For years, fintechs in the U.S. grew through partnership models. They owned the financial product’s customer experience. Banks provided the infrastructure behind deposits, payments, lending, credit cards and access to payment networks.
But a new trend emerged in 2025 – fintechs seeking their own banking charter, whether by acquiring an established bank or applying for a de novo bank charter under the OCC.
In the first half of 2026, OppFi announced a definitive agreement to acquire BNCCORP and BNC National Bank [1]. Affirm applied to establish Affirm Bank, a Nevada-chartered industrial loan company [2]. Revolut applied for a U.S. national bank charter [3]. Nubank received conditional approval from the Office of the Comptroller of the Currency to form Nubank, N.A. [4]. PayPal applied to establish PayPal Bank, a Utah-chartered industrial loan company [5].
Not every fintech wants to become a traditional bank, but the direction is clear: many fintechs want more control over the banking value chain. That control can unlock growth efficiency, improve funding economics, and reduce reliance on sponsor banks and third-party infrastructure. It also gives fintechs more direct control over products, payments and customer experience.
But the closer a fintech gets to being a bank, the more it must operate like one.
Why fintechs are pursuing bank charters
Regulatory concerns are a key part of the drive to banking among fintechs.
The banking-as-a-service model originally drove innovation, powering everything from digital lending to embedded payments, but it also created risks. As fintechs grew larger and more systemically important, regulators became more cautious about the model’s risks.
Enforcement action of fintechs, such as the 2023 OCC, Federal Reserve and FDIC joint guidance on third-party risk management for banks with third-party relationships, created new risks for fintechs [6]. For some, this led to the view that rather than avoiding being a bank, it was time to create one.
The current light-touch regulatory regime in the U.S. means that the regulatory window is open to obtain a banking license. But this may change as the political environment changes over the next two years, so if a fintech wants to keep the bank option open, the time to act is now.
Bank charters can also help fintechs with their expansion plans. For lenders, a charter or bank acquisition can support a more diversified funding model. For payments and merchant finance businesses, the benefit may be more direct control over lending, savings products, card network membership, processing and settlement. For global digital banks, a US charter can support expansion at scale.
A final driver is reducing the perceived risk for customers and partners. This became particularly visible after the collapse and bankruptcy of bank/fintech middleman Synapse in 2024, which froze accounts for tens of thousands of US businesses and consumers [7]. It showed how quickly weakness in a shared operating model can become a customer, regulatory and reputational issue.
Three routes, one governance challenge.
Fintechs are not all following the same route, with three main models on show.
- Buy a bank: OppFi’s acquisition of BNCCORP and BNC National Bank is a recent example. This route can offer a faster path to a charter than building a bank from scratch. But the buyer is not just acquiring a license. It is acquiring a regulated operating model, a balance sheet, a control environment, supervisory relationships, systems, people, customers and obligations.
- Build a bank: Revolut has applied for a US national bank charter. Nu has received conditional OCC approval to create Nubank, N.A. A de novo charter can allow a fintech to design a bank around a digital-first operating model. But conditional approval can still require capitalization, governance, risk management, operational readiness and further regulatory steps before the bank opens.
- Create a bank subsidiary or industrial loan company: Affirm and PayPal have applied to establish industrial loan charter (ILC) banks, offered by the FDIC. This route can be attractive for fintechs that want banking capabilities without turning the entire parent company into a traditional bank. But it still attracts scrutiny around governance, ownership, parent-company risk and how banking activity is separated from wider operations.
More control means more accountability.
A fintech that owns a bank, becomes a bank or establishes a bank subsidiary cannot treat GRC as a back-office compliance exercise. It must show that its governance, risk management, controls and reporting can support regulated banking activity.
This raises many questions. Who owns each material risk? How are risks identified, assessed, monitored and escalated? How are controls designed and tested? How are regulatory obligations mapped to controls and evidence? How are third parties assessed and monitored? How are incidents captured, investigated and remediated? How does the board know whether risk is increasing or controls are weakening?
In a fast-growth fintech, risk management may have developed organically. Teams may use different tools, definitions and reporting formats. That can work when the organization is smaller and the regulatory perimeter is limited. It becomes harder to defend when the business moves closer to banking.
Bank-grade GRC requires a common language for risk.
It requires clear ownership. It requires controls that are documented, mapped, tested and improved. It requires obligations to be linked to policies, controls, evidence and remediation. It requires third-party oversight that goes beyond onboarding checks. It requires operational resilience planning that reflects real dependencies across technology, vendors, processes and customer services.
