Embedded Finance’s Next Chapter: Growth, Regulation, and Accountability

Embedded finance is the integration of financial services (payments, lending, banking, insurance, etc.) directly into a non-financial platform or user experience. Beyond payments, platforms can embed:

  • Lending (loans, BNPL, cash advances)
  • Banking (accounts, wallets, debit cards)
  • Insurance (coverage at point of sale)
  • Investments (trading, savings tools)

I. Introduction — The Infrastructure Beneath the Interface

Framing: Embedded finance is the invisible layer powering millions of daily transactions — the lending widget inside a Shopify dashboard, the insurance upsell in a rideshare app, the payroll advance in an HR platform. But as the sector matures from novelty to infrastructure, regulators are no longer willing to let the compliance obligations remain as invisible as the technology itself.

Key facts:

  • The global embedded finance market is expected to grow from $115.8 billion in 2024 to $251.5 billion by 2029, at a CAGR of 16.8%. A 2025 Deloitte report estimates that embedded finance could contribute nearly 10% of global financial transactions by 2030. Evolute
  • The global BaaS (Banking as a Service) market is projected to grow from $29.5 billion in 2024 to $74.8 billion by 2030, at a CAGR of 16.8%. Nearly 36% of all neobanks globally now operate on BaaS backends. Evolute
  • Two events defined the embedded finance compliance conversation entering 2025: the collapse of Synapse in the United States and the securing of a UK banking license by Revolut — together symbolizing the tension between rapid innovation and the regulatory oversight required to maintain a stable financial ecosystem. Weavr

II. Understanding the Embedded Finance Stack — Who Is Responsible for What?

Before getting into jurisdiction-specific regulation, it’s worth establishing the three-layer accountability structure at the heart of every embedded finance arrangement. This is where compliance disputes — and enforcement actions — originate.

  • The platform (e.g., an e-commerce site, HR software, gig economy app) — distributes the product and owns the customer relationship.
  • The BaaS/middleware provider — handles API connectivity, ledgering, and routing between platform and bank.
  • The sponsor/licensed bank — holds the charter, absorbs the regulatory obligation, and is ultimately accountable for consumer funds.

In today’s traditional paradigm, fintechs are often viewed as third-party technology partners and are therefore not directly regulated. Moving forward, banks engaging in fintech partnerships will need to strengthen investment and oversight in assessing their partners’ operational risk, while fintechs seeking bank partnerships must also demonstrate quality and compliance maturity. Treasuryprime

Operating at the intersection of finance and technology invites significant regulatory complexity. Embedded finance must comply with lending laws, payments regulations, KYC/AML rules, and data privacy requirements — and these obligations multiply when platforms operate across multiple jurisdictions. FinTechtris

III. The Synapse Collapse — A Case Study That Changed Everything

No discussion of embedded finance compliance is complete without this. Synapse is the industry’s cautionary tale and the single event most responsible for accelerating regulatory action in 2024–2025.

What happened:

  • When Synapse Financial Technologies collapsed in April 2024, more than 100,000 people lost access to over $265 million held across several fintech platforms. By May, partner banks were unable to retrieve accurate customer balance records, making it extremely difficult to process withdrawals. Yalejournal
  • Synapse’s collapse was triggered by disputes with key partner banks and major fintech clients, operational breakdowns, and a mismatch between internal ledgers and bank-held funds. The failure to reconcile end-user funds left tens of thousands stranded without access. Yalejournal
  • At the center of the controversy was the management of “For the Benefit Of” (FBO) accounts — pooled accounts controlled by fintech intermediaries that lacked the transparency and safeguards individual account holders might expect. BobsGuide

The regulatory response:

  • The Synapse collapse marked a critical tipping point, sparking regulatory efforts to protect end customer funds. It exposed the crucial importance of transaction visibility among all parties, as data-sharing and recordkeeping gaps between Synapse and sponsor bank Evolve left millions of dollars of customer funds unaccounted for. Treasuryprime
  • The FDIC’s proposed “Synapse rule” in October 2024 addresses these risks by requiring banks to maintain accurate recordkeeping of beneficial owners in custodial accounts, without extending deposit insurance coverage to middleware providers. Yalejournal

