Bank (NJ, April 2023): Prior FDIC consent order. Fair lending and third-party risk.
Sutton Bank (Ohio, February 2024): Compliance tightening.

The core message is "a sponsor bank is responsible for its fintech partners' behavior as if it were its own." Even when middleware fails, the sponsor bank takes the hit. As a result, sponsor banks became more selective with fintech partners, and some paused onboarding new fintechs altogether.

OCC updated its "Third-Party Risk Management" guidance in July 2024. Key requirements:

Quarterly third-party risk assessments.
Daily ledger reconciliation.
Sub-ledgers for pooled FBO accounts maintained by the sponsor bank itself.
Visibility into fintech partner affiliates and fund flows.
Contingency plans for adverse events (e.g., middleware financial distress).

6. Treasury Prime — The Multi-Bank Network Model

Treasury Prime (2017, San Francisco) is one of US BaaS's big three alongside Synapse and Unit. Its differentiator is the multi-bank network: fintechs choose among multiple sponsor banks through Treasury Prime.

As of 2026, Treasury Prime's sponsor bank network includes:

BMO Harris Bank (parent: BMO Financial Group)
BankProv (Massachusetts)
Emigrant Bank (New York)
LendingClub Bank (California)
Mid-Penn Bank (Pennsylvania)
Sutton Bank (Ohio)

The advantage is that fintechs do not depend on a single sponsor bank. If one bank halts onboarding over compliance issues, you can migrate or distribute to others.

The API is RESTful, with a surface similar to Stripe and Plaid.

// Treasury Prime — Node.js SDK example (conceptual)
import { TreasuryPrime } from '@treasuryprime/sdk'

const tp = new TreasuryPrime({ apiKey: process.env.TP_API_KEY })

// 1) Register person (auto-triggers KYC)
const person = await tp.persons.create({
  first_name: 'Jiwoo',
  last_name: 'Lee',
  date_of_birth: '1992-07-15',
  ssn: '123-45-6789',
  address: { line1: '1 Market St', city: 'San Francisco', state: 'CA', postal_code: '94105' },
})

// 2) Create account (sponsor bank selectable)
const account = await tp.accounts.create({
  person_id: person.id,
  product: 'CHECKING',
  bank: 'sutton',
})

// 3) ACH transfer
const transfer = await tp.transfers.create({
  source_account_id: account.id,
  destination_routing_number: '021000021',
  destination_account_number: '4444333322221111',
  amount: 50000, // 500.00 USD in cents
  type: 'ACH',
  direction: 'CREDIT',
})

Treasury Prime's value proposition is "no sponsor bank lock-in." Post-Synapse, that proposition carries more weight.

7. Unit — A BaaS Backed by Y Combinator and Bessemer

Unit (2019, Tel Aviv origin, HQ New York) graduated from Y Combinator W20. In 2022, a Bessemer-led Series C raised $100M+. As of 2026, Unit uses Blue Ridge Bank, Choice Financial Group, Thread Bank, and Pacific West Bank as sponsor banks.

Its differentiator is developer experience. Unit's DX most closely resembles Stripe's — docs, SDKs, dashboards are all fintech-friendly.

Core products:

Deposit accounts: Checking / Savings.
Debit/Credit cards: Virtual and physical.
ACH, Wire, Book Transfer: Unified transfer channels.
White-label app: Fintech-brand exposure.
Compliance automation: KYC, OFAC sanctions screening, transaction monitoring.

Unit's API follows the JSON:API standard.

// Unit — full stack account + card issuance (conceptual TypeScript)
import { Unit } from '@unit-finance/unit-node-sdk'

const unit = new Unit(process.env.UNIT_TOKEN!, 'https://api.s.unit.sh')

// 1) Create customer
const customer = await unit.customers.create({
  type: 'individualCustomer',
  attributes: {
    fullName: { first: 'Sora', last: 'Park' },
    dateOfBirth: '1991-03-12',
    ssn: '999887777',
    address: { street: '15 W 38th St', city: 'New York', state: 'NY', postalCode: '10018', country: 'US' },
  },
})

// 2) Open deposit account
const account = await unit.deposits.create({
  type: 'depositAccount',
  attributes: { depositProduct: 'checking' },
  relationships: { customer: { data: { type: 'customer', id: customer.data.id } } },
})

// 3) Issue debit card
const card = await unit.cards.create({
  type: 'individualDebitCard',
  attributes: { shippingAddress: customer.data.attributes.address },
  relationships: { account: { data: { type: 'depositAccount', id: account.data.id } } },
})

After Synapse 2024, Unit expanded to new sponsor banks and hardened its multi-bank model. As of 2026, Unit and Treasury Prime form the duopoly of US BaaS.

