Banking-as-a-Service: Embeddable Accounts, Cards, and Payments via API

WHITE PAPER

Banking-as-a-Service, built regulated-first

ACM's Banking-as-a-Service (BaaS) lets banks, credit unions, and health systems embed accounts, cards, and payments into their own products through a single API surface. This paper sets out the problem BaaS is meant to solve, ACM's architecture and security posture, how integration and deployment work, and the outcomes you can realistically expect, stated without exaggeration.

Regulated-first architecture · Post-quantum cryptography · White-label & client-owned · Hanzo.ai & Lux Network ecosystem

THE PROBLEM

Why embedding banking is hard

Most institutions want to offer modern, embedded financial experiences. Few want to rebuild a core, a ledger, a card processor, and a payments network to do it, or to inherit the operational and regulatory weight that comes with each.

Fragmented infrastructure

Accounts, cards, payments, and ledgering often live in separate systems stitched together with brittle integrations. Each connection is a point of failure, a reconciliation burden, and an audit liability.

Regulatory weight

Embedded finance still operates under banking rules. Program oversight, KYC/AML, transaction monitoring, and dispute handling do not disappear because an API is involved; they have to be designed in from the start.

Legacy economics

Older core platforms carry high fixed costs and slow change cycles. Launching a single new product can take quarters, and infrastructure spend rarely scales down when volumes are modest.

Long-lived data risk

Account records, payment instructions, and identity data persist for years. Encrypted traffic captured today can be stored and decrypted later, a pattern widely described as "harvest-now, decrypt-later."

ACM'S APPROACH

One API surface, regulated by design

ACM provides a unified BaaS platform: a consolidated set of services for opening and servicing accounts, issuing and controlling cards, and moving money, exposed through consistent, well-documented APIs. The platform is white-label, so your brand and product experience stay yours.

Accounts and ledger

A double-entry ledger underpins demand accounts, sub-accounts, and balances. Every movement is recorded immutably, designed so that reconciliation and audit reporting are a function of the system rather than a manual exercise.

Card issuing and controls

Virtual and physical card programs with spend controls, authorization rules, and lifecycle management, delivered through APIs and webhooks. Card data handling is designed to support PCI-DSS requirements.

Payments and money movement

Inbound and outbound payment rails, transfers, and settlement orchestration, with idempotent operations and event-driven status so your application always knows the true state of a transaction.

Program management

Tooling for onboarding, KYC/AML workflows, transaction monitoring, and dispute handling, so oversight obligations are supported within the platform rather than bolted on afterward.

ARCHITECTURE

How the platform is built

The architecture favors clear boundaries, auditable state, and operational resilience. Services are modular so that institutions can adopt accounts, cards, or payments independently and add the others over time.

  • API-first. A consistent, versioned API and webhook model is the primary contract. New capabilities are additive, so existing integrations remain stable as the platform evolves.
  • Event-driven and idempotent. Money-movement operations are idempotent and emit events, reducing the risk of duplicate transactions and giving downstream systems a reliable source of truth.
  • Immutable ledger. The double-entry ledger is the system of record. Balances and history are derived from an append-only sequence of entries, which supports clean audit trails.
  • Modular deployment. Components can be composed per program, allowing a phased rollout and isolating the blast radius of any single change.
  • Tenant isolation. Programs are logically separated so that data, configuration, and limits for one offering do not leak into another.
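The idempotent money-movement and append-only ledger properties described in the list above, as an added sketch that is not ACM's code or API. The class, method, and field names are hypothetical, amounts are integer minor units, and the SHA-256 hash chain is an assumed way of making an append-only log tamper-evident; the paper does not say how immutability is enforced.

```python
import hashlib
import json

class IdempotencyConflict(Exception):
    """The same idempotency key was reused with a different request body."""

class Ledger:
    """Hypothetical append-only double-entry ledger with idempotent transfers."""
    def __init__(self):
        self._entries = []  # append-only: entries are never updated or deleted
        self._seen = {}     # idempotency key -> (request fingerprint, entry seq)

    @staticmethod
    def _digest(obj):
        return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

    def transfer(self, key, debit, credit, cents):
        if not isinstance(cents, int) or cents <= 0 or debit == credit:
            raise ValueError("cents must be a positive int; accounts must differ")
        req = {"debit": debit, "credit": credit, "cents": cents}
        fp = self._digest(req)
        if key in self._seen:
            old_fp, idx = self._seen[key]
            if old_fp != fp:  # key replayed with altered parameters: refuse
                raise IdempotencyConflict(key)
            return dict(self._entries[idx])  # safe retry: replay original result
        prev = self._entries[-1]["hash"] if self._entries else "0" * 64
        body = {"seq": len(self._entries), "prev": prev, **req}
        entry = {**body, "hash": self._digest(body)}  # chained to previous entry
        self._entries.append(entry)
        self._seen[key] = (fp, entry["seq"])
        return dict(entry)

    def balance(self, account):
        """Balances are derived from the entries, never stored separately."""
        credits = sum(e["cents"] for e in self._entries if e["credit"] == account)
        debits = sum(e["cents"] for e in self._entries if e["debit"] == account)
        return credits - debits

    def verify(self):
        """Recompute the chain; any edited, removed or reordered entry fails."""
        prev = "0" * 64
        for i, e in enumerate(self._entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

A retried request with the same key and body returns the original entry without moving money twice, while the same key with a different amount is rejected rather than silently accepted or ignored.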
SECURITY & COMPLIANCE

Post-quantum security and a compliance-ready posture

Security is ACM's bread and butter. The BaaS platform is engineered to align with the latest cryptographic standards and to support the controls that regulated institutions are required to demonstrate.

Post-quantum cryptography

ACM builds on the NIST post-quantum standards finalized in 2024: ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205). Because banking records are long-lived, aligning to these standards helps address harvest-now, decrypt-later risk for data that must stay confidential for years.

Key management

Threshold cryptography and non-custodial key management are used so that no single party or component holds unilateral control of sensitive keys, reducing single points of compromise.

Compliance alignment

The platform is designed to support SOC 2, ISO 27001, PCI-DSS, and HIPAA requirements. ACM does not assert certifications on your behalf; it provides controls, logging, and evidence that help your own programs meet their obligations.

Auditability

Immutable ledgering, structured event logs, and access controls are intended to make examinations and internal audits a reporting task rather than a forensic one.

INTEGRATION & DEPLOYMENT

From first call to production

ACM's Agile Speed Framework is meant to move teams from evaluation to a working program in deliberate, low-risk stages, without forcing a full core replacement to get started.

  • Sandbox first. Begin against a sandbox with documentation, reference flows, and test data, so engineers can validate the integration before any production exposure.
  • Phased adoption. Launch one capability, such as accounts or cards, then extend to payments and additional products as confidence grows.
  • Flexible deployment. The platform supports deployment models that fit your regulatory and data-residency requirements, discussed during onboarding.
  • Coexistence with existing systems. BaaS can sit alongside current infrastructure, so you can modernize selectively rather than all at once.
  • Observability built in. Webhooks, event streams, and reporting give operations and risk teams visibility from day one.

OUTCOMES

What to expect, stated honestly

ACM frames outcomes in terms of capability and cost structure rather than guaranteed results. Your numbers will depend on program design, volumes, and how you integrate.

Lower infrastructure cost

By consolidating onto a modern, modular platform, ACM targets up to 95% lower infrastructure cost compared with legacy core systems. The realized figure varies by institution and workload.

Faster time to launch

A single API surface and phased rollout are designed to shorten the path from idea to live product, replacing multi-vendor integration work with one consistent contract.

Durable compliance footing

Designing oversight, auditability, and post-quantum-aligned cryptography in from the start is intended to reduce remediation cost and examination friction over the life of a program.

Room to expand

Because BaaS shares a foundation with ACM's broader ecosystem, programs can extend toward treasury, FX, tokenization, and stablecoin capabilities without re-platforming.

FURTHER READING

Related research

For ecosystem research on agentic AI and tokenized finance and settlement that complements ACM's banking technology, see the work of our partners. ACM's BaaS platform is designed to interoperate with these capabilities.

Evaluate ACM BaaS for your program

Talk to our team about a phased, regulated-first path to embedded accounts, cards, and payments, with a security posture built for the post-quantum era.

FAQ

Frequently asked questions

What does ACM's Banking-as-a-Service include?

It is a white-label platform that lets institutions embed accounts, cards, and payments through a single, versioned API. It includes a double-entry ledger, virtual and physical card issuing with spend controls, inbound and outbound payment rails with settlement orchestration, and program-management tooling for KYC/AML, transaction monitoring, and disputes. Components are modular, so you can adopt one capability and add others over time.

How does ACM address post-quantum security in BaaS?

ACM builds on the NIST post-quantum standards finalized in 2024: ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205). Because banking and identity records are long-lived, aligning to these standards helps address harvest-now, decrypt-later risk. Threshold cryptography and non-custodial key management are used so no single component holds unilateral control of sensitive keys. These standards are recent, so ACM frames its work as building on and aligning to them.

Does ACM provide regulatory certifications or charters?

No. ACM does not claim certifications or charters on your behalf. The platform is designed to support SOC 2, ISO 27001, PCI-DSS, and HIPAA requirements by providing controls, immutable logging, and audit evidence. Your institution remains responsible for its own compliance programs and examinations; ACM's role is to make meeting those obligations a reporting task rather than a forensic one.

Ecosystem Partners

Backed by a world-class ecosystem

ACM Global Tech is an ecosystem partner of Hanzo.ai and Lux Network — pairing enterprise-grade agentic AI with institutional tokenized-finance and settlement infrastructure.