For over a decade, financial firms have been collaborating with financial technology (fintech) companies on an array of products and services. The explosive growth of these collaborations has resulted in massive investments. As of Q3'19, these collaborations raised $24.6B. The growing use of fintech may be attributable to: (1) ongoing innovation, (2) more options and benefits for consumers, and (3) enhanced operational capabilities and efficiencies for financial institutions. Financial firms can use fintechs in place of outdated legacy models to deliver financial services to consumers. Tech-savvy consumers have access to services (often on their smartphones) that enable them to conduct trades, pay bills, and manage their funds. Start-up fintechs can leverage the name, resources, and access to well-established financial firms to deliver their technology products and services to a growing consumer pool.
Although these collaborations appear to be a win-win situation for all parties, growing risks have prompted greater regulatory focus, not to mention the need for better-defined compliance frameworks to manage risks.
For years, there was little to no oversight of fintech collaborations. The evolving and innovative nature of fintechs created the perfect environment for unknown or undetected compliance risks. Financial regulators were unfamiliar with these products and, as a result, unsure about how to regulate them. Requirements were murky at best, leaving the financial industry vulnerable to fraud, money laundering, terrorist financing, cybercrime, and other illegal activity.
More Focus, More Regulation
The “limited oversight” approach proved to be unsustainable as the growth and complexity of fintech partnerships triggered unique legal, regulatory, reputational, and other risks. In response, financial services regulators are stepping up their efforts to ensure better and more specific oversight of fintechs.
In the United States, regulators are incorporating fintechs into enforcement and rulemaking actions involving: (1) consumer protection laws; (2) licensing requirements; (3) anti-money laundering and know-your-customer rules and regulations; (4) privacy and data security regulations; (5) cybersecurity regulations; and (6) special considerations involving Blockchain and cryptocurrency.
As this is happening, regulators are trying to strike the right balance between promoting innovation and regulating these efforts properly. At the federal level, the Consumer Financial Protection Bureau (CFPB) has launched its Innovation Office that houses various resources, including a Compliance Assistance Sandbox, to help companies test innovative products and services for a limited period while sharing data with the CFPB. The CFPB has also launched the American Consumer Financial Innovation Network (ACFIN), a partnership with multiple state regulators to serve as a network that will help enhance coordination among federal and state regulators to facilitate financial innovation.
States are also getting into the act. Arizona’s fintech sandbox was the first state sandbox that allows participants to test-drive their products, under regulatory supervision temporarily. Other states such as Wyoming, Utah, and Nevada are following Arizona’s lead with similar models.
Growing regulatory focus at both the federal and state level is creating the potential for a patchwork of state and federal requirements. This potential outcome is further complicated by global regulations in that fintech arrangements often facilitate access to a global consumer base. With access comes the application of complex and often restrictive laws, such as the European Union’s General Data Protection Regulations (GDPR). Additionally, various countries around the world are assessing current requirements to ensure they adequately manage the risks posed by fintechs. The Global Financial Innovation Network (GFIN) has emerged as an international effort for collaboration by regulators and numerous U.S. federal and state regulatory agencies, including the CFPB and the New York Department of Financial Services.
So, what should fintech collaborations do? In response, these collaborations should have a practical and documented plan to establish and maintain a strong compliance program to manage risks and to prepare for expanded regulatory scrutiny. Begin with the following preliminary steps: (1) know the current regulatory environment and applicable requirements at the state, federal, and international levels; (2) document current controls (no one needs to begin with a blank slate); and (3) identify risks (by priority) for engaging in these collaborations.
The next step should be to launch efforts to establish and maintain effective compliance controls. A sample framework for a fintech compliance program can include: (1) a dedicated compliance program administrator; (2) risk assessments to identify and address risks; (3) policies and procedures; (4) oversight measures to periodically assess the effectiveness of program controls; (5) maintenance of program controls through ongoing monitoring of regulatory and internal developments; (6) third-party management; (7) delivery of training; (8) recordkeeping requirements; (9) an escalation process for reporting violations; and (10) periodic reporting on the program. Feel free to make adjustments based on your needs and requirements, but do not procrastinate critical measures, and plan for what cannot be done immediately.
Make sure to factor in special considerations for a fintech compliance program, such as: (1) controls around how personal information is collected, managed, stored, and handled in any other way; (2) AML/CFT and KYC controls to help flag, address, and manage money laundering and suspicious activities as well as maintain customer due diligence protocols; (3) information security controls to manage breaches of company information to ensure a timely and effective response.
Some final considerations revolve around who must be involved. It is critical to engage legal, compliance, and risk personnel early and throughout the planning and implementation of fintech collaborations and compliance programs. Separately, regular presentations should be made to educate and inform boards and management on the fintech compliance program, as well as existing and emerging fintech-related issues and challenges. Management and the governing authority of the company must be knowledgeable about risks to make well-informed decisions.
Fintechs are no longer market disrupters and are here to stay as integral players in the financial services sector. However, their success cannot be sustained without the responsible delivery of products and services, which is why fintech compliance must be an integral part of any collaboration. Effective compliance requires, at a minimum, knowledge of fintech regulatory requirements and issues. It also requires a documented and effective compliance program to help identify, manage, and possibly prevent regulatory, reputational, and unforeseen risks. Anything less could have an immediate or long-term impact on the fintech’s credibility, bottom line, and ultimately its business viability.