Why financial institutions are a top-tier accessibility target
Two regulators, one of the densest dockets in digital accessibility.
In the United States, financial services has sat in the top five sectors for ADA Title III digital-accessibility filings every year since the docket started being tracked at scale. Banks have settled high-profile class actions over inaccessible mobile apps, untagged PDF statements, and IVR systems that offered no escape to a human agent for screen-reader users. The "no physical nexus" defence — never strong for retail banking, which has branches — has collapsed further as online-only neobanks have grown; multiple circuits have rejected it outright, and parallel state-court filings under California's Unruh Act and New York's State Human Rights Law have grown the overall exposure even where federal claims falter.
In the European Union, the European Accessibility Act names "banking services for consumers" explicitly in Article 2(2)(e) — covering retail current accounts, savings, consumer loans, mortgages, and the digital channels that deliver them. Public-sector banks were already bound by the Web Accessibility Directive (WAD) since 2018; the EAA pulls in the private sector and the consumer-facing fintech layer alongside it. The microenterprise carve-out catches almost no real bank or licensed payment institution, and EN 301 549 — which the EAA references for technical conformance — is built on WCAG 2.2 success criteria.
The product-specific risk surfaces concentrate in five places. First, two-factor authentication flows that use aggressive 30-60s SMS-OTP timeouts and six-input code grids without correct aria-labelling. Second, PDF statement archives and tax-form delivery — a single untagged PDF/UA-non-conformant statement is enough to support a demand letter. Third, IVR systems without an early "press 0 for an agent" escape for users who cannot navigate menu trees by ear. Fourth, signature pads and identity-verification flows that rely on mouse-only drag-drop or unlabelled signature widgets. Fifth, mobile-banking app surfaces — VoiceOver / TalkBack labelling, biometric-prompt accessibility, and locked-screen widgets, each a separate audit surface on each platform.
The cost of inaction is concrete, and it lands in two places simultaneously: legal exposure and reputational risk. US ADA settlements against banks typically run materially higher than the $20,000-$50,000 first-defendant baseline seen in pure-ecommerce filings, because the plaintiffs-side firms know the regulator overlay is denser — a fair-banking angle, a CFPB consent-order possibility, an OCC supervisory question — and they price accordingly. In the EU, the EAA fine schedule is set at member-state level and ranges from the low five figures in some jurisdictions to a meaningful percentage of turnover in others; Germany, France, Italy, Spain, and the Netherlands all stood up enforcement teams during 2025 and began issuing the first round of fines in 2026. The reputational cost compounds: a single screenshot of an inaccessible mobile-banking screen, shared by a customer with a large disability-community following, has moved share price for at least one major US bank in the last five years.
The good news is that FI accessibility is a knowable shape. The same dozen failure modes recur across virtually every audit of a retail-banking, neobank, or payments-app product, and most are fixable in design tokens, shared-component libraries, or a focused engineering sprint — not a full rebuild. The checklist below is what we hand FI engineering and compliance teams when they ask "where do we actually start?" — six surfaces, five concrete checks per surface, all anchored to WCAG 2.2 AA and to the EN 301 549 functional-performance statements that the EAA technically references.
The 30-point checklist for FI products
Six surfaces × five checks. Print it, tick it, then audit it.
-
01 Account & onboarding
-
02 Authentication & 2FA
-
03 Transactions & payments
-
04 Statements & documents
-
05 Mobile app surfaces
-
06 Customer support
Platform-by-platform implementation notes
Where the checklist lands in code, by the platforms FI teams actually ship on.
Temenos, FIS, Finastra — core-banking tenancy
The big three core-banking vendors all ship customer-facing online-banking front-ends as tenant-configurable templates layered over a platform shell. The platform passes a baseline, but every customisation — your brand colours, your custom widgets, your CSR/agent handoff — adds risk you own, not the vendor. Ask Temenos / FIS / Finastra for their current VPAT or EN 301 549 conformance report against the specific product version you are deployed on, then audit your own customisation layer separately. The recurring failure mode is custom transaction widgets dropped into an otherwise-conformant shell without inheriting the shell's keyboard and screen-reader handling.
