[Part 2/2] The 2H 2025 Fintech Compliance Countdown: Stories #8-#1
Closing the series with 2H '25 compliance shifts that mattered and what they mean going into '26.
(Note - all views are those of Fintech Compliance Chronicles/my personal views and not affiliated with any other organization)
At the start of the year, I planned a multi-part countdown of the biggest compliance stories of 2025 (Part 1 here). Instead of dragging that series out, I’m closing the loop here with a single synthesis: what actually mattered, what didn’t, and what compliance teams should still be paying attention to going into 2026. Let’s dive right in!
8. California’s “Mini-CFPB” Starts Cracking Down on Fees and Sloppy Crypto
The story: Last time we checked in on the NYDFS, New York’s version of a “mini-CFPB” state regulatory body. This time, we start with the DFPI, California’s edition. Two trends stood out - one, targeting crypto kiosks (think of the ATM-style bitcoin terminals that are available in random places) specifically for accepting cash transactions that surpassed the $1K daily AML limit, and for charging excessive fees on transactions; second, going after lenders (namely Apoyo Financiero, a lender that markets itself to the unbanked and primarily targeting Spanish speakers) for charging interest and fees that exceed the caps set by the California Financing Law.
Analysis: Here’s a quick table that shows some of the key fines and penalties across some of the larger state regulators in 2H 2025:
Based on the above, while NYDFS takes the cake from an overall monetary perspective, California is unique in that it appears to be the only major state regulator hitting hard on not just one but two areas that used to be the bread and butter of federal regulators, namely the CFPB: fintech lending/junk fees, and cryptocurrency violations around AML and fees. Reg E, Reg Z and BSA/AML all come into play here. The other thing of note is that the DFPI appears eager to cross state lines (and even country lines in some cases) and tackle institutions based outside California that happen to operate there. Clearly, the CFPB “going to sleep” has simply opened the door for the DFPI to step in and leverage authority granted by regs like the CCFPL, essentially its local version of UDAAP.
7. Aflac and Powerschool - When People, Not Systems, Become the Breach
The story: Neither of these players is a true “fintech” institution. However, these breaches are worth highlighting because of the attack vectors. In the case of Aflac, the popular insurance provider (yes, that’s why we had the ducks at the end of our last post), in June of last year a social engineering attempt succeeded by simply calling Aflac’s customer service line, asking for a password reset while claiming an urgent meeting was about to begin, and then also getting the Helpdesk to reset the MFA. The individual whose credentials were compromised also had admin access to key systems. For a good read and further deep dive on this incident and how something seemingly simple can actually be pulled off, check out this post by cybersecurity expert Asad Syed.
In the case of PowerSchool, it was more of what I’ve seen in similar breakdowns (and many of you have probably seen for not just cybersecurity but other institutional failures generally): a vendor dropping the ball. Quick background: PowerSchool is a cloud provider with front-end tools specifically for K-12 students, teachers and administrators. In this case, the stolen credentials belonged to a contractor who happened to have access to the PowerSource portal, allowing access to what PowerSchool described as “sensitive personal information” that “may have included” Social Security numbers and medical data (!!!)
Analysis: The Aflac breach is a textbook example of why MFA is only a secondary line of defense once a helpdesk can be socially engineered into resetting it; ultimately it is your classic human error leading to a huge breach. The PowerSchool breach stands out to me more because of how it has been handled post-breach. First, they actually paid a ransom to the hackers to delete the data, which flies in the face of the mindset “we don’t negotiate with bad actors,” and they have no true guarantee the deletion was actually done. Second, the types of information go way beyond your standard SSN, driver’s license and credit card numbers: it turns out sensitive information about students was included, ranging from restraining orders to medication information, but again, no complete transparency was provided. The last update from PowerSchool is a not-so-comforting announcement that someone is extorting impacted students/families with the stolen information and that, in response, they will offer credit monitoring and identity protection services to those impacted. It has been 8 months since the last update.
One final thing of note here: PowerSchool was taken private by Bain Capital in late 2024, just months before the breach occurred, which almost certainly shifted its governance incentives and its focus for accountability. The reality is that when who you answer to changes, a change in ownership also changes the context for risk prioritization, incident response, and disclosure practices, even if it doesn’t cause operational failures. Ownership transitions, whether to private equity or public markets, can create “integration blind spots” where legacy controls may not scale at the pace of new strategic goals. This pattern recurs in acquisitions from Clear Channel to healthcare platforms. For compliance teams, the lesson isn’t about private equity itself, but about how ownership changes can quietly alter risk tolerance, oversight, and investment in control infrastructure.
