I OVERVIEW

Fintech covers a wide swathe of activities and businesses in the United States, but the common feature is the use of new technology to innovate the delivery of financial services to customers or to make the way financial services are processed more efficient and swift.

The US government and regulators are still in the process of determining how fintech activities and firms should be regulated, which is playing out on both the federal and state levels. While the US government and regulators are broadly supportive of fintech companies, there are currently few dispensations or programmes for fintech firms, and, if anything, fintech firms and activities have been subject to similar regulation and enforcement actions as traditional financial services companies, such as anti-money laundering regulations and anti-fraud and anti-manipulation laws and regulations.

Among the federal regulators, some or all of the US Securities and Exchange Commission (SEC), the Commodities Futures Trading Commission (CFTC), and the banking regulators, including the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation, have input into and have laid claim to license and regulate various fintech activities and firms. At the state level, the state regulators of financial services, including the New York Department of Financial Services, and the state attorneys general, have also voiced their expectations and concerns about fintech developments and regulation. In the meantime, regulated financial institutions, such as banks, that partner with fintech companies, are subject to existing regulations that limit their investments and subject their arrangements to regulatory scrutiny.

We expect continued developments on the issue of regulation and jurisdiction as the policymakers, regulators and the courts grapple with these issues. For example, the US Department of the Treasury has assembled a working group involving the SEC, the CFTC, the Board of Governors of the Federal Reserve System (Federal Reserve Board), and the Financial Crimes Enforcement Network (FinCEN), a bureau of the US Department of Treasury, to discuss jurisdiction over cryptocurrencies among the agencies, and to understand where gaps exist and whether a new regulatory scheme is warranted. That working group could make recommendations that would influence regulation in this area.

ii REGULATION

i Licensing and marketing

Fintech businesses in the United States are not subject to a fintech-specific regulatory framework by any single federal or state regulator. Rather, depending on the activities of a fintech company, that fintech company may be subject to myriad federal and state laws and regulations, including licensing or registration requirements.

The number and complexity of potentially applicable US regulations to any single fintech firm has drawn some criticism as a potential barrier to entry and hindrance to growth of US fintech. As regulators work to develop regulations that govern the fintech space, there is also uncertainty as to precisely how the US regulation of fintech will evolve and the degree to which fintech companies will receive government support and collaboration as the industry develops.

Many fintech companies find that offering their services throughout the United States requires licensing and registration with multiple state regulators, subjecting such fintech companies to regulation and supervision by the laws and regulations of each such regulator. The types of licences that may be required at the state level include consumer lending, money transmission and virtual currency licences. Depending on the number of states and licences that are required to be obtained, a fintech company may find the compliance burden to be extensive as each state has its own distinct set of rules and regulations. There is currently a money services business licensing agreement between regulators in seven states, coordinated through the Conference of State Bank Supervisors, which standardises the elements of the licensing process and provides for recognition of other states' reviews. There is also a CSBS model regulatory framework for state regulation of certain virtual currency activities, all of which are efforts to help overcome the challenges of licensing in 50 states.

On the federal level, the Consumer Financial Protection Bureau (CFPB) has jurisdiction over providers of financial services to consumers. Because many fintech businesses are aimed at providing services predominantly to consumers, the CFPB has the ability to enforce a range of consumer protection laws (such as consumer lending laws and anti-discrimination laws) that apply to the activities of such companies. The CFPB also has authority to enforce against the use of unfair and deceptive acts and practices generally.

To the extent that the activities of a fintech provider fall within the licensing regimes of other federal regulators, such as the SEC or the CFTC, such fintech providers will be required to register with such agencies and become subject to enforcement by the same. For example, robo-advisers, being a subset of investment advisers, may be subject to SEC registration requirements for such advisers. Finally, fintech companies may also be required to register with the US Department of Treasury's Financial Crimes Enforcement Network (FinCEN) and thus, as described below, comply with the Bank Secrecy Act and other anti-money laundering laws and regulations.

