Panama's 2026 Fintech Law, a Practical Roadmap for Payment Firms, Vasps and Banks

Panama’s panama fintech law landscape is undergoing its most significant transformation in over a decade, driven by the draft Framework Fintech Law 2026 and updated rules from the Superintendencia de Bancos de Panamá (SBP). For years, commentators described the regulatory environment for FinTech in Panama as a “legal nothingness”, a patchwork of general banking and AML statutes with no dedicated framework for payment service providers, virtual asset service providers, or digital wallet operators. The draft legislation and accompanying SBP Rule updates now propose to close that gap with new licensing categories, strengthened AML/CTF reporting mandates, and explicit supervisory expectations around bank access.

This guide provides the operational roadmap that founders, compliance officers and banking-relations teams need to navigate the 2026 changes, from licensing triggers and payment-flow mapping through to assembling a bank-pack that satisfies both local and correspondent banks.

Executive Summary: What the 2026 Framework Fintech Law Changes and Why It Matters

The draft Framework Fintech Law represents Panama’s first attempt at a unified, proportional licensing regime for FinTech activities. Previously, only general rules applied, most notably Law No. 23 of 2015 (AML) and the broader Banking Law administered by the SBP, leaving significant regulatory uncertainty for payment processors, crypto exchanges, and lending platforms. The 2026 changes aim to resolve that ambiguity in three critical ways.

• Licensing re-categorisation. The draft law introduces distinct licence types for payment service providers (PSPs), virtual asset service providers (VASPs), and entities conducting “PSP-like” intermediation. Each category carries different capital, governance, and reporting requirements proportional to the risk profile of the activity.
• Stronger AML/CTF reporting. The SBP Rule updates align supervisory expectations with FATF guidance, requiring enhanced customer due diligence, transaction monitoring thresholds, suspicious activity reporting (SAR/STR), and, for VASPs, on-chain wallet tracing and attestation obligations.
• Bank-access expectations. For the first time, the regulatory framework explicitly addresses the relationship between licensed FinTechs and the banking system, setting expectations for what a “bank-pack” submission must contain and providing a pathway for supervised entities to secure and maintain commercial bank accounts.

Industry observers expect the draft law to move through the Asamblea Nacional in the second half of 2026, with a transitional period for existing operators. The SBP has already signalled it will begin accepting pre-applications and informal consultations ahead of formal enactment, making immediate preparation essential for any firm operating in or targeting the Panamanian market.

Quick Decision Framework: Should You Apply, Restructure, or Wait?

Before diving into licensing categories and compliance checklists, every FinTech team needs to answer one threshold question: does this panama fintech law apply to us, and if so, what should we do right now? The answer depends on three scenarios.

Decision Tree, Three Scenarios

• Scenario A: You conduct in-scope activity in Panama. If your entity is incorporated in Panama and you accept, transmit, or process payments (fiat or crypto), provide custody of virtual assets, or operate an exchange with fiat on/off ramps, a licence will almost certainly be required. Action: Begin the licensing application process immediately, map your payment flows, prepare your bank-pack, and engage Panama counsel.
• Scenario B: Panamanian-facing customers, but hosted abroad. If your platform serves Panamanian customers but is domiciled elsewhere, the draft law’s jurisdictional scope provisions are relevant. Early indications suggest that entities actively marketing to or onboarding Panamanian residents will trigger registration obligations, even if the technology infrastructure sits outside the country. Action: Obtain a formal legal opinion on jurisdictional exposure, and prepare a contingency plan for either local licensing or geo-blocking.
• Scenario C: Pure technology provider. If your company provides white-label software, APIs, or infrastructure to licensed PSPs or VASPs but does not itself hold customer funds or control payment flows, the licensing trigger is unlikely to apply. Action: Document your role clearly, ensure contracts allocate regulatory responsibility to the licensed entity, and monitor the final law for any “significant outsourcing” provisions that could bring you into scope.

The practical effect is that most FinTech operators with Panamanian touchpoints should be preparing now, either for a full licence application or for a formal assessment of their regulatory exposure under the new framework fintech law Panama is introducing.

Licensing Categories Under the Panama Fintech Law 2026 and SBP Rule Updates

The draft legislation creates a tiered licensing structure, supervised by the SBP. Understanding which category your activity falls into is the single most important compliance decision under the panama fintech law 2026 framework.

