Regulatory Tracker

Archive of enforcement actions, consent orders, and supervisory guidance impacting the BaaS and embedded finance ecosystem.

Bank of Lithuania

PayrNet (Railsr subsidiary)

Cease and Desist / Restrictions

The Bank of Lithuania imposed restrictions on PayrNet, a subsidiary of British BaaS provider Railsr, after finding gross and systematic AML violations. Grant Thornton Baltic was appointed to monitor mandatory AML improvements.

BaFin

Solaris

Cease and Desist

BaFin banned Solaris from entering new partnerships without regulatory approval and ordered AML-related upgrades. The BaaS provider was also required to observe transfer and cash payment limits for certain accounts.

CFPB

The CFPB proposed a rule in February 2023 to create a registry for supervised nonbanks that use restrictive form contracts, signaling heightened scrutiny of nonbank fintech practices. The rule targeted terms and conditions that seek to waive consumer rights.

NYDFS

Coinbase

Consent Order

The NY Department of Financial Services issued a consent order against Coinbase on January 4, 2023, for deficiencies in BSA/AML, KYC/CDD, transaction monitoring, and OFAC compliance. The order required remediation via an independent consultant and built on a prior MOU from February 2022.

CFPB

The CFPB fined ACI Worldwide $25 million in 2023 for processing $2.3 billion in unlawful payments tied to mortgage servicer Mr. Cooper, which caused overdraft fees for consumers. Banks remain liable for such third-party vendor failures.

FDIC

The FDIC published a rule on official sign and advertising requirements, false advertising, and misrepresentation of insured status in December 2022. The rule addresses how FDIC insurance status must be communicated, particularly relevant to fintech-bank deposit arrangements.

NYDFS

NYDFS established a prior approval requirement for virtual currency activities in 2022, requiring regulated entities to obtain approval before engaging in new or significantly different virtual currency-related business activities.

DFPI

In October 2022, the DFPI issued desist and refrain orders against 11 entities — nine crypto trading schemes, one DeFi platform, and one additional entity — for securities violations related to crypto activities.

DFPI

Nexo Group

Desist and Refrain Order

The California DFPI joined seven other states in a multi-state action against Nexo for offering its Earn Interest Product as unregistered securities via crypto deposit accounts. The desist and refrain order was issued on September 26, 2022.

OCC

Blue Ridge Bank

Formal Agreement

Blue Ridge Bancorp operated under a 2022 OCC formal agreement requiring improvements to BSA/AML compliance and third-party risk management. The order required OCC non-objection before onboarding new fintech partners or offering new products through existing third-party relationships.

OCC

The OCC outlined supervisory expectations for banks' use of artificial intelligence, relevant to BaaS platforms leveraging AI in lending and compliance. The guidance established standards for AI risk management in banking.

California DFPI

FinWise Bank

Cross-complaint (True Lender enforcement action)

The California DFPI filed a cross-complaint against OppFi in April 2022, alleging that OppFi—not its partner FinWise Bank—was the 'true lender' on high-interest loans, thereby violating California's 36% interest rate cap under AB 539. On February 24, 2026, a Los Angeles County Superior Court granted summary judgment in favor of OppFi, rejecting the DFPI's true lender theory.

FSB

The Financial Stability Board (FSB) issued observations in 2022 highlighting risks from Big Tech and fintech outsourcing to traditional banks, noting that complex structures complicate supervision of third-party fintech services.

CFPB

The CFPB announced on March 16, 2022, that it would leverage its UDAAP authority to prohibit discrimination in noncredit products such as deposits and payments. This guidance affects banks and their fintech partners offering these products.

DOJ

Unknown Sponsor Bank

Initiative/Investigation

The Department of Justice initiated redlining investigations using HMDA data, targeting banks and non-depository lenders—including potential fintech collaborators—for mortgage discrimination. The initiative bypasses prudential regulators in pursuing fair lending violations.

DFPI

FinWise Bank

Cease and Desist / Enforcement Threat

California's DFPI threatened enforcement against OppFi for loans originated via partner bank FinWise Bank, leading OppFi to sue in March 2022. DFPI counterclaimed in April 2022 under a 'true lender' theory challenging interest exportation.

OCC

SoFi Bank, National Association

Conditional Charter Approval

The OCC conditionally approved SoFi's national bank charter, subjecting the fintech-turned-bank to full federal supervision. The approval included restrictions on crypto activities to ensure safe deposit and lending practices.

FTC

GLBA Safeguards Rule amendments became effective in January 2022 with a compliance deadline of December 2022. The amendments expanded coverage to 'finders' in fintech and mandated qualified overseers for information security programs.

OCC

Blue Ridge Bank

Consent Order

The OCC issued a consent order against Blue Ridge Bank for unsafe practices in its BaaS program involving approximately 50 fintech partners. The order required improvements in third-party fintech oversight, AML/SAR compliance, and IT controls, and remained active into late 2023.

California DFPI

California DFPI issued a consent order against Wheels Financial Group (LoanMart), an auto title loan servicer, following a 'true lender' investigation into its partnership with a Utah state-chartered bank to potentially evade interest rate caps. LoanMart agreed not to market or service high-interest loans under $10,000 through state-chartered banks.

FinCEN

CommunityBank of Texas, N.A.

Civil Money Penalty

FinCEN assessed an $8 million civil money penalty against CommunityBank of Texas (CBOT) for willful AML program deficiencies spanning 2015–2019. The bank received a $1 million credit for a prior OCC penalty related to the same conduct.

California DFPI

Nano Banc

Cease and Desist

California DFPI issued a cease-and-desist order against Nano Banc, a fintech-chartered bank, for making unapproved management changes that violated a prior consent order. The action addresses governance and compliance failures.

FCA

The FCA imposed requirements on Viola Money (Europe) Limited, an authorised electronic money institution, to cease all regulated electronic money and payment services on 14 December 2021 due to serious concerns about its business operations and client dealings.
