Fintech 2025

Last Updated March 25, 2025

USA

Law and Practice

Authors



DLA Piper LLP has a fintech practice that has advised on some of the world’s most important fintech pioneering initiatives. The practice includes over 100 fintech attorneys who work closely with financial institutions, private equity and venture capital funds, asset managers, broker-dealers, trading platforms and exchanges, technology platform providers and start-up and emerging growth companies looking to develop or invest in new technology or innovative strategies. It also counsels established players on harnessing and leveraging technological innovation and digital transformation, and establishing efficient compliance with applicable laws and regulations. DLA Piper offers a truly “global” fintech practice, enabling its clients to navigate complex cross-border and interdisciplinary challenges. In 2025, the firm achieved top rankings across all FinTech Legal categories including Payments & Lending, and Blockchain & Cryptocurrencies.

The responses provided below are based on events and activities which occurred in 2024. US law and policy is currently under review by the Trump administration and material changes may be forthcoming. Contact DLA Piper for the most up-to-date information.

The range of products and services being offered by innovative fintech businesses continues to expand. Fintechs often partner with traditional banking institutions rather than independently competing – eg, for point-of-sale financing or payments, lending, real-time payments, trading, tokenising real world assets, and investing.

Perhaps one of the most anticipated changes in the US fintech market will be the shift in the regulatory clarity regarding technology, including in artificial intelligence (AI) and digital assets. The market reacted positively following the re-election of President Trump. On 20 January 2025, he issued an Executive Order (EO) to promote US leadership in the digital asset and artificial intelligence industry. Importantly, Trump directed the provision of “regulatory clarity” and “well-defined jurisdictional regulatory boundaries”. While disallowing central bank digital currencies, and revoking restrictions related to adverse accounting restrictions, the EO established a working group charged with submitting a report that proposes a federal regulatory framework for digital assets, including whether the US should have a national digital asset reserve.

Prior to the change in administration, bank partnerships were subject to increased scrutiny over the last 12 months from both federal and state regulators, in parallel with an increase in enforcement actions by multiple US regulatory agencies in 2024 that targeted fintech relationships. This is expected to change, given the objectives of the new administration.

Outside of the regulatory environment, exponential advances in AI, particularly large language models/generative AI, have led to similarly exponential industry enthusiasm towards adoption of the technology. While institutions are still learning about the nature of the available tools, financial service institutions are increasingly employing AI for customer service (such as chatbots), credit scoring, authentication, fraud detection, and personalised financial advice. Conversely, financial service institutions are coping with an onslaught of AI-enabled threats to existing systems, such as deepfakes or synthetic identities.

Industry-recognised fintech verticals that currently predominate in the US include the following.

  • Mobile payments – the use of mobile devices to engage in payment transactions as an alternative to using cash or plastic credit cards.
  • Online banking and lending – the offering of traditional banking services and lending services in a digital environment, which may be provided by the bank alone or in partnership with a fintech.
  • Banking as a service (BaaS) – this allows fintech, non-bank organisations to offer banking services to their customers by leveraging the infrastructure and capabilities of a licensed bank.
  • Embedded finance – the integration of financial services, including mobile payments, online banking, lending, and digital asset use into non-financial platforms.
  • Open banking – the ability of third-party financial services providers and data aggregators to use and access bank customer data via an application programming interface (API) or other means.
  • Decentralised finance (DeFi) – financial services and products using a blockchain for critical infrastructure, including decentralised exchanges (DEXs), borrowing/lending protocols, derivatives, staking, and stablecoins.
  • Fintech-driven investment platforms – hedge funds and asset managers leveraging digital platforms to onboard clients, manage trading (using platform algorithms), automate client communications, and provide reporting.
  • Earned wage access – this allows employees to access their earned wages before a traditional pay period, often through mobile apps or platforms that connect directly to employer payroll systems.
  • Tokenisation and digital assets – digital origination of assets such as cryptocurrency, securities, electronic chattel paper, transferable records, and carbon credits.

Federal Regulators

The US federal government actively regulates most financial products and services. A non-exhaustive list of federal regulators includes:

  • Consumer Financial Protection Bureau (CFPB) (virtually all financial products and services for consumers);
  • Federal Reserve Board of Governors (FRB);
  • Federal Deposit Insurance Corporation (FDIC);
  • US Department of the Treasury (Treasury), including:
    1. Financial Crimes Enforcement Network (FinCEN);
    2. Federal Financial Institutions Examination Council (FFIEC);
    3. Office of the Comptroller of the Currency (OCC);
    4. Office of Foreign Assets Control (OFAC); and
    5. Internal Revenue Service (IRS);
  • Securities and Exchange Commission (SEC); and
  • Commodity Futures Trading Commission (CFTC).

With respect to laws and regulations within the jurisdictions of the federal agencies noted above, a non-exhaustive list of statutes and regulations addressing financial products and services includes:

  • Electronic Fund Transfer Act (EFTA) and Regulation E;
  • Fair Credit Reporting Act (FCRA) and Regulation V;
  • Truth in Savings Act and Regulation DD;
  • Truth-in-Lending Act (TILA) and Regulation Z;
  • Bank Secrecy Act (BSA) and/or the USA PATRIOT Act;
  • Securities Act of 1933 and related regulations;
  • International Emergency Economic Powers Act (IEEPA);
  • Securities Exchange Act of 1934 and related regulations (Exchange Act);
  • Investment Company Act of 1940 and related regulations (ICA); and
  • the Commodity Exchange Act (CEA).

State-Level Regulation

Individual states and the District of Columbia can establish their own statutes and regulations that address licensing or chartering of banks, non-banks, brokers and dealers, and product regulation. These state rules are not the same in all jurisdictions, and sometimes conflict with each other. Relevant regulators may include state banking departments, consumer protection agencies, money transmitter regulators, and securities commissions.

States also adopted a commercial law framework known as the Uniform Commercial Code (UCC) that addresses electronic payments and lending, and the custody and transfer of letters of credit, “financial assets” in digital form, electronic chattel paper, and “controllable electronic records”.

Transferable records (ie, electronic negotiable promissory notes) are governed by the federal Electronic Signatures in Global and National Commerce Act (ESIGN) or the applicable state Uniform Electronic Transactions Act (UETA).

See 6. Marketplaces, Exchanges and Trading Platforms and 10. Blockchain.

Direct consumer compensation models for fintechs in the US include those based on subscriptions, transactions, payment processing, funds transfers, trading, management, or commissions. Direct fees may be required to be disclosed based upon the regulations applicable to the underlying transaction.

Certain fintech services are offered to consumers without fees. Consumer resistance to fees for certain services, such as peer-to-peer (P2P) payments, has been significant in the US. “Freemium” or tiered pricing models often include a basic level of service without direct cost and a premium level available for a fee.

Indirect fees include interchange fees, referral or lead-generation compensation, spread-based fees, advertising revenue, interest generation, payment for order flow, data monetisation, and contractual profit-split arrangements. Indirect fees may also require disclosure or be restricted in certain jurisdictions.

US regulation of fintechs is layered; regulators rely on established laws and regulations that were developed for traditional financial services models in conjunction with new, often licence-based, federal and state laws and regulations. Legacy players in financial services rely upon traditional exemptions from some state licence-based requirements, but are subject to well-established frameworks with requirements for capital reserves, liquidity, and risk management.

Regulation of fintechs differs significantly from that of legacy players. Fintech regulatory oversight can vary significantly by jurisdiction. Whether a fintech is subject to federal and/or state regulation, including licensure, will depend on the fintech’s activities – the flow and exchange of value and the nature of the specific product or service being offered. Regulators also focus on the location of the fintech, the location of the customer, and whether the customer is an individual or a business. Whether the product or service is delivered through an online or mobile channel or utilises innovative technology is also relevant.

Consumer protection and privacy laws for banks are well established. Fintechs have less clarity, with less centralised regulatory oversight.

No US regulator has established a true regulatory sandbox for fintech – instead opting for “innovation hubs” – dedicated points of contact for fintech firms to raise enquiries and seek non-binding regulatory guidance. For example, the SEC’s fintech hub is the “SEC Strategic Hub for Innovation and Financial Technology”, and the CFTC’s fintech hub is the “CFTC Office of Technology Innovation”.

