Compliance Considerations for Fintech Organizations

Since the days of the Medici family and the rise of their 15th-century banking operation in Florence, Italy, the financial services industry has seen dramatic changes at various times over the centuries.

One of the most significant recent developments is the rise of the internet and mobile technology, providing increased convenience and rocketing speed to a myriad of financial transactions. In the past, transactions tended to occur face-to-face with familiar people, and with cash or physical negotiable instruments (i.e. paper and ink). Today just about any financial transaction can be made digitally via the internet or a mobile device, from obtaining credit cards, mortgages, and auto loans, to trading stock, and even exchanging value through the increasingly popular and relatively anonymous means of cryptocurrencies (like Bitcoin).

However, with the benefits of this evolution come increased levels of compliance and operational risk, corporate responsibility, and government regulation and oversight for financial services companies attempting to keep up with the times and their customers’ ever-increasing set of demands.

According to Investopedia, fintech is defined as “a portmanteau of financial technology that describes an emerging financial services sector in the 21st century”. These days, people want to manage their financial lives efficiently, easily, and with less of their valuable time, while retaining a high level of concierge-like service. The reality is that in today’s digital age many customers greatly prefer to use online platforms and applications for their financial business needs, rather than conducting transactions in person or over the phone. This is especially true of millennials and of the increasing number of Generation Z consumers reaching the age of majority and entering the financial marketplace.

Because of this, many companies that are mainly fintech have seen substantial growth. As a result, some financial services companies have unfortunately been left in the virtual dust because they offer their products only through more traditional channels.

However, it is not all wine and roses for the emerging fintech industry. Thomson Reuters’ Cost of Compliance Report for 2018 indicates “Technology is having a major impact on compliance. On the one hand, the benefits of new technology are driving an increase in the compliance function’s involvement in considering solutions, with 41% expecting to spend more time assessing fintech solutions over the next 12 months…balanced against the potential benefits of technology are the heightened regulatory risks associated with cyber resilience, data privacy, and IT infrastructure”. In his article How Fintech Companies Should Handle Compliance, Clayton Mitchell points out that “One challenge fintech companies face is the sheer number of regulators that have rule making or supervisory authority over them due to unique business models and state level licensing and regulators”, and that “in the absence of a uniform regulatory scheme, there is widespread confusion about rules”. One of the issues touched on is that many fintech companies struggle to create a true culture of compliance, because they identify more closely with technology companies than with other, non-fintech financial services organizations that are familiar with maintaining a strong compliance foundation.

As mentioned earlier, the anonymity factor is inherently embedded within many fintech transactions. This can be a downfall when trying to ensure that the proper level of due diligence is completed from an anti-money laundering (AML) and terrorist funding perspective. This goes beyond meeting a minimum level of KYC requirements, and requires that fintech companies truly know who they are doing business with, and whether there is a connection to nefarious intentions. In addition, being able to detect and respond to suspicious activity should lead to fintech companies knowing what their customers are up to, and as a result what they are getting their company into. No legitimate fintech company wants to be in the position of having to defend itself against evidence that it has conducted activity supporting a terrorist or criminal organization.

Likewise, data protection can be a challenge for many fintech companies, which by their very nature attract a more technologically advanced demographic. While some fintechs’ mantras upon launching their new customer interface platform may go something like “build it and they will come”… in many instances a truer representation would be “build it and they will come to hack, circumvent, and infiltrate”. In the days of “War Games”, the term “hacking” used to be reserved for prodigies able to find their way into government systems; today the term is used to convey any means to bypass any life inconvenience, showing how much a part of popular culture it has become. Without strong preventative and detective controls, fintech companies can find themselves (and their customers) falling victim to yet another data breach, and to the bad press, financial impacts, and regulatory scrutiny and enforcement actions that come with it. Responsibility for this rises to the top. As noted in the “Building the Cyber Security Community” speech from Elizabeth Denham, Information Commissioner at the ICO, “security is boardroom-level issue”… “if left solely to the technology teams, security will fail through lack of attention and investment”.

When outsourcing important functions such as loan servicing, it is important to understand, from a regulatory compliance perspective, the partner that has been chosen. Thomson Reuters’ Cost of Compliance 2018 indicates that 24% of responding companies report that they outsource at least some of their compliance function. As indicated by the International Chamber of Commerce’s guide “Outsourcing - a practical guide on how to create successful outsourcing solutions” (February 2018), “There is a significant regulatory duty imposed on these companies to ensure that they have the best understanding of existing risks as well as new and developing risks on an ongoing basis. Experience has shown that when risk-consciousness is present in a company’s daily business, bad things are less likely to happen”. This would include the compliance and operational risks inherently associated with the emerging fintech industry, which is why it is so important to select a business partner that understands what it means and what it takes to be successful in the world of fintech.