Plaid, Yodlee, MX — data-aggregator embeds
Account-linking is one of the most-used flows in modern fintech and almost universally
delivered as a third-party-embedded iframe. Plaid Link, Yodlee FastLink, and MX Connect all
ship accessibility-aware widgets, but the iframe boundary breaks focus management on entry
and exit — focus often drops to <body> when the modal closes, and screen
readers lose the announcement of "linked successfully". Wrap the embed in your own
aria-live region, restore focus to a known anchor on close, and test the failure paths
(institution unavailable, MFA challenge) explicitly with assistive tech.
Stripe, Adyen — payment-element accessibility
Stripe Payment Element and Adyen Drop-in are both materially better than the legacy "card iframe" generation, but each ships in an iframe with its own focus and live-region handling. The most common bug is the parent page's submit button not waiting for the iframe's focus state to settle — leading to silent submission failures that the screen reader never announces. Wire the iframe-onReady / onChange events to a parent-level aria-live status region, and never disable the submit button without a textual reason announced via aria-describedby.
DocuSign, Adobe Sign — e-signature flow
E-signature flows are one of the most-cited litigation surfaces in US ADA bank cases, because the signature widget is often the gating control on a loan agreement, a mortgage disclosure, or a card-application document. DocuSign and Adobe Sign both ship accessibility features (keyboard signing, screen-reader-announced fields), but each requires the envelope-builder on your side to apply them — the platform defaults do not. Configure envelope templates with explicit field labels, accessible reading order, and a non-image signature option (typed-name signature) before sending any production envelope.
Bloomberg Terminal-style trading UIs
Specialty desktop and web trading UIs are a known accessibility gap, with most platforms optimised for keyboard speed for sighted power users — not for screen-reader users. If you are building a custom trading or treasury UI, treat each cell of the watchlist / order book as a labelled landmark, expose updates via aria-live with throttling (or you will flood the assistive-tech queue), and ship a non-real-time read-only mode for users whose assistive tech cannot keep up with sub-second updates. Bloomberg-style density is achievable accessibly, but only with deliberate engineering — it is not free, and it is not what your framework defaults will give you.
Native iOS / Android banking apps
The mobile-banking app is the highest-traffic surface for most retail banks and the densest litigation target in US ADA mobile filings. On iOS, every interactive element must carry an accessibility label, accessibility traits set correctly (button vs. header vs. adjustable), and a logical accessibility-element order that does not skip the active-account selector or the transfer amount. On Android, the parallel requirements are content-description on every clickable view, correct importantForAccessibility on decorative ones, and TalkBack order verified manually — not just inferred from layout. Run XCUITest and Espresso a11y assertions in CI as a backstop, but never as a substitute for a real assistive-tech pass on every release candidate.
The monitoring + audit cycle
A one-time audit doesn't survive a single banking sprint.
Banks and fintechs deploy as frequently as any modern software team. Marketing flips a rate-card hero on Tuesday, the lending team ships a new pre-qualification flow on Thursday, a third-party widget pushes an update over the weekend. A one-time accessibility fix lasts about as long as your next sprint — which is why the model that actually holds for FI teams is three layers, not one. Each layer catches different defects, and the layers are not substitutes for each other.
First, run a free WCAG 2.2 scanner against your public marketing site and online-banking landing pages today, to establish a baseline. Second, plug in continuous automated monitoring against every preview build and every production deploy — this is the layer that catches regressions before the customer does, and the only layer that scales to the deploy cadence a real bank ships at. Third, commission a manual audit by testers with disabilities at least annually, and after any major redesign, replatform, or new-product launch — automated tooling will never catch screen-reader legibility of a transaction confirmation, focus-order intent on a 2FA flow, or whether a sign-up flow is actually usable end-to-end. Statement archives in particular need manual testing; see accessible PDFs end-to-end for the PDF/UA workflow.
For the monitoring + manual-audit handoff specifically, our monitoring buyer's guide covers the platforms that handle the scan-to-audit workflow end-to-end — Qualibooth, axe Monitor, Siteimprove, and Level Access. Pick on three FI-specific criteria: integration fit with your CI and your change-management process; whether the platform's manual-audit network actually includes testers with the disabilities your customers have (cognitive, motor, low-vision, blind, deaf, and hard-of-hearing — not just blind users); and whether the platform's reporting maps onto the regulator-facing artifact your compliance team needs (VPAT/ACR, EN 301 549 conformance report, accessibility statement). Not all of them do.
