The FinTech Regulatory Landscape for Companies and Investors
The financial technology (“FinTech”) industry has experienced unprecedented and explosive growth in Georgia as investors take notice of Atlanta FinTech companies. Federal and state financial regulators have recently released a number of policies and proposals affecting the FinTech market. As new technology emerges and innovation continues to attract investment and generate economic growth, companies should recognize that state and federal regulators are paying attention to the development of this market. Regulators are trying to understand how financial technology affects consumers and which laws may apply to financial technology companies, and they are communicating with the public on these topics with increasing frequency.
For startups that want to attract investment and remain viable and competitive, compliance should be an essential element of the company’s operations. The financial system has a low tolerance for risk, and spotty compliance today could reduce the startup’s ability to attract future investment and could create red flags for potential acquirers tomorrow. FinTech investors should also closely monitor developments in regulation and enforcement in order to conduct appropriate diligence on the companies they are following or investing in. By assessing a company’s compliance, investors can gauge whether management’s attention extends to the concerns of key regulators. Georgia’s FinTech companies should pay careful attention to rules and regulations issued by the agencies listed below and assess compliance risks with legal counsel. The range of new regulation introduced in recent years, and the penalties for getting it wrong, have created demand for new and innovative ways of managing compliance and reducing risk. FinTech startups need a clear regulatory and compliance strategy to support product and marketing strategies and to mitigate legal risk.
In addition, FinTech companies should determine whether they must comply with new cybersecurity rules intended for financial services companies. For example, the New York State Department of Financial Services recently proposed a new rule intended to apply broadly and set to become final in the coming weeks. The rule requires, among other things, the establishment of a cybersecurity program, including the adoption of a written cybersecurity policy; written policies and procedures regarding application security and regarding information systems and nonpublic information accessible to or held by third parties; designation of a Chief Information Security Officer (CISO); a written incident response plan; and notification to the superintendent in the event of a Cybersecurity Event.
The top five agencies to monitor for regulation and rules applicable to Georgia’s FinTech companies:
1. The Office of the Comptroller of the Currency (OCC)
The Office of the Comptroller of the Currency (“OCC”), the regulator of federally chartered national banks and savings associations, has released a white paper providing guidance for financial institutions and companies on the development of products and services in the FinTech sector. The OCC’s White Paper opened its formal discussion of whether it will create a specialized charter for FinTech companies. The White Paper identifies the principles the OCC plans to use as it continues to develop its comprehensive framework for understanding and evaluating innovative products, services and processes. To date, the White Paper is the most significant effort by a U.S. financial regulator to communicate its perspective on how FinTech products and services will be regulated. It is possible that the OCC will implement an OCC-sanctioned regulatory sandbox for banks or their partners, which, given the OCC’s broad regulatory power over traditional banking activities, could reach across many different FinTech sectors, from lending to digital currency to mobile banking.
2. The Consumer Financial Protection Bureau (CFPB)
In early 2016, the Consumer Financial Protection Bureau (“CFPB”) finalized its Innovation Policy as part of the CFPB’s Project Catalyst initiative. The Innovation Policy establishes a new process for financial institutions and companies to apply for No-Action Letters regarding the application of consumer regulations to new products that offer the potential for significant consumer-friendly innovation. Through this process, the CFPB intends to allow financial institutions and companies to resolve regulatory uncertainty during the FinTech product development process. Note, however, that the process is limited in scope: the CFPB will issue No-Action Letters only for unreleased financial products or services, and not for “well-established products or purely hypothetical products.” Obtaining a No-Action Letter requires the requestor to provide a substantial amount of information to the CFPB, both initially and throughout the covered period.
In addition, the CFPB released its Final Rule on prepaid financial products, including traditional prepaid cards, mobile wallets, person-to-person payment products, and other electronic accounts with the ability to store funds. The new rule, which is effective on October 1, 2017, applies specific federal consumer protections to broad swaths of the prepaid market for the first time. The rule is intended to provide consumers with additional federal protections under the Electronic Fund Transfer Act analogous to the protections checking account consumers receive. The CFPB has indicated that it will focus on oversight of third-party vendors.
The CFPB has also penalized companies for misrepresentations regarding data security practices; this year it subjected the Iowa-based payment processing startup Dwolla, Inc. to a consent order and a hefty fine.
