Artificial Intelligence

Exponential advances in AI, particularly large language models (LLMs)/generative AI, have led to similarly exponential industry enthusiasm towards adoption of the technology. AI models are already widely used in fintech products and services. Common deployments include identity verification and fraud detection, underwriting and pricing (eg, credit scoring with alternative data), customer service (eg, LLM-powered chats), collections optimisation (eg, predictive models pick optimal outreach timing/channel and tailor loan repayment plans to maximise recovery), and marketing, amongst other uses. These are the most prevalent deployments today because they generally show a clear ROI and tend to fit rigorous, documented risk management for models and data systems aligned with prudential standards used by regulated banks. Moving forward, we anticipate fintech providers to expand their use of AI in the areas of vendor and third-party risk-screening, compliance drafting and surveillance, investment portfolio advice, and in-app guidance (eg, “co-pilots”).

Adoption and expansion of AI is accelerating primarily because ROI and the technologies have improved, but it is also due in small part to regulators offering clearer guardrails in some areas. While guidance is far from comprehensive, regulators have generally advised that banking, consumer protection, AML/BSA, privacy, and securities rules apply regardless of whether a decision is made by a human or AI. For example, for credit products, regulators have reiterated that lenders must provide specific, accurate adverse action reasons even when using complex AI models. At the federal level, a number of Executive Orders (EOs) that bear on AI have been issued. However, importantly, in December 2025, President Trump issued another EO entitled “Ensuring a national policy framework for artificial intelligence” that directs the US Attorney General to establish a task force to challenge state regulation of AI deemed burdensome.

CFPB’s De-Regulation Posture

The Consumer Financial Protection Bureau’s (CFPB) posture can be characterised by a significant shift toward de-regulation, and a return to formal rulemaking processes, while operating amidst staff reductions, congressional scrutiny, and funding uncertainty. CFPB withdrew over 60 guidance documents, policy statements, and advisory opinions in 2025. As federal enforcement activity recedes, state regulators will increasingly look to fill that void, and in some cases, already have. One such example is the Trump administration’s CFPB retraction of an Interpretive Rule that former Director Rohit Chopra issued under the Biden administration that asserted that “digital user accounts” that permit consumers to access credit in the course of a retail purchase, such as Buy Now, Pay Later (BNPL) products, are “credit cards” under TILA, subjecting the “card issuer” (eg, BNPL provider, bank partner-originated BNPL credit, payment processor) to certain additional disclosure and substantive obligations. New York quickly acted to fill the void with a “BNPL Act” of its own, which represents one of the first of potentially many attempts by states to step into the perceived void left by the change in administration at CFPB.

Continued Use of De Novo Bank Charters

The regulatory landscape in 2025 was marked by a pronounced shift toward institutional autonomy, as the Office of the Comptroller of the Currency (OCC) received 14 de novo applications for limited-purpose national trust bank charters. This influx primarily reflects a strategic pivot by fintech and digital asset firms seeking to vertically integrate regulated functions – namely payments, custody, lending, and stablecoin issuance – thereby mitigating their historical reliance on third-party banking intermediaries. This momentum, bolstered by the parallel pursuit of industrial loan company (ILC) charters by major technology and payments companies, signals a trend that we anticipate will accelerate throughout 2026.

Digital Assets

In 2025, a quickly growing cadre of companies known as “digital asset treasuries” (DATs) began accumulating digital assets as part of a corporate treasury strategy. The term is generally used to refer to a company adopting a crypto treasury strategy that purchases, holds, and deploys digital assets on its balance sheet as a primary business line. DATs may derive revenue from these digital assets in a variety of ways, including price appreciation, staking, trading, and generation of yield through DeFi protocols. DATs may raise public or private capital specifically to purchase digital assets with the proceeds of the raise. Capital-raising strategies for DATs include at-the-market offerings, private investments in public equity (PIPE), equity lines of credit, convertible notes, warrants, preferred equities, deSPACs, reverse mergers, and credit facilities.

One-Stop Platforms

Finally, many businesses that had previously provided a narrower range of products and services (including cryptocurrency trading, securities trading, prediction markets, and borrowing/lending) have sought to broaden their offerings to become more of a one-stop platform. In 2026 we expect to see continued expansion of the products and services provided by individual businesses.

Industry-recognised fintech verticals that currently predominate in the USA include the following:

• payments – mobile devices to engage in payment transactions as an alternative to using cash or plastic credit cards; as well as point-of-sale systems, business-to-business payment processing, and digital wallets for cryptocurrency and stablecoins;
• online banking and lending and expanded collateral options – the offering of traditional banking and lending services using electronic signatures and records and “control” frameworks under UCC Articles 8, 9, and 12; taking digital assets as collateral;
• neobanks – the development of fully digital banks, offering services through websites and apps;
• embedded finance – the integration of financial services, including mobile payments, online banking, lending and digital asset use into non-financial platforms;
• open banking – the ability of third-party financial services providers and data aggregators to use and access bank customer data via an application programming interface (API) or other means;
• decentralised finance (DeFi) – financial services and products using a blockchain for critical infrastructure, including decentralised exchanges (DEXs), borrowing/lending protocols, derivatives, staking; 
• fintech-driven financial wellness platforms – hedge funds and asset managers leveraging digital platforms to onboard clients, manage trading (using platform algorithms), provide wealth management services, automate client communications, and provide reporting;
• earned wage access – allows employees to access their earned wages before a traditional pay period, often through mobile apps or platforms that connect directly to employer payroll systems;
• tokenisation and digital assets and fractional investing – digital origination of assets such as cryptocurrency, securities, electronic chattel paper, transferable records, carbon credits, real estate and allowing investors to buy fractions of assets;
• regtech – the leveraging of AI and other technological tools to assist in compliance monitoring and automation; and
• derivatives and prediction markets – fintechs that have expanded into the institutional and retail markets for derivatives, including in prediction markets.

Federal Regulators

The US federal government actively regulates most financial products and services. A non-exhaustive list of federal regulators includes:

• Consumer Financial Protection Bureau (CFPB) (virtually all financial products and services for consumers; however, see 2.10 Significant Enforcement Actions);
• Federal Reserve Board of Governors (FRB);
• Federal Deposit Insurance Corporation (FDIC);
• Treasury, including:
1. Financial Crimes Enforcement Network (FinCEN);
2. Federal Financial Institutions Examination Council (FFIEC);
3. Office of the Comptroller of the Currency (OCC);
4. Office of Foreign Asset Control (OFAC); and
5. Internal Revenue Service (IRS).
• Securities and Exchange Commission (SEC); and
• Commodities Futures Trading Commission (CFTC).

