Today, you can snap a photo of a check and deposit it without ever leaving your couch, making banking and investing more convenient than ever. This revolution is largely thanks to the rise of Financial Technology or Fintech. Fintech’s impact reaches beyond ordinary people, allowing companies to improve operational efficiency and customer convenience. With this new technology comes a greater responsibility to protect consumers’ financial and personal information by keeping up-to-date on Fintech compliance regulations.
Are you a financial institution or startup trying to achieve Fintech compliance? Read on to find out how to comply with the rules and regulations.
What is Fintech?
The debate is ongoing as to whether Fintech is an entirely new industry – or simply a natural progression of the financial industry. In either case, experts can agree that Fintech generally refers to “companies or services that use technology to provide financial services to businesses or consumers.” Cryptocurrency, Venmo (the money transferring app popular with Millenials), and PayPal are all examples of Fintech in action. The Internet, financial operations software, cloud technology, and portable devices serve as the base for the Fintech revolution.
Blockchain vs DLT
In order to capitalize on the Fintech boom, it’s necessary to understand the underlying technology, such as blockchain and distributed ledger technology (DLT). Most people have heard of blockchain in some form but few truly understand it. Consequently, terms have become confused and inaccurate comparisons have occurred. One building block of Fintech is distributed ledger technology (DLT).
A DLT is a database that exists across several locations or among multiple participants versus a centralized fixed database.
DLT allows for decentralized processing, validation, and authentication. The decentralized characteristic allows all participants (on the business side) to view the records, which receive timestamps and cryptographic keys. In other words, it combines broader accessibility with security.
Blockchain is a type of DLT. By definition, blockchain is a shared database filled with entries that must be confirmed and encrypted. The “chain” aspect refers to the nature of the blockchain process – each new document is linked to its predecessor by a logical association. Between each block “link”, a cryptographic hash occurs. Blockchains are decentralized like all DLTs, but they use a sequential form of linking transaction histories. Blockchain is particularly useful for cryptocurrency transactions. Unlike the information “blocks”, DLTs can be in any form but they must be distributed in some manner, either over multiple sites, regions, or participants. A blockchain is a DLT but not all DLTs follow the blockchain structure. The incorporation of DLT and blockchain into Fintech improves consumer trust in transactions while saving companies money and time.
As noted above, Fintech transcends typical industry barriers because of its multilateral usefulness. In addition to banks, insurance companies, and stockbrokers, Fintech offers new opportunities for financial management companies, clothing companies, and even food companies. Below are three of the emerging uses for Fintech.
1. Consumer Control – A 2016 report by Prosper found that Fintech applications improve consumer control over finances. Among the popular apps are BillGuard, Prosper, Mint, and CreditKarma. The apps available offer a range of services at minimal cost — everything from financial management tools to lending services to credit monitoring services. So what does this mean for your company? Consumers want easy access for accessing documents and making account modifications. Incorporating Fintech into operations provides the opportunity to improve customer satisfaction and potentially gain more customers.
2. SaaS – Fintech offers opportunities beyond consumer service. Selling Fintech software (SaaS) has become increasingly prosperous, according to a 2018 S&P Global report. Traditional banks serve as the major customer for SaaS Fintech mainly because those banks need to reach the younger generation. Realizing this, banks increasingly seek out the latest technology, whether it be price comparison tech or fraud alert systems. For example, Capital One recently released Eno, a fraud alert “companion”.
3. Startups – Fintech startups are also garnering a lot of attention, particularly in regard to the “InsuraTech” movement. S&P Global reported that as of December 2018, USD 1.8 billion in capital flowed into the insuratech sector. Investopedia loosely defines insuratech as the use of technology innovations designed to squeeze out savings and efficiency from the current insurance industry model.
The benefit of insuratech lies in a greater ability to customize policies and to use technology to determine adequate premiums. Some car insurance providers now promote their ability to monitor the speed of a customer’s car and then offer them discounts for safe driving. Moreover, Fintech enables the “grassroots movement” form of financing (e.g., GoFundMe and microloan companies).
Regulating Fintech is a balancing act between making sure safety procedures are followed but not inhibiting the growth of the sector. Many of the traditional financial oversight bodies are extending their jurisdiction to include Fintech companies and procedures. The major oversight bodies include:
- The Federal Reserve – Not all banks have released documents on Fintech, but the Federal Reserve Bank of San Francisco provides support for Fintech companies and financial institutions.
