The Internet of Things and FinTech are among the fastest growing markets, but their intersection raises new legal issues for which operators might not be ready.

The FinTech market and its connections with the IoT

According to estimates by Goldman Sachs, traditional financial institutions and banks might lose $4.7 trillion in revenue to fintech companies. Fintech firms are not expected to kill off traditional banks, but will act as disrupters, cutting costs and improving the quality of financial services.

What differentiates them from traditional banks is, among other things, that they

  • have lower regulatory, network and IT costs;
  • can better exploit big data to assess risks and make decisions; and
  • can diversify the credit landscape through, for instance, P2P lending platforms that simply match lenders and borrowers, whereas traditional banks have to worry about how their liabilities are covered.

And the perfect marriage for FinTech is with Internet of Things technologies. Both rely on massive usage of data, which leads to services customized to customers’ preferences. Additionally, fintech can act as a further facilitator of Internet of Things technologies, for instance through blockchains used to reduce the number of intermediaries in monetary transactions initiated by IoT devices, such as a smartwatch, as part of the so-called Internet of Value.

The main legal issues of FinTech when associated with the IoT

Below is a snapshot of the current main legal issues of FinTech:

1. Financial Services Regulations’ obligations

Fintech start-ups have notoriously been operating in an unregulated environment in recent years, or at least have been trying to avoid regulatory restrictions. That practice is coming to an end, in particular for payment services, with the entry into force of the revised EU Payment Services Directive (PSD2), which will regulate not only banks, payment institutions and e-money issuers, but also

  1. operators of eCommerce marketplaces, gift cards and loyalty programs;
  2. providers of bill payment services, a massive business in Italy;
  3. providers of payment initiation services; and
  4. providers of account information and digital wallet services.

These entities will be subject to different regimes depending on the category into which they fall. What really matters, however, is that they will be obliged to operate within a regulatory framework dedicated to them.

PSD2 must be transposed by January 2018, but companies are already working on adopting its obligations. This does not mean, however, that all the services above are unregulated until then: the regulatory environment applicable to each of them has to be assessed on a case-by-case basis.

2. Compliance in the usages of data

The new EU Privacy Regulation is in the process of being adopted, and among the changes it introduces is a massive increase of the potential fines, up to 4% of the global turnover of the breaching entity. Likewise, technologies such as fintech that require the collection and analysis of large amounts of data will require a so-called “privacy impact assessment”, which, where the assessment shows a high residual risk, must be submitted to the privacy authority for prior consultation.

Implementing a privacy-by-design approach may be the only defence in a regulatory framework where the burden of proving compliance lies on the investigated entity, i.e. the company operating the fintech platform.

In addition to privacy issues, there are legal issues as to the ownership of data, which need to be reviewed from a privacy, an intellectual property and a contractual confidentiality perspective. Likewise, as stated by European Commissioner Margrethe Vestager, big data can become an antitrust issue.

3. Cyber-security measures to be adopted

Both PSD2 and the EU Privacy Regulation provide for strict security obligations. The EU Privacy Regulation requires security measures that are “appropriate” to the risk, leaving operators in a kind of “limbo” as to when that standard is met. PSD2 is more detailed in its obligations and requires strong customer authentication, fraud controls and operational and security risk management measures.

Under both the privacy and the PSD2 rules, these obligations are coupled with a duty to notify the regulators, and in some cases the affected individuals (i.e. the customers), in the event of a data breach, with consequential follow-up claims and reputational damage.

These risks can be “mitigated” through a cyber risk insurance policy which, however, because of statutory restrictions cannot cover every potential liability.