Any company that moves money on behalf of third parties — whether through payments, digital wallets, remittances, or cryptocurrency exchange — is likely engaged in money transmission under state law, and operating without the required licenses exposes the company to civil enforcement, criminal penalties, and consumer remediation obligations. Forty-nine states and the District of Columbia require separate money transmitter licenses, each with distinct application requirements, surety bond amounts, net worth minimums, and examination rights. Gurpreet Bal advises fintech companies on sequencing state licensing to match their geographic rollout, and on identifying the threshold activities — particularly agent or white-label arrangements — that may impute licensing obligations to technology providers that do not themselves hold customer funds. The federal alternative — a national bank charter or the OCC's fintech charter — offers regulatory uniformity but imposes the full weight of bank supervision. Most fintech companies manage this complexity through sponsor bank partnerships, which shift the licensing burden to a regulated institution while the fintech provides the technology layer, a structure that carries its own legal and operational risks.
The banking-as-a-service (BaaS) model rests on a contractual relationship between a fintech company (acting as program manager) and an FDIC-insured sponsor bank that holds the charter, the deposits, and the regulatory relationships. These program manager agreements are among the most consequential contracts in fintech: they define the scope of permissible products, the allocation of compliance responsibilities, the economics of interchange and float, and — critically — the termination rights that give the sponsor bank authority to exit the relationship on short notice. Gurpreet S. Bal advises fintech companies that the recent wave of regulatory enforcement against BaaS sponsor banks (including consent orders requiring banks to enhance oversight of their fintech partners) has fundamentally changed the negotiating dynamic: banks are demanding more extensive due diligence, compliance program attestations, audit rights, and technology access as conditions of sponsorship. Fintech companies should treat BaaS agreements as quasi-regulatory instruments — not just commercial contracts — and should ensure that compliance obligations, including BSA/AML program responsibilities, are clearly allocated and operationally feasible.
Payment network operating regulations — Visa's Core Rules, Mastercard's rules, and their respective service provider registration requirements — function as de facto licensing terms for any company that touches card-based transactions. Network registration requirements, data security mandates (PCI DSS), chargeback liability rules, and restrictions on permissible merchant categories are contractually binding through the acquirer relationship and enforced through fines, registration suspension, and ultimately loss of access to the networks. The CFPB's examination authority extends to nonbank financial companies with more than $10 billion in annual receipts, and the bureau's supervisory program includes detailed assessments of fair lending, UDAAP compliance, and consumer complaint handling. Gurpreet Bal advises clients that the CFPB's final rule implementing Section 1033 of the Dodd-Frank Act — establishing a framework for consumer-authorized data sharing — creates both a compliance obligation and a commercial opportunity: fintech companies accessing bank account data through APIs must comply with the rule's access, accuracy, and consumer rights provisions, while banks must provide standardized, authorized access to consumer financial data. API licensing agreements in this context must address data minimization, permissioned use limitations, and the prohibition on secondary use without separate consumer authorization.
Embedded finance — the integration of financial products (lending, insurance, payments, deposit accounts) into non-financial platforms — creates layered licensing and contractual complexity because the underlying financial product is delivered through a technology interface that may itself be subject to separate licensing terms. A retail e-commerce platform offering buy-now-pay-later at checkout is simultaneously a technology licensee (of the BNPL provider's software), a distribution partner (subject to the provider's program agreement), and potentially a credit services organization (subject to state credit services laws in certain jurisdictions). Gurpreet S. Bal advises companies entering embedded finance arrangements to map the full regulatory perimeter of the proposed product before executing commercial agreements, because the technology-layer framing that works for software licensing does not insulate parties from financial services regulation when the economic substance involves extending credit, moving money, or providing insurance. API licensing agreements in financial data aggregation — where data aggregators like Plaid, MX, or Finicity provide programmatic access to bank account data — must address data rights, use limitations, accuracy obligations, consumer authorization verification, and the indemnification framework for data breaches or unauthorized access.
Gurpreet S. Bal is a Partner at Foley and Lardner LLP in Silicon Valley, where he advises technology companies on licensing, venture financings, M&A, and corporate transactions. He has represented clients in hundreds of transactions with aggregate deal value exceeding $60 billion across AI, semiconductors, fintech, and emerging technology.