Embedded Finance Licensing 2026: When BaaS Partners Nee...

In April 2024, Synapse Financial Technologies filed for Chapter 11 bankruptcy. Over 100,000 customers lost access to approximately USD 265 million in deposits, with between USD 65 million and USD 95 million still unaccounted for as of early 2026. The CFPB opened proceedings in August 2025. This was not a crypto blowup or a speculative collapse. It was a licensed, audited banking-as-a-service middleware provider that sat between fintech apps and FDIC-insured banks. When it failed, the entire embedded finance model came under scrutiny.

The Synapse fallout and what it exposed

Synapse acted as the middleware layer connecting consumer-facing fintech apps to partner banks, primarily Evolve Bank & Trust. The fintechs never touched customer funds directly. Synapse handled ledger reconciliation, compliance reporting, and the movement of money between customer accounts and bank partners. When Synapse's records diverged from Evolve's, nobody could determine which customers owned which funds.

Evolve Bank itself received a Federal Reserve cease-and-desist order in May 2025, following a data breach that compromised 7.6 million individuals' personal information. The compounding failures confirmed what regulators had suspected: the BaaS model, where non-banks embed financial services through licensed partners, creates accountability gaps that existing supervision does not cover.

Evolve was not alone. The European Banking Authority published findings in October 2025 identifying the white-label banking model as a "critical money laundering vulnerability." In Lithuania, Railsr's subsidiary PayRNet had its electronic money institution license revoked by the Bank of Lithuania for anti-money laundering violations, stranding customers across multiple fintech brands that relied on its infrastructure.

Agent model versus own license: where the line sits

The fundamental question for any fintech embedding financial services is whether it can operate as an agent of a licensed institution or whether it needs its own authorization. The answer depends on what the fintech actually does with customer money and decisions.

The agent model works when the fintech's role is limited to distribution. A company that offers a branded debit card, routes transactions through a partner bank, and never holds or controls customer funds can typically operate as a registered agent. The licensed bank retains responsibility for compliance, and the fintech operates under its regulatory umbrella.

The line shifts when the fintech exercises independent discretion. If the company decides which transactions to approve or decline, holds customer funds in its own accounts (even temporarily), or makes lending decisions using its own underwriting criteria, the agent model breaks down. At that point, regulators in most jurisdictions expect the company to hold its own license.

EU: PSD2 today, PSD3 tomorrow

Under the current EU framework (PSD2), payment institutions (PIs) and electronic money institutions (EMIs) must be authorized by their home member state's competent authority. The agent model allows licensed PIs and EMIs to distribute services through registered agents, but the licensed entity remains fully responsible for the agent's compliance.

The provisional agreement on PSD3 and the Payment Services Regulation (PSR) was reached on November 27, 2025. The new framework merges the PI and EMI authorization categories into a single license type. Publication is expected in early-to-mid 2026, with an 18-to-21-month transition period. For embedded finance companies currently operating under either category, this means a single (potentially more demanding) authorization process. The merger is intended to close gaps where companies structured their operations to avoid the stricter EMI requirements while effectively performing EMI functions.

UK: Consumer Duty as the enforcement lever

The FCA has signaled that embedded finance oversight is a 2026 enforcement priority. The Consumer Duty, which took effect in 2023, requires firms to deliver good outcomes for retail customers throughout the distribution chain. In September 2024, the FCA fined Starling Bank GBP 29 million for failures in its financial crime screening, including inadequate controls over accounts opened through partner channels. The message was explicit: the licensed bank cannot outsource compliance responsibility by outsourcing the customer interface.

For early-stage fintechs, the FCA's Provisional Licences Authorisation Regime offers a pathway to obtain authorization before launching, reducing the gap between starting a business and operating legally. But the regime does not lower the compliance bar; it accelerates the timeline for firms that can meet it.

US: federal crime, state patchwork

In the United States, any company transmitting money must register as a Money Services Business (MSB) with FinCEN at the federal level. Separately, most states require Money Transmitter Licenses (MTLs). Obtaining licenses across all required states can exceed USD 1 million in legal and compliance costs, with timelines stretching 12 to 18 months. Over 25 states have adopted the Model Money Transmitter Modernization Act (MTMA), which standardizes some requirements but does not create reciprocity.

Operating without the required licenses is a federal offense carrying penalties of up to USD 250,000 in fines and five years in prison. The BaaS model allowed fintechs to avoid this burden by operating under their bank partner's charter. Post-Synapse, regulators are questioning whether that arrangement adequately protects consumers when the middleware layer fails.

The industry's response

Block, Brex, Mercury, and Stripe formed the Coalition for Financial Ecosystem Standards, a self-regulatory initiative aimed at establishing baseline operational and compliance standards for BaaS relationships. The coalition's formation acknowledges what the Synapse collapse demonstrated: the existing regulatory framework did not anticipate a business model where three or four entities (fintech, middleware, bank, and sometimes a separate ledger provider) share responsibility for a single customer's money.

Whether self-regulation will satisfy regulators is doubtful. The EBA's money laundering findings, the FCA's Starling enforcement action, and the Federal Reserve's Evolve order all point toward mandatory standards, not voluntary ones. The direction is clear: if you touch customer money, exercise discretion over financial decisions, or sit in the flow of funds in a way that creates risk if you fail, regulators increasingly expect you to hold your own license.

Practical decision framework

For fintech founders evaluating their licensing needs in 2026, three questions determine the answer. First: do you hold, control, or have the ability to redirect customer funds at any point in the transaction flow? If yes, you likely need your own license. Second: do you make independent decisions about credit, risk, or transaction approval that are not merely executing your bank partner's policies? If yes, the agent model is probably insufficient. Third: if your middleware provider or bank partner failed tomorrow, would your customers lose access to their money? If the answer is anything other than a confident no, the Synapse precedent suggests regulators will eventually require you to have your own authorization.

The cost of direct licensing is significant: six to twelve months and several hundred thousand dollars in the EU or UK, potentially over a million in the US for multi-state coverage. The cost of not having a license when regulators decide you need one is existential. The embedded finance companies that survive the current regulatory tightening will be the ones that made the licensing decision proactively, not the ones that waited for an enforcement action to make it for them.