💡 왼쪽 원문을 읽으면서 오른쪽에 따라 써보세요. Tab 키로 힌트를 받을 수 있습니다.

원문 렌더가 준비되기 전까지 텍스트 가이드로 표시합니다.

Prologue — What Synapse 2024 Left Behind, and the BaaS Starting Lines in Korea and Japan

On April 22, 2024, Synapse Financial Technologies (San Francisco, Y Combinator W14) filed for Chapter 11 in a California court. As a result, users of fintech apps like Yotta, Juno, and Copper lost access to their own money. After FDIC and Fed investigations, the shocking conclusion was `$300M missing customer funds`. It was the largest BaaS ledger reconciliation failure ever recorded.

After the Synapse incident, US BaaS went through a tumultuous period in 2024-2025. The Federal Reserve issued consent orders to sponsor banks like Evolve Bank & Trust, Lineage Bank, and Choice Financial Group, while the OCC strengthened its own guidance. Treasury Prime, Unit, and Synctera pivoted toward sponsor bank multiplexing, and **Stripe Treasury, Adyen for Platforms, Marqeta, and Galileo, with their own licenses or trusted sponsor bank backbones, gained market share.**

In Europe, Solaris (formerly Solarisbank, Berlin) struggled with ADAC and BaFin issues in 2022-2023 but recovered after license cleanup in 2025. In Korea, Finnq opened BaaS APIs as a joint venture with SK Telecom, Toss operates its own BaaS, and Kakaobank exposes 50+ open APIs to external fintechs. In Japan, GMO Aozora Net Bank's BaaS, BANKING.JP, Sumishin SBI Net Bank (NEOBANK brand), J-coin Pay, and Setou Bank's Embedded Finance define the JPY-integrated API.

This article is the full BaaS map — what BaaS is, what sponsor banks are, which middleware exists, what the Synapse incident changed, and how Korea and Japan differ.

1. What Is BaaS — Sponsor Bank + Middleware + Fintech App

BaaS (Banking-as-a-Service) is a 3-tier model: a sponsor bank with a banking license exposes its infrastructure (deposits, payments, card issuance, transfers, KYC) as APIs, middleware clusters and abstracts those APIs, and a fintech app sits on top.

| Layer | Role | Examples |

| --- | --- | --- |

| Sponsor bank | Banking license, FDIC insurance, actual fund custody | Evolve, Cross River, Pathward, Coastal, Lead Bank |

| Middleware (BaaS provider) | API standardization, ledger operations, compliance automation | Treasury Prime, Unit, Synctera, Stripe Treasury, Galileo |

| Card processor / Issuer | Card issuance, payment network | Marqeta, Galileo, i2c, Lithic |

| Fintech app | User interface, branding | Mercury, Brex, Ramp, Chime, Wealthfront, Robinhood |

This 3-tier model creates two trade-offs.

- **Pros**: Fintechs can launch fast without a banking license. Capital and regulatory burden are low.

- **Cons**: When the ledger desyncs, responsibility is unclear. That is exactly what Synapse exposed.

The core question is **"who holds the funds and who runs the ledger?"** Funds must always sit with the sponsor bank, and the ledger must always reconcile between the sponsor bank's core banking system and the middleware's ledger. Synapse broke that reconciliation.

2. Embedded Finance `$300B+` Market — Why BaaS

Embedded Finance is the practice of non-financial companies embedding payments, deposits, cards, lending, and insurance into their own products. Bain & Company, McKinsey, and a16z estimate the 2026 global market at `$300B+`.

- Payments: Shopify Payments, Uber driver payouts, Lyft Driver Account.

- Deposits: Apple Cash, Apple Card Savings, Brex Cash.

- Cards: Brex, Ramp, Mercury, Robinhood Cash Card.

- Lending: Affirm BNPL, Klarna, Shopify Capital, Square Loans.

- Insurance: Tesla Insurance, Lemonade, Hippo (covered in earlier posts).

For a non-financial company to get its own banking license, capital, time, and regulatory burdens are heavy. So they launch through a sponsor bank plus middleware. **Affirm partners with Cross River, Mercury uses Choice, Evolve, and Coastal, and Brex partners with Column Bank.**

The core value here is distribution cost. A fintech's user acquisition cost (CAC) runs `>$50/account`, but a non-financial company embedding finance over its existing user base effectively reduces CAC to zero. That is why BaaS does not disappear despite Synapse — the market just gets bigger, with stronger sponsor bank governance.

3. Solaris (Formerly Solarisbank) — The Revival of European BaaS

Solaris (Berlin, 2016) was Europe's BaaS flagship. With a BaFin (German Federal Financial Supervisory Authority) license, it served clients like ADAC, Samsung, Tomorrow, and Vivid.

2022-2023 were hard years. BaFin flagged Solaris's AML controls and governance, ADAC card issuance got delayed, and capital pressure mounted. In 2023, a KKR-led €100M funding round provided recovery capital, and by 2024-2025 the license cleanup was done.

As of 2026, Solaris offers the following lineup.

- **Banking license**: Deposits, accounts, transfers, SEPA, SWIFT.

- **E-money license**: Card issuance, payment processing, digital wallets.

