As financial technology (FinTech) companies continue disrupting traditional financial services functions, such as lending and payments, these companies and their potential bank partners are wise to step back from the technology and consider the consumer experience. As bankers know, consumer protection laws and regulations are agnostic with respect to the kind of institution providing the consumer financial product or service; therefore, there is a constant need to consider the full slate of consumer protection laws and the regulatory activity in this area. Compliance demands are expanding and, in light of the expansion of FinTech in the consumer finance space, a review of some of the more critical components of the compliance landscape in this emerging area may be helpful for banks interested in, considering, or already engaged in FinTech.
Before we review some of the more challenging compliance issues emerging from engagement with certain areas of FinTech, it is helpful to first outline what we mean when we say “FinTech.” Broadly, FinTech refers to the use of technology in providing a financial product or service. This may be an online loan origination model that uses new or novel data points to determine creditworthiness in a more individualized manner, payments technology that allows for faster or (arguably) more secure payments, or online “wallets” that can be used for automatic savings or other electronic transfers.
Once upon a time, automatic teller machines (ATMs) represented the cutting edge of FinTech. As before, FinTech—and the companies that develop, license, or sell such technology—is gaining significant traction in the banking industry; however, such traction comes with significant compliance considerations that must be addressed, primarily in a few hot button areas of consumer protection. These hot button areas include fair lending; unfair, deceptive, and abusive acts or practices; third-party vendor management; data security and privacy; and anti-money laundering.
Fair Lending and UDAAP
Fair lending and unfair, deceptive, and abusive acts or practices (UDAAP) have maintained their status as hot button consumer protection issues since the Equal Credit Opportunity Act and Section 5 of the Federal Trade Commission Act were enacted decades ago. They represent areas of perpetually heightened compliance risk. Indeed, fair lending risks permeate FinTech’s use of new data points in innovative origination models and credit analyses. Additionally, UDAAP seems to operate as a catch-all for compliance risk. UDAAP violations are a constant tag-along to regulatory enforcement actions, especially since the Dodd-Frank Act was passed in 2010 in the wake of the financial crisis. This is of particular importance for FinTech, as the companies and the technologies may be interfacing directly with consumers.
As with fair lending and UDAAP, regulators are becoming more demanding with respect to compliance in the use of third parties to provide certain products or services directly or indirectly to consumers. The Federal Reserve, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB) have each released new or updated guidance over the last few years (some of which predates the Dodd-Frank Act) related to third-party relationships and vendor risk management.
For example, guidance released by the OCC in 2013 includes due diligence expectations and suggested contractual provisions that define the vendor relationship and outline the bank’s expectations of the vendor, including diligence and audit requests from the bank partner, as well as possible scrutiny from the bank’s regulator. Many contractual modifications have been resisted by vendors due to the potentially onerous nature of certain provisions. However, the regulatory community views material third-party relationships as an outgrowth of the bank and, therefore, views the risks to consumers, and potentially the institution itself, as significant. This is where the rubber meets the road for FinTech and bank partnerships.
Data Security and Privacy
Laws and regulations governing the acquisition, use, and storage of sensitive data are directly implicated by many FinTech applications. For example, when a consumer logs in to an online portal, such as one used for a loan transaction, for the purpose of providing or verifying information necessary to consummate the transaction, the consumer expects that such sensitive information is submitted and stored in a secure manner. In the age of online accounts, payments, and other transactions where sensitive personal information is stored electronically, the risks of data breach and information security incidents are constant. Banks and FinTech companies need to be sensitive to the use and storage of such information on their systems and should develop and monitor specific policies, procedures, and response plans related to the loss of sensitive customer information.
Finally, FinTech companies need to consider how their product or service could be used by illicit actors seeking to conceal the source or use of funds that are otherwise obtained illegally. Compliance with the Bank Secrecy Act and anti-money laundering (BSA/AML) laws and regulations is critical. The consequences of a BSA violation can be crippling for financial institutions. Moreover, BSA/AML risks are heightened for firms operating in an electronic environment, including FinTech companies, where some customers may seek to conceal their identity or the source of funds through digital currency or creative electronic transactions.
In this vein, banks and FinTech companies will find that BSA/AML compliance obligations will only increase. Indeed, there are already new obligations to understand the beneficial owners and control persons of certain customers, which banks are facing as full implementation of those new rules is less than two years away. State and federal regulatory agencies are also reviewing broader sets of activities and exposures when examining their regulated entities, as well as those entities’ vendors, such as FinTech partners, for BSA/AML compliance.
One of the most important considerations for any relationship with, or use of, FinTech is the consumer experience. Compliance risks abound in banking and financial services, and those risks may be heightened with the addition of new technology or vendor relationships. Most consumer protection laws are agnostic with regard to the kind of institution providing a consumer financial product or service; therefore, FinTech companies will subject themselves to the same slate of consumer protection laws and regulations to which banks are subject when engaging with consumers. It is critical to consider these obligations, among others, before engaging with FinTech.