8. Galileo (SoFi Subsidiary) — Processing Backbone for `$50M+ accounts`

Galileo Financial Technologies (2000, Utah) is one of America's oldest payment processing backbones. SoFi acquired it for $1.2B in 2020, and since then it has served as SoFi's financial backbone while also providing processing services to external fintech customers (Chime, Robinhood, Dave, parts of Varo).

2026 statistics (Galileo official + SoFi 10-K):

Roughly $50M+ accounts processed (combined Chime, SoFi, Dave, and other fintechs)
Supported in the US, UK, Canada, Mexico, and Colombia
Monthly processing of $200B+ (TPV smaller than Marqeta, but account count is comparable in scale)

Galileo is closer to a card processing and ledger backbone than a BaaS provider proper. Sponsor banks are separate (in Chime's case, The Bancorp Bank and Stride Bank).

In this model, Galileo's value lies in card authorization, payment network integration, and ledger operations. When a fintech issues user cards as Chime does, Galileo exchanges ISO 8583 messages with Visa/Mastercard and records the transactions in the ledger.

Galileo's API is RESTful but isolated — a separate instance is deployed per fintech. It is not multi-tenant.

9. Marqeta — `$200B+ TPV` Card Issuance Specialist

Marqeta (2010, Oakland, California) is the global leader in card issuance. Post-2021 IPO, market cap has been volatile, but its position as a payments backbone remains solid as of 2026.

2026 statistics:

TPV (Total Processed Volume): $200B+ annually. $220B in 2025.
Top customers: Block (Cash App Card), DoorDash, Instacart, Uber, Affirm, Klarna, Coinbase (previously), JPMorgan Chase (off-market)
Cards issued: Visa, Mastercard, Discover, virtual and physical, EMV chip, contactless.
Markets: US, Canada, UK, EU, Australia, Japan (entered 2025).

Marqeta's differentiator is JIT (Just-in-Time) Funding. At card payment time, Marqeta calls a webhook to the fintech's backend, and the fintech decides funding right there. This model gives card issuance more freedom.

# Marqeta JIT Funding webhook handler (Python Flask conceptual)
from flask import Flask, request, jsonify

app = Flask(__name__)

@app.post('/marqeta/jit')
def jit_funding():
    payload = request.get_json()
    # Marqeta calls this JIT webhook right before card authorization
    user_id = payload['cardholder_user_token']
    amount_cents = int(payload['amount'] * 100)
    merchant_mcc = payload['mid'].get('mcc')

    # 1) Check user balance
    balance = get_user_balance(user_id)
    if balance < amount_cents:
        return jsonify({"jit_funding": {"decline_reason": "INSUFFICIENT_FUNDS"}}), 200

    # 2) MCC restrictions (block gambling MCC 7995)
    if merchant_mcc in ['7995', '7800']:
        return jsonify({"jit_funding": {"decline_reason": "MERCHANT_NOT_ALLOWED"}}), 200

    # 3) Place hold in our ledger
    hold_funds(user_id, amount_cents)

    # 4) Notify Marqeta of approval
    return jsonify({
        "jit_funding": {
            "amount": payload['amount'],
            "memo": "approved",
            "tags": "consumer-debit"
        }
    }), 200

Thanks to this model, spend-management companies like Brex and Ramp could launch. The moment a user swipes a card, the fintech's own compliance rules (e.g., policy-violating MCC blocking, limit management, GL category mapping) kick in immediately.

10. Stripe Treasury — The New BaaS Standard

Stripe Treasury (launched 2020) entered BaaS late but quickly became the standard. Goldman Sachs and Evolve Bank & Trust act as sponsor banks (as of 2026).