- **Lending**: BNPL, consumer loans (eligible partners only).

- **Crypto custody**: Approved by BaFin in 2024.

The API surface looks like this.

Solaris API — account creation + card issuance (conceptual cURL)

1) Customer KYC registration

curl -X POST https://api.solarisbank.de/v1/persons \

-H "Authorization: Bearer $TOKEN" \

-H "Content-Type: application/json" \

-d '{

"first_name": "Mina",

"last_name": "Kim",

"birth_date": "1990-04-21",

"nationality": "DE",

"address": {"line_1": "Friedrichstrasse 1", "city": "Berlin", "country": "DE"}

2) Open account

curl -X POST https://api.solarisbank.de/v1/persons/$PERSON_ID/accounts \

-H "Authorization: Bearer $TOKEN" \

-d '{"type": "CHECKING_PERSONAL", "currency": "EUR"}'

3) Issue a Visa card

curl -X POST https://api.solarisbank.de/v1/persons/$PERSON_ID/cards \

-H "Authorization: Bearer $TOKEN" \

-d '{"type": "VISA_BUSINESS_DEBIT", "account_id": "$ACCOUNT_ID"}'

This lineup is the European BaaS standard. Outside Solaris, ClearBank in the UK, Bankera in Lithuania, and SumUp Bank in Germany run similar lineups.

4. The 2024 Synapse Bankruptcy — `$300M missing customer funds`

The center of gravity of this article. On April 22, 2024, Synapse filed for Chapter 11. Problems had been brewing for a while, but the trigger was the dispute with Evolve Bank & Trust.

Timeline:

- 2014: Synapse (San Francisco) starts as Y Combinator W14, connecting fintechs to sponsor banks as middleware.

- 2019-2022: Mercury, Yotta, Juno, Copper, Mainvest, and 100+ fintech clients onboard.

- 2023: Layoffs and capital shortfalls. Mercury starts migrating away from Synapse to direct sponsor bank integration.

- March 2024: Evolve halts settlements over a reconciliation dispute with Synapse.

- April 22, 2024: Chapter 11 filed.

- May 2024: Users lose access to funds. One Yotta user has 80K USD frozen.

- June 2024: Court-appointed trustee (Jelena McWilliams, former FDIC chair) begins investigation.

- July-September 2024: `$300M missing customer funds` confirmed. Ledger mismatch makes tracking impossible.

Root cause analysis:

1. **Ledger mismatch**: Synapse's internal ledger no longer reconciled with Evolve's core banking system. It was impossible to know exactly which user owned what amount.

2. **FBO account problem**: Synapse operated For-Benefit-Of (FBO) accounts at sponsor banks. Multiple users' funds pooled into one account, with the per-user breakdown living only in Synapse's ledger.

3. **Limits of FDIC pass-through**: FDIC insurance applies only when the sponsor bank fails. When Synapse (middleware) failed, FDIC pass-through did not save users.

4. **Governance gap**: External audits and internal controls were insufficient.

This incident traumatized BaaS as a whole. Afterward, the Federal Reserve issued a consent order against Evolve, and Lineage Bank and Choice Financial Group received compliance directives. **Unit and Treasury Prime pivoted toward sponsor bank multiplexing, and Stripe Treasury, Adyen for Platforms, and players with their own licenses or trusted sponsor bank backbones reclaimed market share.**

5. Federal Reserve / OCC Consent Orders — Regulatory Tightening

After Synapse, US bank regulators issued strong orders against sponsor banks.

- **Evolve Bank & Trust (Arkansas, June 2024)**: Federal Reserve cease-and-desist. Required improvements in AML, BSA (Bank Secrecy Act), consumer protection, and third-party risk management.

- **Lineage Bank (Tennessee, Jan-Mar 2024)**: OCC consent order. Mandated fintech partner review.

- **Choice Financial Group (North Dakota, May 2024)**: Consent order, fintech partner limits.

- **Cross River Bank (NJ, April 2023)**: Prior FDIC consent order. Fair lending and third-party risk.

- **Sutton Bank (Ohio, February 2024)**: Compliance tightening.

The core message is **"a sponsor bank is responsible for its fintech partners' behavior as if it were its own."** Even when middleware fails, the sponsor bank takes the hit. As a result, sponsor banks became more selective with fintech partners, and some paused onboarding new fintechs altogether.

OCC updated its "Third-Party Risk Management" guidance in July 2024. Key requirements:

1. Quarterly third-party risk assessments.

2. Daily ledger reconciliation.

3. Sub-ledgers for pooled FBO accounts maintained by the sponsor bank itself.

4. Visibility into fintech partner affiliates and fund flows.

5. Contingency plans for adverse events (e.g., middleware financial distress).

6. Treasury Prime — The Multi-Bank Network Model

Treasury Prime (2017, San Francisco) is one of US BaaS's big three alongside Synapse and Unit. Its differentiator is the **multi-bank network**: fintechs choose among multiple sponsor banks through Treasury Prime.

