Fintech

Looking Ahead to 2026

Key issues to watch in 2026 include whether the Consumer Financial Protection Bureau (CFPB) finalizes its revisions to the “open banking” rule, which would require applicable financial institutions to provide consumers and authorized third parties secure access to their consumer financial data. The CFPB has indicated in a recent court filing that it anticipates issuing an interim final open banking rule in 2026. We are also monitoring the Office of Comptroller of the Currency (OCC) and Federal Reserve for their renewed focus on third-party risk management for banking-as-a-service (BaaS) partnerships as evidenced in the Bank-Fintech Partnership Enhancement Act. Currently pending before the House of Representatives, this act would empower the OCC and Federal Reserve to conduct additional research into the partnerships between regulated banking organizations and fintech companies.

Key Trends From 2025

2025’s developments underscored the industry’s maturation. The balance between increased state oversight and decreased federal enforcement mirrored the regulatory shifts seen across the consumer financial services industry. However, fintech companies’ deep-seated use of artificial intelligence (AI) opened them up to new avenues of regulatory oversight for companies that previously faced lighter government scrutiny than traditional, regulated banks do. For example, states such as Texas and California passed legislation requiring fintech companies that use AI to publish information about their use of AI and monitor such use to ensure it does not violate constitutional or criminal laws.

Both the privacy of consumer data and consumers’ access to their own data, known as “open banking,” also remained touchpoints for regulations and laws affecting fintech companies. In addition, while federal regulation decreased overall, remaining enforcement activity examined fintech companies through the broader lens of unfair, deceptive, or abusive acts or practices (UDAAP), and the OCC examined allegations of debanking among fintech companies’ partner banks.

In the News

Bifurcated Federal Landscape

The CFPB’s shift toward deregulation was visible in how it treated fintech supervision. In August 2025, the CFPB proposed raising the transaction thresholds for which entities qualify as “larger participants” subject to supervision across multiple markets — including consumer reporting, international money transfers, debt collection, and auto finance — effectively excluding many midsize fintech lenders from direct oversight. Also in August, the CFPB proposed limiting its authority to designate nonbank entities for examination, reversing its 2022 rule that brought large fintech companies under continuous supervision.

The practical outcome was a bifurcated landscape; large, bank-partnered fintech companies continued to face OCC and Federal Reserve oversight through their depository affiliates, while smaller independent providers operated with minimal federal engagement.

Open Banking and Consumer Data Rights

The CFPB’s section 1033 rulemaking under the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) — previously positioned as the cornerstone of the CFPB’s “open banking” initiative — was effectively suspended pending significant redesign. The CFPB’s original rule, which was issued in final form in October 2024, required financial institutions, credit card issuers, and other financial providers to transfer an individual’s personal financial data to another provider for free, at the consumer’s request. At the time, the CFPB touted the rule as bringing the United States “closer to having a competitive, safe, secure, and reliable ‘open banking’ system.” 

Following extensive litigation and public criticism that the 2024 final rule was overbroad and technologically unworkable, the CFPB retreated from it. In July 2025, the CFPB moved to stay a lawsuit brought by industry actors to vacate the rule, stating that it was initiating “a new rulemaking to reconsider the Rule with a view to substantially revising it and providing a robust justification.” Then in August, the CFPB issued an advance notice of proposed rulemaking (ANPR) reopening comment on four fundamental questions: (i) who may access a consumer’s data as their representative; (ii) whether it is permissible to charge a fee for the transfer of a consumer’s data; (iii) what are the appropriate data security standards for compliance with the rule; and (iv) what data privacy concerns exist.

The ANPR drew more than 14,000 public comments before the closure of the comment period and remains pending.

Bank–Fintech Partnerships

In August 2025, the Trump administration issued an executive order on politicized debanking. The order directed banking agencies to remove “reputation risk” from existing regulatory guidance and ensure account closures are based solely on neutral, risk-based factors. Following this order, fintech platforms offering BaaS products faced compliance uncertainty as the OCC scrutinized some large partner banks over past onboarding and account termination policies, including policies that allegedly debanked entities or individuals associated with digital assets.

The recently proposed Bank-Fintech Partnership Enhancement Act, if passed, would empower federal banking regulators to study fintech–banking partnerships to “help promote effective partnerships between banking organizations, on the one hand, and financial technology companies, on the other hand,” indicating that bank–fintech partnerships are increasingly viewed as permissible, and even beneficial, in the banking industry.

2025 Enforcement Highlights

CFPB Terminates Consent Orders, Drops Fintech Lawsuit

The CFPB quietly terminated two pending consent orders with financial institutions (one in May 2025, the other in July), stating that, in both instances, the companies had fulfilled many of their obligations under the original consent orders, citing changes in its policy, and rescinding previous guidance. The CFPB also dropped an active lawsuit against a major retailer and its fintech partner, reflecting a broader strategy to retreat from the regulatory efforts of the past administration.

CFPB Turns to UDAAP Authority Against Bankrupt Fintech Provider

The CFPB signaled it would rely on its general UDAAP authority — rather than prescriptive rulemaking — to address fintech payment conduct when it pursued an enforcement action against a bankrupt fintech service provider on UDAAP grounds. In an adversary proceeding complaint filed in August 2025, the CFPB alleged that the fintech provider’s failure to maintain adequate records of consumers’ funds, which delayed their access to those funds, constituted an “unfair, deceptive, or abusive act or practice.” The CFPB subsequently entered into a stipulated final judgment with the fintech provider’s Chapter 11 trustee in which a nominal civil money penalty of $1 was entered to secure the CFPB’s claim in the company’s ongoing bankruptcy proceedings.

Fintech Payday Lender MoneyLion Faces Federal and Local Enforcement

MoneyLion, a payday loan fintech company, faced both continued federal scrutiny as well as new lawsuits brought by the New York attorney general (AG) and the City of Baltimore. The CFPB originally sued the company in 2022 with allegations that it violated the Consumer Financial Protection Act and Military Lending Act by charging inflated annual percentage interest rates on its loans and trapping customers in a predatory “membership” program.

The New York AG filed suit in April 2025, characterizing the company’s product as illegal “high-cost loans.” The mayor of Baltimore followed suit in October, filing a lawsuit accusing the company of taking advantage of consumers who were already “in a precarious financial position” by offering easy, mobile-accessible “cash advances.” In November, the company entered into a stipulated judgment to resolve the CFPB’s lawsuit, which included $1.75 million in redress.

These concerted actions show a multilateral enforcement approach that spans federal, state, and local entities and indicates that fintech companies venturing into traditionally enforcement-heavy products should remain cautious.

*  *  *

Read the next chapter, “Telephone Consumer Protection Act (TCPA) and Mini-TCPAs.”

This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.