How founders can avoid the regulatory graveyard

Tips for fintech founders to navigate the current regulatory environment

Recent headlines have driven up regulatory concerns for many fintech founders, including last week’s announcement of OCC actions against Blue Ridge Bank. Jason Mikula at Fintech Business Weekly has written a great overview of the regulatory landscape facing fintech founders, in particular those benefiting from the sponsor bank model. For fintech founders, these reports reinforce the fact that they operate within a heavily regulated industry. And although banking regulations have always (ideally) been within a founder’s repertoire, many are operating under increased uncertainty as the general regulatory tone seems to have shifted from innovation towards customer protection and risk mitigation. 

So, how can founders address this? We outline three areas where fintechs may be particularly vulnerable to regulatory scrutiny and some of the tactical steps they can take to mitigate risks. 

Before getting into specific tactics, an overarching action that cuts across all of these regulatory themes is creating policies and procedures early. Critically, it’s important to actually follow what is written in policies and procedures, and to have someone responsible for ensuring they are regularly updated and appropriate for your business. Any time there is an investigation, audit, or inquiry, these are some of the first documents that are referenced and what you are judged against. These are more important than just an outsourced, check-box exercise. 

‍Sponsor Banks

With the acceleration of sponsor bank models in the last few years, it should come as no surprise that regulators will want to study this model—and potentially update rules to better account for this new operational paradigm. The ramifications for fintech founders can range from a minor operational nuisance to something more catastrophic. As a fintech operating under a sponsor bank, you may have to provide data or program documentation to help your sponsor bank inform the regulator of their actions. If investigations into the bank yield something more worrying, you could face individual account investigations or closures on your platform, throttled or halted account growth, or even forced closure of your operations with the bank. 

Founders can take the following steps to mitigate risk: 

• If you’re interviewing with sponsor banks now, ask questions. Understand who they are regulated by, their relationship with those regulators, and how they are preparing for any increased scrutiny. Understand what procedures they have in place in the face of an investigation, and if they are altering any of their operations now to account for the changing landscape. 
• Design your architecture for flexibility. Make sure that you’re creating a structure that can easily port to other sponsor banks, and that your data and systems are not wired for the specific instances of your existing institution. This means that you should maintain an in-house ledger. 
• If you are large enough, build out multiple relationships to have redundancies in place. This will be hard with low user/transaction volumes, but after a certain threshold vendor diversification is a good strategy to reduce concentration risk in general. 

‍Data Privacy

Many fintechs engage with sensitive customer data, and data privacy should be of concern to both founders and regulators. The CFPB recently drafted a circular outlining their intent to bring enforcement actions against companies that provide “inadequate security for sensitive consumer information collected, processed, or maintained.” The circular goes on to note that such practices will be viewed as “unfair when they cause or are likely to cause substantial injury.”

Moreover, the CFPB is currently drafting the rule required by §1033 of the Dodd-Frank legislation, which provides the overarching framework under which financial institutions are obligated to make financial data available to consumers via data integrators like Plaid. Changes to the interpretation of this currently vague statute could have a substantial impact on the types of products that fintechs are able to offer and the constraints around those products. 

Founders can take the following steps to mitigate risk:

• Build security into the product foundation early-on. Fintechs by definition work with people’s money, so it’s important to take security seriously. This includes things like performing regular pen testing/ethical hacking, and ensuring 2FA is in place across the customer lifecycle - not just at onboarding and login. 
• Be cautious about the data that you store. There’s been a recent belief that data storage is cheap and that fintechs should store everything they can. Reflect on that perspective before you accept it into your practices. Although a wealth of data can produce insights, the more information you store, the more vulnerable all of that data is in the event of a breach. At a minimum, sequester your sensitive data, and avoid storing information like SSNs unless absolutely necessary. Follow the PKI data guidelines even if you’re not technically bound by them.
• Avoid the temptation to sell data to third parties unless absolutely necessary for your business model. In the current environment, the often-marginal benefits of these data-sharing relationships are simply not worth the risk.

‍Customer protection and UDAAP

Although many startups are created with the vision of improving customer experience over the status quo, regulators have still found grounds to investigate them for unfair, deceptive, or abusive acts or practices (UDAAP). One fintech company, Digit, was recently fined by the CFPB for UDAAP violations. These were in large part derived from Digit’s communication to customers that their savings algorithm would not spark overdrafts, and in the case that it did the company would reimburse any incurred charges. The CFPB alleged that in some cases those fines were not covered and required the company to reimburse at least $68,145 to customers and pay a $2.7M civil penalty. Based on the reimbursement penalty, the number of failed reimbursements were in the low thousands. For startups, the important thing is to make sure that you are following UDAAP rules—which includes following through on all of your promises to all of customers. 

Founders can take the following steps to mitigate risk: 

Understand UDAAP and other regulations that may apply to you. Have an expert ensure that you are not in violation of any of these rules: you can use the compliance policies and procedures as a great point of reference to direct them to. Experts can reference operational precedent for rules that are in the “gray area” that can help ensure you aren’t performing any “own goals” when it comes to consumer protection rules. 

• Details matter. Even with the loftiest of good intentions for the customer, just a handful of negative events or deviation from your stated procedures can cause headaches, fines, or more. Have someone on staff who is detailed-oriented and can make sure that issues are addressed and closed in a timely manner. 
• Be clear with your customers. Sometimes companies need to make decisions that customers won’t like, such as raising fees or deprecating a product. Be respectful of your customers and provide clear information about what is occurring. Obscuring information is not only a poor customer experience but can open you up to UDAAP issues.  

Fintech is putting a lot of positive pressure on the financial services industry, and we believe that it is ultimately a force for good. However, it also forces regulators and the industry-at-large to examine old paradigms in new ways, and to re-evaluate the risk that fintech practices pose to the broad industry. In fact, the Acting Comptroller of the Currency, Michael Hsu, recently previewed some of his thinking, including the fact that the “de-integration” of banking services (driven in part by fintechs) could ultimately lead to a “severe problem or even a crisis.” Under this umbrella we can expect more investigation or action, and we want to ensure that fintech founders won’t be caught flat-footed—and can even play a part in the evolution of financial services regulation. 

‍