The Financial Technology Law Review: USA


Most experts acknowledge that the United States has one of the most complex financial regulatory regimes in the world. This is largely a result of the two-tiered regulatory environment, where states and the federal government both regulate financial activity. Currently, there are five primary federal financial regulators and each state also has its own financial regulator. There are overlapping, inconsistent and, occasionally, contradictory financial regulations that companies with multistate activities, including banks and fintechs, must navigate. Without the availability of options such as 'passporting' licences from one jurisdiction to another (which are available in other regions of the world like the European Union), thoughtful and well-staged operating and licensing strategies for fintechs launching online or mobile products and services that will essentially be operating in all 50 states is critical. In addition to the geographic regulatory complexity, federal and state regulators are focused on licensing the underlying activities that fintechs engage in, which can trigger a whole host of other regulations (and other regulators) that fintechs must address. While federal and state regulators are committed and have been moving over the last several years towards harmonising inconsistent and sometimes conflicting regulations, in the near term, regulatory challenges will continue to exist in the United States.


i Licensing and marketing

There are few fintech-specific licences or regulations in the United States at either the federal or state level. Instead, the regulatory regime that applies to a fintech company in the United States depends on the activities that the fintech engages in and the products and services that it offers. Both federal and state regulators have made clear in regulations, guidance and enforcement actions that they are focused less on the channel of delivery of fintech services (e.g., online or mobile) and more on the underlying activities that a fintech engages in (e.g., payments, small-dollar lending, virtual currency).

The regulatory regime and required licensing for fintechs is complex and can touch upon several federal and state regulatory and licensing issues, and many non-US fintech companies that seek to operate in the United States are often taken aback at the complexities of the US regulatory and licensing requirements. This is particularly true at the state level, where there currently is no option to obtain a licence in one state and then have that licence granted reciprocity for licensing in other states – a situation that contrasts strongly with the ability of European Union (EU) countries to 'passport' certain licences in from one country to another. The complex nature and somewhat lengthy process of obtaining state licences in particular has been criticised as a barrier to entry and potential hindrance to innovation by non-bank fintech entities seeking to operate in the United States.

By way of example, a fintech product such as a mobile wallet may trigger one or all of the following federal regulations, depending on its structure and the products and services offered: (1) Electronic Funds Transfer Act (EFTA) (and corresponding Federal Reserve Board Regulation E); (2) EFTA and 'Regulation E Lite' (which applies to the issuers of 'access devices' even if they are not the issuers of the underlying payment account); (3) truth-in-billing laws (if payments are charged directly to a consumer's mobile wireless or mobile carrier account); and (4) Bank Secrecy Act (BSA) and anti-money laundering (AML) regulations and corresponding know-your-customer (KYC) and customer identification programme requirements.

At the federal level, the only agency that has direct supervisory and regulatory authority over non-bank fintechs is the Consumer Financial Protection Bureau (CFPB). The CFPB regulates non-bank fintechs that provide financial products and services directly to consumers, and has the authority to enforce several consumer protection laws, such as EFTA (and corresponding Federal Reserve Board's Regulation E), the Truth in Lending Act (and corresponding Federal Reserve Board's Regulation Z), as well as the ability to take enforcement actions against the use of unfair, deceptive or abusive acts and practices by fintechs in marketing or providing their services. In addition, each federal functional regulator (the Federal Reserve, Office of Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC) and the National Credit Union Administration) also has its own rules on marketing that apply to the entities it regulates (and it is important for fintechs to be aware of these because of the 'pass-through' regulatory requirements discussed below). Generally, unfair, deceptive or abusive marketing practices are prohibited.

If a fintech's products, services or activities involve providing investment advice or acting as a broker or dealer of securities, in general it must be licensed and regulated by the Securities and Exchange Commission (SEC) or the Commodities Future Trading Commission (CFTC), as applicable. Robo-advising services, which are a type of investment adviser activity, fall within this category.

