Financial technology, or fintech, companies have captivated the business world. A large number of these firms are seeking to unbundle established financial services by offering innovative products and services that leverage cutting-edge technology to transform the customer experience and drive further innovation into the financial services industry. Established financial institutions are also vying to capture opportunities at this crossroads of technology and finance. Collectively, large sums of money are being invested by private equity, venture capital, banking, and brokerage companies in this space.
Because fintech companies are encroaching more and more in the financial transaction space, regulators are increasing their focus on these types of organizations. The Office of the Comptroller of the Currency (OCC) published a paper in March 2016 outlining its intention to support innovation in financial services.1 Most recently, a bill was proposed to the U.S. Congress, dubbed the Financial Services Innovation Act of 2016, which seeks to create a financial services innovation office, or FSIO, within each financial services regulatory agency to help fintech and startups navigate their way through the labyrinth of regulatory agency rules.2 Although this bill is unlikely to pass, it and the OCC paper show the strength of support for fintech companies on a political level. On balance, however, regulators are keen to demonstrate that fintech companies are subject to regulatory scrutiny, as evidenced by actions by the Financial Crimes Enforcement Network (FinCEN) against Ripple Labs and by the Consumer Financial Protection Bureau (CFPB) against Dwolla.3 For startups still in the process of capturing market share, a civil money penalty could impact the company’s ability to refine its technology, while the negative publicity may also undermine the confidence of its customers and investors.
This paper aims to provide important first steps for fintech companies grappling with the difficult transition from technology innovator to regulator-ready financial firm, as well as some advice for traditional financial institutions entering the fintech space via partnerships or through their own incubator companies.
Challenges and Opportunities
The challenges for startup fintech companies that provide financial services for clients are many and varied. Listed below are a few of the more prominent challenges facing firms today.
Balancing innovation with compliance costs
The resources and costs required to install compliance programs at startups can represent a significant challenge for many firms in the fintech sector. Controlling compliance and regulatory costs can reach into the billions of dollars annually for the largest banks, and regardless of size, compliance burdens represent a significant and growing operational expense. While large financial institutions have dedicated significant resources to their compliance functions, fintech firms often have only a small team of employees, and even smaller budgets. To stay abreast of regulatory developments and ahead of scrutiny, compliance teams must stay vigilant in their efforts to: track, review and analyze emerging regulatory developments; produce meaningful metrics and reporting for senior management and the board; develop comprehensive policies, procedures and training; and serve as effective liaisons with the front lines.
As the majority of fintech companies are in the nascent stages of raising funds, they are eager to avoid regulatory scrutiny as enforcement-related activities could pose significant resource constraints and reputational challenges. Some firms have even petitioned for “no-action letters” from regulators which, if granted, would provide innovators with clearance to proceed in developing proposed products and services so long as there is no apparent conflict with existing regulations or statutes. Although these letters can be revoked at any time, they provide the unique opportunity of potentially opening up dialogue with regulators and easing into potentially significant compliance costs, while still enabling fintech firms to move forward with production.
Expansion and compliance
The regulatory cost of doing business for fintech firms can vary substantially based upon a company’s operations and geographical footprint. In the early stages of development, a fintech firm may be subject to limited regulatory oversight but, as the company grows, so too does the number of oversight agencies and regulatory requirements.
One growth strategy for many fintech firms involves partnering with banks. Such a partnership, however, may subject the fintech to rigorous third-party management practices by the banks as well as additional regulatory requirements and oversight by U.S. regulators. While the partnership could benefit the fintech firm in the long run, the cost of compliance in the short term puts an immediate strain on financial and physical resources.
Beyond partnerships, the physical expansion of fintech firms, depending on geographical reach and footprint, may require compliance with U.S. (federal and state) and international requirements such as European Union rules. Privacy laws, in particular, are a current area of increased scrutiny by both U.S. and EU regulators.4 Fintech firms must be able to demonstrate to regulators that the systems holding customer information are not only secure, but also that the customer information is being handled appropriately in accordance with the applicable privacy laws. The variation among these laws increases the immediate cost of expansion into new territories and the overall recordkeeping costs of the company. The implementation of an overall compliance program, which is flexible enough to address changes in U.S. federal and state requirements as well as European laws, could potentially reduce costs for fintech companies in the long term. A system of this magnitude, however, comes with significant up-front costs and can be difficult to design, implement and manage.
Unclear regulatory schemes
The lack of fintech-specific regulations and a dearth of clarity around existing financial services regulations and how they may apply to a variety of fintech types is serving as another challenge for the industry. The rapid pace of change and the amorphous nature of the fintech industry create new obstacles for regulators attempting to classify the variety of fintech companies and provide adequate oversight. Similarly, innovators are struggling to understand which enforcement authority supervises their business and the purview of each regulatory body. The process of understanding which regulator has oversight can become convoluted quickly. For instance, some companies, such as Square, focus on payment processing, while others, such as Lending Club, have found a niche opportunity in the peer-to-peer lending business. Furthermore, Betterment and Wealthfront have leveraged technology in the investment management sector of the financial industry.
