Many recent failures happened because control mechanisms worked in theory but not in practice — as firms grew, prices no longer matched the value customers received and distribution models pushed products in ways that increased risk. Alex Tsepaev, chief strategy officer of B2PRIME Group, explains how regulators are addressing the feedback loop between what a product promises and what customers experience.
Over the past two years, regulators have started to move away from paper-based compliance toward evidence-based supervision. In the UK, for instance, the FCA is using its Consumer Duty regulation to test whether pricing and distribution deliver fair value in practice. In the EU, DORA has turned operational resilience and third-party oversight from supervisory guidance into enforceable obligations.
All of these factors point in the same direction. Regulators are no longer relying on declarations. They are asking for proof. So the real question is whether a firm’s operations actually behave as intended once real customers start using it in real conditions.
For fintechs planning to scale in 2026, this shift changes how they operate. Firms will be expected to demonstrate, on demand, that customer outcomes are fair, operations are resilient and execution and distribution hold up under scrutiny.
Outcomes replace intentions
When regulators say they want evidence, they’re not asking for more documentation. They’re demanding a different kind of explanation. Instead of describing how a business is supposed to function, firms are expected to show how it actually functions once products meet scale, incentives and operational stress. So, evidence-based supervision is becoming the default.
That expectation mirrors how supervisors already work today. Many of the recent failures happened because control mechanisms worked in theory but not in practice. As firms grew, prices no longer matched the value customers received. Distribution models started to push products in ways that increased risk, even though that was never the original intention. And when something went wrong, response plans turned ineffective once several systems or external partners failed at the same time.
That’s why supervisors are adjusting their approaches. At the EU level, the European Securities and Markets Authority (ESMA) has repeatedly emphasized through its supervisory convergence work that compliance must be assessed based on how governance and controls operate in real conditions. The same logic is now showing up across conduct, operational and prudential supervision. The uncomfortable implication is that “We were compliant at launch” won’t carry much weight if the outcomes change a year later.
For fintechs planning to scale in 2026, this sets a new baseline. If a firm can’t show that its controls continue to work as complexity increases, confidence erodes quickly, both with regulators and with partners. Eventually, that will separate firms that can scale from those that can only ship.
Resilience and vendor risk take center stage
One of the most telling examples of how the landscape has changed is how regulators pay close attention to the vendors that sit beneath the entire financial system. In November 2025, the European Supervisory Authorities designated 19 technology providers as “critical” under DORA, including major cloud and data providers, so they can be overseen at the EU level.
I think that’s purely about preventing concentration risk. Otherwise, if many firms depend on the same few providers, a single disruption can have a significant market-wide effect.
Platforms built on outsourced infrastructure and APIs carry this risk by default. That reality changes how partnerships are won and kept. Banks, payment networks and enterprise clients will ask for proof of recovery times, vendor oversight and incident discipline because their regulators will ask them first.
In this environment, third-party risk turns into something you inherit and must be able to defend.
Fraud metrics and AI decisions redraw the perimeter
Evidence-based supervision doesn’t stop at a firm’s walls. The next pressure point is where customer harm shows up fastest, particularly fraud losses and automated decisions. These are areas where harm is measurable within days and where partner risk becomes reputational risk immediately.
On fraud, the direction is toward outcome responsibility. In the UK, the APP fraud reimbursement regime for Faster Payments took effect Oct. 7, 2024, with a maximum reimbursement level set at £85,000 per claim. That doesn’t mean scams will disappear. What matters is that supervisors are shifting the question from “was the payment authorized” to “did the system make it too easy for criminals to succeed.”
The EU approach reinforces the same trend. A late-November 2025 political deal on new EU payment services rules includes stronger anti-fraud measures for banks and payment service providers, and it extends responsibility toward online platforms when fraudulent ads drive scams. In plain terms, the perimeter expands to wherever fraud originates, rather than only where the payment settles.
The second accelerant is automated decisions. As firms use AI for onboarding, credit and fraud controls, governance has to cover explainability, monitoring and escalation. The EU AI Act is already on a phased timetable, with major obligations rolling through 2027, even as industry groups and some policymakers push for delays or simplification.
The takeaway is that AI compliance emerges as a governance discipline before it becomes a standard audit procedure, because partners and supervisors will demand clarity on automated decisions long before every deadline arrives.
What changes in 2026
The way I see it, in 2026, the compliance advantage will belong to firms that can show their work.
Obviously, regulators are tightening the feedback loop between what a product promises and what customers experience. Fraud losses and automated decisions, in turn, make the perimeter even wider, because harm appears fast and gets attributed fast, regardless of who built the model or hosted the service.
That’s where the growth starts to fork. Firms that can evidence fair outcomes, resilient delivery and accountable third-party oversight will keep winning partnerships and market access. Those that can’t do it will spend 2026 negotiating exceptions, rebuilding trust and relearning that compliance is now part of the product.
Alex Tsepaev is chief strategy officer at B2PRIME Group, a global financial services provider for institutional and professional clients. 
