A company that moves money for third parties is likely engaged in money transmission under state law, and operating without the required licenses risks civil enforcement, criminal penalties, and consumer remediation. Most states require separate money transmitter licenses with their own application requirements, so fintechs should sequence state licensing to match geographic rollout and watch for agent or white-label arrangements that can impute licensing obligations to technology providers. The federal charter alternative offers uniformity but full bank supervision, which is why most fintechs use sponsor bank partnerships that shift the licensing burden while carrying their own risks.
Any company that moves money on behalf of third parties — whether through payments, digital wallets, remittances, or cryptocurrency exchange — is likely engaged in money transmission under state law, and operating without the required licenses exposes the company to civil enforcement, criminal penalties, and consumer remediation obligations. Forty-nine states and the District of Columbia require separate money transmitter licenses, each with distinct application requirements, surety bond amounts, net worth minimums, and examination rights. Gurpreet Bal advises fintech companies on sequencing state licensing to match their geographic rollout, and on identifying the threshold activities — particularly agent or white-label arrangements — that may impute licensing obligations to technology providers that do not themselves hold customer funds. The federal alternative — a national bank charter or the OCC's fintech charter — offers regulatory uniformity but imposes the full weight of bank supervision. Most fintech companies manage this complexity through sponsor bank partnerships, which shift the licensing burden to a regulated institution while the fintech provides the technology layer, a structure that carries its own legal and operational risks.
The BaaS model rests on a contract between a fintech acting as program manager and an FDIC-insured sponsor bank that holds the charter, deposits, and regulatory relationships. These program manager agreements define permissible products, the allocation of compliance responsibilities, the economics, and the termination rights that let the bank exit on short notice. Recent enforcement against sponsor banks has shifted the negotiating dynamic toward more due diligence and audit rights, so fintechs should treat BaaS agreements as quasi-regulatory instruments and ensure compliance obligations like BSA/AML are clearly allocated and operationally feasible.
The banking-as-a-service (BaaS) model rests on a contractual relationship between a fintech company (acting as program manager) and an FDIC-insured sponsor bank that holds the charter, the deposits, and the regulatory relationships. These program manager agreements are among the most consequential contracts in fintech: they define the scope of permissible products, the allocation of compliance responsibilities, the economics of interchange and float, and — critically — the termination rights that give the sponsor bank authority to exit the relationship on short notice. Gurpreet S. Bal advises fintech companies that the recent wave of regulatory enforcement against BaaS sponsor banks (including consent orders requiring banks to enhance oversight of their fintech partners) has fundamentally changed the negotiating dynamic: banks are demanding more extensive due diligence, compliance program attestations, audit rights, and technology access as conditions of sponsorship. Fintech companies should treat BaaS agreements as quasi-regulatory instruments — not just commercial contracts — and should ensure that compliance obligations, including BSA/AML program responsibilities, are clearly allocated and operationally feasible.
Payment network operating rules function as de facto licensing terms for any company touching card transactions, binding through the acquirer relationship and enforced through fines, suspension, and loss of network access. The CFPB's examination authority reaches larger nonbank financial companies and covers fair lending, UDAAP, and complaint handling. Its Section 1033 rule on consumer-authorized data sharing creates both a compliance obligation and a commercial opportunity, so API licensing agreements must address data minimization, permissioned use limitations, and the prohibition on secondary use without separate consumer authorization.
Payment network operating regulations — Visa's Core Rules, Mastercard's rules, and their respective service provider registration requirements — function as de facto licensing terms for any company that touches card-based transactions. Network registration requirements, data security mandates (PCI DSS), chargeback liability rules, and restrictions on permissible merchant categories are contractually binding through the acquirer relationship and enforced through fines, registration suspension, and ultimately loss of access to the networks. The CFPB's examination authority extends to nonbank financial companies with more than $10 billion in annual receipts, and the bureau's supervisory program includes detailed assessments of fair lending, UDAAP compliance, and consumer complaint handling. Gurpreet Bal advises clients that the CFPB's final rule implementing Section 1033 of the Dodd-Frank Act — establishing a framework for consumer-authorized data sharing — creates both a compliance obligation and a commercial opportunity: fintech companies accessing bank account data through APIs must comply with the rule's access, accuracy, and consumer rights provisions, while banks must provide standardized, authorized access to consumer financial data. API licensing agreements in this context must address data minimization, permissioned use limitations, and the prohibition on secondary use without separate consumer authorization.
Embedded finance layers a regulated financial product onto a non-financial platform through a technology interface, creating overlapping roles: a platform offering buy-now-pay-later can be a technology licensee, a distribution partner, and potentially a credit services organization at once. Companies should map the full regulatory perimeter before signing commercial agreements, because the technology-layer framing does not insulate them from financial services regulation when the substance is extending credit, moving money, or providing insurance. API licensing agreements for financial data aggregation must address data rights, use limitations, accuracy obligations, consumer authorization verification, and indemnification for data breaches or unauthorized access.
Embedded finance — the integration of financial products (lending, insurance, payments, deposit accounts) into non-financial platforms — creates layered licensing and contractual complexity because the underlying financial product is delivered through a technology interface that may itself be subject to separate licensing terms. A retail e-commerce platform offering buy-now-pay-later at checkout is simultaneously a technology licensee (of the BNPL provider's software), a distribution partner (subject to the provider's program agreement), and potentially a credit services organization (subject to state credit services laws in certain jurisdictions). Gurpreet S. Bal advises companies entering embedded finance arrangements to map the full regulatory perimeter of the proposed product before executing commercial agreements, because the technology-layer framing that works for software licensing does not insulate parties from financial services regulation when the economic substance involves extending credit, moving money, or providing insurance. API licensing agreements in financial data aggregation — where data aggregators like Plaid, MX, or Finicity provide programmatic access to bank account data — must address data rights, use limitations, accuracy obligations, consumer authorization verification, and the indemnification framework for data breaches or unauthorized access.
← More on Licensing & Contracts
Gurpreet S. Bal is a Partner at Foley and Lardner LLP in Silicon Valley, where he advises technology companies on licensing, venture financings, M&A, and corporate transactions. He has represented clients in hundreds of transactions with aggregate deal value exceeding $60 billion across AI, semiconductors, fintech, and emerging technology.