One FI-specific note on governance: the monitoring layer needs to live inside whatever change-management process your bank or licensed fintech already runs for production changes. If your release process gates on a security-team sign-off, an accessibility gate sits in the same place — typically as a CI check on the deploy pipeline plus a quarterly review in the same forum that handles SOC 2, PCI-DSS, and ISO 27001 evidence. Treating accessibility as a separate compliance silo is how it falls off; treating it as one more risk-and-controls item alongside the ones your team already runs is how it sticks.
FAQ
The questions FI engineering and compliance teams ask before they buy in.
Are banking apps in scope under the European Accessibility Act?
Yes. The EAA names "consumer banking services" explicitly in Article 2(2)(e), which covers retail current accounts, savings, personal loans, mortgages, and the digital channels through which they are delivered — websites, mobile apps, ATMs, and self-service terminals. Business-to-business banking sits largely outside the EAA scope, but any product an EU consumer can open and operate online is in. The microenterprise carve-out (under 10 staff AND under €2M turnover) realistically exempts no licensed bank in the EU.
Do PDF statements count as a "banking service" for accessibility purposes?
Yes, and this is one of the most-litigated surfaces in US ADA filings against banks. A monthly statement delivered as a tagged-incompatible PDF is functionally inaccessible to many screen-reader users — the EAA treats it as part of the in-scope service, and US courts have consistently found that statement delivery is integral to the banking relationship. Issue PDFs that are PDF/UA-conformant, and offer an HTML or CSV alternative for transaction history.
How does 2FA actually work for a screen-reader user?
It depends on the channel. SMS-OTP is broadly accessible but the timeout windows are aggressive — most banks ship a 30-60s expiry which fails WCAG 2.2.1 Timing Adjustable. Authenticator-app codes work well if the input accepts paste; they break when banks split the six digits across six separate inputs without correct aria-labelling. Hardware keys and passkeys are increasingly the most accessible option because the user-interaction primitive (touching a device, biometric prompt) is OS-native and well-announced — but a fallback for users without keys is mandatory.
Is there a financial-services-specific accessibility certification?
There is no banking-specific equivalent of EN 301 549 — the same standards apply as to any digital service. What is FI-specific is the regulator overlay: in the US, the CFPB and OCC have published guidance referencing accessibility under fair-banking obligations, and the EU's EAA enforcement is being run at member-state level through the same agencies that supervise consumer-banking conduct. Banks typically commission a VPAT/ACR against WCAG 2.2 AA and a parallel EN 301 549 conformance report.
What is the litigation exposure for an inaccessible mobile banking app?
In the US, mobile-banking apps are one of the densest filing surfaces under ADA Title III, with multiple major banks having settled class actions in the high six-figure to low seven-figure range. The DOJ has formally stated that public-accommodation services must be accessible, and the 11th and 9th Circuit positions on the "physical nexus" defence have weakened to the point that an online-only neobank is no safer than a traditional bank with branches. In the EU, EAA fines started being issued in 2026 in several member states.
Can a screen-reader user verify a transaction without sighted help?
They should be able to — and on a well-built banking product, they can. The minimum requirements are: the transaction-confirmation screen reads back amount, currency, recipient, and date as a coherent phrase; the confirm button is unambiguously labelled (not just "Confirm" but "Confirm transfer of $250 to Jane Doe"); the success state is announced via aria-live; and the resulting receipt is available as selectable text, not as an image. If any of those is missing, the user cannot independently verify what they just authorised — which is a fair-banking issue as well as an accessibility one.
How often should a bank or fintech audit its digital surfaces?
Automated scanning should run on every deploy. Continuous monitoring should run against production daily. Manual audits by testers with disabilities should be commissioned at least annually for steady-state products, and after every major release, replatform, or regulator-mandated change. Banks change frequently — a marketing landing flip on Tuesday, a 2FA tweak on Friday — and a once-a-year audit does not survive a single sprint.
Three next steps
Pick the one that matches where your team is today.
-
Run the scanner
A live free WCAG 2.2 scanner against any public URL. Powered by Qualibooth, opens in a new tab. Best place to start if you have no current baseline for your online-banking or marketing surfaces.
-
Read the monitoring buyer's guide
Our monitoring buyer's guide covers the platforms that handle scan-to-audit end-to-end — with the FI-specific criteria (CI integration, regulator-mapped reporting, real tester networks) that actually matter for banks and licensed fintechs.
-
Get an audit quote
Read our guide to commissioning a manual audit by testers with disabilities — what to ask for, what to budget for an FI engagement, and which platforms include a real tester network versus contracting it out.