The Financial Technology Law Review: USA

Overview

The US has one of the most complex financial regulatory regimes in the world. This is largely a result of the two-tiered regulatory environment, where states and the federal government both regulate financial activity. Currently, there are five primary federal financial regulators and each state also has its own financial regulator. There are overlapping, inconsistent and, occasionally, contradictory financial regulations that companies with multistate activities, including banks and fintechs, must navigate. Without the availability of options such as 'passporting' licences from one jurisdiction to another (which are available in other regions of the world, such as the European Union), thoughtful and well-staged operating and licensing strategies are critical for fintechs launching online or mobile products and services that will essentially be operating in all 50 states. In addition to the geographic regulatory complexity, federal and state regulators are focused on licensing the underlying activities that fintechs engage in, which can trigger a whole host of other regulations (and other regulators) that fintechs must address.

Regulation

i Licensing and marketing

There are few fintech-specific licences or regulations in the US at either the federal or state level. Instead, the regulatory regime that applies to a fintech company in the US depends on the activities that the fintech engages in and the products and services that it offers. Both federal and state regulators have made clear in regulations, guidance and enforcement actions that they are focused less on the channel of delivery of fintech services (e.g., online or mobile) and more on the underlying activities that a fintech engages in (e.g., payments, small-dollar lending, virtual currency).

The regulatory regime and required licensing for fintechs is complex and can touch upon several federal and state regulatory and licensing issues, and many non-US fintech companies that seek to operate in the US are often taken aback at the complexities of the US regulatory and licensing requirements. This is particularly true at the state level, where there is currently no option to obtain a licence in one state and then have that licence granted reciprocity for licensing in other states – a situation that contrasts strongly with the ability of EU countries to 'passport' certain licences from one country to another. The complex nature and somewhat lengthy process of obtaining state licences in particular has been criticised as a barrier to entry and a potential hindrance to innovation by non-bank fintech entities seeking to operate in the US.

By way of example, a fintech product such as a mobile wallet may trigger one or all of the following federal regulations, depending on its structure and the products and services offered: (1) the Electronic Funds Transfer Act (EFTA) (and corresponding Federal Reserve Board Regulation E); (2) EFTA and 'Regulation E Lite' (which applies to the issuers of 'access devices' even if they are not the issuers of the underlying payment account); (3) truth-in-billing laws (if payments are charged directly to a consumer's mobile wireless or mobile carrier account); and (4) the Bank Secrecy Act (BSA) and anti-money laundering (AML) regulations and corresponding know-your-customer (KYC) and customer identification programme requirements.

At the federal level, the Consumer Financial Protection Bureau (CFPB) has direct supervisory and regulatory authority over non-bank fintechs. The CFPB regulates non-bank fintechs that provide financial products and services directly to consumers, and has the authority to enforce several consumer protection laws, such as EFTA (and the corresponding Federal Reserve Board Regulation E) and the Truth in Lending Act (and the corresponding Federal Reserve Board Regulation Z), as well as the ability to take enforcement actions against the use of unfair, deceptive or abusive acts and practices by fintechs in marketing or providing their services. In addition, each federal functional regulator (the Federal Reserve, the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC) and the National Credit Union Administration) also has its own rules on marketing that apply to the entities it regulates (and it is important for fintechs to be aware of these because of the 'pass-through' or 'flow down' regulatory requirements discussed below). Generally, unfair, deceptive or abusive marketing practices are prohibited.

If a fintech's products, services or activities involve providing investment advice or acting as a broker or dealer of securities, in general it must be licensed and regulated by the Securities and Exchange Commission (SEC) or the Commodity Futures Trading Commission (CFTC), as applicable. Robo-advising services, which are a type of investment adviser activity, fall within this category.

Providing automated digital advisory or asset management services may constitute acting as an investment adviser. The critical inquiry as to whether the fintech entity would be deemed an investment adviser is whether, in connection with the product, the fintech will be providing advice to others regarding securities or issuing reports or analyses regarding securities.

Fintechs that engage in credit information services may be subject to the Fair Credit Reporting Act (FCRA). The FCRA regulates the collection, dissemination and use of consumer information, including consumer credit information. To the extent that the fintech is supervised by a state or federal regulator, that regulator would be in charge of assessing and enforcing compliance with the FCRA.