The OCC, the primary federal bank regulator for national banks, previously announced that it will provide a special purpose national bank charter to fintech companies that receive deposits, pay checks or lend money. Fintech companies that choose to apply for and receive this special purpose national bank charter will become subject to the laws, regulations, reporting requirements and ongoing supervision that apply to national banks, and will also be held to the same standards of safety and soundness, fair access, and fair treatment of customers that apply to national banks. The OCC intends that, among other things, this special purpose national charter may help level the playing field between national banks and competing fintech companies, while also protecting consumers and providing greater consumer access to fintech services. The chartering of fintech companies by the OCC has drawn some criticism from state regulators, among others, who argue that the regulation of such companies is better accomplished at the local level by regulators who may have a deeper knowledge of certain fintech industry participants and more tailored regulations. In fact, the charter has been on hold in part because of lawsuits from certain state regulators that believe that an OCC charter exceeds the agency's authority.

Regulators with jurisdiction over fintech businesses have not shied away from issuing enforcement actions where fintech businesses are conducting activities in violation of law. In recent years fintech companies have been subject to enforcement actions by regulators, including the CFPB, SEC and CFTC. Enforcement orders have been issued for, among other things, insufficient data security practices, violations of federal securities laws, including anti-fraud laws, failing to obtain requisite licences or registrations, and unfair and deceptive practices.

ii Cross-border issues

Even as financial services are increasingly provided across borders, the regulation of such financial services is still largely territorial. The regulation of financial services in the United States generally applies to firms offering services and products in the United States and to people in the United States, and so the same issues and regulations that apply to US fintech companies apply to non-US fintech services offered from abroad into the US jurisdiction. Broadly speaking, there is no passporting of regulated or licensed activities from outside the United States into the United States.

iii DIGITAL IDENTITY AND ONBOARDING

There is no generally recognised digital identity in the United States at present, and no fully digitised onboarding of clients.

IV DIGITAL MARKETS, FUNDING AND PAYMENT SERVICES

The funding for fintech initiatives can come from a variety of sources that track traditional funding for new and growing businesses, including private equity funds and hedge funds, financial institutions, corporates, family offices and high net worth individuals. Such capital raises are used to both finance the company itself, and for lending purposes, where the company is engaged in lending activities.

i Crowdfunding

Crowdfunding, which generally refers to the use of the internet by small businesses to raise capital through limited investments from a large number of investors, is permitted under SEC rules and regulations. The Jumpstart Our Business Startups Act (the JOBS Act), established provisions that allow early-stage businesses to offer and sell securities, and the SEC subsequently adopted Regulation Crowdfunding to implement these provisions of the JOBS Act. The Financial Industry Regulatory Authority (FINRA) oversees the registration of crowdfunding portals. Broker-dealers and funding portals that are registered with the SEC and are FINRA members are permitted to offer and sell securities on behalf of issuers to the investing public using crowdfunding.

ii Peer-to-peer lending

Peer-to-peer lending and crowd-lending are also permitted in the United States. Examples of peer-to-peer lending include Lending Club and Prosper. Online lending marketplaces often rely on bank partners to actually originate loans, and thereby rely on the licensing and regulation to which those banks are already subject. However, even such marketplaces are subject to a wide range of regulations, including state licensing statutes that can impose requirements relating to record keeping, servicing practices, disclosure requirements, examination requirements, surety bond and minimum net worth requirements, financial reporting requirements, change in control notification requirements, restrictions on advertising, and requirements regarding loan forms. Peer-to-peer lenders are also subject to consumer protection laws, including state usury limitations, state disclosure requirements and other substantive lending regulations, Truth in Lending Act disclosure requirements, Equal Credit Opportunity Act non-discrimination provisions, and Fair Credit Reporting Act, Fair Debt Collection Practices Act and CFPB regulations.

iii Sales, transfers and securitisations

Such loans and financings can generally be traded on a secondary market, subject to certain limitations. So, for example, securities purchased in a crowdfunding transaction generally cannot be resold for a period of one year, unless the securities are transferred to the issuer of the securities, an accredited investor, as part of an offering registered with the SEC, or to a family member of the purchaser. Loans that are originated as part of peer-to-peer marketplaces can be subject to limits on the ability to 'export' the interest rate at origination upon a sale or transfer of the loan. Transfer to securitisation vehicles is not uncommon, and is generally subject to risk retention rules that require the securitiser or sponsor of the securitisation transaction to retain at least 5 per cent of the credit risk of the securitised assets.

iv Payments services

Payments services are also subject to state licensing requirements. So, for example, states may license payment services as money transmitter businesses in the relevant states where money transmission services are provided. Such activities can also trigger registration requirements with FinCEN as a money services business. The board of governors of the Federal Reserve System has adopted Regulation E, which specified requirements for mobile banking or mobile payment transactions made via electronic fund transfers from a consumer's asset account.