Providing automated digital advisory or asset management services may constitute acting as an investment adviser. The critical inquiry as to whether the fintech entity would be deemed an investment adviser is whether, in connection with the product, the fintech will be providing advice to others regarding securities or issuing reports or analyses regarding securities.

Fintechs that engage in credit information services may be subject to the Fair Credit Reporting Act (FCRA). FCRA regulates the collection, dissemination and use of consumer information, including consumer credit information. To the extent that the fintech is supervised by a state or federal regulator, that regulator would be in charge of assessing and enforcing compliance with FCRA.

If a fintech qualifies as an insurance broker or underwriter, it is regulated at the state level by state insurance regulatory agencies. If a fintech makes loans, it may have to obtain state lender licences and be subject to oversight by state regulators that administer and oversee the licensing and ongoing activities of licensed entities, including consumer protection regulations.

If a fintech provides payments services, such as peer-to-peer money transmission or bill payments, and qualifies as a money services business, then it must register as a money services business with the US Department of the Treasury's Financial Crimes Enforcement Network (FinCEN), and generally must also obtain state money transmitter licences. In some instances, a fintech may mistakenly believe that registering as a money services business with FinCEN takes care of registration as a licensed money transmitter with individual states. This is absolutely not the case; an entity must comply with both federal money services business registration and reporting as well as the state-level money transmitter licensing requirements. In addition, if a fintech believes that it falls within the 'processor exemption' or 'agent of the payee' exemption contained in federal money service business registration requirements, it should be aware that recognition of such exemptions must be determined on a state-by-state basis.

In order to avoid the complex licensing process, many fintechs seek to partner with a financial institution as an alternative. Fintechs that partner with financial institutions to offer their products and services fall within the financial institution's obligations, and must submit to significant due diligence, monitoring and oversight by the financial institution partner. This gives rise to the concept of pass-through regulatory requirements where a financial institution must rely on and ensure that its fintech partner, as the primary point of customer onboarding and interaction, assists the financial institution in meeting its regulatory obligations, such as BSA and AML requirements, Office of Foreign Asset Control (OFAC) screening of new customers, Regulation E investigation and dispute resolution activities regarding consumer claims of unauthorised or fraudulent activities. In fact, federal functional banking regulators (the Federal Reserve, OCC, FDIC and National Credit Union Administration) have the authority to take enforcement actions directly against third-party financial institution fintech partners, as well as the authority to examine such partners. The Federal Deposit Insurance Act contains provisions addressing enforcement actions against an institution-affiliated party, which includes in its definition any 'joint venture partner, and any other person as determined by the appropriate Federal banking agency (by regulation or case-by-case) who participates in the conduct of the affairs of an insured depository institution'. There have been several joint FDIC and US Department of Justice investigations and enforcement actions that have included both fintechs and their financial institution partners.

Given the complexity of the US regulatory regime for fintechs, there has been widespread debate in the past several years in the US regarding the creation of a more comprehensive licensing regime for fintech entities. The OCC has been the most active among the federal regulators in seeking to develop new ways for fintechs to offer their products and services at a national level and announced several new initiatives in 2020, including what is generally referred to as a 'payments charter'.

However, several fintechs recently received full national bank charters or state industrial loan company charters (ILCs) – ILCs are jointly regulated by the state granting the ILC charter and the FDIC. Applications for ILCs have been met with criticism from financial institution trade associations such as the American Bankers Association and the Independent Community Bankers Association of America (ICBA), that each claim ILCs are a loophole fintechs are attempting to exploit to get into banking.

A fintech that desires to operate in the US and wants to explore obtaining a financial institution charter must carefully consider whether its contemplated activities would require it to be licensed by a state or federal agency, as well as whether the costs and other burdens associated with such a licence would be cost prohibitive.

ii Cross-border issues

Generally, if any entity, domestic or foreign, seeks to conduct regulated activities in a US jurisdiction, it must maintain the appropriate licence or registration, even if the entity is already licensed to conduct the same or similar activities in another jurisdiction or country. As noted above, there is no 'passporting' in the United States of licences or registrations into the United States from a foreign jurisdiction, and there is no 'passporting' of state licences or registrations into other states (although there are ongoing efforts to streamline and harmonise state regulation). However, in the United States, the concept of federal pre-emption renders inapplicable certain state requirements that may apply to the provision of financial services if those services are provided by a federally licensed and regulated financial entity.