Differentiators:

Integration with Stripe API: Platforms already using Stripe Connect can add it with minimal friction.
Trust: Goldman Sachs as sponsor bank offsets the worries the Synapse incident raised.
API surface: Financial Account, Issuing, Treasury Send, OutboundTransfer, etc.

Stripe Treasury's primary users are B2B marketplaces and platforms: Shopify Balance, Lyft Driver Direct Deposit, parts of Grab's services in Southeast Asia.

# Stripe Treasury — create Financial Account and issue card
import stripe
stripe.api_key = "sk_live_..."

# 1) Create Financial Account on a Connected Account
financial_account = stripe.treasury.FinancialAccount.create(
    supported_currencies=["usd"],
    features={
        "card_issuing": {"requested": True},
        "deposit_insurance": {"requested": True},
        "financial_addresses": {"aba": {"requested": True}},
        "inbound_transfers": {"ach": {"requested": True}},
        "outbound_payments": {"ach": {"requested": True}, "us_domestic_wire": {"requested": True}},
        "outbound_transfers": {"ach": {"requested": True}, "us_domestic_wire": {"requested": True}},
    },
    stripe_account="acct_1NXY..."  # Connected Account
)

# 2) Issue an Issuing card
cardholder = stripe.issuing.Cardholder.create(
    type="individual",
    name="Yuna Choi",
    email="yuna@example.com",
    individual={"first_name": "Yuna", "last_name": "Choi", "dob": {"day": 14, "month": 6, "year": 1993}},
    billing={"address": {"line1": "1234 Market St", "city": "SF", "state": "CA", "postal_code": "94103", "country": "US"}},
    stripe_account="acct_1NXY..."
)

card = stripe.issuing.Card.create(
    cardholder=cardholder.id,
    currency="usd",
    type="virtual",
    financial_account=financial_account.id,
    stripe_account="acct_1NXY..."
)

Stripe Treasury's weakness is sponsor bank dependency. Outside Goldman and Evolve, options are limited. That contrasts with Treasury Prime's multi-bank model. But Stripe's global reputation and developer experience offset the drawback.

11. Adyen for Platforms — European Origin, Global Embedded Finance

Adyen (Netherlands, 1998) started in payment processing and expanded to embedded finance. Adyen for Platforms lets marketplaces and platforms offer payments, settlement, and card issuance to their own sub-merchants.

Differentiators:

Global: Europe, US, Asia, Latin America under a single API.
Own license: Adyen holds a European banking license (De Nederlandsche Bank) and US acquirer license itself. No separate sponsor bank.
Marketplace focus: Backbone for Uber, eBay, Etsy, etc.

Adyen for Platforms has been operating carded embedded finance in the US since 2024. A 2025 partnership with Klarna in the UK has also been announced.

12. BaaS Middleware Comparison Matrix

At this point, let us crystallize the matrix.

Item	Synapse (bankrupt)	Unit	Treasury Prime	Synctera	Stripe Treasury	Galileo	Marqeta
Status	Bankrupt 2024	Operating	Operating	Operating	Operating	SoFi subsidiary	NASDAQ-listed
Sponsor banks	Evolve and others	Blue Ridge, Choice, Thread	BMO Harris, Sutton, BankProv	Coastal, Sutton, NBKC, Lineage	Goldman, Evolve	Stride, Bancorp (Chime)	Various
Own license	None	None	None	None	None	None	None
Multi-bank	Partial	Progressive	Core value	Core value	Limited	Card processing only	Card issuance only
Card issuing	Integrated	Integrated	Integrated	Integrated	Stripe Issuing	Integrated	Core value
ACH/Wire	Integrated	Integrated	Integrated	Integrated	Integrated	Integrated	Separate
Global	US-centric	US	US	US	US + partial EU	US, UK, MX, CO	US, UK, EU, Japan
Notable customers	Mercury (formerly), Yotta	Brex (partial), Ramp	Mercury (formerly), Brex	Lili, Stoovo	Shopify Balance, Lyft	Chime, Robinhood, Dave	Block (Cash App), Affirm

13. BaaS Account Ledger Schema — The Core Data Model

The core of BaaS operation is the ledger. As Synapse showed, if the ledger is wrong, everything collapses. The 2026 standard ledger schema looks like this.

