Compliance and Regulatory Resource for FinTechs, Brands, and Banks
While we feel our comments and compilation of resources could be very helpful for FinTech startups, Brands, and Banks looking at new and innovative approaches in the industry, we are not offering legal, compliance, or regulatory advice. Always consult the appropriate resources for your business.
You’ll likely want to just go find quick summaries that highlight how each of the regulations work, rather than reading pages of regulation. We get why, and understand how that can be helpful; however, we highly recommend you don’t just read summaries when it comes to critical aspects of your business. It’s helpful to be familiar with the entire regulation as you consider new innovative approaches you plan to bring to market.
resources for fintech startups, Brands, and banks
OCC Office of Innovation - I can’t overstate the value of this group as a resource to FinTechs, Brands, and Banks. They make themselves available via email, phone number (202) 649-5200, or in-person at various locations. Get more specific on ways the OCC Office of Innovation can help you here and consider signing up for their newsletter here. The Chief Innovation Officer for the OCC is Beth Knickerbocker. I’ve found her, and her team, to be extremely helpful.
Federal Reserve - The Federal Reserve shares news and event information here. You can subscribe to receive e-mail updates from the Federal Reserve here.
FDIC - The FDIC publishes regular updates including press releases, financial institution letters, speeches & testimonies, as well as conferences & events. You can also sign up for e-mail alerts from the FDIC here.
CFPB - Kathy Kraninger is the director of the CFPB. In my conversations with her and her staff I’ve found her to be open and very helpful when it comes to understanding regulation so that we can work within the regulatory guidelines.
GRC - An online community for governance, risk, and compliance professionals. William Fisher is the right person to connect with here.
CBANC - You can think of CBANC as an online community for financial professionals. People regularly upload contractual / legal questions and get feedback from the community. The nature of this peer network is such that you can find great answers to your questions from people that are walking in your shoes every day.
important regs to know about
BSA (Bank Secrecy Act) / AML (Anti-Money Laundering) - The Bank Secrecy Act requires financial institutions in the U.S. to help government agencies identify and prevent money laundering. It’s also commonly referred to as AML. Another item that gets lumped into this is CFT (countering the financing of terrorism).
KYC (Know Your Customer) - Included in the Patriot Act, the requirements for KYC are typically split between how you identify your customers (CIP, the Customer Identification Program) and the due diligence performed on your customers (CDD, Customer Due Diligence). Plaid provides an excellent overview of KYC requirements. You can get some of the more granular information from FinCEN (Financial Crimes Enforcement Network).
UDAAP - Unfair, deceptive, or abusive acts or practices by parties offering financial products and services. This piece of legislation was a direct result of the 2008 financial crisis and was introduced in 2010 as part of the Dodd-Frank Wall Street Reform and Consumer Protection Act. While many believe this needs adjusting, you should be very familiar with UDAAP.
Reg E - Regulates how funds can be transferred electronically, emphasizing the protection of consumers engaging in electronic funds transfer. This is a Federal Reserve regulation. Reg E outlines where liability falls for card usage, specifically for debit cards.
Reg Z (also known as “Truth in Lending”) - Protections for consumers that access credit. Consumer credit includes everything from a mortgage to a credit card or installment loan. The regulation addresses how disclosures should be represented, as well as servicing requirements, annual percentage rates, and more.
Durbin Amendment - As part of Dodd-Frank, the Durbin Amendment significantly reduced the fees banks could charge merchants to accept payments. One reason the Durbin Amendment is so important for FinTech is that banks above the asset threshold of $10 billion cannot participate in interchange revenue opportunities at the same level as those below the $10 billion threshold. So if you’re a FinTech looking to participate in interchange revenue and you partner with an FI above the $10 billion limit, you’re going to be severely limited in the interchange revenue that can be collected. See the regulation regarding debit interchange fees here.
Community Reinvestment Act (CRA) - Governor Brainard delivered a speech in March of 2019 addressing the pros and cons of the CRA as it stands today. While we can’t be certain, we’re hopeful there will be changes to this in the not-too-distant future. Regulators are aware of many of the CRA’s shortcomings and are working toward potential solutions.
California Consumer Privacy Act (CCPA) - CCPA has been compared to GDPR in Europe. This law goes into effect January 1, 2020. It “creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses.” (Source) Interestingly, the way this law was drafted, it applies to Californian citizens wherever they go. The CCPA fact sheet provides in-depth information on this new law.
