When Regulations Meet Fintech – Regtech is Born

Small startup companies driving the pace of innovation in the financial services sector have commonly characterised the fintech landscape. However, the incumbents are no longer sitting on the sidelines.

Legacy systems are still very much in use and have not been fully disintermediated.¹  These incumbents – in order to keep pace with the new, more consumer-centric²innovations pushed into the market by disruptors – are expanding their own investment and transformation initiatives. In recent years there has also been an upswing in partnerships with, and outright acquisitions of, fintech startups.³

With national regulators now fully alerted to these new developments, they are clambering to understand the space and provide forward-looking regulatory reforms on fintech compliance. The last three years has seen a plethora of regulatory changes in all major financial markets – largely to keep pace with the fintech evolutions and disruptions taking place in their regions. This changing environment further accentuates the opportunity for new and old companies, big and small, to seize a piece of this rapidly growing pie!

What is fintech?

Fintech, a portmanteau of “Financial Technology”⁴, describes an emerging financial sector focused on the innovative application of technology to design and deliver financial services and products. It’s a broad definition that includes a wide range of innovative technologies (e.g. mobile, P2P, API, AI, blockchain) applied to multiple spheres of financial services (e.g. payments, lending, wealth management, advisory).⁵

Financial services have been innovating and evolving for centuries. From clay tablet promissory notes used in ancient Babylon to Collateralised Debt Obligations (CDO’s) that many hail as a key contributing factor in the 2008 financial crisis. It is also not the first time that ‘technology’ is used as the driver of financial innovation. The abacus was used thousands of years ago and the ATM changed the face of consumer banking in the late 60’s and early 70’s. Financial services and technology have always intersected and evolved. In the past 10 years however, fintech has become not just a buzzword but also a multi-billion dollar industry – why?  Schindler.⁶ ascribes fintech’s meteoric rise as a result of two key factors.

Firstly, changes in the supply and demand of financial products, driven by changes in regulatory, technological and macroeconomic conditions. The financial crisis, for example, introduced new rules that made existing financial products less attractive. Technological advancements are allowing alternative solutions to be more easily developed.  At the same time, the world (specifically younger generations) has lost faith in the banking sector.

Secondly, Schindler describes the depth of innovation brought about by fintech solutions as being “genuine” and “foundational”.⁷ In other words, these are not just digitisations of legacy systems, but often involve a totally new approach to solving problems by delivering new technologically driven solutions that were not available until now.

What is the role of regulation?

New innovative technologies are driving fundamental changes in the financial ecosystem. As with any new idea, there is the potential for things to go wrong – inadvertently as well as intentionally – and this is what drives the need for regulatory oversight. Road safety laws, which were created in response to the first motor cars, have resulted in an normative expectation and a sense of safety when using the roads. In the same way, regulators in the financial ecosystem play an important role in establishing safety and trust in the financial system, and the products and players that are active in that system, in an effort to maximise opportunities and ensure fintech compliance.

Financial regulators have four main goals: to establish a trusted marketplace; to ensure that markets run fairly and effectively; to ensure the solvency of financial institutions and protection of consumer assets; and to protect consumers and investors though business conduct legislation.⁸

In the fintech space however, regulatory authorities are struggling to keep up with the rapid pace of technological disruption. Fintech regulation is traditionally targeted at institutional players (banks, insurance companies, asset managers, etc.) and mostly predates the fast-paced technological development synonymous with fintech startups. Most fintech startups are also not full-fledged financial services providers and, as such, fintech compliance can be far easier as they are not subject to all the same regulations that govern the established players.⁹

Regulators must play a careful balancing act to find a goldilocks zone between stability and efficiency.¹⁰ Over-regulating will stifle innovation, but a lack of regulation can lead to uncertainty, damages and missed opportunities. How then does one limit the risks that new technologies bring (cyber attacks, money-laundering terrorist financing, etc.) without completely stifling innovation through over enforcement of fintech compliance?

Finding the Goldilocks zone

Regulators around the world are choosing a number of different approaches to designing fintech regulation. Some have adopted a “wait-and-see”¹¹ approach, allowing innovation to progress while constantly measuring its impact, and only stepping in when needed. Others seek to actively partner with the disruptors in fintech sandboxprogrammes¹² in order to establish a clear and structured regulatory framework for fintech compliance. Then there are those who enforce outright bans, like in the case of cryptocurrencies in Bolivia, and Bangladesh.¹³

When designing regulation for fintech compliance, there are fundamentally two schools of thought – rules based vs. principles based.¹⁴ Rules-based fintech regulationattempts to set clear fintech laws that govern an entity’s behaviour.¹⁵ It is prescriptive and seeks to provide clear guidelines¹⁶, but is also often viewed as being excessively restrictive and costly to comply with. On the other hand, the principles-based approach aims to provide general standards that describe a desired outcome.¹⁷