V CRYPTOCURRENCIES AND INITIAL COIN OFFERINGS

There is currently no specific federal regulation of blockchain and distributed ledger technology (DLT), as the current regulatory framework consists mostly of guidance focused on the applications of such technology, such as cryptocurrency and initial coin offerings (ICOs). Many federal regulators have repeatedly spoken of the potential benefits of such technology, however, this optimism has not translated into any concrete rulemakings.

To date, almost all blockchain and DLT regulation has occurred at the state level. Some noteworthy legislation includes Delaware legalising the use of blockchain for the creation and maintenance of corporate records; Arizona amending its Electronic Transactions Act to affirm the validity of electronic signatures recorded on blockchains and permit the use of smart contracts; and Nevada banning local governments from taxing blockchain use.

Several federal and state regulators are also weighing blockchain and DLT legislation. The Commodity Futures Trading Commission's Technology Advisory Committee recently voted to recommend the formation of subcommittees on DLT and cryptocurrency. Additionally, Illinois, North Dakota and Vermont have passed bills to create task forces to determine whether financial technology and blockchain regulation is necessary, and bills have been proposed in New York and Hawaii that would follow suit.

Through its investigative report of the decentralised autonomous organisation (DAO), the SEC determined that the organisation's tokens were in fact securities, setting the precedent that issuers of digital tokens may be subject to SEC oversight and securities registration requirements. The report further states that whether or not a token is a security shall be determined on a facts-and-circumstances basis, and that the SEC will apply a multi-pronged test to determine if tokens are securities.

In the case of the DAO, the SEC found that investors had invested money in a common enterprise, had a reasonable expectation of profits from that investment and profits were derived from the managerial efforts of others. The SEC provided additional clarification in an enforcement action against Munchee Inc for its token offering, arguing that even if the tokens had a practical use when issued, they may still be securities. SEC Chairman Jay Clayton has publicly reaffirmed this stance on multiple occasions, stating that marketing coins as 'utility tokens' will not preclude them from SEC scrutiny.

Additionally, the SEC recently issued a statement warning exchanges that offer trading of digital assets that are deemed securities that they must register with the SEC as a national securities exchange or be exempt from registration requirements.

Under its 2013 guidance, the Treasury Department's Financial Crimes Enforcement Network (FinCEN) stated that those in the business of exchanging and circulating virtual currencies are money services businesses subject to Bank Secrecy Act (BSA) regulation. An individual who obtains virtual currency to purchase goods or services, however, is not subject to money service business registration, reporting and recordkeeping requirements. FinCEN has issued two enforcement actions against virtual currency businesses for violating BSA requirements since publishing the guidance.

The Treasury Department's Office of the Inspector General's Annual Plan also highlights virtual currencies as a particular area of concern as a money laundering instrument, and notes that Treasury is examining how FinCEN identifies, prioritises and addresses money laundering and terrorism risks associated with virtual currency.

Additionally, there are currently two proposals relevant to combatting virtual currency use in money laundering schemes. One would establish an independent task force to combat terrorist and illicit use of virtual currencies, while the other would expand the definition of financial institution under the BSA to include issuers of digital currencies and require a report be submitted to Congress on a strategy infrastructure needed to detect digital currencies at border crossings.

The IRS declared through Notice 2014-21 that cryptocurrencies are to be treated as 'property' and not foreign currency for US tax purposes. As a result, any taxpayer who receives cryptocurrency in exchange for goods or services when computing gross income must report the fair market value of the cryptocurrency measured in US dollars at the time of the transaction. Notice 2014-21 also states that transactions involving cryptocurrency are taxable under the general tax principles applicable to property transactions and that cryptocurrency may be held as a capital asset in the hands of taxpayers. Despite industry calls for further clarification, the IRS has not provided any subsequent guidance.

