Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions. 

Regulatory issues

Regulatory approach

How would you describe the regulatory policy for fintech products and services in your jurisdiction?

While the US government generally supports fintech innovation, it heavily regulates financial products and services provided to consumers – although this generally focuses on the contracting process and the delivery of information. Regulations restricting permissible terms and conditions for financial products and services also exist (particularly for consumer loans and insurance products), but are less prevalent. The United States also regulates many providers of financial products and services.

The United States employs a two-tier structure for regulating financial products and services – with statutes establishing general rules and regulations issued by government agencies often providing more detailed rules and guidance. In some circumstances, non-governmental entities may also issue rules that are quasi-regulatory.

The federal government actively regulates most financial products and services – in many cases, the federal regulation is extensive and complex. In addition, individual states (and the District of Columbia) may establish their own statutes and regulations – provided that the state rules do not conflict or interfere with the applicable federal rules. These additional state rules are not always the same in all jurisdictions and in some instances may even conflict with each other. Federal and state regulations may focus on the providers of the services or on the terms and conditions of the services themselves.

With respect to providers, the provider’s activities will frequently trigger licensing or registration requirements at the state or federal level, or sometimes both. Statutes and regulations may also address the provider’s financial condition and operations.

The features of the product or service being offered often trigger other specific regulatory requirements. The focus of these requirements is not usually on the technology used to deliver the product or service. Instead, the starting point for analysing applicable laws and regulations usually involves identifying the nature and purpose of the product or service. For example, when evaluating the regulations applicable to alternative lending products, the regulatory focus will be on:

  • the terms and purpose of the loan;
  • the location of the lender;
  • the location of the borrower; and
  • whether the intended borrower is an individual or a business.

The fact that the product or service may be delivered through an online or mobile channel or utilises innovative technology, such as a blockchain or advanced artificial intelligence, will usually be a secondary consideration.

With respect to those financial products that are considered securities, the Securities and Exchange Commission (SEC) requires entities acting as brokers or dealers in securities (ie, in the business of buying and selling securities for or of others (‘broker-dealers’), to register with the SEC and become members of the Financial Industry Regulatory Authority (FINRA)). Broker-dealers are subject to many detailed SEC and FINRA rules and regulations concerning their:

  • business practices;
  • capital and financial stability;
  • handling of customer assets; and
  • regulatory reporting.

Each state imposes similar requirements.

In addition, because many existing US regulations assume that financial transactions will be conducted on paper, applying those rules to fintech products and services can sometimes be challenging. To address this issue, the federal government has adopted the Electronic Signatures in Global and National Commerce Act. The act authorises the use of electronic records and signatures in commerce, even when existing regulation would require the transaction to be conducted on paper. The act applies to federal and state law unless the state has adopted an equivalent statute. Most states have adopted equivalent laws, usually in the form of the Uniform Electronic Transactions Act. However, the Electronic Signatures in Global and National Commerce Act and the Uniform Electronic Transactions Act have exclusions, and certain states have adopted additional exclusions and limitations of their own.

These acts differ from the electronic signature statutes adopted in some other countries, because they focus less on issues relating to the identity of the signatory and more on issues relating to the agreement to use electronic signatures and records, presentation, record integrity and retention. Therefore, in the United States, the number and types of effective electronic signatures is broad, but the enforceability of signed agreements often depends on other considerations relating to the electronic signing process itself.

Fintech involves not only the delivery of financial services, but also the development, licensing and deployment of technology solutions. For the most part, the establishment of formal IP rights (eg, patents, trademarks and copyrights) is regulated by the federal government. Licensing of intellectual property usually involves a mixture of federal and state law. 

Have any fintech-specific laws or regulations been enacted in your jurisdiction? Are any envisaged?

Certain jurisdictions have enacted a licensing or chartering regime for cryptocurrency. For example, New York has the Bitlicence and has charted special purpose trust companies that engage in cryptocurrency exchange activities.

Regulatory authorities

Which government authorities regulate the provision of fintech products and services?

The number and variety of federal and state authorities that may regulate fintech products and services is substantial and depends on the nature of both the provider and the product or service. Some federal regulators include:

  • the Consumer Financial Protection Bureau (covering virtually all financial products and services for consumers);
  • the Federal Reserve Board of Governors (covering bank holding companies and processing of certain payments);
  • the Federal Deposit Insurance Corporation (covering insured deposits at banks and credit unions);
  • the Federal Housing Authority (covering residential mortgage loans);
  • the Office of Federal Housing Enterprise Oversight (covering residential mortgage loans);
  • the Federal Financial Institutions Examination Council (covering the examination of most licensed or chartered financial institutions);
  • the Financial Crimes Enforcement Network (covering financial institutions, including money transmitters);
  • the SEC (covering investment securities); and
  • the Commodity Futures Trading Commission (covering commodities, including many virtual currencies).