Definitions and Thresholds

The draft law defines three primary categories of licensable activity:

• Payment Service Provider (PSP). Any entity that accepts, processes, transmits, or settles fiat-denominated payments on behalf of third parties. This captures merchant acquirers, payment gateways, remittance operators, and e-money issuers. PSP licensing Panama requirements include minimum capital thresholds, operational resilience standards, and reconciliation reporting obligations.
• Virtual Asset Service Provider (VASP). Any entity that provides exchange between virtual assets and fiat currencies, exchange between one or more forms of virtual assets, transfer of virtual assets, or safekeeping and/or administration (custody) of virtual assets. Panama VASP licensing will require enhanced AML controls, wallet tracing capabilities, and cold-wallet attestation procedures.
• PSP-like intermediaries. A catch-all category for entities that facilitate payments or value transfer without directly holding funds, for example, payment initiation service providers or account information aggregators. The regulatory burden is lighter, but registration and basic AML compliance are still required.

Trigger Examples by Payment Flow

Licensing triggers are best understood by tracing the payment flow rather than reading abstract definitions. Consider the following:

• Receiving fiat from customers into a pooled account. This triggers PSP licensing because the entity exercises control over customer funds, even temporarily.
• Providing custody of crypto assets. This triggers VASP licensing because the entity holds private keys or equivalent control on behalf of clients.
• Operating a fiat on/off ramp for a crypto exchange. This likely triggers both PSP and VASP licensing, depending on the entity’s role in the payment chain.
• Facilitating peer-to-peer settlement without touching funds. This may fall under the PSP-like category, requiring registration but not a full licence.

Payment-Flow Mapping Under the Panama Fintech Law: Step-by-Step Template

Payment flow mapping Panama is the operational foundation for every licensing decision and bank-pack submission. Banks and the SBP will expect a clear, visual diagram of exactly how funds move through your system, who touches them, where they rest, and what controls apply at each stage. Without this, neither a licence application nor a bank account opening will succeed.

How to Map: Data Required, Participants, and Rails

1. Identify every participant. List the payer, payee, your entity, any intermediary banks, payment processors, wallet providers, and settlement agents involved in each transaction type.
2. Trace the movement of funds. For each transaction type, draw the path from source (customer’s bank account, card, wallet) through your platform to destination (merchant, exchange, recipient wallet). Mark every point where funds are held, even momentarily, by your entity.
3. Label the rails. Specify whether each leg of the flow uses ACH, wire transfer, card network, blockchain, or internal ledger. This determines which regulatory regime governs each leg.
4. Annotate control points. At each point where your entity holds, converts, or redirects funds, note the applicable licence category (PSP, VASP, PSP-like) and the AML controls in effect (KYC check, transaction screening, SAR threshold).
5. Document custody arrangements. For any leg involving virtual assets, specify the custody model (hot wallet, cold wallet, third-party custodian), key management procedures, and attestation frequency.

Three Real-World Examples

Example A: Cross-border merchant PSP. A Panamanian-incorporated company receives USD payments from international customers via card networks, settles into a local pooled bank account, then disburses to Panamanian merchants minus fees. The PSP licence is triggered at the point the entity holds funds in the pooled account. The bank-pack must include the merchant onboarding policy, the reconciliation process, and proof that customer funds are segregated from operational capital.

Example B: Crypto exchange with fiat rails. An exchange allows Panamanian users to deposit USD via local bank transfer, convert to BTC/USDT, and withdraw to external wallets. Both VASP and PSP triggers are engaged, the fiat deposit leg triggers PSP obligations, and the crypto custody/exchange triggers VASP obligations. The bank-pack must include both fiat flow diagrams and on-chain tracing procedures.

Example C: Non-custodial wallet provider. A wallet application that allows users to manage their own private keys and interact with decentralised exchanges, without the provider ever holding custody. Under the draft law, the likely practical effect will be that this entity falls outside the VASP licensing requirement, but it should still document the non-custodial architecture clearly, as banks and regulators will want written confirmation that the provider does not control user assets at any point.

Bank-Pack Checklist: What Banks Expect Under the Panama Fintech Law

Securing bank access Panama fintech companies need is the single biggest operational bottleneck. Panamanian commercial banks and their correspondent banking partners conduct intensive due diligence before onboarding FinTech clients. A well-prepared bank-pack significantly accelerates this process and reduces the risk of account refusal or closure.

