Intellectual property and data protection
i Intellectual property, technology and data ownership issues
When developing their products and technologies, fintech companies may believe that they have created a new and novel process or computer technology that could rise to the level of a patentable invention. The challenge of patenting financial services technology in the current environment is that court decisions over the past several years have narrowed the type of technology that is eligible for patenting. In 2014, the US Supreme Court issued what is commonly referred to as the Alice decision,2 which set forth a two-step eligibility test. If an invention is directed to a patent-ineligible abstract idea under the first step, the second step determines whether the patent's claim (which places the public on notice of the scope of the patentee's right to exclude) recites elements that transform the abstract idea into a patent-eligible invention. Courts have generally applied this test to determine that the mere use of commercially available computing devices and software to implement an abstract concept is ineligible for patent protection. While it is difficult to predict with certainty whether an invention may be patent eligible, fintechs should confer with patent counsel to obtain guidance that will allow a well-informed decision to be made. Fintechs should be aware that business models or proprietary operations carried out by standard software may not be enough to seek a patent.
Fintechs should consider taking steps to protect their developed technologies in terms of copyright protection. Copyright protection extends to software code and certain works within software applications (like user interfaces and original text or content). More precisely, copyright protection extends to the source code, as the expression of the idea underlying the software, whereas the idea itself, or the function of the software, is not eligible for copyright protection. For this reason, copyright grants protection against the copy or use of the source code but does not prevent third parties creating different source codes to replicate the functionality of a fintech software. If a fintech company is going to develop software utilising third-party software, the associated licence grants and restrictions from the licensing third party must be taken into account. In addition, if the third-party software involves open-source software, and the fintech's development consists of a 'derived work' resulting from a modification to that existing open-source software, it is possible that a 'copyleft licence' governing the open-source software may contain an obligation to distribute the derivative software under the same open-source licence, disclosing and making available to the public the source code.
As an alternative to obtaining a patent, a fintech may be able to maintain confidential information that provides an economic advantage over competitors as a trade secret. Trade secret law provides an avenue for obtaining protection for economically valuable information such as a formula or algorithm. Trade secret protection presents its own set of challenges. If a trade secret holder fails to maintain secrecy or if the information is independently discovered, becomes released or otherwise becomes generally known, protection as a trade secret can be lost. For those reasons, it is important to enter into appropriate contractual arrangements that provide for the protection of trade secrets, including non-disclosure agreements and also specific contractual language such as IP and proprietary ownership and confidentiality provisions.
Finally, the fintech company will also want to take additional measures to preserve IP rights in distinctive names and other signifiers, such as logos, brand names and domain names to preserve brand awareness and guard against potential confusion. Registration of trademarks, design logos, brand names and domain names can prevent others from using those items that may be confusingly similar to the fintech company, helping to protect name and brand identity as well as position and recognition in the marketplace.
The fintech company should develop and deploy a comprehensive strategy for IP development and ownership from product development through product launch and scale. First, the fintech company should ensure that its agreements with employees and independent contractors that may be performing development work contain 'work made for hire' or similar contractual language establishing that: (1) the fintech owns all IP developed for it; (2) the employee or independent contractor acknowledges that inventions, works or other intellectual property made or created by the employee or independent contractor during the term of employment or engagement are owned by the fintech; and (3) the employee or independent contractor will take all necessary steps and complete any required documentation to assign those IP rights to the fintech. This will ensure that the fintech owns all of its IP, whether or not it chooses to explore any or all of the IP protection strategies described above.
