
Neobank Compliance & Licensing: The Complete 2026 Guide

Everything neobanks need to know about BSA/AML, state money transmitter licenses, BaaS sponsor risk, and federal oversight - with a step-by-step compliance roadmap.

PliOS Compliance Team

The neobank industry has added tens of millions of accounts over the past five years. Chime, Dave, Current, Revolut, and dozens of others have proven that mobile-first, low-fee banking resonates with consumers who have been underserved or overcharged by traditional institutions. But as the market matures, so does regulatory scrutiny - and the compliance failures that once stayed quiet are now generating consent orders, enforcement actions, and outright shutdowns.

If you are building a neobank, or are already operating one, compliance is not a future problem. It is a launch-day problem. This guide covers everything your team needs to understand: licensing models, federal obligations, BaaS risk, crypto overlays, and what a defensible compliance program actually looks like in 2026.

What Is a Neobank, Legally?

The term "neobank" is a marketing category, not a legal one. Regulators do not issue neobank licenses. What matters is the underlying structure, and there are three primary models:

Model 1: Money Transmitter License (MTL) Only

The most common path for early-stage neobanks. Under this model, the neobank holds state-level money transmitter licenses in each jurisdiction where it operates. It is not a bank - it cannot accept FDIC-insured deposits or make loans directly. Payments flow through a bank partner. The neobank is classified as a money services business (MSB) under FinCEN rules and must comply with BSA/AML accordingly.

Model 2: Banking-as-a-Service (BaaS) / Sponsor Bank

The neobank partners with an FDIC-insured sponsor bank - Evolve Bank & Trust, Sutton Bank, Column Bank, and others - that provides the charter, FDIC insurance, and core banking infrastructure. The neobank operates as the customer-facing product layer. Both the sponsor bank and the neobank share regulatory accountability, but the sponsor bank's charter is on the line when things go wrong.

Model 3: De Novo Bank Charter

A small number of fintechs have pursued full bank charters - either an OCC national bank charter, a state bank charter, or an industrial loan company (ILC) charter. This path is expensive (significant capital and resource requirements), slow, and increasingly competitive as regulators have grown cautious about de novo approvals. For most neobanks, this is not a realistic short-term option.

Understanding which model you operate under determines which regulators you answer to, which licenses you need, and what your compliance program must include.

Federal Oversight: What FinCEN and the CFPB Expect

Regardless of charter model, federal regulators have jurisdiction over neobanks. Two agencies dominate the compliance landscape.

FinCEN and BSA/AML

The Bank Secrecy Act applies to any financial institution - and FinCEN's regulations make clear that money services businesses, including neobanks operating under MTL models, are fully subject to BSA requirements. The five pillars of a compliant BSA/AML program are non-negotiable:

  1. A written BSA/AML policy and procedures manual tailored to your business model, risk profile, and products
  2. A designated BSA Compliance Officer with sufficient authority, resources, and independence
  3. Ongoing BSA training for all employees with customer-facing or financial roles
  4. Independent testing (internal audit or third-party review) of your BSA program at regular intervals
  5. Customer Due Diligence (CDD) - including Know Your Customer (KYC) at onboarding and ongoing monitoring of customer activity

For neobanks with high transaction volumes, thin margins, and customer bases that skew toward cash-heavy or underbanked populations, the CDD and transaction monitoring requirements deserve particular attention. Regulators expect risk-based controls, not one-size-fits-all rules.

Suspicious Activity Reports (SARs) must be filed within 30 days of detecting suspicious activity. Currency Transaction Reports (CTRs) apply at the $10,000 threshold. These are not optional, and failure to file - or failure to file accurately - generates the kind of findings that lead to consent orders.

CFPB: Regulation E, UDAAP, and Fair Lending

The Consumer Financial Protection Bureau has increasingly asserted jurisdiction over fintechs and neobanks offering consumer financial products. If your product touches:

  • Electronic fund transfers (Regulation E applies - error resolution, unauthorized transaction liability, disclosure requirements)
  • Savings or deposit-like products marketed to consumers
  • Credit products, BNPL, or earned wage access

...then the CFPB's Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) rules apply. Misleading fee disclosures, inadequate error resolution processes, and aggressive marketing of high-cost products to vulnerable populations have all drawn CFPB attention. The bureau's 2024 interpretive rule extending Regulation E to digital wallets and certain stored-value products further expanded the compliance surface for neobanks.

State Licensing: The 50-State Problem

Here is where neobank compliance becomes operationally painful. There is no federal money transmitter license. There is no passporting between states the way the EU's PSD2 works. Each state has its own licensing regime, its own bonding requirements, its own net worth minimums, and its own examination schedule.