With respect to laws and regulations within the jurisdictions of the federal agencies noted above, a non-exhaustive list of statutes and regulations addressing financial products and services includes:

• Electronic Fund Transfer Act (EFTA) and Regulation E;
• Fair Credit Reporting Act (FCRA) and Regulation V;
• Truth in Savings Act and Regulation DD;
• Truth-in-Lending Act (TILA) and Regulation Z;
• Bank Secrecy Act (BSA) and/or the USA PATRIOT Act;
• Securities Act of 1933 and related regulations;
• International Emergency Economic Powers Act (IEEPA);
• Securities and Exchange Act of 1934 and related regulations (Exchange Act);
• Investment Company Act of 1940 and related regulations (ICA);
• the Commodities Exchange Act (CEA); and
• The GENIUS Act.

State-Level Regulation

Individual states and the District of Columbia can establish their own statutes and regulations that address licensing or chartering of banks, non-banks, brokers and dealers, and product regulation. These state rules are not the same in all jurisdictions and sometimes conflict with each other. Relevant regulators may include state banking departments, consumer protection agencies, money transmitter regulators, and securities commissions.

States also adopted a commercial law framework known as the Uniform Commercial Code (UCC) that addresses electronic payments and lending, and the custody and transfer of letters of credit, “financial assets” in digital form, electronic chattel paper, and “controllable electronic records”.

Transferable records (ie, electronic negotiable promissory notes) are governed by the federal Electronic Signatures in Global and National Commerce Act (ESIGN) or the applicable state Uniform Electronic Transactions Act (UETA).

See 6. Marketplaces, Exchanges and Trading Platforms and 10. Blockchain.

Direct consumer compensation models for fintechs in the USA include those based on subscriptions, transactions, payment processing, advisory, funds transfers, trading, funds acceleration, management, or commissions. Direct fees may be required to be disclosed based upon the regulations applicable to the underlying transaction.

Certain fintech services are offered to consumers without fees. Consumer resistance to fees for certain services, such as peer-to-peer (P2P) payments, has been significant in the USA. “Freemium” or tiered pricing models often include a basic level of service without direct cost and a premium level available for a fee.

Indirect fees include interchange fees, referral or lead-generation compensation, API fees, spread-based fees, advertising revenue, interest generation, payment for order flow, data monetisation, and contractual profit-split arrangements. Indirect fees may also require disclosure or be restricted in certain jurisdictions.

Applicable laws and regulations often require fees to be disclosed clearly and conspicuously, without misrepresentation (including the omission of mandatory fees) and may include requirements to disclose conflicts of interest.

US regulation of fintechs is layered; regulators rely on established laws and regulations that were developed for traditional financial services models in conjunction with new, often licence-based, federal and state laws and regulations. Legacy players in financial services rely upon traditional exemptions from some state licence-based requirements but are subject to well-established frameworks with requirements for capital reserves, liquidity, and risk management.

Regulation of fintechs differs significantly from that of legacy players. Fintech regulatory oversight can vary significantly by jurisdiction. Whether a fintech is subject to federal and/or state regulation, including licensure, will depend on the fintech’s activities, the flow and exchange of value and the nature of the specific product or service being offered. Regulators also focus on the location of the fintech, the location of the customer, and whether the customer is an individual or a business. It is also relevant as to whether the product or service is delivered through an online or mobile channel or utilises innovative technology.

Consumer protection, anti-money laundering and privacy laws for banks are well established. Fintechs have less clarity, with less centralised regulatory oversight, but they remain subject to these laws.

No US regulator has established a true regulatory sandbox for fintech, instead opting for “innovation hubs” – dedicated points of contact for fintech firms to raise enquiries and seek non-binding regulatory guidance. For example, SEC has established the Crypto Taskforce to help SEC provide clarity on the application of the federal securities laws to the crypto-asset market, and recommend practical policy measures that aim to foster innovation and protect investors, and CFTC’s fintech hub is the “CFTC Office of Technology Innovation”. The administration issued an Executive Order “Ensuring a National Policy Framework for Artificial Intelligence”, promoting AI innovation and reducing the state regulatory burden. Congress is considering AI sandbox legislation, but, to date, no laws have been enacted.

Some states have provided a limited-term regulatory sandbox for fintechs in some areas, such as money transmission.

Fintechs often face conflicting regulatory requirements when operating nationwide in the USA. All fintech verticals are subject to a patchwork of laws and regulations at both the state and federal level, and of varying degrees of overlap and clarity. Additionally, non-governmental entities may also issue rules that are quasi-regulatory.

Some of the many regulators and their jurisdictions include:

• FDIC: insured depository institutions, including digital asset activities and partnerships with fintechs;
• FinCEN: money transmission, money laundering, and the financing of terrorist activities; and regulates digital currency exchanges, including anti-money laundering (AML) and know-your-customer (KYC) compliance;
• OCC: national banks, including digital asset activities and collaborations with fintech;
• OFAC: economic and trade sanctions;
• IRS: tax matters;
• SEC: activities in securities markets;
• CFTC: commodities and derivatives; and
• state level: licensing laws and regulations for securities, lending, and money transmission.

See 6. Marketplaces, Exchanges and Trading Platforms and 10. Blockchain.

Regulators generally provide “no-action” letters when their staff will not recommend enforcement action against particular persons or companies based on specific facts and circumstances presented in the request for a no-action letter and/or in connection with an investigation.

In December 2025, SEC issued a no-action letter to the Depository Trust Company (DTC) regarding the DTC’s development and launch of a pilot programme for its securities tokenisation services. Under the programme, upon a DTC participant’s instruction, DTC would debit eligible securities from the participant’s book-entry account and credit them to an account on DTC’s centralised ledger that reflects all tokenised securities entitlements held in registered wallets. DTC would then mint tokens to the participant’s registered wallet. Tokens may be transferred directly between registered wallets, with all movements tracked by DTC’s off-chain system, which would make a record of tokenised securities entitlements.

Outsourcing by fintechs to a regulated entity can offer enhanced compliance. Regulated entities are already subject to stringent oversight and have established compliance programmes, which can reduce the risk of non-compliance in the outsourced functions. See 1.1 Evolution of the Fintech Market.

Similarly, regulated entities can outsource to fintechs and other third-party providers. Often regulation requires certain due diligence related to the use of third-party providers. However, the regulated entity remains ultimately responsible for compliance even if the entity outsources certain functions to fintechs.

Fintechs become de facto gatekeepers when subject to US federal or state AML and sanctions laws that require them to detect and report suspicious activity to law enforcement. Unless a specific exemption applies, fintechs must develop risk-based compliance controls designed to prevent laundering money, financing terrorism, and/or evading sanctions.