-- BaaS account ledger schema (PostgreSQL conceptual)
-- Double-entry ledger principle — every transaction is two rows (debit/credit)

CREATE TABLE accounts (
  id              UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  customer_id     UUID NOT NULL,
  sponsor_bank    TEXT NOT NULL,        -- 'evolve', 'cross_river', 'sutton'
  external_account_number TEXT NOT NULL,
  product         TEXT NOT NULL,        -- 'checking', 'savings', 'credit'
  currency        TEXT NOT NULL DEFAULT 'USD',
  status          TEXT NOT NULL,        -- 'open', 'frozen', 'closed'
  created_at      TIMESTAMPTZ NOT NULL DEFAULT now()
);

CREATE TABLE ledger_entries (
  id              BIGSERIAL PRIMARY KEY,
  transaction_id  UUID NOT NULL,        -- groups one transaction
  account_id      UUID NOT NULL REFERENCES accounts(id),
  direction       TEXT NOT NULL,        -- 'debit' or 'credit'
  amount_cents    BIGINT NOT NULL,
  currency        TEXT NOT NULL,
  balance_after   BIGINT NOT NULL,      -- balance after this entry
  description     TEXT,
  external_ref    TEXT,                 -- sponsor bank transaction id
  posted_at       TIMESTAMPTZ NOT NULL DEFAULT now(),
  CHECK (amount_cents > 0)
);

-- Daily reconciliation
CREATE TABLE reconciliation_runs (
  id              BIGSERIAL PRIMARY KEY,
  run_date        DATE NOT NULL,
  account_id      UUID NOT NULL REFERENCES accounts(id),
  internal_balance BIGINT NOT NULL,     -- BaaS middleware's own ledger balance
  external_balance BIGINT NOT NULL,     -- sponsor bank's core banking balance
  diff_cents      BIGINT NOT NULL,      -- internal - external
  status          TEXT NOT NULL,        -- 'matched', 'mismatch_minor', 'mismatch_critical'
  resolved_at     TIMESTAMPTZ
);

CREATE INDEX idx_ledger_account_posted ON ledger_entries(account_id, posted_at DESC);
CREATE INDEX idx_recon_status ON reconciliation_runs(status, run_date DESC);

The key is double-entry ledger. Every transaction is always two rows (debit + credit) summing to zero. Daily reconciliation with the sponsor bank's core banking system is required, with critical-level mismatch triggering an immediate alert.

OCC guidance mandates the sponsor bank performs this reconciliation itself. Trusting middleware's ledger alone is not allowed — the core lesson from Synapse.

14. KYC, AML, OFAC Compliance Automation

BaaS compliance burden is heavy. Every user must pass the following checks.

KYC (Know Your Customer): ID, SSN, address, DOB verification.
OFAC sanctions screening: US Treasury SDN List matching.
PEP (Politically Exposed Person) screening: politically exposed individuals.
Adverse media screening: negative media exposure.
CIP (Customer Identification Program): BSA requirement.

A separate market has formed around automation vendors.

Persona, Sumsub, Alloy: KYC + sanctions.
ComplyAdvantage, Refinitiv: sanctions + adverse media.
Socure: ID verification + fraud.
Plaid Identity Verification: KYC integration.

BaaS middleware typically integrates 1-3 of these vendors and exposes them as a single API to fintech clients.

Transaction monitoring is also mandatory. An AML rules engine detects transaction patterns (e.g., structuring, layering) and files SAR (Suspicious Activity Report) on suspicious activity. SARs are reported to FinCEN (US Financial Crimes Enforcement Network).

15. Korea BaaS — Finnq, Toss, Kakaobank

Korean BaaS evolved on a different path from the US and Europe. With MyData and Open Banking starting in 2019, bank APIs became externally accessible, and that flow led into BaaS.

Finnq — Founded in 2016 by SK Telecom and KEB Hana Bank as a joint venture. Originally a PFM (Personal Finance Management) app on MyData, opened BaaS APIs to external fintechs from 2023. Telco-bundled products are its differentiator.