As of 2026, Treasury Prime's sponsor bank network includes:

- BMO Harris Bank (parent: BMO Financial Group)

- BankProv (Massachusetts)

- Emigrant Bank (New York)

- LendingClub Bank (California)

- Mid-Penn Bank (Pennsylvania)

- Sutton Bank (Ohio)

The advantage is that fintechs do not depend on a single sponsor bank. If one bank halts onboarding over compliance issues, you can migrate or distribute to others.

The API is RESTful, with a surface similar to Stripe and Plaid.

// Treasury Prime — Node.js SDK example (conceptual)

const tp = new TreasuryPrime({ apiKey: process.env.TP_API_KEY })

// 1) Register person (auto-triggers KYC)

const person = await tp.persons.create({

first_name: 'Jiwoo',

last_name: 'Lee',

date_of_birth: '1992-07-15',

ssn: '123-45-6789',

address: { line1: '1 Market St', city: 'San Francisco', state: 'CA', postal_code: '94105' },

})

// 2) Create account (sponsor bank selectable)

const account = await tp.accounts.create({

person_id: person.id,

product: 'CHECKING',

bank: 'sutton',

})

// 3) ACH transfer

const transfer = await tp.transfers.create({

source_account_id: account.id,

destination_routing_number: '021000021',

destination_account_number: '4444333322221111',

amount: 50000, // 500.00 USD in cents

type: 'ACH',

direction: 'CREDIT',

})

Treasury Prime's value proposition is **"no sponsor bank lock-in."** Post-Synapse, that proposition carries more weight.

7. Unit — A BaaS Backed by Y Combinator and Bessemer

Unit (2019, Tel Aviv origin, HQ New York) graduated from Y Combinator W20. In 2022, a Bessemer-led Series C raised `$100M+`. As of 2026, Unit uses Blue Ridge Bank, Choice Financial Group, Thread Bank, and Pacific West Bank as sponsor banks.

Its differentiator is **developer experience**. Unit's DX most closely resembles Stripe's — docs, SDKs, dashboards are all fintech-friendly.

Core products:

- **Deposit accounts**: Checking / Savings.

- **Debit/Credit cards**: Virtual and physical.

- **ACH, Wire, Book Transfer**: Unified transfer channels.

- **White-label app**: Fintech-brand exposure.

- **Compliance automation**: KYC, OFAC sanctions screening, transaction monitoring.

Unit's API follows the JSON:API standard.

// Unit — full stack account + card issuance (conceptual TypeScript)

const unit = new Unit(process.env.UNIT_TOKEN!, 'https://api.s.unit.sh')

// 1) Create customer

const customer = await unit.customers.create({

type: 'individualCustomer',

attributes: {

fullName: { first: 'Sora', last: 'Park' },

dateOfBirth: '1991-03-12',

ssn: '999887777',

address: { street: '15 W 38th St', city: 'New York', state: 'NY', postalCode: '10018', country: 'US' },

})

// 2) Open deposit account

const account = await unit.deposits.create({

type: 'depositAccount',

attributes: { depositProduct: 'checking' },

relationships: { customer: { data: { type: 'customer', id: customer.data.id } } },

})

// 3) Issue debit card

const card = await unit.cards.create({

type: 'individualDebitCard',

attributes: { shippingAddress: customer.data.attributes.address },

relationships: { account: { data: { type: 'depositAccount', id: account.data.id } } },

})

After Synapse 2024, Unit expanded to new sponsor banks and hardened its multi-bank model. As of 2026, Unit and Treasury Prime form the duopoly of US BaaS.

8. Galileo (SoFi Subsidiary) — Processing Backbone for `$50M+ accounts`

Galileo Financial Technologies (2000, Utah) is one of America's oldest payment processing backbones. SoFi acquired it for `$1.2B` in 2020, and since then it has served as SoFi's financial backbone while also providing processing services to external fintech customers (Chime, Robinhood, Dave, parts of Varo).

2026 statistics (Galileo official + SoFi 10-K):

- Roughly `$50M+ accounts` processed (combined Chime, SoFi, Dave, and other fintechs)

- Supported in the US, UK, Canada, Mexico, and Colombia

- Monthly processing of `$200B+` (TPV smaller than Marqeta, but account count is comparable in scale)

Galileo is closer to a **card processing and ledger backbone** than a BaaS provider proper. Sponsor banks are separate (in Chime's case, The Bancorp Bank and Stride Bank).

In this model, Galileo's value lies in **card authorization, payment network integration, and ledger operations**. When a fintech issues user cards as Chime does, Galileo exchanges ISO 8583 messages with Visa/Mastercard and records the transactions in the ledger.

Galileo's API is RESTful but isolated — a separate instance is deployed per fintech. It is not multi-tenant.

9. Marqeta — `$200B+ TPV` Card Issuance Specialist

Marqeta (2010, Oakland, California) is the global leader in card issuance. Post-2021 IPO, market cap has been volatile, but its position as a payments backbone remains solid as of 2026.

2026 statistics:

- TPV (Total Processed Volume): `$200B+` annually. `$220B` in 2025.

- Top customers: Block (Cash App Card), DoorDash, Instacart, Uber, Affirm, Klarna, Coinbase (previously), JPMorgan Chase (off-market)

- Cards issued: Visa, Mastercard, Discover, virtual and physical, EMV chip, contactless.

- Markets: US, Canada, UK, EU, Australia, Japan (entered 2025).