- Office of the Comptroller of the Currency (OCC) – Published a white paper on Fintech innovation in 2016
- Federal Deposit Insurance Corporation (FDIC) – In spring 2019, the FDIC held a conference on Fintech and the Future of Banking.
- Financial Stability Oversight Council (FSOC) – In a 2018 Annual Report, FSOC briefly addressed the growing Fintech industry and the security threats that accompany it.
- US Securities and Exchange Commission (SEC) – Over the last few years, the SEC has hosted several forums on Fintech as part of its Fintech Hub initiative. In May 2019, the SEC hosted a formum on DTL technology and digital assets.
- Commodity Futures Trading Commission (CFTC) – In fall 2018, the CFTC hosted its first conference regarding Fintech. The Fintech Forward conference covered topics such as crypto assets, cloud technologies, and emerging financial technology. The Fintech Forward conference webcasts are available freely online.
- Financial Crimes Enforcement Network (FinCEN) – In May 2019, FinCEN announced its Innovation Hours Program which focuses on innovative products within the Fintech and Regtech sectors to counter AML.
- Office of Foreign Assets Control (OFAC) – The OFAC has yet to publish a stand-alone document on Fintech, but if your business conducts business outside the USA, it would be wise to contact a compliance professional.
- Consumer Financial Protection Bureau (CFPB) – In 2018, the CFPB launched the Office of Innovation to help dialogue about regulation in the Fintech industry.
- Federal Housing Authority (FHA) – Although it may seem like an odd regulatory body, the FHA has some jurisdiction over Fintech because of mortgages. For example, FHA now accepts digital signatures and has shifted toward storing digital files. The U.S. Department of Treasury released a comprehensive report on Fintech outside traditional financial institutions, which details the FHA’s adoption of Fintech innovation.
One of the challenges in regulating Fintech comes from the peer-to-peer (P2P) nature of many transactions. Since Fintech expands the pool of financial participants (unlike a few traditional banking/financial companies), developing realistic and enforceable guidelines is difficult. Currently, Fintech regulations are in a piecemeal fashion, and the burden for determining/researching what rules apply fall largely on companies, that is until a citation is given. Although not comprehensive, below are a few key regulations to consider if you are in the Fintech business.
2012 Jumpstart Our Business Startups Act (JOBS Act) – The JOBS Act established an internet-based intermediary in order to increase the security of online monetary funding. The goal of the act is to facilitate easier funding for small businesses through crowdfunding. Consequently, it requires all such platforms to register with the SEC. The act placed ceilings on the amount an individual could offer based on their net worth. With regard to P2P lending, if a lending platform partners with a bank, it is considered a third-party and the bank holds the responsibility of regulations. However, if the lending platform sells loans as securities, it is subject to SEC oversight. The JOBS Act provides more confidence in innovative lending methods, many of which grew out of the Fintech revolution.
Payment Platforms – States, the federal government, and industry associations possess the power to regulate Fintech payment platforms. This makes compliance difficult as there are not one or two central rules to follow. The National Automated Clearing House Association (Nacha), which develops rules and standards for the payment industry, introduced a new Fintech Act to the House of Representatives during March of 2019. Although the act is still in the early stages, it focuses on establishing a Fintech Council within the Department of Treasury, creating “innovation” offices within other financial departments, and reducing duplicate regulations.
Electronic Signatures in Global and National Commerce Act (E-Sign Act) – Went into effect in 2000 and outlined policies for signatures and e-documents both in the US and outside. Among the provisions of the act, companies must detail options for paper copies (if available), any disclosures of e-documents, how future electronic contact will be made with the consumer, and how consumers can submit a request for hard copies of documents. With Fintech, consumers may prefer paperless bills or documents, but sometimes, hard copies are necessary or helpful. Financial companies should strive for transparency in how to request documents like electronic transaction records.
Electronic Fund Transfer Act (EFTA) – The EFTA, also called Regulation E, was established in 1979 to address the growing popularity of phones, computers, and magnetic strip credit cards. Since then, technology has progressed significantly and, the EFTA has taken on new meaning. Under the EFTA, consumers have the right to challenge transaction errors within 45 days. EFTA also highlights how customers can limit liability if their accounts or cards are jeopardized. ATM, direct deposits, pay-by-phone, Internet services, debit card activity, and electronic check conversions fall under the protection of the EFTA.
Again, the problem lies in that Fintech spans many industries and thus acquires pertains to certain regulations from each industry. Consequently, the above regulations are only the tip of the iceberg. For a more comprehensive explanation of the Fintech regulation landscape, check out BBVA’s Fintech regulation: trends for a new era.
