Compliance regulations in fintech: What to consider when making a fintech app
For years, fintech solutions have been filling gaps in the traditional banking sector and addressing the need for more flexible payment systems. On the one hand, fintech is becoming more connected to traditional financial services; the majority of banking services and insurance organisations expect to partner with fintech companies, for instance. On the other hand, banks are actively investing in technological innovations, creating greater competition in fintech.
Both factors are driving rapid growth in the global fintech market, which is estimated to reach more than $300 billion by 2023.
If you’re thinking about creating a new fintech app, learning about the regulatory landscape should be a key priority. Since financial technology deals with sensitive data, it's crucial that products are built in compliance with laws and in accordance with the best security practices.
In this post, we’ll overview the major fintech compliance regulations and the most common challenges.
The fintech regulations landscape
Fintech solutions are more exposed than digital solutions in other sectors because they store personal and financial data and move money. Regulations vary depending on the type of business, the amount and type of data collected, and the service location, so there’s no universal set of rules that applies to all fintechs globally.
Plus, the regulatory landscape is fragmented and control over fintech compliance is distributed among many organisations — so it’s important to have qualified assistance with regard to applicable laws, requirement updates, and possible penalties.
First, let’s see what types of risks associated with fintech lead to mandatory protection measures.
What risks do fintech solutions face?
Besides the strategic and operational risks any fintech startup faces, there are many data security and regulatory compliance risks that fintech shares with traditional banks:
- Money laundering. It leads to global losses worth up to $2 trillion a year, which makes anti-money-laundering (AML) policies a top priority for any business dealing with financial information. Australian fintech EML Payments’ recent share crash — the company lost half its value overnight because of money laundering risks and will likely face legal action — shows what a blow to both reputation and profits money laundering issues can be.
- Data privacy. Protecting sensitive information and preventing data breaches are among the most pressing issues for fintechs. When a data protection problem is identified, regulatory bodies can impose fines on companies. In EU member states, GDPR non-compliance can result in fines of two to four per cent of a company’s annual revenue.
- Cyberattacks. Financial organisations are a hot target for cybercriminals, and both traditional banks and fintechs rank cybersecurity as a major concern. Several headline-making cases of hacks on cryptocurrency exchange platforms prove that the digital financial sector is extremely vulnerable.
What legislative enactments concern fintech?
Most regulations are location-specific, but there are some globally recognised authorities. For instance, the Financial Action Task Force (FATF) issues standards for preventing money laundering, terrorist financing, and other illegal financial operations that apply to fintech. FATF actively monitors developments in fintech so that its recommendations keep pace with the changing landscape. In 2017, FATF held its first roundtable dedicated to fintech and regtech to discuss AML measures and the increasing vulnerabilities in new payment services.
Below is an outline of regulatory authorities and documents applicable to the fintech industry in the US, Australia, and Europe.
Who regulates fintech in the USA?
Two major institutions are responsible for safe and compliant financial services in the US: the Financial Crimes Enforcement Network (FinCEN) and the Office of the Comptroller of the Currency (OCC). FinCEN collects information on transactions to identify and prevent financial crimes, and the OCC supervises businesses to ensure they comply with fintech laws and regulations.
Key regulatory agencies also include the Consumer Financial Protection Bureau (CFPB) and the Securities and Exchange Commission (SEC). Regulating all companies engaged in the sale of securities, the SEC provides guidance on how to report fintech cyber risks and incidents, and it also imposes fines: a single act of omission can cost a company up to $775,000.
What are financial technology regulations exactly? Since fintech is intertwined with and somewhat dependent on banks, many key banking regulations are relevant in fintech as well:
- The Gramm-Leach-Bliley Act (GLB) is the primary privacy law in the US that requires financial organisations to ensure personal data confidentiality, provide privacy policies to customers, and allow opt-out options for personal data disclosure.
- The Bank Secrecy Act (BSA) is aimed at the detection and prevention of money laundering. Financial companies are obliged to monitor their systems against suspicious activities and report potentially criminal transactions.
- The USA PATRIOT Act sets customer identification standards and Know Your Customer (KYC) policies. Financial organisations are required to establish anti-money-laundering practices and train employees to comply with these practices.
- The Electronic Signatures in Global and National Commerce Act (E-Sign Act) sets rules for electronic signatures and electronic documents.
- The Truth in Lending Act (TILA) aims to protect credit card holders by regulating credit card disclosures, rate increases, and payment allocation, and by mandating a reasonable amount of time to make payments.
- The Truth in Savings Act (TISA) requires clear disclosure of fees and interest rates.
- The Electronic Fund Transfer Act (EFTA) controls authorisation practices applied to online transactions.
- The federal Red Flags Rule requires financial institutions to have identity theft prevention programmes in place.
- The federal Affiliate Marketing Rule sets limits for using information for marketing purposes across affiliates.
This list is not exhaustive, and you need to do research related to your business’s specific niche and service locations. Furthermore, there are additional laws for particular security practices; for example, how biometric recognition technologies are regulated varies from one state to another. Additional regulations also apply if fintechs integrate health data (HIPAA) or if they interact with children’s information in any way.
Currently, the federal system still lacks a dedicated controlling agency for fintech businesses, but steps are being made in this direction. The FINTECH Act introduced by NACHA in 2019 proposes the establishment of a dedicated fintech council within the Department of the Treasury, the creation of innovation offices with fintech advisory services, and control over conflicting regulations that affect the sector.
Who regulates fintech companies in Australia?
The Australian Transaction Reports and Analysis Centre (AUSTRAC) regulates fintechs and transactions taking place in the digital space. For example, AUSTRAC limits the anonymity of virtual currencies by requiring currency exchange platforms to report customer identifiers.
