New York’s Algorithmic Turn: AI Accountability, Charter Strategy and Embedded Finance in 2026

Introduction: federal reset, state assertiveness

The regulatory landscape entering 2026 reflects a divergence between federal and state initiatives.

One year into the current Trump administration, federal policy has prioritised innovation and deregulation – specifically encouraging artificial intelligence (AI) technology development and digital asset growth. In December 2025, the administration issued an Executive Order directing federal agencies to evaluate state AI laws and prepare legislative recommendations for federal preemption of state AI regulations deemed inconsistent with national innovation policy. As for banking and financial services regulation, enforcement intensity has significantly diminished, although the underlying statutes remain in force.

New York, by contrast, has not moderated its regulatory assertiveness. In November 2025, the state enacted the first-of-its-kind Algorithmic Pricing Disclosure Act (NY Disclosure Act). This development, together with ongoing supervisory signals from the New York State Department of Financial Services (NYDFS), demonstrates its willingness to address emerging technology risks through targeted regulation and enforcement rather than waiting for federal action. This state-level assertiveness creates compliance obligations that extend beyond federal requirements, particularly for companies deploying consumer-facing AI systems.

For fintech companies operating in or through New York, 2026 presents a question: how should AI strategy, regulatory strategy and embedded finance architecture align in an environment where federal innovation policy and state-level requirements may not align?

The Algorithmic Pricing Disclosure Act

The NY Disclosure Act requires that where a price is set by an algorithm using a consumer’s personal data, the entity must provide a clear disclosure:

“THIS PRICE WAS SET BY AN ALGORITHM USING YOUR PERSONAL DATA”.

The NY Disclosure Act applies to entities domiciled or doing business in New York state and offering goods or services for personal, family or household purposes. It exempts:

• financial institutions subject to the Gramm–Leach–Bliley Act (GLBA);
• entities regulated under New York’s insurance law; and
• certain subscription-based discount arrangements.

The statute does not mandate bias testing, algorithmic audits or governance documentation. It is narrowly focused on consumer transparency.

Many fintech companies operate in or through New York, offering banking or payments services powered by sponsor bank partnerships and embedded finance structures. These arrangements have become foundational to modern fintech business models, enabling technology companies to offer financial products without obtaining direct charters or licensing. In these models, institutional responsibilities are distributed across multiple entities, creating nuanced questions about regulatory accountability:

• A bank holds the charter and issues cards or books loans.
• A fintech partner designs the product experience.
• Pricing logic may reside in fintech controlled infrastructure.
• Data flows across institutional boundaries.

Where a bank qualifies as a GLBA financial institution, it falls within NY Disclosure Act’s exemption. However, a fintech that partners with the exempted bank may not. This creates a potential divergence between the exempted entity and the entity that controls pricing.

Regulatory obligations often attach to the entity controlling the consumer interface, not merely to the underlying regulated institution. State banking regulators have already established this principle in the banking-as-a-service context: unchartered fintech platforms offering banking products through partner banks have been required by various state regulators to display conspicuous disclaimers stating that the platform is a “fintech, not a bank”, even though the underlying banking services are provided by FDIC-insured partner banks. This enforcement pattern demonstrates that consumer-facing entities bear independent compliance obligations regardless of whether a chartered institution stands behind the product. A similar logic applies to algorithmic pricing disclosures. When pricing decisions flow through distributed technical systems spanning multiple legal entities, the exemption is not automatic. Contractual arrangements between fintech and bank partners do not automatically extinguish regulatory duties that attach to the party controlling the consumer interface or pricing.

Disclosure analysis in three models

• Bank-Controlled Pricing: The bank owns and operates the pricing engine. The fintech provides marketing and servicing functions. In this structure, the GLBA exemption likely applies.
• Fintech-Developed Algorithm With Bank Oversight: The fintech designs and operates the pricing model. The bank approves parameters and guardrails but does not control real-time outputs. In functional terms, the fintech may be setting the price, and a disclosure may be required.
• Marketplace and Aggregator Platforms: A fintech that personalises which bank offers or rates are displayed to a consumer may fall directly within the NY Disclosure Act, even if underlying banks are exempt.

The legal question of who sets a price depends on various factors: whose infrastructure hosts the pricing model, whose data feeds the algorithm, whose personnel modify parameters, and whose brand the consumer sees. Compliance architecture must therefore be designed alongside technological architecture from the outset. Legal teams should monitor enforcement actions and case law to track evolving regulatory standards on pricing authority attribution and exemption applicability in embedded finance arrangements.

CFPB and federal AI enforcement under Trump

The federal enforcement landscape for AI-driven financial systems has become increasingly uncertain. While the Consumer Financial Protection Bureau (CFPB) historically asserted that existing consumer financial statutes fully apply to AI-driven systems, the current administration’s deregulatory posture and ongoing congressional efforts to limit the CFPB raise questions about future enforcement priorities.

The administration has signalled limited appetite for new AI-specific rules or aggressive enforcement, save where centralisation of regulatory supervision at the federal level is necessary to effect pre-emption of state law. Congressional efforts continue to advocate for curtailing the Bureau’s authority, with some calling for its elimination. While statutory obligations remain on the books, the likelihood and intensity of federal enforcement are unclear, requiring companies to balance compliance investment against uncertain enforcement priorities.