As well as the OCC white paper, agencies such as the CFPB have indicated that forthcoming regulations will aim to protect consumers while providing a platform for continued growth. In response, the industry has criticized the regulatory approach, stating that the effort does not go far enough to encourage innovation and that the patchwork of U.S. federal and state regulations has left firms with great uncertainty about how to comply.
Our Point of View
While new entrants need to get up to speed quickly on their regulatory requirements, traditional financial services firms, which are acquiring new entrants and even developing their own fintech subsidiaries in-house, also need to be aware of any additional compliance requirements and boost their existing programs to account for their changing risk profiles. Initial action steps include:
- Before partnering with a fintech company, banks and other financial institutions should perform due diligence on their business models, which includes conducting a vendor risk management (VRM) assessment. Given the expectations around VRM from the OCC and the Federal Reserve, firms need to focus on assessing every facet of the proposed relationship, from the strategic purpose to engaging the vendor.
- Many banks have created their innovation platforms where they invite vendors to curate their product and service offerings. Driving responsible innovation into the research and development process requires effectively integrating fintech companies into the bank’s existing VRM program, while maintaining a balance of sound risk management and agility. A collaborative approach is comprised of four primary stage gates: exploration/discovery, prototype, pilot and implementation. As fintech firms progress through each stage gate of the research and development lifecycle, they should be prepared to address an increased amount of VRM due diligence and effectively articulate their own inherent risks and mitigating control environment. The benefit of this approach, to both banks and fintech firms, is that the VRM due diligence is applied appropriately throughout the R&D process, rather than just at the beginning of the relationship.
- Traditional firms need to consider large-scale technology changes the partnership may require, including integrating products based on new technology into existing core systems, which may require modernizing.
- Banks and other financial institutions should also use the assessment to communicate upward to senior management to explain how these risks affect the overall risk profile of the financial institution. A partnership with a fintech tends to be a new venture for a company, which means the stakeholders advocating for it should find a way to quantify the risk impact.
The steps necessary to achieve compliance readiness for fintech firms follow those applicable for most traditional financial institutions. The key first steps for fintech companies can be summarized as follows:
- Understand the context of their particular environment. The company needs to understand the regulatory landscape, identify which regulator(s) they are governed by, and discover which regulations are applicable to their company. There are numerous regulators that have purview over financial firms at the state, federal, and international levels. Firms must be aware of the applicability of traditional financial regulators such as the FinCEN, the OCC and the CFPB, as well as the Department of Justice and the Federal Trade Commission (FTC), for example.
- Next, companies should identify the body of laws, rules and regulations that may apply to their business models. Building a “global legal inventory” is a necessary step in the development of an effective compliance management system. Doing so will allow a company to see clearly the potential roadblocks to their innovative strategies and ensure they can operate in a manner that mitigates legal risks.
- Once the company has identified its supervisors and its regulatory requirements, it must decide how to prioritize its compliance efforts by using a risk-based approach and employing an agile philosophy to compliance. To do so, firms need to assess the compliance risks associated with the regulations identified in the discovery phase. Key risks to consider when assessing the risks of non-compliance include: the potential financial impacts from regulatory enforcement; the reputational risks associated with public actions; and the operational risks associated with potential cease and desist orders. Each of those risks will be weighed against the controls in place to mitigate them. An agile compliance program will address those highest risk issues with the least effective controls first.
- Once the current risk and control environment is understood, the next step is the development of a compliance management system. Each company will need a system that is commensurate with its nature, scope and complexity. An effective compliance program will include: governance and management oversight, policies and procedures, training, monitoring, quality control and independent audit. For fintech companies that operate in a fast-moving technology environment, comprehensive yet flexible policies and procedures may provide the best solution to ensure that operations can stay in compliance. Policies and procedures in an agile compliance program will have consistent standards across the company, be forward looking, and provide enough flexibility to maneuver in an evolving regulatory environment.
- If a fintech company partners with a bank (or banks), it should be prepared to work with the bank’s vendor management group and provide adequate information to ensure the bank can perform the necessary due diligence based on its VRM policies. A key assumption is that the level of due diligence may be different for the fintech company depending on the R&D lifecycle (as described above).
How We Help Companies Succeed
Protiviti has extensive expertise in understanding the applicability of regulatory requirements based on our professionals’ experience obtained during their employment at various regulatory bodies at the state and federal levels, such as the FinCEN, the Internal Revenue Service, the CFPB, the OCC and the Financial Industry Regulatory Authority. As a result, Protiviti can provide guidance in investigating and identifying applicable regulatory bodies and legislation relevant to fintech companies.