Fintechs and emergent technologies are revolutionizing the way businesses and individuals make and receive payments. While innovative products and services can create new opportunities, regulatory scrutiny and requirements continue to impact what fintechs and other payment providers can do and offer.

We partner with clients to provide strategic legal, compliance and risk management advice throughout the company lifecycle — from fintech startups and traditional financial services providers to the largest global technology companies adapting to new regulatory obligations.

Regulatory Considerations in the Stages of a Payments Company’s Lifecycle

Payment providers can face similar challenges throughout the company lifecycle, but effective strategies vary greatly based on product offerings, geographic footprint and growth targets. We work with clients to understand their business goals and provide synthesized legal advice to assess regulatory considerations during formation, navigate ongoing compliance and risk management challenges during growth stages, and maximize the strategic events that define the course of their businesses.

  • Structure

    • Licensing requirements will impact the necessary structure, e.g., the inclusion of a holding company or other intermediary.
    • Review bank partnerships and other relationships for alignment with goals and resources.
    • Organizational decisions should reflect long-term considerations, e.g., acquisitions or other changes.
    • Investor profile and tax considerations also factor into structuring choices.


    • Many startups rely on bank partnerships and traditional lending programs to set up initial product offerings.
    • Alternative structures like SPVs can provide financing protections for innovative startups.
    • Some lenders require flexibility on required representations and warranties because of restrictions imposed by bank partners. 
  • Licensing Strategy

    • Thoughtful consideration is needed to identify what licenses are needed or how to structure a business to operate without licenses.
    • Licensing applications require significant, detailed corporate background materials, supporting documentation and personal information.
    • A well-prepared application requires more initial preparation, but can minimize regulatory follow-ups, delays and reviews.


    • It is becoming common for regulators to request compliance policies in conjunction with applications for licensure.
    • Well-positioned applicants should develop policies that document their compliance management system and evidence their understanding of the regulatory requirements that apply to their business activity.

    Application Requirements

    • Streamlining application requirements across different jurisdictions can create efficiencies, reduce regulatory follow-up and minimize review time, resulting in faster license approval.
    • Leveraging established regulatory relationships, experience navigating license application requirements and proven technology solutions can significantly improve efficiency and accuracy throughout the licensing process.
    • Learn More: Mogy | Licensing Regtech Platform »

    • Covered financial institutions, including banks and money transmitters, must implement extensive and detailed measures to prevent, detect and report money laundering and terrorist financing.
    • These include requirements to know-your-customer (KYC), report suspicious activity, keep records and cooperate with law enforcement requests.
    • BSA/AML compliance policies and programs are gating items for both licensing and partnerships between licensed and unlicensed entities.
    • U.S. sanctions separately prohibit every U.S. person from certain dealings with specified persons and jurisdictions.

    Building a CMS Program

    • Developing and implementing a well-coordinated CMS is critical to a company’s ability to grow, adapt to a changing regulatory environment and meet its strategic objectives.
    • Regulators expect entities to maintain an effective CMS that is integrated into the entire product and service lifecycle and assess CMS quality in nearly every routine examination.
    • Strong consideration should be given to developing a corporate governance policy, which includes a framework of internal controls that enable a company to sufficiently structure its financial reporting, CMS, information security and risk management controls to align with regulator expectations.

    Payments Regulations

    • Both state and federal statutes and regulations restrict how entities can collect and move funds.
    • Private rules like ACH and credit card network rules create additional overlays that are enforceable by contract.
    • These laws and rules impact how an entity is able to get paid and move funds and are a source of preventable risk.
    • Payment regulation violations are an easy target for regulators and private litigants, with putative liability often measurable in part in the amount of the non-compliant payment(s).

    Privacy & Data Security

    • Regulated industries are subject to stringent requirements for protecting and securing customer information.
    • Failure to implement proper cybersecurity standards can lead to loss of sensitive information, business disruption and reputational damage, all of which draw heightened scrutiny from regulators and potential costly enforcement actions.
    • Companies with a comprehensive understanding of the cybersecurity standards set forth in various federal and state laws are better positioned to develop compliant security policies, practices and procedures.

    State Examinations

    • State regulators often retain the authority to periodically examine entities licensed or operating in their state, a routine event with potentially significant business impacts.
    • Advance exam preparation can minimize and mitigate compliance risk and ease operational burdens.
    • Outside counsel review of company policies and internal documentation is recommended prior to furnishing materials to a regulator.
    • Identifying the audience and preparing a response strategy can significantly impact the outcome of an exam.
    • Establishing a single point of contact for regulatory examiners improves coordination with respect to communication, workflow, in-person requests, documentation gathering and more.
    • Learn More: APPROVED | Licensing, Compliance and Examination Solutions »

    Federal Examinations

    • Federal regulators — such as the CFPB — have broad authority to oversee compliance with federal law at entities participating in certain industries and of certain sizes.
    • Many of the same considerations apply as with state examinations (e.g., engagement of counsel, preparation, proactive engagement during the exam process).
    • Risk from a federal agency examination can be greater, as the scope of operations under review is often broader.