If a fintech qualifies as an insurance broker or underwriter, it is regulated at the state level by state insurance regulatory agencies. If a fintech makes loans, it may have to obtain state lender licences and be subject to oversight by state regulators that administer and oversee the licensing and ongoing activities of licensed entities, including consumer protection regulations.

If a fintech provides payments services, such as peer-to-peer money transmission or bill payments, and qualifies as a money services business, then it must register as a money services business with the US Department of the Treasury's Financial Crimes Enforcement Network (FinCEN), and generally must also obtain state money transmitter licences. In some instances, a fintech may mistakenly believe that registering as a money services business with FinCEN takes care of registration as a licensed money transmitter with individual states. This is absolutely not the case; an entity must comply with both federal money services business registration and reporting as well as the state-level money transmitter licensing requirements. In addition, if a fintech believes that it falls within the 'processor exemption' or 'agent of the payee' exemption contained in federal money service business registration requirements, it should be aware that recognition of these exemptions must be determined on a state-by-state basis.

To avoid the complex licensing process, many fintechs seek to partner with a financial institution as an alternative. Fintechs that partner with financial institutions to offer their products and services fall within the financial institution's obligations, and must submit to significant due diligence, monitoring and oversight by the financial institution partner. This gives rise to the concept of pass-through regulatory requirements, where a financial institution must rely on and ensure that its fintech partner, as the primary point of customer onboarding and interaction, assists the financial institution in meeting its regulatory obligations, such as BSA and AML requirements, Office of Foreign Assets Control (OFAC) screening of new customers, and Regulation E investigation and dispute resolution activities regarding consumer claims of unauthorised or fraudulent activities. In fact, the federal functional banking regulators (the Federal Reserve, the OCC, the FDIC and the National Credit Union Administration) have the authority to take enforcement actions directly against third-party fintech partners of financial institutions, as well as the authority to examine these partners. The Federal Deposit Insurance Act contains provisions addressing enforcement actions against an institution-affiliated party, which includes in its definition any 'joint venture partner, and any other person as determined by the appropriate Federal banking agency (by regulation or case-by-case) who participates in the conduct of the affairs of an insured depository institution'. There have been several joint FDIC and US Department of Justice (DOJ) investigations and enforcement actions that have included both fintechs and their financial institution partners.

A fintech that desires to operate in the US and wants to explore obtaining a financial institution charter must carefully consider whether its contemplated activities would require it to be licensed by a state or federal agency, as well as whether the costs and other burdens associated with such a licence would be prohibitive.

ii Cross-border issues

Generally, if any entity, domestic or foreign, seeks to conduct regulated activities in a US jurisdiction, it must maintain the appropriate licence or registration, even if the entity is already licensed to conduct the same or similar activities in another jurisdiction or country. As noted above, there is no 'passporting' in the US of licences or registrations into the US from a foreign jurisdiction, and there is no 'passporting' of state licences or registrations into other states (although there are ongoing efforts to streamline and harmonise state regulation). However, in the US, the concept of federal pre-emption renders inapplicable certain state requirements that may apply to the provision of financial services if those services are provided by a federally licensed and regulated financial entity.

Each jurisdiction has its own rules with respect to physical presence requirements. Generally, foreign companies may provide financial services in any US jurisdiction by registering with the appropriate regulator or, if necessary, with the Secretary of State or tax authorities of the jurisdiction. Some jurisdictions even permit their own licensed entities to maintain some or all of their substantive business operations outside the jurisdiction. For US financial institution charter applications and state money transmitter applications, there are strict criminal background checks and financial records and fingerprinting requirements for owners, major shareholders, directors and executive officers.

All US persons are required to abide by federal trade and sanctions programmes. These programmes are managed by the US Department of Treasury's OFAC. Additionally, the Committee on Foreign Investment in the US is an inter-agency committee authorised to review certain transactions involving foreign investment in the US and certain real estate transactions by foreign persons, to determine the effect of these transactions on the national security of the US.

Digital identity and onboarding

i Digital identity

There is currently no generally recognised digital identity in the US. While the US Department of Commerce National Institute of Standards and Technology (NIST) has issued technical requirements for digital identity services, the guidelines are only mandatory for the federal government and voluntary for the private sector. Nevertheless, the NIST guidelines are generally seen as setting the standard for the direction of any potential federally recognised digital identity.