Regulators are not simply assessing whether controls exist. They are assessing whether governance structures, risk ownership, independent challenge, and board oversight are effective in practice.
What bank-grade GRC needs to prove
Bank-grade GRC is the ability to prove that risk is understood, controls are working, dependencies are managed and leaders have reliable evidence to act. For fintechs moving closer to banking, that means answering four core questions:
| What needs to be proven | What this means in practice |
| --- | --- |
| Are material risks understood? | The organization needs a consistent view of strategic, operational, payment, compliance, technology, cyber, digital/stablecoin, model, third-party, conduct, liquidity and reputational risk. It needs to know which risks matter most, who owns them and whether they sit within appetite. |
| Are controls working? | Controls should be linked to the risks they mitigate, the obligations they support and the incidents or issues they help prevent. This is especially important where controls sit inside technology-enabled processes such as credit decisioning, payments, fraud monitoring, onboarding, KYC and AML screening. |
| Are obligations being met? | Compliance needs to be operationalized. The business must know which obligations apply, who owns them, what controls support them, what evidence exists, whether attestations are complete and what remediation is underway. |
| Are critical dependencies managed? | Becoming more bank-like does not remove reliance on cloud platforms, data providers, identity verification services, payments infrastructure, card processors and other vendors. It increases the need to connect due diligence, ongoing monitoring, incidents, concentration risk, exit planning and operational resilience. |
| Is risk changing faster than the organization can respond? | Management needs visibility into emerging risks, deteriorating controls, recurring incidents and unresolved issues before they become material events. |
The final proof point is reporting.
Boards, executives and regulators need visibility over risk exposure, control performance, compliance status, incidents, issues, remediation, third-party dependencies and emerging risk.
They also need to trust the data behind the report, which means being able to show where information comes from, how risks are assessed, how controls are tested, how issues are escalated and how actions are tracked to closure.
This is where fragmented GRC becomes a weakness. If risk, controls, compliance, incidents, issues and assurance activity sit in separate systems or spreadsheets, the organization may have activity without visibility.
Why integrated GRC is important
As fintechs become more bank-like, disconnected risk and compliance processes become harder to defend.
Spreadsheets, point solutions and manual workflows may work in early stages of growth. They can also work for isolated processes. But they struggle when the organization needs connected oversight, clear ownership, auditability and defensible reporting across the full risk life cycle.
Integrated GRC helps connect the moving parts.
It links risks to controls. Controls to obligations. Obligations to evidence. Incidents to issues. Issues to actions. Actions to assurance. Assurance to board reporting.
This is important because risk does not move in straight lines. A third-party issue can become an operational resilience issue. A control failure can become a compliance breach. A product change can create new obligations. A model change can affect credit risk, conduct risk and customer outcomes. A customer-impacting incident can trigger regulatory reporting, remediation and control redesign.
When these processes are disconnected, leaders may only see the problem after it has escalated. When they are connected, the organization can identify trends earlier, understand root causes, prioritize remediation and report with greater confidence.
This is what Protecht calls Risk in Motion—the reality that risks evolve continuously across products, processes, third parties and regulatory obligations. Organizations need visibility not just into individual risks, but into how those risks interact, accelerate and create downstream impacts.
For fintechs pursuing bank charters, acquisitions or bank subsidiaries, integrated GRC is not just a way to manage compliance. It is a way to support sustainable growth.
Becoming a bank is only the beginning
A bank charter can be a powerful strategic move. It can help fintechs gain control, improve funding, expand product offerings, reduce reliance on third parties and build credibility.
The challenge is not obtaining a bank charter. The challenge is operating successfully under one. As fintechs move closer to regulated banking, governance, risk and compliance become strategic capabilities—not just regulatory requirements. The organizations that build connected, evidence-based risk management early will be better positioned to scale with confidence.
This requires an operating model transformation. The fintechs best placed to succeed will be those that combine innovation with discipline. They will need the speed and customer focus of a fintech, supported by the governance, controls, resilience and oversight expected of a bank.
That means building GRC maturity before, during and after the charter journey.
Protecht helps financial services organizations connect risks, controls, obligations, incidents, issues, audits and actions in a single platform, giving leaders the visibility they need to make confident decisions.
Citations
3. Revolut, https://www.revolut.com/en-US/news/revolut_files_u_s_bank_charter_application_names_new_u_s_ceo/
4. Nu, https://international.nubank.com.br/company/nu-secures-approval-to-establish-us-national-bank/
6. OCC, https://www.occ.gov/news-issuances/bulletins/2023/bulletin-2023-17.html
7. AP, https://apnews.com/article/07ecb45f807a8114cac7438e7a66b512