Core Bank-Pack Documents

1. Corporate documents. Certificate of incorporation, articles of association, shareholder register, UBO declaration (with passport copies and proof of address for all beneficial owners holding 10% or more).
2. Ownership and group structure chart. Visual diagram of the corporate group showing all entities, jurisdictions, and ownership percentages down to the ultimate beneficial owners.
3. Business plan and financial projections. A clear narrative of the business model, revenue sources, target markets, projected transaction volumes, and a 12-month cash flow forecast.
4. Payment-flow diagrams. The diagrams produced in the mapping exercise above, covering every transaction type, rail, and custody point.
5. AML/CTF policy. The complete policy document, not a summary, covering KYC procedures, transaction monitoring rules, SAR/STR reporting processes, PEP and sanctions screening, and staff training schedules.
6. Compliance officer appointment. Name, qualifications, and contact details of the designated compliance officer, plus evidence of their authority within the organisation.
7. Technology and security documentation. Description of the technology stack, data storage locations, encryption standards, penetration testing reports, and business continuity plans.
8. Regulatory status. Copies of any existing licences (domestic or foreign), confirmation of licence applications in progress, and evidence of regulatory correspondence with the SBP.
9. Wallet and address documentation (VASPs only). List of corporate wallet addresses, cold-storage procedures, multi-signature governance protocols, and third-party audit reports.
10. Sample KYC file. A redacted example of a completed customer onboarding file demonstrating the KYC process in practice.

Sample Transaction Table for Bank Submissions

AML/CTF and Compliance Controls Aligned to SBP Expectations Under the Panama Fintech Law

The SBP’s updated rules bring Panamanian AML CTF Panama fintech expectations into closer alignment with FATF Recommendations and the standards imposed by correspondent banking partners. Firms that fail to meet these expectations face not only regulatory sanctions but, more immediately, loss of bank access.

KYC Tiers and Transaction Monitoring

The framework establishes tiered KYC obligations based on transaction value and customer risk profile:

• Simplified due diligence. Available for low-value, low-risk transactions (e.g., small-balance e-wallets below defined thresholds). Basic identity verification, limited to name and government-issued ID number.
• Standard due diligence. Required for most customer relationships. Includes full identity verification, proof of address, source-of-funds declaration, and PEP/sanctions screening.
• Enhanced due diligence. Mandatory for high-risk customers, including PEPs, customers from high-risk jurisdictions, and any account exceeding elevated transaction thresholds. Includes ongoing monitoring, periodic re-verification, and senior management sign-off.

SAR/STR Reporting and Sanctions Screening

All licensed entities must file suspicious activity reports (SARs) and suspicious transaction reports (STRs) with the Unidad de Análisis Financiero (UAF) in accordance with Law No. 23 of 2015. The SBP Rule updates reinforce the expectation that FinTechs implement automated transaction monitoring systems calibrated to their specific risk profile, not generic off-the-shelf rules. OFAC and UN sanctions screening must be applied to all customers and counterparties at onboarding and on an ongoing basis.

VASP-Specific Controls

For VASPs, the SBP expects additional controls that reflect the unique risks of virtual assets:

• On-chain analytics. Use of blockchain analysis tools to screen wallet addresses against known illicit clusters, sanctioned addresses, and darknet-associated wallets.
• Travel Rule compliance. Implementation of protocols to transmit originator and beneficiary information alongside virtual asset transfers, in line with FATF Recommendation 16.
• Cold-wallet attestations. Periodic third-party audits confirming the existence and control of assets held in cold storage.
• Proof-of-reserves reporting. Regular (at least quarterly) disclosure of reserves backing customer balances, verifiable against on-chain records.

Correspondent Banking Panama: Commercial Bank Access Strategies

Even with a licence in hand, securing and maintaining correspondent banking Panama relationships remains the most challenging operational hurdle for FinTechs. De-risking pressures on Panamanian banks, driven by their own correspondent banking partners in New York, London, and Frankfurt, mean that FinTech account openings face intense scrutiny. The panama fintech law reforms are designed in part to address this dynamic by giving banks regulatory comfort through the licensing regime, but practical challenges remain.

How to Prepare the Business Case

Banks evaluate FinTech clients on risk-adjusted revenue potential. Your business case must demonstrate:

• Predictable, transparent transaction flows. Use the payment-flow diagrams from your bank-pack to show exactly how funds move and where risk concentrates.
• Robust AML infrastructure. Emphasise your compliance programme, not just the policy document but the technology, team, and processes behind it.
• Revenue contribution. Quantify the fee income, deposit balances, and cross-sell opportunities the bank will gain from the relationship.