Additionally, SEC and state securities regulators have expanded their position that fintechs have gatekeeper responsibilities. SEC has pursued audit firms, underwriters, broker-dealers, auditors, compliance officers, and attorneys who service and advise the industry.

See 2.10 Significant Enforcement Actions and 6. Marketplaces, Exchanges and Trading Platforms.

SEC

In 2025, SEC dismissed a number of enforcement cases against fintechs involving alleged regulatory violations without fraud or other wrongful conduct. Notably, SEC voluntarily dismissed a number of enforcement actions against cryptocurrency exchanges for allegedly operating as unregistered securities exchanges and brokers. However, SEC continued to bring enforcement actions involving fraud or other wrongful conduct. In April 2025, SEC obtained a consent judgment in its enforcement action charging a developer of a decentralised wireless network with making misrepresentations in connection with its offer and sale of stock.

In May 2025, SEC charged Unicoin, Inc. and several executives with making false and misleading statements in an offering of certificates that purportedly conveyed rights to receive digital assets called Unicoin tokens and an offering of Unicoin stock. SEC alleged Unicoin advertised the tokens were backed by billions of dollars in real estate and equity interests in pre-IP companies, when Unicoin’s assets were never worth more than a fraction of that amount.

In December 2025, SEC filed a civil complaint against three alleged crypto trading platforms and four affiliate investment clubs, alleging they engaged in a fraudulent scheme targeting retail investors through social media recruitment and fake crypto trading and “security token offerings”, misappropriating more than USD14 million. 

CFTC

In addition to issuing various consent orders focused on fraud, the Commodity Futures Trading Commission (CFTC) took several significant actions in 2025 reflecting a more accommodating regulatory approach including withdrawing outdated guidance and engaging in initiatives to integrate tokenised collateral, including stablecoins, into derivatives markets, and a focus on collaborative regulation with SEC to harmonise regulations and foster innovation in financial markets.

CFPB

In 2025, CFPB issued several statements regarding deprioritisation of certain areas of enforcement and significantly reduced their volume of enforcement activity. Only one enforcement action was concluded in 2025. CFPB alleged that the fintech did not maintain adequate location records related to consumers’ funds, and did not reconcile those records with partnering banks, resulting in the loss of those funds. The parties entered into a stipulated judgment with injunctive relief and a USD1 civil penalty.

AML and Sanctions

The Department of Justice (DOJ) and Treasury continued aggressive AML and sanctions enforcement against digital asset companies and their executives primarily for conduct that threatened (or had the potential to threaten) US national security.

• A centralised cryptocurrency exchange pleaded guilty to unlicensed money transmission and agreed to pay nearly USD300 million in penalties for operating in the USA without properly registering and failing to implement AML controls.
• A cryptocurrency exchange also pleaded guilty to operating an unlicensed money transmitting business, with penalties totalling ~ USD504 million. The exchange also committed to compliance undertakings, including an external compliance consultant through at least 2027.
• FinCEN assessed a USD3.5 million penalty against a peer-to-peer CVC trading platform, alleging it facilitated more than USD500 million in suspicious activity and had major AML programme failures.
• OFAC brought enforcement actions against, among others: (i) a defunct cryptocurrency trading platform which serviced users in sanctioned jurisdictions; (ii) a digital asset wallet company for recklessly evading or coaching users on how to evade sanctions on North Korea and Iran; and (iii) non-US entities, including fintechs in the Middle East, Russia, and China, adding the entities to its Specially Designated Nationals (SDNs) list for facilitating sanctions evasion and assisting in military and terrorist operations, including through cryptocurrency.

Although 2025 reflected a less aggressive enforcement environment for SEC, CFTC, and CFPB, national security-related enforcement by Treasury, the DOJ, and Departments of State and Commerce increased significantly. This trend is likely to continue. 

While privacy, cybersecurity, social media and software development regulations apply broadly across financial entities and services, legacy financial institutions and fintechs have different regulatory frameworks and enforcement risks. For example, banks are subject to direct supervisory oversight whereas fintechs may be obligated through contractual arrangements with partners, vendors, or technology providers.

Where strict privacy rules apply to banks under the federal Gramm–Leach–Bliley Act and strict data rules also apply, fintechs are subject to state privacy and data laws – a much less onerous framework. 2024 saw a significant uptick in enforcement and litigation matters related to privacy claims under various state Biometric Information Privacy Acts and under the California Invasion of Privacy Act. 

Fintechs are exposed to other marketing and consumer engagement regulations and policies due to their dependence on technology. Prohibitions against the use of “dark patterns” are one such example. “Dark patterns” is a set of practices using electronic interface design that may manipulate, mislead or deceive a consumer into providing consent that they would not otherwise or otherwise steer consumers into decisions that they may not truly intend or understand.

Entities like self-regulatory organisations (SROs) and accounting firms or accountants may have responsibilities to review activities of industry participants. SROs are not regulators but are overseen by federal regulators, like CFTC and SEC. SROs can impose fines and suspend or revoke licenses. There is currently no SRO for digital assets. Accounting and auditing firms play an important role in ensuring compliance with financial reporting standards.   

Offering an unregulated product or service in conjunction with regulated products and services could put the offeror at risk of regulator scrutiny for both products. Companies may want to set up separate entities to streamline compliance of regulated products.

AML, countering the financing of terrorism (CFT), and sanctions rules impact fintechs in a meaningful and often resource-intensive way. Developing thoughtful, risk-based compliance programmes pre-launch and assessing the adequacy of such programmes are important steps to avoid facilitating criminal conduct and minimise the risk that a company will become the target of a regulatory or criminal investigation. FinCEN, OFAC, the State Department, Commerce Department and various components of DOJ regulate and/or prosecute AML and sanctions or export control violations.

Additionally, banking and money transmission regulators at the state level have their own regulatory and licensing regimes which may be applicable to fintechs, including AML. OFAC guidance provides that US sanctions compliance obligations apply equally to cryptocurrencies and fiat currency transactions. Cryptocurrency industry members are responsible for ensuring that they do not engage, directly or indirectly, in transactions prohibited by OFAC. Additionally, there is often liability for non-US persons who “facilitate” sanctions violations by US persons.

As it relates to fintechs, the AML/CFT and sanctions rules in the USA generally follow the standards and guidelines set forth by the FATF. FATF “Recommendations” are not binding on its member nations, including the US. FATF Recommendations and the principles underlying the US regulatory regime share fundamental concepts, including that the US and FATF generally require certain entities to register or be licensed. 

