Most fintechs think 2025 is shaping up to be their year. After a decade of expanding regulatory reach, aggressive enforcement, and agency interpretations that stretched statutory language to its breaking point, the tide seems to be turning.
Last week, a federal court struck down the Federal Reserve’s Regulation II debit interchange fee cap, upending a framework that defined payment economics for more than a decade. The Consumer Financial Protection Bureau (CFPB) paused its open banking rule under Section 1033 of Dodd-Frank and delayed small business lending data collection under Section 1071, both responding to litigation. The Supreme Court’s Loper Bright decision eliminated Chevron deference, sharply curtailing agencies’ ability to interpret ambiguous laws.
From a distance, this looks like a deregulatory moment. For many fintech business models, it creates a high-risk period of uncertainty that can be more damaging than the rules themselves.
When Winning In Court Breaks Your Business Model
The Regulation II ruling illustrates the problem. Companies that built their economics around debit interchange fees now face uncertainty. Some use those fees to fund rewards programs. Others share them with banking-as-a-service partners or use them to offer zero-fee accounts.
The Fed could rewrite the rule to favor merchants, which would slash interchange rates. But that process could drag on for years, with appeals and maybe even congressional hearings.
Meanwhile, companies are trying to plan budgets and investor presentations without knowing what their core revenue stream will look like.
This pattern extends beyond payments. Credit card rewards, routing rules, and data rights all face similar risks. When a business model depends on a particular legal framework, and that framework gets sent back to the drawing board, companies operate in uncertainty until something new emerges.
Open Banking Goes From Simple To Fragmented
Section 1033 was supposed to create order. The CFPB would set national standards for APIs, data fields, and dispute handling. Banks and fintechs would know exactly what they had to do. Consumers would get better data access.
Instead, the rule is on hold while the Bureau starts over. What’s likely to emerge is fragmentation. Private companies will cut bilateral data-sharing deals. Different states will write their own rules. Banks will use different technical standards depending on who’s asking for data.
For fintechs that need bank data, the complications are significant. Integration costs increase. Product launch timelines extend. And there’s always the risk that key data sources will change terms or cut access entirely. Recent developments illustrate this risk, with major banks beginning to charge fintechs for customer data access through aggregators. Industry executives warn these fees could be devastating for early-stage startups and make certain financial transactions economically impossible for consumers. Without clear federal rules, banks can essentially set their own terms for data access.
Small Business Lending: When Federal Vacuum Invites State Action
The CFPB’s 1071 rule, designed to create uniform small business lending data requirements, sits in limbo. While federal enforcement pauses, states may fill the gap by either adopting their own data reporting mandates or using unfair and deceptive acts and practices statutes to police perceived discrimination.
For fintech lenders, especially those serving niche or underserved markets, this raises the risk of multiple, overlapping compliance regimes. The absence of a single federal framework doesn’t eliminate rules. It creates more of them, with more variation.
States Are Already Moving In
Federal enforcement isn’t simply disappearing. While agencies pull back, state enforcers are getting more aggressive.
Massachusetts provides a clear example. This summer, the state’s AG settled a case against a student loan company that used AI for underwriting. The state alleged disparate impact discrimination under both federal and state law. This is exactly the kind of case federal regulators have been backing away from. But Massachusetts imposed detailed requirements: annual AI model reviews, documented fair lending tests, comprehensive governance protocols.
This pattern is becoming common. Federal regulators step back, state AGs step forward. The rules don’t disappear. Companies face 50 different versions of them.
Even at the federal level, not every enforcement trend is fading. Redlining cases continue working through courts, and judges sometimes refuse to unwind prior settlements despite joint requests from regulators and defendants. In other instances, the CFPB has terminated consent orders, but only after full compliance with monetary and conduct obligations. This hardly signals that underlying conduct is now acceptable.
Post-Chevron: More Litigation, Less Predictability
The Supreme Court’s Loper Bright decision, overruling Chevron deference, represents perhaps the most significant regulatory shift in decades. By giving courts, rather than agencies, the final word on statutory ambiguities, it invites more challenges to rules, more venue shopping, and more divergent interpretations.
In theory, this limits regulatory overreach. In practice, it means a fintech product cleared under one circuit’s interpretation could be non-compliant in another. Multi-state operations now carry not just operational complexity but legal risk tied to geography.
For fintechs, losing a single authoritative agency interpretation also complicates partnerships. Banks and vendors may adopt the most conservative reading available to mitigate risk, raising the compliance bar across the board.
What Companies Should Do Now
After years of aggressive enforcement, any pullback feels like relief. But smart executives are taking concrete steps:
Map legal dependencies. Companies should catalog every statute, regulation, and agency interpretation that their revenue model relies on. Track the court cases. Know when rulemaking deadlines are coming. Most organizations have little visibility into their actual regulatory exposure until something changes.
Plan for different outcomes. What happens if interchange rates get cut significantly? What if data sources get regulated differently across states? What if AI models have to meet the most stringent state standards everywhere? Develop actual contingency plans, not just optimistic projections.
Monitor state developments. Companies need systematic tracking of what each state AG is prioritizing. When federal enforcement slows down, state enforcement typically accelerates. The enforcement doesn’t stop. It becomes more complicated.
Update partnership agreements. Most fintech contracts were written assuming stable regulatory frameworks. But what happens when those frameworks change mid-contract? Agreements should include mechanisms to renegotiate or exit if compliance becomes impossible or uneconomical.
The Bottom Line
Fintech has always been about finding gaps where technology moves faster than regulation. But today’s gaps are different. They’re not gaps created by innovation. They’re gaps created by the deliberate unwinding of established rules.
These gaps don’t stay open forever. They get filled by state regulators, by federal courts applying different standards in different circuits, by agencies writing new rules under new administrations.
Regulatory pullback isn’t a victory lap. It’s a signal to prepare for what comes next. Because something always comes next. And in 2025, it’s likely to be more fragmented and harder to predict than what came before.