Toss — Founded in 2014 by Viva Republica. Toss Bank is a separate internet-only bank, and some of Toss's APIs are exposed to external fintechs. With massive in-house infrastructure, Toss uses BaaS more internally than as a provider.

Kakaobank — Internet-only bank since 2017. In addition to Open Banking, it exposes 50+ proprietary APIs to external partners — FX, deposits, transfers, cards.

# Kakaobank Open API example — transfer API (conceptual cURL; actual endpoints may differ)
curl -X POST https://openapi.kakaobank.com/v2/transfer \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
        "fromAccount": "3333-01-1234567",
        "toBank": "088",
        "toAccount": "110-1234-5678",
        "amount": 100000,
        "memo": "monthly transfer"
      }'

Korea's distinctive feature is the existence of internet-only banks. Kakaobank, K Bank, and Toss Bank hold their own banking licenses, lowering sponsor bank dependence. The US BaaS middleware market is triggered by sponsor bank scarcity, while in Korea fintechs can take the path of becoming banks themselves.

Key regulators: Financial Services Commission, FSS (Financial Supervisory Service), and KFTC (Korea Financial Telecommunications and Clearings Institute). Since MyData (2022), consent-based data sharing has become the standard.

16. Japan BaaS — GMO Aozora, BANKING.JP, Sumishin SBI, J-coin

Japan is conservative but BaaS is accelerating. Key players:

GMO Aozora Net Bank (GMO Aozora Net Bank) — Founded 2018 as a joint venture of GMO Internet Group and Aozora Bank. A leading internet bank in BaaS. The subsidiary BANKING.JP exposes APIs to external fintechs.

BANKING.JP — GMO Aozora's BaaS brand. Accounts, transfers, and cards via API. Virtual account (furikomi-only account) API is its strength. Optimized for Japan's payment custom of furikomi (bank transfer).

Sumishin SBI Net Bank — Operates BaaS under the NEOBANK brand. Backs external brands like JAL Pay, Yamada NEOBANK, T NEOBANK.

J-coin Pay — Mizuho Bank-led QR payment. External fintechs can embed J-coin to process payments.

Setou Bank Embedded — Often cited as a hypothetical example, but symbolic of regional Japanese banks venturing into embedded finance.

Characteristics of JPY-integrated APIs:

Furikomi (bank transfer) is more important than cards. Both ATM and internet banking center on furikomi.
Virtual furikomi-only accounts are the core. A provider creates as many virtual accounts as it has users, and when a user transfers to their virtual account, the provider maps it to its own ledger.
My Number-linked KYC is standardized.

// BANKING.JP — create virtual account + match (conceptual TypeScript)
// Create a virtual account per user; when a deposit arrives, map to user

interface VirtualAccount {
  virtualAccountId: string
  customerId: string
  bankCode: string         // GMO Aozora: '0310'
  branchCode: string       // branch code
  accountNumber: string    // 8-digit virtual account number
  accountHolderName: string // kanji / katakana
  createdAt: string
}

async function createVirtualAccount(customerId: string): Promise<VirtualAccount> {
  const res = await fetch('https://api.banking.jp/v1/virtual-accounts', {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${process.env.BANKING_JP_TOKEN}`,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({
      customer_id: customerId,
      purpose: 'DEPOSIT',
      currency: 'JPY',
    }),
  })
  if (!res.ok) throw new Error(`virtual account creation failed: ${res.status}`)
  return res.json()
}

// Handle incoming-transfer webhook
async function handleIncomingTransfer(payload: {
  virtual_account_id: string
  amount: number
  sender_name: string
  received_at: string
}) {
  const va = await db.virtualAccounts.findById(payload.virtual_account_id)
  if (!va) {
    // No match — handle as unmapped deposit, return or manually match after 24h
    return enqueueUnmatchedDeposit(payload)
  }
  await db.ledgerEntries.create({
    accountId: va.customerId,
    direction: 'credit',
    amount: payload.amount,
    currency: 'JPY',
    externalRef: payload.received_at,
  })
}

Regulator: FSA (Financial Services Agency) governs. The 2024 amendment to the Payment Services Act (Shikin Kessai Hou) brought BaaS operators directly under regulation. Banking-agent license may also be required in certain cases.