FATF identified as an area of improvement the US’s delay in establishing a comprehensive beneficial ownership information reporting regime to combat the use of shell companies. Although the US Congress endeavoured to address these concerns with the 2021 Corporate Transparency Act (the CTA), the CTA took a long time to implement. In early 2025, the new administration’s Treasury Department significantly limited the beneficial ownership reporting requirements which now only impact non-US-registered companies.

The FATF Travel Rule requires covered virtual asset service providers (VASPs) to convey information regarding the identity of the payment sender and recipient to other VASPs and financial institutions. The FATF Travel Rule has a reporting threshold of USD1,000, and requires the provision of detailed information about the originator and beneficiary of the transaction.

FinCEN adopted the US Funds Travel Rule which requires financial institutions, including money services businesses, to transmit basic information regarding the sender and recipient (not detailed information) with the transmittal of funds equal to or greater than USD3,000. Fintech compliance with the FATF and the US Travel Rules continues to present significant challenges, eg, the lack of standards across countries and differing implementation dates.

“Reverse solicitation” is an approach made by an existing or prospective customer to a financial services provider, where the provider has not actively encouraged the customer to contact the provider.

The concept of reverse solicitation exists in the USA, but it is not a codified legal principle. Depending upon the state, and at the federal level, reverse solicitation may be permissible where the provider can demonstrate that the relationship was genuinely customer-initiated.

Despite the benefits of reverse solicitation, foreign service providers may still face regulatory scrutiny and must be prepared to provide documentation to support their assertions that the relationship was customer-initiated.

Robo-advisers provide asset management services to their clients through online algorithmic-based programmes, and are typically investment advisers registered with SEC, subject to SEC oversight, and must comply with the Advisers Act. Depending on the types of services they provide, robo-advisers also may be subject to other regulatory regimes.

Many major US banks, broker-dealers and investment advisory firms have implemented a robo-adviser platform. Within the US, the robo-adviser industry is anticipated to experience high growth due to digitalisation in the financial sector.

The Advisers Act establishes a federal fiduciary standard for all investment advisers, including robo-advisers. When a robo-adviser selects broker-dealers and executes customer transactions, the robo-adviser is obligated to seek “best execution” of customer transactions.

There are significant differences in US regulation of loans made to consumers and loans made to businesses.

Loans to individuals for consumer purposes (ie, family, household, or personal use) are highly regulated. At the US federal level, there are a variety of consumer protection laws (eg, TILA, ESIGN, FCRA, EFTA, and unfair, deceptive, or abusive acts and practices (UDAAP)) with which online lenders originating consumer loans will likely need to comply, depending on the specific features of the product. More regulations are triggered under federal law if the consumer product being offered is secured by real estate (ie, residential mortgages). At the state level, lenders offering consumer loans must be licensed in nearly all states, and many states have their own laws similar to UDAAP.

Small business and commercial loans are often exempt from many federal laws and regulations, and state licensing, usury, and disclosure requirements, depending on the features of the product. However, a number of federal regulations may still apply to these loans in certain circumstances.

A minority of states require lenders to provide specific disclosures to commercial loan recipients. Commercial lenders are subject to licensure in fewer than half the states, often only where the interest rate or principal amount deviates from specified thresholds.

Underwriting processes in the US vary by industry but generally assess credit risk, income, collateral, and the borrower’s ability to repay. Banks and traditional lenders follow regulatory guidelines set by agencies like the OCC, FDIC, and CFPB, while private lenders and fintechs often use proprietary models with fewer regulatory constraints. Mortgage and small business loans adhere to strict federal rules, including the Dodd-Frank Act and SBA requirements, whereas corporate and commercial lending relies on financial metrics and risk-based assessments.

Sources of funds for loans will vary depending on several factors, including the type of loan, economic environment, and creditworthiness of borrowers.

P2P lending allows individuals or businesses seeking financing to borrow money directly from another person without applying to a traditional financial institution. P2P loans are often issued to borrowers with lower credit profiles, resulting in a higher risk of default. P2P lending platforms are generally less regulated than traditional lending but may be subject to loan brokerage laws.

Lender-raised capital can be generated through debt financing or equity financing. Private equity and venture capital firms may provide funding for specialised loans, such as those for start-up businesses in exchange for equity in the borrower. Institutional investors may provide funds for debt-financed transactions. Banks and other deposit-taking institutions are the most common source of loan funds.

Syndication is a common practice in the USA and allows lenders to participate in bigger financing opportunities by sharing loan risks with other lenders.

The syndicate agent (a lead financer) will co-ordinate the syndication process, including structuring the loan terms, finding lenders to participate, and performing due diligence. There is one loan agreement for the entire syndicate, with each lender’s liability limited to its respective share of the loan interest.

Loan syndications typically meet industry standards and best practices set forth by the Loan Syndications and Trading Association (LSTA). LSTA provides standardised documentation and guidelines for various aspects of loan syndications. Lenders participating in a syndication are also subject to federal or state laws that would otherwise be applicable, as described in 4.1 Differences in the Business or Regulation of Fiat Currency Loans Provided to Different Entities, as well as any other regulations that may be applicable to the type of lender and jurisdiction.

It is common practice in certain industries to syndicate electronically originated promissory notes, loans, and leases secured by collateral such as real estate or a vehicle. ESIGN and UETA, and UCC Articles 3 and 9, support and enable pooling, transfer, and syndication of such transferable records and electronic chattel paper.

In the USA, firms involved in the processing of payments are generally separate legal entities from the payment networks that operate the “rails” through which payment information flows. Payment processors typically transmit or submit credit or debit card transactions for authorisation through the card payment networks and arrange for settlement to the bank accounts of the underlying merchant or payee that accepted the card for payment.

US laws and regulations do not prevent a payment processor from creating its own set of payment “rails” through which to transmit payment information. However, the high transaction volume needed to drive sufficient payor interest and achieve a critical mass of merchant or payee acceptance of the new payment network serves to limit the development of new payment networks.

Cross-border payments and remittances are subject to a US financial regulatory framework which addresses consumer protection, AML/CTF, and/or commercial efficiencies.

Federal consumer protection laws such as the EFTA and Regulation E, as well as state law equivalents, generally require a cross-border or remittance transfer provider to comply with certain obligations, such as providing clear and accurate disclosures prior to payment regarding the fees to be charged and the ultimate timing of delivery to the intended recipient. A remittance provider must also provide receipts with similar disclosures for consumer retention. Additionally, state laws require money services businesses to obtain a licence, meet certain net worth and bonding requirements, and retain permissible assets to support their activities.

Remittance transfer providers may be a subset of money services business required to adopt AML/CTF compliance programmes under the BSA which require the provider to conduct due diligence on their customers (KYC), engage in ongoing transaction monitoring for suspicious transmissions or money movement involving illegal activity, and meet transaction reporting requirements. See 2.15 Financial Action Task Force (FATF) Standards.