Marqeta's differentiator is **JIT (Just-in-Time) Funding**. At card payment time, Marqeta calls a webhook to the fintech's backend, and the fintech decides funding right there. This model gives card issuance more freedom.

Marqeta JIT Funding webhook handler (Python Flask conceptual)

from flask import Flask, request, jsonify

app = Flask(__name__)

@app.post('/marqeta/jit')

def jit_funding():

payload = request.get_json()

Marqeta calls this JIT webhook right before card authorization

user_id = payload['cardholder_user_token']

amount_cents = int(payload['amount'] * 100)

merchant_mcc = payload['mid'].get('mcc')

1) Check user balance

balance = get_user_balance(user_id)

if balance < amount_cents:

return jsonify({"jit_funding": {"decline_reason": "INSUFFICIENT_FUNDS"}}), 200

2) MCC restrictions (block gambling MCC 7995)

if merchant_mcc in ['7995', '7800']:

return jsonify({"jit_funding": {"decline_reason": "MERCHANT_NOT_ALLOWED"}}), 200

3) Place hold in our ledger

hold_funds(user_id, amount_cents)

4) Notify Marqeta of approval

return jsonify({

"jit_funding": {

"amount": payload['amount'],

"memo": "approved",

"tags": "consumer-debit"

}

}), 200

Thanks to this model, spend-management companies like Brex and Ramp could launch. The moment a user swipes a card, the fintech's own compliance rules (e.g., policy-violating MCC blocking, limit management, GL category mapping) kick in immediately.

10. Stripe Treasury — The New BaaS Standard

Stripe Treasury (launched 2020) entered BaaS late but quickly became the standard. Goldman Sachs and Evolve Bank & Trust act as sponsor banks (as of 2026).

Differentiators:

- **Integration with Stripe API**: Platforms already using Stripe Connect can add it with minimal friction.

- **Trust**: Goldman Sachs as sponsor bank offsets the worries the Synapse incident raised.

- **API surface**: Financial Account, Issuing, Treasury Send, OutboundTransfer, etc.

Stripe Treasury's primary users are **B2B marketplaces and platforms**: Shopify Balance, Lyft Driver Direct Deposit, parts of Grab's services in Southeast Asia.

Stripe Treasury — create Financial Account and issue card

stripe.api_key = "sk_live_..."

1) Create Financial Account on a Connected Account

financial_account = stripe.treasury.FinancialAccount.create(

supported_currencies=["usd"],

features={

"card_issuing": {"requested": True},

"deposit_insurance": {"requested": True},

"financial_addresses": {"aba": {"requested": True}},

"inbound_transfers": {"ach": {"requested": True}},

"outbound_payments": {"ach": {"requested": True}, "us_domestic_wire": {"requested": True}},

"outbound_transfers": {"ach": {"requested": True}, "us_domestic_wire": {"requested": True}},

stripe_account="acct_1NXY..." # Connected Account

)

2) Issue an Issuing card

cardholder = stripe.issuing.Cardholder.create(

type="individual",

name="Yuna Choi",

email="yuna@example.com",

individual={"first_name": "Yuna", "last_name": "Choi", "dob": {"day": 14, "month": 6, "year": 1993}},

billing={"address": {"line1": "1234 Market St", "city": "SF", "state": "CA", "postal_code": "94103", "country": "US"}},

stripe_account="acct_1NXY..."

)

card = stripe.issuing.Card.create(

cardholder=cardholder.id,

currency="usd",

type="virtual",

financial_account=financial_account.id,

stripe_account="acct_1NXY..."

)

Stripe Treasury's weakness is sponsor bank dependency. Outside Goldman and Evolve, options are limited. That contrasts with Treasury Prime's multi-bank model. But Stripe's global reputation and developer experience offset the drawback.

11. Adyen for Platforms — European Origin, Global Embedded Finance

Adyen (Netherlands, 1998) started in payment processing and expanded to embedded finance. Adyen for Platforms lets marketplaces and platforms offer payments, settlement, and card issuance to their own sub-merchants.

Differentiators:

- **Global**: Europe, US, Asia, Latin America under a single API.

- **Own license**: Adyen holds a European banking license (De Nederlandsche Bank) and US acquirer license itself. No separate sponsor bank.

- **Marketplace focus**: Backbone for Uber, eBay, Etsy, etc.

Adyen for Platforms has been operating carded embedded finance in the US since 2024. A 2025 partnership with Klarna in the UK has also been announced.

12. BaaS Middleware Comparison Matrix

At this point, let us crystallize the matrix.

| --- | --- | --- | --- | --- | --- | --- | --- |

13. BaaS Account Ledger Schema — The Core Data Model

The core of BaaS operation is the ledger. As Synapse showed, if the ledger is wrong, everything collapses. The 2026 standard ledger schema looks like this.