Some states have provided a limited-term regulatory sandbox for fintechs in certain areas, such as money transmission.

All fintech verticals are subject to a patchwork of laws and regulations at both the state and federal level, and of varying degrees of overlap and clarity. Additionally, non-governmental entities may also issue rules that are quasi-regulatory.

Some of the many regulators and their jurisdiction include:

  • FDIC: insured depository institutions, including digital asset activities and partnerships with fintechs.
  • FinCEN: money transmission, money laundering, and the financing of terrorist activities; and regulates digital currency exchanges, including anti-money laundering (AML) and know-your-customer (KYC) compliance.
  • OCC: national banks, including digital asset activities and collaborations with fintechs.
  • OFAC: economic and trade sanctions.
  • IRS: tax matters.
  • SEC: activities in securities markets.
  • CFTC: commodities and derivatives.
  • State level: licensing laws and regulations for securities, lending, and money transmission.

See 6. Marketplaces, Exchanges and Trading Platforms and 10. Blockchain.

Regulators provide “no-action” letters when their staff will not recommend enforcement action against particular persons based on specific facts and circumstances presented in the request for a no-action letter.

Outsourcing by fintechs to a regulated entity can offer enhanced compliance. Regulated entities are already subject to stringent oversight and have established compliance programmes, which can reduce the risk of non-compliance in the outsourced functions. See 1.1 Evolution of the Fintech Market.

Similarly, regulated entities can outsource to fintechs and other third-party providers. Often regulation requires certain due diligence related to the use of third-party providers.

With respect to many regulators, the regulated entity remains responsible for compliance even if the entity outsources functions to fintechs.

Fintechs may become de facto gatekeepers when subject to US federal or state AML laws, required to detect and report suspicious activity to law enforcement. Unless a specific exemption applies, fintechs must develop risk-based compliance controls designed to prevent laundering money, financing terrorism, and/or evading sanctions.

Additionally, the SEC and state securities regulators have expanded their position that fintechs have gatekeeper responsibilities. The SEC has pursued audit firms, underwriters, broker-dealers, auditors, compliance officers, and attorneys who service and advise the industry.

See 2.10 Significant Enforcement Actions and 6. Marketplaces, Exchanges and Trading Platforms.

SEC

Although the SEC brought fewer cryptocurrency cases in 2024, it obtained over USD8.2 billion in remedies – with USD4 billion from its trial win against Terraform Labs. 

Significant SEC enforcement actions included: (1) charging a DAO with failure to register its offer and sale of tokens and with operating an unregistered investment company; and (2) alleging that a staking service constituted an unregistered offer and sale of securities, and that the service provider was operating as an unregistered broker.

However, there is a significant shift in enforcement sentiment in the US. In February 2025, the SEC began to seek dismissals of pending lawsuits alleging that cryptocurrency exchanges were unregistered securities exchanges.

CFTC

The CFTC also brought fewer new actions in 2024, but collected over USD17.1 billion in monetary relief – primarily attributed to its settlement with FTX and Alameda Research. Significant CFTC cases included: (1) settling charges involving the operation of an illegal digital asset derivatives exchange and wilfully evading or attempting to evade the CEA and CFTC regulations; and (2) bringing an action alleging that a decentralised exchange offered leveraged or margined retail commodity transactions in the form of “leveraged tokens” issued by an unaffiliated third party.

CFPB

In 2024, the CFPB finalised a rule that made “larger participants” (ie, non-bank companies providing digital wallets and payment apps and handling more than 5 million transactions per year) subject to CFPB supervision. It filed 28 enforcement actions against nonbanks in 2024. Targets included consumer reporting agencies, non-depository mortgage lenders, finance companies, and mobile payments applications.

AML and Sanctions

The Department of Justice (DOJ) and Treasury continued aggressive AML and sanctions enforcement against digital asset companies and their executives.

  • The founder of a cryptocurrency mixer was sentenced to more than 12 years in prison for conspiracy, money laundering, and operating an unlicensed money transmitting business.
  • A federal judge fined a centralised cryptocurrency exchange USD100 million for wilfully failing to establish, implement, and maintain an adequate AML/KYC programme.

However, the Fifth Circuit ruled that OFAC overstepped its authority by adding Tornado Cash, a cryptocurrency mixer, to its list of Specially Designated Nationals in 2022. The court concluded that immutable smart contracts used by Tornado Cash to anonymise cryptocurrency transactions do not qualify as “property” under the IEEPA.

2025

It is possible that the upcoming year will result in fewer new federal enforcement cases. Some courts have already shown a tendency toward decreasing enforcement support. Recently, the SEC was ordered by a federal appellate court to explain why it denied a rulemaking petition filed by a major exchange. As of March 2025, the SEC has withdrawn major actions against prominent digital asset companies.

While privacy, cybersecurity, social media, and software development regulations apply broadly across financial entities and services, legacy financial institutions and fintechs have different regulatory frameworks and enforcement risks. For example, banks are subject to direct supervisory oversight, whereas fintechs may be obligated through contractual arrangements with partners, vendors, or technology providers.

Where strict privacy rules apply to banks under the federal Gramm-Leach-Bliley Act, and strict data rules also apply, fintechs are subject to state privacy and data laws – a much less onerous framework. 2024 saw a significant uptick in enforcement and litigation matters related to privacy claims under various state Biometric Information Privacy Acts and under the California Invasion of Privacy Act. 

Fintechs are exposed to other marketing and consumer engagement regulations and policies due to their dependence on technology. Prohibitions against the use of “dark patterns” are one such example. “Dark patterns” are a set of practices using electronic interface design that may manipulate, mislead, or deceive a consumer into providing consent that they would not otherwise give, or otherwise steer consumers into decisions that they may not truly intend or understand.

Entities like self-regulatory organisations (SROs) and accounting firms or accountants may have responsibilities to review activities of industry participants. SROs are not regulators, but are overseen by federal regulators, such as the CFTC and the SEC. SROs can impose fines and suspend or revoke licenses. There is currently no SRO for digital assets. Accounting and auditing firms play an important role in ensuring compliance with financial reporting standards.   

Offering an unregulated product or service in conjunction with regulated products and services could put the offeror at risk of regulator scrutiny for both products. Companies may want to set up separate entities to streamline compliance of regulated products.

AML, countering the financing of terrorism (CFT), and sanctions rules impact fintechs in a meaningful and often resource-intensive way. Developing thoughtful, risk-based compliance programmes pre-launch and assessing the adequacy of such programmes are important steps to avoid facilitating criminal conduct and minimise the risk that a company will become the target of a regulatory or criminal investigation. FinCEN, OFAC, the State Department, the Commerce Department, and various components of the DOJ regulate and/or prosecute AML and sanctions or export control violations.

Additionally, banking and money transmission regulators at the state level have their own regulatory and licensing regimes which may be applicable to fintechs, including AML. In January 2025, Block, a money services business, was assessed an USD80 million penalty issued by the Conference of State Bank Supervisors for various BSA/AML compliance failures.

OFAC guidance provides that US sanctions compliance obligations apply equally to cryptocurrencies and fiat currency transactions. Cryptocurrency industry members are responsible for ensuring that they do not engage, directly or indirectly, in transactions prohibited by OFAC. Additionally, there is often liability for non-US persons who “facilitate” sanctions violations by US persons.

As it relates to fintechs, the AML/CFT and sanctions rules in the US generally follow the standards and guidelines set forth by the FATF. FATF “Recommendations” are not binding on its member nations, including the US. FATF Recommendations and the principles underlying the US regulatory regime share fundamental concepts, including that the US and FATF generally require certain entities to register or be licensed. 

FATF identified as an area of improvement the US’s delay in establishing a comprehensive beneficial ownership information reporting regime to combat the use of shell companies. To address these concerns, the US Congress passed the Corporate Transparency Act in 2021 and FinCEN promulgated reporting rules and information-sharing requirements effective 1 January 2024. Under the rules, non-exempt companies must report personal identifying information about their beneficial owners to FinCEN.

