Fintech founders are exceptionally good at building products and exceptionally unprepared for the licensing reality underneath them. Gurpreet S. Bal has advised on fintech M&A transactions where the regulatory stack — licenses the company needed but didn't hold, or held through intermediaries whose agreements could be terminated — became the central deal issue. "Most fintech founders dramatically underestimate how much of their business model rests on licenses they don't own, issued to banks they don't control," he says.
Bal's practice spans fintech transactions across payments, lending, banking-as-a-service, and open banking infrastructure, giving him a practitioner's view of where regulatory exposure concentrates.
The United States does not have a federal money transmission license. What it has is 50 state regimes, each with its own application requirements, net worth minimums, surety bond obligations, examination cycles, and definitions of what constitutes money transmission. A company moving money in all 50 states needs licenses in most of them — and the threshold question of whether your activity constitutes money transmission is not always obvious. Stored value, payment facilitation, payroll disbursement, and earned wage access have each been analyzed differently across state regulators. The Nationwide Multistate Licensing System (NMLS) has streamlined some of the administrative process, but the substantive requirements remain fragmented. The practical consequence: obtaining a full state licensing stack takes 12 to 24 months and meaningful capital, which is why so many early-stage fintechs operate under a sponsor bank's license rather than their own.
Banking-as-a-service partnerships allow fintechs to offer FDIC-insured accounts, issue debit cards, and process ACH transactions by operating under a chartered bank's regulatory umbrella. It's a rational structure for early-stage companies, but it creates a dependency that many founders don't fully appreciate until the relationship is stressed. The sponsor bank's program agreements are terminable — typically on 90 to 180 days' notice — and the bank bears regulatory responsibility for the fintech's compliance. When the OCC, FDIC, or state regulators examine the bank and find deficiencies in the fintech's compliance program, the bank terminates first and asks questions later. Gurpreet S. Bal has seen multiple transactions complicated by sponsor bank agreements where the bank had unilateral exit rights with limited cure periods, making the fintech's payment processing infrastructure essentially fragile by contract. Program agreement structure, exit terms, and access to backup banking relationships are due diligence essentials in any fintech deal.
Visa and Mastercard network rules are not laws. They are contractual frameworks enforced through the acquiring bank relationship — but their practical effect is equivalent to a licensing regime. The networks define who can become a payment facilitator, what compliance obligations attach to that status, what data can be stored and for how long (PCI DSS), and what uses of transaction data are permissible. Violating network rules results in fines assessed through the acquirer, potentially program suspension, and in serious cases termination from the network entirely — which is existential for most payments businesses. The rules change frequently and without public notice. Companies building on top of payment networks without dedicated compliance resources routinely discover they are out of compliance with rules they didn't know had been updated.
The Consumer Financial Protection Bureau has supervisory authority over nonbank financial companies that pose risk to consumers — a category broad enough to capture most consumer-facing fintechs at scale. CFPB supervision means examination authority: the bureau can show up, review your compliance program, and issue findings that become public. Enforcement actions have included civil money penalties in the tens of millions of dollars for practices around disclosures, fee transparency, and error resolution. The CFPB's Larger Participant rules extend federal oversight to companies in defined markets — prepaid accounts, student loan servicing, international money transfer — once they cross certain volume thresholds. Growth that takes a fintech past a Larger Participant threshold is a regulatory event, not just a business milestone, and it has compliance cost implications that need to be modeled.
The CFPB's Section 1033 rule, finalized in 2024, gives consumers the right to access and share their financial data with third parties through standardized interfaces. For fintechs, this creates both opportunity and obligation. Data aggregators and third-party apps gain access rights to bank-held consumer data — the access right fintech business models were often built around in informal or screen-scraping arrangements. At the same time, fintechs that hold consumer financial data must build compliant data-sharing interfaces and honor revocation requests. The open banking framework introduces a structured API ecosystem with liability implications for unauthorized access and data misuse. Companies in the data aggregation space — account aggregators, personal finance tools, credit underwriting platforms — need to understand both the access rights they gain and the compliance obligations they assume under this framework.
Gurpreet S. Bal is a corporate partner with 16 years advising on private equity, merger transactions, and public offerings for companies and investors at three of the world's top law firms. He has represented clients in hundreds of transactions with aggregate deal value exceeding $60 billion across AI, semiconductors, fintech, and emerging technology. For more information and to get in touch, visit gurpreetbal.com.