Article 7 min read

Navigating New York’s Landmark BNPL Regulation: What Fintech Leaders Need to Know

The Buy Now, Pay Later (BNPL) marketplace is undergoing a significant shift in New York. Governor Kathy Hochul signed the New York BNPL Act into law on May 9, 2025, and the New York State Department of Financial Services (NYDFS) has now released its proposed implementing regulations. Together, these actions mark one of the most comprehensive state-level interventions in the fast-growing Buy Now Pay Later state regulation sector. The proposed BNPL rule, which is currently in a public comment period and not yet final, establishes BNPL licensing requirements in New York and imposes strict BNPL consumer protection requirements, disclosure, fee and BNPL data privacy requirements on BNPL providers.

BNPL in neon letters sitting on a stack of credit cards.

Why New York Stepped In

As federal oversight eased, states began regulating BNPL. Governor Hochul described New York’s rules as “nation-leading,” with advocates viewing them as a model for other states. In May 2024, the CFPB attempted to apply credit card protections to BNPL providers via an interpretive rule; however, following litigation challenges and a change in administration, the CFPB formally rescinded that rule in May 2025. New York’s NYDFS fintech regulation approach illustrates a growing trend toward state-led NY BNPL Act compliance framework

Scope: Who and What the Rule Covers

  • Broad BNPL Definition: New York defines BNPL loans broadly as any closed‑end consumer credit used to purchase goods or services (excluding auto loans), capturing even short‑term, zero‑interest “pay‑in‑4” plans and treating BNPL as traditional consumer credit.
  • Covered Providers: The rule applies to non‑bank BNPL fintech companies, platforms facilitating BNPL transactions and entities purchasing BNPL receivables, effectively anyone offering or enabling BNPL to New York consumers.
  • Exclusions and Exemptions: Merchants extending their own credit and business‑purpose credit are excluded. Federally chartered institutions (e.g., national banks, federal credit unions) are exempt from licensing, though many state‑chartered lenders are not.

Licensing and Category Permissions

Non‑exempt BNPL providers must obtain a NYDFS license and display it on consumer‑facing platforms. Existing providers have 45 days to apply and may operate provisionally. Lenders must also obtain category permissions for interest‑free, interest‑bearing or both types of BNPL products.

Consumer Protections and Compliance Requirements

The rule aligns with TILA‑style protections, requiring underwriting for income and debt, robust disclosures, dispute and refund rights, and strict limits on fees and interest. Interest is capped at 16% APR (the BNPL APR cap in New York derives from the state’s civil usury law and applies in most cases; federally chartered banks may be exempt due to federal preemption), late fees are limited, and many fees are prohibited. Strong data‑privacy rules require explicit, revocable consumer consent for data use beyond loan servicing.

To provide a handy reference, the table below summarizes which key requirements apply to different BNPL provider categories:

Regulatory RequirementApplicability by Provider Type
BNPL License
Must obtain NYDFS license to offer BNPL loans in NY
All non-bank BNPL providers (fintech lenders, BNPL platforms, loan buyers) must be licensed. NY “Banking Law” entities (NY-chartered banks, NY-licensed lenders) need authorization, not a license. Exempt orgs (national banks, federal credit unions, etc.) are exempt from licensing.
Category Permission
Additional approval for interest-free vs. interest-bearing products
All licensed or authorized BNPL lenders must obtain specific category permissions for offering interest-free BNPL, interest-bearing BNPL or both. (Not applicable to exempt organizations.)
Interest Rate Cap
16% APR ceiling on BNPL loans with interest
Applies to all interest-bearing BNPL loans (offered by licensed or authorized lenders). Interest includes any finance/origination charges. (Federally chartered banks may not be subject to state interest caps due to preemption.) Zero-interest “pay-in-4” BNPL plans are unaffected since they charge no APR.
Late/Penalty Fees
$8 safe harbor cap; limits on multiple fees
Applies to all BNPL lenders (licensed or authorized). $8 per late payment or violation is the safe harbor max; higher fees require regulator approval. No multiple fees for one missed payment; total penalties can’t exceed the amount owed.
Dispute Resolution and Refunds
TILA-like billing error process
Applies to all BNPL lenders. Must allow consumers to dispute errors within 60 days; acknowledge in 30 days and resolve in ≤90 days. During disputes, no collection or negative credit reporting on disputed sums. Lenders must pursue merchant refunds for returns/cancellations and credit the consumer promptly.
Unauthorized Use Liability
Cap on consumer’s responsibility
Applies to all BNPL lenders. Consumer’s liability for unauthorized charges is capped at $50 (or less, if the unauthorized amount is smaller), mirroring credit card protections under federal law.
Disclosure Requirements
Pre-sale, post-sale and periodic statements
Applies to all BNPL lenders. Must provide pre-transaction disclosures (key loan terms, fees, consequences) before each purchase; written confirmation after each loan; and periodic billing statements for any month with a balance or charge. Disclosures must be in English and other languages used in service or advertising to NY consumers.
Underwriting Standards
Ability-to-repay evaluation required
Applies to all BNPL lenders. Must perform reasonable, income and debt-based underwriting on each BNPL loan and maintain written underwriting policies. Use of social networks or friends’ data for credit decisions is banned outright.
Data Privacy and Consent
Limits on data use and sharing
Applies to all BNPL lenders. Use, sharing or sale of “covered data” (any nonpublic consumer info) beyond servicing the loan requires opt-in consent for each specific use. Consent expires in one year and is never a condition for obtaining the loan. Lenders must allow easy opt-out/withdrawal and delete data (and ensure third parties delete it) if consent is withdrawn. Activities like targeted ads, cross-selling or selling data require separate annual consent.
Operational and Reporting
Customer service, records, capital, etc.
Applies to all BNPL lenders (licensed/authorized). Must provide a toll-free customer service line with live support at least 10 hours/day on weekdays and a contact email. Record-keeping (advertisements retained seven years), limited payment retries (max two attempts per due amount), capital requirements (surety bond or reserve for loan obligations) and periodic financial reporting and compliance officer designation are also mandated.