The US Department of Treasury released a report in 2018 (generally referred to as the 'Fintech Report') that includes two recommendations focused on the creation of a national digital legal identity and encourages private and public sector stakeholders to leverage the NIST guidelines to develop trustworthy digital identity products and services. The Fintech Report describes digital legal identity as using electronic means to unambiguously assert and authenticate a real person's unique legal identity, and highlights two essential components of digital identity systems: identity proofing, enrolment and credentialling; and authentication. Federation is a potential third component that would allow identity to be portable. Another recommendation in the Fintech Report urges the Office of Management and Budget to fully implement the long-delayed government federated identity system. As emphasised by the Treasury, the creation of a nationwide digital legal identity framework will ultimately require close collaboration between the government and the private sector in the US.

ii Digital onboarding

Fully digitalised onboarding of clients is the method by which many digital-only fintechs have been able to achieve staggering growth in the number of customers in relatively short time frames. While digital onboarding poses numerous risks, regulators in the US acknowledge the benefits for providing access to innovative products and services. Digital onboarding again raises the concept of pass-through regulatory requirements discussed above, where fintechs must ensure specific regulatory obligations are met, namely BSA, AML and OFAC screening. Unlike the EU, where fintechs are able to rely on specific digital onboarding regulations such as the EU Anti-Money Laundering Directive, digital onboarding in the US requires compliance with the standard 'customer identification program' (CIP) and customer due diligence (CDD) requirements to ensure BSA and AML compliance – CIP requirements involve verifying the identity of customers while CDD requirements involve identifying and verifying the identities of beneficial owners of legal entity customers.

As part of a comprehensive CIP, fintechs partnering with US financial institutions to open accounts for customers must obtain the following information before opening an account: name, date of birth (for natural persons), address, identification number (e.g., a tax identification number) and a government-issued document bearing a photograph for a natural person or government-issued documentation certifying the existence of an entity. In addition to various other CIP requirements, fintechs may also be required to establish comprehensive CDD programmes (as well as enhanced due diligence programmes for higher-risk customers). Additional specific onboarding requirements vary greatly based on the underlying product or service being offered.

Digital markets, payment services and funding

Generally speaking, digital marketplaces for goods and services are not regulated as fintech companies in the US. Most marketplaces are only regulated based on their underlying goods or services. For example, Uber and Lyft are subject to the same regulations as taxis in many US jurisdictions. These digital marketplaces are generally not subject to fintech regulations because either the funds for the purchase of goods flow through a separate payments company, or the marketplaces do process payments but do so under an exemption to fintech regulation (such as 'agent of the payee') or only accept credit card payments, which do not require fintech licences in the US. However, in recent years, some of these marketplaces have chosen to register with FinCEN as money services businesses (MSBs) and obtain state money transmission licences to enable them to process a wider variety of payments.

In recent years, peer-to-peer lending, social-lending and crowd-lending have become popular alternatives to standard bank loans in the US. However, many of the consumer protection laws applicable to traditional loans may also apply to loans made via these marketplace lending platforms, including the Truth in Lending Act, the Equal Credit Opportunity Act and the Fair Debt Collection Practices Act. The regulators primarily responsible for enforcing these consumer protection laws include the CFPB and the Federal Trade Commission. Depending on the particular business model, marketplace lenders may also be regulated by the Federal Reserve, the FDIC and the OCC. In addition, marketplace lenders may be subject to state consumer protection laws, including laws prohibiting unfair, deceptive or abusive acts and practices, and may be subject to state licensing requirements to act as a lender, broker, debt collector or solicitor.

Payments services are heavily regulated in the US and are required to both register as a money services business with FinCEN and also obtain state money transmitter licences. As mentioned above, some fintechs mistakenly believe that registering as an MSB with FinCEN is sufficient to operate as a payments service in the US; that is not the case, as state-level money transmitter licences are also required. Furthermore, payments services must obtain a licence in each state in which they intend to operate because the US currently lacks a reciprocity or passporting option as in the EU. The lack of passporting or reciprocity in the US is particularly notable because obtaining all state money transmission licences is extremely burdensome, often taking years and costing hundreds of thousands of dollars. While the current US licensing regime is onerous, state regulators are taking steps towards licence reciprocity and a standardised application process.