-- BaaS account ledger schema (PostgreSQL conceptual)

-- Double-entry ledger principle — every transaction is two rows (debit/credit)

CREATE TABLE accounts (

id UUID PRIMARY KEY DEFAULT gen_random_uuid(),

customer_id UUID NOT NULL,

sponsor_bank TEXT NOT NULL, -- 'evolve', 'cross_river', 'sutton'

external_account_number TEXT NOT NULL,

product TEXT NOT NULL, -- 'checking', 'savings', 'credit'

currency TEXT NOT NULL DEFAULT 'USD',

status TEXT NOT NULL, -- 'open', 'frozen', 'closed'

created_at TIMESTAMPTZ NOT NULL DEFAULT now()

);

CREATE TABLE ledger_entries (

id BIGSERIAL PRIMARY KEY,

transaction_id UUID NOT NULL, -- groups one transaction

account_id UUID NOT NULL REFERENCES accounts(id),

direction TEXT NOT NULL, -- 'debit' or 'credit'

amount_cents BIGINT NOT NULL,

currency TEXT NOT NULL,

balance_after BIGINT NOT NULL, -- balance after this entry

description TEXT,

external_ref TEXT, -- sponsor bank transaction id

posted_at TIMESTAMPTZ NOT NULL DEFAULT now(),

CHECK (amount_cents > 0)

);

-- Daily reconciliation

CREATE TABLE reconciliation_runs (

id BIGSERIAL PRIMARY KEY,

run_date DATE NOT NULL,

account_id UUID NOT NULL REFERENCES accounts(id),

internal_balance BIGINT NOT NULL, -- BaaS middleware's own ledger balance

external_balance BIGINT NOT NULL, -- sponsor bank's core banking balance

diff_cents BIGINT NOT NULL, -- internal - external

status TEXT NOT NULL, -- 'matched', 'mismatch_minor', 'mismatch_critical'

resolved_at TIMESTAMPTZ

);

CREATE INDEX idx_ledger_account_posted ON ledger_entries(account_id, posted_at DESC);

CREATE INDEX idx_recon_status ON reconciliation_runs(status, run_date DESC);

The key is **double-entry ledger**. Every transaction is always two rows (debit + credit) summing to zero. Daily reconciliation with the sponsor bank's core banking system is required, with critical-level mismatch triggering an immediate alert.

OCC guidance mandates **the sponsor bank performs this reconciliation itself**. Trusting middleware's ledger alone is not allowed — the core lesson from Synapse.

14. KYC, AML, OFAC Compliance Automation

BaaS compliance burden is heavy. Every user must pass the following checks.

1. **KYC (Know Your Customer)**: ID, SSN, address, DOB verification.

2. **OFAC sanctions screening**: US Treasury SDN List matching.

3. **PEP (Politically Exposed Person) screening**: politically exposed individuals.

4. **Adverse media screening**: negative media exposure.

5. **CIP (Customer Identification Program)**: BSA requirement.

A separate market has formed around automation vendors.

- **Persona, Sumsub, Alloy**: KYC + sanctions.

- **ComplyAdvantage, Refinitiv**: sanctions + adverse media.

- **Socure**: ID verification + fraud.

- **Plaid Identity Verification**: KYC integration.

BaaS middleware typically integrates 1-3 of these vendors and exposes them as a single API to fintech clients.

Transaction monitoring is also mandatory. An AML rules engine detects transaction patterns (e.g., structuring, layering) and files SAR (Suspicious Activity Report) on suspicious activity. SARs are reported to FinCEN (US Financial Crimes Enforcement Network).

15. Korea BaaS — Finnq, Toss, Kakaobank

Korean BaaS evolved on a different path from the US and Europe. With MyData and Open Banking starting in 2019, bank APIs became externally accessible, and that flow led into BaaS.

**Finnq** — Founded in 2016 by SK Telecom and KEB Hana Bank as a joint venture. Originally a PFM (Personal Finance Management) app on MyData, opened BaaS APIs to external fintechs from 2023. Telco-bundled products are its differentiator.

**Toss** — Founded in 2014 by Viva Republica. Toss Bank is a separate internet-only bank, and some of Toss's APIs are exposed to external fintechs. With massive in-house infrastructure, Toss uses BaaS more internally than as a provider.

**Kakaobank** — Internet-only bank since 2017. In addition to Open Banking, it exposes 50+ proprietary APIs to external partners — FX, deposits, transfers, cards.

Kakaobank Open API example — transfer API (conceptual cURL; actual endpoints may differ)

curl -X POST https://openapi.kakaobank.com/v2/transfer \

-H "Authorization: Bearer $ACCESS_TOKEN" \

-H "Content-Type: application/json" \

-d '{

"fromAccount": "3333-01-1234567",

"toBank": "088",

"toAccount": "110-1234-5678",

"amount": 100000,

"memo": "monthly transfer"

Korea's distinctive feature is **the existence of internet-only banks**. Kakaobank, K Bank, and Toss Bank hold their own banking licenses, lowering sponsor bank dependence. The US BaaS middleware market is triggered by sponsor bank scarcity, while in Korea fintechs can take the path of becoming banks themselves.

**Key regulators**: Financial Services Commission, FSS (Financial Supervisory Service), and KFTC (Korea Financial Telecommunications and Clearings Institute). Since MyData (2022), consent-based data sharing has become the standard.