Fintech Best Practices
As Fintech grows, more industry overlap and partnerships will likely occur. Consequently, it’s important to understand how your company can adapt and comply with Fintech regulations. The decentralization of Fintech increases the difficulty of reducing risks and identifying the relevant regulations. Thomson Reuters recommends 5 best-practices when it comes to entering the world of Fintech:
1. Keep abreast of digital-only banking
Some banks are turning solely to an online presence. While the OCC is considering how to regulate this changing banking environment, online-only Fintech companies should proactively develop a consumer interaction policy as well as a security policy. Likewise, emerging online-only Fintech companies should seek FDIC charters to gain more confidence both by industry partners and with consumers.
2. Develop an AML policy
Just like regular banks, Fintech companies must incorporate anti-money laundering (AML) into security procedures. This also extends to the software. If considering the acquisition of a Fintech company, first check to see if there are already AML checks in place. If not, it is vital to implement such checks before rolling out any Fintech platforms. Digital currency is particularly vulnerable to AML as it allows for anonymous and cross-border transactions. To combat digital currency AML, some countries now track device identifiers and digital wallet addresses. Two major Fintech AML fighters include blockchain and machine learning (i.e., algorithms that can detect subtle irregularities). Notably, not implementing an adequate AML plan can result in hefty fines.
3. Consumer awareness
The Consumer Financial Protection Bureau (CFPB) has shifted more attention to Fintech in the last few years. Fintech companies, particularly lenders, must ensure standard CFPB standards are carried over into Fintech operations. For example, lending Fintech companies must ensure customers are given opportunities to improve their credit or be considered for loans at reduced rates. The CFPB provides a free, complete list of the Code of Federal Regulations that will help identify which regulations apply to your company’s operations. Although the list does not specifically mention Fintech, the CFPB can still fine Fintech companies as they fall under financial institutional purview.
4. Know Your Customer (KYC) Compliance
KYC applies to Fintech. This means Dodd-Frank reforms, Fair and Accurate Credit Transactions Act (FACTA), and the Customer Due Diligence Final Rule apply. The regulations address onboarding digital customers and identifying who really operates a bank account. KYC goes hand in hand with AML, as the goal is to mitigate fraud by better monitoring customer activity. For example, under KYC regulations companies must flag suspicious activity. KYC technology is necessary for both big and small financial institutions. Experts have noted with increased scrutiny (since the 2008 financial crash) more money laundering has occurred through smaller, regional banks. To better understand how a KYC plan can benefit your company, check out Medium’s KYC Fintech guide.
5. Look to the future
Fintech is by no means stagnant; it continues to evolve and expand at a rapid rate. Likewise, regulations continue to change. It is absolutely vital that companies dialogue with regulators and industry experts to stay abreast of changing standards or to help in the process of creating new standards.
PCI and Fintech
PCI DSS focuses on helping payment card companies institute system safeguards and helping those vendors develop internal security standards. PCI DSS centers on a three-step process: assess, report, and remediate. The goals of PCI DSS carry over into the Fintech industry through the following practices:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
How exactly does this apply to Fintech? First, for traditional banking companies looking to expand into Fintech, the software offers the chance to improve the strength of PCI DSS compliance. For example, Fintech can help tremendously in securing cardholder data in the form of Public Key Infrastructure (PKI) and digital certificates. Second, for online-only Fintech companies, PCI DSS standards must be applied. The PCI Security Standards Council provides a PCI DSS Quick Reference Guide. Yet, it falls on the financial institutions to determine to what extent the guidelines apply or if they are applicable to the Fintech in use. To determine the best approach to reconciling Fintech and the PCI standards, consider the following question: Is your company seeking to incorporate Fintech into other operations or is your business solely as a Fintech company?
The scope of Fintech is astounding. The current regulations for Fintech are not at all clear, and this can make Fintech compliance seem daunting. While the OCC is developing new guidelines for the Fintech industry, the existing financial regulations apply. The Financial Services Innovation Act, proposed in 2016, and the OCC’s push for Fintech charter policies are just a few of the recommendations currently under review. In the meantime, the decentralized pool of regulations makes it difficult for financial institutions to ensure compliance. If you need help navigating the decentralized pool of Fintech regulations, contact RSI Security today.
Download Our Guide to Payment Data Security for Fintech Companies Whitepaper
Fintech (Financial Technology) companies that process payments or handle sensitive financial customer data can – and should – take steps to secure critical systems and information. Learn everything you need to know in this whitepaper. Upon filling out this brief form you will receive the whitepaper via email.