Over the last few years, financial technology, commonly referred to as FinTech, has been used to describe a multitude of firms, activities, and capabilities for financial services. Some have posited that the firms representing FinTech are unregulated and in need of significant limitations akin to those restricting traditional providers of financial services. In fact, they are regulated and have a number of state and federal restrictions to which they are subject, depending on their activities.
This article identifies three of the biggest legal and regulatory challenges that FinTech firms encounter in financial services. The first is the overall regulatory landscape for consumer financial services providers—a challenge in and of itself. Second, and in many ways connected to the consumer financial services landscape, is third-party relationships and vendor management. The third key challenge is compliance with the Bank Secrecy Act and anti-money laundering rules.
Challenge #1: The Consumer Financial Services Landscape
Whenever an institution is dealing with a consumer, directly or indirectly, there are increased risks, sensitivities, and unknowns to consider. Moreover, these considerations have been brought to the fore in the wake of the financial crisis in 2008 and the enactment of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (the Dodd-Frank Act). As we know, the Dodd-Frank Act created, among other things, a new federal agency with a strict consumer protection mandate, the Consumer Financial Protection Bureau (CFPB). Since its establishment, the CFPB has been relentless in its mission of enforcing the consumer financial services laws of the United States in a new and meaningful way. So, why is the consumer financial services landscape so important to FinTech firms?
First, the CFPB has made it clear that any person that provides financial services to a consumer, directly or indirectly, will be subject to their jurisdiction. In addition, as the CFPB and other regulators in the banking context have made clear, the service providers to financial services firms may be subject to the jurisdiction of the CFPB. This broad scope of jurisdiction means that FinTech providers must pay attention to what the CFPB is saying and doing. For example, the CFPB has recently issued proposed rules that focus on the small dollar lending market, an area of the lending market where FinTech has expanded.
Second, the consumer financial services landscape is important because, unlike many other areas of banking and financial institution law, the consumer financial services laws apply based on the products or services being offered, not on the kind of institution providing such products or services. This means that the activities are key to determining what laws apply in consumer financial services. For example, a disruptive online lending platform providing loans directly to consumers will still have obligations to comply with very traditional lending laws, such as the Truth in Lending Act, anti-discrimination laws, and unfair and deceptive acts or practices statutes, as well as a multitude of state-specific licensing or registration requirements.
Challenge #2: Third-Party Relationships and Vendor Risk Management
Third-party relationships have taken a front row seat lately with banking regulators and the CFPB especially. The Federal Reserve, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the CFPB have all released new or updated guidance over the last few years related to third-party relationships and vendor risk management (some of which predate the Dodd-Frank Act). Perhaps most comprehensive is the Office of the Comptroller of the Currency’s 2013 Risk Management Guidance on Third-Party Relationships.
In this guidance, the OCC not only describes best practices for risk management, but also identifies relevant modifications that may be necessary to the contractual relationship between the bank and its vendor. Such contractual modifications have been resisted by many vendors due to the potentially onerous nature of certain suggested provisions, such as provisions regarding compliance, internal controls, and regular audits of the vendor. However, the regulatory community views the significant third-party relationships as an outgrowth of the actual provider of financial services, such as the bank or mortgage company. Regulators therefore view the risks to consumers, and potentially the institution itself, as significant. This is where the rubber meets the road for FinTech firms partnering with banks and other financial services providers.
Going forward, FinTech firms have been, and will continue to be, subject to potentially onerous requirements in order to engage in a meaningful way with traditional providers of financial services to consumers. It is critical that FinTech firms and their counsel understand the contractual expectations that bank and non-bank regulators have to define the contours, limitations, and compliance related to these partnerships.
Challenge #3: Bank Secrecy Act and Anti-Money Laundering Compliance
The third challenge for FinTech firms is just as significant as the first and second challenges. Compliance with the Bank Secrecy Act and anti-money laundering (together referred to as BSA/AML) laws and regulations is significant because of the risks of getting it wrong. Such risks carry significant financial and reputational risks. Further, these risks may be heightened for firms operating largely in an electronic environment, such as FinTech, where some customers are intentionally using digital currency or other methods of transacting business electronically in a way that provides partial or even complete anonymity and an increased velocity of transactions.
In addition to current challenges of BSA/AML compliance in transacting business electronically, FinTech firms will find that the obligations on BSA/AML compliance will only increase. For example, there are already new obligations to understand the beneficial owners and control persons of certain customers, which banks and other financial institutions are facing as full implementation of those new rules is less than two years away now. Moreover, state and federal regulatory agencies appear to be reviewing BSA/AML compliance for broader sets of activities and exposures when examining their regulated entities as well as those entities’ vendors. There are even efforts underway to consider the imposition of personal liability for compliance failures in BSA/AML compliance.
As we can see from this brief synopsis of just three legal challenges facing FinTech firms in financial services, the thought that FinTech firms are somehow unregulated market participants is simply not true. It may be that some of these firms are less regulated than others, but that is more a function of the specific activities being conducted. In addition to the areas of law discussed above, FinTech firms also need to be aware of the evolving landscape of laws affecting data security, privacy, cybersecurity, payments systems, and electronic transactions. Each of these areas will subject FinTech to a broader range of regulation and compliance obligations in the near future, so stay tuned.