Each jurisdiction has its own rules with respect to physical presence requirements. Generally, foreign companies may provide financial services in any US jurisdiction by registering with the appropriate regulator or, if necessary, with the Secretary of State or tax authorities of the jurisdiction. Some jurisdictions even permit their own licensed entities to maintain some or all of their substantive business operations outside of the jurisdiction. For US financial institution charter applications and state money transmitter applications, there are strict criminal background checks, financial records and fingerprinting requirements for owners, major shareholders, directors and executive officers.

All US persons are required to abide by federal trade and sanctions programmes. These programmes are managed by the US Department of Treasury's OFAC. Additionally, the Committee on Foreign Investment in the United States (CFIUS) is an interagency committee authorised to review certain transactions involving foreign investment in the United States and certain real estate transactions by foreign persons, to determine the effect of such transactions on the national security of the United States.

Digital identity and onboarding

i Digital identity

There is currently no generally recognised digital identity in the United States. While the US Department of Commerce National Institute of Standards and Technology (NIST) has issued technical requirements for digital identity services, the guidelines are only mandatory for the federal government and voluntary for the private sector. Nevertheless, the NIST guidelines are generally seen as setting the standard for the direction of any potential federally recognised digital identity.

The US Department of Treasury released a report in 2018 (generally referred to as the 'Fintech Report') that includes two recommendations focused on the creation of a national digital legal identity and encourages private and public sector stakeholders to leverage the NIST guidelines to develop trustworthy digital identity products and services. The Fintech Report describes digital legal identity as using electronic means to unambiguously assert and authenticate a real person's unique legal identity, and highlights two essential components of digital identity systems: identity proofing, enrolment and credentialing; and authentication. Federation is a potential third component that would allow identity to be portable. Another recommendation in the Fintech Report urges the Office of Management and Budget to fully implement the long-delayed government federated identity system. As emphasised by the Treasury, the creation of a nationwide digital legal identity framework will ultimately require close collaboration between the government and the private sector in the United States.

ii Digital onboarding

Fully digitised onboarding of clients is the method by which many digital-only fintechs have been able to achieve staggering growth in the number of customers in relatively short time frames. While digital onboarding poses numerous risks, regulators in the United States acknowledge the benefits for providing access to innovative products and services. Digital onboarding again raises the concept of pass-through regulatory requirements discussed above, where fintechs must ensure specific regulatory obligations are met, namely BSA, AML and OFAC screening. Unlike the EU, where fintechs are able to rely on specific digital onboarding regulations such as the new European Anti-Money Laundering Directive, digital onboarding in the US requires compliance with the standard Customer Identification Program (CIP) and customer due diligence (CDD) requirements to ensure BSA and AML compliance – CIP requirements involve verifying the identity of customers while CDD requirements involve identifying and verifying the identities of beneficial owners of legal entity customers.

As part of a comprehensive CIP, fintechs partnering with US financial institutions to open accounts for customers must obtain the following information before opening an account: name, date of birth (for natural persons), address, identification number (e.g., a tax identification number) and a government-issued document bearing a photograph for a natural person or government-issued documentation certifying the existence of an entity. Other than various additional CIP requirements, fintechs may also be required to establish comprehensive CDD programmes (as well as enhanced due diligence programmes for higher-risk customers). Additional specific onboarding requirements vary greatly based on the underlying product or service being offered.

