If you've spent any time building financial features into a SaaS platform, you've encountered the same wall we've seen over and over: the compliance question. Who owns KYC? Who files SARs if something looks suspicious? Who is responsible when a merchant on your platform turns out to be running transactions through a shell entity? These aren't hypothetical questions — they're the questions that stop most SaaS teams cold before they ever ship a financial product.

In our work with vertical SaaS platforms, we find this is where the confusion starts. Most founders assume compliance is something you bolt on at the end, after you've proven the product. The reality is inverted. Compliance determines the product you're allowed to build in the first place.

The Sponsor Bank Model: What It Actually Does

When a SaaS platform wants to hold merchant funds, issue cards, or move money via ACH, it needs bank infrastructure behind it. Almost no SaaS company has a bank charter — and obtaining one takes years and tens of millions of dollars. The sponsor bank model is how the entire embedded finance industry solves this problem.

A sponsor bank is an FDIC-insured institution that holds the actual accounts, maintains the banking licenses, and takes responsibility for the transactions that flow through its rails. The embedded finance provider — in our case, Mainstreetspine — sits between the platform and the sponsor bank, handling the technology, the merchant onboarding, and the compliance operations. The platform never directly touches regulated banking infrastructure.

This arrangement has a specific name in regulatory terms: the platform is often structured as a program manager, operating under the sponsor bank's banking license via a banking program agreement. The sponsor bank maintains oversight. The program manager handles day-to-day execution. The platform sits at the top of the stack, interacting with merchants through its own product interface.

"The sponsor bank relationship is not just a vendor contract — it's a regulatory accountability structure. Someone upstream is always responsible for BSA/AML compliance. In a well-structured program, that responsibility is documented, tested, and audited annually."

— Kwame Asante, Head of Credit & Risk

KYC: The Gate Every Merchant Has to Pass

Know Your Customer (KYC) is the onboarding process that verifies the identity of every merchant before they can hold funds, send money, or receive credit on your platform. It's not optional. Under the Bank Secrecy Act and FinCEN guidance, any entity facilitating money movement must collect and verify identity information. No exceptions for SaaS platforms that think they're "just" connecting payment flows.

For SMB merchants, KYC typically involves collecting the legal business name, EIN, beneficial ownership information for any owner with 25% or more stake, and a government-issued ID for the primary account holder. The verification process cross-checks this information against OFAC watchlists, PEP (politically exposed persons) databases, and adverse media sources.

Automated KYC systems can complete basic identity verification in under 60 seconds. More complex cases — businesses with multiple owners, sole proprietorships without formal EINs, or merchants flagged by watchlist hits — go into a manual review queue. Our experience is that roughly 85-90% of legitimate SMB merchants clear automated KYC without any human intervention. The remaining cases take 1-3 business days.

KYB — Know Your Business — adds a layer for business entities beyond what standard KYC covers. This includes Secretary of State registration checks, business formation documents, and sometimes bank statement verification for higher-volume accounts. Platforms serving contractors, restaurants, or field service businesses often encounter more KYB complexity than consumer-facing apps, because these merchants frequently operate under DBAs, partnerships, or informal sole proprietorships that don't map cleanly to standard identity-verification fields.

AML Monitoring: What Happens After Onboarding

KYC is a point-in-time snapshot. AML — Anti-Money Laundering — is the ongoing surveillance layer that monitors transaction behavior for suspicious patterns. Passing KYC doesn't mean a merchant is cleared forever. Behavior can change, and transaction monitoring catches it.

AML systems look for transaction patterns that deviate from a merchant's expected profile. A restaurant that typically processes $8,000 per week suddenly running $80,000 in transactions in 72 hours is a flag. A new merchant with no prior history immediately attempting to move $50,000 to a personal bank account is a flag. Large round-number transactions that don't correspond to typical retail purchase sizes are a flag.

When the monitoring system generates an alert, a compliance analyst reviews the underlying transactions. If the review finds an explanation — a catering event, a seasonal spike, a one-time inventory purchase — the alert is resolved and documented. If the review cannot find a legitimate explanation, the compliance team files a Suspicious Activity Report (SAR) with FinCEN within 30 days of determining the activity is suspicious. SARs are confidential — the merchant is never notified.
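The three patterns above (a velocity spike against the merchant's baseline, a large payout from a newly onboarded account, and round amounts far above the merchant's typical ticket) are the kind of rules a transaction-monitoring layer encodes. The following is an added illustration, not Mainstreetspine's code or policy: the threshold values, the merchant profile fields and the sample transactions are all constructed for the example, using the $8,000-per-week restaurant from the text as the baseline.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Merchant:
    merchant_id: str
    expected_weekly_volume: float   # baseline established at onboarding (assumed field)
    typical_ticket: float           # average sale size for this merchant (assumed field)
    onboarded_at: datetime

@dataclass(frozen=True)
class Txn:
    ts: datetime
    amount: float
    kind: str                       # "sale" or "payout" (to an external bank account)

# Threshold values are assumptions for this example, not a published program policy.
VELOCITY_WINDOW = timedelta(hours=72)
VELOCITY_MULTIPLE = 3.0             # 72h sales volume above 3x the weekly baseline
NEW_MERCHANT_AGE = timedelta(days=30)
NEW_MERCHANT_PAYOUT = 10_000.0      # a payout this size from a new account is unusual
ROUND_UNIT = 1_000.0
ROUND_TICKET_MULTIPLE = 5.0         # round amount at least 5x the typical ticket

def monitor(merchant: Merchant, txns: list[Txn]) -> list[tuple[str, Txn]]:
    """Return (rule_name, triggering_txn) pairs for analyst review; each rule fires once."""
    alerts: list[tuple[str, Txn]] = []
    fired: set[str] = set()
    def raise_alert(rule: str, txn: Txn) -> None:
        if rule not in fired:
            fired.add(rule)
            alerts.append((rule, txn))
    sales: list[Txn] = []
    for t in sorted(txns, key=lambda x: x.ts):
        if t.kind == "sale":
            sales.append(t)
            # Rolling 72-hour sales volume compared with the merchant's expected weekly volume.
            window_total = sum(s.amount for s in sales if t.ts - s.ts <= VELOCITY_WINDOW)
            if window_total > VELOCITY_MULTIPLE * merchant.expected_weekly_volume:
                raise_alert("velocity_spike", t)
            # Large round-number sale that does not look like this merchant's normal ticket.
            if t.amount % ROUND_UNIT == 0 and t.amount >= ROUND_TICKET_MULTIPLE * merchant.typical_ticket:
                raise_alert("large_round_amount", t)
        elif t.kind == "payout":
            # New merchant with no history immediately moving a large sum out.
            if t.ts - merchant.onboarded_at <= NEW_MERCHANT_AGE and t.amount >= NEW_MERCHANT_PAYOUT:
                raise_alert("new_merchant_large_payout", t)
    return alerts

# Constructed sample: a restaurant with an $8,000/week baseline, onboarded two months earlier.
RESTAURANT = Merchant("m_001", 8_000.0, 45.0, datetime(2024, 1, 2))
SAMPLE = [
    Txn(datetime(2024, 3, 4, 12), 60.0, "sale"),
    Txn(datetime(2024, 3, 4, 18), 5_000.0, "sale"),     # round and 100x the typical ticket
    Txn(datetime(2024, 3, 5, 9), 12_500.0, "sale"),
    Txn(datetime(2024, 3, 6, 9), 8_000.0, "sale"),      # 72h total reaches 25,560 > 24,000
    Txn(datetime(2024, 3, 6, 10), 20_000.0, "payout"),  # account is 64 days old: no new-merchant alert
]
```

Each alert is only a starting point for the analyst review described above; the rule engine does not decide whether a SAR is warranted.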

For platforms, the key thing to understand is that AML monitoring generates support costs. Merchants who receive account holds while under review will contact your team. Designing clear communication flows for hold notifications — without disclosing the SAR process — is part of building a compliant embedded finance program. We handle this for the platforms we work with, but it requires upfront design decisions about how the platform surfaces account status information.

BSA Program Requirements Your Platform Needs to Understand

The Bank Secrecy Act requires that any financial institution with AML program obligations maintain a written compliance program that includes four elements: internal policies and procedures, an independent audit function, designated compliance personnel, and employee training. These are called the "four pillars" of BSA compliance.

Under the sponsor bank model, the sponsor bank owns the BSA program at the institution level. But the program manager — the embedded finance provider — typically operates its own BSA sub-program that the sponsor bank reviews and approves. This sub-program is sometimes documented as a "written supervisory agreement" or a similarly named exhibit within the program agreement.

What does this mean for your platform specifically? A few things:

  • Your platform cannot decide unilaterally to skip identity verification for "low-risk" merchants. The BSA program sets minimum requirements that apply across the board.
  • Transaction velocity limits and hold policies are not just product features — they're compliance controls that the sponsor bank has approved. Changing them requires sponsor bank sign-off.
  • If your platform's marketing promises merchants instant payouts or frictionless onboarding, there will sometimes be a gap between that promise and reality when AML holds trigger. Setting accurate expectations upfront saves support headaches later.
  • Annual BSA/AML program audits are standard. The audit covers your platform's practices as a program manager, not just the sponsor bank's operations.

MSB Licensing and When It Applies

One area that surprises many SaaS founders: Money Services Business (MSB) registration. FinCEN requires any entity that qualifies as an MSB to register, maintain a BSA/AML program, and in many cases obtain state money transmitter licenses as well. State licensing under the NMLS (Nationwide Multistate Licensing System) is required in 49 states for entities transmitting money, with fees and bond requirements that vary significantly by state.

Whether your platform qualifies as an MSB — rather than fitting under a bank agent or vendor exemption — depends on the specific services offered and how the sponsor bank structures the program agreement. This is not a determination you can make yourself. It requires legal review of the specific product design and the regulatory posture of your sponsor bank.

The reason we mention this is that some embedded finance providers paper over the MSB question in their sales pitches, claiming that the sponsor bank's license "covers" the platform entirely. That's sometimes true, but not always — and the consequences of getting it wrong include regulatory enforcement actions and mandatory business shutdowns while licensing is obtained. Ask the question explicitly before signing any program agreement.

What Platforms Don't Have to Build Themselves

Here's the practical upside of the sponsor bank plus program manager model: your platform does not need to hire a compliance officer, maintain its own BSA program, or navigate the MSB licensing question independently.

When a platform integrates with Mainstreetspine, the compliance obligations are allocated clearly. We maintain the BSA sub-program and work with our sponsor bank partner on annual audits. KYC and KYB workflows are embedded in our API — the platform surfaces the onboarding fields, we run the checks. AML monitoring runs in the background against all transactions. SAR filings are handled by our compliance team.

The platform needs to do a few things on its side: present KYC fields accurately, respond to account-hold communications appropriately, and not design product features that would conflict with compliance controls. That's a much shorter list than building the whole stack from scratch.

We've seen early-stage SaaS teams spend 12-18 months and $800,000 or more attempting to build this infrastructure directly. Most of them end up with something that still has compliance gaps when they first engage with a banking partner for review. Starting with a program manager model isn't a shortcut — it's the structure the industry developed specifically because building it from scratch is genuinely hard.

The compliance question doesn't go away when you use an embedded finance provider. But it does become a manageable set of responsibilities rather than an open-ended engineering and regulatory project. That distinction matters if your team's goal is to ship financial products to your merchants, not to become a compliance-first fintech startup.