Regulation is coming to the growing financial technology industry. As fintech innovation increasingly reshapes financial services of all kinds, Congress and regulators are moving to address emerging issues. The urgency has intensified with the rising controversy around regulation of the tech industry overall – especially the use of consumer data.
Fintechs stand at the nexus of two industries. One of them, financial services, is possibly the most highly regulated of all sectors and receives constant regulatory attention. The other, technology, faces a surge of new law and regulation. The combination means that every fintech will experience regulatory turbulence arising from both of the industries it straddles. Even fintechs that currently are compliant with existing rules may not remain so as regulations change. The companies that come out on top will be those that are adept at managing policy and regulatory action in an inherently unstable environment fraught with both threat and opportunity. Companies caught by surprise may not survive, but those that prioritize regulatory compliance and best practices can seize this change as a competitive opportunity.
What Is Happening and What Does It Mean for Fintechs?
Fintechs no longer will be able to fly under the radar with regulators and legislators. Many startups have had the advantage (and the risk) of developing technology that has crossed regulatory jurisdictions as well as the authority of existing statutes. The fast pace of innovation has left Congress and regulators largely in the dust. On privacy and cybersecurity, for instance, Congressional hearings have made it clear that many Members of Congress may lack technical expertise concerning how much consumer data is easily available to companies, but remain concerned about potential negative consequences to consumers. As we have seen, large institutions as well as mid-sized businesses have experienced data breaches exposing the personally identifiable information (PII) of millions of people.
Legislative and regulatory activity is ramping up across a wide spectrum of issues, and Congress has the ability to help create clear guidelines that could be helpful to fintechs and their customers. If lawmakers are overly cautious or heavy-handed, however, they may stifle innovation and prevent companies from ever getting off the ground. For example, data privacy discussions and proposed related legislation will encompass all entities – of any size – that collect, process, store, and disclose covered data. If stringent restrictions are placed on third-party access, movement, storage, and other handling of consumer data, then fintechs that rely on use of that data may struggle, as they will no longer have access to the information required for their businesses to function. Meanwhile, fintechs that use cash flow patterns and other non-traditional data for credit underwriting, especially those using machine learning, may be impacted by whether and how changes emerge on disclosure for adverse action against a consumer under the Fair Credit Reporting Act (FCRA). The FCRA and the Equal Credit Opportunity Act (ECOA) currently require that customers be told the reasons for “adverse action” on a credit application, so that they can try to address the issues involved. However, machine learning techniques are beginning to produce credit decisions for which the “reasons” do not fall into the boxes on the disclosure form. It is unclear how they should be disclosed – and whether difficulty with disclosure should be allowed to discontinue use of these techniques, which show promise to enable more inclusive, sound lending.
Similarly, the FDIC’s recent guidance to banks about mitigating third-party security risk will directly impact fintech partners, as fintechs may soon find their banks revisiting contract terms on security and continuity. Problems and costs can be avoided if fintechs learn about bank regulators’ latest priorities at the same time that their bank partners do; fintechs can then proactively strengthen their internal practices and prepare to show solid risk management.
On the state level, the most striking example with respect to data regulation is California, which passed a law similar to the European Union’s General Data Protection Regulation (GDPR), and created sweeping new privacy rights. California’s governor has proposed a “data dividend” from tech companies in various circumstances involving the downstream sale of consumer data to other businesses for marketing or other purposes. Congress, too, has begun to discuss the monetary value of consumer data during Congressional hearings on consumer privacy and how and whether consumers should be compensated. This could lead to entirely new and onerous responsibilities for tech companies. For example, the potential for new disclosure and compliance rules (such as consumer opt-in and opt-out options on data usage) may prove very difficult for small and mid-size companies.
Another issue that may affect many fintechs is modernization of the Community Reinvestment Act (CRA). Fintechs may find their business models significantly impacted, for better or for worse, by whether an updated CRA will incentivize banks to work with them. Congress and regulators are examining reform concepts, including the idea of giving banks “CRA credit” for activities they undertake with or through fintechs that benefit low- to moderate-income consumers, such as enabling access to loans for consumers who have low (or no) credit scores, or making it easier to save money or pay bills.
