A fintech founder I spoke with earlier this year was sitting in the back of a black cab when her head of risk forwarded a letter from the FCA. The product had been live for nine months, volumes were tracking ahead of plan, the seed round had closed cleanly, and the engineering team had just pushed an update making cross-border transfers a little quicker. The letter asked, in the careful and slightly distant prose those letters tend to use, whether the firm could provide written evidence of the financial promotions sign-off process for a specific in-app banner shown to consumers in March. She had two hours to find an answer and the honest reply was that no formal sign-off had been written down, because at the point the banner was designed there were six people in the company and the legal advisor was the founder’s brother-in-law.
She is not the only founder to have lived through a version of this scene. A v1 ships on standard product-led MVP thinking. Volume grows. Around month nine to month fifteen a regulatory threshold gets tripped, a complaint reaches the FCA, or a Consumer Duty obligation becomes impossible to evidence. The founders did not get the product wrong. They got the build constraints wrong on day one. The fixable bit is upstream, by commissioning the MVP differently in the first place, with a builder who treats compliance as a design input rather than a bolt-on.

What “minimum viable” actually means in regulated payments
Outside regulated finance, the MVP playbook is well rehearsed. Strip the product to its smallest useful shape, ship it, learn from real users, iterate. The cost of being wrong about a feature is a sprint or two, and most founders coming into fintech have used the playbook before.
Inside regulated payments and consumer credit, the same instinct produces a different result. Viable in this context carries weight that the SaaS version does not. It means a real anti-money-laundering programme that an FCA supervisor would recognise as one, Strong Customer Authentication implemented to PSD2 standards rather than approximated with an SMS code, Consumer Duty design choices baked into the customer journey, evidenced fair-value statements written before the product takes its first payment, and a complaint-handling pathway that meets DISP rules. None of these are features in the product sense. They are the conditions of being allowed to operate.
The trap is that very few of them are visible to early users, which makes them easy to defer. Defer them long enough and they become the rebuild conversation eighteen months in.
The bars that cannot be retrofitted cheaply
Some compliance work really can be added later. Branding can change, copy can change, even pricing logic can change. The bars that resist retrofitting tend to be the ones tied to data architecture, audit trails, and the customer journey itself.
AML and KYC sit at the top of that list. A risk-based onboarding model is not a screen you bolt onto an existing flow; it touches identity verification providers, transaction monitoring rules, sanctions and PEP screening, SAR workflows, and the underlying data model that links a customer to their behaviour over time. SCA under PSD2 is similar in nature, with authentication factors, exemption logic, and dynamic linking that have to be designed into the payments architecture rather than added at the API edge. Consumer Duty cuts across product design, pricing, communications, and vulnerable-customer handling, and the FCA has been clear that firms must evidence outcomes. Complaint handling and FCA reporting rely on data being captured cleanly from the first transaction onwards; reconstructing a year of complaints history from logs and email threads is a piece of remediation work nobody enjoys paying for.
These are the items where a discovery-first build pays back the most. Designed in at the start they cost weeks; reverse-engineered into a live product with paying customers they cost months and sometimes the runway.
What 2025 enforcement suggested for 2026 builds
The FCA imposed total fines of £124,221,367.45 across 2025 (FCA, 2025), and the published reasoning behind the larger ones is worth reading if you are commissioning a fintech build this year. Monzo Bank Limited was fined £21.1m, with the enforcement notice specifically citing the way rapid customer growth had outpaced the maturity of its compliance infrastructure. Nationwide Building Society, a much older institution, was fined £44.1m for breaches of Principle 3 covering systems and controls, which is a useful reminder that systems-and-controls gaps are not a startup-only problem. The FCA also disclosed six open investigations into potential Consumer Duty fair-value breaches in 2025, and confirmed it was using supervisory tools to restrict firms during investigations, including paused product lines, mandated remediation, and required customer communications. Across the UK and US, fintechs and payment processors paid out more than $160m in 2025 for inadequate fraud and AML controls.
The lesson sitting underneath those numbers has nothing to do with fintech being too dangerous to build in. The FCA is increasingly willing to look at how a firm’s controls scaled with its volumes, and to act when the answer is “they did not”. For a 2026 founder, the brief shifts from “what is the smallest product I can ship to validate demand” towards “what is the smallest product I can ship that would still hold up under a credible supervisory letter at five times today’s volume”. Those are different briefs and they produce different builds.
What a compliance-aware MVP build actually looks like
Discovery work for a regulated MVP looks more like a structured conversation than a sprint plan. A serious builder sits with the founders and the prospective MLRO and walks the product flow asking awkward questions. Where does customer money sit, and under whose permissions? What is the threshold above which transactions trigger enhanced due diligence? Which parts of the product touch credit, which touch payments, and which touch e-money, given that the regulatory wrapper differs for each? Who signs off financial promotions and where is that recorded? What does the customer journey look like for someone in financial difficulty, and how is vulnerability identified? The output is a threat model, an AML control design, a transactional architecture diagram, and a consent-and-disclosure design the engineering team can build against.
This is the kind of work that London bespoke software developers building compliance-aware fintech MVPs are set up to handle. These firms build full custom fintech platforms from scratch as a primary line of work, and they also build smaller focused internal applications and v1 products for founders who need a defensible MVP rather than a stitched-together prototype. Both come from the same client conversations and use the same discovery-first method, with regulatory design treated as a build input alongside data integrity and latency.
Cost reality
UK fintech MVP cost bands sit higher than the SaaS equivalents most founders benchmark against, because the work being done is not the same. A standard MVP in the UK runs roughly £25,000 to £80,000 over ten to twenty weeks. A complex or regulated MVP, with proper AML design, SCA flows, audit logging, and Consumer Duty evidencing baked in, sits in the £60,000 to £200,000-plus range over three to six months. A recent UK guide to MVP development costs and timelines breaks the bands down further by feature set and team composition. Day rates feed into all of this; senior .NET contract rates were running at a £588 median in April 2026 according to ITJobsWatch, and a credible regulated MVP team usually pulls together senior backend, a security or compliance-aware lead, a product specialist who has been through an FCA supervisory cycle before, and design.
The figure that gets quoted at founders most often is that 68% of MVPs fail after launch. Used carelessly that statistic is misleading, because the dominant reason MVPs fail is the CB Insights finding that 42% of startups die from no market need. The fintech-specific failure mode sits alongside that one, and is the rapid-growth-outpacing-controls pattern the FCA enforcement notices keep describing. It is avoidable at commissioning time.
A different conversation at month nine
Founders who design the regulatory wrapper into their build from week one tend to have a different month-nine conversation than the one in the cab. The question stops being “can we evidence what we did” and becomes “which of these volume thresholds do we want to design through next, and on what timeline”. The FCA’s 2025 actions are pushing the market towards that position more firmly than at any point in the last decade. If you are commissioning a fintech build in 2026, the team you choose is doing more than writing code; they are setting the ceiling on how large you can scale before the next rebuild conversation arrives.
Author

Aghiath Chbib - Established executive with close to 2 decades of proven successes driving business development and sales across Europe, the Middle East, and North Africa. Expert knowledge of cybersecurity, lawful interception, digital forensics, blockchain, data protection, data and voice encryption, and data centers. Detail-oriented, diplomatic, highly ethical thought leader and change agent equipped with the ability to close multi-million-dollar projects allowing for rapid market expansion. Business-minded professional adept at cultivating and maintaining strategic relationships with senior government officials, business leaders, and stakeholders. Passionate entrepreneur with an extensive professional network comprised of hundreds of customers with access to major security system integrators and resellers.
