SECTOR SPOTLIGHT: FinTech Compliance
SECTOR SPOTLIGHT is a monthly series on FinTechtris that explores a specific sector within the expansive FinTech space by defining its history, frameworks, business model, leading companies, and outlook.
Banks and credit unions are very familiar with the need for compliance. The financial services industry has a long history of regulation and government agencies in place to enforce consumer protections, reduce fraud, and ensure a stable financial ecosystem for all. Financial institutions have paid millions in regulatory penalties for the times they were out of compliance.
FinTech companies are the new kids on the block, bringing dynamic innovation and a “break things fast” mindset, which doesn’t mesh well with regulators and risk frameworks. Similar to many emerging banks from 30 years ago, fintechs have had to learn the hard way how to operate in an ambiguous, yet highly regulated space. As bank partnerships with FinTech companies increase and deepen, many fintechs have started to build robust compliance programs internally, while others seek vendor offerings that outsource compliance-as-a-service.
Let’s cast the spotlight on the less exciting, but very critical area of compliance in FinTech and what firms need to focus on when it comes to regulation and risk programs, and the outlook for compliance in 2020.
SUMMARY:
Areas of risk in financial services;
Key regulators and regulation;
FinTech demand in managing risk;
Trends and outlook in industry compliance.
This discussion is not meant as an exhaustive or complete discussion on all compliance needs for financial services companies, but it does speak to core components and considerations for fintechs starting out.
Compliance concerns within fintech
The regulation of FinTech is also that of banking — the majority of guidance and controls that traditional banks and credit unions follow are the same. The difference is that these established institutions have history, experience, and large teams focused on risk. For emerging FinTech companies starting out small, with teams prioritizing product and engineering, there is a lack of resources and knowledge in managing risk as an organization.
The general areas of risk in financial services are:
Reputational risk: as a financial institution or a fintech company, reputational risk exists in every new product launched. Both types of firms invest significant time and resources into building client relationships — having a critical mistake can quickly destroy trust. Reputational damage could have a cascading effect in the industry, affecting the revenue for additional products and the company’s viability as a whole.
Regulatory (or legal) risk: this is the most urgent and immediate concern for companies in financial services. The dynamic nature of innovative financial products makes it difficult for regulators and lawmakers to provide timely guidance and oversight. Proposals to modify current regulations for FinTech companies often take years to be reviewed, finalized, and approved. The premise is that fintechs who partner with banks are being monitored closely for compliance with regulatory standards through the partnership. For the financial institutions in these relationships, communicating and fostering a clear foundation of compliance is paramount in reducing risk.
Financial risk: The ramifications of non-compliance would directly impact an organization’s bottom line, share price, potential future earnings, ability to raise additional rounds of capital, and result in loss of investor and consumer confidence.
Business (unexpected and unforeseen) risks: In introducing something new, there’s always the risk of the unknown. Business models or product structures that are created by FinTech to drive innovation contrast with risk-averse banks and credit unions, who are accustomed to working in narrow regulatory environments. It’s not hard to imagine how these opposing forces could overlap and contribute to a significant risk management “blind spot.” Additionally, events outside of the control of the company (e.g. economic, political, social, etc.) can also force a FinTech to change its compliance focus.