State laws such as Article 4A of the UCC provide a legal framework for the efficient payment and transmission of money on a commercially reasonable basis. These laws set default rules governing the administration and role of various parties involved in the transfer of funds for business-to-business or commercial purposes (and do not involve transactions to/from consumer accounts).

Fintech marketplaces offer a wide array of financial offerings, such as:

• loans and credit (consumer and business);
• B2B including invoice financing;
• computing power;
• prediction markets;
• investments and wealth management;
• insurance;
• payment solutions (eg, digital wallets and P2P platforms); and
• cryptocurrency exchanges.

Fintech marketplaces aim to simplify access to financial products and services by aggregating offerings from multiple providers in one place. They can enhance transparency, competition, and choice in the financial industry.

All fintech marketplaces must ensure they comply with all laws and regulations applicable to the services and products offered.

See discussion in 10. Blockchain.

Engaging in the business of selling or exchanging cryptocurrency constitutes money transmission under US federal and state regulation. Money transmission regulations treat cryptocurrency similarly to fiat currency and often require that the exchange obtain a money transmission licence. Custodying customer funds may also trigger licensing. If the asset is deemed a security or a derivative on a security, federal securities laws would apply, requiring additional licensing.

SEC’s position and the legal question of whether and when digital assets constitute securities remains open. In late 2025, SEC issued a detailed staff statement on custody of crypto-asset securities, specifically addressing how broker-dealers can demonstrate “physical possession” of fully paid crypto-asset securities under Exchange Act Rule 15c3-3(b)(1). This guidance follows SEC staff FAQs released in May 2025 describing broker-dealer obligations with respect to crypto-asset activities.

Cryptocurrencies and tokens not considered to be securities may be considered commodities subject to CFTC regulation. Exchanges conducting only spot transactions do not have to register, but those trading derivatives, futures, swaps, or options on spot transactions must register with CFTC and comply with CFTC regulations.

Whether decentralised exchanges would similarly be required to register with money transmission, securities, or commodities regulators remains an open legal question, particularly where no centralised entity takes custody of assets, processes the transaction, or controls the decentralised exchange.

See 2.10 Significant Enforcement Actions and 10. Blockchain.

There is currently no uniform US regulatory listing standard for digital assets offered on centralised or decentralised platforms. The platforms commonly have their own listing frameworks. Listing requirements for digital assets may include:

• whether the asset is a security or commodity;
• the extent of community adoption;
• trading volume; and
• indicia of code reliability or vulnerability.

Certain decentralised exchanges may provide guidance on how to list a token – but many remain effectively permissionless, allowing users to create their own pools with compatible tokens of their choosing.

CTFC regulates the listing of digital asset derivative products. Under CFTC guidance, trading platforms and clearing houses should:

• partner and have information sharing agreements with spot market platforms that follow KYC/AML rules;
• monitor price settlement data from spot markets and identify/investigate anomalies or disproportionate moves;
• set large trader reporting thresholds at five Bitcoins or less;
• regularly co-ordinate with CFTC staff and provide trade data; and
• allow CFTC staff to review initial and maintenance margins for cryptocurrency futures.

The CEA provides a self-certification process for new digital asset commodities products to be listed on designated contract markets (DCMs) or through swap execution facilities (SEFs).

For both retail and non-retail commodities transactions, CFTC order handling rules require futures commission merchants (FCMs), SEFs and DCMs to execute orders fairly and orderly – there is a prohibition on front-running. Order handling rules do not apply to spot exchanges trading digital assets.

See 10.8 Cryptocurrency Derivatives.

The regulation of P2P trading platforms in the USA is dependent upon whether the digital asset being traded is a security, a commodity, or another digital financial asset subject to the UCC or other federal or state law.

SEC has asserted that certain P2P platforms offer securities and are subject to US securities laws. SEC has historically required and enforced registration by different P2P lending platforms. However, SEC now seeks to modernise its regulatory approach towards digital assets and DeFi, including creating “Project Crypto”, setting up roundtable discussions with market participants to explore paths toward regulatory clarity, and collaborating with CFTC in an effort to harmonise regulatory frameworks regarding digital assets and crypto-related activities.

See 6.4 Listing Standards for a discussion of CFTC and SEFs. The extent to which decentralised P2P platforms trading CFTC-regulated commodities are subject to CFTC regulation also remains unsettled.

See 10. Blockchain.

To the extent that US federal securities laws apply to a platform, payment for order flow typically implicates broker-dealer/customer relationships and is regulated by SEC and FINRA rules. Also, best execution obligations and anti-fraud provisions can be implicated if payment for order flow results in a broker-dealer directing a transaction to a platform for execution when better terms are available elsewhere.

SEC Reg NMS has rules that require a broker-dealer to execute in a particular manner.

SEC proposed Regulation Best Execution which, if finalised, would apply to digital assets that qualify as securities and impact practices governing payment for order flow.

US securities regulations, at the federal and state level, establish key principles to promote market integrity and prevent market abuse. Additionally, SROs such as FINRA also have similar rules.

Some of the key principles include:

• promoting laws and rules designed to ensure that market participants have equal access to markets and that pricing and trading practices are fair, transparent, and accurate;
• requiring that all investors receive access to basic facts about an investment before buying it;
• enforcing laws, regulations, and rules to detect, deter and prevent wrongdoing of all types, including market manipulation, insider trading and frontrunning; and
• sanctioning and disciplining those who violate securities laws, regulations, and rules.

With respect to CFTC, the core mission of CFTC is preserving market integrity. CFTC may pursue manipulation, attempted manipulation, fraud, and false reporting of any commodity in interstate commerce.

In the USA, high-frequency trading (HFT) and algorithmic trading are regulated by SEC for securities and CFTC for commodities.

SEC Reg NMS ensures best execution and prevents trade-throughs, and the Market Access Rule mandates pre-trade risk controls for algorithmic trading and post-trade surveillance. SEC has adopted rules that require market participants that perform dealer functions to register as dealers, subjecting them to capital requirements and anti-manipulation and anti-fraud provisions. Also, HFT and algorithmic trading are often scrutinised in the context of potential market manipulation, including under the Exchange Act and Rule 10b-5.

CFTC implemented anti-manipulation rules under the Dodd–Frank Act, such as banning spoofing and other disruptive trading practices. CFTC also implemented a principle-based approach applicable to DCMs and generally imposed risk controls regarding trading.