The FATF Travel Rule requires covered virtual asset service providers (VASPs) to convey information regarding the identity of the payment sender and recipient to other VASPs and financial institutions. The FATF Travel Rule has a reporting threshold of USD1,000 and requires the provision of detailed information about the originator and beneficiary of the transaction.

FinCEN adopted the US Funds Travel Rule which requires financial institutions, including money services businesses, to transmit basic information regarding the sender and recipient (not detailed information) with the transmittal of funds equal or greater than USD3,000.

Fintech compliance with the FATF and the US Travel Rules presents significant challenges, eg, the lack of standards across countries and differing implementation dates.

“Reverse solicitation” is an approach made by an existing or prospective customer to a financial services provider where the provider has not actively encouraged the customer to contact the provider.

The concept of reverse solicitation exists in the US, but it is not a codified legal principle. Depending upon the state, and at the federal level, reverse solicitation may be permissible where the provider can demonstrate that the relationship was genuinely customer-initiated.

Despite the benefits of reverse solicitation, foreign service providers may still face regulatory scrutiny and must be prepared to provide documentation to support their assertions that the relationship was customer-initiated.

Robo-advisers provide asset management services to their clients through online algorithmic-based programmes, and are typically investment advisers registered with the SEC, subject to SEC oversight, and must comply with the Advisers Act. Depending on the types of services they provide, robo-advisers also may be subject to other regulatory regimes.

Many major US banks, broker-dealers and investment advisory firms have implemented a robo-adviser platform. Within the US, the robo-adviser industry is anticipated to experience high growth due to digitalisation in the financial sector.

The Advisers Act establishes a federal fiduciary standard for all investment advisers, including robo-advisers. When a robo-adviser selects broker-dealers and executes customer transactions, the robo-adviser is obligated to seek “best execution” of customer transactions.

There are significant differences in US regulation of loans made to consumers and loans made to businesses.

Loans to individuals for consumer purposes (ie, family, household, or personal use) are highly regulated. At the US federal level, there are a variety of consumer protection laws (eg, TILA, ESIGN, FCRA, EFTA, and unfair, deceptive, abusive acts and practices (UDAAP)) with which online lenders originating consumer loans will likely need to comply, depending on the specific features of the product. More regulations are triggered under federal law if the consumer product being offered is secured by real estate (ie, residential mortgages). At the state level, lenders offering consumer loans must be licensed in almost all states.

Small business and commercial loans are often exempt from many federal laws and regulations, and state licensing, usury, and disclosure requirements, depending on the features of the product. Only nine states require lenders to provide specific disclosures to commercial loan recipients. Commercial lenders are subject to licensure in less than half the states, often only where the interest rate or principal amount deviates from specified thresholds.

Underwriting processes in the US vary by industry but generally assess credit risk, income, collateral, and the borrower’s ability to repay. Banks and traditional lenders follow regulatory guidelines set by agencies such as the OCC, FDIC, and CFPB, while private lenders and fintechs often use proprietary models with fewer regulatory constraints. Mortgage and small business loans adhere to strict federal rules, including the Dodd-Frank Act and Small Business Administration (SBA) requirements, whereas corporate and commercial lending relies on financial metrics and risk-based assessments.

Sources of funds for loans will vary depending on several factors, including the type of loan, economic environment, and creditworthiness of borrowers.

P2P lending allows individuals or businesses seeking financing to borrow money directly from another person without applying to a traditional financial institution. P2P loans are often issued to borrowers with lower credit profiles, resulting in a higher risk of default. P2P lending platforms are generally less regulated than traditional lending but may be subject to loan brokerage laws.

Lender-raised capital can be generated through debt financing or equity financing. Private equity and venture capital firms may provide funding for specialised loans, such as those for start-up businesses in exchange for equity in the borrower. Institutional investors may provide funds for debt-financed transactions. Banks and other deposit-taking institutions are the most common source of loan funds.

Syndication is a common practice in the US and allows lenders to participate in bigger financing opportunities by sharing loan risks with other lenders.

The syndicate agent (a lead financer) will coordinate the syndication process, including structuring the loan terms, finding lenders to participate, and performing due diligence. There is one loan agreement for the entire syndicate, with each lender’s liability limited to its respective share of the loan interest.

Loan syndications typically meet industry standards and best practices set forth by the Loan Syndications and Trading Association (LSTA). LSTA provides standardised documentation and guidelines for various aspects of loan syndications. Lenders participating in a syndication are also subject to federal or state laws that would otherwise be applicable, as described in 4.1 Differences in the Business or Regulation of Fiat Currency Loans Provided to Different Entities, as well as any other regulations that may be applicable to the type of lender and jurisdiction.

It is common practice in certain industries to syndicate electronically originated promissory notes, loans, and leases secured by collateral such as real estate or a vehicle. ESIGN and UETA, and UCC Articles 3 and 9, support and enable pooling, transfer, and syndication of such transferable records and electronic chattel paper.

In the US, firms involved in the processing of payments are generally separate legal entities from the payment networks that operate the “rails” through which payment information flows. Payment processors typically transmit or submit credit or debit card transactions for authorisation through the card payment networks and arrange for settlement to the bank accounts of the underlying merchant or payee that accepted the card for payment.

US laws and regulations do not prevent a payment processor from creating its own set of payment “rails” through which to transmit payment information. However, the high transaction volume needed to drive sufficient payor interest and achieve a critical mass of merchant or payee acceptance of the new payment network serves to limit the development of new payment networks.

Cross-border payments and remittances are subject to a US financial regulatory framework which addresses consumer protection, AML/CTF, and/or commercial efficiencies.

Federal consumer protection laws such as the EFTA and Regulation E, as well as state law equivalents, generally require a cross-border or remittance transfer provider to comply with certain obligations, such as providing clear and accurate disclosures prior to payment regarding the fees to be charged and the ultimate timing of delivery to the intended recipient. A remittance provider must also provide receipts with similar disclosures for consumer retention. Additionally, state laws require money services businesses to obtain a licence, meet certain net worth and bonding requirements, and retain permissible assets to support their activities.

Remittance transfer providers may be a subset of money services businesses required to adopt AML/CTF compliance programmes under the BSA which require the provider to conduct due diligence on their customers (KYC), engage in ongoing transaction monitoring for suspicious transmissions or money movement involving illegal activity, and meet transaction reporting requirements. See 2.15 Financial Action Task Force Standards.

State laws such as Article 4A of the UCC provide a legal framework for the efficient payment and transmission of money on a commercially reasonable basis. These laws set default rules governing the administration and role of various parties involved in the transfer of funds for business-to-business or commercial purposes (and do not involve transactions to/from consumer accounts).

Fintech marketplaces offer a wide array of financial offerings, such as:

  • loans and credit;
  • investments and wealth management;
  • insurance; and
  • payment solutions (eg, digital wallets and P2P platforms).

Fintech marketplaces aim to simplify access to financial products and services by aggregating offerings from multiple providers in one place. They can enhance transparency, competition, and choice in the financial industry.

All fintech marketplaces must ensure they comply with all laws and regulations applicable to the services and products offered.

See 10. Blockchain.

Engaging in the business of selling or exchanging cryptocurrency constitutes money transmission under US federal and state regulation. Money transmission regulations treat cryptocurrency similarly to fiat currency and often require that the exchange obtain a money transmission licence. Custodying customer funds may also trigger licensing. If the asset is deemed a security or a derivative on a security, federal securities laws would apply, requiring additional licensing.

Cryptocurrencies and tokens not considered to be securities may be considered commodities subject to CFTC regulation. Exchanges conducting only spot transactions do not have to register, but those trading derivatives on spot transactions must register with the CFTC and comply with CFTC regulations.

Decentralised exchanges would similarly be required to register based upon whether the asset on the platform is a security, a derivative on a security, a commodity or a derivative on a commodity. However, decentralised exchanges operate in a regulatory grey area because they lack central intermediaries.

See 2.10 Significant Enforcement Actions and 10. Blockchain.

There is currently no uniform US regulatory listing standard for digital assets offered on centralised or decentralised platforms. The platforms commonly have their own listing frameworks. Listing requirements for digital assets may include:

  • whether the asset is a security or commodity;
  • the extent of community adoption;
  • trading volume; and
  • indicia of code reliability or vulnerability.

