the survival stack

Why neobanks die: the compliance stack behind $245M-a-week crypto cards

July 7, 2026 · 10 min read · ← all posts · the U-card index

Last week crypto-card top-ups hit an all-time high: over $245M in a single week, 18% above anything previously recorded, per Paymentscan ↗. Demand is emphatically not the problem. And yet the honest read of the last eight years is that most of the companies riding that chart will not exist when the market is ten times bigger — not because users leave, but because of what they built underneath. This post maps the stack that actually decides who survives, layer by layer, grounded in our data on 365 tracked neobanks.

the core numberOf the 365 neobanks we track, only 92 hold a full banking licence. The other 273 operate on rented rails — e-money licences, partner banks, BIN sponsors, card issuers. Every one of those relationships is a kill switch someone else's compliance team can flip. The licence structure is stated on every profile page.

The graveyard has a pattern

YearEventThe lesson
2018Visa terminates WaveCrest, the issuer behind most of Europe's crypto cardsEvery card in the portfolio died overnight — Bitwala, TenX, Cryptopay and more, in one stroke
2020Wirecard collapses; the FCA freezes Wirecard Card SolutionsCurve, Pockit, Anna and dozens of "real" fintechs went dark for days — customer funds untouchable
2022FTX implodesCommingled customer funds are an insolvency bomb, whatever the terms of service say
2023Binance loses Visa in Europe (July), then Mastercard in LatAm and the Middle East (September)Network confidence is a compliance judgment; when it goes, the card is gone by Christmas
2026Ready (ex-Argent) cuts all non-EEA cards after its issuer Kulipa changed footprint — users got one hour's noticeSelf-custody protects the assets, not the spending rail; the card layer is always someone else's decision

Five failures, one mechanism: the customer-facing brand didn't control the layer it died on. The names change, the lesson doesn't.

Layer 1: the card — a three-party relationship you're the junior partner in

A card program is you, your issuer, and the network — and the network's due diligence sits on top of the issuer's. If either loses confidence in your screening, monitoring or KYC, the card stops. Not gradually. The Ready case is the clean demonstration: a self-custodial USDC card, assets fully safe on-chain, and spending still ended with sixty minutes' warning because a Paris-registered e-money issuer tightened its footprint.

Our dataset makes the dependency visible. All 35 web3-native card programs we track ride on a thin layer of BIN sponsors and issuing platforms: Rain (behind Karta and Hyperbeat's card), Baanx (behind MetaMask Card), Wirex (behind COCA), DCS, Immersve and Fiat24 (splitting Bitget Wallet's geography three ways), Marqeta (behind BFinance). That concentration is exactly the WaveCrest topology of 2018, one layer more professional. When one of these sponsors sneezes, a dozen brands catch pneumonia simultaneously.

And the bar keeps rising. Starling — a fully licensed UK bank — was fined £29M in 2024 because its automated system had screened customers against only a fraction of the sanctions list for years. If that's the standard applied to a licensed bank, imagine the diligence a network runs on a two-year-old stablecoin card startup.

Layer 2: ramps — a compliance event before it's a UX event

Every on-ramp is an account opening: identity, source of funds, risk scoring before a dollar moves. Every off-ramp is where regulators actually look, and where teams underinvest because users don't see it. The failure mode is predictable: screening happens at signup and never again, the banking partner pulls a transaction sample at quarterly review, the per-transaction trail isn't there, and the relationship ends at the worst possible moment. The SurfCash-style QR-rail products make this concrete — every VietQR or Pix payout is an off-ramp with a local counterparty, which is why "licensed local partners" appears in their structure and why that line matters more than the app design.

Layer 3: earn — the ledger question that kills diligence

Yield products look like a product decision and are actually a legal-structure decision. The question that ends shared-vault architectures is one sentence: show me the ledger entry for user X's balance. If the answer requires reconstructing it from pool accounting, there is no answer — not for a banking partner, not for a regulator, not for an insolvency court. FTX is the terminal case study of commingling; every "up to 15%" headline in our dataset should be read with that question in mind, and it's why we record yield claims verbatim rather than endorsing them.

Europe adds a twist most teams haven't priced in: MiCA prohibits paying interest on e-money tokens — euro stablecoin balances can't earn as stablecoins. The compliant path runs through tokenized T-bills and RWA wrappers, where yield comes from an underlying asset rather than the token. Whoever industrializes that first owns European earn. Background: MiCA and the crypto neobanks.

Layer 4: rewards — the cheapest layer to get wrong

Rewards with monetary value carry reporting obligations, and paying them in your own token adds volatility risk for the user plus securities-classification risk for you. The clean structure is boring: fund from interchange, pay in a regulated instrument, reconcile per user per period. The dataset already shows the pattern of promotional gravity: Kolo quietly cut its headline cashback from 5% to 2%, Lava reversed its entire custody model after raising $200M. Terms are variables, not constants — which is precisely why the U-card comparison tracks them as claims.

Layer 0: screening — the layer underneath everything

Most teams assemble compliance reactively: something breaks, a partner flags a transaction, then the stack gets built. The survivors build it in the opposite order — screening and monitoring before the card, source-of-funds framework before the ramp volume, isolated ledger before the earn product. Point tools (Chainalysis, Elliptic, TRM, Sumsub, ComplyAdvantage and peers) each do a slice well, but every gap between tools is a reconciliation problem discovered during an audit.

There's a newer twist: your compliance vendor is now itself a counterparty risk. In February 2026, researchers reported that a database linked to KYC provider IDMerit had exposed roughly a billion identity records across 26 countries (the company disputes that its own systems were breached). The identity data you're required to collect is also the data you're liable for — choosing who holds it is a survival decision, not a procurement line item.

What this means for reading the chart

The $245M week is real, and it's not a card story or a yield story — it's a stress test arriving on schedule. As volumes grow, issuer diligence tightens, network reviews deepen, and the gap between "shipped fast in year one" and "rebuilt everything in year two" becomes existential. When you compare neobanks in our directory, the fields that predict survival aren't cashback and APY — they're the boring ones: licence type, custody model, and who actually issues the card. We put them on every profile for exactly this reason.

Volume data: Paymentscan (July 2026). Historical events compiled from public reporting — FCA notices, network statements, court filings; licence and issuer structures per entity are sourced on each profile. Nothing here is legal or investment advice. Spotted an error? Suggest a fix.