The practical implications:

  • 40–48 state licenses are typically required to operate nationally (some states have exemptions for certain business models or volumes)
  • Licensing timelines range from 3 months (a few states with streamlined processes) to 18+ months for complex applications in states like New York or California
  • Surety bonds can run $50,000 to $1M+ per state depending on transaction volume and state requirements
  • Net worth requirements vary widely - some states require $100,000 in net worth; others require $500,000 or more
  • Annual reports and renewals must be filed through the Nationwide Multistate Licensing System (NMLS), and missing a deadline results in license suspension

California, New York, and Texas are the three highest-priority states for most neobanks by population, and they are also three of the most demanding licensing jurisdictions. California's Department of Financial Protection and Innovation (DFPI) conducts rigorous examinations. New York's DFS is famous for its demanding applications and high standards. Texas requires its own examination process separate from NMLS.

The licensing timeline is one of the most underestimated delays in neobank launches. Founders who assume they can obtain MTLs in parallel with product development routinely find themselves with a built-out product and no ability to legally operate in key states.

The BaaS Compliance Trap

The BaaS model looked like a clean solution to the licensing problem: partner with a bank that already has a charter, use their FDIC insurance, and get to market faster. And for several years, it was. But the wave of enforcement actions against sponsor banks in 2024 and 2025 exposed a fundamental weakness in the model.

When a sponsor bank receives a consent order - as Evolve Bank & Trust, Blue Ridge Bank, Sutton Bank, and others did - the consequences cascade immediately to every fintech partner on their platform. Customer accounts can be frozen. New customer onboarding must be suspended. The neobank's ability to operate depends entirely on the regulatory status of a third party they do not control.

The underlying issue: regulators hold sponsor banks responsible for the BSA/AML compliance of their fintech partners. If Fintech A is doing inadequate KYC, that is Sponsor Bank B's problem. The OCC, FDIC, and Federal Reserve have all issued guidance making clear that a bank cannot outsource compliance responsibility to a fintech partner - the bank is accountable even if the fintech is the customer-facing entity.

For neobanks on BaaS platforms, this creates an obligation that many have underestimated: you must run a compliance program that your sponsor bank's examiners will approve of, not just one that satisfies your own internal standards. Your BSA program, your KYC procedures, your SAR filing practices - all of these are subject to review by the sponsor bank and by the sponsor bank's regulators.

Questions every BaaS neobank should be asking:

  • What is the regulatory status of my sponsor bank? Any outstanding consent orders, MRAs, or MRIAs?
  • What BSA/AML documentation does my sponsor bank require from us, and how often?
  • Does our agreement include contractual compliance obligations that could be triggered by an exam finding?
  • What is our contingency plan if our sponsor bank is forced to suspend BaaS partnerships?

Diversifying across two sponsor banks is expensive but increasingly common for neobanks that have reached scale and cannot afford a single point of failure.

Crypto Neobanks: A Double Layer of Regulation

Neobanks that touch cryptocurrency - whether offering crypto trading, crypto-backed debit cards, stablecoin wallets, or crypto-to-fiat conversion - face an additional regulatory layer on top of everything above.

At the federal level, crypto activity triggers MSB registration with FinCEN under the money transmission category. The BSA/AML obligations apply to crypto activity as fully as they do to fiat activity, including transaction monitoring rules that must be adapted to on-chain behavior.

At the state level, crypto neobanks face state-specific licensing requirements that differ significantly from standard MTLs:

  • New York requires a BitLicense from DFS for virtual currency business activity - one of the most demanding and expensive licensing processes in the country
  • California requires a Digital Financial Assets License (DFAL) under the DFAL Act, which took effect in 2025
  • Several other states have enacted or are enacting digital asset licensing regimes that do not align with the standard MTL framework

The GENIUS Act, which passed in 2025 and established a federal framework for payment stablecoins, adds another dimension. Neobanks issuing or integrating payment stablecoins face reserve requirements, redemption obligations, and disclosure rules under the Act, layered on top of the state licensing regimes above.

For crypto neobanks, the compliance budget and timeline estimates that apply to traditional neobanks need to be revised upward significantly. Budget for both federal and state licensing tracks running simultaneously, with specialized outside counsel for crypto licensing.

Building a Defensible Compliance Program

Regulators examining neobanks are looking for the same things they look for at traditional banks, adapted for the higher transaction volumes and tech-forward business models that neobanks operate. Here is what a defensible compliance program includes:

Written Policies and Procedures

Your BSA/AML program must be documented in writing, approved by your board (or equivalent governing body), and reviewed and updated at least annually. This is not a formality - examiners read your policies and compare them against what they observe in your actual operations. Policies that describe processes you do not follow are worse than having no policies at all, because they demonstrate awareness without action.

Risk Assessment

A written risk assessment that profiles your customer base, geographies, products, and transaction types against known BSA/AML risk factors is required. Neobanks serving cash-heavy populations, offering peer-to-peer payment functionality, or operating in high-risk jurisdictions need to document those risks explicitly and explain the controls they have put in place to mitigate them.