Certain decentralised exchanges may provide guidance on how to list a token, but many remain effectively permissionless.

The CFTC regulates the listing of digital asset derivative products. Under CFTC guidance, trading platforms and clearing houses should:

  • partner and have information sharing agreements with spot market platforms that follow KYC/AML rules;
  • monitor price settlement data from spot markets and identify/investigate anomalies or disproportionate moves;
  • set large trader reporting thresholds at five Bitcoins or less;
  • regularly coordinate with CFTC staff and provide trade data; and
  • allow CFTC staff to review initial and maintenance margins for cryptocurrency futures.

The CEA provides a self-certification process for new digital asset commodities products to be listed on designated contract markets (DCMs) or through swap execution facilities (SEFs). In early 2024, the first CFTC-regulated exchange offered margin Bitcoin Cash and Litecoin futures contracts. 

In 2024, the SEC approved 21 ETPs that held Bitcoin and/or Ethereum. The relevant exchange (ie, NYSE, Nasdaq, or CBOE) must obtain SEC approval before listing such products, and the ETP issuer must file an SEC registration statement. Once approved and listed on a national exchange, ETPs must comply with the listing requirements of those exchanges.

For both retail and non-retail commodities transactions, CFTC order handling rules require futures commission merchants (FCMs), SEFs and DCMs to maintain fair and orderly markets – there is a prohibition on front-running. Order handling rules do not apply to spot exchanges trading digital assets.

See 10.8 Cryptocurrency Derivatives.

The regulation of P2P trading platforms in the US is dependent upon whether the digital asset being traded is a security, a commodity, or another digital financial asset subject to the UCC or other federal or state law.

The SEC has asserted that certain P2P platforms offer securities and are subject to US securities laws. The SEC has historically required and enforced registration by different P2P lending platforms. The extent to which decentralised P2P platforms or exchanges are subject to SEC regulation remains unsettled.

See 6.4 Listing Standards for discussion of CFTC and SEFs. The extent to which decentralised P2P platforms trading CFTC-regulated commodities are subject to CFTC regulation also remains unsettled.

See 10. Blockchain.

To the extent that US federal securities laws apply to a platform, payment for order flow typically implicates broker-dealer/customer relationships and is regulated by SEC and FINRA rules. Also, best execution obligations and anti-fraud provisions can be implicated if payment for order flow results in a broker-dealer directing a transaction to a platform for execution when better terms are available elsewhere.

SEC Regulation NMS has rules that require a broker-dealer to execute in a particular manner.

The SEC proposed Regulation Best Execution, which, if finalised, would apply to digital assets that qualify as securities and impact practices governing payment for order flow.

US securities regulations, at the federal and state level, establish key principles to promote market integrity and prevent market abuse. SROs such as FINRA have similar rules.

Some of the key principles include:

  • promoting laws and rules designed to ensure that market participants have equal access to markets and that pricing and trading practices are fair, transparent, and accurate;
  • requiring that all investors receive access to basic facts about an investment before buying it;
  • enforcing laws, regulations, and rules to detect, deter, and prevent wrongdoing of all types, including market manipulation, insider trading, and frontrunning; and
  • sanctioning and disciplining those who violate securities laws, regulations, and rules.

The core mission of the CFTC is preserving market integrity. The CFTC may pursue manipulation, attempted manipulation, fraud, and false reporting of any commodity in interstate commerce.

In the US, high-frequency trading (HFT) and algorithmic trading are regulated by the SEC for securities and the CFTC for commodities.

SEC Regulation NMS ensures best execution and prevents trade-throughs, and the Market Access Rule mandates pre-trade risk controls for algorithmic trading and post-trade surveillance. In 2024, the SEC adopted rules that require market participants that perform dealer functions to register as dealers, subjecting them to capital requirements and anti-manipulation and anti-fraud provisions. Also, HFT and algorithmic trading are often scrutinised in the context of potential market manipulation, including under the Exchange Act and Rule 10b-5.

The CFTC implemented anti-manipulation rules under the Dodd-Frank Act, such as banning spoofing and other disruptive trading practices. The CFTC also implemented a principle-based approach applicable to DCMs and generally imposed risk controls regarding trading.

Market makers in the US are typically acting as dealers. A dealer is defined as any person engaged in the business of effecting transactions in securities from its own inventory, not acting as an intermediary between sellers and buyers. Dealers present themselves as willing to buy or sell a security at a quoted price on a continuous basis. The Exchange Act requires, with limited exemptions, dealers to register with the SEC as a broker-dealer. Dealers are also subject to regulatory oversight by FINRA. See 7.3 Regulatory Distinction Between Funds and Dealers.

Digital asset market makers either offer continuous quotes of bids and offers on centralised cryptocurrency exchanges or contribute to liquidity pools on decentralised cryptocurrency exchanges that fund the trading of token pairs effected by smart contract-powered algorithms called automated market makers (AMMs). Crypto-asset market making is generally unregulated given that neither centralised crypto-exchanges nor AMMs are registered with the SEC. The SEC has asserted, in enforcement actions, that crypto market makers are required to register as dealers.

In the US, a fund may qualify as an investment company and be subject to the registration requirements of the ICA, unless subject to an exemption. An adviser to a fund likely must register with the SEC pursuant to the Advisers Act or with a state securities regulator. An adviser manages portfolios or pooled investments from third parties. Advisers are generally paid by collecting a management fee and/or incentive fees based upon the performance of the portfolio. Advisers are subject to fiduciary, custody, and disclosure obligations.

A “dealer” is any person engaged in the business of buying and selling securities for the person’s own account, through a broker or otherwise. Dealers, like brokers, must register pursuant to the Exchange Act, absent limited exemptions. Dealers generally make money by collecting transaction-based fees or through the bid-ask spread. They do not collect management or incentive fees, like funds.

In February 2024, the SEC adopted rules that significantly broaden the definition of a “dealer” to include crypto-asset market makers, those providing liquidity to AMMs, and potentially even developers of AMMs. Those rules were struck down by a court in November 2024, and their status remains uncertain.

There is not an SEC regulation that expressly applies to programmers, but all persons are subject to the anti-market manipulation and fraud provisions of the US federal securities laws. Further, the definition of a broker is broadly construed and could include persons who provide services to registered brokers, thereby requiring a programmer to register as a broker. The definitions of an investment adviser and dealer are similarly broadly construed, such that providing services in the context of investment advice (which might implicate adviser registration requirements) or proprietary trading (which might implicate dealer registration requirements) should be evaluated on a case-by-case basis. To the extent that a person must register as a broker, dealer, and/or investment adviser, such registration comes with additional regulatory requirements and oversight.

At the open SEC meeting during which the new dealer rules were adopted (see 7.3 Regulatory Distinction Between Funds and Dealers), when questioned directly about the potential for enforcement against AMMs, SEC staff left open the possibility that software developers behind the development of AMMs may be subject to the new rules.

Insurtechs have led the industry in the use of technology to streamline and improve the speed, efficiency, and accuracy of the underwriting process, and to provide greater accessibility to insurance.

The use of these technologies in underwriting triggers regulatory considerations related to data privacy and use, data security, and the responsible use of advanced computational methods, including AI. The National Association of Insurance Commissioners (NAIC) adopted a model bulletin on the Use of Artificial Intelligence Systems by Insurers that sets forth the regulatory expectation that insurers will adopt a written governance and risk management programme designed to identify and minimise regulatory risks with respect to the use of AI and other technologies. 

Similarly, the fundamental notion that insurance can only be solicited and sold through a licensed insurance producer has not changed. But the question of what constitutes a sale or solicitation in connection with an embedded insurance transaction on a digital platform and how revenue can be lawfully shared is a regulatory consideration in negotiations and agreements between the platform and the insurer or underwriter. 

Different types of insurance are treated differently in essentially every aspect of their respective businesses across the entire insurance business spectrum, including different standards related to marketing, sales, underwriting, pricing, financial requirements, reserving, reinsurance, claims handling, etc. With respect to each of these functional areas, technology-driven methodologies may trigger different treatment by regulators by line of business. For example, with respect to life insurance, the use of non-traditional risk factors or AI in automated underwriting may result in the imposition of advanced notice obligations in the event of an adverse underwriting decision and the NAIC has adopted guidance regarding regulatory oversight specific to automated life insurance underwriting that does not apply to other lines of insurance. 