16. Japan BaaS — GMO Aozora, BANKING.JP, Sumishin SBI, J-coin

Japan is conservative but BaaS is accelerating. Key players:

**GMO Aozora Net Bank (GMO Aozora Net Bank)** — Founded 2018 as a joint venture of GMO Internet Group and Aozora Bank. A leading internet bank in BaaS. The subsidiary BANKING.JP exposes APIs to external fintechs.

**BANKING.JP** — GMO Aozora's BaaS brand. Accounts, transfers, and cards via API. Virtual account (furikomi-only account) API is its strength. Optimized for Japan's payment custom of furikomi (bank transfer).

**Sumishin SBI Net Bank** — Operates BaaS under the NEOBANK brand. Backs external brands like JAL Pay, Yamada NEOBANK, T NEOBANK.

**J-coin Pay** — Mizuho Bank-led QR payment. External fintechs can embed J-coin to process payments.

**Setou Bank Embedded** — Often cited as a hypothetical example, but symbolic of regional Japanese banks venturing into embedded finance.

Characteristics of JPY-integrated APIs:

- Furikomi (bank transfer) is more important than cards. Both ATM and internet banking center on furikomi.

- Virtual furikomi-only accounts are the core. A provider creates as many virtual accounts as it has users, and when a user transfers to their virtual account, the provider maps it to its own ledger.

- My Number-linked KYC is standardized.

// BANKING.JP — create virtual account + match (conceptual TypeScript)

// Create a virtual account per user; when a deposit arrives, map to user

interface VirtualAccount {

virtualAccountId: string

customerId: string

bankCode: string // GMO Aozora: '0310'

branchCode: string // branch code

accountNumber: string // 8-digit virtual account number

accountHolderName: string // kanji / katakana

createdAt: string

}

async function createVirtualAccount(customerId: string): Promise<VirtualAccount> {

const res = await fetch('https://api.banking.jp/v1/virtual-accounts', {

method: 'POST',

headers: {

'Authorization': `Bearer ${process.env.BANKING_JP_TOKEN}`,

'Content-Type': 'application/json',

body: JSON.stringify({

customer_id: customerId,

purpose: 'DEPOSIT',

currency: 'JPY',

}),

})

if (!res.ok) throw new Error(`virtual account creation failed: ${res.status}`)

return res.json()

}

// Handle incoming-transfer webhook

async function handleIncomingTransfer(payload: {

virtual_account_id: string

amount: number

sender_name: string

received_at: string

}) {

const va = await db.virtualAccounts.findById(payload.virtual_account_id)

if (!va) {

// No match — handle as unmapped deposit, return or manually match after 24h

return enqueueUnmatchedDeposit(payload)

}

await db.ledgerEntries.create({

accountId: va.customerId,

direction: 'credit',

amount: payload.amount,

currency: 'JPY',

externalRef: payload.received_at,

})

}

**Regulator**: FSA (Financial Services Agency) governs. The 2024 amendment to the Payment Services Act (Shikin Kessai Hou) brought BaaS operators directly under regulation. Banking-agent license may also be required in certain cases.

17. US vs EU vs KR vs JP — BaaS Matrix

| Item | US | EU | KR | JP |

| --- | --- | --- | --- | --- |

18. BaaS Risks — Lessons After Synapse

The Synapse incident surfaced multiple risks.

1. **Ledger integrity**: If middleware ledger and sponsor bank core banking system desync, it's over.

2. **Intrinsic FBO risk**: With pooled funds, who owns how much is unclear.

3. **Limits of FDIC pass-through**: When middleware fails, FDIC does not help.

4. **Governance gap**: External audit and internal controls were weak.

5. **Sponsor bank's expanded responsibility**: Fed/OCC mandates sponsor banks own their fintech partners' behavior.

The 2026 standard BaaS-provider compliance posture:

- Daily ledger reconciliation. Match against counterpart sponsor bank core banking system.

- Per-customer sub-ledger kept by the sponsor bank separately.

- Adverse-event contingency plan (e.g., middleware financial-distress scenario for user fund protection).

- External audits (Big 4) on a quarterly cadence.

- Board governance committee.

19. ACH, Wire, RTP, FedNow — Transfer Rail Integration

US transfer rails come in four flavors.

- **ACH (Automated Clearing House)**: Since the 1970s. Next-day or same-day settlement. Low fees. Bulk transactions.

- **Wire Transfer (Fedwire, CHIPS)**: Real-time during business hours. Large amounts. Higher fees.

- **RTP (Real-Time Payments)**: Operated by The Clearing House. Launched 2017. 24/7.

- **FedNow**: Operated by the Federal Reserve. Launched July 2023. 24/7 real-time.

BaaS providers expose all four through a unified API. FedNow adoption ramped up rapidly in 2025-2026.

BaaS — ACH vs RTP vs FedNow routing (conceptual)

def route_payment(amount_cents: int, urgency: str, recipient_routing: str) -> dict:

"""Choose transfer rail automatically"""

if urgency == 'instant' and supports_rtp(recipient_routing):

return {'channel': 'RTP', 'fee_cents': 25, 'eta_seconds': 10}

if urgency == 'instant' and supports_fednow(recipient_routing):

return {'channel': 'FedNow', 'fee_cents': 25, 'eta_seconds': 10}

if amount_cents >= 100_000_00: # 100K USD or more uses wire

return {'channel': 'WIRE', 'fee_cents': 1500, 'eta_seconds': 7200}

return {'channel': 'ACH', 'fee_cents': 5, 'eta_seconds': 86400} # next day

Korea has instant transfers via Open Banking (BANK_TRAN), Japan operates the Zengin ZEDI and Zengin EDI as the core, with the recent Cotra 24/7 service introduced.

