The US doesn’t have an overarching compliance regime for its fintechs, making it difficult to determine which regulations and licences they need to follow at any given time.
The more a fintech grows, expanding its marketing, increasing its profile and attracting press attention (both positive and negative), the more likely it is to be exposed to state and federal scrutiny of its compliance status. Non-compliance can quickly lead to huge fines, jail time, and reputational damage. US fintechs have seen an increase in the scrutiny of their compliance status in 2022. If you’re one of the 73 per cent of fintechs without a dedicated compliance officer, now is the time to get an idea of what you need to know.
Five compliance factors US fintechs need to know, right now
Whether US-based or working with US clients, fintechs need to know what they want to achieve and have the necessary regulatory cover to ensure they can operate and fulfil their goals.
Know the compliance laws
There’s a whole alphabet soup of compliance laws on both state and federal levels that every fintech operating in the US needs to be aware of and follow. These laws ensure that financial transactions proceed smoothly, with safety and security at every stage. They should be a non-negotiable element of every fintech’s business.
Three key federal regulators for fintechs to be aligned with:
- Financial Crimes Enforcement Network (FinCEN) – gathers information about financial transactions to help prevent and mitigate financial crimes.
- Commodity Futures Trading Commission (CFTC) – regulates US derivatives markets.
- The Office of the Comptroller of the Currency (OCC) – one of the primary banking regulators in the United States, overseeing, regulating, and examining chartered banks.
Other key federal regulators:
- The Securities and Exchange Commission (SEC)
- Federal Deposit Insurance Corporation (FDIC)
- The Federal Trade Commission (FTC)
- Consumer Financial Protection Bureau (CFPB)
- Financial Industry Regulatory Authority (FINRA)
But it doesn’t stop there. Fintechs must stay up to date and compliant with a whole range of regulations that cover data privacy, security, and chartered banking laws. To add even more complexity, these laws vary from state to state.
Each state can have several industry regulators as well as the State Attorney General’s Office, which oversee often overlapping portions of the fintech industry. Banking, mortgages, loans, credit cards, insurance, money transfer, checks, consumer protection and privacy are all subject to an individual state’s regulatory authority.
Know about AML
Just as bricks-and-mortar banks have had to comply with strict anti-money laundering (AML) regulations, so do fintechs. In the US, AML compliance is both federally and state regulated, so fintechs need to be up to speed with AML regulations at both levels. Money laundering causes around $2 trillion to be lost to governments and companies annually. As a result, countries worldwide have developed AML policies which fintechs are expected to comply with. Having the right programme in place to detect and eliminate money laundering is essential.
There are penalties for non-compliance
Non-compliance can land a fintech with hefty fines. These have the knock-on effect of negatively impacting revenue, share price and future profits. State regulators and State Attorneys General are often very active in going after smaller companies like fintechs. In 2021 a US-based fintech company was fined $6 million by the Consumer Financial Protection Bureau (CFPB) because its lending practices had violated CFPB consumer protection guidelines.
Fintechs, as financial businesses, need to have a strong AML programme embedded in their strategy from day one. In 2015, FinCEN levied a $700,000 penalty against a digital currency operator because it didn’t have an adequate AML programme. There are many instances where fintechs were fined either for failing to adopt consumer security compliance or for failing to provide user data protection.
In 2021, the San Francisco-based neobank Chime was ordered by the California Department of Financial Protection and Innovation (CADFI) to pay a fine and to cease and desist from language that the regulator says falsely portrayed the fintech as a bank; specifically, it was told to stop using chimebank.com and to stop using the words ‘bank’ or ‘banking’. This finding has rippled across the industry as a shot across the bow, putting fintechs on notice.
There are non-compliance penalties that can’t be wiped away with a chequebook. Reputational damage can last for years and negatively impact a fintech’s ability to attract investors and consumers.
Know about KYC
Fintechs are subject to increasingly punitive fines in cases of know your customer (KYC) negligence. That’s why it’s vital that all fintechs apply due diligence and have KYC compliance processes that are embedded and impeccable. Due diligence must be applied when onboarding customers in order to root out fraud, close off possible terrorist funding, and help mitigate AML risks.