Regtech providers are not regulated directly if the business solely develops and aids with the implementation of software solutions, data analytics and automation tools to enhance regulatory compliance processes and reporting requirements (as opposed to providing regulated products and services directly to customers). Instead, most regtech providers are governed by contractual obligations which may include requirements to ensure compliance with financial law and regulation.

See 2.8 Outsourcing of Regulated Functions.

See 9.1 Regulation of Regtech Providers.

Traditional financial services industry players are testing blockchain technology to address enhanced transaction efficiencies, security, and transaction record integrity and auditability. Most tend towards centralised, permissioned platforms – not decentralised platforms.

Traditional players are also exploring blockchain to streamline financial processes, including payments, settlements, real estate recording, vehicle titling, and other record-keeping, including for loan transactions, insurance claims, and trade settlements. Additionally, several financial institutions are using blockchain to enable the purchase and sale of digital carbon credits and deploying digital asset control systems that enjoy the benefits of the legal framework of UCC Article 8. 

Blockchain activities may be regulated by multiple, independent regulators, state and federal, with overlapping jurisdiction. Regulators have diverged in enthusiasm for blockchain.

The SEC has previously asserted that almost all cryptocurrencies constitute securities. Influenced by the new administration, the SEC is now dismissing several large enforcement actions and closing ongoing investigations.

The CFTC and financial regulators have proven more willing to work with certain players, such as spot and futures exchanges, to allow activities subject to regulation. See 6. Marketplaces, Exchanges and Trading Platforms.

State regulators vary in support for blockchain. Multiple state legislatures have adopted amendments to UETA to include blockchain and other DLTs within scope. Other states have restricted blockchain activities in the state or imposed strict registration requirements. State banking regulators require licensing of money transmission, payments, and trading activities. State securities and commodities regulators have been less active.

Greater regulatory clarity and coordination may come in the future. See 1.1 Evolution of the Fintech Market.

As described above, regulators have yet to agree on a scheme to assess the open questions of: (1) when cryptocurrency constitutes a security, a commodity, a currency, or something else; and (2) when certain activities, such as borrowing, lending, or trading, particularly when executed via a decentralised protocol, fall within regulatory jurisdiction.

See 2.6 Jurisdiction of Regulators.

In the US, the sale or distribution of cryptocurrency is a regulated activity and is generally considered money transmission, requiring registration with federal and state regulators where required – generally where there are sales to US persons or persons located in the US, even if the seller or distributor is located abroad.

To the extent that the assets constitute securities, initial sellers or distributors must either register the sale with the SEC or conduct the sale pursuant to an exemption to the registration requirement.

The SEC had sued several major cryptocurrency trading platforms for securities law violations arising from alleged failure to register as exchanges, brokers, and clearing agencies. The SEC has now dismissed, or is seeking to dismiss, these cases.

Some cryptocurrency trading platforms have registered as alternative trading systems (ATS) under US securities laws. An ATS must comply with complex SEC regulations and register as a broker-dealer. Thus far, the activity of these ATSs appears limited in scope and size, and the vast majority of crypto-asset trading occurs on centralised and decentralised trading platforms not registered with the SEC.

See 6. Marketplaces, Exchanges and Trading Platforms and 12.11 Virtual Currencies.

In several enforcement actions, the SEC asserted that staking-as-a-service constitutes a securities offering subject to federal securities laws, requiring registration of the offer and sale of securities related to staking activities, as well as registration as a broker. This approach may change with the new administration.

The SEC brought several enforcement cases asserting that crypto lending products are securities. The agency has not, however, issued specific rules addressing crypto lending products.

In early 2023, several agencies issued a Joint Statement on Crypto-Asset Risks to Banking Organizations and a Joint Statement on Liquidity Risks to Banking Organizations Resulting from Crypto-Asset Market Vulnerabilities. In the Statement, regulators instructed supervised financial institutions to provide prior notice and demonstrate appropriate risk management before engaging in cryptocurrency activities. The agencies also cautioned banks about the risk in accepting deposits from certain crypto-asset-related entities. Since issuing the Statement, regulators have been slow to approve or respond.

Consequently, supervised financial institutions de-risked, or otherwise limited exposure to, cryptocurrency-related companies. The new crypto-friendly Trump Administration may shift this approach. See 1.1 Evolution of the Fintech Market.

The CFTC regulates activities such as sales, trading, and advice in markets for derivatives. No CFTC registration is required for over-the-counter derivative products, provided the parties are eligible contract participants.

Retail investors trading in crypto derivative products may use retail derivatives exchanges registered with the CFTC. Derivatives on securities would be regulated by the SEC.

It remains unclear what regulations govern various activities and products in DeFi. Considerations include how and whether decentralised activities can be regulated, what level of control or influence a centralised figure has, and the nature of the underlying asset (eg, collectibles, securities, etc).

Regulators and courts have expressed a variety of views on these issues.

Treasury published Illicit Finance Risk Assessment of Decentralized Finance in 2023, which acknowledged that there is “currently no generally accepted definition of DeFi, even among industry participants, or what products make a product, service, arrangement or activity decentralized”. Treasury asserted that whether an entity is subject to regulation depends on specific facts and circumstances, and degrees of decentralisation may not be dispositive. The appellate court decision overturning OFAC’s designation of Tornado Cash illustrates the uncertainty around when DeFi activities fall subject to regulations.

Potentially relevant to DeFi exchanges is 2019 FinCEN guidance that an exchange is not a money transmitter where it operates P2P and the parties both maintain control over the assets and interact directly with the payment system.

See 2.10 Significant Enforcement Actions and 6.3 Impact of the Emergence of Cryptocurrency Exchanges.

In the US, funds are regulated based on the assets held. If a fund primarily invests in securities, it is regulated by the SEC; if it primarily invests in commodities or derivatives, it is regulated by the CFTC. If a fund invests in securities and commodities, the fund may be regulated by both regulators.

The SEC and CFTC regulations require registration of funds and their advisers. There are exemptions to registration requirements for funds and advisers that meet certain criteria.

Advisers that manage a fund holding digital assets must consider several issues, including:

  • disclosure requirements addressing digital asset risk factors;
  • fair valuation of assets;
  • custody;
  • treatment of assets in bankruptcy;
  • policies on whether the assets are securities or commodities;
  • investment thesis documentation addressing why assets fit the portfolio management criteria;
  • tax considerations; and
  • SEC-compliant marketing materials.

The term “virtual currency” is used by money and banking regulators to describe a money-like representation of value. Certain activities concerning cryptocurrencies (ie, virtual currencies), most notably transmission and trading, are subject to regulation by federal and state money and banking regulators.

See 6. Marketplaces, Exchanges and Trading Platforms.

Treasury

NFTs (in particular collectibles) have not, per se, been widely treated as cryptocurrency. NFT trading platforms have operated without money transmitter licences and with less scrutiny from financial regulators compared to cryptocurrency exchanges. In contrast, it is well accepted that at least centralised NFT trading platforms must comply with sanctions rules.

Treasury released in 2024 a risk assessment of NFTs finding the risk of money laundering or terrorist financing low, but acknowledging that:

  • existing AML regulations may not adequately capture all types of NFT and NFT platform activity;
  • NFT platforms may have BSA and AML obligations, depending on the nature of the underlying activity and whether the NFTs are considered currency or a currency substitute;
  • all NFT platforms conducting transactions involving US persons are required to comply with sanctions regulations.

SEC

The SEC has brought enforcement actions alleging that certain NFT collectibles constituted securities. In 2024, the SEC commenced an enforcement action against OpenSea for the unregistered sale of securities, which was dropped in 2025. It remains unclear how much the SEC will continue these efforts or how the courts would respond if challenged.

Separately, buyers of NFTs have brought private civil actions asserting claims under federal securities laws.