At the state level, relevant regulators usually include:

  • state banking departments;
  • consumer protection agencies;
  • secretaries of state; and
  • state securities commissions.

Quasi or non-governmental entities that also perform some de facto regulatory functions include:

  • the FINRA (covering investment brokers and dealers);
  • the National Automated Clearing House Association (covering certain electronic fund transfers);
  • the Federal National Mortgage Association (covering residential mortgage loans);
  • the Federal Home Loan Mortgage Corporation (covering residential mortgage loans); and
  • the major debit and credit card networks (including VISA, MasterCard, American Express and Discover).

Financial regulatory framework

Which laws and regulations governing the provision of financial services apply to fintech businesses?

The laws and regulations governing fintech businesses are extensive. Statutes governing fintech are often accompanied by implementing regulations. These statues and regulations may address the products or services themselves or related issues (eg, licensing or registration, money laundering or data use).

At the federal level, a non-exhaustive list of statutes and regulations addressing financial products and services includes:

  • the Electronic Fund Transfer Act and Regulation E;
  • the Equal Credit Opportunity Act and Regulation B;
  • the Fair Credit Reporting Act and Regulation V;
  • the Expedited Funds Availability Act and Regulation CC;
  • the Truth-in-Savings Act and Regulation DD (covering deposit accounts);
  • the Truth-in-Lending Act and Regulation Z (covering consumer loans);
  • the Graham-Leach-Bliley Act and Regulation P (covering privacy);
  • the Securities Act 1933;
  • the Securities and Exchange Act 1934; and
  • the Commodities Exchange Act.

Other federal statutes that are not directly aimed at financial products and services, but may significantly affect fintech, include:

  • the Electronic Signatures in Global and National Commerce Act and the Uniform Electronic Transactions Act;
  • the Americans with Disabilities Act (covering the accessibility of online and mobile services to people with disabilities);
  • the Telephone Consumer Protection Act (covering the use of autodialers and recorded calls to communicate with consumers via telephone);
  • the Controlling the Assault of Non-solicited Pornography and Marketing Act (covering the use of email to market to consumers);
  • the Federal Arbitration Act (permitting parties to agree in advance to mandatory arbitration for many consumer and commercial disputes); and
  • US laws relating to patents, trademarks and copyright.

State statutes affecting fintech products and services often include state banking laws, including laws governing bank branching, use of video tellers and ATM/kiosk placement and usage. Most states also have statutes prohibiting certain unfair and deceptive acts and practices – these statutes are often broadly written and allow considerable latitude for interpretation by US courts. Many states also have separate laws governing the use of electronic records in connection with notarised documents and real estate records.

Under what conditions are fintech businesses subject to licensing requirements? Are there any exemptions?

Fintech businesses that are engaged in providing money transmission or exchange services or that are acting as lenders or brokers must be licensed. Typically, if the activity is otherwise regulated, the fact that it is being provided by a technology company does not avoid the need for a licence.

Are any fintech products or services prohibited in your jurisdiction?

No.

Data protection and cybersecurity

What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?

US privacy law is a complex patchwork of privacy laws and regulations addressing specific industries, communications media or marketing methods, supplemented by a backdrop of federal and state prohibitions against unfair or deceptive business practices and state laws that specifically address privacy and security of personal information. US law does not generally restrict cross-border transfers of personal data, aside from certain government and tax information.

Generally, companies that operate websites, mobile applications and other online services that collect personal information must have a privacy policy posted on the respective online service, pursuant to several state laws and guidance from the Federal Trade Commission (FTC). The privacy policy should, among other things, describe:

  • how personal information may be collected;
  • how it is used and disclosed; and
  • how individuals may access or update personal information.

It is also necessary to disclose how third parties (eg, advertising networks) may collect personal information about consumers who visit or use a company’s website, app or service.  

Sector-specific laws The United States has taken a sectoral approach to data privacy, adopting statutes or promulgating regulations in areas that it deems to be of specific concern, including:

  • financial data;
  • credit data;
  • health information;
  • telecoms data;
  • student records;
  • children’s information; and
  • email, telephone, fax and SMS marketing.