Market makers in the USA are typically acting as dealers. A dealer is defined as any person engaged in the business of effecting transactions in securities from its own inventory, not acting as an intermediary between sellers and buyers. Dealers present themselves as willing to buy or sell a security at a quoted price on a continuous basis. The Exchange Act requires, with limited exemptions, dealers to register with SEC as a broker-dealer. Dealers are also subject to regulatory oversight by FINRA. See 7.3 Regulatory Distinction Between Funds and Dealers.

Digital asset market makers either offer continuous quotes of bids and offers on centralised cryptocurrency exchanges or contribute to liquidity pools on decentralised cryptocurrency exchanges that fund the trading of token pairs effected by smart contract-powered algorithms called automated market makers (AMMs). Crypto-asset market making is generally unregulated given that neither centralised crypto-exchanges nor AMMs are registered with SEC. SEC has asserted, in enforcement actions, that crypto market makers are required to register as dealers.

In the USA, a fund may qualify as an investment company and be subject to the registration requirements of the ICA, unless subject to an exemption. An adviser to a fund likely must register with SEC pursuant to the Advisers Act or with a state securities regulator. An adviser manages portfolios or pooled investments from third parties. Advisers are generally paid by collecting a management fee and/or incentive fees based upon the performance of the portfolio. Advisers are subject to fiduciary, custody and disclosure obligations.

A “dealer” is any person engaged in the business of buying and selling securities for the person’s own account, through a broker or otherwise. Dealers, like brokers, must register pursuant to the Exchange Act, absent limited exemptions. Dealers generally make money by collecting transaction-based fees or through the bid-ask spread. They do not collect management or incentive fees, like funds.

SEC released FAQs to clarify the application of existing broker-dealer financial responsibility and transfer agent rules to digital assets. 

There is no SEC regulation that expressly applies to programmers, but all persons are subject to the anti-market manipulation and fraud provisions of the US federal securities laws. Further, the definition of a broker is broadly construed and could include persons who provide services to registered brokers, thereby requiring a programmer to register as a broker. The definitions of an investment adviser and dealer are similarly broadly construed, such that providing services in the context of investment advice (which might implicate adviser registration requirements) or proprietary trading (which might implicate dealer registration requirements) should be evaluated on a case-by-case basis. To the extent a person must register as a broker, dealer, and/or investment adviser, such registration comes with additional regulatory requirements and oversight.

The use of AI-driven technologies in underwriting continues to grow in the insurance industry. Underwriting is a regulated activity for admitted insurers and AI use in the performance of regulated activities triggers considerations related to data privacy and use, data security, and the responsible use of advanced computational methods, including AI. 25 states have now adopted the model bulletin on the Use of Artificial Intelligence Systems by Insurers adopted in December 2023 by the National Association of Insurance Commissioners (NAIC), and the NAIC is now developing detailed questionnaires to be used by regulators when evaluating an insurer’s AI use, including requiring detailed inventories by use case, evidence of compliance with the bulletin and underlying laws (including the adoption of AI governance and risk controls), and evidence of validation and testing efforts.

Digital platforms and the sharing industry continue to embed insurance, make insurance available at “check-out”, or offer “protection packages” that appear to have the attributes of insurance. Whether these activities are insurance transactions that require licensure and how revenue can be lawfully shared is a regulatory consideration in negotiations and agreements between the platform and the insurer or underwriter.

Different types of insurance are treated differently in essentially every aspect of their respective businesses across the entire insurance business spectrum, including different standards related to marketing, sales, underwriting, pricing, financial requirements, reserving, reinsurance, claims handling, etc. With respect to each of these functional areas, technology-driven methodologies may trigger different treatment by regulators by line of business. For example, with respect to life insurance, the use of non-traditional risk factors or AI in automated underwriting may result in the imposition of advanced notice obligations in the event of an adverse underwriting decision and the NAIC has adopted guidance regarding regulatory oversight specific to automated life insurance underwriting that does not apply to other lines of insurance. 

Regtech providers are not regulated directly if the business solely develops and aids with the implementation of software solutions, data analytics, and automation tools to enhance regulatory compliance processes and reporting requirements (as opposed to providing regulated products and services directly to customers). Instead, most regtech providers are governed by contractual obligations which may include requirements to ensure compliance with financial law and regulation.

See 2.8 Outsourcing of Regulated Functions.

See 9.1 Regulation of Regtech Providers.

Traditional financial services industry players are testing blockchain technology to address enhanced transaction efficiencies, security, and transaction record integrity and auditability. Most tend towards centralised, permissioned platforms – not decentralised platforms.

Traditional players are also exploring blockchain to streamline financial processes, including payments, settlements, real estate recording, vehicle titling, and other record-keeping, including for loan transactions, insurance claims, and trade settlements. Additionally, several financial institutions are using blockchain to enable the purchase and sale of digital carbon credits and deploying digital asset control systems that enjoy the benefits of the legal framework of UCC Article 8 until such time as nearly all US states adopt the UCC Article 12 legal framework for controllable electronic records, controllable payment intangibles, and controllable accounts.

Blockchain activities may be regulated by multiple, independent regulators, state and federal, with overlapping jurisdiction. Regulators have diverged in enthusiasm for blockchain and have asserted positions inconsistent with each other and, at times, internally.

Influenced by the new administration, SEC dismissed several large enforcement actions and closed ongoing investigations. Non-binding statements and guidance provided by SEC staff and individual commissioners suggest SEC may have shifted its views. In August 2025, at a blockchain symposium, SEC Chair Paul Atkins publicly stated he believes “very few” tokens constitute securities.

In 2025, several states amended existing statutes regulating money transmitters or establishing new regulations for digital assets. As of December 2025, at least 33 states have adopted the 2022 amendments to the UCC, including Article 12 related to Controllable Electronic Records. In August 2025, DOJ and the National Economic Council announced an effort to identify state laws that significantly and adversely affect the national economy or interstate economic activity. In response, a crypto trading platform called for federal regulation that would pre-empt state law seeking to regulate crypto, including Blue Sky laws and state licensing and regulatory requirements. The regulatory developments in this space remain to be seen.

CFTC and financial regulators have proven more willing to work with certain players, such as spot and futures exchanges, to allow activities subject to regulation.

See 6. Marketplaces, Exchanges and Trading Platforms.

State regulators vary in support for blockchain. Multiple state legislatures have adopted amendments to the UETA to include blockchain and other DLTs within scope. Other states have restricted blockchain activities in the state, imposed strict registration requirements. State banking regulators require licensing of money transmission, payments, and trading activities. State securities and commodities regulators have been less active.

Greater regulatory clarity and co-ordination may come in the future, including through unifying federal legislation. See 1.1 Evolution of the Fintech Market.