Open banking allows third-party developers to access financial data in traditional banking systems through APIs mandating standardised data formats and secure communication protocols. The APIs facilitate the secure exchange of financial information between banks and authorised fintechs – effectively decentralising financial services.

In late 2024, CFPB finalised its “Personal Financial Data Rights” rule, also known as the “Open Banking” rule, to curtail screen scraping. The rule enables consumers to access and share their personal financial data with third-party providers securely and without charge. The rule will require covered entities – eg, financial institutions, credit card issuers, and digital wallet providers – to provide consumers and authorised third parties with access to specified consumer financial data upon request. It also establishes privacy and security protections, limiting third parties’ use of the data they receive to the purposes expressly authorised by the consumer.

Compliance with the rule is required by 1 April 2026 for the largest institutions, with later compliance dates for smaller institutions.

As part of permitting access to the accounts and data of banking customers, financial institutions, fintechs, and third-party data aggregation platforms providing open banking services enter into contracts to address the risks and responsibilities associated with data security and privacy. Covered issues include:

  • technical processes and requirements to access accounts, data and services;
  • scope of access;
  • authenticating account holders;
  • elimination or restriction of “screen scraping” by data aggregators;
  • data transmission, accuracy and protection;
  • distribution of risk for loss and damages;
  • “pass-through” terms for account holders and third parties;
  • delivering notices and disclosures to account holders;
  • record retention requirements; and
  • security reviews and audits.

Generally, claimants may demonstrate fraud if they establish:

  • a material false statement;
  • knowledge that the statement was false when it was made;
  • reliance on the false statement by the victim; and
  • damages resulting from the victim’s reliance on the false statement.

In certain circumstances, an omission of a material fact may also support a fraud claim.

Examples of fraud include false advertising with misleading claims about a product’s benefits, returns, or risks, misleading terms and conditions when taking out a loan, and identity theft.

Regulators have historically focused on digital asset fraud schemes such as Ponzi schemes, romance scams, and SIM card hacking. However, recent regulatory focus involves identification and authentication fraud. In 2024, the DOJ reported extensive attention to financial frauds, including bribery, market manipulation, consumer and investment fraud, and cryptocurrency and NFT-related fraud. Stolen card data has surged with data posted on dark and clear web platforms. Additionally, scam e-commerce and dark web card validation activities have increased. Fraudsters are increasingly exploiting modern payment technologies and social engineering to bypass anti-fraud measures, and check fraud persists in the US.

Fintech service providers may be held liable for customer losses. For example, if a provider fails to deliver services as agreed or does not meet the performance standards in their contract, it may be responsible for financial losses and other contractual damages.

Additionally, failure to comply with obligations under applicable financial regulations, such as data protection laws, can result in compensation for damages such as identity theft due to data breaches. Engaging in deceptive practices, such as false advertising or UDAAP, can lead to refunds and compensation for financial losses.

Further, fintech providers may be held accountable under federal or state law and by contract for losses resulting from fraud and security breaches. If their platforms are compromised, leading to unauthorised transactions or account takeovers, they may need to reimburse customers for losses and costs like legal fees, particularly if they employed inadequate security measures.

Finally, fintechs may be liable for negligence if they fail to exercise due care in providing services and their failure results in customer losses.

DLA Piper

One Atlantic Center
1201 West Peachtree Street, Suite 2900
Atlanta, GA 30309-3449
USA

+1 404 784 6021

trina.bazarte@us.dlapiper.com www.dlapiper.com

Trends and Developments


Authors



Schulte Roth & Zabel LLP leads the fintech space, offering unmatched expertise that extends across various facets of the legal landscape, including investment fund work, payments and lending, regulatory and compliance. It advises top fintech companies and innovative startups, making it the go-to firm for financial and strategic buyers in the payments sector. The team’s experience in licensing, compliance, and regulatory enforcement, particularly in AML and OFAC matters, is unmatched in the industry. In cryptocurrency, Schulte works with retail and wholesale providers of cryptocurrency products and services, including merchant payment processing, digital wallets, cryptocurrency exchangers, market-makers and liquidity providers, on state money transmitter and federal money services business licensing and registration matters. Schulte is a trusted advisor to start-up unicorns, guiding them through setting up payment operations and securing necessary licences. With a deep-rooted understanding of the industry, the firm provides strategic counsel that helps clients innovate, expand, and comply with evolving regulatory frameworks.

In the United States, the fintech sector continues to integrate innovative technology with traditional financial services, reshaping how consumers and businesses access, manage, and move money. Building on its position as a leader in technology innovation, the country is seeing fintech companies introduce increasingly sophisticated products, including embedded finance solutions, AI-powered fraud detection systems, and blockchain-based payment platforms.

Key financial products driving momentum in the fintech space include digital wallets, buy-now-pay-later (BNPL) solutions, earned wage access (EWA) products, and digital asset payment services. These innovations are not only transforming the customer experience but also attracting the attention of regulators at federal and state levels.

As 2025 unfolds, the Trump administration’s deregulatory stance introduces potential shifts in federal regulatory priorities. While these efforts aim to reduce compliance burdens and foster innovation, they may create gaps in federal oversight, prompting state regulators to play a more prominent role. For fintech companies, this dynamic presents both opportunities and challenges, as they navigate the complexities of a multi-layered and sometimes fragmented regulatory framework while continuing to innovate.

Uncertainty Looms Over CFPB and Its Prior Fintech Initiatives

The Consumer Financial Protection Bureau (CFPB) was notably active throughout 2024 and early 2025 under the Biden administration. Areas of focus for the prior administration included consumer data and privacy protections, supervising larger technology companies (coined “Big Tech”) that play a role in the payments ecosystem, and junk fees. However, with the new administration and its expected deregulatory stance, coupled with the Republicans’ overall interest in reining in the authority of the CFPB (or even eliminating the agency altogether), it is unclear which areas the CFPB will focus on going forward, if any. Since taking office in February 2025, the CFPB’s acting director has ordered a sweeping halt to the agency’s activities, suspending rulemaking, enforcement actions and stakeholder engagement, while also cancelling the CFPB’s next funding request from the Federal Reserve, effectively freezing most of its operations.

The abrupt halt to CFPB work leaves many of the agency’s actions impacting the fintech sector in question, including the following recent actions.

  • “Open Banking Rule” – this rule, which was finalised in 2024, requires certain depository and non-depository entities, referred to as data providers, to make certain data relating to consumers’ transactions and accounts available to consumers and authorised third parties. It is intended to promote competition by giving consumers control over their financial data. While other countries have already adopted formal open banking regulations, open banking in the US has been fourteen years in the making and has developed through private sector initiatives over this time. While the Open Banking Rule is generally supported by the fintech industry as facilitating competition in the marketplace, it is being challenged in federal court by the banking industry.
  • Consumer data and privacy protections – through a number of actions, the CFPB expressed its concern with the misuse, sharing, and protection of sensitive consumer financial data. It issued a report in December 2024 highlighting a gap in privacy protections afforded to consumers at the state level as new state privacy laws carve out financial institutions or financial data already subject to the Fair Credit Reporting Act (FCRA) or Gramm-Leach-Bliley Act (GLBA). Following this report, the CFPB targeted both the FCRA and GLBA. In December 2024, the CFPB issued a proposed rule under the FCRA to ensure that its protections apply to all data brokers that transmit consumers’ sensitive personal and financial information. In January 2025, the CFPB issued a request for information regarding the collection, use, sharing, and protection of consumer financial data, such as data obtained from processing payments, to help gather proposals for amending GLBA’s implementing regulation.
  • A focus on Big Tech and payments accounts – during Director Chopra’s tenure, the CFPB increased its focus on Big Tech in the payments space, targeting companies like Google, Apple, and PayPal. Rather than rely solely upon the CFPB’s authority to supervise entities that pose risks to consumers, the CFPB issued a final rule establishing general supervisory authority over non-banks providing funds transfer or payment wallet functionalities through digital applications where such providers facilitate an annual covered transaction volume of at least 50 million transactions. However, on 5 March 2025, the Senate passed a joint resolution disapproving this rule, which suggests it may not survive. Aligned with its focus on the payments space, the CFPB also issued a proposed interpretive rule in January 2025 designed to apply consumer protections generally applicable to traditional checking accounts and prepaid accounts to certain video game accounts, virtual currency wallets, and credit card rewards points accounts.