Unlike under the EU Revised Payment Services Directive, there is no law or regulation in the US directly requiring financial institutions to share customer data with fintech entities. Although Section 1033 of the Dodd–Frank Wall Street Reform and Consumer Protection Act (the Dodd–Frank Act) requires banks and other financial service firms to make customers' financial data available to the customer in a usable form, no promulgated rules define what 'usable form' means or identify sanctions for financial institutions that limit what information they share. In October 2020, the CFPB issued an 'advance notice of proposed rulemaking' (ANPR) requesting information related to consumer access to financial records. The CFPB received numerous comments to the ANPR, which is intended to assist the CFPB with effectively developing regulations to implement Section 1033 of the Dodd–Frank Act. However, it is anticipated that the CFPB will not take further action releasing a final proposed rule until sometime in 2023.

Cryptocurrencies, initial coin offerings (ICO) and security tokens

2021 saw a remarkable increase in regulator activity regarding cryptocurrencies, stablecoins and other digital assets. The SEC increased investigations, enforcement and rule-making regarding cryptocurrencies that 'walk and talk' like a security through application of the Howey test (see below). State-level securities boards and regulators also saw an increase in enforcement activity along these same lines.

In autumn 2021, the SEC told a major cryptocurrency exchange that the agency would bring a lawsuit if the exchange launched a 'lending-against-crypto' product. While this was a disappointment to that particular exchange, the extreme volatility and price reduction in the cryptocurrency market as a whole from autumn 2021 to early 2022 has made both industry participants and regulators think hard about the regulatory and business guard rails that may need to be in place for lending against digital assets that are still subject to massive market fluctuations. States continue to enact or propose formal legislation related to digital assets or the underlying blockchain technology, with certain states adopting extensive legislative frameworks designed to attract blockchain and crypto entrepreneurs to their jurisdictions.

Three major federal functional bank regulators (the Federal Reserve, the FDIC and the OCC) announced a '2022 Interagency Crypto Sprint' that will include analysis and potential joint rule-making on issues including the following.

  1. Which activities by banks/credit unions are legal, and how should current regulated financial institutions and entities comply with existing regulations on safety and soundness and consumer protection issues?
  2. Bank capital and liquidity requirements for holding digital assets (in continued consultation with the Basel Committee on Banking Supervision), and whether to recommend risk weighting of digital assets.
  3. Whether to treat digital asset solutions the same as the product they are seeking to replicate (specifically aimed at the growth of 'decentralised finance' (DeFi), which involves blockchain and digital assets).

On 1 November 2021, the President's Working Group on Financial Markets issued its report on stablecoins, which included both analysis and recommendations for lawmakers and regulators. The report urged the US Congress to mandate that stablecoin issuers become banks subject to oversight by the Federal Reserve and the OCC, and highlighted concern about 'run on the stablecoin' scenarios. The report also recommended that digital asset wallets should be subject to oversight, including restricting digital asset wallet companies from lending stablecoins, and requiring these companies themselves to meet minimum capital requirements. The report also recommended involving the Financial Stability Oversight Council to address the risks of stablecoins, which could include designating certain stablecoin activities as 'systemically important' or putting stablecoin issuers on a watch list for engaging in activities that are likely to become systemically important.

In autumn 2021, both the US House Committee on Financial Services and the US Senate Committee on Banking, Housing and Urban Affairs held hearings on digital assets, stablecoins and more general DeFi issues, with starkly contrasting views of the nature and type of policymaking that should be considered.

Continuing the flurry of lawmaker and regulator activity in autumn 2021 into 2022, on 14 January 2022 the Federal Reserve Board issued its long-awaited central bank digital currency report entitled 'Money and Payments: The U.S. Dollar in the Age of Digital Transformation'. This report was focused on an analysis of the pros, cons and challenges of the Federal Reserve Bank issuing a central bank digital currency (CBDC). The report recognises that CBDC and privately issued stablecoins may overlap, and each may serve distinct purposes. Safety of a US CBDC should be understood within the broader context of operational risk, and the report stated that an intermediated CBDC design would appropriately leverage the private sector's innovation and frameworks, while promoting a more open market for CBDC services (and more ubiquitous acceptance).

