Fintech Compliance Regulations: Tips For Effective Risk Management
The entry of fintech into financial services has brought many innovative products and services to the market, but it has also brought challenges for fintech firms themselves. While banks and credit unions have a long history of regulation, fast-growing fintech companies are still learning how to operate in a highly regulated space. This is especially difficult for small fintech startups that prioritize product and engineering: they often lack the resources and knowledge to manage risk and to meet the many fintech compliance requirements needed to avoid penalties from various regulators.
In fact, as fintechs act more and more like banks, they become subject to more or less the same regulations. On top of that, they face three additional challenges:
- The core advantages of fintech, broader access to financial services and quick integration of new technologies into financial products, also raise the risk of failure: a larger and faster-growing customer base is harder to monitor against the many applicable guidelines;
- As the future of fintech is widely associated with deeper integration of new technologies into traditional banking services and closer bank-fintech partnerships, new players attract more attention from both authorities and malicious third parties. Fintech companies therefore need to adopt a strong compliance culture quickly.
- The US regulatory landscape for fintech operations is complex, as there is no fintech-specific regulation in the country. Fintech businesses must register with and meet the obligations of one or (more likely) several regulatory bodies, and they are subject to regulation at both the federal and the state level.
Compliance should therefore be a top-level priority for any fintech business. Because every business is subject to its own set of regulatory requirements, many fintech players build their own compliance programs or turn to established regtech (regulatory technology) companies.
In this article, we shed light on the core components of fintech compliance and on best practices for operating successfully in the financial services industry. We draw mostly on our own expertise: the Surf team has extensive experience working with fintech companies that need to monitor compliance with financial industry guidelines on a daily basis.
Areas of risks in financial services
The main risks in the financial services area that have direct implications on fintech are the following:
- Reputational risk.
Reputational risk accompanies every new product launched by a financial institution or a fintech firm. Both invest significant time and resources into building client relationships, and even a small mistake can shatter users' trust and loyalty. Reputational damage can also hit the revenue of other products and the company's viability in the market.
- Regulatory risk.
New technologies are disrupting the financial services market at such a pace that regulatory bodies often cannot provide new guidelines and oversight in time; reviewing, finalizing and approving new fintech standards or adjustments to existing rules often takes years. At the same time, fintechs that partner with banks are monitored closely for compliance through the partnership, since the bank remains accountable to its own regulators. For financial institutions in such relationships, communicating and fostering a clear foundation of compliance is paramount in reducing risk.
- Financial risk.
The consequences of non-compliance can directly affect an organization's revenue, share price, future profit and ability to raise additional capital, and can lead to a loss of investor and consumer confidence.
- Business risk.
Introducing something new always carries the risk of the unknown. Fintech business models are primarily aimed at driving innovation, while traditional banks and credit unions are accustomed to working within narrow regulatory boundaries. Where these opposing forces overlap, significant risk management "blind spots" can appear. Unexpected economic, political or social events can also trigger changes in financial technology regulation.
Key US regulations affecting fintech
A few key regulations affecting fintech companies are:
- US anti-money laundering (AML) regulations.
Fintech AML risks should always be properly managed. The two foundational AML statutes in the US are the Bank Secrecy Act (BSA) and the USA PATRIOT Act, which amended and extended the BSA:
- The BSA requires financial institutions to help the authorities detect and prevent money laundering. Under the act, companies must record cash purchases of monetary instruments (for example, money orders and cashier's checks) of $3,000 to $10,000 in a monetary instrument log (MIL), file a currency transaction report (CTR) when a customer's cash transactions in a business day exceed $10,000 in aggregate, and file a suspicious activity report (SAR) on activity that may indicate criminal activity or terrorist financing.
- The USA PATRIOT Act is another statute that shapes fintech standards: it requires financial institutions to introduce customer identification programs (CIP) and maintain related customer due diligence standards, together referred to as "know your customer" (KYC). The act also requires an anti-money-laundering program built on internal policies, procedures and controls, a designated compliance officer, continuous employee training, and independent testing of the program through audits.
- Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999.
This fintech compliance regulation requires all financial institutions to explain to their customers how their information is shared (the Privacy Rule) and to take measures to protect sensitive customer data (the Safeguards Rule).
- 2012 Jumpstart Our Business Startups Act (JOBS Act).
The JOBS Act requires crowdfunding platforms to register with the Securities and Exchange Commission (SEC) and to become members of the Financial Industry Regulatory Authority (FINRA), placing them under regulatory oversight. It also sets maximum fundraising amounts and disclosure requirements. In P2P (peer-to-peer) lending, a platform that partners with a bank acts as a third party, and the bank bears the regulatory responsibility.
- Fair Credit Reporting Act (FCRA).
The FCRA governs how information collected by consumer reporting agencies, such as credit bureaus, medical information companies and tenant screening services, is protected and used. Information in a consumer report cannot be provided to anyone who does not have a permissible purpose specified in the FCRA.
- Truth in Lending Act (TILA).
TILA is not only a financial regulation but also a de facto fintech standard. It contains consumer protection requirements for credit card holders covering credit card disclosures, rate increases, the allocation of payments above the minimum payment, and a reasonable amount of time to make payments.
- Securities Act and Exchange Act.
Initial Coin Offerings (ICOs) are popular among fintech firms, but no ICO-specific regulation has been developed. Instead, the precedent is the Howey Test, which determines whether a token is an investment contract and therefore a security. If the ICO meets the Howey criteria, it is subject to the Securities Act of 1933 and the Securities Exchange Act of 1934.
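The BSA reporting thresholds described under the AML item above are the part of this list that an engineering team actually has to implement in a transaction-monitoring pipeline. The following is an added example (not code from the original article or from Surf) showing how a CTR check and a monetary instrument log are derived from raw cash transactions. The `CashTransaction` type, the transaction kinds and the sample transactions are constructed for illustration; the thresholds ($3,000 to $10,000 for the log, more than $10,000 in aggregate per customer per business day for a CTR, with cash-in and cash-out summed separately) are the BSA rules, not assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# BSA thresholds (31 CFR 1010.311 and 1010.415). A CTR is due when a customer's cash
# in a business day EXCEEDS $10,000 in aggregate; exactly $10,000 does not trigger it.
CTR_THRESHOLD = Decimal("10000")
# Cash purchases of monetary instruments from $3,000 up to and including $10,000 are logged.
MIL_LOW = Decimal("3000")
MIL_HIGH = Decimal("10000")

# Transaction kinds are assumptions for this example.
CASH_IN_KINDS = {"cash_in", "instrument_purchase"}  # both bring cash into the institution
CASH_OUT_KINDS = {"cash_out"}


@dataclass(frozen=True)
class CashTransaction:
    txn_id: str
    customer_id: str
    business_day: date
    amount: Decimal
    kind: str  # "cash_in", "cash_out" or "instrument_purchase" (money order / cashier's check bought with cash)

    def direction(self) -> str:
        if self.kind in CASH_IN_KINDS:
            return "in"
        if self.kind in CASH_OUT_KINDS:
            return "out"
        raise ValueError(f"unknown transaction kind: {self.kind!r}")


def ctr_candidates(txns):
    """Aggregate cash by (customer, business day, direction) and return the keys whose
    total exceeds CTR_THRESHOLD, mapped to that total.

    Cash-in and cash-out are summed separately, so one customer can need two CTRs in a
    day. Because the check runs on the daily sum, several smaller transactions that
    together exceed the threshold are caught, not only a single large one.
    """
    totals = defaultdict(Decimal)
    for t in txns:
        if t.amount <= 0:
            raise ValueError(f"{t.txn_id}: amount must be positive")
        totals[(t.customer_id, t.business_day, t.direction())] += t.amount
    return {key: total for key, total in totals.items() if total > CTR_THRESHOLD}


def monetary_instrument_log(txns):
    """Return ids of cash purchases of monetary instruments in the $3,000-$10,000 band."""
    return [
        t.txn_id
        for t in txns
        if t.kind == "instrument_purchase" and MIL_LOW <= t.amount <= MIL_HIGH
    ]


# Constructed sample data: one business day for four hypothetical customers.
SAMPLE_TRANSACTIONS = [
    CashTransaction("t1", "cust-A", date(2024, 3, 4), Decimal("4000"), "cash_in"),
    CashTransaction("t2", "cust-A", date(2024, 3, 4), Decimal("3500"), "cash_in"),
    CashTransaction("t3", "cust-A", date(2024, 3, 4), Decimal("3000"), "cash_in"),   # A: 10,500 in -> CTR
    CashTransaction("t4", "cust-B", date(2024, 3, 4), Decimal("10000"), "cash_in"),  # exactly 10,000 -> no CTR
    CashTransaction("t5", "cust-C", date(2024, 3, 4), Decimal("6000"), "cash_out"),  # C: 6,000 out, 5,000 in,
    CashTransaction("t6", "cust-C", date(2024, 3, 4), Decimal("5000"), "cash_in"),   #    summed separately -> no CTR
    CashTransaction("t7", "cust-D", date(2024, 3, 4), Decimal("4500"), "instrument_purchase"),  # -> MIL entry
    CashTransaction("t8", "cust-A", date(2024, 3, 5), Decimal("2500"), "instrument_purchase"),  # below MIL band
]

if __name__ == "__main__":
    for (customer, day, direction), total in ctr_candidates(SAMPLE_TRANSACTIONS).items():
        print(f"CTR required: {customer} {day} cash-{direction} total {total}")
    print("MIL entries:", monetary_instrument_log(SAMPLE_TRANSACTIONS))
```

The two details practitioners most often get wrong are visible in the sample: the CTR test is strictly greater than $10,000, and aggregation is per customer per business day, so splitting a deposit into three smaller ones still produces a report. A real pipeline would key on the verified customer identity from the KYC program rather than on an account id, since the aggregation rule is about the person, not the account.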
Required fintech licenses explained
Whether you are about to launch a fintech app or are just researching the market before starting on a separate product, be certain which policies you must follow and which licenses you must obtain. Given the complexity of the US regulatory environment in this sphere, even a small nuance can determine whether a particular fintech project needs one registration or another. The main documents and registrations that may be required from fintech firms are:
- Money Services Business (MSB) registration with FinCEN is needed by firms that move or hold money on behalf of customers and are therefore exposed to AML risk and subject to the BSA's reporting and compliance rules: digital wallets, mobile payment systems, and peer-to-peer transfer systems.
- Money Transmitter License (MTL) should be obtained by any business performing money transmissions. In the United States, activities falling under this category vary state-by-state, and the process for obtaining coverage in each state is lengthy and costly, with certain states being less restrictive than others.
- Offerings under Reg A. Regulation A is an exemption from registration that allows companies to offer and sell securities, capped at $50 million in a 12-month period, without registering the offering with the SEC. Reg A offerings still go through SEC qualification and remain subject to the federal antifraud rules. Similar frameworks exist for private placements and smaller companies (Reg D). Fintech companies planning new securities offerings must ensure proper registration or a valid exemption, and adherence to these requirements, before launch.
- BitLicense is needed by firms that conduct virtual currency business activity involving New York or New York residents. The license is issued by the New York State Department of Financial Services (NYSDFS).
Four best fintech compliance and regulatory practices
AML scrutiny. In 2015, the Financial Crimes Enforcement Network (FinCEN) levied a $700,000 penalty against a digital currency operator for violating the BSA by failing to maintain an adequate AML program. If your company offers financial services, you should have a solid, scalable AML program from day one.
Keeping consumers in mind. Vigilance is important here, as many regulatory bodies pay particular attention to how consumer rights are respected. The Consumer Financial Protection Bureau (CFPB) investigates financial institutions that have reportedly violated consumer rights, and its reach extends not only to established financial institutions but to fintechs as well.
Know your customer. Operating in line with KYC should be a top priority for any fintech firm. Banks are putting more effort than ever before into rooting out fraud and shutting off terrorist financing, and fintechs should follow suit.
Plan ahead and be ready to scale up your compliance program. Fintech-specific regulation has still not been codified and keeps evolving in multiple directions as an extension of the guidelines for banks. Like banks, fintech companies should engage with regulators and stay up to date on the latest compliance developments so that consumers keep access to the most innovative digital financial services and products.
- Operating in the financial services industry raises multiple concerns companies should be aware of, including reputational, regulatory, financial, and business risks.
- The US regulatory environment is complex: multiple documents regulate the activities of fintechs that perform banking functions, while formalized guidelines exclusively for the fintech market have not yet been developed. Moreover, existing regulations apply at different levels (state and federal).
- The type of activity of a fintech firm determines the exact rules it must follow and the licenses it must obtain to keep operating (for example, the regulations for an electronic wallet and for a banking app differ).
- Pay special attention to your company's AML program and ensure that it is scalable and comprehensive.
- Respect for consumer rights should be at the center of your product development; specialized bodies monitor this treatment.
- KYC should be a top priority for any fintech firm in order to root out fraud.
- Planning your compliance strategy ahead is the key to success. Be ready to scale up your compliance program, as the set of rules in this area is constantly evolving.
The Surf team works closely with fintech projects, delivering industry expertise and best practices in fintech app development to our clients. We can also advise you on how to build a proper compliance program for a fintech project and integrate the necessary tools into your app: see how we integrated a mobile app for one of the top-15 European banks with the State Information System on State and Municipal Payments (GIS GMP) and with KYC to ensure that compliance requirements are met. Fill in the form and we will get back to you shortly with feedback on your project.