The Tax Cuts and Jobs Act of 2017 limited the scope of 1031 tax-free like-kind exchanges under the Internal Revenue Code to real property. This likely means that when cryptocurrency is traded for like-kind property, the transaction may no longer receive 1031 treatment and may thus be taxable.

There is no legislation or regulation preventing tokens from being offered to US residents by international issuers. However, international issuers of tokens often choose to exclude US residents from participating in offerings due to potential regulation. If the token is deemed a commodity under US law, an international issuer may be subject to CFTC anti-fraud and anti-manipulation regulation, along with regulations on leveraged transactions. The SEC has also made it clear that some tokens may be classified as securities subject to US securities laws, meaning if an international issuer offers a token to a US resident and the token is considered a security, the international issuer will be forced to comply with US securities, tax and anti-money laundering regulations, among others.

Regulators have taken a cautious stance towards US residents' participation in international token sales. While they have not provided any specific guidance on the matter, many have repeatedly warned market participants that regulators may be unable to obtain information from persons or entities located overseas, and that they may be unable to retrieve any lost or stolen funds.

VI OTHER NEW BUSINESS MODELS

Fintech business models are still developing, providing traditional financial services to consumers in more innovative, direct ways, and leveraging new technologies, including blockchain, for doing so. While fully automated financial services are not part of the model, and self-executing contracts and fully automated investment advisers a future possibility, fintech firms are particularly adept at using artificial intelligence and big data to make the borrowing and investing experience easier to execute online and more complete. In addition to licensing and regulatory issues that these activities raise, as discussed above, they also raise issues relating to data protection and data ownership that are only beginning to be addressed.

VII INTELLECTUAL PROPERTY AND DATA PROTECTION

Fintech endeavours may use a combination of patents, copyrights, trade secrets and trademarks to secure and protect their intellectual property rights.

Regarding patent protections, fintech companies' inventions often involve methods practised using computer technology. As such, it is important to consider the patentability of such methods. While patent protection of methods at first may appear broad, recent court decisions have narrowed it considerably. In Alice Corporation Pty. Ltd v. CLS Bank International, the Supreme Court held that certain claims in a patent were ineligible for patent protection because they constituted an abstract idea. Under United States law, abstract ideas are not patentable. Furthermore, claiming the use of a generic computer implementation failed to transform the abstract idea into patent-eligible subject matter. Thus, under Alice, methods that simply require an otherwise abstract method to be performed on a computer will not be considered patent-eligible subject matter. It is important for fintech businesses to consider this restriction when evaluating how to protect their intellectual property. Their business models, as concepts, or proprietary operations carried out by software may not be eligible for patents.

In terms of copyright, software code and certain works within software applications, such as original visual design elements and original text are protected. Copyright prohibits others from making or distributing copies a firm's software without permission. Copyright does not prohibit others from independently developing similar software.

Finally, fintech companies can protect their inventions and innovations, particularly the source code in computer programs, through trade secret law. Unlike patents and copyright, trade secrets do not expire. Since trade secrets are primarily protected by state law, there is a patchwork of different laws protecting trade secrets across the United States. However, in 2016, the Defend Trade Secrets Act created a federal cause of action for trade secret misappropriation. Fintech companies should be aware that trade secrets must be continuously guarded by them from public disclosure and do not protect against independent development by another party.

Fintech companies may also use trademarks in order to prevent others from using their names or other signifiers, such as logos, or from using names or logos that are confusingly similar. Trademarks do not protect business models or proprietary technology, but they may be valuable in establishing and protecting a brand identity or positioning a firm within a market.

i Ownership of intellectual property

Ownership rights in inventions originate in the inventor. Whether the inventions are ultimately protected by patent or trade secret, the inventor is the initial owner of such intellectual property. Similarly, ownership in copyright originates with the author of the copyrighted work, unless the copyrighted work is a work made for hire, in which case, provided certain formalities are followed, the employer or entity that commissioned the work is considered its author for purposes of copyright ownership.

