February 2026
What Sponsor Banks Actually Look For (And What They Don't Care About)
After helping dozens of fintechs through sponsor bank diligence, here's what actually matters — and where companies waste time.
If you're building a fintech that touches payments — PayFac, BaaS, embedded finance, whatever the flavor — you're going to face sponsor bank due diligence at some point. And if you're like most founders, you probably have no idea what to expect.
Having sat on both sides of this process, I want to demystify what banks actually care about. Spoiler: it's not what most people think.
What Banks Actually Care About
1. Do You Understand Your Risks?
This is the big one. Banks don't expect you to have zero risk — that's impossible. They want to see that you've thought through what could go wrong and have a plan for managing it.
The question isn't "is this risky?" It's "does this company understand their risks and have proportionate controls?"
If you're onboarding merchants in high-risk verticals, say so. Explain why you chose those verticals, what the specific risks are, and how you're managing them. Pretending your risk profile is lower than it is will backfire — banks see right through it.
2. Can You Actually Execute?
A beautiful policy document means nothing if you can't operationalize it. Banks want to see:
- Who's doing the work? (Names, qualifications, capacity)
- What's the workflow? (Step-by-step, not hand-wavy)
- What tools are you using? (Specific vendors, not "industry-leading solutions")
- How do you know it's working? (Metrics, reporting, oversight)
I've seen companies get approved with imperfect policies but strong operational evidence, and rejected with perfect policies but no proof they could execute.
3. What Happens When Things Go Wrong?
Banks know things will go wrong. A merchant will commit fraud. A transaction will be suspicious. A customer will sue. They want to see escalation paths, decision-making authority, and evidence that problems get surfaced rather than buried.
The worst answer to "what happens if a merchant commits fraud?" is "that won't happen because our onboarding is so good." The right answer describes your detection mechanisms, investigation process, termination criteria, and reporting obligations.
4. Who's Accountable?
Banks want a named human they can call when something goes wrong. If your compliance function is "everyone's responsible," that means no one is. You need:
- A designated compliance officer (can be fractional)
- Clear reporting lines to leadership
- Board or executive visibility into compliance matters
What Banks Don't Actually Care About
Perfect Policies
I've seen 200-page policy manuals that were clearly copy-pasted from templates and never implemented. Banks see through this. A 20-page manual that accurately describes what you actually do beats a 200-page fiction.
Expensive Tools
"We use [expensive vendor] for KYC" is not a compliance strategy. Banks want to know how you're using the tool, what your rules are, how you handle edge cases, and who's reviewing the outputs. The tool is table stakes; the process is what matters.
Zero Risk
Banks aren't looking for risk-free partners — those don't exist. They're looking for partners who manage risk intelligently. A well-controlled high-risk program can be more attractive than a poorly controlled low-risk one.
The Real Secret
Here's what nobody tells you: sponsor bank diligence is a conversation, not an exam. Banks aren't trying to catch you out. They're trying to figure out if they can work with you.
The companies that do best are the ones that treat diligence as an opportunity to demonstrate sophistication, not an obstacle to overcome. They're proactive, transparent about weaknesses, and responsive to questions.
The companies that struggle are the ones that treat every question as an attack, provide minimal information, and act defensive. Banks read that as "something to hide."