Consequently, some industries are subject to extensive regulation, while others are subject to privacy and security regulation under unfair and deceptive business practices, including the following:

  • Financial privacy – the Gramm-Leach-Bliley Act applies to financial institutions and governs the collection, use, disclosure and safeguarding of ‘non-public personal information’ belonging to consumers. The definition of ‘financial institution’ is broad and may apply to companies (ie, non-banks) offering consumers finance plans or lines of credit for personal, family or household purposes. Financial institutions subject to the act:

o must provide their customers with an annual privacy notice;

o are limited in how they may use and share non-public personal information;

o must provide adequate safeguards for non-public personal information; and

o must notify regulators and customers in the event of a data security breach.

  • Credit information – both federal and state laws require protections for, and strictly limit the use of, consumer reports (ie, credit reports and background checks). Consumer reports include any information provided, in any medium, by a consumer reporting agency that will be used for decisions related to consumer credit, employment or insurance purposes. Individuals may obtain a consumer report from a consumer reporting agency only if they have a permissible use for the data and must use adequate safeguards and properly dispose of the consumer report information. If a person takes an adverse action against a consumer because of information contained in a consumer report (ie, denies credit or employment), the person must provide the consumer with a written notice. Federal law provides consumers with a private right of action for the misuse of their consumer reports. Federal regulations also apply to business reporting data (eg, financial transactions) to consumer reporting agencies requiring such businesses to ensure the reported information is accurate and to investigate consumer disputes.

Unfair or deceptive acts or practices The FTC regulates privacy and data security under Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices in commerce. The FTC has become increasingly focused on data privacy and security legal actions against organisations for not living up to their stated privacy and security promises or for failing to adequately protect personal information.

In evaluating whether entities are engaging in unfair and deceptive trade practices, the FTC examines whether the entity has provided appropriate notice to consumers about its privacy or other practices that are in question. The FTC has found that a failure to provide appropriate notification about the information collected and/or the failure to abide by representations made in privacy policies (including those about the security of information), as well as a failure to have in place adequate security measures are unfair and deceptive trade practices.

Similar to the Federal Trade Commission Act, each state has statutes prohibiting unfair or deceptive acts or practices in commerce that are enforced by the state attorneys general. These ‘mini-Federal Trade Commission Acts’ are often used by state regulators to regulate privacy and data security.

State laws Each of the 50 US states has its own consumer privacy and protection framework. Myriad state laws address privacy-related issues, including requirements for:

  • safeguarding data;
  • storage of data;
  • privacy policies;
  • employee privacy;
  • education privacy;
  • appropriate use of social security numbers; and
  • data breach notification.

State statutes typically track the location of the data subject; therefore, even if a business does not have operations or employees in a given state, it is still likely to be subject to the privacy and data security laws in the state if it has individual customers in that state.

What cybersecurity regulations or standards apply to fintech businesses?

Entities operating in regulated industries (eg, financial, health and telecoms) are generally subject to sector-specific data security regulations.

Several states generally require all entities that hold personal information about state residents to implement data security protections for that information. Generally, these laws require businesses to:

  • implement and maintain reasonable security procedures and practices appropriate to the nature of the information;
  • protect the personal information from unauthorised:

o access;

o destruction;

o use;

o modification; or

o disclosure; and

  • securely destroy personal data.

Some states impose more specific security obligations; for example, Massachusetts’ data security regulations impose specific data security requirements and set forth minimum security standards for computer systems. Massachusetts and Nevada laws also require certain more sensitive personal information to be encrypted when transmitted wirelessly, on portable media or outside the physical or logical controls of a company. In addition, some states have adopted portions of the Payment Card Industry Data Security Standard into their data security laws and some states require entities that hold personal information to impose contractual provisions requiring service providers to protect personal information that is shared.

Data breach notification All US states and the District of Colombia, Puerto Rico, Guam and the US Virgin Islands require organisations to provide notices to consumers and in some states, to state regulators and consumer reporting agencies, in the event of a data breach. Notification triggers and exceptions vary by state. All states with breach notification laws require notice if the information breached includes a state resident’s name in combination with:

  • a social security number;
  • state identification or driver’s licence number; or
  • financial account information.

Some states include other types of personal information as a trigger (eg, health information, biometrics, login credentials, tax ID or date of birth). The timing for providing notice varies by state.