Digital markets, payment services and funding

Generally speaking, digital marketplaces for goods and services are not regulated as fintech companies in the United States. Most marketplaces are only regulated based on their underlying goods or services. For example, Uber and Lyft are subject to the same regulations as taxis in many US jurisdictions. These digital marketplaces are generally not subject to fintech regulations because either the funds for the purchase of goods flow through a separate payments company – for example, payments for eBay purchases have historically been handled by PayPal – or the marketplaces do process payments but do so under an exemption to fintech regulation (such as 'agent of the payee') or only accept credit card payments, which do not require fintech licences in the United States. However, in recent years some of these marketplaces have chosen to register with FinCEN as money services businesses (MSBs) and obtain state money transmission licences to able to process a wider variety of payments.

In recent years, peer-to-peer lending, social-lending and crowd-lending have become popular alternatives to standard bank loans in the United States. However, many of the consumer protection laws applicable to traditional loans may also apply to loans made via these marketplace lending platforms, including the Truth in Lending Act, Equal Credit Opportunity Act and Fair Debt Collection Practices Act. The regulators primarily responsible for enforcing these consumer protection laws include the CFPB and the Federal Trade Commission. Depending on the particular business model, marketplace lenders may also be regulated by the Federal Reserve, FDIC and the OCC. In addition, marketplace lenders may be subject to state consumer protection laws, including laws prohibiting unfair, deceptive or abusive acts and practices, and may be subject to state licensing requirements to act as a lender, broker, debt collector or solicitor.

Payments services are heavily regulated in the US and are required to both register as a money services business with FinCEN and also obtain state money transmitter licences. As mentioned above, some fintechs mistakenly believe that registering as an MSB with FinCEN is sufficient to operate as a payments service in the United States; that is not the case, as state-level money transmitter licences are also required. Furthermore, payments services must obtain a licence in each state in which they intend to operate because the United States currently lacks a reciprocity or passporting option as in Europe. The lack of passporting or reciprocity in the United States is particularly notable because obtaining all state money transmission licences is extremely burdensome, often taking years and costing hundreds of thousands of dollars. While the current US licensing regime is onerous, state regulators are taking steps towards licence reciprocity and a standardised application process.

Unlike under the EU Revised Payment Services Directive, there is no law or regulation in the United States directly requiring financial institutions to share customer data with fintech entities. Although Section 1033 of the Dodd–Frank Wall Street Reform and Consumer Protection Act (Dodd–Frank) requires banks and other financial service firms to make customers' financial data available to the customer in a usable form, no promulgated rules define what 'usable form' means or identify sanctions for financial institutions that limit what information they share. In October 2020, the CFPB issued an advanced notice of proposed rulemaking (ANPR) requesting information related to consumer access to financial records. The ANPR is intended to assist the CFPB with effectively developing regulations to implement Section 1033 of the Dodd–Frank Act.

Cryptocurrencies, initial coin offerings (ICO) and security tokens

It is difficult to overestimate the tremendous popularity and widespread adoption of digital assets that occurred over the course of 2020. Despite this, regulatory uncertainty and a patchwork of evolving legal frameworks continue to impact the evolution of cryptocurrencies, security tokens and other digital assets in the United States. At the federal level, the SEC, the FinCEN, the Internal Revenue Service (IRS) and the CFTC have taken turns to issue administrative guidance and enforcement actions to shape the regulatory landscape for this new asset class. In addition, a majority of states have either enacted or proposed formal legislation related to digital assets or the underlying blockchain technology, with certain states adopting extensive legislative frameworks designed to attract blockchain and crypto entrepreneurs to their jurisdictions. At the core of all regulation on digital assets is the cumbersome effort to fit digital assets into existing legal frameworks for more traditional assets like securities, commodities and currencies.

