Neobanks face the full weight of banking regulation despite being mobile-first. EMD2's safeguarding requirements in the EU, FCA's conduct standards in the UK, and Brazil's BCB authorization create comprehensive oversight that extends to how neobanks collect and use customer data—including analytics. This guide explores these regulatory frameworks and how data minimization can simplify multi-jurisdiction compliance.
🇪🇺 EU: Electronic Money Directive (EMD2)
The Second Electronic Money Directive (Directive 2009/110/EC) regulates electronic money institutions across the EU. Under Article 2, "electronic money" means electronically stored monetary value as represented by a claim on the issuer.
Article 4: Capital Requirements
E-money institutions must maintain initial capital of not less than EUR 350,000.
Article 7: Safeguarding
E-money institutions must protect customer funds through segregation or insurance.
Coming: PSD3 Changes
PSD3 (Payment Services Directive 3) is expected to merge PSD2 and EMD2. Article 5 of the draft increases initial capital for payment institutions providing e-money to EUR 400,000. Neobanks should monitor this evolving landscape.
🇬🇧 UK: Financial Conduct Authority (FCA)
Under the Financial Services and Markets Act 2000 (FSMA), it is a criminal offence to carry on regulated activities without FCA authorization. The FCA has been particularly active in neobank oversight.
2024 FCA Enforcement
- £28.9 million fine to a prominent neobank for AML and sanctions screening failures
- $64.74 million total penalties in 2024 for AML control failures
FCA Authorization Requirements
- E-money issuers: FCA authorization as e-money issuers
- Payment services: Payment institution authorization
- Full banking: Banking license for FSCS-protected deposits
Data Governance Obligations
FCA-regulated firms must maintain clear audit trails, transparent workflows, and detailed risk assessments. Third-party service providers—including analytics vendors—require appropriate due diligence and contractual oversight.
🇧🇷 Brazil: BCB Authorization
Brazilian neobanks operate under licenses from the Central Bank of Brazil (BCB). "Neobank" is a market term—companies typically operate under one or more regulatory licenses:
Payment Institution (IP)
Most common starting point—allows simplified payment accounts and e-money/card issuance. BCB Resolution No. 494 (September 2025) requires all payment institutions to obtain prior BCB authorization.
Direct Credit Company (SCD)
Allows offering loans with own capital. Payment institutions often add SCD license to build credit portfolios.
Full Banking License
Complete financial services including FGC-protected deposits. Companies like Nubank evolved from credit card → payment institution → full bank.
November 2025: "Bank" Naming Restrictions
BCB and CMN issued regulations restricting use of "banco" and "bank" by non-bank institutions—affecting corporate names, trade names, mobile apps, and advertising. Nubank announced it would obtain a full banking license in 2026 to comply.
⚠️ The Analytics Privacy Challenge
Traditional analytics collect data that, when combined with banking activity, creates sensitive information subject to multiple frameworks:
Device Identifiers
IDFA, GAID, or fingerprints linked to banking activity become identifiers of financial behavior.
IP Addresses
Personal data under GDPR; combined with transactions, reveals sensitive financial information.
Persistent User IDs
When tied to loan applications or investments, creates comprehensive financial profiles.
Custom Properties
Free-form fields may accidentally capture account balances, transaction amounts, or loan details.
When a neobank app sends events like "loan_application_submitted" alongside persistent identifiers, it creates data subject to EMD2 safeguarding, GDPR data protection, FCA conduct standards, and LGPD processing restrictions simultaneously.
🛡️ How Data Minimization Helps
Respectlytics helps developers avoid collecting personal data in the first place—our Return of Avoidance (ROA) approach. For neobanks under multiple regulatory frameworks, this simplifies compliance operations.
RAM-Only Session Identifiers
Anonymized identifiers stored only in device memory, rotating every two hours or on app restart. Banking customers cannot be identified across app launches.
Strict 5-Field Storage
Only these fields are stored:
- event_name (e.g., "account_created")
- session_id (RAM-only, hashed)
- timestamp
- platform
- country (approximate only)
Custom Properties Blocked
The API returns a 400 error for additional fields. This prevents accidental transmission of account numbers, transaction amounts, or loan balances.
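The two mechanisms above (a RAM-only session identifier that rotates every two hours or on restart, and a server-side schema that stores exactly five fields and answers 400 to anything else) are easy to get subtly wrong, so here is an added illustration in Python. It is not Respectlytics' code and does not reflect the real API; the field names come from the list on this page, while the value rules (lower-case letters and underscores only for event names, a 64-hex-character hashed session id, integer Unix seconds, a small platform set, a two-letter country code) and the sample payloads are constructed assumptions for the example.

```python
import hashlib
import os
import re
import time

# The five stored fields, as listed on the page. Everything else is rejected.
ALLOWED_FIELDS = frozenset({"event_name", "session_id", "timestamp", "platform", "country"})

# Assumed value rules. Digits are deliberately excluded from event names so an
# amount or account number cannot ride along inside the name itself.
EVENT_NAME_RE = re.compile(r"^[a-z][a-z_]{0,63}$")
SESSION_ID_RE = re.compile(r"^[0-9a-f]{64}$")      # hex SHA-256 digest
COUNTRY_RE = re.compile(r"^[A-Z]{2}$")             # ISO 3166-1 alpha-2 only, no finer granularity
PLATFORMS = frozenset({"ios", "android", "web"})  # assumed platform set
ROTATION_SECONDS = 2 * 60 * 60                     # two-hour rotation from the page


class SessionIdentifier:
    """RAM-only session identifier.

    The secret lives only in process memory (nothing is persisted), so an app
    restart always yields a new identifier. Only the hash leaves the device,
    and the secret is replaced once it is ROTATION_SECONDS old.
    The clock is injectable so rotation can be tested without waiting.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._secret = b""
        self._created_at = 0.0
        self._rotate()

    def _rotate(self) -> None:
        self._secret = os.urandom(32)
        self._created_at = self._clock()

    def current(self) -> str:
        if self._clock() - self._created_at >= ROTATION_SECONDS:
            self._rotate()
        return hashlib.sha256(self._secret).hexdigest()


def validate_event(payload: dict) -> tuple[int, dict]:
    """Server-side check for one event. Returns (http_status, body).

    Unknown fields are rejected before anything else is inspected, so a stray
    "loan_amount" or "account_number" never reaches storage; then each of the
    five required fields is checked against its narrow shape.
    """
    extra = set(payload) - ALLOWED_FIELDS
    if extra:
        return 400, {"error": "unknown_fields", "fields": sorted(extra)}
    missing = ALLOWED_FIELDS - set(payload)
    if missing:
        return 400, {"error": "missing_fields", "fields": sorted(missing)}

    name, sid = payload["event_name"], payload["session_id"]
    ts, plat, country = payload["timestamp"], payload["platform"], payload["country"]
    if not (isinstance(name, str) and EVENT_NAME_RE.match(name)):
        return 400, {"error": "bad_event_name"}
    if not (isinstance(sid, str) and SESSION_ID_RE.match(sid)):
        return 400, {"error": "bad_session_id"}
    if isinstance(ts, bool) or not isinstance(ts, int) or ts < 0:
        return 400, {"error": "bad_timestamp"}
    if plat not in PLATFORMS:
        return 400, {"error": "bad_platform"}
    if not (isinstance(country, str) and COUNTRY_RE.match(country)):
        return 400, {"error": "bad_country"}
    # Only the five known keys are copied out, in a fixed order.
    return 200, {"stored": {k: payload[k] for k in sorted(ALLOWED_FIELDS)}}


# Constructed sample payloads (not real traffic).
SAMPLE_OK = {
    "event_name": "account_creation_completed",
    "session_id": hashlib.sha256(b"constructed-secret").hexdigest(),
    "timestamp": 1_700_000_000,
    "platform": "ios",
    "country": "BR",
}
# Same event, but the client leaked a loan amount as a custom property.
SAMPLE_EXTRA_FIELD = {**SAMPLE_OK, "loan_amount": 25000}
# Same event, but the amount was smuggled into the event name instead.
SAMPLE_SMUGGLED_NAME = {**SAMPLE_OK, "event_name": "loan_approved_25000"}


if __name__ == "__main__":
    for label, p in [("ok", SAMPLE_OK), ("extra", SAMPLE_EXTRA_FIELD), ("smuggled", SAMPLE_SMUGGLED_NAME)]:
        print(label, validate_event(p))
    print("session id:", SessionIdentifier().current())
```

Rejecting unknown keys first matters: a validator that only checks the known fields and ignores the rest would still log the extra property somewhere (request logs, error reports) before dropping it. Excluding digits from event names is an opinionated assumption made here; if your event taxonomy needs "step_2", allow digits only in a fixed suffix rather than anywhere in the name.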
What You Can Measure
✓ Account Creation Conversion
Where users drop off during KYC or document upload
✓ Feature Adoption
Which banking features drive session engagement
✓ Onboarding Completion
Session rates through verification and first deposit
✓ Geographic Trends
Country-level usage for market expansion decisions
Trade-offs (Cannot Track):
- ✗ Individual customer lifetime value across sessions
- ✗ Cross-session financial journeys
- ✗ Per-customer revenue attribution
Quick Integration
import RespectlyticsSwift
// Configure once at app launch with your API key.
Respectlytics.configure(apiKey: "your-api-key")
// Send the event name only; custom properties are not accepted by the API.
Respectlytics.track("account_creation_completed")
⚖️ Important Considerations
We Are Not Lawyers
Respectlytics provides a technical solution focused on data minimization. We do not provide legal advice. We do not claim our product satisfies any specific requirement under EMD2, FCA regulations, or BCB authorization.
Consult your legal and compliance teams to determine:
- Which financial services regulations apply based on your licenses and services
- Whether analytics implementation meets EMD2, FCA, or BCB requirements
- What third-party vendor due diligence is required
- How GDPR and LGPD apply to your analytics architecture
Data minimization reduces compliance surface area but doesn't replace regulatory compliance programs. Neobanks must still maintain AML controls, audit trails, and all financial services obligations.
Legal Disclaimer
This article provides educational information about financial services regulations and analytics architecture for neobank apps. It does not constitute legal advice. EMD2, FCA regulations, BCB requirements, GDPR, and LGPD vary based on your specific services, licensing structure, and jurisdictions. Consult your legal and compliance teams to determine applicable requirements.
Additional Resources
- Respectlytics SDK Documentation - Integration guides for Swift, Flutter, React Native, and Kotlin
- Fintech App Privacy Analytics - GDPR, PSD2, and DORA considerations
- Mobile Analytics Without Personal Data - Technical architecture deep dive