In reality most jurisdictions have elements of both extremes of this continuum – the goal is to find the sweet spot. As Burgemeestre, Hulstijn and Tan states¹⁸, “Rules may become more principle-like through the addition of qualifications and exceptions , whereas principles may become more rule-like by the addition of best-practices and requirements”

Rules may become more principle-like through the addition of qualifications and exceptions, whereas principles may become more rule-like by the addition of best practices and requirements

Burgemeestre, Hulstijn and Tan

The approach and positioning of the presiding regulatory authority, along the rules-based vs principles-based continuum, impacts the ability of market players to innovate, develop, and test new ideas without losing fintech compliance.¹⁹

Navigating regulatory waters

Given the disruptive nature of fintech solutions, simultaneous compliance to multiple regulatory bodies is often required to regulate fintech compliance. In a Wall Street Journal article Bruce Wallace, chief digital officer of SCB Financial Group, mentioned that often the biggest problem for startups is finding out which regulatory agencies govern them. He mentions that [in the USA] “in addition to the Federal Reserve, you have the Consumer Financial Protection Bureau, the Financial Industry Regulatory Authority , Securities and Exchange Commission, Office of the Controller of Currency, Federal Deposit Insurance Corp., Financial Crimes Enforcement Network, etc. along with the 50 state regulators.”²⁰

Beyond fintech regulation, there are also cybersecurity fintech laws and data protection standards to abide by. The World Bank reports that cyber attacks on the financial sector are increasing and that authorities are responding by improving security measures.²¹ Some regions (like New York) necessitate the appointment of an Information Security Officer as part of an organisation’s fintech compliance to ensure a that a secure process is adopted and risk assessments are conducted.²² Other regions require that financial institutions develop an ICT strategy and risk management frameworks to mitigate risk and exposure in the event of a data breach.²³

To compound the issue further, this complex regulatory minefield often has to be navigated by a small team sans the army of compliance officers traditional financial institutions frequently field.²⁴ The potential make-or-break nature of non-compliance penalties, and the different regulatory approaches taken by fintech lawmakers around the world have resulted in many startups carefully considering their options before selecting a regulatory jurisdiction.

Choosing the right regulatory environment

Factors like business competitiveness, governance principles, intellectual property protection, the tax regime, access to human talent and high quality infrastructure, and quality of life all tie into the decision on where to launch a venture.²⁵ In the fintech setting, assuming that these services are generally aimed at a global audience, the decision on where to incorporate is heavily impacted by the regulatory benefits offered and limitations set by different regions. There are a number of locations being punted as “the best” place to launch a fintech startup, ranging from Beijing to Boston²⁶ but, as it ultimately boils down to the specific risks and benefits of each venture, there is no one-size-fits-all to fintech compliance.²⁷

That said, there are some key regulatory environments which are worth being aware of. The regulatory positions of the US, the UK and Singapore, as it relates to fintech, are particularly interesting.²⁸

In the US, fintech companies are regulated at the federal and state level,²⁹ with a number of states recently taking the decision to standardise their approach to fintech regulation and fintech compliance.^30. The overarching policy is to promote innovation whilst maintaining the same level of protection under the law for the public. While fintech entities are, in most cases, subject to the same fintech regulation as other traditional businesses, some state level regulators have created additional licenses for specific industries (e.g. Bit Licence in New York³¹). The US were slow to adopt a regulatory fintech sandbox, with Arizona becoming the first state to launch a regulatory sandbox in mid 2018.³² There appears to be no specific exemptions from the laws that apply to fintech entities in the USA, however legislators are looking into the creation of further licences tailored to fintech businesses (e.g. the JOBS Act that allows crowdfunding as a means to raise capital).³³ It is expected that the US government will continue partnering with the private sector to promote a innovation-friendly atmosphere in the fintech environment.

By consciously aiming to provide a regulatory environment where fintech businesses can compete and grow³⁴, the UK supports the development of new business models, innovative solutions and disruptive technologies. Stimulating financial-sector innovation, to maintain its status as a global financial center, is reportedly an even higher priority post-Brexit. Generally speaking, fintech companies in the UK are subject to the same fintech legal issues as traditional firms and will need to obtain authorisation from one of the UK’s financial regulators (i.e. the Financial Conduct Authority, FCA, or the Prudential Regulation Authority, PRA).³⁵ The FCA seeks to work with new organisations to remove regulatory hurdles where possible. The FCA also runs a fintech sandbox programme – called Project Innovate³⁶ – that launched in May 2016. This facility allows companies to test products and services in a controlled environment, reduces time to market, supports and identifies consumer protection safeguards, and allows better access to financing.³⁷ There are a number of exemptions for fintech companies.³⁸ and these are primarily provided for under the fintech sandbox programme.³⁹ As one of the global financial capitals, the UK was one of the first regulators to implement fintech-specific policy initiatives, but the rest of the world is quickly closing the gap.

By consciously aiming to provide a regulatory environment where fintech businesses can compete and grow, the UK supports the development of new business models, innovative solutions and disruptive technologies.