20. Card Issuance — Physical vs Virtual, JIT Funding Pattern

Card issuance is BaaS's flagship product. Two formats:

- **Virtual Card**: Issued instantly, usable instantly. Push to Apple Pay / Google Pay.

- **Physical Card**: 7-10 days by mail. EMV chip plus contactless.

Issuance patterns:

1. **Prefund**: Fintech prefunds each user's balance at the sponsor bank. Card spend deducts automatically.

2. **JIT funding**: Webhook to fintech at card-payment time. Fintech decides funding on the spot.

JIT funding's advantage is capital efficiency. Funds move only when the user swipes, so prefunding is unnecessary. This is core to Brex and Ramp.

JIT funding security — webhook signature verification (Marqeta style)

def verify_marqeta_webhook(payload_raw: bytes, header_signature: str) -> bool:

secret = os.environ['MARQETA_WEBHOOK_SECRET'].encode()

expected = hmac.new(secret, payload_raw, hashlib.sha256).hexdigest()

return hmac.compare_digest(expected, header_signature)

Handler

def handle_jit_request(request):

raw = request.body

sig = request.headers.get('X-Marqeta-Signature', '')

if not verify_marqeta_webhook(raw, sig):

return 401, 'invalid signature'

... then verify user balance and MCC

Webhook signature verification is critical. Without it, attackers can forge JIT responses and drain funds.

21. Sandbox and Test Environments — The Fintech Developer's Starting Point

The first step in choosing a BaaS provider is sandbox quality. Stripe Treasury, Unit, and Treasury Prime offer great sandboxes.

- Test ABA routing numbers, test SSNs, test card numbers provided.

- Event simulation: ACH return, chargeback, dispute, fraud alert.

- Time acceleration: T+1 ACH simulated instantly.

// Unit sandbox — ACH return simulation (conceptual TypeScript)

// In production, ACH return comes as R01 (Insufficient Funds), etc.

await unit.simulations.simulateAchReturn({

paymentId: 'payment_xxx',

reason: 'R01', // Insufficient Funds

})

// Handle R01 in your own webhook handler

async function handleAchReturn(event) {

const payment = await db.payments.findById(event.paymentId)

await db.payments.update(payment.id, { status: 'returned', returnCode: event.reason })

await db.ledgerEntries.create({

transactionId: payment.transactionId,

accountId: payment.accountId,

direction: 'debit', // re-debit

amountCents: payment.amount,

description: `ACH Return: ${event.reason}`,

})

}

Simulating every edge case in sandbox is what prevents production incidents.

22. Real-Time Ledger Updates and Idempotency

The operational core of BaaS API is idempotency. Even if the same request arrives twice, it must process once. Webhook retries or network timeouts always raise the possibility of duplication.

- **Idempotency Key**: A client-generated UUID in the header on every mutating request.

- **Server-side storage**: Persist key + response in DB. Return cached response on key replay.

- **TTL**: Usually 24-48 hours.

// Idempotency pattern — Express + PostgreSQL (conceptual TypeScript)

app.post('/transfers', async (req, res) => {

const key = req.headers['idempotency-key'] as string

if (!key) return res.status(400).json({ error: 'missing Idempotency-Key' })

const cached = await db.idempotency.findUnique({ where: { key } })

if (cached) return res.status(cached.statusCode).json(cached.response)

// New request

const transfer = await createTransfer(req.body)

const response = { id: transfer.id, status: transfer.status }

await db.idempotency.create({

data: { key, statusCode: 200, response, expiresAt: new Date(Date.now() + 24 * 3600 * 1000) },

})

res.status(200).json(response)

})

Missing this pattern means users trying to transfer once may transfer twice. It is one of the most common operational incidents in BaaS.

23. The Future in Korea and Japan — What's Next

Korea:

- Internet-only banks are strong. The path of becoming a bank directly is more available than BaaS middleware.

- API standardization across Finnq, Toss, Kakaobank, and K Bank is in progress.

- MyData (2022) and Open Banking (2019) are the infrastructure.

- 2025-2026 themes include embedded FX and remittance (partnerships with Wirebarley, Sentbe, Moin).

Japan:

- The 2024 Payment Services Act amendment puts BaaS clearly within scope of regulation.

- GMO Aozora, Sumishin SBI, and Minna Bank compete for the BaaS backbone position.

- My Number-linked KYC via My Number Portal accelerates digital KYC.

- 2026 themes include 24/7 embedded transfers (J-coin Pay, Cotra).

United States:

- After Synapse, the sponsor-bank governance trend will continue into 2027-2028.

- The Fed's master account policy is a key variable — whether fintechs can hold Fed accounts directly.

- Bank charter applications are increasing (SoFi and Square already received them). Middleware moving toward owning licenses.

Europe:

- After the Solaris and Railsr recovery, the market stabilized. Klarna and Revolut accelerated own-license efforts.