The compliance lesson:

  • Ledgering issues, bank partner and regulatory lapses, and gross mismanagement led to a shortfall of up to $95 million between bank-held funds and amounts owed to fintech end users. Fintechs need leadership with deep risk management and bank supervision expertise, regular training programs, and interdisciplinary compliance teams. Banking Dive

IV. Geographic Regulatory Landscape

A. United States — Escalating Enforcement, Shifting Politics

The US presents the most complex regulatory picture: a multi-agency framework, escalating enforcement through 2024, and a significant policy pivot under the Trump administration in 2025.

The multi-agency problem: The OCC supervises national banks’ digital asset activities and collaborations with fintechs. The FDIC covers insured depository institutions and partnerships with fintechs. FinCEN regulates money transmission and AML/KYC compliance. State-level licensing laws for lending and money transmission add another layer. Chambers and Partners

The enforcement surge (2024):

  • Since the beginning of 2024, more than a quarter (25.6%) of the FDIC’s formal enforcement actions have been directed at sponsor banks in embedded finance partnerships. More than 1 in 5 OCC enforcement actions have similarly targeted sponsor banks in embedded finance. Alloy
  • 75% of sponsor banks say they lost $100,000 or more to compliance violations in their embedded finance partnerships. And 80% of sponsor banks report difficulty meeting compliance requirements — stemming from the need to monitor multiple fintech partners across various jurisdictions. Alloy
  • 29% of sponsor banks are considering shutting down or scaling back their embedded finance programs due to compliance pressure. Alloy

Key enforcement actions:

  • Blue Ridge Bank (January 2024): The OCC entered a consent order alleging that Blue Ridge’s BSA/AML program experienced “systemic internal controls breakdowns.” The order directed the bank to implement a written program to effectively assess and manage risks posed by third-party relationships, including fintech partners. Fenwick
  • Evolve Bank & Trust (June 2024): The Federal Reserve Board issued a cease-and-desist order against Evolve Bank specifically related to its dealings with fintech partners, noting that the bank had “pursued a business strategy that primarily involves offering deposit accounts and payment processing services to fintech partners that, in turn, offer various financial products and services to end-user customers.” Fenwick

The 2024 regulatory guidance trifecta: Of particular relevance were the Joint Statement on Banks’ Arrangements with Third Parties (July 2024), the Request for Information on Bank-Fintech Arrangements (July 2024), and the Proposed Recordkeeping Requirements for Custodial Accounts (October 2024). The guidance makes clear that banks cannot outsource their legal obligations — BSA or otherwise — to third parties. Fenwick

The 2025 shift:

  • In June and July 2025, the OCC released public statements signaling support for bank-fintech partnerships while highlighting associated risks. Acting Comptroller Hood’s priorities include embracing bank-fintech partnerships, expanding bank activities involving digital assets, and reducing regulatory burden. Baas
  • Prior to the change in administration, bank partnerships were subject to increased scrutiny from both federal and state regulators in parallel with an increase in enforcement actions in 2024. This is expected to change given the objectives of the new administration. Chambers and Partners

Open banking — still catching up: The US lacks a formal open banking mandate comparable to the UK’s. The CFPB’s Personal Financial Data Rights Rule (Section 1033), implemented in October 2024, requires phased compliance from 2026–2030 for banks with assets exceeding $850 million — but enforcement is uncertain given the CFPB’s operational disruption in early 2025.

B. Canada — Federal-Provincial Tension, Watching the World

Canada’s embedded finance regulatory environment mirrors its broader financial services structure: federal oversight for chartered institutions, provincial authority for most consumer-facing products, and a growing recognition that the current patchwork isn’t fit for purpose.

