The settlement with which Block, the payments company chaired by Jack Dorsey, closed the claims of 46 U.S. states for $45 million marks far more than a simple fine. The case – inadequate fraud handling on Cash App, the group’s money-transfer and digital-banking platform – highlights a realignment of regulatory power that is already shaping technology choices at fintech companies, especially those integrating artificial intelligence systems.

With the federal Consumer Financial Protection Bureau (CFPB) retreating under the new administration, the states have filled the void. The result is a fragmentation of oversight that forces anyone dealing with financial data to rethink the control and location of their infrastructure. For those developing LLMs for fraud detection or risk assessment, the stakes are twofold: algorithm accuracy on the one hand, and the ability to demonstrate, during audits, that personal data never left a certified perimeter on the other.

A new front for financial regulation

The Trump administration has drained the CFPB’s aggressiveness, but it hasn’t extinguished public interest. It’s no accident that forty-six states moved: where the federal government withdraws, consumer protection becomes a local political battleground. The result is a regulatory patchwork in which any state attorney general can demand accountability for security procedures, fraud reporting, and the transparency of automated systems that make decisions affecting accounts.

For a company like Block, which moves billions of dollars through Cash App, the fine is a cost, but the real impact is operational: adapting to disparate demands requires flexible architectures, with data easily segregable by jurisdiction. That’s why the settlement isn’t just for the lawyers – it directly challenges those who design the data infrastructure, an increasingly pivotal role in AI-driven fintechs.

The sovereignty factor

The temptation to dump everything onto the public cloud is strong, but multi-state compliance introduces a risk factor that makes self-hosting or on-premise deployment more attractive. When a fraud-detection algorithm trained on millions of transactions must prove it hasn’t exposed personal information outside permitted boundaries, running models and data on owned machines in dedicated data centers simplifies audits and reduces the regulatory attack surface. This isn’t just about privacy: it’s a matter of compliance TCO, where penalties from insufficient protection can outweigh the savings gained with shared infrastructure.

In this landscape, hybrid architectures are gaining ground: LLM inference happens locally, on corporate servers, while only anonymized or aggregated results are exposed via APIs. Those involved in on-premise deployment for AI workloads know the trade-offs mostly concern computational efficiency and horizontal scalability, but when data sovereignty enters the equation, the calculus shifts. And the Cash App story shows that regulators, even at the state level, don’t cut any slack.