Embedded finance, the invisible layer stitching lending widgets into e-commerce dashboards, insurance upsells into ride-hailing apps, and payroll advances into HR platforms, has quietly become critical financial infrastructure.
According to AscentAI, maturity brings scrutiny, and regulators across multiple jurisdictions are now making clear that compliance obligations can no longer remain as invisible as the technology itself.
AscentAI recently detailed embedded finance’s next chapter, including growth, regulation, and accountability.
The scale of the opportunity explains why the pressure is intensifying. The global embedded finance market is projected to expand from $115.8bn in 2024 to $251.5bn by 2029, growing at a compound annual rate of 16.8%. A Deloitte estimate suggests the sector could account for nearly 10% of all global financial transactions by 2030. The Banking as a Service (BaaS) market underpinning much of this activity is on a similar trajectory, forecast to reach $74.8bn by 2030, with nearly 36% of neobanks globally now running on BaaS backends.
Two events framed the compliance debate entering 2025 more than any others: the collapse of Synapse Financial Technologies in the United States, and Revolut’s securing of a UK banking licence. Together, they captured the central tension of the industry, rapid innovation straining against the regulatory oversight required to keep financial ecosystems stable.
Understanding the accountability stack
Any serious discussion of embedded finance compliance begins with a basic question: who is responsible for what? The typical arrangement involves three layers. The platform, whether an e-commerce site, a gig economy app, or an HR software provider, distributes the financial product and holds the customer relationship. The BaaS or middleware provider manages API connectivity, ledgering, and routing between platform and bank. The sponsor bank holds the charter and ultimately carries the regulatory obligation.
In the traditional paradigm, FinTech firms have largely been treated as third-party technology partners sitting outside direct regulatory oversight. That era is closing. Banks pursuing FinTech partnerships are now expected to invest significantly in assessing their partners’ operational risk. FinTechs, for their part, must increasingly demonstrate genuine compliance maturity before they can secure those partnerships at all.
The complexity is compounded by the nature of embedded finance itself. Platforms operating at the intersection of finance and technology must simultaneously satisfy lending laws, payments regulations, KYC and AML rules, and data privacy requirements, obligations that multiply with every additional jurisdiction entered.
The Synapse collapse: a cautionary tale that reshaped the industry
No event has done more to accelerate regulatory action in embedded finance than the failure of Synapse in April 2024. When the middleware provider collapsed, more than 100,000 customers lost access to over $265m held across several FinTech platforms. By May, partner banks were unable to produce accurate customer balance records, making withdrawals effectively impossible to process.
The root causes were multiple: disputes with key partner banks and major FinTech clients, operational breakdowns, and a fundamental mismatch between Synapse’s internal ledgers and the funds actually held at banks. At the centre of the controversy was the mismanagement of “For the Benefit Of” (FBO) accounts, pooled accounts controlled by FinTech intermediaries that lacked the transparency individual account holders would reasonably expect. The resulting shortfall between bank-held funds and amounts owed to end users reached as much as $95m.
The regulatory fallout was swift. The FDIC proposed a rule in October 2024 requiring banks to maintain accurate records of beneficial owners in custodial accounts. While the rule stopped short of extending deposit insurance coverage to middleware providers, it signalled a clear directional shift: recordkeeping and fund visibility were no longer optional standards.
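The two failure modes described above, a sub-ledger that no longer matches the funds actually held in the pooled account, and pooled funds with no identifiable beneficial owner, are both detectable with a routine reconciliation control. The following is an added illustration written for this page, not code from AscentAI, Synapse, or any regulator; the account identifiers, balances and owner records are constructed sample data, and the column layout of the sub-ledger is an assumption.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SubLedgerEntry:
    """One end user's claim on a pooled FBO account, as the intermediary records it."""
    fbo_account: str   # pooled bank account the funds are supposed to sit in
    owner_id: str      # beneficial owner reference (empty string = record missing)
    owner_name: str
    balance: Decimal


# Constructed sample: what the intermediary's internal ledger says it owes end users.
SUB_LEDGER: List[SubLedgerEntry] = [
    SubLedgerEntry("FBO-001", "u-1001", "A. Example", Decimal("1000.00")),
    SubLedgerEntry("FBO-001", "u-1002", "B. Example", Decimal("500.00")),
    SubLedgerEntry("FBO-002", "u-2001", "C. Example", Decimal("1800.00")),
    SubLedgerEntry("FBO-002", "", "", Decimal("600.00")),  # no owner record
]

# Constructed sample: balances the sponsor bank actually holds per pooled account.
BANK_FBO_BALANCES: Dict[str, Decimal] = {
    "FBO-001": Decimal("1500.00"),
    "FBO-002": Decimal("2000.00"),
    "FBO-003": Decimal("250.00"),  # money held with no ledger entries at all
}


def reconcile(sub_ledger: List[SubLedgerEntry],
              bank_balances: Dict[str, Decimal]) -> Dict[str, Dict[str, Decimal]]:
    """Per pooled account, compare the sum of sub-ledger claims with the bank-held balance.

    shortfall = ledger_total - bank_balance; a positive value means end users are
    owed more than the bank actually holds (the Synapse-style gap).
    """
    totals: Dict[str, Decimal] = {}
    for entry in sub_ledger:
        totals[entry.fbo_account] = totals.get(entry.fbo_account, Decimal("0")) + entry.balance
    report: Dict[str, Dict[str, Decimal]] = {}
    for acct in set(totals) | set(bank_balances):
        ledger_total = totals.get(acct, Decimal("0"))
        bank_balance = bank_balances.get(acct, Decimal("0"))
        report[acct] = {
            "ledger_total": ledger_total,
            "bank_balance": bank_balance,
            "shortfall": ledger_total - bank_balance,
        }
    return report


def total_shortfall(report: Dict[str, Dict[str, Decimal]]) -> Decimal:
    """Aggregate amount owed to users beyond what the bank holds (negative gaps ignored)."""
    return sum((r["shortfall"] for r in report.values() if r["shortfall"] > 0), Decimal("0"))


def missing_owner_records(sub_ledger: List[SubLedgerEntry]) -> List[SubLedgerEntry]:
    """Ledger claims that cannot be attributed to an identifiable beneficial owner."""
    return [e for e in sub_ledger if not e.owner_id or not e.owner_name]


def unattributed_funds(report: Dict[str, Dict[str, Decimal]]) -> Dict[str, Decimal]:
    """Pooled accounts where the bank holds money but the ledger names no owner at all."""
    return {acct: r["bank_balance"] for acct, r in report.items()
            if r["ledger_total"] == 0 and r["bank_balance"] > 0}


def run_daily_check(sub_ledger: List[SubLedgerEntry],
                    bank_balances: Dict[str, Decimal]) -> Tuple[Dict[str, Dict[str, Decimal]], List[str]]:
    """Produce the reconciliation report plus a list of human-readable findings."""
    report = reconcile(sub_ledger, bank_balances)
    findings: List[str] = []
    for acct, r in sorted(report.items()):
        if r["shortfall"] > 0:
            findings.append(f"{acct}: ledger {r['ledger_total']} exceeds bank-held "
                            f"{r['bank_balance']} by {r['shortfall']}")
    for acct, amount in sorted(unattributed_funds(report).items()):
        findings.append(f"{acct}: {amount} held at bank with no ledger owner")
    for e in missing_owner_records(sub_ledger):
        findings.append(f"{e.fbo_account}: {e.balance} claimed with no beneficial owner record")
    return report, findings


if __name__ == "__main__":
    _, daily_findings = run_daily_check(SUB_LEDGER, BANK_FBO_BALANCES)
    for line in daily_findings:
        print(line)
```

Run daily against the bank's statement rather than the intermediary's own copy of it: the control only has value when the `bank_balances` side comes from the party that actually holds the funds. Any positive shortfall or any unattributed balance is the condition the FDIC's proposed recordkeeping rule is designed to make visible before a failure, not after.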
The lessons for the industry were blunt. FinTechs need leadership with deep risk management expertise, regular compliance training, and genuinely interdisciplinary governance, not compliance teams bolted on after the fact.
United States: enforcement surge meets political pivot
The US presents the most complex regulatory picture, combining a multi-agency framework, an enforcement surge through 2024, and a pronounced policy shift following the change in administration in 2025.
The oversight architecture spans multiple bodies. The OCC supervises national banks’ digital asset activities and FinTech collaborations. The FDIC covers insured depository institutions. FinCEN regulates money transmission and AML and KYC compliance. State-level licensing requirements for lending and money transmission add yet another layer.
The enforcement numbers from 2024 were striking. More than a quarter of the FDIC’s formal enforcement actions were directed at sponsor banks in embedded finance partnerships. More than one in five OCC enforcement actions similarly targeted sponsor banks. Three in four sponsor banks reported losing $100,000 or more to compliance violations, and 80% said they struggled to meet compliance requirements across multiple FinTech partnerships and jurisdictions. Nearly 30% said they were considering winding down or scaling back their embedded finance programmes as a result.
The enforcement actions themselves were instructive. Blue Ridge Bank entered a consent order with the OCC in January 2024 after its BSA and AML programme was found to have experienced “systemic internal controls breakdowns.” Evolve Bank & Trust received a Federal Reserve cease-and-desist order in June 2024, specifically related to its FinTech partnerships and deposit-plus-payments model.
Complementing the enforcement activity, regulators issued a trifecta of guidance documents: a joint statement on bank arrangements with third parties, a request for information on bank-FinTech arrangements, and the proposed FBO account recordkeeping requirements, all in the second half of 2024. The collective message was unambiguous: banks cannot legally delegate BSA obligations to third parties.
The 2025 administration has shifted tone considerably. Acting Comptroller Hood has publicly signalled support for bank-FinTech partnerships, with stated priorities including embracing such arrangements, expanding digital asset activities, and reducing regulatory burden. Whether enforcement intensity follows rhetoric downward remains to be seen.
On open banking, the US continues to lag. The CFPB’s Personal Financial Data Rights Rule, implemented in October 2024, requires phased compliance from 2026 to 2030 for larger banks, but enforcement remains uncertain following the CFPB’s operational disruption in early 2025.
Canada: a patchwork in search of a framework
Canada’s embedded finance regulatory environment reflects its broader financial services architecture: federal oversight for chartered institutions, provincial authority for most consumer-facing products, and a growing consensus that the current arrangement is no longer fit for purpose.
The Consumer-Driven Banking Act, passed by the federal government in June 2024, addressed governance, scope, and process and established an independent consumer-driven banking regulator within the FCAC structure. The more substantive elements, covering liability and privacy, are expected to follow in subsequent legislation. In the meantime, the FCAC continues to work with the Department of Finance on consumer protection standards that would form the core of an open banking regime.
Consumer protection remains largely provincial, creating a fragmented compliance environment for platforms operating nationally. Ontario, Quebec, and British Columbia each maintain distinct frameworks governing credit products and consumer agreements. Ontario’s new Consumer Protection Act provisions and New Brunswick’s forthcoming consolidated legislation are symptomatic of this ongoing evolution.
The key compliance risks for platforms operating in Canada include licensing ambiguity for non-bank embedded lenders operating across provinces, an unclear application of federal privacy law to embedded data flows as PIPEDA is replaced by the proposed Consumer Privacy Protection Act, and AML obligations under FINTRAC for platforms handling payments or acting as money services businesses.
United Kingdom: the most developed framework, still accelerating
The UK has the most structured and rapidly evolving embedded finance regulatory environment of the three markets, anchored by the FCA and powered by an ambitious open banking and open finance agenda.
The Consumer Duty sits at the centre of the framework. The FCA maps clear lines of accountability, ensuring that digital checkout experiences do not become financial traps, and has made clear that where a middleware provider fails, the principal bank holding the licence remains legally responsible for maintaining its financial agreements with customers. Firms have been put on notice that superficial compliance will not suffice; the Duty’s principles must be integrated across the entire customer journey, covering good faith, avoidance of foreseeable harm, and genuine support for customers in meeting their financial goals. A post-implementation assessment is expected in mid-2026.
On open banking, the UK is already transitioning to a broader open finance model. The FCA published its open finance roadmap in April 2026, aiming to extend consent-based data sharing to mortgages, SME lending, investments, pensions, insurance, savings, credit, and debt management. Open banking currently supports 145 active third-party providers serving approximately 17 million active users. Legislation giving the FCA new powers to set open banking rules is expected from the Treasury in 2026, while the Data (Use and Access) Bill, which received government approval in May 2025, has already established a legal basis for broader Smart Data schemes.
Operational resilience has moved from aspiration to enforcement. As of 31 March 2025, UK regulatory supervision transitioned from a preparatory phase to active enforcement, with banks required to have embedded strategies, processes, and systems in place and to remediate vulnerabilities against set deadlines.
AML enforcement has also sharpened. In 2025, the FCA fined a BaaS provider £21.1m for failures in financial crime controls, including inadequate customer onboarding checks. The Senior Managers and Certification Regime continues to place individual accountability front and centre, with senior managers subject to a duty of responsibility and exposed to fines and prohibition where they fail to prevent breaches in their areas of accountability.
Cross-cutting compliance priorities
Across all three markets, several themes are converging. On AML and KYC, FinTech firms operating on BaaS platforms frequently lack the compliance behaviours expected of regulated financial services businesses. Common failures include inadequate customer due diligence, an inability to keep pace with compliance requirements during rapid scaling, and poor adherence to watchlist screening.
Third-party risk management has become perhaps the single clearest regulatory signal across jurisdictions: sponsor banks own the compliance obligation, and regulators expect them to exercise audit rights over their FinTech partners with increasing frequency and rigour. Banks are already requiring FinTechs to meet stricter AML standards as a prerequisite for partnership.
Recordkeeping and FBO account transparency have become baseline industry expectations in the wake of Synapse, regardless of whether the FDIC’s proposed rule is formally adopted. Consumer data and open banking compliance infrastructure, covering APIs, consent management, and data governance, must be built in parallel with the regulatory frameworks being developed. Operational resilience planning, now formalised in the UK and under development in the US and Canada, requires embedded finance participants to consider business continuity in ways that the Synapse collapse demonstrated were previously neglected.
There is also a consolidation dynamic at play. Traditional BaaS providers, operating on thin margins, face rising compliance costs that are fast becoming existential. The firms best positioned to survive are those treating compliance capacity as a competitive differentiator rather than an overhead, building account management features, real-time monitoring, and KYC infrastructure that enable banks to take on a genuine oversight role across their FinTech partner ecosystems.
Read the full AscentAI story here.
Copyright © 2026 RegTech Analyst