In Singapore, the financial authority MAS (Monetary Authority of Singapore) is the primary regulator of fintech businesses ⁴⁰, is an avid promoter of fintech initiatives, and oversees all fintech compliance and fintech legal issues. The MAS has indicated that their stance is that fintech regulation should follow innovation and not dictate it.⁴¹ The goal is to balance the risks of new technologies by developing new fintech regulations as specific risks become significant.⁴² Given that fintech entities may be engaged in a wide range of activities, additional regulatory oversight will depend on the specific activities in which the fintech company participates. For example, securities crowdfunding is regulated under the Securities and Futures Act, cross-border remittances are regulated under the Money-Changing and Remittance business Act, and businesses that are active in the lending space have to comply with the Moneylenders Act.⁴³

The MAS also runs a regulatory fintech sandbox⁴⁴ with the aim of encouraging fintech experimentation and is working with the disruptors to develop the necessary licensing requirements, specific to the activities of the business. The fintech sandbox allows participants to access a controlled environment, consisting of a limited number of people, in order to test their ideas in a more relaxed regulatory setting where the authorities have oversight.⁴⁵ This testing period allows for risks arising from the disruptive solution to be assessed and mitigated.  

Navigating the near-future of fintech

Traditionally fintech companies have maintained that they are not financial institutions – that they are instead technology firms disrupting traditional financial institutions. A not-so-subtle difference to attempt to evade the worst of fintech compliance issues. This has allowed them some safeguard from the regulatory requirements placed on banks and other financial services (like insurance and wealth management). However, the fintech future might see the definitions of fintechs and banks align more closely.

A number of tech companies are considering obtaining bank charters that will grant them broader access to the market while limiting the individual regulatory requirements across different regions of operation.⁴⁶ On the other side, to address the increasingly consumer-centric demands, banks are increasingly starting to partner with and buy up fintech companies to acquire access to the disruptive technologies developed by these startups.⁴⁷

Other key developments include the proliferation of “Open Banking”, a global trend in banking regulation with a focus on security, innovation and competition.⁴⁸ In January 2018 the EU’s Second Payment Services Directive (PSD2) came into effect and permanently changed the nature of retail banking and Fintech compliance in general.⁴⁹ The aim of the open banking initiative is to accelerate digital innovation and to create seamless customer experiences.⁵⁰ The fintech regulation requires that banks grant automated access to customer accounts for qualified third parties – this levels the playing field somewhat and will allow smaller fintech companies to compete more directly with larger banking institutions. ⁵¹

Similarly, data protection has recently become a hot-button topic with the EU’s GDPR (General Data Protection Regulation) coming into effect – legislation which not only applies to EU organisations, but to any entity that does business in Europe.⁵² According to the official GDPR website, the body of legislation is designed to enforce stronger rules on data protection to give people more control over their personal data, and to benefit businesses by providing a more level playing field.⁵³ Non-compliance with GDPR will result in hefty fines of up to 4% of global turnover!⁵⁴

Ultimately, these new standards will bring significant changes to the consumer banking space – additional regulatory considerations, increased pressure on traditional players’ margins due to increased competition, and more control for citizens over their digital identities.

A new frontier

The broader challenges associated with fintech regulation and compliance are also being tackled with new disruptive tech solutions. Constantly evolving regulation, along with the increasing demand for reporting and data oversight, has created a demand for alternative fintech compliance solutions, and a number of tech startups have already stepped up to tackle this problem.⁵⁵ Hailed by some as “the new fintech”⁵⁶, this budding industry is promising to deliver advanced solutions to the challenging task of compliance within the financial services industry.

The cost of fintech compliance has traditionally been high and is continually rising. ⁵⁷ The cost of non-compliance is even greater, with ever-increasing penalties enforced by authorities. Regtech solutions aim to address these rising costs by engineering alternative, more efficient means of providing oversight. Regtech solutions are commonly data acquisitive and often make use of real time data, through the use of advanced algorithms and analytics, to develop new approaches to compliance checks.⁵⁸

Similar to fintech, regtech is open-ended in nature. The Deloitte report, RegTech Universe, identifies over 240 active RegTech companies across multiple spheres of activity, ranging from regulatory reporting and risk management, to identity control, compliance, and transaction monitoring.⁵⁹ Tech solutions can be effectively leveraged to facilitate the development of a secure and trusted financial services environment; however, governance needs to be strengthened, through the development of rules and standards, to ensure that this data and these services are secure and safe to use. Furthermore, legal principles have to be updated to clarify individual rights and obligations in this new global financial landscape. ⁶⁰

As with all of fintech, regtech is in a state of rapid evolution, disruption, and fundamental change. Many of the regulatory principles that got us here are simply too slow and costly to sustain us into the fintech future. As regulations evolve to match the changing landscape, many of the fundamental rules governing the financial industry will need to be reviewed, altered, or outright changed. Informed and forward-looking fintech businesses and employees will find opportunities to leverage these changing rules to address old problems, in new markets, in fundamentally new ways.