i Digital assets as securities

Since it first published the DAO Report on 25 July 2017, the SEC has consistently applied the 75-year-old definition of an investment contract using the Howey test to determine which digital assets are securities, and most recently summarised its position in 2019 in the 'Framework for “Investment Contract” Analysis of Digital Assets' (the Digital Asset Framework). Under the Howey test, a digital asset is an investment contract and, therefore, a security, when there is the investment of money in a common enterprise with a reasonable expectation of profits to be derived predominantly from the efforts of others. The Digital Asset Framework applies the prongs of the Howey test to common characteristics of digital assets and, importantly, also acknowledges the possibility that a digital asset can evolve over time and cease to be deemed a security under certain circumstances. With the SEC's Framework heavily dependent on the facts and circumstances of each digital asset, those seeking to issue a security token or new cryptocurrency are faced with the choice of either complying with SEC registration requirements or seeking no-action relief that they are not issuing a security. To date, the SEC has only granted two such no-action letters, and the companies seeking to register their digital tokens in reliance on Regulation A have faced heightened scrutiny and questioning from regulators with only two offering statements being made effective.

In 2019, the SEC and the Financial Industry Regulatory Authority issued the 'Joint Statement on Broker-Dealer Custody of Digital Asset Securities' (the Joint Statement), in which 'digital asset' refers to any asset that is issued and transferred using distributed ledger or blockchain technology, and a 'digital asset security' is any digital asset that is also a security for purposes of the federal securities laws. The Joint Statement discussed the application of digital asset securities to the SEC's Customer Protection Rule, which, among other things, requires broker-dealers to hold customers' securities at a 'good control location', which is typically a third-party custodian such as a trust company. The Customer Protection Rule deems banks a good control location; however, FDIC-insured banks are currently restricted from providing custody for digital asset securities.

ii Digital assets as virtual currencies

In 2013, FinCEN issued interpretive guidance clarifying its position that the BSA applies to persons creating, obtaining, distributing, exchanging, accepting or transmitting virtual currencies. FinCEN classifies these individuals as exchangers or administrators of virtual currencies, which are treated as money transmitters required to register as MSBs. Money transmitters are required to comply with the BSA obligations that apply to MSBs, including: registering with FinCEN; developing, implementing and maintaining effective AML and KYC programmes; filing suspicious activity reports and currency transaction reports; and maintaining certain other records. In the years since its initial 2013 guidance, FinCEN has issued numerous civil money penalties against cryptocurrency and digital asset enterprises for violation of the BSA.

The Internal Revenue Service (IRS) issued the agency's first crypto-related guidance in 2014, formally defining a virtual currency as 'a digital representation of value that functions as a medium of exchange, a unit of account, and/or a store of value'. According to the IRS, Bitcoin is a convertible virtual currency because it can be digitally traded between users and can be purchased for, or exchanged into, US dollars, euros and other real or virtual currencies. The IRS treats virtual currencies as property and applies the general tax principles applicable to property transactions to transactions using virtual currency. This means that a taxpayer must recognise capital gain or loss on every sale or exchange of a virtual currency.

Since 2015, the CFTC has exerted regulatory control over virtual currencies as commodities under the Commodity Exchange Act that can be purchased on the cash or spot market or through ICOs. The CFTC exercises its general anti-fraud and manipulation enforcement authority over virtual currencies under the authority of the Commodity Exchange Act. Federal courts have upheld the CFTC's interpretation that virtual currencies are commodities within its regulatory jurisdiction.

The DOJ released a comprehensive report produced by the Attorney General's Cyber Digital Task Force, titled 'Cryptocurrency: Enforcement Framework', in October 2020. This report outlined a variety of criminal and national security threats that cryptocurrency is deemed to play a role in. In October 2021, the DOJ created and launched the National Cryptocurrency Enforcement Team (NCET) to spearhead complex investigations and prosecutions of criminal misuses of cryptocurrency and to recover the illicit proceeds of crimes facilitated by cryptocurrency. The DOJ stated that the purpose of the NCET is to 'tackle complex investigations and prosecutions of criminal misuses of cryptocurrency, particularly crimes committed by virtual currency exchanges, mixing and tumbling services and money laundering infrastructure actors'. The NCET seeks to continue the DOJ's recent successes in seizing and returning cryptocurrency paid in organised ransomware attacks, including the high-profile arrest (and arguably a future Netflix true crime documentary) of a US married couple who allegedly attempted to launder US$3.6 billion in Bitcoin lost to Bitfinex hackers in 2016, some of which was allegedly used to buy gift cards and non-fungible tokens. It is clear from the volume of lawmaker and regulatory activity in 2021 that states and the federal government will continue to develop rules and regulations as the digital asset industry matures. Federal agencies will issue new and revised rules during the course of 2022 through their own rule-making initiatives (such as the Interagency Crypto Sprint) and as their understanding of cryptocurrency, security tokens, stablecoins, DeFi and blockchain technology evolves. The SEC and the CFTC may also turn to Congress to request expanded powers to account for the vast changes occurring in the industries they regulate.