6. The "AI-Washing" Crackdown at the SEC
The story: After the departure of Gary Gensler, who was quite reviled in the crypto world, the SEC has been headed up by Paul Atkins, who came into the organization in April 2025 shortly after the agency had already slimmed down by 10%. The SEC’s focus area has been more targeted towards “AI-washing” while decreasing the focus on registration violations and things like “off-channel communications”. In addition, the signal from the SEC as well as the DOJ and Congress (i.e. passing the GENIUS Act) is extremely pro-crypto.
But despite the federal government’s simultaneously pro-AI stance, as evidenced by a recent executive order, the SEC seems unfazed: it converted its previously titled “Crypto Assets and Cyber Unit” into the “Cyber and Emerging Technologies Unit,” reflecting the de-emphasis on crypto and broader coverage of technology risk in general. This unit was responsible for two major actions: one taken against the founder of prominent fintech Nate in April 2025, and a more sweeping action against a slew of crypto-related companies that touted their “AI wealth” capabilities in December of the same year. In addition, the 2026 SEC Enforcement priorities included AI as a continued focus, making this likely the beginning, not the end, of targeted attention in this area.
Analysis: Looking at the raw number of SEC enforcement actions in the year since the Trump administration took office, the count has gone down by 22% (311 between Jan 20 2024 - 2025, 242 between Jan 20 2025 - 2026). But in addition to the above activity, the SEC also launched an AI task force in August of this past year and appointed Valerie Szczepanik to head it, an interesting pick as she served in the agency through the Biden administration leading its innovation hub, proving this is no longer a party-line issue.
The aforementioned enforcement priorities also talk about evaluating AI in the context of cybersecurity, which should be interesting: to date the focus has been on fraud perpetrated by registrants, but this seems to indicate the scope will expand in the new year.
5. The Impending Advent of PSR in the EU
The story: If you live in the EU or have dealt with any EU payments-related regulatory matters, you are probably familiar with PSD2, the latest iteration of which went into effect in 2018 and was best known for mandating Strong Customer Authentication (SCA), for which enforcement was fully implemented in 2021. In plain English, this mandated multi-factor authentication, more accessibility/portability for customers (think open banking), and customer liability limits, just to name a few. PSD3 doesn’t introduce anything fundamentally groundbreaking, instead focusing on strengthening and clarifying some of the minutiae in PSD2 and making it clear that this will lead to the issuance of the PSR (a true Payment Services Regulation), so that the rollout is not forced to align with national regulations (something a directive, unlike a regulation, has to do, resulting in time-consuming legislation in each member state).
Analysis: The specifics of PSD3 are focused on two key areas - liability for spoofing (which now falls on the bank, even if a customer “falls for” a spoofing attempt) and firming up requirements for banks to “open the doors” to allow PSPs access to APIs so that open banking can start to scale (with a specific expectation of providing a dashboard where customers can see all third party access they have provided).
Check this article out for a great primer on where things currently stand - their prediction is that the PSR will be passed this summer and compliance will likely be expected by early 2027. This leaves precious little time for IT organizations of banks to get it together, particularly those that have not been modernizing their infrastructure. Aside from this, I was also curious whether there is going to be any customer awareness campaign so that customers know what their rights are. The data to date about consumer awareness has been telling:
A 2023 YouGov survey found that only 34% of EU-based adults were aware of “Open Banking” (a core PSD2 pillar).
A 2019 study by Riskified found that as many as 76% of consumers had never heard of PSD2.
Awareness is lowest among younger users (ages 16–24), where knowledge of the directive is below 30% (using a survey of Swedish consumers as an example).
This all raises the question: a more comprehensive regulation is great, but what is the point if the people it’s intended to serve have no idea what it’s supposed to do?
4. The Billion-Dollar Message Down Under (or is it?)
The story: The SEC’s Australian counterpart, the Australian Securities and Investments Commission (ASIC), took massive action late last year against the Australia and New Zealand Banking Group (ANZ). ANZ happens to be the second-largest bank in Australia, which makes it a more prominent target. In essence, ANZ was invited to join a government panel that, among many things, influences government bond markets. To join the panel, ANZ would be evaluated by the government on how active it was in the secondary bond market (i.e. bonds already issued and being traded between investors). However, ASIC identified that ANZ had found a way to puff up its numbers here.