17. US vs EU vs KR vs JP — BaaS Matrix

Item	US	EU	KR	JP
Notable sponsor banks	Cross River, Evolve, Coastal	Solaris, ClearBank	(Internet banks direct)	GMO Aozora, Sumishin SBI
Notable middleware	Treasury Prime, Unit, Synctera	Solaris (integrated), Railsr (former Railsbank)	Finnq, Toss	BANKING.JP
Card issuer	Marqeta, Galileo, Lithic	Marqeta EU, Modulr	BC Card, BC Global	Mastercard, JCB
Regulator	Fed, OCC, FDIC, CFPB	EBA, national (BaFin, FCA)	FSS, FSC	FSA, Bank of Japan
Key event	Synapse bankruptcy (2024)	Solaris BaFin issues (2022-23)	MyData rollout (2022)	Payment Services Act amendment (2024)
Own-license share	Low (mostly sponsor-bank)	Medium	High (internet banks)	Medium
FDIC pass-through	Applies (only sponsor bank protected)	DGS (deposit guarantee scheme)	KDIC up to KRW 50M	DICJ up to JPY 10M
Open Banking	Limited (CFPB 1033 underway)	PSD2/PSD3	Open Banking (2019-)	Open API (2018-)

18. BaaS Risks — Lessons After Synapse

The Synapse incident surfaced multiple risks.

Ledger integrity: If middleware ledger and sponsor bank core banking system desync, it's over.
Intrinsic FBO risk: With pooled funds, who owns how much is unclear.
Limits of FDIC pass-through: When middleware fails, FDIC does not help.
Governance gap: External audit and internal controls were weak.
Sponsor bank's expanded responsibility: Fed/OCC mandates sponsor banks own their fintech partners' behavior.

The 2026 standard BaaS-provider compliance posture:

Daily ledger reconciliation. Match against counterpart sponsor bank core banking system.
Per-customer sub-ledger kept by the sponsor bank separately.
Adverse-event contingency plan (e.g., middleware financial-distress scenario for user fund protection).
External audits (Big 4) on a quarterly cadence.
Board governance committee.

19. ACH, Wire, RTP, FedNow — Transfer Rail Integration

US transfer rails come in four flavors.

ACH (Automated Clearing House): Since the 1970s. Next-day or same-day settlement. Low fees. Bulk transactions.
Wire Transfer (Fedwire, CHIPS): Real-time during business hours. Large amounts. Higher fees.
RTP (Real-Time Payments): Operated by The Clearing House. Launched 2017. 24/7.
FedNow: Operated by the Federal Reserve. Launched July 2023. 24/7 real-time.

BaaS providers expose all four through a unified API. FedNow adoption ramped up rapidly in 2025-2026.

# BaaS — ACH vs RTP vs FedNow routing (conceptual)
def route_payment(amount_cents: int, urgency: str, recipient_routing: str) -> dict:
    """Choose transfer rail automatically"""
    if urgency == 'instant' and supports_rtp(recipient_routing):
        return {'channel': 'RTP', 'fee_cents': 25, 'eta_seconds': 10}
    if urgency == 'instant' and supports_fednow(recipient_routing):
        return {'channel': 'FedNow', 'fee_cents': 25, 'eta_seconds': 10}
    if amount_cents >= 100_000_00:  # 100K USD or more uses wire
        return {'channel': 'WIRE', 'fee_cents': 1500, 'eta_seconds': 7200}
    return {'channel': 'ACH', 'fee_cents': 5, 'eta_seconds': 86400}  # next day

Korea has instant transfers via Open Banking (BANK_TRAN), Japan operates the Zengin ZEDI and Zengin EDI as the core, with the recent Cotra 24/7 service introduced.

20. Card Issuance — Physical vs Virtual, JIT Funding Pattern

Card issuance is BaaS's flagship product. Two formats:

Virtual Card: Issued instantly, usable instantly. Push to Apple Pay / Google Pay.
Physical Card: 7-10 days by mail. EMV chip plus contactless.