For fintech companies, this creates regulatory uncertainty at the federal level even as state requirements become more defined. The question is no longer simply dual compliance but strategic risk assessment: how to balance investment in federal compliance frameworks when enforcement priorities remain unclear against the certainty of state-level obligations.

Charter strategy and competitive federalism

Fintech regulatory planning requires strategic decisions about whether to pursue a charter, obtain a licence, or partner with a licensed entity – choices that fundamentally shape compliance obligations and operational flexibility.

The Guiding and Establishing National Innovation for U.S. Stablecoins Act (GENIUS Act) framework, enacted in July 2025, establishes three distinct pathways for lawful stablecoin issuance in the United States: subsidiaries of insured depository institutions, federal qualified payment stablecoin issuers chartered by the OCC, and state qualified payment stablecoin issuers. The third pathway is particularly significant. Under Section 7 of the GENIUS Act, a state qualified payment stablecoin issuer is defined as an entity legally established under state law – including state trust companies – and approved by a certified state payment stablecoin regulator. This framework enables state trust charters, subject to state banking department oversight, to issue payment stablecoins without converting to a federal charter, provided the state regulatory regime is certified by the Stablecoin Certification Review Committee as meeting or exceeding federal standards.

This dual-track structure reflects a federal philosophy favouring state dynamism and regulatory experimentation rather than federal pre-emption. Yet this approach stands in tension with the administration’s posture on AI regulation. While the GENIUS Act encourages states to serve as laboratories for digital asset innovation, the December 2025 AI Executive Order directs federal agencies to prepare legislative recommendations for pre-empting state AI laws deemed inconsistent with national innovation policy. The result is regulatory uncertainty: in stablecoin regulation, states are invited to participate; in AI regulation, state requirements that exceed or diverge from federal priorities may be overridden.

Notwithstanding, New York’s regulatory ecosystem, including trust company charters under Banking Law Article III, money transmitter licensing under Article XIII-B, and digital asset supervision under the BitLicense framework, positions New York as a candidate for GENIUS Act certification. The NYDFS has established precedent for state-level oversight of digital asset custody and payment systems through trust company charters, creating institutional pathways through which entities may seek qualification as state payment stablecoin issuers.

Tying this back to the NY Disclosure Act – chartered stablecoin issuers under New York trust company frameworks would, in most instances, qualify as GLBA financial institutions and therefore fall within the NY Disclosure Act’s exemption. Yet where these chartered entities engage in consumer-facing activities beyond core payment stablecoin functions, or where they partner with non-exempt companies in embedded finance arrangements, the NY Disclosure Act may become relevant if embedded finance models distribute pricing authority beyond the chartered entity.

NYDFS supervisory signals

The NY Disclosure Act is part of a broader regulatory pattern in New York.

In October 2025, NYDFS issued an industry letter clarifying that under 23 NYCRR Part 500, Covered Entities must maintain risk-based cybersecurity programmes and are prohibited from delegating compliance responsibility to third parties. Part 500 applies broadly to entities operating under or required to operate under any licence, registration, charter, certificate, permit, accreditation or similar authorisation under New York’s Banking Law, Insurance Law or Financial Services Law. This includes chartered trust companies, money transmitters, and BitLicense holders – categories central to fintech operations in and through New York. Entities engaged in embedded finance partnerships with such regulated entities may also face indirect scrutiny through vendor management and third-party oversight obligations imposed on the Covered Entity itself.

In Insurance Circular No 7, NYDFS issued guidance concerning the use of AI and predictive models in insurance underwriting. Although sector-specific, the guidance emphasises the importance of governance, testing and board oversight.

The regulatory message is consistent: technological innovation does not reduce institutional responsibility. The use of complex algorithmic systems increases governance expectations. Boards and senior management cannot delegate accountability to data scientists or technology vendors. Effective governance requires decision-makers to understand how systems operate, what data they use, how outputs are validated, and what risks they present – regardless of whether the technology is developed in-house or procured from third parties.

Conclusion: governance for 2026

Fintech companies operating in New York face varying but often overlapping compliance obligations depending on their business models, charter structures, and operational arrangements. Those deploying AI models using consumer personal data, pursuing or operating under state or federal charters or licences, or operating within embedded finance or partnership architectures, should consider structured internal reviews addressing the specific regulatory intersections relevant to their activities. Not all companies will confront each dimension discussed in this chapter: a non-exempt fintech using personalised algorithmic pricing may face transparency obligations under the NY Disclosure Act that do not apply to a GLBA-exempt trust company; a state trust or bank will encounter prudential third-party management and oversight questions not applicable to a fintech platform it may interface with. Where these issues arise, reviews should involve cross-functional teams including legal, compliance, technology, product and risk management. Key assessment areas, to the extent applicable to the company’s operations, might include:

• inventory of AI deployment;
• documentation of personal data inputs;
• allocation of pricing authority in partnership agreements;
• analysis of exemption applicability; or
• board-level oversight of AI deployment.

New York’s regulatory trajectory in 2026 reflects a wager: that transparency, accountability and governance discipline create a sustainable competitive advantage rather than counterproductive friction. For fintech companies, the question is how to strategically position within it. In an environment where federal pre-emption remains uncertain and state consumer protection laws continue to rise, the jury is still out on whether New York’s legislative and enforcement approach ultimately fosters or constrains innovation and business growth.