  • In June 2024, the federal government passed the Consumer-Driven Banking Act, which addresses elements of governance, scope, and process. The more substantive aspects of this framework — liability and privacy — are expected to follow in subsequent legislation. This establishes an independent “parallel” consumer-driven banking regulator within the FCAC structure. Torys LLP
  • Canada’s open banking framework, while legislated, remains largely aspirational. The FCAC is working closely with the Department of Finance on consumer protection standards that would form the core of an open banking regime.
  • Regulatory trends in the U.S., Europe, and other international markets are influencing Canada to address similar risks, ensuring that Canadian practices align with global standards, with local regulators taking proactive steps to tackle concerns about consumers overextending their finances. Lexpert
  • Canada currently operates under a patchwork of relevant laws found under banking, consumer protection, and privacy regimes. A comprehensive or streamlined system of rules has yet to emerge to replace this patchwork. Miller Thomson

Provincial complexity: Consumer protection remains largely provincial, creating a fragmented compliance environment for platforms operating nationally. Ontario, Quebec, and British Columbia each have distinct frameworks governing credit products and consumer agreements. Ontario’s new Consumer Protection Act provisions and New Brunswick’s forthcoming consolidated CPA are examples of this evolving landscape.

Key compliance risks in Canada:

  • Licensing ambiguity for non-bank embedded lenders operating across provinces
  • Unclear application of federal privacy law (PIPEDA, being replaced by Bill C-27/CPPA) to embedded data flows
  • AML obligations under FINTRAC for platforms handling payments or acting as money services businesses

C. United Kingdom — The Most Developed Framework, With More on the Way

The UK has the most structured and rapidly evolving embedded finance regulatory environment of the three markets, anchored by the FCA and powered by a proactive open banking/open finance agenda.

Consumer Duty — the centerpiece:

  • The FCA enforces the Consumer Duty and maps out clear lines of accountability — ensuring the digital checkout experience does not become a financial trap. If a middleware tech provider fails, the principal bank holding the license is legally responsible for maintaining the financial agreements. Editorialge
  • The FCA has emphasized that firms must not only meet technical requirements but also integrate the Duty’s principles across the entire customer journey — acting in good faith, avoiding foreseeable harm, and supporting customers in achieving their financial goals. Superficial compliance will not suffice. The Payments Association
  • The FCA is already conducting deep-dive reviews, and a mid-2026 post-implementation assessment is expected to further sharpen scrutiny and enforcement expectations. The Payments Association

Open banking — transitioning to open finance:

  • The FCA published its open finance roadmap in April 2026, aiming to extend secure, consent-based data sharing to a wider range of financial products. Open banking currently has 145 active third-party providers, facilitating approximately 17 million active users. Open finance would extend the same principles to mortgages, SME lending, investments, pensions, insurance, savings, credit, and debt management. Freshfields
  • In 2026, the Treasury is expected to introduce legislation giving the FCA new powers to set open banking rules, laying the foundations for a stable long-term regulatory framework. FCA
  • In May 2025, the Data (Use and Access) Bill received government approval, establishing a legal basis for Smart Data schemes that extend beyond banking and paving the way for a broader Open Finance framework. The Payments Association

Operational resilience — now enforced:

  • As of March 31, 2025, UK regulatory supervision of operational resilience has transitioned from a preparatory phase to active enforcement. The Payments Association
  • As of March 31, 2025, banks should have embedded strategies, processes, and systems to meet operational resilience expectations. Banks must remediate vulnerabilities and reach full resilience standards by the regulatory deadlines. Chambers and Partners

AML enforcement:

  • In 2025, the FCA fined a BaaS provider £21.1 million (~$28.8 million) for failures in financial crime controls, including inadequate checks during customer onboarding. Sumsub

Senior Managers & Certification Regime (SM&CR): Individual accountability is a cornerstone of the UK framework. Senior managers are subject to a duty of responsibility requiring them to take reasonable steps to prevent regulatory breaches in their areas of accountability — with consequences including fines and prohibition.