Beyond this, ASIC also identified (likely triggered by more scrutiny after identifying the first gap) instances of misconduct, including tacking on fees towards accounts of deceased customers being run by the estates, and ignoring hundreds of customer-initiated hardship notices. In the end, the fines between both items (manipulation + misconduct) added up to $240 million Australian dollars, which happens to be the biggest fine ASIC has ever levied and is more than double the size of the previously largest fine (levied in 2022).
Analysis: A lot of “biggest” or “second-biggest” in this case. However, what is the real impact of this? Does it do anything in practicality to dissuade this behavior in the future or is the government trying to grab headlines? For context, the fine of $240 million is about 4% of ANZ’s full-year profit of $5.8 billion.
And how did ANZ respond to this, while publicly settling with the government? Just earlier this week, they announced their first quarter results, showing a 6% increase in profit powered by cost-cutting, specifically cuts of 3,500 jobs made at the beginning of the last quarter. This comes just months after Consumer NZ conducted a poll revealing that, of all the major banks in New Zealand, ANZ ranked last in customer service satisfaction.
This raises a critical question about the efficacy of monetary penalties: if the cost of misconduct is simply passed on to the workforce through job cuts, the 'deterrent' hasn't actually changed the institution's risk culture.
3. The OCC Signals the End of Rent-A-Charter
The story: After a year in which its enforcement output slowed to a crawl, with several months of no enforcement activity at all (something that would have been unthinkable prior to 2025), the OCC took a wide-ranging action against the First National Bank of Pasco in Florida covering a slew of areas including corporate governance, capital planning, BSA/AML and FinCrime, and more.
The biggest driver here is that FNB Pasco was going way beyond its apparent profile as a community bank with only $285 million in assets. With markets strained and margins squeezed, it had numerous partnerships with foreign FIs. However, per the enforcement action, these partnerships did not get the scrutiny required for correspondent banks that is supposed to be the hallmark of AML compliance. And this comes at a time when the Synapse case has already been dragging on for years, showing that scrutiny is in full swing for both fintechs and the banks powering them. In this case, the cost of a mandated overhaul of board governance will likely wipe out any profit earned from fintech partnerships.
Analysis: Two things stand out that are not immediately clear if you only look at the OCC’s action in isolation. First, the likely identities of some of these FIs. While the enforcement action doesn’t go into detail (which is typical for these sorts of documents), the FinCEN Files were released in 2020 as a result of a collaboration between the International Consortium of Investigative Journalists (ICIJ) and 109 media partners. The documents the journalists obtained revealed, specifically for FNB Pasco, correspondent accounts for banks in Tanzania, Latvia, Estonia and Russia, four of which were later involved in major money laundering concerns and actions. Interestingly, at the time of this disclosure, the sources stated that most SARs are not read or acted upon by FinCEN. The fact that an action like this took 6 years to be issued adds some credence to this concern.
Second, shortly after this action, a cannabis-banking related lawsuit was filed against the bank by a minority shareholder based in the UK, citing the fact that the bank had significant experience handling the nuances associated with cannabis banking. The lawsuit’s description of the bank’s Board is something else, with quotes you have to read; the most comprehensive one: “Not a single one of the directors identifies any prior banking experience.”
2. CFPB Funding Cliff
The story: Almost anyone who has been keeping up with the activity of the federal government in 2025 knows that the CFPB has been in the crosshairs of the Trump Administration. Despite a lot of rhetoric in the first Trump administration, the Bureau soldiered on and continued to operate into the Biden administration. However, this time around things are quite different. A timeline-style format follows:
2/1 - 2/7/2025 - Trump fires CFPB Director Rohit Chopra and appoints Russell Vought, one of the key minds behind Project 2025, as Acting Director.
2/9 - 2/14/2025 - Vought issues a stop work order at the Bureau and the headquarters are locked, after which a team from DOGE enters the building and starts accessing sensitive data. A federal judge issues a Temporary Restraining Order to stop this data access and any attempts to fire employees. Most notably during this period, Vought claimed the Bureau had “excessive” reserves and declared that the “spigot” of Fed funding that had contributed to the “CFPB’s unaccountability” was being turned off by requesting $0 from the Federal Reserve.
5/9/2025 - Trump signs resolutions repealing the credit card late fee and overdraft fee limit rules that had not yet gone into effect but had been finalized during the Biden administration.