Issuance patterns:

Prefund: Fintech prefunds each user's balance at the sponsor bank. Card spend deducts automatically.
JIT funding: Webhook to fintech at card-payment time. Fintech decides funding on the spot.

JIT funding's advantage is capital efficiency. Funds move only when the user swipes, so prefunding is unnecessary. This is core to Brex and Ramp.

# JIT funding security — webhook signature verification (Marqeta style)
import hashlib
import hmac
import os

def verify_marqeta_webhook(payload_raw: bytes, header_signature: str) -> bool:
    secret = os.environ['MARQETA_WEBHOOK_SECRET'].encode()
    expected = hmac.new(secret, payload_raw, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header_signature)

# Handler
def handle_jit_request(request):
    raw = request.body
    sig = request.headers.get('X-Marqeta-Signature', '')
    if not verify_marqeta_webhook(raw, sig):
        return 401, 'invalid signature'
    # ... then verify user balance and MCC

Webhook signature verification is critical. Without it, attackers can forge JIT responses and drain funds.

21. Sandbox and Test Environments — The Fintech Developer's Starting Point

The first step in choosing a BaaS provider is sandbox quality. Stripe Treasury, Unit, and Treasury Prime offer great sandboxes.

Test ABA routing numbers, test SSNs, test card numbers provided.
Event simulation: ACH return, chargeback, dispute, fraud alert.
Time acceleration: T+1 ACH simulated instantly.

// Unit sandbox — ACH return simulation (conceptual TypeScript)
// In production, ACH return comes as R01 (Insufficient Funds), etc.

await unit.simulations.simulateAchReturn({
  paymentId: 'payment_xxx',
  reason: 'R01',  // Insufficient Funds
})

// Handle R01 in your own webhook handler
async function handleAchReturn(event) {
  const payment = await db.payments.findById(event.paymentId)
  await db.payments.update(payment.id, { status: 'returned', returnCode: event.reason })
  await db.ledgerEntries.create({
    transactionId: payment.transactionId,
    accountId: payment.accountId,
    direction: 'debit',  // re-debit
    amountCents: payment.amount,
    description: `ACH Return: ${event.reason}`,
  })
}

Simulating every edge case in sandbox is what prevents production incidents.

22. Real-Time Ledger Updates and Idempotency

The operational core of BaaS API is idempotency. Even if the same request arrives twice, it must process once. Webhook retries or network timeouts always raise the possibility of duplication.

Idempotency Key: A client-generated UUID in the header on every mutating request.
Server-side storage: Persist key + response in DB. Return cached response on key replay.
TTL: Usually 24-48 hours.

// Idempotency pattern — Express + PostgreSQL (conceptual TypeScript)
app.post('/transfers', async (req, res) => {
  const key = req.headers['idempotency-key'] as string
  if (!key) return res.status(400).json({ error: 'missing Idempotency-Key' })

  const cached = await db.idempotency.findUnique({ where: { key } })
  if (cached) return res.status(cached.statusCode).json(cached.response)

  // New request
  const transfer = await createTransfer(req.body)
  const response = { id: transfer.id, status: transfer.status }
  await db.idempotency.create({
    data: { key, statusCode: 200, response, expiresAt: new Date(Date.now() + 24 * 3600 * 1000) },
  })
  res.status(200).json(response)
})

Missing this pattern means users trying to transfer once may transfer twice. It is one of the most common operational incidents in BaaS.

23. The Future in Korea and Japan — What's Next

Korea:

Internet-only banks are strong. The path of becoming a bank directly is more available than BaaS middleware.
API standardization across Finnq, Toss, Kakaobank, and K Bank is in progress.
MyData (2022) and Open Banking (2019) are the infrastructure.
2025-2026 themes include embedded FX and remittance (partnerships with Wirebarley, Sentbe, Moin).

Japan:

The 2024 Payment Services Act amendment puts BaaS clearly within scope of regulation.
GMO Aozora, Sumishin SBI, and Minna Bank compete for the BaaS backbone position.
My Number-linked KYC via My Number Portal accelerates digital KYC.
2026 themes include 24/7 embedded transfers (J-coin Pay, Cotra).