With the CFPB’s enforcement activity coming to a halt, state attorneys general and banking regulators are expected to take a more active role in consumer protection. In a January 2025 report issued just prior to Director Chopra’s departure, the CFPB encouraged states to strengthen their consumer protection laws by banning “abusive” practices, expanding enforcement authority, and ensuring private rights of action, while also highlighting junk fees and consumer privacy as key areas for increased oversight. As federal enforcement activity slows, fintech companies should anticipate some state regulators taking up the CFPB’s mantle. 

Evolving Regulatory Landscape for BNPL, EWA, and Merchant Cash Advances

The rapid growth of financial products such as BNPL, EWA, and merchant cash advances (MCAs) continues to redefine the fintech space, but regulators are increasingly stepping in to address concerns about consumer protection, transparency, and compliance. BNPL services, offering consumers the ability to split purchases into instalment payments, have faced mounting criticism over insufficient disclosures and their potential to encourage over-indebtedness. Late fees, interest accruals, and a lack of clear repayment terms prompted calls to extend consumer protections for credit card users to users of BNPL products, and the CFPB took action in 2024 to do so. With a mounting sentiment to shutter the CFPB under Trump 2.0, the CFPB’s steps to provide greater consumer protections for BNPL products are at risk of elimination.

In 2024, the Federal Trade Commission (FTC) also targeted misleading advertising and unfair business practices involving short-term lending products. FloatMe settled with the FTC for USD3 million following allegations that it misled consumers with promises of “free money” while engaging in discriminatory cash advance practices. And, more recently, the FTC charged Dave, a fintech focused on short-term cash advances, for allegedly deceiving consumers about cash advance amounts, charging undisclosed fees, and imposing hidden “tips”. With many expecting a pro-business FTC under Trump 2.0, the enforcement focus on cash advance providers may wane.

EWA products, which allow employees early access to wages, face a similarly complex regulatory landscape. While some states treat EWA offerings as payroll advances, others classify them as credit products subject to lending laws. This state-level divergence has created compliance challenges for EWA providers, particularly as legislative activity around EWA continues to grow. Several states have already enacted laws imposing disclosure and licensing requirements on EWA providers, with Connecticut taking a stricter approach by classifying EWA as small-dollar credit and enforcing a usury cap, which has prompted some providers to exit the state. Meanwhile, several other states, including New York, have pending legislation that could further shape the regulatory landscape. New York’s latest bill, for instance, proposes a cost cap to be determined by the state regulator but notably exempts EWA from the state’s general usury limits. This highlights the ongoing divide between states that impose traditional lending restrictions on EWA and those that carve it out from usury laws, reflecting broader policy debates over whether EWA should be regulated as credit or an employer-based benefit. At the federal level, regulatory uncertainty increased earlier this year when the CFPB rescinded its 2020 advisory opinion that clarified certain EWA programmes would not be considered credit. Whether such rescission will have any meaningful impact on EWA programmes at the federal level under the Trump administration remains unclear.

MCAs, meanwhile, are seeing increased scrutiny as regulators and courts question their classification as purchases of future receivables rather than loans. This distinction has historically allowed MCA providers to operate outside of a licensing and regulatory framework, though new state-level disclosure requirements for commercial financing aim to improve transparency for small businesses. Further, the recent USD1.065 billion settlement (which included USD534 million in debt relief for small businesses) by Yellowstone Capital with the New York State Attorney General (NYAG) highlights the growing enforcement priority in this space. In that case, the NYAG alleged that Yellowstone Capital was engaged in predatory practices, including misleading terms and excessive charges disguised as fees. Yellowstone Capital also entered into a similar settlement in New Jersey two years prior, albeit for a much smaller amount. These actions demonstrate a shift toward stricter oversight of MCA practices at the state level, underscoring the need for providers to prioritise transparency and fair dealing.

Countermeasures Against Fraud, AML, and Sanctions Risk

The growing sophistication of financial fraud, money laundering and terrorist financing has driven both regulatory agencies and fintech companies to enhance risk mitigation strategies. Leveraging technology solutions will continue to be necessary in 2025 and beyond for fintech companies to meet the transaction-monitoring challenges presented by rising transaction volume and speed, the proliferation of intermediated account relationships, and the increased sophistication of threat actors. Accordingly, we expect to see the continued adoption of advanced technologies, including AI-powered tools, to enhance companies’ anti-money laundering (AML) compliance programmes and bolster efforts to combat identity theft, account takeovers, and unauthorised transactions. Blockchain analytics-based solutions are also gaining traction for AML and sanctions compliance involving digital asset transactions. Meanwhile, collaboration between banks and fintechs has become essential in addressing fraud, AML and sanctions risks.

To ensure compliance with existing and evolving AML regulations and guidance, companies will need to complement their embrace of technological solutions with robust model validation and testing. These controls should be aimed at confirming the technologies are operating appropriately broadly, ie, not suppressing transaction-monitoring alerts that warrant investigation, and appropriately narrowly, ie, winnowing out the “noise” so reviewers can focus on relevant alerts. Companies should also be prepared to describe the parameters of their validation and testing operations to examiners to satisfy regulatory scrutiny.

Additionally, sanctions compliance will remain an area of focus for both fintech companies and regulators. Governments are increasingly deploying sanctions as a geopolitical tool and, in addition to list-based sanctions, imposing industry-, sector-, and investment-based prohibitions. As a result, sanctions compliance is getting more complex, highlighting the importance of having knowledgeable staff and robust compliance resources, including automated controls, to protect against inadvertent breaches.

State Money Transmission Licensing Trends

Following a strong 2024 legislative year, the state banking regulators and state legislatures have made significant progress in adopting the Money Transmission Modernization Act (MTMA), which aims to streamline the application and supervision process for money transmitters, promoting a standardised regulatory environment across states. This harmonisation supports growth and innovation in fintech including, for example, by facilitating capital fundraising efforts, providing clarity and uniformity as to exempt activities, and streamlining the de novo licence application process and compliance obligations post-licensure.

Over the past year or so, ten states have amended their laws to closely model the MTMA. These states are Illinois, Kansas, Maine, Massachusetts, Missouri, New Hampshire, South Carolina, South Dakota, Vermont, and Wisconsin. As of January 2025, approximately half of the states have amended their laws to adopt some or all of the MTMA, and some trends and outliers have emerged. For example, almost all of these states have adopted the MTMA’s tangible net worth requirements and list of licensing exemptions, including the agent-of-the-payee exemption commonly relied upon by merchant payment processors. Notably, however, the application of state money transmission licensing requirements to payroll processors remains in flux as there is wide divergence among the states that have adopted the MTMA on whether to expressly include or exempt such activity.

Following the presidential election, there also appears to be a nascent trend among some state legislators to add a remittance tax on money transfers and require money transmitters to verify the immigration status of customers sending cross-border money transfers. For example, a Florida bill would expressly prohibit an unauthorised alien from sending a cross-border transfer. And, in late 2024, the US Virgin Islands already adopted a law imposing a 3% fee on remittances to foreign countries. While such proposals have grown from political sentiment to combat illegal immigrants, the industry is concerned about its ability to comply with identification requirements relating to a customer’s immigration status and the impact such legislation could have on potentially steering remittance transfers underground.

Regulatory Risks and Opportunities in the Digital Assets Industry

At the federal level, the evolving regulatory landscape for digital assets is marked by a shift toward rulemaking rather than enforcement-driven oversight and the following actions suggest a more industry-friendly stance under Trump 2.0. The newly established Crypto Task Force by the Securities and Exchange Commission (SEC) aims to develop a clearer regulatory framework for digital assets, focusing on registration, disclosure requirements, and interagency coordination. The SEC’s repeal of Staff Accounting Bulletin No 121 and the Office of the Comptroller of the Currency’s (OCC) Interpretive Letter 1183 also removes major barriers for banks offering crypto custody or crypto-related services, potentially expanding institutional participation. The FDIC also signalled a desire to provide an avenue for depository institutions to engage in crypto-related activities while complying with safety and soundness principles and is actively reviewing and releasing prior communications, including “pause” letters sent to institutions, under the prior administration. Further, Trump’s executive order on digital assets promotes dollar-backed stablecoins, prohibits a central bank digital currency, and establishes a working group to evaluate regulatory gaps. Last, the Senate Banking Committee has passed stablecoin legislation that would establish a comprehensive regulatory framework for the issuance and regulation of payment stablecoins in the US, which the administration believes is likely to become law.