Customer Identification Program (CIP) and KYC

Your CIP must verify customer identity at account opening using documentary or non-documentary methods. For most neobanks, this means identity verification services (Socure, Alloy, Jumio, etc.) integrated into onboarding. The CIP must be documented, tested, and capable of withstanding examiner review. Enhanced due diligence (EDD) procedures for higher-risk customers must be documented separately.

Transaction Monitoring

Automated transaction monitoring is expected at any neobank with meaningful transaction volume. Your monitoring rules must be calibrated to your risk profile and reviewed regularly. An alert backlog with no documented resolution process is a major exam finding. Regulators expect to see evidence that alerts are reviewed, dispositioned, and escalated when appropriate.

SAR Filing

Your SAR process must be documented. Who makes the SAR decision? What is the escalation path? How are SAR decisions documented even when a SAR is not filed? Failure to file SARs for known suspicious activity is one of the most serious BSA violations an institution can commit.

Independent Testing

An internal audit function or third-party BSA review must test your program at intervals appropriate to your risk profile - typically annually at minimum. The testing scope, findings, and management responses must be documented. Examiners want to see that you identify your own gaps before they do.

Board Governance

Your board or governing body must receive BSA/AML reporting at regular intervals and must formally approve your BSA program. For neobanks with less formal governance structures, this requires building board-level compliance reporting into your operations early.

Common Exam Findings at Neobanks

Based on published enforcement actions and examiner guidance, these are the issues that surface most frequently at neobanks:

  • Inadequate CIP: Identity verification that does not collect or verify all required elements, or that uses identity verification vendors without adequate quality controls and regular performance reviews
  • No ongoing monitoring: Onboarding KYC without any mechanism to update customer risk profiles or detect behavior that differs from stated purpose
  • Weak vendor oversight: No due diligence documentation for fintech partners, payment processors, or identity verification vendors; no contractual BSA obligations in third-party agreements
  • Alert backlogs: Transaction monitoring alerts that accumulate without timely review or documented disposition
  • Missing or stale risk assessments: No formal BSA risk assessment, or a risk assessment that has not been updated to reflect changes in the customer base, products, or geographic footprint
  • Insufficient board reporting: No formal mechanism for the board to receive BSA/AML performance data, including SAR volumes, monitoring alert metrics, and exam findings

The common thread is that many neobanks treat compliance as something to retrofit after achieving product-market fit. Regulators do not accept that sequence. The expectation is a compliant program from the first customer interaction.

Building the Right Compliance Infrastructure

Neobanks face the same regulatory obligations as traditional banks but with leaner teams, faster growth rates, and less institutional history. The compliance programs that hold up under examination are built on software that keeps risk assessments current, policies maintained, and exam evidence organized - not on spreadsheets and shared drives that break down at scale.

PliOS is built specifically for neobanks and fintechs navigating this landscape. From BSA/AML risk assessments and policy management to exam readiness and vendor risk tracking, PliOS gives lean compliance teams the infrastructure to operate at a level regulators expect.

Start your free gap assessment and see where your compliance program stands before your next exam does.


This guide is intended for informational purposes and does not constitute legal advice. Neobanks and fintechs should consult qualified legal counsel for licensing and compliance program design specific to their business model and jurisdiction.

Frequently asked questions

Do neobanks need a banking license?

Most neobanks operate under a money transmitter license (MTL) or partner with a sponsor bank under a BaaS model rather than holding a full bank charter. Each state has its own MTL requirements, and some states - like New York - layer on additional licenses such as BitLicense for crypto activity.

Are neobanks subject to BSA/AML?

Yes. Neobanks operating as money services businesses (MSBs) must register with FinCEN and maintain a written BSA/AML compliance program regardless of charter type. The five pillars - written program, designated BSA officer, training, independent audit, and customer due diligence - apply in full.

What is BaaS compliance risk?

Banking-as-a-service (BaaS) neobanks rely on sponsor banks for FDIC insurance and charter access. Regulators hold both the sponsor and the fintech partner accountable for BSA/AML violations. Several sponsor banks received consent orders in 2024–2025 - and their fintech partners faced immediate disruption.

What licenses does a neobank need in all 50 states?

A neobank typically needs a money transmitter license in each state where it operates, except where exemptions apply. This can mean 40–48 individual state licenses, each with separate bonding, net worth, and reporting requirements.

What is the difference between a neobank and a traditional bank for regulatory purposes?

Traditional banks hold OCC or state charters with FDIC insurance directly. Neobanks typically do not - they operate as MSBs, under BaaS arrangements, or (rarely) under industrial loan company charters. The regulatory obligations differ but compliance programs are required either way.

PliOS provides compliance management tools and educational content. This article does not constitute legal advice. Always consult qualified legal counsel for jurisdiction-specific guidance.

See where your compliance program stands

PliOS maps your obligations, drafts your policies, and keeps you exam-ready. Start with a free, AI-guided gap assessment — no credit card required.