United States:

After Synapse, the sponsor-bank governance trend will continue into 2027-2028.
The Fed's master account policy is a key variable — whether fintechs can hold Fed accounts directly.
Bank charter applications are increasing (SoFi and Square already received them). Middleware moving toward owning licenses.

Europe:

After the Solaris and Railsr recovery, the market stabilized. Klarna and Revolut accelerated own-license efforts.
PSD3 (under negotiation 2024-2026) is the next standard. AISP and PISP responsibility will be clarified.

24. Integration Checklist — Before Choosing a BaaS Provider

A practical checklist to close.

Sponsor bank stability: Tier 1 capital ratio, CAMELS rating, recent consent orders.
Multi-bank support: Can you migrate if one sponsor bank halts?
Ledger model: Double-entry, daily reconciliation, sub-ledger custody location.
Compliance automation: KYC, OFAC, transaction monitoring, SAR automation.
API quality: Docs, SDKs, sandbox, webhook stability, idempotency support.
Card issuance: Virtual/physical, JIT funding support, push to Apple/Google Pay.
Transfer rails: ACH, wire, RTP, FedNow all supported.
Global support: If you have plans outside the US.
Cost model: Per-account, per-transaction, monthly minimum.
Data extraction: Pull accounts and transactions via API/Webhook/CSV.
Adverse-event scenarios: Playbook for middleware or sponsor-bank distress.
Legal structure: FBO vs sub-account, FDIC pass-through coverage.
External audits: Big 4 audits, SOC 2 Type II holdings.
Customer support: 24/7 ops, escalation path, postmortem disclosure policy.
Joint liability (the Synapse lesson): Contractual clarity on middleware vs sponsor bank responsibility.

These fifteen are the 2026 standard for evaluating BaaS providers. The biggest lesson Synapse left behind is that "BaaS is not just an API; it is infrastructure of trust and the safety of money." Beneath the advantage of fast launches lies a deep governance burden. Fintechs that fail to fully grasp it may one day end up like Yotta — apologizing to their own users.

References

Solaris — https://www.solarisgroup.com/
Treasury Prime — https://www.treasuryprime.com/
Unit — https://www.unit.co/
Synctera — https://www.synctera.com/
Galileo Financial Technologies — https://www.galileo-ft.com/
Marqeta — https://www.marqeta.com/
Stripe Treasury — https://stripe.com/treasury
Adyen for Platforms — https://www.adyen.com/platforms
Federal Reserve Board (Evolve consent order, 2024) — https://www.federalreserve.gov/newsevents/pressreleases/enforcement20240614a.htm
OCC Third-Party Risk Management — https://www.occ.gov/news-issuances/news-releases/2023/nr-ia-2023-53.html
FDIC Pass-Through Deposit Insurance Coverage — https://www.fdic.gov/resources/deposit-insurance/brochures/insured-deposits/
Synapse Bankruptcy Court Filings (US Bankruptcy Court, Central District of California) — https://www.pacer.gov/
Jelena McWilliams (Synapse Trustee, ex-FDIC Chair) — https://www.fdic.gov/about/leadership/mcwilliams.html
CFPB 1033 (Open Banking, US) — https://www.consumerfinance.gov/rules-policy/regulations/1033/
BaFin (German Federal Financial Supervisory Authority) — https://www.bafin.de/EN/
Finnq — https://www.finnq.com/
Toss — https://toss.im/
Kakaobank — https://www.kakaobank.com/
Korea Financial Supervisory Service (FSS) — https://www.fss.or.kr/
Korea Financial Telecommunications and Clearings Institute (KFTC, Open Banking) — https://www.kftc.or.kr/
GMO Aozora Net Bank — https://gmo-aozora.com/
BANKING.JP — https://corp.banking.jp/
Sumishin SBI Net Bank — https://www.netbk.co.jp/
Japan Financial Services Agency (FSA) — https://www.fsa.go.jp/en/
Mercury — https://mercury.com/
Brex — https://www.brex.com/
Ramp — https://ramp.com/
Chime — https://www.chime.com/