Financial crime

What anti-fraud, anti-money laundering or other financial crime regulations govern the provision of fintech products and services?

Certain aspects of anti-money laundering regulations, such as sanctions compliance and criminal liability for money laundering, apply universally to businesses and people in the United States. However, the applicability of requirements to adopt and follow an anti-money laundering programme to a fintech company with key elements such as risk assessments, know your customer, transaction monitoring, currency reporting and suspicious activity reporting is determined by an assessment of whether the company meets the definition of a ‘financial institution’ for the purposes of the Bank Secrecy Act and its implementing regulations adopted by the Treasury’s Financial Crimes Enforcement Network (FinCEN). It is often the case that activities performed by fintech firms, whether money transmission, currency exchange, prepaid access or other activities, cause them to fall within that definition.

What precautions should fintech businesses take to ensure compliance with these provisions?

The first steps would be to review the products and activities of the fintech firm to see whether it meets the definition of a financial institution for the purposes of the Bank Secrecy Act. One of the most useful tools for such a review is a funds flow diagram depicting how money moves within the firm’s products. If so, there are often regulatory exemptions, opinions and guidance issued by FinCEN, which may allow for the firm either to satisfy an exemption or to modify its products or activities in order to do so. Some states, such as New York, also seek to affirmatively apply the Bank Secrecy Act to fintech firms regulated at the state level. This can effectively obviate the utility of an exemption at the federal level as it relates to products offered or activities conducted in that state.

Consumer protection

What consumer protection laws and regulations apply to the provision of fintech products and services?

Federal consumer protection laws and regulations applicable to fintech include:

  • the Electronic Fund Transfer Act and Regulation E;
  • the Equal Credit Opportunity Act and Regulation B;
  • the Fair Credit Reporting Act and Regulation V;
  • the Expedited Funds Availability Act and Regulation CC;
  • the Truth-in-Savings Act and Regulation DD (covering deposit accounts);
  • the Truth-in-Lending Act and Regulation Z (covering consumer loans); and
  • the Graham-Leach-Bliley Act and Regulation P (covering privacy).

Other federal statutes addressing consumer protection that are not directly aimed at financial products and services, but that may significantly affect fintech, include:

  • the Electronic Signatures in Global and National Commerce Act;
  • the Americans with Disabilities Act (covering the accessibility of online and mobile services to people with disabilities);
  • the Telephone Consumer Protection Act (covering the use of autodialers and recorded calls to communicate with consumers via telephone); and
  • the Controlling the Assault of Non-solicited Pornography and Marketing Act (covering the use of email to market to consumers).

State laws addressing consumer protection often target specific products or services, and vary from state to state. Most states also have statutes prohibiting certain unfair and deceptive acts and practices – these statutes are often broadly written and allow considerable latitude for interpretation by US courts.

Compliance with consumer protection statutes or regulations may not be waived or avoided by agreement with the consumer, unless the statute or regulation specifically permits the waiver.

Competition

Does the provision of fintech products or services in your jurisdiction raise any particular competition regulatory concerns?

N/A.

Cross-border regulation

Are there any particular regulatory issues concerning the cross-border provision of fintech products and services (eg, operating jurisdiction rules and currency controls)?

Some regulatory issues concerning the cross-border provision of fintech products and services include the following:

  • The regulation of cross-border payments remains inconsistent, but no major changes occurred in 2017 (see ).
  • In 2017 digital wallets continued to emerge as a universal way to make payments.
  • The Electronic Payments Association (NACHA) proposed various modifications to its Operating Rules as relating to cross-border payments (see ).
  • In late 2016 the Consumer Financial Protection Bureau (CFPB) issued its remittance transfer rule, an amendment to Regulation E, which establishes disclosure, error resolution and other requirements for depository institutions that offer cross-border remittance transfer services. On 5 October 5 2016 the CFPB issued its final prepaid account rule, also part of Regulation E, which sets out consumer protection rules for prepaid accounts, including prepaid cards used for cross-border payments. The final rule makes several revisions to the rules governing remittance transfers in Regulation E that are intended to continue the current application of those rules to prepaid products. The effective date for the provisions of the prepaid account rule that affect the rules regarding remittances is April 2018 (see ).
  • In April 2017 the “Report to Congress on the Use of the ACH System and Other Payment Mechanisms for Remittance Transfers to Foreign Countries from the Federal Reserve” was released, which documented the state of the regulatory environment for cross-border payments (see ).

Click here to view full article.