The most significant regulatory developments in 2020 surrounding digital assets came from the OCC and, perhaps surprisingly, the state of Wyoming. The OCC issued a series of interpretive letters that clarified the authority of national banks and federal savings associations to provide a variety of digital asset products and services. Additionally, the state of Wyoming granted charters to two new banks that will focus exclusively on providing cryptocurrency products and services. It is not just a small number of small banks that have started exploring digital assets, several Fortune 500 companies as well as the US's oldest and largest banks have either announced direct investments in cryptocurrencies or announced significant efforts to begin allowing their customers to invest in cryptocurrencies.

i Digital assets as securities

Since it first published the DAO Report on 25 July 2017, the SEC has consistently applied the 75-year-old definition of an investment contract using the 'Howey test' to determine which digital assets are securities and most recently summarised its position in 2019 in the Framework for 'Investment Contract' Analysis of Digital Assets (the Digital Asset Framework). Under the Howey test, a digital asset is an investment contract and, therefore, a security, when there is the investment of money in a common enterprise with a reasonable expectation of profits to be derived predominantly from the efforts of others. The Digital Asset Framework applies the prongs of the Howey test to common characteristics of digital assets and, importantly, also acknowledges the possibility that a digital asset can evolve over time and cease to be deemed a security under certain circumstances. With the SEC's framework heavily dependent on the facts and circumstances of each digital asset, those seeking to issue a security token or new cryptocurrency are faced with the choice of either complying with SEC registration requirements or seeking no-action relief that they are not issuing a security. To date, the SEC has only granted two such no-action letters and the companies seeking to register their digital tokens in reliance on Regulation A have faced heightened scrutiny and questioning from regulators with only two offering statements being made effective.

In 2019, the SEC and FINRA issued the Joint Statement on Broker-Dealer Custody of Digital Asset Securities (the Joint Statement), in which 'digital asset' refers to any asset that is issued and transferred using distributed ledger or blockchain technology, and a 'digital asset security' is any digital asset that is also a security for purposes of the federal securities laws. The Joint Statement discussed the application of digital asset securities to the SEC's Customer Protection Rule, which, among other things, requires broker-dealers to hold customers' securities at a 'good control location', which is typically a third-party custodian like a trust company. The Customer Protection Rule deems banks a good control location; however, FDIC-insured banks are currently restricted from providing custody for digital asset securities. As a result of this hole in the market, Wyoming recently passed legislation creating special purpose depository institutions (SPDIs), which are banks that receive deposits and conduct other incidental activities, including fiduciary asset management, custody and related activities, focusing heavily on digital assets. In addition to providing a good control location for the purposes of the Customer Protection Rule, SPDIs are also designed to ensure digital assets are protected in federal bankruptcy proceedings. Other states, like Colorado and Missouri, are working towards creating similar digital asset banking institutions.

ii Digital assets as virtual currencies

In 2013, FinCEN issued interpretive guidance clarifying its position that the BSA applies to persons creating, obtaining, distributing, exchanging, accepting or transmitting virtual currencies. FinCEN classifies such individuals as exchangers or administrators of virtual currencies, which are treated as money transmitters required to register as MSBs. Money transmitters are required to comply with the BSA obligations that apply to MSBs, including: registering with FinCEN; developing, implementing and maintaining effective AML and KYC programmes; filing suspicious activity reports and currency transaction reports; and maintaining certain other records. In the years since its initial 2013 guidance, FinCEN has issued numerous civil money penalties against cryptocurrency and digital asset enterprises for violation of the BSA.

The IRS issued the agency's first crypto-related guidance in 2014 formally defining a virtual currency as 'a digital representation of value that functions as a medium of exchange, a unit of account, and/or a store of value'. According to the IRS, Bitcoin is a convertible virtual currency because it can be digitally traded between users and can be purchased for, or exchanged into, US dollars, euros and other real or virtual currencies. The IRS treats virtual currencies as property and applies the general tax principles applicable to property transactions to transactions using virtual currency. This means every sale or exchange of a virtual currency must recognise capital gain or loss on the sale.

Since 2015, the CFTC has exerted regulatory control over virtual currencies as commodities under the Commodity Exchange Act that can be purchased on the cash or spot market or through initial coin offerings (ICOs). The CFTC exercises its general anti-fraud and manipulation enforcement authority over virtual currencies under the authority of the Commodity Exchange Act. Federal courts have upheld the CFTC's interpretation that virtual currencies are commodities within its regulatory jurisdiction.