OFAC (Office of Foreign Assets Control) - The Treasury Department administers sanctions through OFAC against certain governments, but also against people and entities. This list includes some ~6,400 names of companies or people that are connected to sanctioned targets. Financial institutions, as well as any third party working with a financial institution, cannot send money to anyone on this list. For more information on OFAC, check out their website here.
PCI DSS Compliance - While listed under regs to know about, it is important to understand that PCI DSS compliance is not government-regulated. PCI DSS standards are established by the card networks. If you want to process with the card networks you’ll need to familiarize yourself with PCI DSS. Plaid provided an excellent overview of PCI in this article.
Note - As explained in the third-party relationship section, if you’re a FinTech or Brand partnered with a Bank, the management team and board of directors are responsible for ensuring that you’re being held to the same standards as any activity happening within the institution. It’s critical that you understand these regulations so you can be a good partner to the financial institution(s) you plan to / are working with.
third-party relationships
If you’re a Bank looking to partner with a FinTech / Brand, or vice versa, that is classified as a third-party relationship when it comes to the OCC and FDIC. The OCC has issued guidance on multiple occasions regarding these relationships, as has the FDIC.
This information can be extremely helpful to FinTechs / Brands looking to approach financial institutions for partnership, and also to financial institutions looking to partner with FinTechs / Brands. By better understanding what will be needed in order to be able to enter into a third-party relationship, parties can better prepare themselves.
OCC Bulletin 2017-21 | June 7, 2017 (most recent) - This guidance provides supplemental material and thoughts on the original guidance below.
OCC Bulletin 2013-29 | Oct 30, 2013 (original, more substantial) - This publication provides guidance for assessing and managing risks associated with third-party relationships. Any business relationship between a financial institution and another entity is considered a third-party relationship.
FIL-44-2008 FDIC - This letter was issued by the FDIC in June of 2008. It provides financial institutions with guidance on managing third-party risk. This letter makes clear that the responsibility for managing activities related to third-party relationships lands squarely on the shoulders of a financial institution’s board of directors and senior management. It lays out a framework to help financial institutions seeking partnerships with a third party, and includes several specific things financial institutions should do when vetting third-party providers. One concept I found especially illuminating is that the financial institution is responsible for “identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.” (Source)
FIL-19-2019 - Provides specific guidance with regard to technology service provider contracts. According to this letter, “Recent FDIC examination findings noted that some financial institution contracts with technology service providers lack sufficient detail regarding the contract parties’ respective rights and responsibilities for business continuity and incident response.” (Source) Guidance is given to help shore up these issues.
Brokered Deposits - Most deposits that come into a financial institution via a neobank / fintech partnership for depository accounts are considered brokered deposits and they’re handled differently than traditional deposits. The FDIC recently proposed new rules on how to handle brokered deposits. Learn more about that here.
SOC Compliance Standards
SOC (Service Organization Controls) standards were created to help organizations understand the rigor that has been applied to financial data and internal system design to protect customer data. Many firms offer SOC compliance audits, the results of which you can present to partners as a demonstration of your company’s soundness.
SOC 1 Type I - Point-in-time demonstration of the internal controls at an organization with regard to financial reporting.
SOC 1 Type II - Demonstration of internal controls at an organization with regard to financial reporting on an ongoing basis - a minimum six-month time period.
Note - SOC 1 is more about financial controls. An organization that has been audited for SOC 1 compliance has not necessarily fulfilled the much more stringent requirements of SOC 2 with regard to how systems within the organization are designed and implemented to protect customer data.
SOC 2 assesses how an organization handles the 5 trust service principles: security, confidentiality, processing integrity, availability, and privacy of the organization’s customer data.
SOC 2 Type I - Similar to SOC 1 Type I, SOC 2 Type I is focused on point-in-time compliance of the organization and its systems with regard to the 5 trust service principles.
SOC 2 Type II - Similar to SOC 2 Type I, SOC 2 Type II focuses on how the systems in an organization are designed to support the 5 trust service principles on an ongoing basis - with a minimum requirement of 6 months.
additional resources
Speech by Governor Lael Brainard of the Federal Reserve “FinTech and the Search for Full Stack Financial Inclusion.”
Money Service Business Overview and Extended Information.
Money Transmitter Definition by Financial Crimes Enforcement Network.
It’s difficult to home in on the most important regulatory / compliance components for FinTechs, Brands, and Banks. If there are mission-critical regulatory / compliance pieces you feel we’re missing, please feel free to reach out to us.