Pitching the Bank, Key Talking Points

• Regulatory status. Lead with your licence (or application status) and reference the SBP’s supervisory framework as providing comfort to the bank’s compliance team.
• Segregation of funds. Confirm that customer funds will be held in segregated accounts and that operational funds are clearly distinguished.
• Transaction filtering and carve-outs. Offer to implement specific transaction filters (e.g., excluding high-risk jurisdictions, capping single-transaction values) if the bank’s risk appetite requires it.
• Correspondent bank alignment. Ask the relationship manager which correspondent bank reviews their FinTech clients, and tailor your documentation to that correspondent’s known due diligence requirements.

Handling Adverse Decisions and Remediation

If a bank declines the relationship or threatens closure, the following remediation steps are available:

• Request specific deficiency feedback. Ask the bank’s compliance team to identify exactly which elements of your submission were insufficient. Remediate and re-submit.
• Offer operational carve-outs. If the bank’s concern relates to a specific transaction type (e.g., crypto-related flows), offer to exclude that activity from the account and process it through a separately banked entity.
• Escalate through the SBP. Under the new framework, the SBP has signalled its interest in ensuring that licensed FinTechs can access banking services. While the regulator cannot compel a bank to open an account, early indications suggest that formal licensing status will carry weight in supervisory dialogues.

Practical Next Steps and Recommended Timeline for Panama Fintech Law Compliance

The following six-step timeline provides a structured approach for founders and compliance teams preparing for the 2026 changes:

1. Days 0–30: Map all payment flows. Complete the payment-flow mapping exercise described above. Identify every licensing trigger and custody point. Document non-custodial arrangements in writing.
2. Days 0–30: Engage Panama counsel. Obtain a formal legal opinion on your licensing category and any jurisdictional exposure questions. Do not rely solely on secondary commentary.
3. Days 30–60: Assemble the bank-pack. Compile all documents listed in the bank-pack checklist. Prepare the AML/CTF policy, payment-flow diagrams, and sample KYC files.
4. Days 30–90: Upgrade AML infrastructure. Implement or upgrade transaction monitoring systems, sanctions screening tools, and (for VASPs) on-chain analytics platforms. Test and calibrate rule sets to your actual transaction profile.
5. Days 60–90: Initiate bank conversations. Approach target banks with the completed bank-pack. Prioritise banks known to have FinTech-friendly compliance teams and active correspondent relationships.
6. Days 90–180: Submit licence application. Once the formal application window opens (or pre-application consultations become available), submit a complete application to the SBP. Expect iterative rounds of supplementary questions, responsiveness is critical to timeline.

The first three actions any FinTech team should take with their bank are: (1) provide the complete payment-flow diagram unprompted, (2) disclose all virtual-asset-related activity transparently, and (3) offer a face-to-face meeting between the compliance officer and the bank’s compliance team. Industry observers expect that proactive transparency in these areas will be the strongest predictor of successful bank onboarding under the new regime.

Appendix: Sample Bank-Pack Index and Downloadable Templates

The following index summarises the documents that should be compiled into a single, professionally formatted bank-pack for submission to Panamanian commercial banks and their correspondent partners:

1. Corporate documents pack. Incorporation certificate, articles, shareholder register, UBO declarations with supporting ID.
2. Group structure chart. Visual diagram with ownership percentages and jurisdictions.
3. Business plan and financial model. 12-month projections with revenue breakdown by product and geography.
4. Payment-flow diagrams. One diagram per transaction type, annotated with licence triggers and AML controls.
5. AML/CTF policy (full document). Including KYC tiers, transaction monitoring rules, SAR/STR procedures, and sanctions screening.
6. Compliance officer profile. CV, appointment letter, and evidence of reporting authority.
7. Technology and security summary. Architecture diagram, encryption standards, pen-test results, BCP.
8. Regulatory status file. Copies of licences, applications, SBP correspondence.
9. Wallet documentation (VASPs). Address list, cold-storage procedures, audit reports.
10. Sample KYC file. Redacted example of a completed onboarding.

Preparing this pack in advance, before approaching any bank, demonstrates institutional seriousness and dramatically reduces the time from first meeting to account activation. Firms seeking assistance with bank-pack preparation and Panama fintech law compliance should contact a qualified FinTech lawyer through the Global Law Experts directory.

Sources

1. Superintendencia de Bancos de Panamá, Banking Law
2. Global Law Experts, Panama Fintech Law 2026
3. Kraemer & Kraemer, Crypto and Fintech Regulations Coming to Panama
4. Lexology, The Legal Nothingness of Fintech in Panama
5. Chambers and Partners, FinTech Legal Panama Rankings
6. Central Law, Panama Fintech Overview
7. Revista UP (University of Panama), Fintech en Panamá