TL;DR
- The bar is higher in 2025: third‑party risk hardened, BaaS consolidated, diligence deeper. 🧭
- You can still launch—if you sequence decisions, pick the right bank/processor, and run a tight compliance program from day one. 🚀
- This is a practitioner’s checklist (150+ items) with diagrams, partner notes, and a networking route map.
Discovery log
One year building with banks. Nine years studying sponsor banks and neobank evolution. Eighteen years around dental practices. I’m writing down what I’d do now.
Do the work in order. Ask for help early. Most failures are sequencing problems. 🤝
Table of Contents
- Why Build a Neobank (2025)
- Why I Built One (Clin)
- 2025 Reality Snapshot
- Partner Landscape
- Card Ecosystem 101
- Flow of Funds (FoF) 101
- FBO Accounts 101
- Visa/Mastercard Program Management
- Economics & P&L Model
- Networking Route Map
- 150+ Item Build Checklist
- Rewards & Loyalty (Ascenda)
- Partner Bank Call: Cheat Sheet
- Glossary
- Resource Library
- Appendices (RFP, Redlines, KPIs)
2025 Reality Snapshot
- Bank partner diligence is harder. OCC/FDIC third‑party risk management (3PRM) scrutiny tightened. Expect real audits.
- BaaS isn’t dead; it’s stricter. Sandbox demos don’t equal production access.
- Rails are richer (RTP/FedNow), but ops must be 24/7/365. Irrevocability changes risk.
- Credit attach is possible, but capital and servicing discipline decide survival.
Teaching note: I’m compiling what I’ve learned while building Clin—a “Brex for Dentists”—but the frameworks here apply broadly.
Why Build a Neobank (2025)
Building a neobank gives you control over the customer experience, the flow‑of‑funds, and the underlying economics. If you serve a vertical with non‑standard workflows (healthcare, logistics, contractor trades), generic banking often breaks at reconciliation, disputes, and compliance edge cases.
- Vertical product‑market fit. A domain‑specific ledger, limits engine, and dispute posture reduce exceptions and support tailored features (trust accounts, payout segmentation, specialty licensing). See FFIEC BSA/AML Manual for program structure requirements: https://bsaaml.ffiec.gov/
- Rails maturity. Instant rails (RTP/FedNow) open same‑day cash‑flow designs if you can staff 24/7 and manage liquidity. RTP: https://www.theclearinghouse.org/payment-systems/rtp | FedNow: https://www.fednow.org/
- Economics. Durbin‑exempt debit, B2B MCC mix, and value‑added SaaS/services can beat horizontal banking margins. Review interchange context with Visa/Mastercard rules: https://usa.visa.com/support/consumer/visa-rules.html | https://www.mastercard.us/en-us/business/overview/support/rules.html
- Compliance as moat. A tight third‑party risk posture and exam‑ready documentation make you a better partner to sponsor banks. OCC Third‑Party Risk guidance: https://www.occ.treas.gov/
- Data leverage. A unified ledger and event model enable cohort analytics, underwriting signals, and faster risk iteration.
Tradeoffs: third‑party risk oversight has hardened, partner diligence is real, and 24/7 ops aren’t optional if you expose instant rails. Plan for a real compliance budget, weekly partner syncs, and a migration path in case your first partner can’t scale.
Why I Built One (Clin)
I built Clin to solve vertical cash‑flow and operations problems I’d seen first‑hand. Hundreds of calls and 777 verified survey responses suggested that generic banking didn’t fit real workflows—reconciliation around mixed payer sources and state‑specific compliance created failure points.
Working with sponsor banks, I learned that flow‑of‑funds diagrams, reconciliation discipline, and a narrow wedge matter more than breadth. We chose a vertical ledger, explicit sub‑ledgers, and playbooks for disputes and returns; that’s how you get reliability in a space where exceptions are the norm.
Big Partner Landscape (name the banks; be specific in diligence)
- Banks with sponsor programs to evaluate: Cross River Bank, Green Dot Bank, Fifth Third Bank, Column N.A., First Internet Bank.
- Platform/BaaS to evaluate: Synctera.
- Processors/issuers (context): Marqeta, Lithic, Stripe Issuing, Galileo/TSYS, FIS/Worldpay, Moov.
- Diligence posture: confirm product fit (deposits, card issuing, RTP/FedNow readiness), Durbin status, risk appetite, dispute SLAs, data access, termination assistance.
Partner | Type | Coverage (Deposits/Cards/Rails) | BIN Control | RTP/FedNow | 3PRM Posture | What to Validate |
---|---|---|---|---|---|---|
Cross River Bank | Sponsor bank | Deposits, card sponsorship, ACH/wires; validate instant rails | Confirm | Confirm | Bank‑grade, exam‑hardened | Onboarding timelines, data export rights, termination assistance |
Green Dot Bank | Sponsor bank | Card issuing at scale; deposits; ACH/wires | Confirm | Roadmap | Enterprise‑grade | BIN/product tiering, dispute SLAs, instant rails roadmap |
Fifth Third Bank | Sponsor bank | Deposits, ACH/wires; fintech programs; possible instant rails | Bank‑managed | Confirm | Conservative enterprise | Risk appetite by segment, SLA credits, audit rights |
Column N.A. | Sponsor bank | API‑forward deposits; payments; program support | Confirm | Confirm | Fintech‑oriented | Volume caps, data access, roadmap governance |
First Internet Bank | Sponsor bank | Deposits; payments; SMB willingness varies | Confirm | Confirm | Pragmatic | Risk posture fit, reconciliation cadence, staffing expectations |
Synctera | BaaS platform | Bank access + ledger/primitives; multi‑bank routing | Via bank | Via bank | Platform‑mediated | Data ownership, re‑papering path, caps/tiers |
Diligence Prompts (Use verbatim on calls)
- What is your Durbin status and how does it affect debit economics for this program?
- For BIN/product tiers, who controls issuance rules and benefit levels? What’s the process to add a new product?
- Which payment rails are available at launch (ACH, wires, RTP, FedNow) and what staffing do you expect from us for 24/7 support?
- What are your dispute SLAs and evidence requirements? How do Reg E/Z timers manifest in your tooling?
- What are the default data export formats and frequencies? Can we self‑serve full ledger exports?
- On termination assistance: how many months of cooperation? What engineering resources are committed?
Cross River Bank — Notes
- Questions to confirm: onboarding queue length; RTP/FedNow readiness; BIN/product tiering control; dispute tooling depth.
- Negotiation levers: termination assistance weeks/hours; SLA credits on auth latency; data export guarantees.
Green Dot Bank — Notes
- Questions to confirm: network program constraints; instant rails roadmap; BIN assignment control; portfolio monitoring cadence.
- Negotiation levers: dispute SLA timers; roadmap reviews; performance credits; explicit re‑papering support.
Fifth Third Bank — Notes
- Questions to confirm: risk appetite by niche; audit cadence; report formats; after‑hours ops expectations.
- Negotiation levers: SLA credits for file delivery; audit windows; change‑of‑control protection.
Column N.A. — Notes
- Questions to confirm: RTP/FedNow enablement; volume caps; product coverage; data egress surfaces.
- Negotiation levers: roadmap governance; export SLAs; caps re‑evaluation triggers.
First Internet Bank — Notes
- Questions to confirm: SMB niche fit; reconciliation cadence; staffing expectations; escalation paths.
- Negotiation levers: dispute turnaround SLAs; performance credits; sandbox parity guarantees.
Synctera — Notes (Platform)
- Questions to confirm: bank matching process; data ownership; migration/re‑papering support; caps/tiers.
- Negotiation levers: export entitlements; multi‑bank routing flexibility; pricing step‑downs.
Foundations: Card Ecosystem 101 (Issuer • Processor • Network • Acquirer)
When a card is used, four roles coordinate economic flows:
- Issuing bank: owns the BIN, extends credit (credit) or holds deposits (debit/prepaid), bears regulatory duties (Reg E/Z). Revenue mainly from interchange share and, for credit, interest/fees.
- Issuer‑processor: runs authorization, tokenization, lifecycle, settlement files, sometimes disputes tooling (e.g., Marqeta, Lithic, Stripe Issuing, Galileo). Charges per‑card, per‑auth, program fees.
- Network (Visa/Mastercard): sets rules, brand standards, and fee frameworks (interchange, assessments). See Visa Core Rules and Mastercard Rules.
- Acquirer/merchant processor: sits on merchant side, pays interchange to issuers, collects assessments, and charges the merchant.
Card Flow (simplified)
Cardholder -> Merchant POS/Checkout -> [Acquirer] ---> [Network] ---> [Issuer Processor] ---> [Issuing Bank]
Auth decision returns along the same path: [Issuing Bank] -> [Issuer Processor] -> [Network] -> [Acquirer] -> Merchant
Funds settle later: Acquirer pays merchant; interchange flows to issuer; assessments to networks; processor invoices program fees.
Economics overview:
- Interchange: paid by acquirer to issuer; varies by product (regulated vs Durbin‑exempt debit; credit tiers), MCC, transaction type.
- Network assessments: paid to networks; basis points on volume plus fixed fees.
- Processor fees: per authorization, per active card, program fees.
- Issuer P&L: interchange share – processor/network/operating costs – fraud/chargebacks – rewards + (credit) interest/fees.
References:
- Visa Core Rules and Visa Product and Service Rules: https://usa.visa.com/support/consumer/visa-rules.html
- Mastercard Rules: https://www.mastercard.us/en-us/business/overview/support/rules.html
Flow of Funds (FoF) 101
Banks and examiners care deeply about “who holds what money and when.” Draw this first.
FoF: Debit Purchase (Durbin-exempt)
Cardholder -> Merchant (sale)
| Auth through processor/network to issuer; issuer approves/declines
| Settlement T+1/T+2: Acquirer pays merchant
| Interchange flows from acquirer -> issuer
| Network assessments collected by network
| Issuer fees paid to processor/network per SOW
FoF: RTP Push Payment
Payer DDA (at Bank A) --RTP--> Payee DDA (at Bank B)
- ISO 20022 message (pain.001/pacs.008) equivalents per network
- Final, irrevocable upon acceptance
- Liquidity buffers required; 24/7 monitoring
FoF: ACH Credit (Batch)
Originator -> ODFI -> ACH Operator -> RDFI -> Receiver
- Returns up to 60 days in some cases (Reg E)
- Three windows per business day; not 24/7
These diagrams should be adapted to your program, with exact account names, ledgers, and exception paths.
FoF References and Deeper Reading
- Column Bank — Flow of Funds (clear visual patterns): https://column.com/docs/flow-of-funds
- The Clearing House RTP Participant Guide (conceptual): https://www.theclearinghouse.org/payment-systems/rtp
- Nacha ACH Rules (returns and authorizations): https://www.nacha.org/
- FedNow Service — Service Provider listings and docs: https://www.fednow.org/
FoF: Detailed Patterns (Program Accounts)
FoF: Card Debit (Program Accounts & Settlement)
[Customer Wallet (sub-ledger)] --auth--> [Issuer Processor] --auth--> [Network] --auth--> [Acquirer]
[Acquirer] --clearing/settlement files--> [Issuer Processor] -> [Issuing Bank BIN] (net settles) -> [FBO Master @ Sponsor Bank]
|-- Operating Sub-ledger (customers)
|-- Reserve (fraud/loss)
|-- Fees (program fees)
Daily: reconcile processor settlement, network fees, bank statements vs sub-ledger balances. Exceptions → case queue.
FoF: RTP Push (Program Liquidity)
[Customer DDA @ Sponsor Bank] --RTP credit--> [Payee DDA @ Receiving Bank]
Program liquidity (held in reserve) moves only for limits/settlement as configured. Real-time signals update ledger; exceptions route to ops.
FBO (For‑Benefit‑Of) Accounts 101
Definition: An FBO account is a pooled account at your sponsor bank where customer funds are held “for the benefit of” your end users, recorded via a sub‑ledger you maintain. You are not a bank; you operate under the bank’s charter and compliance program.
Why it matters:
- Legal/regulatory clarity on who holds funds and under what disclosures.
- Segregation: master FBO with sub‑ledgers per customer; sometimes per‑entity trust accounts if required.
- Reconciliation discipline: your ledger must tie to bank statements (daily) via files (BTR/IMAD/OMAD; ACH/Nacha; card settlement reports).
FBO Structure (simplified)
[Master FBO @ Sponsor Bank]
|-- Sub-ledger: Customer A balance
|-- Sub-ledger: Customer B balance
|-- Sub-ledger: Reserve (fees/fraud)
Reconcile daily: Bank statement == Σ sub-ledgers
Files: SFTP/PGP, BTR/IMAD/OMAD, ACH returns, card settlements
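The daily proof above (bank statement == Σ sub‑ledgers) as an added example, not code from the guide or any bank: it parses a constructed statement line and a constructed processor settlement report, compares them with the program's sub‑ledger balances and posted settlements, and checks whether the unposted settlement explains the balance gap. File layouts, account names and amounts are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

# Added example, not the guide's or any bank's code. File layouts, account names
# and amounts below are constructed for illustration.

# Constructed bank statement record for the master FBO at the daily cut-off.
BANK_STATEMENT_LINE = "FBO-MASTER,2025-03-31,ENDING_BALANCE,1250980.25"

# Constructed sub-ledger balances at the same cut-off (what our ledger says we owe).
SUB_LEDGERS = {
    "customer:A": Decimal("700000.00"),
    "customer:B": Decimal("450000.00"),
    "reserve": Decimal("75000.00"),
    "fees": Decimal("25000.00"),
}

# Constructed processor settlement report, and the settlements our ledger has posted.
SETTLEMENT_REPORT = """settlement_id,net_amount,currency
STL-001,-12500.00,USD
STL-002,-3100.50,USD
STL-003,980.25,USD
"""
POSTED_SETTLEMENTS = {
    "STL-001": Decimal("-12500.00"),
    "STL-002": Decimal("-3100.50"),
}


@dataclass(frozen=True)
class Variance:
    kind: str          # balance | settlement_missing | settlement_amount | settlement_unreported
    ref: str           # account or settlement id
    external: Decimal  # what the bank / processor file says
    internal: Decimal  # what our ledger says

    @property
    def delta(self) -> Decimal:
        # Positive: the outside world holds more than our books account for.
        return self.external - self.internal


def parse_statement_balance(line: str) -> Decimal:
    """Ending balance from the constructed statement record; anything else is rejected."""
    account, _date, record, amount = line.strip().split(",")
    if account != "FBO-MASTER" or record != "ENDING_BALANCE":
        raise ValueError(f"unexpected statement record: {line!r}")
    return Decimal(amount)


def parse_settlement_report(text: str) -> dict[str, Decimal]:
    """settlement_id -> net amount to the FBO (negative = cash out to the network)."""
    rows = text.strip().splitlines()
    header, body = rows[0].split(","), rows[1:]
    idx_id, idx_amt = header.index("settlement_id"), header.index("net_amount")
    out: dict[str, Decimal] = {}
    for row in body:
        cols = row.split(",")
        out[cols[idx_id]] = Decimal(cols[idx_amt])
    return out


def reconcile(statement_line, sub_ledgers, report_text, posted) -> list[Variance]:
    variances: list[Variance] = []
    # Proof 1: bank statement == sum of sub-ledgers (the FBO invariant).
    bank = parse_statement_balance(statement_line)
    internal = sum(sub_ledgers.values(), Decimal("0"))
    if bank != internal:
        variances.append(Variance("balance", "FBO-MASTER", bank, internal))
    # Proof 2: every reported settlement is posted once at the reported amount, and vice versa.
    reported = parse_settlement_report(report_text)
    for sid, amt in reported.items():
        if sid not in posted:
            variances.append(Variance("settlement_missing", sid, amt, Decimal("0")))
        elif posted[sid] != amt:
            variances.append(Variance("settlement_amount", sid, amt, posted[sid]))
    for sid in sorted(posted.keys() - reported.keys()):
        variances.append(Variance("settlement_unreported", sid, Decimal("0"), posted[sid]))
    return variances


def unexplained_gap(variances) -> Decimal:
    """Balance gap not explained by settlement variances; non-zero means open a case."""
    balance_gap = sum((v.delta for v in variances if v.kind == "balance"), Decimal("0"))
    settlement_gap = sum((v.delta for v in variances if v.kind != "balance"), Decimal("0"))
    return balance_gap - settlement_gap


def daily_tieout() -> list[Variance]:
    """Run the tie-out over the constructed inputs."""
    return reconcile(BANK_STATEMENT_LINE, SUB_LEDGERS, SETTLEMENT_REPORT, POSTED_SETTLEMENTS)
```

Here the $980.25 balance variance is fully explained by the unposted STL-003, so the case is a missing posting rather than an unknown cash movement.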
Disclosures and compliance:
- Customers must understand funds are held at the sponsor bank; FDIC insurance details must be accurate per bank guidance.
- Privacy (GLBA), Reg E/Z dispute handling, CIP/CDD/EDD, OFAC screening, recordkeeping, and third‑party risk obligations apply.
References:
- FFIEC BSA/AML Manual: https://bsaaml.ffiec.gov/
- Nacha Operating Rules: https://www.nacha.org/
- The Clearing House RTP: https://www.theclearinghouse.org/payment-systems/rtp
- FedNow Service: https://www.fednow.org/
Diagram: Partner Map
[Your App] -> [Ledger/Event Bus]
[Ledger/Event Bus] --(files)--> [Reconciliation Service]
[Ledger/Event Bus] -> [Processor/Issuer] ---- card ----> [Networks]
[Processor/Issuer] -> [Bank Sponsor] <--- ACH/wire/RTP/FedNow ---> [Rails]
[Bank Sponsor] -> [Compliance Stack] -- KYC/KYB/OFAC/TMS --> [Case Mgmt]
See also: Understanding FBO Account Requirements, Build vs Partner, Healthcare Banking Unit Economics, Learning BSA/AML for Healthcare, Exploring RTP Rails for Healthcare
Money20/20 + Networking Route Map
- Money20/20 is worth it—even without tickets. Lobby/lounges are dense. Book meetings back‑to‑back. 🎰
- Hotel hack: if you hold Amex, use the annual $200 FHR credit to offset 2–3 nights at Venetian/Palazzo. Sleep close; network more.
- LA Fintech (monthly): consistent serendipity; ask for bank intros and dispute playbooks.
- Other events: Fintech Meetup, Fintech Nexus USA, Finovate, Nacha Smarter Faster Payments, The Clearing House PayConf, FedNow Experience, Visa Payments Forum, Mastercard Connections, Bank Automation Summit, SIBOS (bank‑heavy), AFP.
- Tactics: book 30 days out; send one‑line asks; carry a precise RFP; follow up within 48 hours.
Diagram: Event Funnel
Top: Conferences (Money20/20, Fintech Meetup)
-> Mid: Bank/processor intro calls (2 weeks later)
-> Bottom: Diligence workstream (90‑day plan: sandbox -> SOW -> pilot)
Visa/Mastercard Program Management Notes
- Program roles: bank sponsor (principal member) owns network relationship; you act as program manager.
- Card “levels” and benefits: align product (consumer/business, debit/credit, Signature/World tiers) with economics and required protections.
- Must‑haves: 3DS strategy, tokenization (Apple/Google), issuer dispute flows, chargeback counters, BIN control plan.
- Settlement: understand network fees, chargeback windows, monitoring programs.
References:
- Visa Rules (program management, chargebacks): https://usa.visa.com/support/consumer/visa-rules.html
- Mastercard Rules (program obligations): https://www.mastercard.us/en-us/business/overview/support/rules.html
Economics & P&L Model (Illustrative)
OC morning; spreadsheets open.
Debit Economics (Illustrative Ranges)
Metric | Regulated Debit | Durbin‑Exempt Debit | Notes |
---|---|---|---|
Interchange | ~$0.21 + 0.05% (+$0.01 adj) | ~0.50%–1.00% + $0.10–$0.20 | Varies by MCC, region, transaction type |
Network assessments | ~0.10%–0.17% of volume | ~0.10%–0.17% of volume | Network‑specific; check current schedules |
Processor auth fee | $0.02–$0.05 / auth | $0.02–$0.05 / auth | Program/volume dependent |
Per‑card monthly | $0.25–$1.00 | $0.25–$1.50 | Issuer‑processor dependent |
Rewards cost | 0–30 bps | 0–50 bps | Only if offering debit rewards |
Fraud/chargebacks | 5–30 bps | 5–30 bps | Program quality + vertical risk |
Credit (Small Business) Economics (Illustrative Ranges)
Metric | Typical Range | Notes |
---|---|---|
Interchange (issuer share) | ~1.4%–2.5% | By card product/MCC; network rules |
Network assessments | ~0.10%–0.17% of volume | Network‑specific schedules |
Processor auth + program fees | $0.02–$0.06 / auth; per‑card monthly $0.25–$1.50 | Ranges vary by volume and feature set |
Rewards cost | 50–150 bps | Depends on earn rate and mix |
Annualized loss rate | 2%–8% | Portfolio/underwriting dependent |
Interest yield (APR net of revolve) | 10%–25% | Depends on revolve rate, pricing, funding |
Formulas (sketch)
Effective Interchange (debit) = Gross Interchange - Network Assessments - Processor Fees (auth + per‑card) - Rewards Costs - Fraud/Chargeback Losses
Program Gross Margin (credit) = Interchange + Net Interest + Fees - Network/Processor Fees - Rewards - Fraud/Chargebacks - (Servicing + Compliance)
Sensitivity notes:
- Rewards earn/burn drives margin more than small auth fee differences.
- Loss provisioning assumptions dominate early credit P&L.
- For debit, Durbin status and MCC mix drive effective interchange more than anything else.
Scenario Table: Debit (Regulated vs Exempt)
Scenario | Gross Interchange | Network Assessments | Processor Fees | Rewards | Fraud/CB | Est. Contribution |
---|---|---|---|---|---|---|
Regulated Debit (avg $35 ticket, 700k auths, $24.5M vol) | $171k | $36.8k | $21k | $0 | $18k | $95k |
Durbin-Exempt Debit (avg $20 ticket, 1.25M auths, $25M vol) | $325k | $37.5k | $37.5k | $75k | $25k | $150k |
Notes: numbers illustrative; tune to MCC mix, auth behavior, rewards posture, and fraud controls.
Scenario Table: Credit (Loss & Revolve Sensitivity)
Scenario | Interchange | Net Interest | Network/Processor | Rewards | Loss Provision | Est. Contribution |
---|---|---|---|---|---|---|
Low Loss (2%), 30% revolve | $540k | $112.5k | $129k | $300k | $50k | $173.5k |
High Loss (8%), 40% revolve | $540k | $150k | $129k | $300k | $200k | $61k |
Notes: “Net Interest” assumes APR net of funding and revolve balance; provision on monthly flow.
Worked Example: Debit Program P&L (Illustrative)
Inputs
- Monthly Txn Volume: $25,000,000 | Auths: 1,250,000 (avg ticket $20)
- Durbin Status: Exempt | MCC Mix: 60% Retail, 25% Services, 15% Online
- Interchange (blended): 0.80% + $0.10
- Network Assessments: 0.15% | Processor Auth: $0.03
- Per‑card monthly: $0.50 (100k active) | Rewards: 0.30% | Fraud: 0.10%
Calculations
- Gross Interchange: 0.80%*$25M + $0.10*1.25M = $200,000 + $125,000 = $325,000
- Network Assessments: 0.15%*$25M = $37,500
- Processor Auth Fees: $0.03*1.25M = $37,500
- Per‑card Fees: $0.50*100k = $50,000
- Rewards Cost: 0.30%*$25M = $75,000
- Fraud/Chargebacks: 0.10%*$25M = $25,000
Program Contribution (before servicing/compliance)
= 325,000 - 37,500 - 37,500 - 50,000 - 75,000 - 25,000
= $100,000 / month (0.40% of volume)
Worked Example: Small Business Credit P&L (Illustrative)
Inputs
- Monthly Purchase Volume: $30,000,000 | Auths: 600,000 (avg ticket $50)
- Interchange (issuer share): 1.80% | Network Assessments: 0.15%
- Processor: $0.04 / auth; $0.75 per active (80k)
- Rewards: 1.00% | Annualized Loss Rate: 4.0%
- Revolve Rate: 40% | APR Net Yield: 15%
Calculations
- Interchange: 1.80% * $30M = $540,000
- Network Assessments: 0.15% * $30M = $45,000
- Processor Auths: $0.04 * 600k = $24,000
- Processor Per‑card: $0.75 * 80k = $60,000
- Rewards Cost: 1.00% * $30M = $300,000
- Credit Interest: 15% APR on avg revolve (40% of $30M / 12) = 0.15 * $1.0M = $150,000
- Credit Loss Provision (monthly): 4.0% * ($30M / 12) = $100,000
Program Contribution (before servicing/compliance)
= (540,000 + 150,000) - 45,000 - 24,000 - 60,000 - 300,000 - 100,000
= $161,000 / month (0.54% of volume)
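The formula sketch and both worked examples as an added example, not the guide's own model: the debit and credit contribution formulas as functions, the worked-example inputs as defaults, and a loss/revolve sensitivity that reproduces the credit scenario table. All figures are the guide's illustrative ranges, not any program's real economics.

```python
from dataclasses import dataclass, replace

# Added example, not the guide's own spreadsheet: the "Formulas (sketch)" as code,
# with the two worked examples as inputs. Figures are illustrative, as in the guide.


@dataclass(frozen=True)
class DebitInputs:
    volume: float             # monthly purchase volume, $
    auths: int                # monthly authorizations
    active_cards: int
    interchange_pct: float    # blended ad valorem interchange (0.008 = 0.80%)
    interchange_fixed: float  # fixed per-auth component, $
    assessments_pct: float    # network assessments on volume
    auth_fee: float           # processor fee per auth, $
    per_card_fee: float       # processor fee per active card per month, $
    rewards_pct: float        # rewards cost on volume
    fraud_pct: float          # fraud/chargeback losses on volume


@dataclass(frozen=True)
class CreditInputs:
    volume: float
    auths: int
    active_cards: int
    interchange_pct: float    # issuer share of interchange
    assessments_pct: float
    auth_fee: float
    per_card_fee: float
    rewards_pct: float
    annual_loss_rate: float   # annualized loss rate, provisioned on monthly flow
    revolve_rate: float       # share of monthly volume that revolves
    apr_net_yield: float      # APR net of funding cost


def debit_pnl(i: DebitInputs) -> dict[str, float]:
    """Effective Interchange (debit) = Gross - Assessments - Processor - Rewards - Fraud/CB."""
    gross = i.interchange_pct * i.volume + i.interchange_fixed * i.auths
    costs = {
        "network_assessments": i.assessments_pct * i.volume,
        "processor_auth_fees": i.auth_fee * i.auths,
        "per_card_fees": i.per_card_fee * i.active_cards,
        "rewards": i.rewards_pct * i.volume,
        "fraud_chargebacks": i.fraud_pct * i.volume,
    }
    contribution = gross - sum(costs.values())
    return {"gross_interchange": gross, **costs,
            "contribution": contribution, "contribution_pct": contribution / i.volume}


def credit_pnl(i: CreditInputs) -> dict[str, float]:
    """Program margin before servicing/compliance, matching the guide's worked example:
    Interchange + Net Interest - Network/Processor - Rewards - Loss Provision."""
    monthly_flow = i.volume / 12
    revenue = {
        "interchange": i.interchange_pct * i.volume,
        # Guide's convention: APR net yield applied to the revolving share of monthly flow.
        "net_interest": i.apr_net_yield * i.revolve_rate * monthly_flow,
    }
    costs = {
        "network_assessments": i.assessments_pct * i.volume,
        "processor_auth_fees": i.auth_fee * i.auths,
        "per_card_fees": i.per_card_fee * i.active_cards,
        "rewards": i.rewards_pct * i.volume,
        "loss_provision": i.annual_loss_rate * monthly_flow,
    }
    contribution = sum(revenue.values()) - sum(costs.values())
    return {**revenue, **costs,
            "contribution": contribution, "contribution_pct": contribution / i.volume}


def credit_sensitivity(base: CreditInputs,
                       scenarios: dict[str, tuple[float, float]]) -> dict[str, float]:
    """Contribution under (annual loss rate, revolve rate) pairs, as in the scenario table."""
    return {name: credit_pnl(replace(base, annual_loss_rate=loss, revolve_rate=rev))["contribution"]
            for name, (loss, rev) in scenarios.items()}


# Inputs from the two worked examples above.
DEBIT_EXAMPLE = DebitInputs(volume=25_000_000, auths=1_250_000, active_cards=100_000,
                            interchange_pct=0.0080, interchange_fixed=0.10, assessments_pct=0.0015,
                            auth_fee=0.03, per_card_fee=0.50, rewards_pct=0.0030, fraud_pct=0.0010)
CREDIT_EXAMPLE = CreditInputs(volume=30_000_000, auths=600_000, active_cards=80_000,
                              interchange_pct=0.018, assessments_pct=0.0015, auth_fee=0.04,
                              per_card_fee=0.75, rewards_pct=0.01, annual_loss_rate=0.04,
                              revolve_rate=0.40, apr_net_yield=0.15)

if __name__ == "__main__":
    print(debit_pnl(DEBIT_EXAMPLE))   # contribution 100,000 / month
    print(credit_pnl(CREDIT_EXAMPLE))  # contribution 161,000 / month
    print(credit_sensitivity(CREDIT_EXAMPLE, {"low_loss": (0.02, 0.30), "high_loss": (0.08, 0.40)}))
```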
Diagram: Card Program Surfaces
[BIN + Product] -> [Auth stack + 3DS] -> [Tokenization] -> [Disputes/Chargebacks]
Branches: [Risk/TMS], [Reg E/Z timers]
The 150+ Item Build Checklist
A. Architecture & Ops (40)
- Define product scope (deposits, card, RTP/FedNow, wires, checks/RDC). Owner: CEO + CTO. Two crisp sentences: state exactly which rails and surfaces exist at launch, and which ship in months 6–12; write it as a one‑pager you can send to banks.
- Pick ledger pattern (double‑entry, event‑sourced, idempotent writes). Owner: CTO. Choose a double‑entry ledger with immutable events and idempotent operations so backfills and retries are safe; define event schemas before writing business logic.
- Model sub‑ledgers (operating, trust, receivables) if vertical B2B. Owner: CTO + COO. Name each bucket and write reconciliation math for each; require daily proof that Σ sub‑ledgers equals the bank statement.
- Implement idempotency keys across all rails. Owner: CTO. Keys prevent double posts on retries; require them on webhook handlers and outbound rail calls.
- Event bus for money movement; durable queues; DLQs. Owner: CTO. Use durable queues with retry/backoff and a DLQ for manual review; log every state transition with who/what/when.
- Reconciliation service (BTR/IMAD/OMAD, ACH returns, card settlement). Owner: COO. Parse files, map reason codes, and produce a variances report daily; unresolved variances become tickets within 24 hours.
- SFTP/PGP key mgmt; rotate keys; monitor late/missing files. Owner: CTO. Automate key rotation and heartbeat checks for inbound/outbound folders; alert if a daily file is late by X minutes.
- ACH ODFI/RDFI flows; returns; unauthorized thresholds; ACH company IDs. Owner: COO + Compliance. Document R‑codes handling and unauthorized return monitoring; maintain company ID inventory and limits.
- Wire (Fedwire/CHIPS) schemas; cutoff times; fee engine. Owner: CTO + COO. Enforce cutoffs in UI and service; compute fees up front and in settlement, and reconcile IMAD/OMAD.
- RTP/FedNow: ISO 20022 mapping, 24/7 staffing, liquidity buffers. Owner: CTO + COO. Define message validation, weekend coverage, and where liquidity buffers sit; run a tabletop for rejects and exceptions.
- RDC/check risk; positive pay; holds and releases. Owner: COO + Risk. Apply holds by risk tier and positive pay where supported; publish a release policy and appeal path.
- Card issuing: BIN tables, interchange tables, MCC rules. Owner: CTO. Version the tables and keep them in config not code; provide an admin view for ops to inspect active configs.
- Tokenization (network tokens) + PAN vault scoping. Owner: CTO. Prefer network tokens and isolate PAN to a vault provider; aim for the lowest SAQ path.
- 3DS routing policy; friction vs fraud tradeoff. Owner: Risk + CTO. Route 3DS adaptively by amount/MCC and device risk; measure abandonment vs liability shift.
- Dispute engine with Reg E/Z timer automation. Owner: COO + Compliance. Start clocks automatically on intake; templates for provisional credit and evidence packages.
- Limits engine (per‑rail, per‑entity, velocity, geos). Owner: CTO + Risk. Store limits in a single service with audit history; allow emergency overrides with dual‑control.
- Risk rules: device, velocity, behavioral; ML optional, rules first. Owner: Risk. Ship rules you can explain and tune weekly; add ML after you have labeled cases.
- Case mgmt: queueing, SLAs, audit trails, SAR drafting. Owner: COO + Compliance. Everyone works from the same queue; SLA clocks visible; SAR drafts have a standard outline.
- OFAC screening (enrollment + ongoing), list refresh cadence. Owner: Compliance. Refresh lists daily; tune fuzzy thresholds carefully and QA monthly on false positives.
- KYC/KYB providers (Alloy/Socure/Persona/Middesk) integration plan. Owner: CTO + Compliance. Pick two to de‑risk outages (primary/backup) and map which docs you accept by entity type.
- Beneficial ownership capture; CTA/BOI flow. Owner: Compliance + COO. Build BOI capture into onboarding, store attestations with timestamps, and define a change‑management path; confirm reporting cadence with counsel: https://www.fincen.gov/boi.
- License/DEA verification if healthcare; renewal monitors. Owner: Compliance. Automate checks against state boards and DEA (where relevant) and set renewal alerts; log evidence in case files for exams.
- PII safekeeping; data minimization; field‑level encryption. Owner: CTO. Only collect what you need, encrypt sensitive fields at rest, and document who can access which data under which roles.
- Secrets/KMS; key rotation SOP; access reviews. Owner: CTO + Security. Centralize secrets in KMS, rotate keys on a calendar and on incident, and run quarterly access reviews with sign‑offs.
- PCI DSS v4.0 scoping; SAQ eligibility; tokenization to shrink scope. Owner: CTO. Prefer network tokenization and keep PAN out of your systems; work with your processor on the right SAQ: https://www.pcisecuritystandards.org/.
- Logging: append‑only audit logs; who/what/when; retention schedules. Owner: CTO + Compliance. Preserve tamper‑evident logs, document retention periods, and ensure investigators can reconstruct any customer‑affecting event.
- Observability: metrics, traces, alerting; on‑call rota. Owner: CTO. Monitor every rail and file feed; publish SLOs; make on‑call shifts sustainable and measured.
- DR/BCP: RTO/RPO; backup/restore drills; tabletop exercises. Owner: CTO + COO. Define recovery targets and prove them quarterly with drills; record findings and fixes.
- Fraud loss reserve policy; provisioning in the P&L. Owner: CEO + Risk. Set a reserve policy tied to recent loss experience and growth; revisit monthly with portfolio data.
- Collections/charge‑offs policy for credit attach. Owner: Risk + COO. Write when you contact, what arrangements are allowed, and when to charge off; ensure fair and consistent treatment.
- Rate limiting + abuse protection at auth and API layers. Owner: CTO. Throttle by IP, account, and device; block obvious scrapers and credential stuffing; log blocks for review.
- API versioning; deprecation policy. Owner: CTO + Product. Use semantic versioning, publish deprecation timelines, and provide migration guides for partners.
- Identities/roles/least privilege; SoD for ops tasks. Owner: CTO + Compliance. Enforce least privilege and separation of duties (e.g., no one can both originate and approve refunds) and review quarterly.
- Feature flags for risky changes; kill switches. Owner: CTO. Roll out changes behind flags with instant disable; test kill switches in staging and document who can trigger them.
- SLA monitors on partner endpoints; auto‑failovers where allowed. Owner: CTO + COO. Track latency and availability for each bank/processor API; fail over read paths where feasible and escalate proactively.
- Data warehouse with privacy boundaries; ETL to reports. Owner: CTO + Analytics. Keep PII out of analytical stores where possible; set clear boundaries and audit ETL jobs.
- Customer comms rails: email, SMS, in‑app; templates pre‑approved. Owner: COO + Compliance. Pre‑approve copy for disputes, returns, and incidents; route all comms through logged channels.
- Accessibility and internationalization basics; error copy. Owner: Product/Design. Meet baseline a11y standards and write plain‑language error messages; make support pathways obvious.
- Sandbox vs prod separation; audit only prod data flows. Owner: CTO. Never use prod data in lower environments; audit every prod ingress/egress and document approvals.
- Evidence plan: store artifacts for audits (tickets, logs, sign‑offs). Owner: COO + Compliance. For every high‑risk process, list what you’ll save and where; keep links in a single “evidence index.”
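The ledger and idempotency items above (double‑entry, immutable events, idempotency keys on webhook handlers) as an added example, not the guide's or Clin's code: an append‑only double‑entry ledger whose post() treats a repeated key as a no‑op and a reused key with a different payload as a conflict, driven by a constructed settlement webhook delivered twice. Account names and the webhook payload shape are assumptions.

```python
import json
from dataclasses import dataclass
from decimal import Decimal

# Added example, not the guide's or any vendor's code. Account names, the payload
# shape and the 'event_id' field are assumptions for illustration.

ASSETS = {"fbo_master"}   # cash at the sponsor bank (normal debit balance);
# every other account (customer:*, fees, reserve) is a sub-ledger claim on that cash
# (normal credit balance).


@dataclass(frozen=True)
class Line:
    account: str
    debit: Decimal = Decimal("0")
    credit: Decimal = Decimal("0")


@dataclass(frozen=True)
class Event:
    key: str      # idempotency key supplied by the caller (here: the webhook event_id)
    kind: str
    lines: tuple  # immutable once appended


class ConflictError(Exception):
    """Same idempotency key reused with a different payload: refuse, never overwrite."""


class Ledger:
    """Append-only double-entry ledger; balances are derived from events, never edited."""

    def __init__(self):
        self.events: list[Event] = []
        self._by_key: dict[str, Event] = {}

    def post(self, key: str, kind: str, lines: list[Line]) -> Event:
        ev = Event(key, kind, tuple(lines))
        prior = self._by_key.get(key)
        if prior is not None:
            if prior.kind != kind or prior.lines != ev.lines:
                raise ConflictError(key)
            return prior  # retry of an already-applied event: no double post
        if sum(ln.debit for ln in lines) != sum(ln.credit for ln in lines):
            raise ValueError("unbalanced posting")
        self.events.append(ev)
        self._by_key[key] = ev
        return ev

    def balance(self, account: str) -> Decimal:
        d = sum((ln.debit for e in self.events for ln in e.lines if ln.account == account), Decimal("0"))
        c = sum((ln.credit for e in self.events for ln in e.lines if ln.account == account), Decimal("0"))
        return d - c if account in ASSETS else c - d

    def accounts(self) -> set[str]:
        return {ln.account for e in self.events for ln in e.lines}

    def books_balance(self) -> bool:
        """Cash at the bank equals the sum of all sub-ledger claims on it."""
        claims = sum((self.balance(a) for a in self.accounts() - ASSETS), Decimal("0"))
        return self.balance("fbo_master") == claims


def handle_settlement_webhook(ledger: Ledger, raw: str) -> Event:
    """Card settlement from the processor: customer funds leave the FBO to the network."""
    p = json.loads(raw)
    amt, fee = Decimal(p["net_amount"]), Decimal(p["program_fee"])
    return ledger.post(
        key=p["event_id"],  # the processor's event id doubles as the idempotency key
        kind="card_settlement",
        lines=[
            Line("customer:" + p["customer_id"], debit=amt + fee),
            Line("fbo_master", credit=amt),  # cash out to the network
            Line("fees", credit=fee),        # program fee stays in the FBO as a fee sub-ledger
        ],
    )


def demo() -> Ledger:
    """A deposit, then the same settlement webhook delivered twice (a retry)."""
    lg = Ledger()
    lg.post("dep-0001", "ach_credit", [Line("fbo_master", debit=Decimal("500.00")),
                                      Line("customer:A", credit=Decimal("500.00"))])
    webhook = json.dumps({"event_id": "evt-77", "customer_id": "A",
                          "net_amount": "120.00", "program_fee": "2.00"})  # constructed payload
    handle_settlement_webhook(lg, webhook)
    handle_settlement_webhook(lg, webhook)  # duplicate delivery: must be a no-op
    return lg
```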
B. Compliance & Program (35)
- BSA/AML policy; board approval; compliance officer named. Owner: Compliance + CEO. Write a risk‑based program that matches your products and customers, then get it formally approved and logged; name a responsible officer with clear authority and reporting lines.
- CIP/CDD/EDD procedures; risk‑based. Owner: Compliance. Define what you collect by entity type, how you verify it, and when you escalate to EDD; record decisions and outcomes in a consistent case template.
- OFAC program; blocking/reporting SOP. Owner: Compliance. Document screening points (onboarding and ongoing), match thresholds, and escalation paths; test your blocking and reporting workflow quarterly.
- SAR/CTR procedures; narrative templates. Owner: Compliance. Spell out when you file, who drafts/reviews, and deadlines; keep a SAR narrative outline with facts, pattern, and rationale for consistency.
- Model governance for TMS; tuning + QA cadence. Owner: Compliance + Risk + CTO. Keep feature lists, thresholds, and change logs for every rule/model; review precision/recall monthly and re‑tune with labeled cases.
- Training plan (initial + annual); evidence of attendance. Owner: Compliance + HR. Train every role on relevant regs and document completion; track quiz results and remediation for audit evidence.
- Independent testing plan; frequency; scope. Owner: Compliance. Engage internal audit or a third party to test your program annually; capture findings and remediation owners with due dates.
- Vendor risk (OCC 2013‑29/2020‑10 posture); inventory + tiering. Owner: Compliance + COO. Classify vendors by risk and collect SOC/pen tests/contracts accordingly; maintain a single system of record for reviews and expirations.
- GLBA Safeguards program; risk assessment; controls. Owner: CTO + Compliance. Run a formal security risk assessment and map controls to findings; keep a living plan of technical/administrative safeguards.
- Privacy policy (CCPA/CPRA/GDPR mapping where applicable). Owner: Compliance + Legal. State what you collect, why, and how long you retain; offer user rights where required and verify the mechanics actually work.
- Incident response plan; breach comms flow. Owner: CTO + Compliance + COO. Define severities, roles, and timelines from detection to customer notice; run a tabletop and update the plan with lessons learned.
- Complaint management; Reg E/Z time clocks in tooling. Owner: COO + Compliance. Capture every complaint in one queue and start timers automatically; report volumes and themes to the board quarterly.
- UDAP/UDAAP review of marketing and fees. Owner: Compliance + Marketing. Pre‑clear copy and fee schedules for fairness and clarity; retain annotated approvals alongside public artifacts.
- Website/UX compliance (FDIC signage rules via sponsor bank). Owner: Marketing + Compliance. Use bank‑approved language and placement for disclosures/signage; add them to your release checklist so they never regress.
- Disclosures library; versioning and approval records. Owner: Compliance. Store every customer‑facing disclosure with version, dates, and approvers; link each to the code or flow where it appears.
- Records retention schedule; legal holds. Owner: Compliance + Legal. Publish a retention table by record type and teach teams how legal holds pause deletion; audit that deletions and holds do what they say.
- State MTL mapping if needed (non‑bank money transmission edge cases). Owner: Legal + Compliance. Determine whether any flows trigger MTL requirements and document the analysis and exemptions; revisit when products change.
- Card network program registration (via sponsor bank) with product tiers. Owner: Sponsor Bank + COO. Ensure the right BIN/product levels are registered and benefits/prereqs are met; keep certification evidence in your program file.
- Program manager obligations with Visa/Mastercard documented and owned. Owner: COO + Compliance. Write down which obligations the bank vs you perform and how you evidence each one; align on audits and monitoring programs.
- Portfolio monitoring KPIs: fraud rate, loss rate, disputes, timeliness. Owner: Risk + COO. Review KPIs weekly with actions for outliers; publish a monthly dashboard to the bank and your board.
- Quarterly board/committee cadence; minutes; findings tracking. Owner: CEO + Compliance. Hold formal meetings with agendas and action logs; assign owners and dates for every finding and track through closure.
- Marketing compliance pre‑clear with bank partner. Owner: Marketing + Compliance + Bank. Send new campaigns for review before launch and record approvals; build turnaround times into your content calendar.
- Sanctions screening for vendors and counterparties. Owner: Compliance + Procurement. Screen non‑customers who can receive funds or data; document results and exceptions like you would for customers.
- QA for KYC/KYB false positives/negatives. Owner: Risk + Compliance + Data. Sample approvals/declines weekly to check decision quality; adjust rules, weights, or provider settings and record the impact.
- Annual policy review, attestation log. Owner: Compliance + CEO/Board. Update every policy at least annually, collect attestations, and log changes; archive prior versions for auditors.
C. Bank/Processor Partnering (30)
- RFP packet: product scope, volume forecast, risk profile, staffing. Owner: CEO + COO. Keep it to five pages with crisp numbers and a FoF diagram; send a single PDF that answers diligence questions up front.
- Scorecard: Durbin status, rails coverage, ops SLAs, data ownership. Owner: COO + Risk. Score each bank/platform against the same criteria and weight by your priorities so the decision is defensible.
- Reference checks with existing programs. Owner: CEO + COO. Ask about support quality, incident handling, and export rights; request anonymized metrics (auth, dispute timeliness, uptime).
- Sandbox tests: auth latency, webhooks, paging, idempotency. Owner: CTO. Write a small harness to prove webhooks fire reliably and pagination/idempotency behave as documented; save logs as evidence.
- SOW clarity: limits, fees, pass‑throughs, minimums. Owner: COO + Legal. List every fee and minimum and include concrete examples; ensure enforceable SLAs with credits for misses.
- Data ownership clause; export guarantees. Owner: COO + Legal + CTO. Require bulk exports on demand and document schema; test export throughput and correctness before going live.
- Termination assistance clause; 6‑ to 12‑month cooperation. Owner: COO + Legal. Name roles/hours and artifacts for migration support; attach a weekly cadence so help shows up on time.
- Step‑down rev‑share schedule; volume tiers. Owner: CEO + COO + Legal. Negotiate clear bands with automatic step‑downs and no retroactive resets; tie to calendar and volume to avoid ambiguity.
- Change‑of‑control protections. Owner: Legal + CEO. Preserve economics and data access if you are acquired; prohibit unilateral termination on change‑of‑control.
- Audit rights and SOC/PCI evidences. Owner: Compliance + COO. Lock in access to SOC reports and onsite visits with remediation timelines; calendar renewals so evidence never expires silently.
- Dispute handling SLAs; escalation paths. Owner: COO + Sponsor Bank. Define intake formats, evidence windows, and escalation contacts; report compliance monthly with exception summaries.
- Exception processes (after‑hours/lost rails). Owner: COO. Write what happens when a rail is down or a file is late; keep an on‑call tree with names and numbers.
- KPI reporting cadence and format. Owner: COO. Agree on weekly/monthly reports, fields, and delivery method; automate generation and delivery from your warehouse.
- Runbook for go‑live (Day‑0/30/90). Owner: COO + CTO. Define acceptance tests, rollback plans, and first 90‑day milestones; assign owners and daily standups during launch week.
- Joint incident response drill. Owner: CTO + COO + Bank. Simulate a dispute system outage and a webhook failure; record response times and update both playbooks.
- Quarterly roadmap syncs. Owner: CTO + Product + Partner. Share your roadmap and request theirs; align on dependencies and certification slots.
- Performance credits for SLA misses. Owner: COO + Legal. Bake in automatic credits for chronic latency or uptime misses; track credits in your billing review.
- Bank branding and customer comms approvals. Owner: Marketing + Compliance + Bank. Pre‑approve placement of bank names and FDIC disclosures; add approvals to your staging release checklist.
- Re‑papering plan if you switch partners later. Owner: COO + Legal + CTO. Prepare templates and migration scripts ahead of time; store customer notices and consent flows ready to ship.
- RTP/FedNow enablement checklist; liquidity rules. Owner: CTO + COO + Bank. Document participant setup, message validation, and liquidity limits; confirm weekend staffing and exception review windows.
- BIN management + new product launch process. Owner: COO + Processor. Keep a calendar of BIN/product adds and required tests; assign a PM to shepherd certification.
- Certification/testing requirements per network. Owner: COO + Processor + Bank. Track case matrices and success criteria; allocate time for re‑tests after any auth/dispute changes.
- Data residency and backup expectations. Owner: CTO + Legal. Confirm where data lives and what backup/restore windows apply; add residency language to your contracts.
- Billing reconciliation and dispute process with partner. Owner: COO + Finance. Reconcile invoices to logs and SLAs monthly; dispute any mismatches with evidence and a written position.
- Counsel review; redlines; side letters recorded. Owner: Legal. Keep a single source of truth for contracts and side letters; summarize key terms for the exec team.
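The sandbox harness item above (webhooks, idempotency) is easiest to explain with code. This is an added example, not a processor's or bank's SDK: it assumes the sandbox signs each delivery with HMAC-SHA256 over "timestamp.body" in `X-Signature`/`X-Timestamp` headers and that every event carries a unique `event_id`; the secret, tolerance window and event bodies are constructed samples.

```python
"""Sandbox webhook harness: signature check, replay window, idempotent apply.

Added example (not from the page or any provider). The signing scheme,
header names, secret and replay tolerance below are assumptions; adapt
them to the processor's documented scheme before using as evidence.
"""
import hashlib
import hmac
import json

SHARED_SECRET = b"sandbox-secret-constructed"   # constructed sample, not a real key
REPLAY_WINDOW_SECONDS = 300                     # assumed tolerance for stale deliveries


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Hex HMAC-SHA256 over "<timestamp>.<raw body>" (assumed scheme)."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: dict, body: bytes, now: int) -> bool:
    """Constant-time signature comparison plus a replay window on the timestamp."""
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False
    expected = sign(secret, ts, body)
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


class WebhookReceiver:
    """Idempotent consumer: a given event_id is applied to the ledger at most once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen: set = set()
        self.applied: list = []
        self.rejected: list = []          # rejection reasons, kept as evidence

    def handle(self, headers: dict, body: bytes, now: int) -> str:
        if not verify(self.secret, headers, body, now):
            self.rejected.append("bad_signature_or_stale")
            return "rejected"
        event = json.loads(body)
        event_id = event.get("event_id")
        if not event_id:
            self.rejected.append("missing_event_id")
            return "rejected"
        if event_id in self.seen:
            return "duplicate"            # acknowledge the retry, do not re-apply
        self.seen.add(event_id)
        self.applied.append(event)
        return "applied"


def run_harness(now: int = 1_700_000_000) -> dict:
    """Replay four constructed deliveries: good, retried duplicate, tampered, stale."""
    rx = WebhookReceiver(SHARED_SECRET)
    body = json.dumps({"event_id": "evt_001", "type": "authorization.created",
                       "amount": 4250, "card_last4": "1234"}).encode()
    good = {"X-Timestamp": str(now), "X-Signature": sign(SHARED_SECRET, now, body)}
    results = [rx.handle(good, body, now)]
    results.append(rx.handle(good, body, now + 5))        # processor retry, same event_id
    tampered = body.replace(b"4250", b"42500")
    results.append(rx.handle(good, tampered, now))        # body altered, signature fails
    stale_ts = now - REPLAY_WINDOW_SECONDS - 1
    stale = {"X-Timestamp": str(stale_ts), "X-Signature": sign(SHARED_SECRET, stale_ts, body)}
    results.append(rx.handle(stale, body, now))           # valid signature, outside window
    return {"results": results, "applied": len(rx.applied), "rejected": rx.rejected}


if __name__ == "__main__":
    print(json.dumps(run_harness(), indent=2))
```

Save the `results` and `rejected` output with the sandbox request logs as the evidence the checklist item asks for.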
D. Niche & GTM (25)
- Pick a vertical and a problem (cash flow, reconciliation, claims). Owner: CEO + Product. Choose the use‑case you can prove in 30 days and say no to the rest; document the operational workflow you will replace.
- ICP definition; revenue bands; ops complexity bands. Owner: Marketing + CEO. Define firmographics and ops markers that correlate with willingness to pay; target the smallest viable segment first.
- Wedge product with visible ROI inside 30 days. Owner: Product + COO. Ship a feature that moves cash‑flow timing or reduces manual work; measure baseline → after and publish the delta.
- Integrations list (PMS/EHR/accounting); certification plan. Owner: CTO + Product. Rank integrations by coverage and friction and pre‑book certification windows; stub out adapters early.
- Pricing sheet per segment; transparent fees. Owner: CEO + Marketing + Finance. Publish clear monthly + usage fees tied to value and cost to serve; avoid bespoke quotes unless strategic.
- Implementation playbook; SLA; “white glove” tier. Owner: COO + Customer Success. Write step‑by‑step guides with timeboxes and clearly defined customer responsibilities; add a premium tier for hands‑on deployment.
- Land/expand attach plan (payments -> credit -> insights). Owner: Product + CEO. Sequence attach SKUs after you earn trust on the wedge; set target attach rates and review monthly.
- Partner channels: associations, ISVs; rev share bands. Owner: CEO + BizDev. Identify 2–3 distribution partners and propose simple banded rev share; offer co‑branded enablement kits.
- Case studies with cost/time savings; before/after. Owner: Customer Success + Marketing. Write one‑page case studies with concrete numbers and a quote; use the customer’s own language.
- Security/compliance one‑pager for buyers with FoF diagram. Owner: Compliance + COO + Marketing. Show controls, sponsor bank, and FoF at a glance; include contact info for diligence.
- Content engine: cadence, distribution, lead capture. Owner: Marketing. Ship a weekly cadence tied to customer questions; add clear CTAs and capture forms that flow to CRM.
- Analyst/press list; briefing plan. Owner: CEO + Marketing. Build a short list and brief quarterly with real metrics; send embargoed notes when you ship meaningful changes.
- Community loop (Slack/Discord/meetups) if relevant. Owner: Marketing + Product. Offer a space for tips and feedback; harvest requests into the roadmap.
- Support/runbooks; on‑call; escalation. Owner: COO + Support. Write runbooks for top 20 issues and publish SLAs; ensure on‑call knows how to escalate unblockers.
- NPS/CSAT program; close‑loop. Owner: Customer Success. Survey quarterly and call detractors; log root causes and fixes.
- Renewal motion; price‑rise policy. Owner: COO + Customer Success. Calendar renewal dates and send value summaries; publish how and when price changes happen.
- Loss reasons tracking; win‑back. Owner: Sales + Marketing. Tag reasons in CRM and build campaigns to address the top three; re‑approach when the product closes gaps.
- Partner MDF asks; co‑marketing guardrails. Owner: Marketing + BizDev. Make specific asks (amount, deliverables, dates); set brand and disclosure rules for each partner.
- Onboarding UX walkthrough recorded. Owner: Product + Design. Record a 7‑minute guided tour and keep it updated as flows change; link it inside the product.
- Sales enablement docs for partners. Owner: Marketing + Sales. Package ICP, value props, pricing, and objection handling; deliver as a single kit.
- Compliance‑as‑a‑feature positioning where credible. Owner: Compliance + Marketing. Turn your controls into buyer value (fewer exceptions, faster audits) without over‑promising.
- Vertical benchmarks in app; show value. Owner: Product + Data. Show how a customer compares to peers on core metrics and suggest actions; keep benchmarks anonymous and real.
- Advocacy program; customer council. Owner: Marketing + Customer Success. Recruit 5–10 advisors for quarterly feedback and early access; spotlight them publicly with permission.
- Roadmap transparency line (what/when/why). Owner: Product + CEO. Share what you will build next and why it matters; say “no” cleanly with reasoning.
- Legal review of marketing claims. Owner: Legal + Compliance. Vet claims that touch performance, coverage, or regulatory posture; keep approvals next to the assets.
E. Fundraising & Board (20)
- 18‑month plan: milestones, hires, budget, reserves. Owner: CEO + Finance. Publish a one‑pager with quarterly targets and hiring dates; add a cash runway chart with buffers for fraud and delays.
- Narrative: risk owned vs outsourced; regulator posture. Owner: CEO. Explain clearly what you and the bank own and why that reduces execution risk; show how your controls map to examiner expectations.
- Metrics: funded rate, transacting MAUs, lift, fraud/loss. Owner: CEO + Data. Track activation → engagement → revenue with a single definition doc; plot fraud and loss next to growth so tradeoffs are visible.
- Customer proof: LOIs, pilots, signed MSAs. Owner: CEO + Sales. Keep up‑to‑date counters and examples; convert pilots to MSAs with a short success checklist.
- Dataroom: bank LOI/MOU, processor SOW, SOC/PCI, policies. Owner: CEO + Ops + Compliance. Organize folders by topic and keep a changelog; restrict access and watermark exports.
- Audit calendar; independent testing slot. Owner: Compliance + COO. Book testing windows at least 60 days ahead and reserve internal bandwidth to fix findings; share the calendar with your bank.
- Unit economics model; sensitivity tabs. Owner: CEO + Finance + Data. Provide base, best, and conservative cases; show how attach, rewards, and loss move the curve.
- Fraud reserve policy; capital plan. Owner: Risk + CEO + Finance. Tie reserves to trailing loss and growth; reconcile policy monthly and adjust capital runway accordingly.
- Hiring plan: compliance lead, ops lead, risk engineer. Owner: CEO + COO. Write job scorecards with outcomes and interview loops; stage hires just before their bottlenecks appear.
- Reference calls lined up (bank, processor, customers). Owner: CEO. Pre‑wire your strongest references and prepare a one‑page FAQ; avoid surprises by aligning on messaging.
- Investor map by stage/sector; warm intros. Owner: CEO. Maintain a short list with partners, theses, and portfolio fit; time outreach to your next proof of progress.
- Pre‑mortem risks and mitigations. Owner: CEO + Team. List top ways you fail and what early indicators you’ll watch; assign mitigations and owners now, not later.
- Board design: operating advisors who’ve run programs. Owner: CEO. Add operators who have launched regulated products; pay in options and timebox their commitments.
- Communications cadence; monthly letter. Owner: CEO. Send the same template every month with metrics, progress, and asks; track answers and follow‑ups.
- Governance basics; option pool refresh plan. Owner: CEO + Legal. Keep consents, minutes, and cap table current; plan pool top‑ups a round ahead to avoid emergency approvals.
- Secondary guidelines; no surprises. Owner: CEO + Legal. Write internal rules for any secondary sales and align early with major holders; disclose clearly to future investors.
- Escalation matrix for incidents. Owner: COO + CTO + Compliance. Define severity levels, roles, and paging paths; test quarterly and log response times.
- Key man insurance where required. Owner: CEO + Legal. Confirm policy amounts and beneficiaries with your board; review annually as responsibilities change.
- SOC 2 roadmap if needed. Owner: CTO + Compliance. Decide scope and target date and start evidence collection early; reuse security program artifacts to reduce lift.
- Exit criteria for partner switches. Owner: COO + CTO + Legal. Write objective triggers (SLA, roadmap, pricing) and a migration plan; review readiness twice a year.
F. Founder Tactics (15)
- Weekly partner syncs; action logs. Owner: COO + Partner PM. Keep a rolling agenda with decisions, owners, and dates; share notes within 24 hours so nothing goes missing.
- Write decision memos; store artifacts. Owner: CEO + CTO + COO. For material choices (bank, processor, rails), record options, constraints, and rationale; link code/contract changes to the memo.
- Shadow disputes for two weeks; learn the edge cases. Owner: Founder/CEO. Sit with agents and file 20 cases yourself; fix forms and copy immediately where confusion appears.
- Listen to support calls; change copy. Owner: CEO + Product. Review call snippets weekly and update error text and help articles; measure repeat contacts per issue.
- Publish your risk dashboard; talk about it. Owner: Risk + CEO. Show fraud, loss, disputes, and timeliness next to growth so everyone sees tradeoffs; use it to prioritize.
- Keep a failure log; close loops fast. Owner: CEO + Team. Maintain a blunt list of misses and the fix/date/owner; celebrate closed loops publicly.
- Ask dumb questions early; save months. Owner: Founder/CEO. When you don’t understand a bank or network rule, escalate immediately; a ten‑minute call can save a quarter.
- Hire a fractional compliance officer before you “need” one. Owner: CEO. Bring in a pro to set tone and cadence; convert to full‑time when audit workload demands it.
- Build one killer pre‑mortem; update quarterly. Owner: CEO + Team. Imagine failure and list the most likely causes; assign mitigations and revisit after each milestone.
- Teach sales how Reg E works. Owner: Compliance + Sales. Train on dispute obligations and timing so promises match reality; include escalation paths in the playbook.
- Tape the Reg E/Z calendars to the wall. Owner: Compliance + Support. Make timers visible in the floor tools and on a printed calendar; audit missed clocks monthly.
- Spend afternoons in the lobby at Money20/20. Owner: CEO. Schedule back‑to‑backs and keep asks specific; write follow‑ups within 48 hours.
- Use the Amex FHR credit to stay close to action. Owner: CEO. Cut travel friction to maximize meetings; revisit budget after you measure ROI of the trip.
- Follow up in 48 hours, always. Owner: CEO. Recap decisions and next steps quickly while context is fresh; momentum wins deals.
- Lead the partnership—local/regional banks want to help, but you set the pace. Owner: CEO + COO. Propose agendas, send artifacts, and run the cadence; partners follow teams that execute.
Rewards & Loyalty Platforms (Ascenda)
If you plan to offer points or miles, you can build a basic in‑house ledger or use a specialized partner. Ascenda provides an earn/burn marketplace across airlines/hotels/merchants with API integration and settlement support.
Key questions:
- Funding source: interchange margin, subscription, or credit interest?
- Liability: when do you recognize points cost; breakage assumptions?
- AML/fraud: abuse vectors (manufactured spend), KYC for transfers.
Reference: https://www.ascenda.com/
Rewards Flow (simplified)
[Transaction Volume] -> [Interchange Margin] -> [Rewards Accrual Ledger]
                               |
                               +-- Funding Pool --> [Partner Marketplace (Ascenda)]
First Partner Bank Call: Cheat Sheet
What to send ahead (24–48 hours):
- One‑page overview: product, target segment, volumes (12–18 mo), top risks you anticipate.
- Flow of Funds diagram for your primary use case (card/deposit/real‑time).
- Compliance outline (CIP/CDD/EDD, OFAC, disputes, vendor risk, independent testing plan).
- Team: compliance lead, ops lead, engineering lead.
What they will care about most:
- Do you understand FoF with precise account names and exception flows?
- Who owns KYC/KYB, sanctions, TMS tuning, and SAR narratives?
- How will you reconcile daily and staff 24/7 for instant rails?
- What is your dispute posture (Reg E/Z) and customer communication plan?
Questions to ask them:
- Durbin status; RTP/FedNow enablement timeline; BIN control model.
- Data ownership/egress; termination assistance terms (months of cooperation).
- SLA and performance credits for misses; audit rights; re‑papering if switching banks.
FoF: What to bring to the call
[End-user] -> [App] -> [Ledger] -> [Processor] -> [Bank] -> [Rails]
- Name the systems and the legal owner of funds at each hop
- Show normal and exception flows (returns, disputes, reversals)
- Note daily reconciliation and who signs off
Glossary (Selected Jargon)
- ACH: Automated Clearing House; batch payment network (Nacha rules).
- Acquirer: Merchant‑side processor/settlement entity.
- AML: Anti‑Money Laundering program components and controls.
- Assessments: Network fees (basis points plus fixed) charged by card networks.
- BIN: Bank Identification Number; identifies issuer and product.
- BSA: Bank Secrecy Act; core compliance requirements.
- BTR/IMAD/OMAD: Bank transfer/wire identifiers used in reconciliation.
- CDD/EDD: Customer Due/Enhanced Due Diligence.
- Chargeback: Dispute mechanism for card transactions under network rules.
- CIP: Customer Identification Program; identity verification requirements.
- CTR: Currency Transaction Report (> $10,000 cash).
- Durbin: US debit interchange regulation; “regulated” vs “exempt.”
- EDR/EDW: Event‑driven reconciliation/warehouse (internal terms; define in program).
- FBO: For‑Benefit‑Of pooled account structure at sponsor bank.
- FedNow: Federal Reserve instant payment rail.
- FoF: Flow of Funds; diagram of money movement and responsibilities.
- GLBA: Gramm‑Leach‑Bliley Act; Safeguards Rule for data security.
- IMAD/OMAD: Wire message identifiers for Fedwire/CHIPS.
- Interchange: Fee from acquirer to issuer per card transaction.
- Issuer‑processor: Vendor providing auth + card lifecycle for issuer.
- KMS/HSM: Key management/hardware security modules.
- KYB/KYC: Know Your Business/Customer identity verification.
- Nacha: ACH network governing body and operating rules.
- OFAC: Sanctions screening requirements and blocking/reporting.
- PCI DSS: Card data security standard; v4.0 current.
- PM (Program Manager): Entity operating card program under bank’s license.
- Reg E/Z: US regulations for electronic fund transfers (E) and credit (Z).
- RTP: Real‑Time Payments network (The Clearing House).
- SAR: Suspicious Activity Report.
- Tokenization: Replacing PAN with network tokens; reduces PCI scope.
- TPRM/3PRM: Third‑Party Risk Management.
- UDAAP: Unfair, Deceptive, or Abusive Acts or Practices.
Resource Library (Primary Sources)
- FFIEC BSA/AML Manual: https://bsaaml.ffiec.gov/
- OCC Third‑Party Risk (2013‑29, 2020‑10, 2023 updates): https://www.occ.treas.gov/
- FedNow Service: https://www.fednow.org/
- The Clearing House RTP: https://www.theclearinghouse.org/payment-systems/rtp
- Nacha Operating Rules: https://www.nacha.org/
- Visa Core Rules: https://usa.visa.com/support/consumer/visa-rules.html
- Mastercard Rules: https://www.mastercard.us/en-us/business/overview/support/rules.html
- PCI DSS v4.0: https://www.pcisecuritystandards.org/
- GLBA Safeguards Rule: https://www.ftc.gov/
- FinCEN BOI/CTA: https://www.fincen.gov/boi
Appendices: RFP, Redlines, KPIs
Key Hires & Sequencing 👥
Start lean and hire for control points. The early team should be able to ship product, pass audits, and run money movement.
Suggested sequence (first 12–18 months):
- Founding CTO: owns ledger, rails integrations, security. Define event schemas, enforce idempotency, and build reconciliations.
- Founding COO/Head of Banking Ops: owns FoF, reconciliations, disputes, and partner cadence. Stands up playbooks and SLAs.
- Head of Compliance (fractional → full-time): owns BSA/AML, CIP/CDD/EDD, OFAC, TMS governance, training, and independent testing.
- Risk/Data lead (part-time → full-time): owns fraud rules, loss provisioning assumptions, and post‑mortem tuning.
- Product/Design (shared/founder → dedicated): owns UX for onboarding, disputes, limits, and comms.
- GTM (founder‑led → AE/CSM): validates ICP, captures case studies, and closes lighthouse customers.
Hiring signals to look for: prior program launch or exam cycles; ability to read SOWs and redline; comfort with on‑call and audits.
90‑Day Diligence Plan (Week by Week)
- Weeks 1–2: RFP out; sandbox access; auth/latency tests; file/webhook inventory; dispute demo; draft FoF v1.
- Weeks 3–4: Reference calls; security review; data export test; preliminary SOW outline; risk alignment memo.
- Weeks 5–6: Compliance workshop (CIP/CDD/EDD/OFAC/TMS); incident drill; SLA negotiation; redline v1.
- Weeks 7–8: Pilot plan (Day‑0/30/90) agreed; BIN/product configuration draft; reporting pack prototype.
- Weeks 9–10: SOW final; price step‑downs; termination assistance schedule; audit rights addenda.
- Weeks 11–12: Go‑live gate criteria; acceptance tests; issue log; executive sign‑offs.
Sample SOW Structure (Outline)
- Scope of services (rails, card products, BIN, program management obligations)
- Pricing (all pass‑throughs; step‑downs; minimums; floors)
- SLAs & credits (auth, files, disputes, incidents)
- Data ownership & exports (formats, cadence, entitlements)
- Termination assistance (period, hours, roles, artifacts)
- Audit & compliance (evidence packs, frequency, remediation)
- Security (encryption, key mgmt, vulnerability mgmt, incident comms)
- Change management (roadmap reviews, release windows)
- Acceptance & launch gates (test cases, rollback plan)
- Legal (indemnities, limitation of liability, COC protections)
Redline Matrix (Cheat Sheet)
Term | Default (Often) | Target | Fallback |
---|---|---|---|
Data ownership | Limited extracts | Full exports + schema docs | Monthly full dump + ad hoc |
Termination assistance | 30–60 days best‑effort | 6–12 months; named hours | 3 months + named roles |
SLA credits | Narrow, manual | Automatic, meaningful tiers | Credits at 50% of target |
Rev‑share floors | Sticky, slow step‑downs | Clear bands with step‑downs | Time‑based step‑down at 12/24 mo |
Audit rights | SOC only | On‑site + remediation SLAs | SOC + supplemental evidence pack |
Frequently Asked Questions (FAQ)
What is the minimum viable compliance stack to get a bank to yes?
Written BSA/AML program with CIP/CDD/EDD, named compliance officer, OFAC screening plan, transaction monitoring with tuning process, training calendar, independent testing schedule, incident response, and third‑party risk program. See FFIEC: https://bsaaml.ffiec.gov/
Do I need RTP and FedNow on day one?
No. Start with ACH/wire and add instant rails when you can staff 24/7 exceptions and manage liquidity. See TCH RTP: https://www.theclearinghouse.org/payment-systems/rtp and FedNow: https://www.fednow.org/
Are debit rewards worth it without Durbin exemption?
Often no—the economics are tight once assessments, processor fees, and fraud are netted. If you offer rewards, cap earn rate tightly and test breakage.
What’s the fastest route to a BIN/product launch?
Leverage your bank’s existing BIN/product tiers first; add new tiers after you establish program stability. Confirm certification steps in Visa/Mastercard rules: https://usa.visa.com/support/consumer/visa-rules.html and https://www.mastercard.us/en-us/business/overview/support/rules.html
How do I structure a FoF diagram for a bank call?
Show account owners, rails, message/file flows, and exception paths. Keep names exact: “FBO Master @ Sponsor Bank,” “Reserve,” “Operating sub‑ledger,” “Processor settlement.” Example patterns: Column: https://column.com/docs/flow-of-funds
RFP Question Bank (Shortlist)
- Program scope: What products at launch (deposits, card, RTP/FedNow, wires)? What’s the 12–18 month roadmap?
- Risk alignment: Which customer segments are in/out of appetite? What concentration limits apply?
- Rails readiness: RTP/FedNow timelines; liquidity and after‑hours staffing expectations.
- Data ownership: What can we export, at what frequency, and in what format? Are real‑time webhooks available for all state changes?
- Disputes: Reg E/Z timers—how are they enforced? What evidence packages are required? What’s the escalation path?
- BIN/product control: Who owns product configuration? How fast can we launch a new BIN/product level? What are certification dependencies?
- SLAs & credits: Auth latency, file delivery, dispute response, incident comms. What credits apply for misses?
- Termination assistance: Minimum period, named roles, and engineering commitments during migration.
- Audit rights: SOC/PCI evidence packs; on‑site visits; frequency; remediation SLAs.
- Pricing: All pass‑throughs itemized; step‑down schedule; volume bands; floors and minimums.
Negotiation Levers & Redlines (Patterns)
- Data ownership and escrow: add explicit right to full exports and escrow key artifacts for exit scenarios.
- Termination assistance: 6–12 months, with weekly cadence and named engineering hours.
- SLA credits: meaningful, automatic credits for chronic latency or outage events.
- Rev‑share step‑downs: target clear volume bands with step‑downs; ban retroactive resets.
- Change‑of‑control protections: preserve economics and access on acquisition.
- Launch gates: clear acceptance tests for go‑live to avoid scope creep.
Operating KPIs (Starter Targets)
- Fraud loss (debit): < 15 bps of volume after month 6.
- Dispute timeliness: > 98% of Reg E/Z deadlines met.
- Auth approval rate (debit): > 92% excluding insufficient funds; (credit): > 95% subject to risk.
- RTP success rate: > 99.5% with < 1% manual exceptions.
- Reconciliation timeliness: daily, zero unexplained variances > $X threshold.
- Support response times: first response < 2 hours; resolution SLA by severity.
Dispute Playbook (Outline)
1) Intake and triage (auto clock start)
2) Provisional credit (where applicable)
3) Evidence collection
4) Network response
5) Customer comms
6) Post‑mortem rules tuning
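The clock math behind the intake and provisional-credit steps, as an added example (not the page's or any bank's tooling). It assumes the baseline Regulation E windows for an established account: 10 business days to investigate, extendable to 45 calendar days only if provisional credit posts within those 10 business days; the holiday set and case dates are constructed, and the longer windows for new accounts, POS debit and foreign-initiated transfers are not modelled, so Compliance must confirm the parameters you ship.

```python
"""Reg E dispute clock: deadlines from intake, with the provisional-credit condition.

Added example, not the page's own tooling. Window lengths are assumed Reg E
baselines for an established account; confirm with Compliance before use.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Set

INVESTIGATION_BUSINESS_DAYS = 10   # assumed baseline: investigate within 10 business days
EXTENDED_CALENDAR_DAYS = 45        # assumed baseline: 45 days if provisional credit is on time

# Constructed holiday set for this sample; load the bank's published calendar in production.
HOLIDAYS: Set[date] = {date(2025, 1, 20)}


def is_business_day(d: date, holidays: Set[date] = HOLIDAYS) -> bool:
    """A weekday that is not a bank holiday."""
    return d.weekday() < 5 and d not in holidays


def add_business_days(start: date, n: int, holidays: Set[date] = HOLIDAYS) -> date:
    """Date n business days after start; the receipt day itself is not counted."""
    d, remaining = start, n
    while remaining > 0:
        d += timedelta(days=1)
        if is_business_day(d, holidays):
            remaining -= 1
    return d


@dataclass
class DisputeClock:
    case_id: str
    received: date                                   # intake starts the clock
    provisional_credit_posted: Optional[date] = None

    @property
    def investigation_due(self) -> date:
        return add_business_days(self.received, INVESTIGATION_BUSINESS_DAYS)

    @property
    def extended_due(self) -> Optional[date]:
        """Extended window exists only if provisional credit posted by the 10-business-day mark."""
        if self.provisional_credit_posted is None:
            return None
        if self.provisional_credit_posted > self.investigation_due:
            return None
        return self.received + timedelta(days=EXTENDED_CALENDAR_DAYS)

    def status(self, today: date) -> str:
        """Dashboard state; AT_RISK within two days of the governing deadline."""
        deadline = self.extended_due or self.investigation_due
        days_left = (deadline - today).days
        if days_left < 0:
            return "OVERDUE"
        return "AT_RISK" if days_left <= 2 else "ON_TRACK"


def summarize(case_id: str, received_iso: str, credited_iso: Optional[str], today_iso: str) -> dict:
    """String-in/string-out wrapper so the clock can be driven from a queue or CSV export."""
    clock = DisputeClock(case_id, date.fromisoformat(received_iso),
                         date.fromisoformat(credited_iso) if credited_iso else None)
    ext = clock.extended_due
    return {"case_id": case_id,
            "investigation_due": clock.investigation_due.isoformat(),
            "extended_due": ext.isoformat() if ext else None,
            "status": clock.status(date.fromisoformat(today_iso))}


if __name__ == "__main__":
    # Constructed cases: one without provisional credit, one credited in time.
    for row in (("case-1", "2025-01-15", None, "2025-01-29"),
                ("case-2", "2025-01-15", "2025-01-28", "2025-02-03")):
        print(summarize(*row))
```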
PCI Scoping Patterns (Quick Notes)
- Prefer network tokenization; isolate PAN handling to the vault provider; keep your PCI scope, and therefore your SAQ type, as small as feasible.
- Enforce mTLS, rotate keys, and minimize card data surfaces in logs and analytics.
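One concrete control for "minimize card data surfaces in logs and analytics": a redaction filter that sits in front of the log pipeline. This is an added example, not the page's or any vendor's code; the log lines and card numbers are constructed test values, and the first-six/last-four mask is an assumed policy choice.

```python
"""PAN redaction for log and analytics pipelines.

Added example (not from the page). Finds 13-19 digit runs, allowing spaces
or dashes, keeps only those that pass the Luhn check, and masks them to
first six + last four before the line leaves the application.
"""
import re

# A run of 13-19 digits with optional single space/dash separators, not embedded in a longer run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation; filters out ids and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first six) and last four; everything else becomes '*'."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(line: str):
    """Return (redacted line, number of PANs replaced)."""
    count = 0

    def repl(m):
        nonlocal count
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            count += 1
            return mask_pan(digits)
        return raw            # e.g. a ledger id that fails Luhn is left untouched

    return _CANDIDATE.sub(repl, line), count


# Constructed sample log lines; the card numbers are public test values, not real accounts.
SAMPLE_LOGS = [
    "2025-01-15T12:00:01Z auth request pan=4111111111111111 amount=4250 merchant=DENTAL-SUPPLY",
    "2025-01-15T12:00:02Z customer note: 'my card 5555 5555 5555 4444 was declined'",
    "2025-01-15T12:00:03Z ledger_txn_id=1234567890123456 status=posted",
]


def redact_all(lines):
    """Redact a batch of lines; returns (lines, total PANs replaced) for pipeline metrics."""
    out, total = [], 0
    for ln in lines:
        r, n = redact(ln)
        out.append(r)
        total += n
    return out, total


if __name__ == "__main__":
    cleaned, n = redact_all(SAMPLE_LOGS)
    print("\n".join(cleaned))
    print(f"PANs redacted: {n}")
```

Count the redactions as a metric: a non-zero rate in production means card data is reaching a surface that should be out of PCI scope, and that is the finding to chase.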
Open Questions
Questions I'm still asking
- Where should liquidity buffers sit for RTP/FedNow without dead capital?
- What BIN/product tiers best align network benefits with SMB reality?
- How far can automation push disputes before you need manual triage?
- What termination assistance terms are truly enforceable in practice?
- Which local/regional banks have the will and teams to scale with startups?