As described above, regulators have yet to agree on a scheme to assess the open questions of (i) when cryptocurrency constitutes a security, a commodity, a currency, or something else and (ii) when certain activities, such as borrowing, lending, or trading, particularly when executed via a decentralised protocol, fall within regulatory jurisdiction.

See 2.6 Jurisdiction of Regulators.

Regulation of tokenised asset sales is generally based on the type of the assets tokenised. Sale of tokenised real estate would implicate state real estate laws. Sale of tokenised assets otherwise not subject to comprehensive regulation (eg, art) may correspondingly not trigger any comprehensive regulation.

In the USA, the sale or distribution of cryptocurrency is a regulated activity and is generally considered money transmission, requiring registration with federal and state regulators where required – generally where there are sales to US persons or persons located in the USA, even if the seller or distributor is located abroad.

To the extent the assets constitute securities, initial sellers or distributors must either register the sale with SEC or conduct the sale pursuant to an exemption to the registration requirement. In January 2026, SEC released a statement clarifying the application of federal securities laws to tokenised securities. This statement addressed both issuer-sponsored and third-party-sponsored models.

Cryptocurrency trading platforms have generally been regulated as money transmitters and have registered with state and federal money transmission regulators.

To the extent centralised cryptocurrency exchanges trade tokens considered securities, they would be considered securities exchanges and brokers and required to register with SEC. Some cryptocurrency trading platforms have registered as alternative trading systems (ATS) under US securities laws. An ATS must comply with complex SEC regulations and register as a broker-dealer. Thus far, the activity of these ATSs appears limited in scope and size, and the vast majority of crypto-asset trading occurs on centralised and decentralised trading platforms not registered with SEC.

See 6. Marketplaces, Exchanges and Trading Platforms and 10.11 Virtual Currencies.

While the issue remains somewhat unsettled, SEC’s Division of Corporation Finance issued non-binding guidance on the application of federal securities laws to various types of staking activities. The Division opined that staking by a node operator of its own assets and staking by a node operator of third-party assets (even if staked by a custodian holding those assets for and staked at the direction of a beneficial owner) do not involve the offer or sale of securities.

That said, a custodian’s use of discretion in how to stake assets to provide a return (fixed or variable) to the beneficial owner may involve the offer or sale of securities. In several enforcement actions, SEC asserted that such staking-as-a-service constitutes a securities offering subject to federal securities laws, requiring registration for the offer and sale of securities related to staking activities, and registration is also required as a broker.

Lending services related to cryptocurrencies are regulated at both the state and federal level, though these frameworks are still evolving. If the lending involves digital assets that would be securities or related to commodities and derivative products they would fall under SEC and CFTC jurisdiction respectively, while lending with respect to other types of digital assets such as cryptocurrency would be regulated under various state lending laws.

CFTC regulates activities such as sales, trading, and advice in markets for derivatives. No CFTC registration is required for over-the-counter derivative products, provided the parties are eligible contract participants.

Retail investors trading in crypto derivative products may use retail derivatives exchanges registered with CFTC. Derivatives on securities would be regulated by SEC.

It remains unclear what regulations govern various activities and products in DeFi. Considerations include how and whether decentralised activities can be regulated, what level of control or influence there is by a centralised figure, and the nature of the underlying asset (eg, collectibles, securities, etc).

Regulators and courts have expressed a variety of views on these issues.

Treasury published “Illicit Finance Risk Assessment of Decentralised Finance” in 2023, which acknowledged there is “currently no generally accepted definition of DeFi, even among industry participants, or what products make a product, service, arrangement or activity decentralized”. Treasury asserted that whether an entity is subject to regulation depends on specific facts and circumstances, and degrees of decentralisation may not be dispositive. The appellate court decision overturning OFAC’s designation of Tornado Cash illustrates the uncertainty around when DeFi activities are subject to regulations.

Potentially relevant to DeFi exchanges is 2019 FinCEN guidance that an exchange is not a money transmitter where it operates P2P and the parties both maintain control over the assets and interact directly with the payment system.

Following the passage of the GENIUS Act, Treasury issued a Request for Comment to the cryptocurrency industry about innovative methods for detecting illicit activity in digital assets, including how risk management methods can apply to DeFi. This signals that the administration is not only open to DeFi, but has directed Treasury to embrace a risk-based approach towards it.

DeFi protocols have received less securities scrutiny than centralised exchanges and other products. In 2025, an appellate court affirmed the dismissal of claims against a prominent decentralised exchange developer for alleged unregistered sale of securities, reasoning that the developer neither held title to the underlying assets nor solicited their sale. SEC also recently closed an investigation into the same developer without enforcement action. Also, at least one court has held that provision of self-custodial wallet software that allows routing of transactions to decentralised exchanges and other DeFi protocols does not “implicate” many of the factors courts use in assessing activity by a securities broker. Nevertheless, there remains some uncertainty about whether and when a decentralised protocol might implicate securities law.

See 2.10 Significant Enforcement Actions and 6.3 Impact of the Emergence of Cryptocurrency Exchanges.

In the USA, funds are regulated based on the assets held. If a fund primarily invests in securities, it is regulated by SEC; if it primarily invests in regulated commodities interests or other derivatives, it is regulated by CFTC. If a fund invests in securities and commodities, the fund may be regulated by both regulators.

SEC and CFTC regulations require registration of funds and their advisers. There are exemptions to registration requirements for funds and advisers that meet certain criteria.

Notably, 2025 saw the rise of DATs, which hold digital assets in their corporate treasury as a primary component of their business. To the extent such digital assets constitute securities or regulated commodities interests, these companies may be subject to regulation as a fund by SEC or CFTC, though to date no DAT has registered with these regulators.

Because the legal classification of various digital assets remains uncertain, so too does the unique regulation of DATs. To the extent that DATs sell their own equity or debt securities, they are subject to state and federal securities laws. Further, to the extent that DATs hold and invest in digital assets that constitute securities, DATs may also be regulated as investment companies. The Investment Company Act of 1940 regulates companies that engage primarily in investing, reinvesting, and trading in securities and whose own securities are offered to the investing public. The Act requires investment companies to register with SEC and comply with SEC regulations, including required disclosures, though exemptions are available. To date, no DATs have registered as investment companies – taking the position that the digital assets held do not constitute securities.

Analogously, the CEA regulates the activities of commodity pool operators, which raise funds from the sale of securities for the purpose of trading in commodity interests, including futures, swaps, options, or derivatives. Commodity pool operators must register with CFTC and comply with its regulations. The extent to which digital assets constitute commodities subject to regulation by CFTC remains similarly unsettled. Furthermore, the CEA and CFTC do not comprehensively regulate the commodity spot market, so DATs that invest and trade primarily in spot digital assets likely would not fall within these regulations, though DATs that invest and trade materially in digital asset interests may have to consider their implications.

