Regulatory Tracker — Page 2 of 6

The FCA conducted multi-firm reviews of risk management and wind-down planning at e-money and payments firms in 2024-2025, finding underdeveloped frameworks across the sector.

Evolve Bank & Trust's 2022 redlining-related consent order was terminated on May 29, 2025 after the bank complied with compensation and injunctive terms. Evolve is a major BaaS sponsor bank.

The CFPB issued a memo on April 16, 2025, detailing reduced federal oversight of fintechs, rescinding prior enforcement priorities and deferring to state-led enforcement. The bureau also adopted a no-priority stance on nonbank registration.

The New York State Department of Financial Services issued a consent order against Block, Inc. on April 10, 2025, citing deficiencies in BSA/AML compliance, cybersecurity, and consumer protection. The action stemmed from examinations covering April 2021–September 2022 amid rapid transaction volume growth from $15.02 billion to $34.06 billion.

Block agreed to pay a $40 million penalty to the New York Department of Financial Services for BSA/AML compliance failures related to its Cash App services. The settlement also requires Block to hire an independent compliance monitor.

From April 9, 2025, EMIs and PIs in Lithuania must maintain approved wind-down plans as a regulatory requirement.

Turkey's TCMB suspended Ininal's EMI operational license in late March 2025 as part of an investigation into digital wallets facilitating illegal gambling transactions.

The OCC conditionally approved a fintech model by SmartBiz under rigorous compliance standards. The conditional approval reflects the OCC's approach of enabling fintech innovation while maintaining strict safety and soundness requirements.

The OCC conditionally approved fintech SmartBiz Loans' acquisition of CenTrust Bank's national charter, imposing capital conditions including an 11% tier 1 leverage ratio. The merged entity will be subject to full OCC supervision.

The OCC reaffirmed that national banks and federal savings associations can engage in crypto-asset activities without obtaining a nonobjection from the agency. This aligns with the broader rollback of restrictive crypto guidance.

Turkey's TCMB suspended and then fully revoked the electronic money institution (EMI) license of PayFix amid an investigation into illegal gambling and money laundering. Executive arrests and asset seizures accompanied the action.

Turkey's TCMB suspended and then fully revoked the EMI license of Aypara, a digital wallet provider, as part of a crackdown on payment institutions facilitating illegal gambling transactions.

On February 20, 2025, the OCC entered a formal agreement with Patriot Bank, National Association, after an examination identified BSA/AML compliance deficiencies tied to third-party risks, including prepaid card programs. The bank was required to develop enhanced plans for strategic and capital planning, customer due diligence, suspicious activity monitoring, and oversight of third-party program managers.

In early 2025, CFPB Acting Director Vought issued a stop-work order on February 10, placed staff on administrative leave, and terminated probationary employees, effectively halting CFPB enforcement and supervision activities including those involving banks and fintechs.

The FDIC released documents related to its supervision of crypto-related activities at banks, signaling a reevaluation of earlier pauses on crypto and fintech partnerships. This reflects evolving supervisory approaches to fintech innovation.

NYDFS reached a $2 million settlement with PayPal over a December 2022 cybersecurity incident that exposed unmasked consumer data, including Social Security numbers, in Form 1099-Ks. Violations included skipped testing, inadequate personnel training, and optional multi-factor authentication.

New York Attorney General Letitia James secured a judgment exceeding $1 billion against Yellowstone Capital and affiliates for predatory loans disguised as merchant cash advances to over 18,000 small businesses. The scheme involved usurious interest rates and hidden fees.

The Bank of Lithuania revoked the license of an unnamed EMI or PI, citing 10 regulatory violations, with one violation referred to the Court of Justice of the European Union (CJEU) concerning direct debit services.

The Bank of Lithuania revoked Foxpay's electronic money institution (EMI) license on November 22, 2024, for laundering approximately €17 million between 2023-2024 and bribing AML officers.

The FCA opened one enforcement operation against a Payment Institution in 2024, as disclosed in its November 2024 FOI data. The specific institution and details of the enforcement were not publicly named.

The FCA published updated guidance on its approach to payment services and electronic money in November 2024, reflected in tracked-changes revisions to its 2017 approach document.

The CFPB finalized a rule defining larger participants in the general-use digital consumer payment applications market, enabling supervision of nonbanks with 50 million or more annual transactions. This rule was published around November 2024.

The FCA disclosed aggregate enforcement data for Electronic Money Institutions (EMIs) and Payment Institutions (PIs) through November 2024, revealing ongoing use of VREQs, OIREQs, enforcement operations, and s166 skilled person reviews. In 2024 YTD, EMIs received 3 VREQs and 6 s166 reviews, while PIs received 1 enforcement operation, 1 OIREQ, 2 VREQs, and 1 s166 review.

The FCA commissioned six s166 skilled person reviews of Electronic Money Institutions in 2024 through November. These reviews are used to independently assess whether firms meet regulatory requirements.