The US Department of Justice released a comprehensive report produced by the Attorney General's Cyber Digital Task Force titled 'Cryptocurrency: Enforcement Framework' in October of 2020. This report outlines a variety of criminal and national security threats that cryptocurrency is deemed to play a role in. While this is a significant report that contains a detailed overview of the virtual currency landscape, it remains to be seen whether the framework will be followed by the new administration.

New York State has created its own regulatory regime for virtual currencies and requires anyone engaging in any of the following to obtain a special licence called a BitLicense: virtual currency transmission; storing, holding or maintaining custody or control of virtual currency on behalf of others; buying and selling virtual currency as a customer business; performing exchange services as a customer business; or controlling, administering or issuing a virtual currency. Since the BitLicense was first required in 2015 until the end of 2020, the New York Department of Financial Services issued 26 BitLicenses.

While Wyoming and New York are at the forefront of developing a clear digital asset regulatory framework. Other states and the federal government will continue to develop rules and regulations as the digital asset industry matures. It can be expected that federal agencies will issue new and revised rules as their understanding of cryptocurrency, security tokens and blockchain technology evolves, which is increasingly needed to create alignment with the interpretive letters issued by the OCC. The SEC and CFTC may also turn to Congress to request expanded powers to account for the vast changes occurring in the industries they regulate. It remains to be seen whether the United States can strike the proper balance of protecting the public without pushing investment in the technology to other jurisdictions. Industry participants need to continue working together with experts to avoid running afoul of rules or regulations in the increasingly complex and rapidly evolving regulatory environment.

Other new business models

i Self-executing 'smart' contracts

Self-executing contracts, or 'smart' contracts, are subject to general contract law and are legally permissible provided the particular contract satisfies the elements of a standard contract under US law. The enforceability and interpretation of contracts is generally a matter of state law in the US. Several states have enacted statutes aimed at ensuring smart contracts are granted the same legal validity as standard contracts, but there has yet to be any case law interpreting smart contracts in a commercial, or any, scenario. While smart contracts are technically permitted, the specific legal framework will depend on a variety of factors, such as the subject matter of the contract, and significant uncertainty remains around how smart contracts will ultimately be interpreted by courts. Until a consistent legal framework is developed, parties wishing for a smart contract to be interpreted as intended would be well advised to enter into a corresponding standard textual contract that courts can more easily understand in evaluating the enforceability of the smart contract counterpart.

ii Artificial intelligence in financial products

The CFPB has publicly supported the use of artificial intelligence (AI) and machine learning in financial products and services. AI has already been deployed by financial institutions through the use of regulatory technology products for BSA/AML compliance and OFAC screening, and is increasingly being used in lending and credit underwriting analysis and decisions. As it currently stands, financial products and services leveraging AI are subject to the existing regulatory framework of the underlying product or service. The uncertainty around how AI fits into the complex US financial regulatory framework is often cited as the cause of the lack of proliferation of AI-enabled financial products and services. Nearly all of the federal financial regulators have launched an office or programme aimed at financial technology innovation and facilitating adoption of beneficial AI and related technologies in the financial sector – these new offices include those of the CFPB and FDIC mentioned in Section II, as well as the OCC's Office of Innovation, the CFTC's LabCFTC, and the SEC's FinHub. Central to regulatory issues regarding the use and deployment of AI in financial services, and also what is central in regulators' review of AI in certain heavily regulated areas such as credit scoring and underwriting for lending, is how companies can explain the methodology and operation of an algorithm underlying the AI product, and also how the financial institution can provide regulators with a black-box test version of their AI to allow regulators to run independent testing, analysis and validation of AI technology (without compromising the underlying IP and proprietary elements of the AI algorithm or process).