Every fintech company should take steps to make sure that it owns the intellectual property created by its employees or contractors, or otherwise generated by or for its business. To do so, a firm may insert an intellectual property assignment clause into all contracts with employees and contractors. Such a clause acts as an assignment of, and requires the employee or contractor to assign, all rights to the firm in any inventions, works or other intellectual property made during the engagement or in the course of employment. This clause may also specify that any copyrightable works made by the employee or contractor during the term of engagement are, by agreement of the parties, works made for hire with the authorship attributed to the firm. Similar provisions may be included in agreements with service providers.

Such agreements with employees and independent contractors may be drafted such that the salary or payment acts as consideration for the assignment of intellectual property. Under US law, no additional compensation must be paid to inventors or authors.

In addition, in order to protect trade secrets or other proprietary information of the firm, such contracts may contain confidentiality provisions that obligate the other party to maintain the confidentiality of all proprietary information received or generated by them in the course of employment or during the engagement.

ii Privacy and data protection

In the United States, there is no national data protection law, and no single or centralised authority is charged with jurisdiction over privacy and data protection issues. Rather, the United States has taken a sectoral approach, with a variety applicable federal and state laws, and numerous federal and state agencies have authority to make and enforce rules in this area, depending on industry and context.

For fintech firms, applicable federal laws include the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the Federal Trade Commission Act (FTC Act) and the Electronic Communications Privacy Act (ECPA). Obligations under such laws vary, from obligations to provide adequate notice of a firm's data practices, to maintaining appropriate security measures for individuals' financial information, to specific requirements for the use of consumer credit reports. The rules that may apply to a firm may depend on the nature of the firm and the type of data that it handles, and may be affected by other contextual factors. (Fintech firms that maintain an online presence should also be aware of the Children's Online Privacy Protection Act, and those that interact with health data should be aware of their obligations under the Health Insurance Portability and Accountability Act.)

Similarly, numerous federal agencies have authority to enforce privacy and data protection rules, and agencies with applicable jurisdiction may vary by firm, based on the nature of the firm and the data it holds. Key federal agencies charged with responsibility in this area include the SEC, OCC, CFTC, CFPB and FTC. Most if not all of these regulators have stated that cybersecurity is a pressing and systemic concern deserving of investment and scrutiny. In addition, states' attorneys general have authority to bring suits against firms in order to enforce state privacy and data protection laws.

VIII YEAR IN REVIEW

Over the past year, the US regulators, policymakers and courts have continued to focus on the issue of how virtual currency markets should be regulated and who should regulate them.

The CFTC chairman has touted the potential for technological innovations, including blockchain and digital ledger technology, to transform the way that regulators gather information and lower operational costs for financial institutions. The regulatory challenges stem from rapid technological developments, the disintermediation of key economic actors and the high levels of technological literacy necessary for regulators to keep pace. To address these issues, the CFTC has developed policies with the certain elements in mind, including adopting an exponential growth mindset that is predicated on anticipating market developments; creating an internal fintech stakeholder in LabCFTC; becoming a quantitative regulator capable of robust data collection, automated data analytics and artificial intelligence deployment; and embracing market-based solutions, rather than applying a 'paternalistic hand on markets' to steer them in regulators' preferred direction. This reinforces the CFTC's 'do no harm' approach to fintech regulation to date.

Meanwhile, the SEC chairman has reiterated the SEC's 'facts and circumstances' position as to whether a digital asset transaction involves the offer and sale of a security and highlighted the agency's balanced regulatory approach, which 'fosters responsible innovation in this area, while also protecting investors and markets'. The SEC chairman has acknowledged market participants' requests for further dialogue on the subject of when a token offering is a security, and has said that SEC staff are currently drafting additional guidance that will further assist market participants in determining whether a digital asset is offered or sold as a security.

IX OUTLOOK AND CONCLUSIONS

As this area continues to develop, we expect to see further clarity regarding regulatory oversight over fintech-related matters.


Footnotes

1 Jordan Altman and Reena Agrawal Sahni are partners at Shearman & Sterling. The authors would like to thank Mark Elzweig, Sean Anderson and Eli Kozminsky, all associates at Shearman & Sterling, for their assistance in preparing this chapter.