V. Cross-Cutting Compliance Themes for Embedded Finance

A. AML/KYC — The Universal Floor

Client firms operating on BaaS platforms will often lack the technology and behaviors expected of financial services businesses. Common failures include inadequate Customer Due Diligence (CDD), inability to keep pace with demand during rapid scaling, and poor compliance with requirements such as checking customers against watchlists. Sumsub

B. Third-Party Risk Management — Banks Cannot Delegate Accountability

The single clearest regulatory signal across all three jurisdictions: sponsor banks own the compliance obligation, full stop. Banks are increasingly requiring fintechs to meet stricter standards, including more intensive AML policies and procedures. Partnership agreements frequently give banks the right to review and audit the compliance procedures of their fintech partners — and regulators have made clear they expect banks to exercise that right with increased frequency and stringency. Fenwick

C. Recordkeeping & FBO Account Transparency

A direct legacy of Synapse. The FDIC’s proposed rule would require banks to maintain ledgers of FBO accounts opened by third-party fintechs for continuous visibility into account activity. This has become a baseline expectation regardless of formal rule adoption. Treasuryprime

D. Consumer Data & Open Banking/Finance Compliance

All three jurisdictions are moving — at different speeds — toward mandatory data portability and consent-based data sharing. The compliance infrastructure to support this (APIs, consent management, data governance) must be built in parallel with the regulatory frameworks themselves.

E. Operational Resilience & Business Continuity

The Synapse collapse highlighted the importance of banks developing business continuity and disaster recovery plans when partnering with venture-backed startups. The UK has formalized this into enforceable rules; the US and Canada are moving in the same direction. Treasuryprime

F. Market Consolidation as a Compliance Signal

Traditional BaaS players, many operating on slim margins, are increasingly saddled with rising compliance costs. These rising costs, combined with the increasing complexity of regulatory requirements, may result in further consolidation within the BaaS market. Compliance capacity is becoming a prerequisite for survival, not just a cost of doing business. Weavr

VI. The Compliance-by-Design Imperative

By innovating proactively, embedded finance technology providers can offer compliance-first solutions that empower banks to extend their services without compromising their core responsibility to the end customer. Banks need robust account management features that allow them to lock accounts, set transaction limits, identify negative balances, and run KYC checks — maintaining full oversight of customers who open accounts through fintech partners. Treasuryprime

By implementing technology that enables real-time monitoring and offers deeper insight into fintech partners’ risk management activities, sponsor banks can take on a “compliance-as-a-service” or “bank-as-regulator” role. Alloy

VII. What Compliance Teams Need to Do Now

  1. Map liability across your stack. Identify the precise compliance obligations at each layer: platform, middleware, and sponsor bank. Don’t assume the bank absorbs everything.
  2. US firms: Review your third-party risk management program against the OCC’s 2024 continuous monitoring expectations and the interagency joint guidance. Conduct a BSA/AML gap analysis if you use or operate FBO accounts.
  3. Canada: Assess whether your activities trigger provincial licensing obligations as a lender, money services business, or credit agreement provider. Track the Consumer-Driven Banking Act’s implementation schedule.
  4. UK firms: Demonstrate Consumer Duty compliance at the product level — not just at the policy level. Prepare for the FCA’s mid-2026 post-implementation review. Evaluate your operational resilience posture, which is now under active enforcement.
  5. All markets: Build open banking/data infrastructure now — consent frameworks, API governance, and data mapping — before the regulatory mandates formalize.
  6. All markets: Treat compliance as a growth lever. The Synapse collapse and subsequent consolidation showed clearly that regulatory maturity is now a competitive differentiator when pursuing sponsor bank partnerships.

VIII. Conclusion — From Middleware to Mainstream Accountability

Fintech companies are now moving away from the old “compliance as a separate department” approach and integrating regulatory requirements into their product development and business processes. This proactive stance can help attract investment, secure partnerships, build stronger customer relationships, and gain competitive advantage. LegalNodes

The embedded finance firms that will define the next decade won’t be those with the most innovative APIs — they’ll be the ones that made compliance as core to their architecture as the financial rails themselves.