3. Federal Trade Commission (FTC)
A variety of federal laws apply to FinTech companies, including the Gramm-Leach-Bliley Act (“GLBA”), the Fair Credit Reporting Act (“FCRA”), the Federal Trade Commission Act (“FTC Act”), the Wiretap Act and the Electronic Communications Privacy Act, and the Federal Trade Commission (the “FTC”) has jurisdiction to enforce these laws. A multitude of state laws analogous to the GLBA and the FTC Act apply as well. These state laws include limitations on the collection, use and storage of sensitive information, including social security numbers, drivers’ license information, financial data, health data and others, as well as data breach reporting and notification laws.
In August 2016, the FTC announced plans to review the GLBA Safeguards Rule. The Safeguards Rule requires financial institutions to develop, implement and maintain a comprehensive, written information security program that contains administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information. The areas in which the FTC seeks comment suggest that the FTC is evaluating a broader definition of financial institutions and broader security requirements, issues that could have important implications for FinTech companies.
In addition, both the GLBA and the FTC Act require FinTech companies to explain their information-sharing practices to their customers and to safeguard sensitive data.
4. New York State’s Department of Financial Services (NYDFS)
The New York State Department of Financial Services (NYDFS) has implemented or proposed model regulations that other state regulators are likely to mimic. If a FinTech company operates in New York or has New York customers, these regulations may apply. FinTech companies should consider complying with New York’s standards or at least modeling their practices on these regulations. As a financial capital, New York State is establishing lasting models of regulation.
Anti-Money Laundering Rules. NYDFS has issued a final anti-money laundering regulation that requires regulated institutions to maintain programs to monitor and filter transactions for potential Bank Secrecy Act (BSA) and anti-money laundering (AML) violations and to prevent transactions with sanctioned entities. The final regulation, which affects money transmitter, check cashing and banking firms operating in New York State, requires regulated institutions to submit annually a board resolution or senior officer compliance finding confirming the steps taken to ascertain compliance with the regulation.
Bitcoin Licensing Rules. The NYDFS rules for businesses that engage in Bitcoin or other virtual currencies apply both to persons located in New York that engage in virtual currency activities and to persons located outside New York that engage in virtual currency activities with persons located in New York. The rules require persons engaged in specified “Virtual Currency Business Activities” to establish and maintain an effective cybersecurity program, including written, board-approved compliance policies, among other requirements related to obtaining and maintaining a license.
Cybersecurity. NYDFS has recently proposed a cybersecurity regulation that would apply to all entities licensed, required to be licensed, or subject to other registration requirements under New York banking, insurance or financial services laws. The proposed regulation prescribes specific measures that financial service companies must take to protect customer information and their information technology systems. Covered companies must establish a cybersecurity program, adopt a cybersecurity policy, designate a chief information security officer (CISO), ensure the security of Nonpublic Information held by third parties, conduct annual penetration testing and vulnerability assessments, and train personnel on cybersecurity, among other requirements.
The proposed regulation will further require that regulated entities that allow their vendors to access certain information also conduct an appropriate risk assessment, implement written policies and procedures setting minimum cybersecurity practices for vendors, perform due diligence on third-party vendors, and assess third-party vendors’ cybersecurity practices annually. FinTech firms and investors should understand whether and to what extent their businesses are subject to New York’s regulations.
5. Treasury Department’s Financial Crimes Enforcement Network (FinCEN), Financial Industry Regulatory Authority (FINRA), and the Federal Financial Institutions Examination Council (FFIEC)
FinTech companies are subject to standards promulgated by FinCEN, FINRA and the FFIEC. These regulators focus on anti-money laundering (AML) compliance, and new classes of market participants are becoming subject to FinCEN’s AML rules now that requirements for registered investment advisers have been proposed and are expected to come into force in the next year. In its 2016 Regulation and Exam Priorities Letter, FINRA explicitly identified firms’ cybersecurity preparedness as an area of focus, stating that it will review firms’ approaches to cybersecurity risk management, as well as firms’ data governance, quality controls and reporting practices, to ensure the accuracy, completeness, consistency and timeliness of data reported to firm management and to firms’ surveillance and supervisory systems. The FFIEC has assessed the state of the industry’s preparedness and identified gaps in the regulators’ examination procedures in order to strengthen oversight of cybersecurity readiness. In June 2015, the FFIEC released a Cybersecurity Assessment Tool to help institutions assess their cybersecurity risk. It is critical that FinTech firms and investors understand whether and to what extent their businesses are subject to AML laws and regulations.
The legal and regulatory landscape continues to evolve for FinTech companies. Companies that identify legal and regulatory risks during the initial product development phase and incorporate compliance into their operations from the outset could create additional value and serve the long-term strategic interest of the company. For investors, understanding risk in these areas and knowing the questions to ask could be a valuable source of market intelligence.