    Reporting & Audits

    • State and federal regulators expect companies to have a well-developed audit policy, a comprehensive audit report and a risk rating methodology that operates independently from the business.
    • A company’s audit function should be commensurate with its size, complexity and risk profile, and use a risk-based approach to determine the scope and frequency of its initiatives.
    • Licensed entities could be subject to periodic data submissions in connection to their business activities, including the company’s financial profile, in order to maintain licensure.

    Regulatory Change Management

    • Reliable regulatory change management is necessary to help navigate the constantly shifting patchwork of state and federal laws.
    • Implementing new policies, controls and standards is essential to keep compliance management systems aligned with changing regulatory requirements.
    • Remaining compliant with new and amended rules and regulations is vital to reducing legal risks from litigation and/or regulatory enforcement, as well as reputational risk.
    • Learn More: Winnow | Automated Compliance Change Management Platform »
  • Geographic Expansion

    • Distinct licenses are required for firms providing payment services in both the UK and in EU member states, though firms with a license in one EU member state may passport the same services across all other member states.
    • The authorization process can often take as long as 12 months, though the exact timing will vary from regulator to regulator.
    • Firms providing payment services will be expected to have certain senior employees resident in the country where they are authorized, usually including a head of branch/entity, money laundering reporting officer (MLRO) and chief compliance officer.
    • Payment firms are required to maintain regulatory capital based on transaction volume and meet overnight safeguarding requirements for customer funds.

    New Lines of Business

    • Launching a new payments line of business can trigger new and unanticipated regulatory, licensing and payments network requirements.
    • State money transmission laws can be a significant hurdle, even for entrants only tangentially involved with the movement of funds.
    • Identifying potential legal issues during the planning stage can give parties the ability to consider and implement alternative structures and arrangements to minimize regulatory requirements.
    • Resolving legal hurdles early makes the growth and development of successful lines of business smoother and can prevent the need for costly and time-consuming post-launch changes.
  • M&A

    • Timing depends largely on regulatory change of control requirements, and bifurcated deals are common.
    • Indemnification holdbacks are critical given the highly regulated nature of the activity and the potential for a deal to sit open for months to complete the change of control process.
    • Consider which party will be managing the change of control process and the impact parties can have on timing and conditions for a deal to close.


    • Build a strong, investable business well prepared to operate as a public company or for other transactions such as a sale or alternative exit.
    • Assemble experienced and credible internal and external teams to support the IPO process and beyond.
    • Accurately present financial data and confidently forecast with strong controls and infrastructure.
    • Work with advisors to perform due diligence and remove roadblocks.
    • Learn More: Orrick’s “IPO Ready” Assessment Tool »

    Change of Control

    • Advance notice is generally required in regulated industries prior to effecting a change of control.
    • “Change of control” is broader than just an acquisition and can include a large investment or change in management.
    • Materials about the acquiring company, a description of the transaction and personal information about new people in control positions will be required.
  • Restructuring/Bankruptcy

    • Coordination with regulators can minimize regulatory distractions and help efficiently navigate the restructuring or bankruptcy filing process.
    • Effective regulatory coordination can maximize outcomes and limit enforcement exposure when selling a licensed entity, disposing of assets and winding down a company, or restructuring debts.
    • Strategically working with regulators can minimize individual control person liability, both in the present and for future business endeavors.

    Surrendering Licenses

    • State regulators require notice of the intent to surrender the license, which may be submitted via the NMLS or by certain forms outside the system per state guidance.
    • Surrendering licensees may be required to submit payment of any final assessments or fees and/or final reports to the regulator and confirm ongoing compliance with certain books and records expectations.
    • Companies should have a comprehensive checklist for winding down or transitioning the business to reduce potential post-surrender liabilities.

    Enforcement Actions

    • Understanding risks, gathering intelligence and identifying strategic goals is imperative when faced with an enforcement matter.
    • Engage with regulators to establish trust through clear lines of communication and minimize the impact of inquiry.
    • Take affirmative corrective actions to address any perceived violations of law or deficient business practices.
    • Strategically working with regulators can minimize individual control person liability, both in the present and for future business endeavors.