The Australian Securities and Investments Commission (ASIC) is a national regulator that protects customers and investors. ASIC not only enforces laws but also provides assistance programmes to fintech startups to help them navigate the regulatory system.
The Australian Prudential Regulation Authority (APRA) also regulates banking and insurance institutions to protect the financial well-being of Australian customers. Recognising the value and popularity of fintech and regtech solutions, APRA proposed a new regulatory framework in 2020 to reduce the complexity of rules and distribute supervision according to service type.
The potential role of regulators as proposed by APRA. Source: APRA
Who regulates fintech in Europe?
Digital banking regulatory compliance measures in European countries include:
- The revised Payment Services Directive (PSD2) is aimed at guaranteeing payment security throughout the EU and the European Economic Area. PSD2 enforces rules on third-party access to payment information and requires banks to provide interfaces through which payment service providers can access customer accounts.
- The European Union directives and Financial Action Task Force recommendations emphasise the importance of KYC policies, on the basis that customer data checks reduce money laundering risk.
- The General Data Protection Regulation (GDPR) and the ePrivacy Regulation govern data access rules.
In 2017, the European Banking Authority (EBA) published a discussion paper on fintech to describe the sector in general and address state-specific regulatory differences. Of the 1,500 fintech businesses identified, 31 per cent were not subject to any particular regulatory regime, which means financial organisations and their customers might suffer because of legislative loopholes.
Some jurisdictions operate regulatory sandboxes that let emerging financial technologies be supervised in a safer testing environment. For instance, since 2014 the Financial Conduct Authority in the UK has supported a regulatory sandbox regime for fintechs. However, it’s debatable whether a company dealing with sensitive information is really treated any differently within such a strictly controlled environment.
What areas of compliance should fintech companies consider?
Now that we know there’s a plethora of regulations, let’s summarise the payment security and data privacy measures fintechs should take.
- AML compliance. As we’ve seen with the regulatory acts, preventing money laundering is key for financial companies. To protect customers and stay afloat, any fintech business should have anti-money laundering practices in place. Plus, AML regulations require financial companies to submit suspicious transaction reports to Financial Intelligence Units.
- KYC compliance. Know Your Customer standards regulate customer identification before a financial transaction to prevent fraud and tax evasion.
- Data security compliance. The Payment Card Industry Data Security Standard (PCI DSS) applies to any company dealing with international payment systems. The PCI DSS comprises 12 requirements covering cardholder data protection, and the compliance programmes that enforce them vary by country and card issuer (for example, Cardholder Information Security for Visa cards in the US and Account Information Security for Visa cards in Europe).
- Digital Signature Certificate. For online transactions, fintech companies should use digital signature certificates and securely managed keys to validate user identities.
- Customer Due Diligence (CDD). The CDD regulation requires financial organisations to establish and maintain the following processes: customer verification, identity verification of owners of company accounts, customer risk profile development, and suspicious transaction monitoring. Information collected about each customer includes name, contacts, date of birth, nationality, and other details. When a customer performs a financial operation, the system should identify the customer, scan the data and activities against possible risks, and perform Enhanced Due Diligence (EDD) when needed.
- Adverse media screening. The majority of fintech compliance professionals agree that adverse media screening is important for AML compliance. It’s not an official fintech regulation at the moment, but it does represent a helpful practice in review processes that detect and prevent financial crimes.
Besides that, any fintech product should be developed to the best security standards. At MadAppGang, we developed a banking app named WebMoney, and strong security measures represented both our biggest challenge and achievement. We implemented:
- Two-factor authentication for each transaction to secure the app from unauthorised access and session hijacking attacks
- Data encryption on both system and application levels to prevent hacking
- Certificate pinning to protect the app from man-in-the-middle attacks
- Custom DNS server to prevent DNS attacks
- Custom hash algorithms, data wiping, and automated app blocking on jailbroken devices
What practices should fintechs adopt?
Certain practices and tools help fintechs stay on top of legislative changes and provide robust security:
- Risk-based approach. Fintechs should implement regular risk assessments to prevent financial crimes or data breaches. It makes sense to continuously monitor the regulatory landscape and adjust as needed with the help of robust fintech risk and compliance management.
- Use of regulatory technology (regtech). Stringent regulations have led to a whole new type of software called regtech. Various solutions are designed to help financial organisations comply with laws and regulations. For example, AML software analyses customer data to detect suspicious activities and checks customers and transactions against sanction lists. It solves business pain points by automating the creation of compliant reports about suspicious transactions.
- Adoption of AI. Using AI-based technologies for suspicious activity identification, adverse media screening, or other preventive measures can result in higher precision and fewer errors. For example, AML systems often produce a lot of false alerts and struggle to tell criminal transactions from legitimate ones, while AI techniques can teach systems to differentiate better. AI-powered solutions can significantly reduce false positives: HSBC’s case shows a 20 per cent decrease, and Lucinity’s example shows a fivefold improvement in capture rates.
Fintechs have similar responsibilities to banks and, therefore, are heavily regulated, with new regulations raising the compliance bar over time. The fintech sector’s strongest suit is its innovative use of technologies and ease of use, while compliance and security issues remain its toughest challenge.
Companies can lose a lot of their capital, as well as their customers and reputations, because of data breaches, thefts, and regulatory violations. It’s crucial to know the regulations your business needs to be aware of, and to ensure that transactions and data usage within your product are secure and compliant.
At MadAppGang, we opt for sustainable security practices and a solid risk management approach. If you’re launching a fintech startup and need an app, or if you’re considering the development of an app related to finances, contact us and we’ll discuss the scope of work and all the regulatory challenges.