Fintechs are expected to adopt and comply with US laws and regulations, which include the Bank Secrecy Act (BSA), Office of Foreign Assets Control (OFAC) sanctions requirements, and individual state requirements. Fintechs have a duty to maintain AML-related procedures and controls designed to comply with these laws and regulations, in order to combat financial crime.
Apply data privacy
Consumer protection and privacy laws are both federally and state regulated, so fintechs need to know how and if they apply to their business. People will only place their finances in an institution they trust, and fintechs are only as strong as the trust they inspire. People expect that their personal data is secure from fraudsters at all times.
Fintechs, as a bridge between customers and traditional banks, must ensure there are no data leaks which could impact their customers and breach a bank’s security measures. If this happens, fines, lawsuits, financial losses and reputational damage quickly follow.
Much personal data is lost and compromised through phishing (sending emails posing as a reputable company to obtain personal data from individuals). It’s the cause of 60 per cent of companies’ lost data, with fraudsters accessing credentials and personal data such as passwords, usernames and addresses.
The Gramm-Leach-Bliley Act (GLBA) requires fintechs to protect consumer data, limit some data sharing, explain their information-sharing practices to their customers, and allow consumers to opt out of some sharing. States across the US are tightening up their consumer data privacy and protection rules, requiring companies to maintain security plans.
“Valuing and protecting user privacy is an essential role of fintech companies, large and small. Fintechs can gain user trust by clearly disclosing what data they collect, how they use it, and who they share it with,” says Lauren Martin, VP of legal at Dwolla. “This trust is the foundation of a fintech’s relationship with its users and is essential to helping users find new ways to use the data around their financial lives to improve their financial health. And fintechs can keep user trust by maintaining a robust program to protect the security of the information users have entrusted to them.”
You are part of an ecosystem
Just because you have a legal opinion that says you don’t need to be regulated doesn’t mean fintechs don’t have to comply. Banks, money service businesses, other fintechs and payment companies will all have a host of requirements that mirror regulatory requirements, because they are regulated and will expect the fintechs they work with to adhere to their standards. Each component of the global financial industry plays a different role, and each will have its own set of requirements you’ll need to navigate.
Aside from all the legal aspects of compliance, fintechs should embrace:
- Awareness and education: know and understand the laws. Get help from in-house compliance officers or consult with someone with compliance experience.
- Preparation: create a compliance plan. Brainstorm worst-case scenarios.
- Activate and document: have compliance policies and procedures in place for your systems and your people.
- Maintain and audit: check that compliance is working, and build relationships with your partners and regulators to keep on top of your compliance strategy.
“Reputation, competency, knowledge, transparency, and strategy are the underpinnings of a financial industry compliance programme,” says Josh Ramsey, head of compliance, Currencycloud Americas.
“Fintechs and the financial industry as a whole need compliance people and programs they can trust to balance the ever-changing regulations and obligations in our industry with the business’s short and long term demands and expectations. Compliance can’t be a ‘check the box’ exercise you put on a shelf; rather, it has to be a cornerstone of your business.”
It’s complicated but it doesn’t have to be
Fintechs and neobanks are in the ascendant, increasingly popular among consumers. Many have goals of becoming banks, which is why regulators and lawmakers will be scrutinising the industry closely and intensely.
Fintechs need to protect themselves by building their own compliance programmes, or by working with well-established regulation technology companies. Just like traditional banks, fintechs should have compliance embedded in their business strategy.
As a fintech, we at Currencycloud are only as strong as our clients, and so we have stringent KYC processes and onboarding procedures. Our clients, in turn, benefit from leveraging Currencycloud’s licences, regulation and compliance processes, which means they can focus on growing their business, empowered by the knowledge that they have the right regulatory cover in place.
Since 2012, Currencycloud has processed more than $100 billion to over 180 countries, working with banks, financial institutions and fintechs around the world, including Starling Bank, Revolut and Lunar.
Based in London with offices in New York, Amsterdam, Cardiff, and Singapore, Currencycloud works with partners including Dwolla, GPS and Mambu to deliver simple, clear cross-border infrastructure solutions for clients. They are regulated in the UK, Canada, US, Australia and the EU and were acquired by Visa in December 2021.
Get in touch with an expert at [email protected] to find out more, and start your more secure journey today.