Advisers that manage a fund holding digital assets must consider several issues, including:

• disclosure requirements addressing digital asset risk factors;
• fair valuation of assets;
• custody;
• treatment of assets in bankruptcy;
• policies on whether the assets are securities or commodities;
• investment thesis documentation addressing why assets fit the portfolio management criteria;
• tax considerations; and
• SEC compliance in marketing materials.

The term “virtual currency” is used by money and banking regulators to describe a money-like representation of value. Certain activities concerning cryptocurrencies (ie, virtual currencies), most notably transmission and trading, are subject to regulation by federal and state money and banking regulators.

See 6. Marketplaces, Exchanges and Trading Platforms.

Treasury

NFTs (in particular collectibles) have not per se been widely treated as cryptocurrency. NFT trading platforms have operated without money transmitter licences and with less scrutiny from financial regulators compared to cryptocurrency exchanges. In contrast, it is well accepted that at least centralised NFT trading platforms must comply with sanctions rules.

Treasury released in 2024 a risk assessment of NFTs finding the risk of money laundering or terrorist financing low, but acknowledging that:

• Existing AML regulations may not adequately capture all types of NFT and NFT platform activity.
• NFT platforms may have BSA and AML obligations, depending on the nature of the underlying activity and if the NFTs are considered currency or a currency substitute.
• All NFT platforms conducting transactions involving US persons are required to comply with sanctions regulations.

SEC

SEC has brought enforcement actions alleging that certain NFT collectibles constituted securities. In 2024, SEC commenced an investigation against OpenSea for the unregistered sale of securities which was dropped in 2025. It remains unclear how much SEC will continue these efforts or how courts would respond if challenged.

Separately, buyers of NFTs have brought private civil actions asserting claims under federal securities laws. Although early court decisions found that plaintiffs plausibly alleged NFT collectibles constituted securities, at least one court recently dismissed a lawsuit against an NFT collectible seller that controlled neither the underlying blockchain nor any marketplace.

Stablecoins have generally been regulated similarly to other cryptocurrencies. Centralised issuers and trading platforms are required to register with state and federal regulators as money transmitters, while the decentralised sale and trading of stablecoins remains in a relative regulatory grey area.

Additionally, in July 2025 the GENIUS Act was signed into law. The Act establishes a comprehensive legal framework for the issuance and regulation of “payment stablecoins” – defined as a digital asset:

• that is, or is designed to be, used as a means of payment or settlement; and
• the issuer of which:
1. is obligated to convert, redeem, or repurchase for a fixed amount of monetary value, not including a digital asset denominated in a fixed amount of monetary value; and
2. represents that such issuer will maintain, or create the reasonable expectation that it will maintain, a stable value relative to the value of a fixed amount of monetary value.

The Act also defines what entities may issue a payment stablecoin and sets various requirements for such issuers. The Act provides a three-year transition period, after which compliance is required before digital asset service providers may sell payment stablecoins to persons in the USA.

Open banking allows third-party developers to access financial data in traditional banking systems through APIs mandating standardised data formats and secure communication protocols. The APIs facilitate the secure exchange of financial information between banks and authorised fintechs – effectively decentralising financial services.

In 2025, banking trade groups sued CFPB immediately after its release of the “Personal Financial Data Rights” rule, also known as the “Open Banking” rule, to curtail screen scraping. The rule would have:

• enabled consumers to access and share their personal financial data with third-party providers securely and without charge;
• enabled covered entities – eg, financial institutions, credit card issuers, and digital wallet providers – to provide consumers and authorised third parties with access to specified consumer financial data upon request; and
• established privacy and security protections, limiting third parties’ use of the data they receive to the purposes expressly authorised by the consumer. 

A federal court issued preliminary relief delaying the rule’s effective/compliance dates while the case proceeds.

Under the Trump administration, CFPB repealed the rulemaking and, in August 2025, issued an Advance Notice of Proposed Rulemaking soliciting comments on a new open banking rule. CFPB listed four areas for comment:

• who may serve as a consumer “representative”;
• approaches to fee assessment to defray a covered entity’s costs in responding to a customer request;
• the threat and cost-benefit pictures for data security associated with Dodd-Frank compliance; and
• data privacy issues associated such compliance.

CFPB indicated its intent to issue an interim final rule, but has not yet done so.

As part of permitting access to the accounts and data of banking customers, financial institutions, fintechs, and third-party data aggregation platforms providing open banking services enter into contracts to address the risks and responsibilities associated with data security and privacy. Covered issues include:

• technical processes and requirements to access accounts, data and services;
• scope of access;
• authenticating account holders;
• elimination or restriction of “screen scraping” by data aggregators;
• data transmission, accuracy and protection;
• distribution of risk for loss and damages;
• “pass through” terms for account holders and third parties;
• delivering notices and disclosures to account holders;
• record retention requirements; and
• security reviews and audits.

Generally, claimants may demonstrate fraud if they establish:

• a material false statement;
• knowledge that the statement was false when it was made;
• reliance on the false statement by the victim; and
• damages resulting from the victim’s reliance on the false statement.

In certain circumstances, an omission of a material fact may also support a fraud claim.

Key areas of concern currently are frauds that impact consumers, enable money laundering, or jeopardise market integrity. Examples include account takeovers, synthetic identities, and identity theft, including AI-enhanced fraud such as deepfakes. Fraud detection remains a growing concern for fintechs, and the allocation of liability in cases of third-party fraud against consumers and/or their financial institutions is an area of concern.

Although federal regulatory oversight has shrunk significantly in the past year, recent regulatory focus includes oversight of the systems that help fintechs mitigate and reduce fraud – eg, transaction monitoring and customer due diligence in AML programmes, sanctions violations, and third-party risk management.

Fintech service providers may be held liable for customer losses. For example, if a provider fails to deliver services as agreed or does not meet the performance standards in their contract, it may be responsible for financial losses and other contractual damages.

Additionally, failure to comply with obligations under applicable financial regulations, such as data protection laws, can result in compensation for damages such as identity theft due to data breaches. Engaging in deceptive practices, such as false advertising or UDAAP can lead to refunds and compensation for financial losses.

Further, fintech providers may be held accountable under federal or state law and by contract for losses resulting from fraud and security breaches. If their platform is compromised, leading to unauthorised transactions or account takeovers, they may need to reimburse customers for losses and costs like legal fees, particularly if they employed inadequate security measures. Finally, fintechs may be liable for negligence if they fail to exercise due care in providing services and their failure results in customer losses.