10/28/2025 - Senate Democrats claim that Vought intends to “close down” the agency in months against the requirements of court cases that say the Bureau must remain operational.
11/11/2025 - The CFPB sends a notice in one of its court cases that it cannot legally request funds from the Federal Reserve, reigniting the argument that had seemingly been tabled back in February.
11/20/2025 - Vought sends a letter to Congress stating that the CFPB would run out of money by January 15, 2026 and that the Bureau was $279.6 million short of what was needed to maintain operations.
12/30/2025 - DC District Judge Amy Berman Jackson, who has been involved with the actions of the CFPB throughout 2025, ruled that the CFPB can continue to draw funding from the Fed, in a scathing 32-page decision.
2/9/2026 - The Senate Banking Committee’s minority staff releases a report detailing that the CFPB’s self-immolation has cost American consumers $19 billion in late fees and lost relief.
Analysis: What else is there to say at this point that hasn’t already been said? Here’s a link to a good analysis from Consumer Reports of where things stand at the Bureau as of February 2026. In spite of all the efforts made to save it, its future is still not looking good.
1. Synapse Implosion
The story: We save the best (or the worst, depending on how you look at it) for last. Arguably the biggest story in fintech for the last two years and running. We covered this as it started to become a big deal back in May 2024, but a lot more has happened since then. Similar to the above, we’ll use a timeline-style approach:
6/14/2024 - A massive ledger discrepancy is revealed - customers are owed $265 million from Synapse, but partner banks only hold $180 million. The gap that was previously thought to be $14 million is now $85 million.
10/15/2024 - The FDIC proposes a new rule that will require banks to maintain their own daily records of fintech customers rather than depend on middleware providers like Synapse.
3/11/2025 - One of Synapse’s biggest competitors, Synctera, raises $15 million while touting its new partnership with FinCrime vendor Hawk.
6/18/2025 - Synctera hires Deb Bonosconi, a former examiner with the Fed and the OCC, as Chief Risk and Compliance Officer, touting her compliance credentials and talking about how much this area is a priority for them.
8/27/2025 - After all the drama noted in our previous story, the CFPB breaks out of its Trump-era slumber and actually uses its enforcement power for the first time in the new administration to sue Synapse for “systemic failures” in fund tracking, with the suit amount being irrelevant as the goal is to unlock $46 million of victim relief funds. But that doesn’t address the almost $40 million still unaccounted for.
2/6/2026 - The CFPB announces new limits on its complaint portal, with the changes making it difficult for victims to whom the $40 million is still owed to have advocacy for their claims.
Analysis: Out of curiosity, I decided to take a look at what is left of the middleware space (specifically ledger as a service) that was a big thing in the BaaS space at the time this all started. I put together this table demonstrating what was happening in 2024 vs today in 2026:
Paired with the new FDIC rule, when 4 of the 6 names above no longer even exist as independent companies it is truly the end of an era.
In addition, even though it’s focused on a different side of the space (crypto/stablecoins), the GENIUS Act, which was passed last year, has a few interesting elements that would seem to take inspiration from the Synapse debacle. It provides the regulatory blueprint for what the “Synapse Fix” should look like for the digital age, specifically the 1:1 reserve and monthly proof of accounting:
A 1:1 reserve mandate - Every 1 unit of stablecoin has to be backed by cash, short-term treasuries, or central bank deposits.
No more lending out/investing customer funds to earn extra yield - Many suspect this is what caused the Synapse shortfall.
Monthly Proof of Accounting - Stablecoin issuers have to publish a certified breakdown of their reserves on their website every 30 days, with top execs signing off on the accuracy of these ledgers (similar to what SOX mandated after Enron).
Source of Truth - Issuers have to have the technical capability to seize or freeze tokens upon a court order, preventing a Synapse-like scenario where users are stuck because the middleman turned off the dashboard and now no one knows who owns what.
For more on this, as always, check out Jason Mikula’s multi-year coverage of all things Synapse and Evolve (dating back to before the bankruptcy - latest update here).
Wrap-Up
That finally does it for 2025! For a good preview of 2026, check out this post on Reddit that gives a no-frills, straight-to-the-point prediction of which compliance issues will keep CEOs up at night in the upcoming year.
Keep an eye out for more content and hopefully for things to become a bit more regular around these parts. I'm currently exploring how these 2026 shifts will impact lending in particular. If you are navigating these waters, I'd love to connect. Thanks, as always, for your subscriptions and support!