It remains to be seen what policy initiatives and action may arise from the Federal Reserve's CBDC report, but the US does not want to fall behind globally with regard to CBDCs. Eighty-seven countries (representing over 90 per cent of global GDP) are exploring CBDCs; in May 2020, only 35 countries were considering a CBDC. Of the jurisdictions with the four largest central banks (the US, the EU, Japan and the UK), the US is arguably furthest behind.

A final important development that may influence the nature and type of digital asset regulations in the US is how well (or poorly) cryptocurrency exchanges can comply with the Department of Treasury's Crypto Rules for Russia Sanctions. Many may look to the ability for crypto exchanges to comply with OFAC restrictions on specially designated individuals and countries, including the speed of implementation of large OFAC and sanctions changes, as a bellwether of how mature the compliance regimes are for cryptocurrency exchanges and the digital asset industry as a whole.

Other new business models

i Self-executing 'smart' contracts

Self-executing contracts, or 'smart' contracts, are subject to general contract law and are legally permissible provided the particular contract satisfies the elements of a standard contract under US law. The enforceability and interpretation of contracts is generally a matter of state law in the US. Several states have enacted statutes aimed at ensuring smart contracts are granted the same legal validity as standard contracts, but there has yet to be any case law interpreting smart contracts in a commercial, or any, scenario. While smart contracts are technically permitted, the specific legal framework will depend on a variety of factors, such as the subject matter of the contract, and significant uncertainty remains around how smart contracts will ultimately be interpreted by courts. Until a consistent legal framework is developed, parties wishing for a smart contract to be interpreted as intended would be well advised to enter into a corresponding standard textual contract that courts can more easily understand in evaluating the enforceability of the smart contract counterpart.

ii Artificial intelligence in financial products

The CFPB has publicly supported the use of artificial intelligence (AI) and machine learning in financial products and services. AI has already been deployed by financial institutions through the use of regulatory technology products for BSA/AML compliance and OFAC screening, and is increasingly being used in lending and credit underwriting analysis and decisions. As it currently stands, financial products and services leveraging AI are subject to the existing regulatory framework of the underlying product or service. Nearly all of the federal financial regulators have launched an office or programme aimed at financial technology innovation and facilitating adoption of beneficial AI and related technologies in the financial sector. Two questions are central to the regulatory issues surrounding the use and deployment of AI in financial services, and to regulators' reviews of AI in heavily regulated areas such as credit scoring and underwriting for lending: how companies can explain the methodology and operation of the algorithm underlying the AI product, and how the financial institution can provide regulators with a black-box test version of its AI without compromising the underlying intellectual property (IP) and proprietary elements of the AI algorithm or process.

Intellectual property and data protection

i Intellectual property, technology and data ownership issues

When developing their products and technologies, fintech companies may believe that they have created a new and novel process or computer technology that could rise to the level of a patentable invention. The challenge of patenting financial services technology in the current environment is that court decisions over the past several years have narrowed the type of technology that is eligible for patenting. In 2014, the US Supreme Court issued what is commonly referred to as the Alice decision,2 which set forth a two-step eligibility test. If an invention is directed to a patent-ineligible abstract idea under the first step, the second step determines whether the patent's claim (which places the public on notice of the scope of the patentee's right to exclude) recites elements that transform the abstract idea into a patent-eligible invention. Courts have generally applied this test to hold that the mere use of commercially available computing devices and software to implement an abstract concept is ineligible for patent protection. While it is difficult to predict with certainty whether an invention may be patent eligible, fintechs should confer with patent counsel to obtain guidance that will allow a well-informed decision to be made. Fintechs should be aware that business models or proprietary operations carried out by standard software may not be enough to support a patent.