With regard to third-party service provider agreements that the fintech may enter into for development or operation of the fintech services (such as hosting agreements, software-as-a-service agreements, agreements for identity verification services, etc.), the fintech will want to make sure that it is preserving the fintech's IP rights while also acknowledging and recognising the rights of the third-party licensor of the software or services. For example, the fintech may grant a limited licence to a software or service provider to use anonymised and aggregated data (incapable of being reassociated with an individual) for the service provider to monitor their service performance, fix bugs or offer new products or services to the fintech. The fintech will want to establish via contract that it owns all of its own and its customers' data, and may want to limit or prohibit the extent to which the service provider can use the fintech's information or data to sell new or improved products or services to others, and the fintech will want to prohibit a third-party service provider from selling any of the fintech or fintech customers' data to third parties (and this prohibition and related analysis ties into the privacy and data security issues discussed below).
Finally, in customer-facing agreements, fintech providers will want to include robust provisions for confidentiality, intellectual property ownership, end-user terms of licensing and use (including allowed and prohibited activities under the licence) and may also want to disclaim all warranties of non-infringement or disclaim any liability or indemnification for third-party claims of infringement. In addition, the customer-facing agreements are also the appropriate place to obtain consumer or business-end customer consent for data collection, data usage by the fintech and specific permission to use fintech customer information in product improvement or data monetisation initiatives (all subject to the privacy and data security laws, rules and regulations highlighted below).
ii Privacy and data protection
In the United States, there is no overarching privacy law that applies broadly to all businesses. Rather, the Gramm-Leach-Bliley Act (GLB) is the primary federal privacy law that regulates the activities of fintech firms. GLB applies to the use and disclosure of any non-public personal information (NPI) by a financial institution. NPI includes any personally identifiable financial information that either: (1) is provided by a consumer to a financial institution; (2) results from a transaction or service with the financial institution; or (3) is otherwise obtained by the financial institution. The term 'financial institution' is broadly defined to include any entity that is significantly engaged in financial activities such as lending funds, servicing loans or transferring money. GLB is implemented by two distinct rules: (1) the Privacy Rule, which requires financial institutions to provide privacy notices to their consumers and customers and offer them an opportunity to opt out of certain disclosures of their NPI; and (2) the Safeguards Rule, which requires financial institutions to ensure the security and confidentiality of NPI through the development of a written information security programme. A wide variety of federal regulatory agencies have rulemaking and enforcement authority over financial institutions (and that can result in pass-through regulatory requirements to financial institution fintech partners), but fintech firms themselves would most likely be directly regulated by either the Federal Trade Commission or the CFPB with regard to privacy and data protection.
On top of GLB, several other important federal and state laws and regulations for fintech firms to bear in mind and comply with include:
- the federal FCRA, which regulates the use and disclosure of consumer reports;
- the federal Red Flags Rule, which requires financial institutions and creditors to develop, implement and update a written identity theft prevention programme to detect and respond to red flags that might indicate identity theft;
- the federal Affiliate Marketing Rule, which limits the sharing of certain information among affiliated entities for marketing purposes;
- if the fintech will be interacting with children, the federal Children's Online Privacy Protection Act, provisions of the California Consumer Privacy Act (CCPA) that apply to opt-in requirements for sale of data for children aged 13–16 (and parental opt-in consent for children 13 years and younger), and other California and additional state privacy laws that apply to children under the age of 18; and
- the federal Health Insurance Portability and Accountability Act (if the fintech will be interacting with healthcare data).
In addition to laws that are straightforward in their applicability, other federal and state privacy and data protection laws may be triggered based on the type of security processes, procedures and tools fintechs deploy in their product offerings. For example, a fintech that utilises biometric recognition or verification tools through a mobile device must comply with state-specific laws on biometric identification and information. The number of biometric privacy class actions has increased in recent years, with the decades-old Illinois Biometric Information Privacy Act (BIPA) continuing to pose the greatest concern to companies. While BIPA remains the only biometrics legislation to date in the United States that provides for a private right of action, five other states (Texas, Washington, California, New York and Arkansas) have now passed their own biometric statutes or expanded existing laws to include biometric identifiers. These five states, however, either do not address the private right of action or expressly allow enforcement by the state attorneys general. Other states are also in the process of proposing their own state-specific biometric privacy statutes.