The seven terms that decide whether a neobank is safe.
IBAN. SEPA. SEPA Instant. Verification of Payee. PSD3. DORA. EMI vs banking licence. Every neobank review on this site references at least three of these; every one of them has a legal definition that a neobank cannot bend. In plain English, with the primary sources.
Jump to a term.
- IBAN — Identifier · ISO 13616
- SEPA — Payment scheme · since 2008
- SEPA Instant — Real-time rails · mandatory Jan 2025
- Verification of Payee — Fraud-prevention check · mandatory Oct 2025
- PSD3 — Legislative package · in adoption
- DORA — ICT risk regulation · applied 17 Jan 2025
- EMI vs banking licence — Licence class · deposit-protection divide
- BaaS — Banking architecture · partner-bank model
- Sponsor bank — US fintech architecture
- FDIC pass-through — Deposit insurance · US
- FGC — Deposit guarantee · Brazil
- CNBV / SOFOM ER / IPMP — Regulator · Mexico
- MAS — Regulator · Singapore
- KDIC — Deposit guarantee · South Korea
- APRA / FCS — Regulator + DGS · Australia
- BSP — Regulator · Philippines
- CBN microfinance — Bank licence class · Nigeria
- CBUAE — Regulator · UAE
- AMLR / EU AMLA — Regulation · EU AML reform 2027
IBAN International Bank Account Number
The 15–34-character identifier that routes a euro (or other) payment to a specific account. Format: country code + two check digits + a national part (BBAN).
IBAN is specified by ISO 13616, maintained by SWIFT as the registration authority. An IBAN is not itself an account; it is a machine-checkable way to uniquely address one inside an international payment.
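The structure and machine-checkability described above, as an added example (not code from this site): a Python parser that splits an IBAN into country code, check digits and BBAN and verifies the ISO 13616 mod-97 check before the value reaches a payment API. The function names are hypothetical, the length table is a deliberately partial subset of the registry, and the sample IBANs in the comments are widely published documentation examples, not real accounts.

```python
import re
from dataclasses import dataclass

# Assumption: partial subset of the national lengths in the ISO 13616 registry.
# A production validator loads the full registry; unknown countries here only
# get the generic 15-34 character bound plus the checksum.
IBAN_LENGTHS = {"BE": 16, "DE": 22, "ES": 24, "FR": 27, "GB": 22,
                "IT": 27, "LT": 20, "NL": 18, "NO": 15}

# Country code (2 letters) + check digits (2 digits) + BBAN (11-30 alphanumerics),
# which gives the 15-34 character range. Explicit ranges keep the match ASCII-only.
_SHAPE = re.compile(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}")


class IbanError(ValueError):
    """Raised with a short machine-readable reason code."""


@dataclass(frozen=True)
class Iban:
    country: str       # e.g. "LT"; says where the account is held, not where the customer lives
    check_digits: str  # two digits computed over country + BBAN
    bban: str          # national part (bank code, branch, account number)

    def __str__(self) -> str:
        return self.country + self.check_digits + self.bban


def _mod97(alnum: str) -> int:
    # ISO 13616 maps A..Z to 10..35; int(ch, 36) yields exactly that mapping.
    return int("".join(str(int(ch, 36)) for ch in alnum)) % 97


def check_digits(country: str, bban: str) -> str:
    """Compute the two check digits an issuer would assign to country + BBAN."""
    return f"{98 - _mod97(bban + country + '00'):02d}"


def parse_iban(raw: str) -> Iban:
    # Reject non-ASCII *before* upper(): characters such as U+0131 or U+017F
    # upper-case into plain ASCII letters and would otherwise slip through.
    if not raw.isascii():
        raise IbanError("non_ascii")
    compact = raw.replace(" ", "").upper()  # printed IBANs are grouped in fours
    if not _SHAPE.fullmatch(compact):
        raise IbanError("shape")
    country = compact[:2]
    expected = IBAN_LENGTHS.get(country)
    if expected is not None and len(compact) != expected:
        raise IbanError("length")
    # Move the first four characters to the end; a valid IBAN leaves remainder 1.
    if _mod97(compact[4:] + compact[:4]) != 1:
        raise IbanError("checksum")
    return Iban(country, compact[2:4], compact[4:])


def reject_reason(raw: str):
    """Return None for a valid IBAN, otherwise the reason code."""
    try:
        parse_iban(raw)
    except IbanError as exc:
        return exc.args[0]
    return None


if __name__ == "__main__":
    samples = [
        "DE89 3704 0044 0532 0130 00",   # published example, valid
        "lt12 1000 0111 0100 1000",      # published example, lower-case input
        "DE89 3704 0044 0523 0130 00",   # constructed: two adjacent digits swapped
        "DE89 3704 0044 0532 0130 0",    # constructed: one character short
    ]
    for s in samples:
        print(f"{s!r:36} -> {reject_reason(s) or 'ok'}")
```

A passing check only shows the string is well-formed; it says nothing about whether the account exists or who owns it, which is the gap Verification of Payee addresses.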
In the SEPA zone, a neobank can operate with an IBAN whose country code differs from the customer's residence — for example a Revolut customer in Germany usually receives an LT-country IBAN because Revolut Bank UAB is licensed in Lithuania. Under the SEPA IBAN-discrimination rule (EU Regulation 260/2012), EEA merchants and employers must accept any valid IBAN from within the SEPA area.
Why it matters for a neobank
Neobanks that passport from one EEA member state into the rest of the bloc often issue only their home-country IBAN. That is legal, but in practice a minority of merchants and payroll systems still reject "foreign" IBANs — which is why local-IBAN coverage is a tracked feature in our comparisons.
SEPA Single Euro Payments Area
The 36-country zone in which euro payments are treated as domestic. Any euro transfer inside SEPA must cost the customer the same as a purely domestic transfer.
SEPA was launched in 2008 by the European Payments Council, replacing a patchwork of national credit-transfer schemes. It covers all 27 EU member states plus the EEA countries, the UK, Switzerland, Monaco, San Marino, Andorra, and Vatican City.
The governing law is Regulation (EU) 260/2012 — the same regulation that prohibits IBAN discrimination. SEPA itself is a scheme, not a bank; it is implemented by individual banks and payment institutions via the SEPA Credit Transfer (SCT) and SEPA Direct Debit (SDD) rulebooks.
Why it matters for a neobank
For a neobank, "SEPA support" is table stakes. What actually varies across the index is whether the bank charges a fee for non-domestic SEPA transfers (it should not, under 260/2012), whether it supports SEPA Instant (see next entry), and whether its currency-conversion spread on non-euro SEPA-adjacent payments is competitive.
SEPA Instant SEPA Instant Credit Transfer (SCT Inst)
10-second, 24/7 euro credit transfers up to €100,000. As of 9 January 2025, every EEA payment service provider that offers regular SEPA must also offer Instant — at the same price or lower.
Launched in 2017 as an optional scheme, SEPA Instant was made mandatory by the EU Instant Payments Regulation (Regulation (EU) 2024/886). The headline obligations: receive-side capability by 9 January 2025; send-side capability by 9 October 2025; fee parity with non-instant SCT at all times.
The per-transaction cap was raised to €100,000 in the same regulation (previously €15,000, then €100,000 since 2020 as a scheme option). Settlement is bilateral via the TARGET Instant Payment Settlement (TIPS) system operated by the Eurosystem, with 99.9% availability required.
Why it matters for a neobank
From 2025 onwards, a neobank that charges extra for Instant — or silently routes Instant requests to next-day SCT — is in breach of 2024/886. This matters for users paying bills close to deadlines, salary splits, or mortgage-deposit transfers. It is also the foundation on which Verification of Payee (below) is built.
Verification of Payee VoP · confirmation of payee
A real-time pre-transaction check that tells the payer whether the name on the account behind an IBAN matches what the payer entered. Required for every SEPA Instant payment in the EEA from 9 October 2025.
Introduced by the Instant Payments Regulation (2024/886), VoP obliges the payer's bank to query the payee's bank for a name-match before an instant transfer is authorised. The response is typically match / close match / no match. A no-match result must be surfaced to the payer before the transaction is confirmed.
Technically VoP runs on top of TIPS / RT1 rails via the EPC SEPA Payment Account Access scheme. For neobanks, it means every Instant payment now triggers an API round-trip to the beneficiary's bank and a UI prompt to the user — a material UX and engineering lift.
Why it matters for a neobank
VoP is the direct European answer to authorised push-payment fraud. It doesn't eliminate it (a payer who ignores a warning still loses money), but it meaningfully reduces the impersonation vector. When comparing neobanks, UX matters: how clearly the match / no-match signal is shown is already a differentiator.
PSD3 Payment Services Directive 3 · PSR (Payment Services Regulation)
The pending successor to PSD2. Splits the current directive into a directive (PSD3, covering payment institution authorisation and supervision) plus a directly applicable regulation (the PSR, covering payment-service rules).
The European Commission proposed the package on 28 June 2023. As of April 2026 it is working its way through the co-legislative procedure between the European Parliament and Council; a final text is expected in 2026 with application 18 months after entry into force.
Headline changes: open banking APIs become mandatory performance-measured interfaces (not best-effort); strong customer authentication loopholes tightened; non-bank payment institutions gain parity access to commercial bank money; IBAN-name matching and spoofed-merchant protections baked in; enforcement harmonised under a single regulation.
Why it matters for a neobank
For the neobanks in our index, PSD3/PSR means tighter open-banking performance SLAs and reduced latitude for gatekeeper behaviour by incumbent banks holding their customer accounts. For comparison readers, it will change how payment-institution-tier neobanks (Wise, Qonto) can connect to the rest of the banking system.
DORA Digital Operational Resilience Act
An EU regulation that mandates ICT risk management, third-party oversight, incident reporting, and threat-led penetration testing for every financial entity operating in the EU. In force since 17 January 2025.
Regulation (EU) 2022/2554 (DORA) covers credit institutions, e-money institutions, payment institutions, investment firms, crypto-asset service providers, and critical ICT third-party providers (CTPPs). The scope is broader than any previous EU operational-resilience rule.
Core pillars: (1) a documented ICT risk-management framework; (2) classification and reporting of major ICT-related incidents within 24 hours; (3) oversight of critical ICT third-party providers, including cloud hyperscalers; (4) threat-led penetration testing (TLPT) at least every three years for significant entities; (5) an information-sharing framework for cyber-threat intelligence.
Why it matters for a neobank
DORA raises the floor for neobank operational maturity. Entities in our index that are subject to DORA must now disclose material ICT-related incidents under a harmonised regime — so when a neobank goes dark for a day, the regulator's incident record is increasingly the authoritative source rather than tweets and press releases.
EMI vs banking licence Electronic Money Institution vs Credit Institution
An EMI can issue e-money and move money on behalf of customers, but cannot take deposits or lend and is not covered by any Deposit Guarantee Scheme. A credit institution (a "full bank") can do all of the above and is covered, up to €100,000 per depositor, by the national DGS.
The licences come from different European legal acts. EMIs are authorised under the E-Money Directive (2009/110/EC), while credit institutions are authorised under the Capital Requirements Directive (2013/36/EU, CRD IV) and, where relevant, directly supervised by the ECB under the SSM Regulation.
Customer money at an EMI is "safeguarded" — typically held at a separate credit institution in a ring-fenced pooled account, or invested in HQLA assets, or covered by an insurance arrangement. If the EMI fails, customers recover from the safeguarded account; if the safeguarded account is itself impaired, there is no statutory payout. By contrast, failure of a credit institution triggers the national DGS which pays up to €100,000 per depositor within seven working days.
Many household-name neobanks in Europe began life as EMIs and migrated to banking licences once scale justified the capital and compliance cost. Revolut, N26, bunq, and Trade Republic are full credit institutions. Wise and Qonto remain payment / e-money institutions by design — a deliberate choice, not a regulatory failing.
Why it matters for a neobank
This single distinction explains most of the "is my money safe?" questions readers ask about neobanks. It is the axis on which our deposit-protection tracker sorts the entire index, and it is the most common source of Stage 6 YMYL misinformation on the open web.
BaaS Banking as a Service
A business model in which a chartered bank rents its licence, balance sheet, and ledger to a non-bank "fintech" front-end. The fintech owns the brand and UX; the bank owns the deposits and the regulator relationship.
In the United States, household-name fintechs such as Chime, Cash App, Varo (a rare exception — Varo holds its own national bank charter), Current, and Mercury are not banks. They are technology companies whose customer balances sit at one or more FDIC-insured "sponsor" banks (see next entry). The fintech provides the app, customer support, card programme, and product design; the sponsor bank provides the routing number, the deposit ledger, and the legal compliance perimeter.
FDIC pass-through insurance only applies when the fintech's records can identify each end-customer's beneficial interest in the pooled account at the sponsor bank. The 2024 collapse of middleware provider Synapse exposed how fragile that record-keeping can be: tens of thousands of customers were locked out of funds for months because the reconciliation between Synapse, the partner banks, and the fintech-facing apps had broken down. The Federal Reserve, OCC, and FDIC issued joint guidance in 2024 tightening third-party risk-management expectations for sponsor banks.
BaaS is not a US-only pattern. In the EU, a similar model exists where Solaris SE or ClearBank acts as the licensed institution behind a fintech. The difference is that in Europe, the front-end fintech is more often itself a regulated EMI or PI; in the US, the fintech is typically not regulated at the federal banking level at all.
Why it matters for a neobank
If you bank with a US fintech, the entity you sue if things go wrong, the entity that holds your deposit, and the entity whose name is on the app are three different companies. That has practical consequences for FDIC eligibility, dispute resolution, and the failure mode you should expect — and it's the single most-misunderstood concept in our US-market reviews.
Sponsor bank Partner bank · BIN sponsor
The FDIC-insured chartered bank that sits behind a US fintech: holds the deposits, issues the cards, and owns the regulator relationship. The fintech rents the charter; the sponsor bank carries the licence.
A small group of US community and regional banks dominate the sponsor-bank market: The Bancorp Bank, Stride Bank, Sutton Bank, Cross River Bank, Pathward (formerly MetaBank), Evolve Bank & Trust, Lewis & Clark Bank, Lead Bank, and Column. These institutions are typically under USD 30bn in assets, which keeps them outside the largest-bank prudential perimeter while still allowing them to issue Visa or Mastercard BINs and offer ACH and FedNow access to fintech partners.
The sponsor-bank relationship is contractual, not customer-facing. End-customers of Chime see a Chime debit card and a Chime app, but the deposit account is held at The Bancorp Bank, N.A. or Stride Bank, N.A. — disclosed in the cardholder agreement and the deposit account terms, but rarely surfaced prominently in marketing.
From a regulatory perspective the sponsor bank is fully responsible for the fintech's compliance: BSA/AML, Reg E error resolution, deposit reconciliation, and consumer protection. When the FDIC issues consent orders against the BaaS layer, the named institution is always the sponsor bank — not the fintech.
Why it matters for a neobank
Identifying the sponsor bank is the first step in answering "is my money actually safe?" for any US fintech account. The sponsor bank determines the FDIC certificate number used for pass-through insurance aggregation, and its own financial health is the relevant signal — not the fintech's VC valuation.
FDIC pass-through Pass-through deposit insurance
FDIC insurance that flows through a fintech's pooled custodial account at a sponsor bank to each individual end-customer. Up to USD 250,000 per depositor per insured bank — but only if the recordkeeping holds up.
Standard FDIC insurance covers up to USD 250,000 per depositor, per insured bank, per ownership category. When a US fintech holds customer money in a single FBO ("for benefit of") pooled custodial account at a sponsor bank, that pool can be "passed through" so each underlying customer gets their own USD 250,000 limit at that bank. The legal basis is 12 CFR § 330.5 plus the FDIC's recordkeeping requirements for custodial accounts.
Three conditions must be met: (1) the account must be properly titled to indicate custodial status; (2) the records of the fintech (or its middleware provider) must clearly identify each end-customer's beneficial interest and balance; (3) those records must be reconcilable with the bank's ledger. The Synapse failure in 2024 demonstrated that condition (3) is not automatic. When the reconciliation broke, FDIC pass-through could not be invoked because the FDIC could not identify whose money was whose.
Aggregation is the second gotcha. If a fintech sweeps your balance across, say, four sponsor banks, you nominally have USD 1,000,000 of coverage. But if you also hold a direct account at one of those four banks, your coverage at that institution caps at USD 250,000 combined. Some fintechs disclose the sponsor-bank list (Wealthfront, Betterment cash); others do not.
Why it matters for a neobank
Pass-through insurance is not the same as direct FDIC coverage. It depends on continuous, accurate recordkeeping by intermediaries the customer never chose. When a US fintech advertises "FDIC-insured up to $250k", the asterisk that almost never appears is "subject to pass-through conditions being met at the time of failure" — and that distinction has now cost real customers real money.
FGC Fundo Garantidor de Créditos
Brazil's deposit guarantee fund. Covers up to BRL 250,000 per depositor per institution, capped at a BRL 1 million aggregate per depositor across all institutions over any rolling four-year window.
The FGC is a private non-profit funded by mandatory contributions from member institutions — every Brazilian bank, savings bank, credit cooperative central, finance company, mortgage company, and real-estate credit company. Coverage applies to demand deposits, savings deposits, time deposits (CDB, RDB), letras de crédito (LCI, LCA, LC), and a few other regulated instruments.
The BRL 250,000 cap is per CPF (individual) or CNPJ (entity), per conglomerate. Critically, the BRL 1,000,000 aggregate ceiling over four years was introduced by Resolução BCB 4,222/2013 and amended by later resolutions — meaning a depositor who has already been paid out FGC coverage on a previous failure has a reduced effective limit on subsequent claims.
Brazilian neobanks operating under a banking licence — Nubank (Nu Pagamentos S.A. plus the Nu Financeira and Nu Holding entities), Inter, C6, Banco Original — are FGC members and customer balances are covered. Mercado Pago in Brazil operates as an instituição de pagamento, not a bank: customer balances are not covered by FGC, although the company invests them in CDBs that themselves carry FGC coverage at the underlying institution. This requires operator verification of the current product structure.
Why it matters for a neobank
FGC coverage and aggregation rules are the central fact in any Brazil-market neobank review. Marketing copy that says "protegido pelo FGC" without naming the issuing institution and without disclosing the four-year aggregate cap is incomplete — and that incompleteness is what we flag in our LATAM coverage.
CNBV / SOFOM ER / IPMP Comisión Nacional Bancaria y de Valores · Sociedad Financiera de Objeto Múltiple · Institución de Pago Mercado Pago
Mexico's banking and securities regulator and two of the most-confused fintech licence classes underneath it. SOFOM ER is regulated; SOFOM ENR is not. IPMP-style payment institutions sit outside the CNBV/IPAB perimeter altogether.
CNBV is the federal agency that supervises Mexican banks (instituciones de banca múltiple), securities firms, brokers, mutual funds, and certain non-bank lenders. Bank-licensed institutions fall under IPAB, the deposit-insurance scheme, with coverage of 400,000 UDI per depositor per institution (UDI is an inflation-indexed unit; in 2026 the cap is roughly MXN 3.5–4 million — requires operator verification of the current UDI value).
SOFOM (Sociedad Financiera de Objeto Múltiple) is a non-bank lending licence. The "ER" variant — Entidad Regulada — is supervised by CNBV; the "ENR" variant — Entidad No Regulada — is supervised only for AML purposes. SOFOMs cannot take deposits, only lend. Many Mexican fintechs (Klar, Stori on its credit side) operate as SOFOMs.
IPMP refers more broadly to Instituciones de Fondos de Pago Electrónico (IFPE) under the 2018 Fintech Law. Mercado Pago in Mexico operates as an IFPE: customer balances are e-money, not deposits, and are not covered by IPAB. The funds must be safeguarded in a Mexican credit institution, but if the safeguarded account is impaired the customer has no IPAB recourse — directly analogous to the EU EMI vs banking licence distinction.
Why it matters for a neobank
Choosing between Nu México (banking licence, IPAB coverage), Stori (SOFOM ER credit licence with no IPAB on deposits), and Mercado Pago (IFPE, no IPAB) is fundamentally a regulatory choice, not a UX choice. The marketing surfaces rarely make this clear, which is why our Mexico-market reviews always lead with the licence class.
MAS Monetary Authority of Singapore
Singapore's central bank and integrated financial regulator. One authority covers banking, insurance, capital markets, and payments — including the digital full-bank, digital wholesale-bank, MPI, and SVF licence classes that house Singapore's neobanks.
MAS was formed in 1971 and is unusual globally in concentrating monetary policy, prudential supervision, conduct supervision, and currency issuance under a single roof. Banks operate under the Banking Act 1970; payment institutions under the Payment Services Act 2019 (PSA). MAS is the entity that grants and revokes licences and that runs the Singapore Deposit Insurance Corporation (SDIC) — coverage SGD 100,000 per depositor per Scheme member.
Neobank-relevant licence classes under the PSA are the Major Payment Institution (MPI), which can hold customer money above SGD 5 million in float and offer cross-border services, and the Standard Payment Institution (SPI), with lower thresholds. Wise Asia-Pacific holds an MPI licence in Singapore; Revolut Singapore holds a more limited licence. Neither is a bank.
Separately, MAS issued digital full-bank licences to GXS (Grab + Singtel) and MariBank (Sea Group), and digital wholesale-bank licences to ANEXT (Ant) and Green Link (Greenland). DFB-licensed institutions are SDIC-covered banks; MPIs and SPIs are not. The licence label on a Singapore neobank is therefore the key signal of deposit-protection eligibility.
Why it matters for a neobank
Singapore is the gateway market for APAC fintech, and MAS's licence taxonomy directly mirrors the EU's EMI-vs-credit-institution split — but with different thresholds and different scheme coverage. Our APAC reviews lean heavily on MAS's public licence register because the marketing surface alone is not a reliable guide.
KDIC Korea Deposit Insurance Corporation
South Korea's deposit insurance scheme. Covers up to KRW 50 million per depositor per institution across banks, mutual savings banks, securities firms (cash balances), and insurers — including the country's three internet-only banks.
KDIC was established in 1996 under the Depositor Protection Act. The KRW 50 million cap (unchanged for over two decades; 2024 legislation has signalled a future increase, requires operator verification of current effective cap) applies per depositor per institution, aggregated across deposit types at that institution.
The three Korean internet-only banks — KakaoBank (KB Financial / Kakao Group), K bank (Woori / KT), and Toss Bank (Viva Republica) — are full credit institutions under the Banking Act and the Internet-only Banks Act, supervised by the Financial Services Commission (FSC) and the Financial Supervisory Service (FSS). KDIC coverage applies to them on the same terms as commercial banks.
Covered products: demand deposits, savings deposits, time deposits, mutual installment savings, foreign-currency deposits at covered institutions. Not covered: investment products, ETFs, beneficiary certificates, and most types of crypto-asset balances even when held at a KDIC-covered bank.
Why it matters for a neobank
KDIC coverage is what makes Korean internet-only banks viable substitutes for legacy KEB, KB, and Shinhan accounts for retail savers. Coverage parity between digital-native and traditional banks is the regulatory choice that has allowed Kakao and Toss to scale to tens of millions of accounts without a perceived safety penalty.
APRA / FCS Australian Prudential Regulation Authority · Financial Claims Scheme
Australia's prudential regulator and the deposit-guarantee scheme it administers. ADI authorisation is the licence class; FCS covers up to AUD 250,000 per account-holder per ADI in the event of failure.
APRA, established 1998, supervises authorised deposit-taking institutions (ADIs), insurance companies, and most superannuation funds. ADI is the umbrella licence class covering banks, building societies, credit unions, restricted ADIs, and the small "purpose-built" digital banks. ASIC handles conduct and disclosure; APRA handles capital, liquidity, and resolution.
The Financial Claims Scheme is administered by APRA under the Banking Act 1959 and only activates when the Treasurer formally declares an ADI failed — at which point it pays eligible deposits up to AUD 250,000 per account-holder per ADI, typically within seven days. Coverage is across all deposit accounts in the depositor's name at that ADI, aggregated.
Australia's neobank wave (Volt, Xinja, 86 400, Up, Judo) showed both the scope and the limits of the framework. Xinja and Volt returned their banking licences after deciding the digital-only retail model was uneconomic — customers were repaid in full because the institutions wound down voluntarily, not failed. Up (NAB-owned) and Judo (SME bank) remain ADIs and FCS-covered.
Why it matters for a neobank
Australia's ADI + FCS pairing is the closest international analogue to the EU's credit-institution + DGS pairing. For our Asia-Pacific reviews, this terminology is the bridge that lets EU and US readers reason about Australian neobank safety without learning a new vocabulary.
BSP Bangko Sentral ng Pilipinas
The Philippines' central bank and banking regulator. Authorises universal, commercial, thrift, rural, and digital banks. PDIC, the deposit insurance scheme, covers up to PHP 500,000 per depositor per institution.
BSP issued its dedicated digital-bank framework via Circular No. 1105 (2020), creating digital bank as a distinct licence class with reduced minimum capitalisation (PHP 1 billion) and the requirement to operate without physical branches. The first six licences went to Tonik, UnionDigital, GoTyme, Maya, OFBank (state-owned), and UNO Digital Bank. BSP paused new digital-bank licences in 2021 and has since restarted limited issuance.
All BSP-licensed banks, digital or otherwise, are members of PDIC (Philippine Deposit Insurance Corporation), which covers up to PHP 500,000 per depositor per institution. Maya Bank, GoTyme, and UnionDigital are PDIC-covered. Maya's separate e-money product line under the PSP licence is not deposit-equivalent and is not PDIC-covered — a distinction users frequently miss.
Universal banks and commercial banks under BSP can take any type of deposit and offer the broadest range of services. Thrift banks focus on consumer and SME lending; rural banks on agricultural credit. The five-tier licence structure plus the digital-bank category gives Philippines fintech a wider taxonomy than most APAC peers.
Why it matters for a neobank
Maya, GoTyme, and Tonik are the regional case studies for whether BSP's digital-bank circular produced a sustainable model. Their PDIC-covered deposit products are directly comparable to EU full-bank neobanks; their separate e-money wallets are directly comparable to EU EMIs. We track them on both axes.
CBN microfinance Central Bank of Nigeria · Microfinance Bank licence
Nigeria's tiered Microfinance Bank framework, administered by the Central Bank of Nigeria. Three tiers — Unit, State, National — with progressively higher capital and broader operating perimeters. Kuda is licensed as an MFB; Opay and PalmPay operate under different MFB-tier and PSP licences.
CBN consolidated the MFB framework in 2020 with revised regulatory and supervisory guidelines. Unit MFBs serve a single LGA with NGN 200 million minimum capital; State MFBs operate state-wide with NGN 1 billion; National MFBs cover all 36 states plus the FCT with NGN 5 billion. MFBs can take deposits, offer micro-loans, and remit money, but cannot deal in foreign exchange or offer the full corporate-banking suite of a commercial bank.
Kuda Microfinance Bank holds a National MFB licence and is therefore a deposit-taking institution covered by the Nigeria Deposit Insurance Corporation (NDIC). NDIC coverage for MFBs is NGN 5 million per depositor per institution (raised from NGN 200,000 by NDIC in May 2024 — requires operator verification of effective date and applicability to digital-first MFBs).
Opay and PalmPay are licensed as Mobile Money Operators (MMO) and as Switching and Processing companies under the CBN PSP framework, separate from the MFB licence stack. Customer balances at MMOs are e-money, held in trust accounts at commercial banks, and not directly NDIC-covered at the MMO level. The licence labels look superficially similar in marketing but the deposit-protection consequences are very different.
Why it matters for a neobank
Nigerian neobank coverage hinges on a single question: MFB or PSP? An MFB customer has NDIC protection on the deposit balance; a PSP/MMO customer has trust-account protection that depends on the underlying bank's solvency. Our Africa-region reviews lead with this distinction.
CBUAE Central Bank of the United Arab Emirates
The UAE's central bank and primary banking regulator. Supervises commercial banks, Islamic banks, finance companies, exchange houses, and stored-value-facility issuers. There is no formal statutory deposit-guarantee scheme; the central bank has historically backstopped failures case by case.
CBUAE was established in 1980 and authorises both conventional and Islamic banks. It also supervises finance companies, exchange houses, and — under the 2020 Stored Value Facility (SVF) regulation and the 2021 Retail Payment Services and Card Schemes (RPSCS) regulation — non-bank issuers of e-money and payment service providers. ESCA (the Emirates Securities and Commodities Authority) handles non-bank investment activity outside the central bank perimeter.
The UAE does not operate a Deposit Guarantee Scheme of the kind found in the EU, US, or APAC. There is no statutory cap and no funded scheme. In practice, depositors at UAE banks have been made whole in past failures via central-bank-led interventions, but this is not a legal entitlement. Neobank-marketing claims of "protected deposits" in the UAE require careful reading — they typically refer to capital-adequacy regulation, not depositor compensation.
Wio Bank (PJSC, full bank licence under CBUAE), Al Maryah Community Bank (AMCB), and Liv. by Emirates NBD operate within this framework. Revolut, Wise, and other foreign neobanks reach UAE residents only through limited cross-border arrangements; they are not CBUAE-licensed for resident deposit-taking.
Why it matters for a neobank
Operating in the UAE without a formal DGS changes the safety calculus. Customers comparing a CBUAE-licensed bank to a passported European neobank cannot rely on a fixed coverage figure — instead, the relevant signals are CBUAE supervisory status, parent-company strength, and the bank's place within the UAE banking-sector stability framework. Our GCC reviews call this out explicitly.
AMLR / EU AMLA Anti-Money Laundering Regulation · Anti-Money Laundering Authority · AMLD6
The 2024 EU AML reform package: a directly-applicable Regulation (AMLR), a coordinating Directive (AMLD6), and a new central authority (AMLA) headquartered in Frankfurt. Most provisions apply from 10 July 2027 — and they touch every neobank in our index.
Adopted in 2024, the package consists of Regulation (EU) 2024/1624 (AMLR), Directive (EU) 2024/1640 (AMLD6), and Regulation (EU) 2024/1620 (the AMLA establishing regulation). AMLA — the Anti-Money Laundering Authority — was confirmed in February 2024 to be headquartered in Frankfurt am Main and began ramping up in 2025, with full direct supervisory powers from 1 January 2028.
The directly-applicable AMLR replaces national-law transposition of large parts of the previous AMLD framework. Headline changes: harmonised customer due diligence (CDD), enhanced due diligence (EDD) for high-risk third countries, an EU-wide cap of EUR 10,000 on cash payments, beneficial-ownership thresholds tightened from 25% to 25% with anti-circumvention rules, and crypto-asset service providers brought fully inside the AML perimeter alongside MiCA.
AMLA will directly supervise the riskiest cross-border financial institutions — initially around 40 entities including the largest neobanks operating across multiple Member States — rather than relying on the home-state regulator. For passported entities such as Revolut Bank UAB or N26 Bank SE, AMLA could become a co-supervisor alongside the LB or BaFin, with binding instruction power.
Why it matters for a neobank
AMLR/AMLA is the single largest cross-cutting regulatory change affecting EU neobanks between now and 2028. It will normalise CDD, EDD, and PEP-screening expectations across Member States, and it will redirect supervisory accountability for the largest passported neobanks to a single Frankfurt-based authority. We track its application timeline against every neobank we cover.
Where the definitions come from.
Each entry is grounded in the directly-applicable EU legal text or the authoritative scheme rulebook. Where a term is also defined by a non-EU regulator in a way that differs (UK FCA for post-Brexit UK operations, Swiss FINMA for Switzerland), the divergence is noted in-body. We do not cite Wikipedia as a primary source; we use it as a jumping-off point and always follow through to the underlying regulation.
The glossary is maintained in sync with the deposit-protection tracker and the site methodology. When a regulation changes (e.g. PSD3 adoption, a new TLPT threshold under DORA), this page is updated and the dateModified field of the structured data reflects the revision.