Regulatory Tracker

The FCA fined Dinosaur Merchant Bank Limited £338,000 for market abuse and systems failures. The firm was categorized under electronic money and payment institutions.

The SEC and CFTC signed a landmark memorandum of understanding on regulatory harmonization in March 2026, potentially affecting bank-fintech partnerships involving digital assets.

The FDIC published a speech or update on reforms to its regulatory toolkit, potentially addressing BaaS and third-party risk management supervisory approaches.

The Central Bank of Nigeria released a Fintech Policy Insight Report on February 2, 2026, proposing collaborative regulation for fintechs. The report outlines a Standing Fintech Engagement Forum, a Compliance-as-a-Service platform, and an expanded regulatory sandbox.

In January 2026, the US Treasury heightened Bank Secrecy Act/AML scrutiny on banks for fraud detection, especially involving nonprofits and government funds. This indirectly raises compliance risks for fintech partners handling high-volume transactions.

The CFPB allocated $46 million related to the Synapse/Evolve situation, addressing harm to consumers affected by the Synapse Financial Technologies collapse. Evolve Bank & Trust was a key banking partner in the Synapse middleware ecosystem.

Ohio's banking regulator reversed course in October 2025, easing its licensing position for bank partnerships under the Small Loan Act. This represents evolving state-level regulatory guidance on BaaS partnership structures.

The OCC issued a formal agreement with First National Bank of Pasco for unsafe practices, including BSA/AML risk management, suspicious activity reporting, and due diligence deficiencies. While not explicitly tied to fintech partnerships, the areas cited are highly relevant to BaaS oversight.

The CFPB took enforcement action against Synapse Financial Technologies, a BaaS middleware provider. The citation references the CFPB's official enforcement actions page for Synapse.

The Bank of Lithuania revoked KogoPay UAB's electronic money institution (EMI) license in August 2025 due to capital shortfalls, delayed financial reporting, and insolvency. Bankruptcy proceedings were initiated after the firm admitted inability to meet its obligations.

The Bank of Lithuania issued guidance in 2025 preparing EMIs and PIs for the REGATA reporting transition (Q1 2026) and MiCAR crypto-asset reporting requirements, including new safeguarding reports due by June 30, 2026.

DFPI settled with a former mortgage lender/servicer for $1.8 million in penalties plus $550,316 in borrower refunds for overcharges, escrow failures, and violations of California lending laws.

The FDIC adopted more visible and prescriptive enforcement approaches against banks involved in bank-fintech partnerships in 2025, shifting from non-public supervisory actions to more public consequences.

The FCA published strengthened safeguarding rules (PS25/12) effective August 2025 for authorised EMIs, payment institutions, and small EMIs to protect client funds in the event of firm failure. Interim compliance measures take effect May 2026.

The FCA published Policy Statement PS25/12 on August 7, 2025, introducing strengthened safeguarding rules for authorized payment institutions and e-money institutions, effective May 7, 2026.

NYDFS settled with Paxos Trust Company, imposing a $26.5 million penalty for inadequate due diligence on a former partner and systemic AML program failures. Paxos agreed to invest $22 million in compliance improvements.

Hong Kong's HKMA stablecoin licensing framework took effect August 1, 2025, requiring fiat-referenced stablecoin issuers to obtain a license by October 31, 2025 or face a mandatory closing-down period starting November 1, 2025.

India's NPCI imposed new UPI compliance rules effective August 1, 2025, under which payment service providers face penalties, API restrictions, or suspension of new customer onboarding for non-compliance with peak-hour transaction requirements.

BCB Resolution 589 requires all PIX participants to implement self-service MED (fraud recovery) functionality in their apps by October 2025, with MED 2.0 planned for February 2026 enabling tracing and blocking across five account layers.

The OCC issued statements in June–July 2025 explicitly embracing bank-fintech partnerships while addressing risks such as crypto-asset safekeeping. No specific enforcement action was taken against a named bank, but the guidance signals supervisory expectations for sponsor banks.

OCC, FDIC, Federal Reserve, NCUA, and FinCEN issued an order allowing banks and credit unions to collect Taxpayer Identification Numbers (TINs/SSNs) from third-party sources such as credit reporting agencies instead of directly from customers during account opening. The order was initially issued June 27, 2025 and expanded July 31, 2025.

The CFPB rolled back UDAAP oversight in June 2025, reducing some fintech supervisory burdens. The change affects the regulatory landscape for bank-fintech partnerships but core compliance risks persist.

The DOJ updated its FCPA guidelines on June 9, 2025, prioritizing banks for anti-bribery controls in international transactions. The guidance has implications for BaaS and fintech firms engaged in cross-border banking.

OCC leadership in 2025 expressed support for bank-fintech partnerships while prioritizing risk management. The OCC continued scrutiny of fintech arrangements with emphasis on robust compliance frameworks.