State-level digital asset regulation remains highly fragmented. While more than half of the states have adopted some version of the MTMA, its application to digital assets varies significantly. Some states, like Texas and Vermont, have implemented additional requirements for stablecoin issuers and digital asset custodians. Others, such as California and New York, have opted for standalone licensing frameworks—California’s Digital Financial Assets Law, set to roll out in 2026, will impose licensing, disclosure, and capital requirements, while New York’s BitLicense remains one of the most stringent regulatory regimes in the country.

As regulators refine their approach to digital assets, fintechs operating in this space must closely monitor evolving policies and enforcement trends. While federal actions suggest a move toward clearer oversight, state-level inconsistencies and ongoing enforcement uncertainties require adaptable compliance strategies.

Exploring Different Financial Institution Charters to Meet Fintech Needs

The concept of a federal payments charter has gained renewed attention as policymakers grapple with the challenges of regulating fintech companies operating across multiple states. Originally introduced during the first Trump administration, the idea aimed to provide a unified framework for non-bank payment entities, streamlining compliance and reducing the need for multi-state licensing. While the OCC has hinted at revisiting the federal payments charter, no official steps have been taken to reopen applications. Proponents argue that such a charter could fill regulatory gaps in payments oversight, but critics, including state regulators, contend that it could encroach on state authority and create inconsistencies in consumer protection standards.

At the state level, novel charter structures have emerged as alternatives for fintech companies seeking banking-like privileges without full-service bank regulation. One example is Connecticut’s innovation bank charter, which is touted as “ideal for entities performing financial-related activities such as wholesale banking and merchant banking”. An innovation bank can engage in deposit-taking activities, but cannot accept retail deposits from individuals who are not accredited investors, and is not required to obtain FDIC insurance. Notably, Numisma Bank received this charter last year, and became the first Connecticut innovation bank to obtain a Federal Reserve master account. Another limited-purpose state charter that has gained renewed attention is Georgia’s merchant acquirer limited purpose bank charter, which was originally created in 2012 to allow entities engaged in merchant acquiring or settlement activities to directly access payment card networks without relying upon a sponsor bank. In addition, Wyoming’s Special Purpose Depository Institution charter and Nebraska’s Financial Innovation Act aim to attract digital asset companies by providing structures for integrating blockchain and digital asset custody into financial services.

A key consideration for fintech companies exploring limited-purpose bank charters is direct access to the Federal Reserve through a master account, which allows institutions to settle transactions directly through the central bank rather than relying on intermediary banks. Historically, access to these master accounts has been limited to traditional depository institutions, but recent developments, particularly Numisma Bank obtaining a master account, suggest a possible opening for novel charters. While the Federal Reserve has issued guidelines for evaluating master account applications—emphasising factors such as financial stability and regulatory oversight—the process remains opaque, and fintechs pursuing alternative charters must weigh the potential benefits of direct Fed access against the uncertainties surrounding regulatory approvals.

Bank-Fintech Partnerships Under Scrutiny After Fintech’s Failure

In light of the collapse of Synapse Financial Technologies, Inc. (Synapse) last year, federal and state regulators are more closely scrutinising banks’ relationships with fintech companies. Synapse operated as a “banking-as-a-service” provider, and was the middleware provider connecting its customers and their end-users to Synapse’s partner banks. Synapse maintained the ledgering for pooled, “for the benefit of” (FBO) bank accounts maintained by Synapse’s partner banks for end-users of Synapse's customers. When Synapse filed for bankruptcy in April 2024, many end-users were unable to access their funds because the partner banks did not have access to Synapse’s ledgers. After reconstructing transaction data and account balances, there is an alleged shortfall of funds estimated to range from USD65 to USD85 million.

While Synapse’s failure highlighted some of the key risks inherent in FBO account models and bank-fintech partnerships, the responses of the federal banking agencies and industry point towards the future of the industry. After Synapse’s bankruptcy, in July 2024, the federal banking agencies issued a joint statement highlighting risks and emphasising existing guidance related to arrangements between banks and third parties delivering bank-deposit products and services to end-users, and a broad request for information on arrangements between banks and fintechs. Certain federal banking agencies also issued consent orders against two of Synapse’s partner banks (one before and one after Synapse’s bankruptcy), which were focused in part on deficiencies related to the banks’ third-party risk management programmes. These actions indicate the federal banking agencies’ focus on ensuring banks properly manage the risks related to bank-fintech partnerships.

The FDIC also issued a proposed recordkeeping rule in September 2024. The proposed rule aims to strengthen recordkeeping for “custodial deposit accounts with transactional features”, which are generally defined to include the type of FBO accounts at issue in Synapse’s bankruptcy and would require banks to have “direct, continuous, and unrestricted access” to the records of beneficial owners maintained by a third party. The proposed rule is not without industry pushback, however, where certain industry commentators noted that the proposed rule is too broad and may increase compliance costs and oversight responsibilities of banks without reducing the primary cause of the risks inherent in Synapse’s model. Since finalising the rule will fall to the FDIC as run under Trump’s administration, time will tell if and how the final rule will be implemented. Travis Hill, Acting Chairman of the FDIC, stated in January 2025 that one of the FDIC’s priorities for the coming weeks and months is to “adopt a more open-minded approach to innovation and technology adoption, including . . . a more transparent approach to fintech partnerships”.

Similarly, certain state money transmission regulators have increased their focus on unlicensed fintech companies who utilise FBO accounts for customer funds. To the extent these fintech companies still control the movement of money notwithstanding the use of an FBO account model or sponsorship bank, they may be viewed as constructively receiving money for transmission, and, thus, require a money transmission licence. This increased scrutiny over bank-fintech partnerships is expected to continue at the state level, even if federal scrutiny eases with the new administration.

Conclusion

Fintech is evolving rapidly, bringing both opportunities and challenges as regulations shift. The Trump administration’s deregulatory stance has introduced uncertainty, particularly regarding the CFPB’s role in overseeing new financial products, while state regulators are expected to take on a larger role. Concurrently, advances in AI-driven fraud prevention, blockchain, and embedded finance are enhancing efficiency and security, but recent failures and heightened scrutiny of bank-fintech partnerships highlight the need for stronger risk management and clearer regulations. The digital asset sector is also at a turning point, with federal agencies shifting toward rule-based governance for a more structured approach. However, state-level inconsistencies—impacting digital asset businesses and money transmitters—continue to pose challenges. Efforts to modernise money transmitter laws could bring more consistent regulations nationwide, while new financial institution charters present alternatives to state licensing. Ultimately, fintech firms must strike a balance between innovation and compliance, leveraging regulatory changes as opportunities for growth, partnerships, and smarter business strategies.

Schulte Roth & Zabel LLP

919 Third Avenue
New York
NY 10022
USA

+1 212 756 2000

+1 212 593 5955

www.srz.com

Trends and Developments

Authors



Schulte Roth & Zabel LLP leads the fintech space, offering unmatched expertise that extends across various facets of the legal landscape, including investment fund work, payments and lending, regulatory and compliance. It advises top fintech companies and innovative startups, making it the go-to firm for financial and strategic buyers in the payments sector. The team’s experience in licensing, compliance, and regulatory enforcement, particularly in AML and OFAC matters, is unmatched in the industry. In cryptocurrency, Schulte works with retail and wholesale providers of cryptocurrency products and services, including merchant payment processing, digital wallets, cryptocurrency exchangers, market-makers and liquidity providers, on state money transmitter and federal money services business licensing and registration matters. Schulte is a trusted advisor to start-up unicorns, guiding them through setting up payment operations and securing necessary licences. With a deep-rooted understanding of the industry, the firm provides strategic counsel that helps clients innovate, expand, and comply with evolving regulatory frameworks.