Numerous regulatory issues are undergoing review and potential modernization. There is bipartisan work underway on updating the Bank Secrecy Act’s (BSA) anti-money laundering (AML) rules, which would affect fintech and regtech firms that perform customer identity verification, transaction monitoring, and similar functions. Now that the CFPB has a Director in place, those fintechs focused on small businesses should expect movement toward the small-business data collection rule set out in Section 1071 of the Dodd-Frank Act. This rule directs the Bureau to collect data on small business lending to improve understanding of how businesses that are owned and operated by women and minorities are faring in the space. Those working with cryptocurrency should pay close attention to several bills introduced this Congress, including H.R. 922, the Virtual Currency Consumer Protection Act; H.R. 923, the U.S. Virtual Currency Market and Regulatory Competitiveness Act; and, most recently, H.R. 2144, the Token Taxonomy Act, and H.R. 2154, the Digital Taxonomy Act. The list goes on.
Some of these developments can open doors to fintechs. Some can close doors. Regardless of the impact of proposed law or regulation, fintechs should not sit on the sidelines while the future of their industry is debated.
What Should Fintechs Do?
ASSESS and then TRACK what is happening now that could impact your fintech. Tracking is important for two reasons. First, it is an early alert system about issues that are likely to land on the fintech’s doorstep. Second, tracking opens an opportunity to shape emerging legislation and regulation before it is enacted.
Congress does not need to legislate for regulators to act. Legislative and oversight activity often encourages regulators to issue new rules themselves, on existing law, rather than waiting for Congress to issue mandates. For example, the OCC, the FDIC, the CFPB and the Fed are all developing offices of innovation to help them regulate fintech activities, partially spurred on by legislation that has been discussed in Congress over the last several years.
With regulatory uncertainty, fintechs have been held accountable for unintentionally running afoul of regulators. If your fintech partners with banks, you should follow the bank regulators’ bulletins, just as your banking colleagues do. You can sign up for these updates online and have them emailed to you.
UNDERSTAND what is driving regulatory activity. Find out whether there is pending legislation that is causing a regulator to issue guidance preemptively. Which Members of Congress are championing these issues and why? Do they have constituents that have been harmed by data breaches or other issues? Are unbanked and underbanked consumers in their districts in need of better access to financial services? Is Congress being lobbied by large companies that feel threatened by innovation? Understanding what is incentivizing action can help fintechs create a plan of action to mitigate potential threats. In order to stay ahead, fintechs need to understand the policy environment they are operating in, just as they have to understand their own technology and their customers.
COMMUNICATE with those who need to know what is occurring. Regulatory fitness is both about day-to-day compliance and readiness to address new, unexpected risks, which may lie just ahead as the regulatory landscape shifts and as the fintech grows. Demonstrating to clients, investors, partners, and state regulators that you are on top of what is happening in Washington conveys that you are taking compliance and consumer protection seriously. Companies have to guard against inadvertently faltering on regulatory issues. When this happens, they are more likely to win the benefit of the doubt from regulators and enforcement agencies if they can demonstrate their commitment to regulatory compliance. Recent headlines have spotlighted dramatic regulatory failures by companies perceived to be on a fast track to growth and success. One regulatory mistake can undo years of business success.
STRATEGIZE how to be proactive. If your alert system shows you that Congress and/or regulators are becoming active in your space, engage with them to help shape the outcomes. Establishing relationships with Members of Congress can be hugely beneficial, both to educate them as they fashion potential legislation and regulation and to lay the groundwork for seeking their help if issues arise. If a fintech runs into an issue with a regulator but has an established trusting relationship with a Member of Congress, that Representative may be willing to intercede on the company’s behalf and help resolve the issue. Regulatory agencies are answerable to Congress and will give priority to responding to Congressional inquiries. In addition, most agencies have office hours where companies can meet with them and discuss issues.
Ultimately, legislators and regulators want the same thing as fintechs – a safe and robust marketplace – but policymakers are not technology innovators. They need proactive input from fintech companies as they create the guidelines that will impact the ability of this vital sector to flourish.
Recommended Resources
Fintech Cos. Should Help Create Consumer Data Regulations, Law360
Crossing Party Lines Fintech Podcast, Barefoot Innovation Group