Fintechs should consider taking steps to protect their developed technologies through copyright. Copyright protection extends to software code and certain works within software applications (such as user interfaces and original text or content). More precisely, copyright protection extends to the source code, as the expression of the idea underlying the software, whereas the idea itself, or the function of the software, is not eligible for copyright protection. For this reason, copyright protects against copying or use of the source code but does not prevent third parties from writing different source code that replicates the functionality of a fintech's software. If a fintech company is going to develop software utilising third-party software, the associated licence grants and restrictions from the licensing third party must be taken into account. In addition, if the third-party software involves open-source software, and the fintech's development consists of a 'derived work' resulting from a modification to that existing open-source software, it is possible that a 'copyleft licence' governing the open-source software may contain an obligation to distribute the derivative software under the same open-source licence, disclosing and making the source code available to the public.

As an alternative to obtaining a patent, a fintech may be able to maintain confidential information that provides an economic advantage over competitors as a trade secret. Trade secret law provides an avenue for obtaining protection for economically valuable information such as a formula or algorithm. Trade secret protection presents its own set of challenges. If a trade secret holder fails to maintain secrecy or if the information is independently discovered, becomes released or otherwise becomes generally known, protection as a trade secret can be lost. For those reasons, it is important to enter into appropriate contractual arrangements that provide for the protection of trade secrets, including non-disclosure agreements and also specific contractual language such as IP and proprietary ownership and confidentiality provisions.

Finally, the fintech company will also want to take additional measures to preserve IP rights in distinctive names and other signifiers, such as logos, brand names and domain names, to preserve brand awareness and guard against potential confusion. Registration of trademarks, design logos, brand names and domain names can prevent others from using marks that are confusingly similar to the fintech company's, helping to protect name and brand identity as well as position and recognition in the marketplace.

The fintech company should develop and deploy a comprehensive strategy for IP development and ownership from product development through product launch and scale. First, the fintech company should ensure that its agreements with employees and independent contractors who may be performing development work contain 'work made for hire' or similar contractual language establishing that: (1) the fintech owns all IP developed for it; (2) the employee or independent contractor acknowledges that inventions, works or other IP made or created by the employee or independent contractor during the term of employment or engagement are owned by the fintech; and (3) the employee or independent contractor will take all necessary steps and complete any required documentation to assign those IP rights to the fintech. This will ensure that the fintech owns all of its IP, whether or not it chooses to explore any or all of the IP protection strategies described above.

With regard to third-party service provider agreements that the fintech may enter into for development or operation of the fintech services (such as hosting agreements, software-as-a-service agreements and agreements for identity verification services), the fintech will want to make sure that it is preserving its IP rights while also acknowledging and recognising the rights of the third-party licensor of the software or services. For example, the fintech may grant a limited licence to a software or service provider to use anonymised and aggregated data (incapable of being reassociated with an individual) so that the service provider can monitor its service performance, fix bugs or offer new products or services to the fintech. The fintech will want to establish via contract that it owns all of its own and its customers' data, and may want to limit or prohibit the extent to which the service provider can use the fintech's information or data to sell new or improved products or services to others. The fintech will also want to prohibit a third-party service provider from selling any of the fintech's or its customers' data to third parties (this prohibition and the related analysis tie into the privacy and data security issues discussed below).

Finally, in customer-facing agreements, fintech providers will want to include robust provisions for confidentiality, IP ownership and end-user terms of licensing and use (including allowed and prohibited activities under the licence) and may also want to disclaim all warranties of non-infringement or disclaim any liability or indemnification for third-party claims of infringement. In addition, the customer-facing agreements are also the appropriate place to obtain consumer or business-end customer consent for data collection, data usage by the fintech and specific permission to use fintech customer information in product improvement or data monetisation initiatives (all subject to the privacy and data security laws, rules and regulations highlighted below).

ii Privacy and data protection

In the US, there is no overarching privacy law that applies broadly to all businesses. Rather, the Gramm-Leach-Bliley Act (GLB) is the primary federal privacy law that regulates the activities of fintech firms. The GLB applies to the use and disclosure of any non-public personal information (NPI) by a financial institution. NPI includes any personally identifiable financial information that either: (1) is provided by a consumer to a financial institution; (2) results from a transaction or service with the financial institution; or (3) is otherwise obtained by the financial institution. The term 'financial institution' is broadly defined to include any entity that is significantly engaged in financial activities such as lending funds, servicing loans or transferring money. The GLB is implemented by two distinct rules: (1) the Privacy Rule, which requires financial institutions to provide privacy notices to their consumers and customers and offer them an opportunity to opt out of certain disclosures of their NPI; and (2) the Safeguards Rule, which requires financial institutions to ensure the security and confidentiality of NPI through the development of a written information security programme. A wide variety of federal regulatory agencies have rule-making and enforcement authority over financial institutions (and that can result in pass-through regulatory requirements to financial institution fintech partners), but fintech firms themselves would most likely be directly regulated by either the Federal Trade Commission or the CFPB with regard to privacy and data protection.

