Regulatory Tracker — Page 2 of 6

The Bank of Lithuania revoked KogoPay UAB's electronic money institution (EMI) license in August 2025 due to capital shortfalls, delayed financial reporting, and insolvency. Bankruptcy proceedings were initiated after the firm admitted inability to meet its obligations.

DFPI settled with a former mortgage lender/servicer for $1.8 million in penalties plus $550,316 in borrower refunds for overcharges, escrow failures, and violations of California lending laws.

The FDIC adopted more visible and prescriptive enforcement approaches against banks involved in bank-fintech partnerships in 2025, shifting from non-public supervisory actions to more public consequences.

The FCA published strengthened safeguarding rules (PS25/12) effective August 2025 for authorised EMIs, payment institutions, and small EMIs to protect client funds in the event of firm failure. Interim compliance measures take effect May 2026.

NYDFS settled with Paxos Trust Company, imposing a $26.5 million penalty for inadequate due diligence on a former partner and systemic AML program failures. Paxos agreed to invest $22 million in compliance improvements.

Hong Kong's HKMA stablecoin licensing framework took effect August 1, 2025, requiring fiat-referenced stablecoin issuers to obtain a license by October 31, 2025 or face a mandatory closing-down period starting November 1, 2025.

India's NPCI imposed new UPI compliance rules effective August 1, 2025, under which payment service providers face penalties, API restrictions, or suspension of new customer onboarding for non-compliance with peak-hour transaction requirements.

BCB Resolution 589 requires all PIX participants to implement self-service MED (fraud recovery) functionality in their apps by October 2025, with MED 2.0 planned for February 2026 enabling tracing and blocking across five account layers.

The OCC issued statements in June–July 2025 explicitly embracing bank-fintech partnerships while addressing risks such as crypto-asset safekeeping. No specific enforcement action was taken against a named bank, but the guidance signals supervisory expectations for sponsor banks.

OCC, FDIC, Federal Reserve, NCUA, and FinCEN issued an order allowing banks and credit unions to collect Taxpayer Identification Numbers (TINs/SSNs) from third-party sources such as credit reporting agencies instead of directly from customers during account opening. The order was initially issued June 27, 2025 and expanded July 31, 2025.

The CFPB rolled back UDAAP oversight in June 2025, reducing some fintech supervisory burdens. The change affects the regulatory landscape for bank-fintech partnerships but core compliance risks persist.

The DOJ updated its FCPA guidelines on June 9, 2025, prioritizing banks for anti-bribery controls in international transactions. The guidance has implications for BaaS and fintech firms engaged in cross-border banking.

OCC leadership in 2025 expressed support for bank-fintech partnerships while prioritizing risk management. The OCC continued scrutiny of fintech arrangements with emphasis on robust compliance frameworks.

The FCA conducted multi-firm reviews of risk management and wind-down planning at e-money and payments firms in 2024-2025, finding underdeveloped frameworks across the sector.

Evolve Bank & Trust's 2022 redlining-related consent order was terminated on May 29, 2025 after the bank complied with compensation and injunctive terms. Evolve is a major BaaS sponsor bank.

The CFPB issued a memo on April 16, 2025, detailing reduced federal oversight of fintechs, rescinding prior enforcement priorities and deferring to state-led enforcement. The bureau also adopted a no-priority stance on nonbank registration.

The New York State Department of Financial Services issued a consent order against Block, Inc. on April 10, 2025, citing deficiencies in BSA/AML compliance, cybersecurity, and consumer protection. The action stemmed from examinations covering April 2021–September 2022 amid rapid transaction volume growth from $15.02 billion to $34.06 billion.

From April 9, 2025, EMIs and PIs in Lithuania must maintain approved wind-down plans as a regulatory requirement.

Turkey's TCMB suspended Ininal's EMI operational license in late March 2025 as part of an investigation into digital wallets facilitating illegal gambling transactions.

The OCC conditionally approved a fintech model by SmartBiz under rigorous compliance standards. The conditional approval reflects the OCC's approach of enabling fintech innovation while maintaining strict safety and soundness requirements.

The OCC reaffirmed that national banks and federal savings associations can engage in crypto-asset activities without obtaining a nonobjection from the agency. This aligns with the broader rollback of restrictive crypto guidance.

Turkey's TCMB suspended and then fully revoked the EMI license of Aypara, a digital wallet provider, as part of a crackdown on payment institutions facilitating illegal gambling transactions.

Turkey's TCMB suspended and then fully revoked the electronic money institution (EMI) license of PayFix amid an investigation into illegal gambling and money laundering. Executive arrests and asset seizures accompanied the action.

On February 20, 2025, the OCC entered a formal agreement with Patriot Bank, National Association, after an examination identified BSA/AML compliance deficiencies tied to third-party risks, including prepaid card programs. The bank was required to develop enhanced plans for strategic and capital planning, customer due diligence, suspicious activity monitoring, and oversight of third-party program managers.