Regulation of fintech companies
The core strength of FinTech in broadening access to financial services also increases the risk in its offerings — attracting a larger pool of customers makes it challenging to create and maintain guidelines. Here are a few key regulations in banking that impact FinTech:
Bank Secrecy Act (BSA) — aka the Currency and Foreign Transactions Reporting Act, requires financial institutions to assist the government in detecting and preventing money laundering. Key tasks are for companies to monitor and report cash purchases of negotiable instruments (e.g. money orders and cashier’s checks) with a monetary instrument report (MIS), or a currency transaction report (CTR) if the transactions exceed $10,000, and to report potential suspicious activity that can lead to criminal activities or terrorist financing;
US Patriot Act — Section 326 of the USA PATRIOT Act requires that financial institutions have customer identification programs in place and maintain related customer due diligence standards, referred to as “know your customer” (“KYC”); Title III of this act amended the BSA to require financial institutions to establish anti-money-laundering programs through internal policies, procedures, and controls, assigning compliance officers who provide continuous employee training, and test their programs through independent audits;
2012 Jumpstart Our Business Startups Act (JOBS Act) – The goal of the act is to facilitate easier funding for small businesses through crowdfunding by increasing the security of online monetary funding — these platforms must register with the SEC. The act placed ceilings on the amount an individual could offer based on their net worth. Regarding P2P (peer-to-peer) lending, if a lending platform partners with a bank, it is considered a third party and the bank holds the responsibility for regulatory compliance. However, if the lending platform sells loans as securities, it is subject to SEC oversight;
Payment Platforms – Multiple entities (e.g. states and the federal government, industry associations) possess the capability to regulate FinTech payment firms. The National Automated Clearing House Association (NACHA), which closely monitors standards for ACH, introduced a new Fintech Act in March 2019. Although the act is still to be approved, it would establish a FinTech Council within the Department of Treasury, and help reduce duplicate regulation with other departments;
Electronic Signatures in Global and National Commerce Act (E-Sign Act) – Starting in 2000, this outlined policies for signatures and e-documents both in the US and outside. Among the provisions of the act, companies must provide options for paper copies (if available), disclosures of e-documents, and how future electronic contact will be made with the consumer;
Truth in Lending Act (TILA) - In 1968 (implemented by Reg Z), consumer protection requirements for credit-card holders were enacted to protect and improve credit card disclosures, rate increases, payment allocations (in excess of the minimum payment), and a reasonable amount of time to make payments;
Savings Withdrawal Limits - As part of Regulation D, this limited individuals to 6 monthly withdrawals or transfers from a savings account. Customers that exceeded this monthly limit were given warnings by their bank, and eventually had their savings account converted to a checking account if the behavior didn’t change. In April 2020, the Federal Reserve discontinued this Reg D limit since bank reserves were sufficient in minimizing liquidity risk, and during the pandemic many customers were transacting from savings due to employment conditions;
Truth in Savings Act (TISA) - From Regulation DD, this helped the financial services industry build transparency in disclosing terms and conditions regarding interest and fees when giving out product information and when opening a new savings account. This level of disclosures would extend to all new account openings — similar protections already existed with consumer lending through the Truth in Lending Act;
Electronic Fund Transfer Act (EFTA) – The EFTA (or Regulation E) was established in 1979 to address the growing ability to move funds via phones, computers, and magnetic stripe credit cards. Reg E has become a critical protection under which consumers can challenge transaction errors within 45 days, and limit their liability if accounts or cards are compromised. All ATM, direct deposit, pay-by-phone, card activity, and electronic check negotiation fall under the EFTA.
There are other regulations focused on consumer protection, such as the Home Mortgage Disclosure Act (HMDA, passed in 1975 through Reg C), Equal Credit Opportunity Act (ECOA, passed in 1974 through Reg B), Fair Credit Reporting Act (FCRA, of 1970), and Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) (as part of the Dodd-Frank Wall Street Reform and Consumer Protection Act).
