Regulatory compliance for fintech startups
Players in the fintech space have enjoyed a bit of a wild west environment over the past two decades, with some successful players operating under the radar and evading the attention of regulators and legislators. But recently the public and government agencies have become more acquainted with the benefits and services that fintech provides — and of just how slippery some parts of the industry are.
You’ve heard it before, but it’s worth repeating: With increased attention comes more scrutiny and new rules.
What does compliance mean for fintechs?
Fintech regulatory compliance is the observance of and adherence to any and all laws, rules, restrictions, and regulations that apply to a fintech company. What it means in practice, however, differs for every company — and it can seem like a daunting labyrinth of law and protocol to find your way through.
No matter how pesky it can be, financial regulatory compliance is an absolute necessity for any company operating in the fintech space: It protects the company and its clients and customers and helps avoid expensive — sometimes ruinous — penalties for failure to meet regulatory standards.
Fintech compliance requires an understanding of the financial laws set out by local and international government regulators — and that’s no small feat. Sometimes getting it fully in hand requires a compliance expert or team at your side.
Threats and risk
As is the case with financial services as a whole, there are three major threats that fintech regulations are designed to police: data leaks, cyberattacks, and money laundering.
Fintechs often deal with a huge amount of personal data, which can range from financial information like account numbers and security info to personal data such as names, contact info, and social security numbers. IBM’s 2022 Data Breach Report found that 83 percent of organizations studied had suffered a data breach. If firms don’t impose adequate protections, a single breach can result in enormous amounts of data being stolen or compromised — and a company’s reputation going out the window.
Whether by stealing, altering, disabling, or destroying system functions and data, cyberattacks are responsible for unauthorized access to mountains of private data every year. A cyberattack doesn’t inherently have to target data. Some forms of cyberattack specifically target the destruction of a system itself or restrict access to the system until a ransom is paid.
The UN states that $800 billion to $2 trillion is laundered every year — a fuzzy figure given the nature of the activity — roughly equal to up to 5 percent of the global GDP. To reduce this illegal activity, countries institute detection and prevention laws and regulations known as anti-money laundering (AML) policies. These aim to staunch the flow of illegally acquired assets that are converted into other assets, or transferred between financial accounts, in an attempt to conceal their origin from investigators.
On the subject of the next phase of compliance, Mary Kopczynski, CEO of RegAlytics, a US-based regtech, has this to say: “Future challenges will be based on the next market shock, whatever it is. You see another ‘Robinhood’ type scandal and all entities of that type will suddenly be in deep water,” referring to the stock-trading app’s decision to halt trading on certain high-volatility stocks. That action cost the company $70 million in regulatory fines alone, just weeks before the company’s planned submission of an IPO prospectus.
Regulations require an enforcer. And for a fintech operating in the US, there are five relevant agencies that handle enforcement.
The Financial Crimes Enforcement Network, known as FinCEN, is a bureau of the US Department of the Treasury. It’s responsible for collecting and assessing data relevant to criminal investigations, such as analyzing financial transactions, with the intention of identifying both domestic financial crime as well as international money laundering.
The Federal Trade Commission protects consumers and preserves a competitive business environment by weeding out what its mission statement calls “anticompetitive, deceptive, and unfair business practices.” The FTC has the authority to issue federal regulations and monitor businesses for compliance. As regulators begin to more closely evaluate tech-driven financial services, new regulations for the industry will be created largely by the FTC. (If you’re looking for something to read over lunch, the FTC’s cases and proceedings pair well with a burrito.)
The Federal Deposit Insurance Corporation is charged with the majority of regulation for banks, including mobile banks. It not only insures bank deposits but determines if a bank qualifies for that insurance.
The US Securities and Exchange Commission handles compliance and regulation for all business activity related to the stock market. Its role is to protect both investors and the market itself. The SEC inspects companies for honest disclosure regarding the risk and value of the securities they’re offering. It also monitors securities brokerages to ensure fairness in their dealings with investors. (Speaking of a good read: the SEC’s press releases. There’s just no drama like stock market drama.)
The Office of the Comptroller of the Currency, known as the OCC, monitors banks for compliance with federal consumer protection laws, rules governing lending practices, and broader financial regulations that apply to most financial institutions. Where the FDIC provides the insurance needed to protect consumers, the OCC keeps a close eye on banks to make sure they comply with the standards needed to qualify for that insurance. (Worth perking your ears up: The OCC is opening an Office of Financial Technology in early 2023.)
How to stay compliant
There’s no one-size-fits-all, universal framework for fintech compliance. With so much variation among fintech businesses, companies can follow a number of paths to compliance. For example, a company that facilitates mobile payments is going to need to contend with different regulations than a robo-advisor investment company. (And yes, we can’t get over how cool it is that ‘robo-advisors’ are a thing either.)
There are, however, strategies that can set you up for success no matter what corner of the fintech world your business occupies.
Fit your compliance strategy to your business
Many aspects of compliance are fairly static: Your niche — whether that’s payment processing, online banking, or any tech-based financial service — likely has a certain set of transparent regulations that every company within it needs to comply with. It’s the businesses themselves that vary — in things like size, scope of work, customer base, and funding source.
The first step to achieving compliance is sussing out the compliance needs of your business, not someone else’s. Ensuring that you’re ticking the boxes that apply to you — and not ticking the ones that don’t — not only provides you with the protection of being in compliance but also heads off wasting resources on requirements that don’t apply to you.
Find the talent
You’ve looked at your business, you have an idea of your budget and your structure, and now you’re ready to start building your own custom-made compliance framework tailored to the needs of your business.
So, what are your options now? The two most popular choices for fintech startups consist of hiring an in-house compliance expert or outsourcing your compliance needs. Again, the right choice depends on your business.
- Hiring a designated compliance expert. Adding a compliance expert to your in-house team allows for the development of a comprehensive understanding of how your company maintains compliance. It also puts you on track to institutionalized archiving of those processes and the ability to course-correct. You gain a go-to expert from whom you can get advice and implementation tailored to your business.
- Outsourcing your compliance solution. As a cost-effective way to ensure your company has skilled and experienced compliance experts, bringing in an outside compliance firm is especially popular with newer startups. External compliance solutions let companies stay lean and keep costs low while also guaranteeing the job is handled by expert talent.
Integrate technology solutions
Modern compliance has seen a huge boom in software aimed at making the process easier and, in some cases, automatic, and that’s changed compliance dramatically. “KYC and AML have become the main checkpoints for financial services organizations and electronic money movement in general,” says Andrew Haines, Global Head of Fintech at Vention. “Manual processes like checking your customer and identity verification used to take days. Now, with AI and ML, it can take seconds.”
You’ve taken two big steps towards regulatory compliance: first, understanding why it’s important, and second, learning how to find a person or team who knows how to make compliance happen for your company. From there, achieving compliance is a matter of incorporating the solutions that your compliance officer or compliance service proposes in a bunch of ways, including into your software.
The continuing debate over how governments will regulate digital platforms means that how and where a fintech operates are open to potential tidal shifts in the coming years, whether that’s due to new global regulations, to operating in regions with differing rules (as with the EU enacting the Digital Markets Act), or to the creation of entirely new agencies, like the OCC’s Office of Financial Technology mentioned above. This means that, after establishing a compliance process, adaptability needs to be a guiding principle in a fintech’s compliance strategy.