- PSD3 (under negotiation 2024-2026) is the next standard. AISP and PISP responsibility will be clarified.

24. Integration Checklist — Before Choosing a BaaS Provider

A practical checklist to close.

1. **Sponsor bank stability**: Tier 1 capital ratio, CAMELS rating, recent consent orders.

2. **Multi-bank support**: Can you migrate if one sponsor bank halts?

3. **Ledger model**: Double-entry, daily reconciliation, sub-ledger custody location.

4. **Compliance automation**: KYC, OFAC, transaction monitoring, SAR automation.

5. **API quality**: Docs, SDKs, sandbox, webhook stability, idempotency support.

6. **Card issuance**: Virtual/physical, JIT funding support, push to Apple/Google Pay.

7. **Transfer rails**: ACH, wire, RTP, FedNow all supported.

8. **Global support**: If you have plans outside the US.

9. **Cost model**: Per-account, per-transaction, monthly minimum.

10. **Data extraction**: Pull accounts and transactions via API/Webhook/CSV.

11. **Adverse-event scenarios**: Playbook for middleware or sponsor-bank distress.

12. **Legal structure**: FBO vs sub-account, FDIC pass-through coverage.

13. **External audits**: Big 4 audits, SOC 2 Type II holdings.

14. **Customer support**: 24/7 ops, escalation path, postmortem disclosure policy.

15. **Joint liability (the Synapse lesson)**: Contractual clarity on middleware vs sponsor bank responsibility.

These fifteen are the 2026 standard for evaluating BaaS providers. The biggest lesson Synapse left behind is that **"BaaS is not just an API; it is infrastructure of trust and the safety of money."** Beneath the advantage of fast launches lies a deep governance burden. Fintechs that fail to fully grasp it may one day end up like Yotta — apologizing to their own users.

References

- Solaris — [https://www.solarisgroup.com/](https://www.solarisgroup.com/)

- Treasury Prime — [https://www.treasuryprime.com/](https://www.treasuryprime.com/)

- Unit — [https://www.unit.co/](https://www.unit.co/)

- Synctera — [https://www.synctera.com/](https://www.synctera.com/)

- Galileo Financial Technologies — [https://www.galileo-ft.com/](https://www.galileo-ft.com/)

- Marqeta — [https://www.marqeta.com/](https://www.marqeta.com/)

- Stripe Treasury — [https://stripe.com/treasury](https://stripe.com/treasury)

- Adyen for Platforms — [https://www.adyen.com/platforms](https://www.adyen.com/platforms)

- Federal Reserve Board (Evolve consent order, 2024) — [https://www.federalreserve.gov/newsevents/pressreleases/enforcement20240614a.htm](https://www.federalreserve.gov/newsevents/pressreleases/enforcement20240614a.htm)

- OCC Third-Party Risk Management — [https://www.occ.gov/news-issuances/news-releases/2023/nr-ia-2023-53.html](https://www.occ.gov/news-issuances/news-releases/2023/nr-ia-2023-53.html)

- FDIC Pass-Through Deposit Insurance Coverage — [https://www.fdic.gov/resources/deposit-insurance/brochures/insured-deposits/](https://www.fdic.gov/resources/deposit-insurance/brochures/insured-deposits/)

- Synapse Bankruptcy Court Filings (US Bankruptcy Court, Central District of California) — [https://www.pacer.gov/](https://www.pacer.gov/)

- Jelena McWilliams (Synapse Trustee, ex-FDIC Chair) — [https://www.fdic.gov/about/leadership/mcwilliams.html](https://www.fdic.gov/about/leadership/mcwilliams.html)

- CFPB 1033 (Open Banking, US) — [https://www.consumerfinance.gov/rules-policy/regulations/1033/](https://www.consumerfinance.gov/rules-policy/regulations/1033/)

- BaFin (German Federal Financial Supervisory Authority) — [https://www.bafin.de/EN/](https://www.bafin.de/EN/)

- Finnq — [https://www.finnq.com/](https://www.finnq.com/)

- Toss — [https://toss.im/](https://toss.im/)

- Kakaobank — [https://www.kakaobank.com/](https://www.kakaobank.com/)

- Korea Financial Supervisory Service (FSS) — [https://www.fss.or.kr/](https://www.fss.or.kr/)

- Korea Financial Telecommunications and Clearings Institute (KFTC, Open Banking) — [https://www.kftc.or.kr/](https://www.kftc.or.kr/)

- GMO Aozora Net Bank — [https://gmo-aozora.com/](https://gmo-aozora.com/)

- BANKING.JP — [https://corp.banking.jp/](https://corp.banking.jp/)

- Sumishin SBI Net Bank — [https://www.netbk.co.jp/](https://www.netbk.co.jp/)

- Japan Financial Services Agency (FSA) — [https://www.fsa.go.jp/en/](https://www.fsa.go.jp/en/)

- Mercury — [https://mercury.com/](https://mercury.com/)

- Brex — [https://www.brex.com/](https://www.brex.com/)

- Ramp — [https://ramp.com/](https://ramp.com/)

- Chime — [https://www.chime.com/](https://www.chime.com/)