Regulatory oversight of fintech
The extensive list of regulations is then monitored by regulators, who play a critical role in protecting the financial ecosystem. In the U.S., the regulatory ecosystem is vastly complex, spanning multiple federal groups responsible for enforcement — many of these agencies and organizations are now expanding their reach to include FinTech companies. To help navigate this environment, governing bodies have released communication recently as guidance for fintechs:
The Federal Reserve – Not all banks have released documents on Fintech, but the Federal Reserve Bank of San Francisco provides direct advisory support for Fintech companies and financial institutions;
Office of the Comptroller of the Currency (OCC) – Published a white paper on Fintech innovation in 2016;
Federal Deposit Insurance Corporation (FDIC) – FDIC held a conference on Fintech and the Future of Banking (in 2019);
Financial Stability Oversight Council (FSOC) – FSOC addressed the growing Fintech industry and the security threats that accompany it (in a 2018 Annual Report);
US Securities and Exchange Commission (SEC) – Over the last few years, the SEC has hosted several forums on Fintech as part of its Fintech Hub initiative, including a forum on distributed ledger technology (DLT) and digital assets (in 2019);
Commodity Futures Trading Commission (CFTC) – CFTC hosted its first conference regarding Fintech (in Fall 2018), which covered topics such as crypto assets, cloud technologies, and emerging financial technology. [these Fintech Forward conference webcasts are freely available];
Financial Crimes Enforcement Network (FinCEN) – In May 2019, FinCEN announced the Innovation Hours Program to discuss innovative products within RegTech (regulation technology) for anti-money laundering;
Office of Foreign Assets Control (OFAC) – hasn’t published an open document on the industry, but all companies considering international operations or activity should be aware of its policies with specific countries;
Consumer Financial Protection Bureau (CFPB) – launched the Office of Innovation to discuss regulation in the Fintech industry (back in 2018);
Federal Housing Authority (FHA) – U.S. Department of Treasury issued a comprehensive report on Fintech outside traditional financial institutions discussing FHA’s adoption of Fintech innovation.
Added to this mix are state-by-state requirements, which also influence the financial services activity that fintech companies can have.
The compliance challenge for fintech
So far we’ve covered the areas of risk, and the impact of regulators and regulation in financial services — but what is THE path to follow here for fintechs? What’s required from the beginning to ensure ongoing compliance?
For these emerging companies, launching something new without being certain of policies to follow is extraordinarily complex. Two separate firms can be providing the same type of service and product, but operate differently when it comes to collecting user information and facilitating funds movement. These nuances are critical in determining whether a FinTech should obtain registrations or licensing at the federal or state level, such as:
MSB Registrations — digital wallets, mobile payment systems, and peer-to-peer transfer systems are typically considered money service businesses (MSBs); they are subject to the Bank Secrecy Act’s reporting and compliance requirements. Specifically, MSBs must: (1) register with the Treasury Department; (2) develop an AML program; (3) file Currency Transaction Reports; and (4) file Suspicious Activity Reports (SARs) when the company suspects a transaction may involve money laundering;
Money Transmitter Licenses (MTLs) — Any business performing money transmission is subject to money transmitter license requirements, which vary state by state. In California, money transmission means any of the following: “selling/issuing payment instruments OR stored value, and/or receiving money for transmission.” The process for obtaining coverage in each state is lengthy and costly, with certain states being less restrictive than others;
Offerings through Reg A — As an exemption to the Securities Act, companies utilizing Reg A to offer securities (or alternative investments) must follow less stringent reporting requirements and are capped at $50M for a one-year period. State and federal jurisdiction still applies under the Securities Act. There are similar frameworks for private placements and smaller companies (Reg D) that minimize the complexity to file with the SEC. FinTech companies with new security offerings must ensure proper registration and adherence to these requirements before launch;
BitLicense - specifically for virtual currency (cryptocurrency) activities; issued by the New York State Department of Financial Services (NYSDFS) for companies with activities involving the state of New York or New York residents (living, having a company, or doing business in NY).
Until there is a movement towards uniformity in regulatory guidelines in FinTech, companies will continue to take a case-by-case look at specific services they offer and how they’re providing these services to their users. Besides making sure that they adhere to industry guidelines and obtain proper registration and licensing, there are general considerations fintechs should have as best practices for compliance:
AML programs starting Day 1: FinTechs need fully operational AML programs as soon as they start offering financial services — since startups often start small but move fast, there may be a gap which increases the risk of unmonitored transaction activity. This leaves exposure to regulatory enforcement actions;
Rapidly growing fintechs should ensure scaled growth of their compliance program: With an operational program in place, the company must confirm it keeps pace with growth of financial activity. KYC controls are a critical concern here as an initial customer base may scale quickly to a diverse assortment of users with new requirements. A higher volume of customers also increases the need for more transaction reporting and dispute processing, which can carry penalties if not processed in a timely manner.