(“Exempt organizations” under NY Banking Law – e.g., federally chartered banks, federal credit unions and similar institutions – are not subject to the state’s BNPL licensing and many operational requirements. However, non-bank fintech companies and out-of-state state-chartered banks should assume full compliance obligations when serving New York consumers.)

Why FinTech Companies Should Pay Attention

  • Revenue and Margin Pressure: The 16% APR cap and $8 late fee limit restrict traditional revenue sources like interest, late fees and tips. Even interest-free “pay-in-4” models are affected, as limits on late and merchant fees are curtailed, squeezing margins. TILA-style rules for underwriting, disclosures, disputes and data privacy mean fintech companies need stronger compliance systems. Companies should expect more audits and higher standards for controls, which will increase costs for systems, staff and customer support.
  • Investor Diligence and Valuations: Regulatory compliance is now a key factor for investors. Showing you are ready for a complex market like New York can help with valuations and raising capital. On the other hand, noncompliance can lead to penalties, reputational harm and less investor interest.
  • Product and Growth Strategy: Required ability-to-pay checks and stronger data consent processes will impact onboarding, conversion rates and product design. Companies entering New York may need to rethink partnerships, licensing or go-to-market plans. Since other states may follow New York’s lead, early compliance could become a competitive advantage.

Industry Impact and Next Steps

New York’s BNPL regulation introduces significant compliance and operational demands for fintech companies. Firms must invest in licensing, customer service, underwriting, disclosures and data privacy systems. Business models reliant on fees, tips or consumer data, especially for interest-free “pay-in-four” products, face new constraints, including the 16% APR cap and an $8 late fee limit.

Data privacy rules require BNPL providers to overhaul consent processes, track expiration and ensure easy opt-outs and data deletion. This could disrupt partnerships involving targeted advertising or cross-selling.

Key strategic considerations:

  • Non-bank BNPL fintech companies must prepare for full licensing and compliance or consider partnerships with exempt banks.
  • NY-chartered banks and licensed lenders need authorization but must still meet most consumer protection standards.
  • Merchants offering in-house BNPL are exempt but may be indirectly affected through their BNPL partners.

Looking ahead, New York’s rule is likely to influence other states. While consumer advocates support the move, industry groups warn it may hinder innovation. The light-touch era for BNPL is ending. Fintech leaders should assess compliance gaps, engage in the rulemaking process and adapt their strategies accordingly.

Withum plus signs

Have Questions or Need Guidance?

Connect with a member of our FinTech Services Team to discuss compliance strategies and next steps.

Contact Us

Trending Insights

Read more
fvs-financial-services-private-credit
Redemptions and Reality: Rethinking Liquidity in Private Credit

As the Financial Times reported on April 2, the U.S. Treasury is urging regulators to convene now on the risks building in private credit—an indication that concerns around governance gaps in the sector are beginning to intensify. Recent redemption constraints weren’t a sign of failure in private credit, but they did bring a long-standing tension…

Read more
online payment, payment successful
AI at the Checkout: How ChatGPT Instant Checkout Is Reshaping Shopping and Payments

OpenAI has just taken a bold step into the future of online shopping with the launch of Instant Checkout, a new feature that allows users to purchase products directly through ChatGPT. This opens a new avenue for e-commerce growth while representing a structural shift in how payments are initiated, processed, and safeguarded in an AI-driven…

Read more
etfs, stock trading
ETFs: The Onboarding Layer of the Future for Institutions and Retail Investors Alike

ETFs have gone from being mysterious tools of the trading floor to becoming the unsung heroes of modern finance. They’re quietly transforming into “onboarding vehicles” across asset classes and strategies giving investors a frictionless way to participate in almost any market. ETFs are now the front door to the latest investing trends, from emerging and…