
United States Compliance Framework

Fintech, payments, and banking regulatory requirements for the US market.

Last Updated: March 2026

Regulatory Architecture

The United States operates the world's largest financial services regulatory framework, built on a dual federal-state model with overlapping authority across multiple agencies and 50+ state regulators.

The US has no single federal fintech regulator. Companies face a patchwork of federal agencies (OCC, Federal Reserve, FDIC, CFPB, FinCEN, SEC, FTC) and individual state regulators.

Federal Regulators

The following federal agencies have primary authority over fintech, payments, and banking activities:

  • OCC: Charters, regulates, and supervises national banks. Issued a Special Purpose National Bank Charter for fintech companies on July 31, 2018; adoption has been limited by litigation.
  • Federal Reserve: Supervises bank holding companies and runs payment infrastructure including Fedwire, FedACH, and FedNow (launched July 2023).
  • FDIC: Insures deposits up to USD 250,000 per depositor, per insured bank, per ownership category, and is the primary federal supervisor of state-chartered banks that are not Federal Reserve members.
  • CFPB: Rulemaking and enforcement authority over consumer financial products under Dodd-Frank.
  • FinCEN: Administers Bank Secrecy Act and AML requirements for financial institutions.
  • SEC: Regulates securities markets, investment advisers, broker-dealers, and digital assets that qualify as securities.
  • FTC: Enforces consumer protection laws including the GLBA Safeguards Rule for nonbank financial institutions.

State Regulators

Every US state maintains its own financial regulatory authority. Core state-level regimes include money transmitter licensing (required in 49 states + DC), consumer lending requirements, state privacy laws, and cryptocurrency frameworks such as New York's BitLicense.

PCI DSS Compliance

Status: Current Settled Standard

The Payment Card Industry Data Security Standard (PCI DSS) applies to any entity that stores, processes, or transmits cardholder data, and to entities whose systems could affect the security of the cardholder data environment. PCI DSS v4.0.1 (published June 2024) is the current version; its future-dated requirements became mandatory on March 31, 2025. The standard organizes controls into 12 requirements under 6 control objectives.

Using Stripe or another PCI-validated processor does not exempt a merchant from PCI DSS. A processor's Level 1 service provider validation covers the processor's environment and can shrink the merchant's assessment scope, but the merchant remains responsible for its own environment, its integration, and an annual attestation.

PCI DSS v4.0.1 Core Requirements

Control Objective                        | Requirements
-----------------------------------------|-------------------------------------------------------------------
Build and Maintain a Secure Network      | Req 1: Network security controls. Req 2: Secure configurations.
Protect Account Data                     | Req 3: Protect stored account data. Req 4: Strong cryptography for transmission over open, public networks.
Vulnerability Management                 | Req 5: Protection against malicious software. Req 6: Secure systems and software.
Strong Access Control                    | Req 7: Need-to-know access. Req 8: User identification and authentication. Req 9: Physical access.
Monitor and Test Networks                | Req 10: Log and monitor all access. Req 11: Regular security testing.
Information Security Policy              | Req 12: Organizational policies and programs.

Source: PCI SSC, PCI DSS v4.0.1 (published June 2024; future-dated requirements mandatory March 31, 2025).

Merchants are classified into four levels by annual transaction volume (thresholds are set by each card brand and vary slightly). Level 1 (more than 6M transactions per year) requires an annual onsite assessment by a Qualified Security Assessor (or a certified Internal Security Assessor) producing a Report on Compliance, while Levels 2-4 may self-assess using a Self-Assessment Questionnaire (SAQ). Platforms that use Stripe Elements or Checkout, so that card data is entered into processor-hosted fields and never touches the merchant's servers, typically align with SAQ A. That alignment holds only if no cardholder data actually reaches merchant systems; a debug log or error report that captures a raw card number pulls those systems back into scope.
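A practical check for keeping SAQ A scope honest is to scan logs and error reports for primary account numbers (PANs) that should never appear there. The following is an added example, not code from the page, Stripe, or the PCI SSC: it finds 13-19 digit runs, confirms them with the Luhn check defined in ISO/IEC 7812 (which filters out order numbers and other random digit strings), and masks confirmed PANs to BIN plus last four, the most that PCI DSS Req 3.4 allows to be displayed. The log lines are constructed for the example; the Stripe test numbers 4111... and 4242... are public test values.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run. Assumption: the log encodes digits as ASCII.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used for card numbers."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid PANs in text, normalized to digits only."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Mask each Luhn-valid PAN to first six + last four (PCI DSS Req 3.4 display limit)."""
    def _mask(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # not a card number; leave untouched
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return _CANDIDATE.sub(_mask, text)


def scan(log_text: str) -> List[Tuple[int, List[str]]]:
    """Return (line number, PANs) for every log line that leaks a card number."""
    return [(n, pans) for n, line in enumerate(log_text.splitlines(), 1)
            if (pans := find_pans(line))]


# Constructed sample log. Line 1 is clean (a tokenized card plus a 16-digit order id
# that fails Luhn); lines 2 and 3 leak full PANs and would pull the host into scope.
SAMPLE_LOGS = """\
2026-03-01T12:30:45Z INFO checkout order=1234567890123456 token=tok_visa amount=4999
2026-03-01T12:30:46Z DEBUG raw_form card=4111 1111 1111 1111 exp=12/28 cvc=123
2026-03-01T12:30:47Z ERROR gateway declined pan=4242-4242-4242-4242 reason=insufficient_funds
"""

if __name__ == "__main__":
    for line_no, pans in scan(SAMPLE_LOGS):
        print(f"line {line_no}: {len(pans)} PAN(s) leaked")
    print(redact(SAMPLE_LOGS))
```

Run it against real application logs before an SAQ A attestation; any hit means either the integration posts card data to your own backend or a logging layer captures request bodies it should not. The Luhn filter removes most false positives, but a redaction pass in the logging pipeline is still the control to deploy, since detection after the fact does not remove the data from scope.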

Bank Secrecy Act (BSA) and Anti-Money Laundering

Status: Current Law (Corporate Transparency Act beneficial ownership reporting under revision)

The BSA, as amended by the USA PATRIOT Act and the Anti-Money Laundering Act of 2020, requires covered institutions to implement risk-based AML programs, file Suspicious Activity Reports (SARs), file Currency Transaction Reports (CTRs) for cash transactions of more than USD 10,000, and register with FinCEN as Money Services Businesses (MSBs) where applicable.

Watchlist: Under Active Reconsideration
FinCEN's March 26, 2025 interim final rule removed the Corporate Transparency Act beneficial ownership information (BOI) reporting requirement for US companies and US persons, narrowing it to certain foreign entities registered to do business in the United States.

Source: FinCEN Interim Final Rule, 90 FR 15822 (March 26, 2025).

OFAC Sanctions

All US persons, and foreign parties whose transactions have a US nexus, must screen counterparties and transactions against OFAC's Specially Designated Nationals (SDN) list and the other OFAC sanctions lists that apply to their business. OFAC applies strict liability, so intent is not required for a violation. The maximum civil penalty per violation under IEEPA is adjusted annually for inflation; it stood at USD 368,136 at the 2024 adjustment.

Consumer Protection

Truth in Lending (TILA / Regulation Z)

Requires clear disclosure of credit terms, including APR, finance charges, and total payments.

Watchlist: Under Active Reconsideration
CFPB withdrew the 2024 BNPL interpretive rule on May 12, 2025. Federal regulatory treatment for BNPL remains unsettled.

Source: CFPB withdrawal (May 12, 2025).

Equal Credit Opportunity (ECOA / Regulation B)

Prohibits discrimination in any aspect of a credit transaction on a prohibited basis (race, sex, age, and others). AI/ML underwriting models can violate ECOA through disparate impact even when no prohibited characteristic is an input, because proxies in the training data can produce the same effect. Adverse action notices must state the specific, principal reasons for the denial; "the model scored you low" is not an acceptable reason.

Fair Credit Reporting Act (FCRA)

Regulates collection and use of consumer credit information. Requires permissible purpose, accuracy controls, and adverse action notice obligations.

GLBA / Safeguards Rule

Requires covered financial institutions to protect customer data. The amended FTC Safeguards Rule (most provisions effective June 9, 2023) requires a written risk assessment, encryption of customer information in transit and at rest, MFA for anyone accessing customer information, annual penetration testing and semi-annual vulnerability assessments, and a written incident response plan for nonbank financial institutions. A further amendment, effective May 13, 2024, requires notifying the FTC within 30 days of discovering a breach affecting 500 or more consumers.

Status: Current Settled Law
GLBA applicability depends on whether an entity qualifies as a financial institution under the rule. This is a threshold legal classification issue tied to the specific business model.

UDAAP

CFPB may enforce against unfair, deceptive, or abusive acts/practices. This includes misleading marketing, hidden fees, and deceptive claims. UDAAP risk controls should be integrated into product design and disclosures.

Data Privacy

Federal Framework

The US has no comprehensive federal privacy law. Financial data privacy is governed by sector statutes: GLBA (financial), FCRA (credit), HIPAA (health), and FTC Act authorities.

State Privacy Laws

By the end of 2024, 20 states had enacted comprehensive consumer privacy laws (19 if Florida's narrowly scoped Digital Bill of Rights is excluded): California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Florida, Indiana, Tennessee, Iowa, New Hampshire, New Jersey, Maryland, Minnesota, Nebraska, Kentucky, and Rhode Island.

Thresholds, rights, and enforcement vary by state, requiring jurisdiction-by-jurisdiction review.

Open Banking (Rule 1033)

Watchlist: Finalized but Under Reconsideration

CFPB finalized the Personal Financial Data Rights rule (Section 1033 of Dodd-Frank) in October 2024, establishing rights for consumers to access and share their personal financial data with authorized third parties, and imposing data security and use limits on those third parties.

CFPB opened reconsideration in August 2025 and announced plans to extend compliance dates. The original phased timeline (April 2026 for the largest data providers through April 2030 for the smallest) should not be treated as fixed.

Source: CFPB Final Rule (October 2024), reconsideration notice (August 2025).

Money Transmission & Licensing

Money transmitters must register with FinCEN as MSBs and obtain licenses in 49 states plus DC (Montana has no money transmitter licensing statute). Requirements typically include surety bonds (USD 25K to USD 2M+ depending on the state and volume), minimum net worth, background checks on principals, a BSA/AML program, and periodic examinations.

Status: Current Settled Law
MSB status depends on whether a business receives, transmits, or holds customer funds. A pure analysis platform with no fund custody generally does not meet MSB definition.

Digital Assets & Cryptocurrency

Watchlist: Fragmented; Legislation Pending

SEC, CFTC, and FinCEN each assert jurisdiction over different parts of the digital asset stack. Key state frameworks include New York's BitLicense (23 NYCRR 200), Wyoming's digital asset framework, and California's Digital Financial Assets Law (licensure date extended to July 1, 2026 per DFPI).

FIT21 passed the US House in May 2024 and remained pending in the Senate as of March 2026.

Source: California DFPI; US House records (congress.gov).

Cybersecurity Requirements

  • NYDFS 23 NYCRR Part 500 (amended November 2023): CISO designation, annual risk assessments, MFA for remote and privileged access, encryption of nonpublic information, 72-hour notification of cybersecurity incidents, 24-hour notification of extortion payments, and annual certification of compliance signed by the CISO and the highest-ranking executive, for NYDFS-regulated entities.
  • FTC Safeguards Rule (most provisions effective June 2023): Written risk assessment, specific controls (encryption, MFA, secure development practices), annual penetration testing and semi-annual vulnerability assessments, a written incident response plan, and at least annual written reporting to the board, for covered nonbank financial institutions.
  • OCC, Federal Reserve, and FDIC Computer-Security Incident Notification Rule (compliance date May 1, 2022): Requires banking organizations to notify their primary federal regulator as soon as possible and no later than 36 hours after determining that a notification incident has occurred; bank service providers must notify affected banking organization customers as soon as possible of incidents that disrupt covered services for four or more hours.