Non-identified payments should not be allowed for any transaction or amount. Conducting KYC review on all users is an industry best practice, no matter the size of the transaction. This helps reduce funds from illicit activities entering the financial system, which can lead to criminal or terrorist financing. When multiple payments are layered, criminals have a way to finance attacks on others. Regulators would be quick to take action on companies that allow illegal activity due to poor KYC controls and monitoring.
Peer-to-peer lending companies should implement fully operational AML programs. On a similar note, peer-to-peer lending companies should ensure robust AML programs to avoid lending that finances criminal activity. Having this standard in place would help avoid potential reputational risk for lenders providing a loan that leads to violent crimes.
The demand for compliance-as-a-service through regtech
Between the mix of agencies, regulations, and program requirements, launching and maintaining a solid compliance program is difficult for emerging startups in FinTech. These firms may have the best intentions of following best practices, but have poor execution due to lack of resources.
The solution is RegTech (regulatory technology), a sector which focuses on optimizing and ensuring the highest levels of compliance in the industry through 3rd party partners. RegTech firms advise on critical risk areas and provide guidance to keep fintechs from harm’s way as they deliver new products or experiences in financial services. There are five broad categories (and various subsets) that RegTech companies are responsible for leading:
Compliance:
Regulatory watch and online library - platforms showcase upcoming and current regulations, and notify users on relevancy to their company;
Compliance project management - provides tools for fintechs to plan the activities, prepare resources, and respond promptly to new regulatory guidelines;
Compliance health check - shows companies their current level of regulatory compliance through a real-time dashboard;
Web due diligence and security - specialized focus on privacy and data security management through artificial intelligence (AI) and machine learning, in order to minimize data compromise and increase fraud detection;
Identity:
Identity management - KYC tools for onboarding new clients;
Identity controls - continuous checkpoints on existing customers with high-profile relationships such as politically exposed persons (PEP) and key business relationships regarding anti-money laundering activity;
Risk Management:
Scenario modeling and forecasting - enables the use of data to fulfill regulatory tasks such as stress tests;
Risk assessment - determines current risk exposures and asset qualities, which can help calculate various regulatory requirements such as capital or liquidity ratios;
Risk reporting - enables faster and more efficient reporting of risk issues;
Transaction Monitoring:
Transaction monitoring and auditing system - enables fintech companies to scan all customer transactions and respond to suspicious activity on a timely basis;
Regulatory reporting:
Regulatory reporting - automates critical components of regulatory reporting requirements.
RegTech firms have helped fintechs navigate the complexities of the US regulatory environment and potential complaints or inquiries from governing bodies. In a separate ‘Sector Spotlight’, we’ll explore in detail the top RegTech companies and the specific value each provides in the industry.
Once fintechs grow and scale, they can readily create and maintain their own in-house compliance team of analysts / officers to provide guidance and advise on risk implications of products in their roadmap.
The next decade of compliance
Multiple articles and books can be written about financial services regulation in the US and the challenges it presents for financial innovation. There is overlap between agencies on enforcement, as well as different perspectives on proper governing authority. Ultimately, the government sector as a whole needs to evaluate a simpler, transparent framework that achieves a healthy financial ecosystem AND allows for new companies and products to participate. We’ve seen such pro-FinTech initiatives in other countries through the development of regulatory sandboxes and legislation promoting open banking.
As advanced as the US is in financial services, the country is still considered a laggard in financial innovation. The decade of 2020 should be a time for open development and collaboration between organizations and agencies (both at the federal and state level) to come together and make it easier for industry growth.