On top of the GLB, several other important federal and state laws and regulations for fintech firms to bear in mind and comply with include:

  1. the federal FCRA, which regulates the use and disclosure of consumer reports, and defines what activities will trigger a fintech to be deemed a 'consumer reporting agency' under the law;
  2. the federal Red Flags Rule, which requires financial institutions and creditors to develop, implement and update a written identity theft prevention programme to detect and respond to red flags that might indicate identity theft;
  3. the federal Affiliate Marketing Rule, which limits the sharing of certain information among affiliated entities for marketing purposes;
  4. if the fintech will be interacting with children, the federal Children's Online Privacy Protection Act, provisions of the California Consumer Privacy Act that apply to opt-in requirements for sale of data for children aged 13–16 (and parental opt-in consent for children 13 years and younger) and other California and additional state privacy laws that apply to children under the age of 18; and
  5. the federal Health Insurance Portability and Accountability Act (if the fintech will be interacting with healthcare data).

In addition to laws that are straightforward in their applicability, other federal and state privacy and data protection laws may be triggered based on the type of security processes, procedures and tools fintechs deploy in their product offerings. For example, a fintech that utilises biometric recognition or verification tools through a mobile device must comply with state-specific laws on biometric identification and information. The number of biometric privacy class actions has increased in recent years, with the decades-old Illinois Biometric Information Privacy Act (BIPA) continuing to pose the greatest concern to companies. While BIPA remains the only biometrics legislation to date in the US that provides for a private right of action, five other states (Texas, Washington, California, New York and Arkansas) have now passed their own biometric statutes or expanded existing laws to include biometric identifiers. These five states, however, either do not address the private right of action or expressly allow enforcement by the state attorneys general. Other states are also in the process of proposing their own state-specific biometric privacy statutes.

Year in review

The year 2021 saw an incredible amount of investment in fintech and a rapidly increasing number of fintech companies across many discrete areas, including payments/neo-banking, lending and digital assets, with lawmakers and regulators paying much closer attention. If a major takeaway of 2020 was that covid social distancing measures created a sea change in the acceleration of the digitalisation of financial services for a variety of reasons, 2021 was marked by that acceleration going even faster, but with regulators paying much closer attention and developing new regulatory initiatives to keep pace. 2022 will most likely see greater regulatory scrutiny on a variety of fintech-related areas, including bank–fintech partnerships and digital assets. As a result of this, and all of the regulatory initiatives and trends discussed above, we expect to see quite a bit of rule-making and guidance in the next 12–24 months. On the business side, the nature of fintech products and services, and the movement to have multiple fintechs plugging into broader 'reseller platform' models, continues to add complexity to the functionality and features of fintech products and services, as does establishing who the fintech's back-end service providers and front-end distribution channel partners are. Platforms interacting with platforms is much more like coordination among cruise ships than coordination among speedboats, and there are complex business and legal challenges in these types of arrangements and partnerships.

Outlook and conclusions

As highlighted in last year's edition, the Biden administration has sought to foster responsible innovation in fintech, but has placed a heightened focus on consumer protection and systemic risk issues. While it is important that the US continues to provide an environment to encourage financial innovation, it must be done in a way that does not leave those who are most vulnerable behind.

It is important to highlight that while federal and state financial regulators continue to be generally supportive of financial innovation, they are definitely more active and engaged, which means that more rules, regulations and guidance will be forthcoming in the near future. Companies that have been operating without much regulatory concern or attention should start paying closer attention now. Fintechs that have as their main focus helping businesses and consumers gain access to better financial products and services, and creating user-friendly products and services that are 'compliant by design', will likely continue to receive favourable regulatory treatment, provided they actively work with the appropriate regulators and stay attuned to the shifting regulatory environment.

Footnotes

1 Erin Fonté and Scott Kimpel are partners, and Carleton Goss is counsel, at Hunton Andrews Kurth LLP. The authors wish to thank Mayme Donohue for her contributions to this chapter.

2 Alice Corp Pty Ltd v. CLS Bank International.
