NYDFS settled with Paxos Trust Company, imposing a $26.5 million penalty for inadequate due diligence on a former partner and systemic AML program failures. Paxos agreed to invest $22 million in compliance improvements.
Regulatory Tracker
Archive of enforcement actions, consent orders, and supervisory guidance impacting the BaaS and embedded finance ecosystem.
N/A — Industry-wide
Policy Statement / Guidance: The FCA published strengthened safeguarding rules (PS25/12) effective August 2025 for authorised EMIs, payment institutions, and small EMIs to protect client funds in the event of firm failure. Interim compliance measures take effect May 2026.
N/A — Industry-wide PSPs
Guidance: India's NPCI imposed new UPI compliance rules effective August 1, 2025, under which payment service providers face penalties, API restrictions, or suspension of new customer onboarding for non-compliance with peak-hour transaction requirements.
Hong Kong's HKMA stablecoin licensing framework took effect August 1, 2025, requiring fiat-referenced stablecoin issuers to obtain a license by October 31, 2025 or face a mandatory closing-down period starting November 1, 2025.
BCB Resolution 589 requires all PIX participants to implement self-service MED (fraud recovery) functionality in their apps by October 2025, with MED 2.0 planned for February 2026 enabling tracing and blocking across five account layers.
Unknown Sponsor Bank
Guidance: The OCC issued statements in June–July 2025 explicitly embracing bank-fintech partnerships while addressing risks such as crypto-asset safekeeping. No specific enforcement action was taken against a named bank, but the guidance signals supervisory expectations for sponsor banks.
Industry-Wide (All Banks and Credit Unions)
Order/Guidance: OCC, FDIC, Federal Reserve, NCUA, and FinCEN issued an order allowing banks and credit unions to collect Taxpayer Identification Numbers (TINs/SSNs) from third-party sources such as credit reporting agencies instead of directly from customers during account opening. The order was initially issued June 27, 2025 and expanded July 31, 2025.
Unknown Sponsor Bank
Guidance Withdrawal / Regulatory Rollback: The CFPB rolled back UDAAP oversight in June 2025, reducing some fintech supervisory burdens. The change affects the regulatory landscape for bank-fintech partnerships but core compliance risks persist.
Unknown Sponsor Bank
Guidance: The DOJ updated its FCPA guidelines on June 9, 2025, prioritizing banks for anti-bribery controls in international transactions. The guidance has implications for BaaS and fintech firms engaged in cross-border banking.
N/A — Industry Guidance
Guidance: OCC leadership in 2025 expressed support for bank-fintech partnerships while prioritizing risk management. The OCC continued scrutiny of fintech arrangements with emphasis on robust compliance frameworks.
Multiple EMI/PI Firms (14 sampled)
Multi-firm review: The FCA conducted multi-firm reviews of risk management and wind-down planning at e-money and payments firms in 2024-2025, finding underdeveloped frameworks across the sector.
Evolve Bank and Trust
Consent Order (Early Termination): Evolve Bank & Trust's 2022 redlining-related consent order was terminated on May 29, 2025 after the bank complied with compensation and injunctive terms. Evolve is a major BaaS sponsor bank.
N/A - General CFPB Policy Memo
Guidance: The CFPB issued a memo on April 16, 2025, detailing reduced federal oversight of fintechs, rescinding prior enforcement priorities and deferring to state-led enforcement. The bureau also adopted a no-priority stance on nonbank registration.
Block, Inc.
Consent Order: The New York State Department of Financial Services issued a consent order against Block, Inc. on April 10, 2025, citing deficiencies in BSA/AML compliance, cybersecurity, and consumer protection. The action stemmed from examinations covering April 2021–September 2022 amid rapid transaction volume growth from $15.02 billion to $34.06 billion.
EMIs and PIs in Lithuania
Regulatory Requirement / Guidance: From April 9, 2025, EMIs and PIs in Lithuania must maintain approved wind-down plans as a regulatory requirement.
Ininal
License Suspension: Turkey's TCMB suspended Ininal's EMI operational license in late March 2025 as part of an investigation into digital wallets facilitating illegal gambling transactions.
SmartBiz Bank, N.A. (formerly CenTrust Bank, N.A.)
Conditional Approval: The OCC conditionally approved a fintech model by SmartBiz under rigorous compliance standards. The conditional approval reflects the OCC's approach of enabling fintech innovation while maintaining strict safety and soundness requirements.
Unknown Sponsor Bank
Guidance: The OCC reaffirmed that national banks and federal savings associations can engage in crypto-asset activities without obtaining a nonobjection from the agency. This aligns with the broader rollback of restrictive crypto guidance.
Aypara
License Revocation: Turkey's TCMB suspended and then fully revoked the EMI license of Aypara, a digital wallet provider, as part of a crackdown on payment institutions facilitating illegal gambling transactions.
PayFix
License Revocation: Turkey's TCMB suspended and then fully revoked the electronic money institution (EMI) license of PayFix amid an investigation into illegal gambling and money laundering. Executive arrests and asset seizures accompanied the action.
Patriot Bank, N.A.
Formal Agreement: On February 20, 2025, the OCC entered a formal agreement with Patriot Bank, National Association, after an examination identified BSA/AML compliance deficiencies tied to third-party risks, including prepaid card programs. The bank was required to develop enhanced plans for strategic and capital planning, customer due diligence, suspicious activity monitoring, and oversight of third-party program managers.
CFPB (agency-wide action)
Stop-work order / Administrative action: In early 2025, CFPB Acting Director Vought issued a stop-work order on February 10, placed staff on administrative leave, and terminated probationary employees, effectively halting CFPB enforcement and supervision activities including those involving banks and fintechs.
Unknown Sponsor Bank
Guidance: The FDIC released documents related to its supervision of crypto-related activities at banks, signaling a reevaluation of earlier pauses on crypto and fintech partnerships. This reflects evolving supervisory approaches to fintech innovation.
PayPal, Inc.
Fine: NYDFS reached a $2 million settlement with PayPal over a December 2022 cybersecurity incident that exposed unmasked consumer data, including Social Security numbers, in Form 1099-Ks. Violations included skipped testing, inadequate personnel training, and optional multi-factor authentication.