If addressed correctly, regulatory compliance tends to bring with it a legitimacy that can be a market differentiator, elevating FinTech companies above competitors and going a long way toward more sustainable growth. Get it wrong, however, and a FinTech company can face difficulty raising funding, criminal and regulatory sanctions, and damage to the value of the business and the reputation of the brand. The challenge for FinTech companies remains staying on the right side of legislation and regulators in the highly scrutinized financial services industry. FinTech companies should be forward-looking when it comes to compliance and bake in these strategies to help make their company attractive to investors:
- Budget for compliance as a cost of doing business.
- Seek adequate investor funding to address the requirements imposed or anticipated in a rapidly-changing regulatory landscape.
- Establish processes to effectively implement the necessary regulatory changes within the required deadlines.
- Evaluate whether to employ a vendor to manage the company’s data security and to secure sensitive data.
- Engage experienced outside counsel under the attorney-client privilege, along with information security experts, to conduct a comprehensive legal and security risk assessment that evaluates current compliance against current and anticipated regulations.
- Establish an internal working group and work with qualified outside counsel and security consultants to create and develop a comprehensive audit plan for the cybersecurity programs, policies and procedures that may be required under current and anticipated regulations.
- Review existing third-party vendor contracts with counsel and develop and negotiate a contractual addendum that complies with the requirements of current and anticipated regulations, including cybersecurity requirements.
See Office of the Comptroller of the Currency, “Supporting Responsible Innovation in the Federal Banking System: An OCC Perspective,” available at https://www.occ.gov/publications/publications-by-type/other-publications-reports/pub-responsible-innovation-banking-system-occ-perspective.pdf.
See Consumer Fin. Protection Bureau, Policy Statement on No-Action Letters, available at http://files.consumerfinance.gov/f/201602_cfpb_no-action-letter-policy.pdf.
See Consumer Fin. Protection Bureau, available at http://files.consumerfinance.gov/f/201602_cfpb_no-action-letter-policy.pdf.
See id. at p. 26.
See Consumer Fin. Protection Bureau, Final Rule, Prepaid Accounts under the Electronic Fund Transfer Act (Regulation E) and the Truth in Lending Act (Regulation Z), available at http://files.consumerfinance.gov/f/documents/20161005_cfpb_Final_Rule_Prepaid_Accounts.pdf.
See CFPB, Bulletin Regarding Service Providers (Apr. 12, 2012), available at
See Client Alert, “For First Time Ever, Consumer Financial Protection Bureau Penalizes a Company Over Misrepresentations of Data Security” (March 8, 2016), available at /newsletters/for-first-time-ever-consumer-financial.
See Press Release, N.Y. Dept. Fin. Serv., available at http://www.dfs.ny.gov/about/press/pr1606301.htm.
See N.Y. Dept. Fin. Serv., Final Rule § 504.1 et seq., available at http://www.dfs.ny.gov/legal/regulations/adoptions/dfsp504t.pdf.
See New York Comp. Codes R. & Regs. tit. 23, § 200.1 et seq., available at http://www.dfs.ny.gov/legal/regulations/adoptions/dfsp200t.pdf.
See New York Comp. Codes R. & Regs. tit. 23, § 500 et seq. [proposed rule], available at http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf.
See id.
See New York State Department of Financial Services, Proposed 23 NYCRR 500, “Cybersecurity Requirements for Financial Services Companies,” § 500.11.
See Anti-Money Laundering Program and Suspicious Activity Report Filing Requirements for Registered Investment Advisers, 80 Fed. Reg. 52680 (Sept. 1, 2015), available at https://www.federalregister.gov/documents/2015/09/01/2015-21318/anti-money-laundering-program-and-suspicious-activity-report-filing-requirements-for-registered.
See SEC’s Office of Compliance Inspections and Examinations, Examination Priorities for 2016 (Jan. 11, 2016), available at https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2016.pdf.
See Press Release, Federal Financial Institutions Examination Council, FFIEC Releases Cybersecurity Assessment Tool (June 30, 2015), available at https://www.ffiec.gov/press/pr063015.htm; see also FFIEC Cybersecurity Assessment Tool, available at https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_June_2015_PDF2.pdf.
The articles published in this newsletter are intended only to provide general information on the subjects covered. The contents should not be construed as legal advice or a legal opinion. Readers should consult with legal counsel to obtain specific legal advice based on particular situations.