Intellectual property and data protection

i Intellectual property, technology and data ownership issues

When developing their products and technologies, fintech companies may believe that they have created a new and novel process or computer technology that could rise to the level of a patentable invention. The challenge of patenting financial services technology in the current environment is that court decisions over the past several years have narrowed the type of technology that is eligible for patenting. In 2014, the US Supreme Court issued what is commonly referred to as the Alice decision,2 which set forth a two-step eligibility test. If an invention is directed to a patent-ineligible abstract idea under the first step, the second step determines whether the patent's claim (which places the public on notice of the scope of the patentee's right to exclude) recites elements that transform the abstract idea into a patent-eligible invention. Courts have generally applied this test to determine that the mere use of commercially available computing devices and software to implement an abstract concept is ineligible for patent protection. While it is difficult to predict with certainty whether an invention may be patent eligible, fintechs should confer with patent counsel to obtain guidance that will allow a well-informed decision to be made. Fintechs should be aware that business models or proprietary operations carried out by standard software may not be enough to seek a patent.

Fintechs should consider taking steps to protect their developed technologies in terms of copyright protection. Copyright protection extends to software code and certain works within software applications (like user interfaces and original text or content). More precisely, copyright protection extends to the source code, as the expression of the idea underlying the software, whereas the idea itself, or the function of the software, is not eligible for copyright protection. For this reason, copyright grants protection against the copy or use of the source code but does not prevent third parties creating different source codes to replicate the functionality of a fintech software. If a fintech company is going to develop software utilising third-party software, the associated licence grants and restrictions from the licensing third party must be taken into account. In addition, if the third-party software involves open-source software, and the fintech's development consists of a 'derived work' resulting from a modification to that existing open-source software, it is possible that a 'copyleft licence' governing the open-source software may contain an obligation to distribute the derivative software under the same open-source licence, disclosing and making available to the public the source code.

As an alternative to obtaining a patent, a fintech may be able to maintain confidential information that provides an economic advantage over competitors as a trade secret. Trade secret law provides an avenue for obtaining protection for economically valuable information such as a formula or algorithm. Trade secret protection presents its own set of challenges. If a trade secret holder fails to maintain secrecy or if the information is independently discovered, becomes released or otherwise becomes generally known, protection as a trade secret can be lost. For those reasons, it is important to enter into appropriate contractual arrangements that provide for the protection of trade secrets, including non-disclosure agreements and also specific contractual language such as IP and proprietary ownership and confidentiality provisions.

Finally, the fintech company will also want to take additional measures to preserve IP rights in distinctive names and other signifiers, such as logos, brand names and domain names to preserve brand awareness and guard against potential confusion. Registration of trademarks, design logos, brand names and domain names can prevent others from using those items that may be confusingly similar to the fintech company, helping to protect name and brand identity as well as position and recognition in the marketplace.

The fintech company should develop and deploy a comprehensive strategy for IP development and ownership from product development through product launch and scale. First, the fintech company should ensure that its agreements with employees and independent contractors that may be performing development work contain 'work made for hire' or similar contractual language establishing that: (1) the fintech owns all IP developed for it; (2) that employee or independent contractor acknowledges inventions, works or other intellectual property made or created by the employee or independent contractor during the term of employment or engagement are owned by the fintech; and (3) that the employee or independent contractor will take all necessary steps and complete any required documentation to assign those IP rights to the fintech. This will ensure that the fintech owns all of its IP, whether or not it chooses to explore any or all of the IP protection strategies described above.

With regard to third-party service provider agreements that the fintech may enter into for development or operation of the fintech services (such as hosting agreements, software-as-a-service agreements, agreements for identity verification services, etc.), the fintech will want to make sure that it is preserving the fintech's IP rights while also acknowledging and recognising the rights of the third-party licensor of the software or services. For example, the fintech may grant a limited licence to a software or service provider to use anonymised and aggregated data (incapable of being reassociated with an individual) for the service provider to monitor their service performance, fix bugs or offer new products or services to the fintech. The fintech will want to establish via contract that it owns all of its own and its customers' data, and may want to limit or prohibit the extent to which the service provider can use the fintech's information or data to sell new or improved products or services to others, and the fintech will want to prohibit a third-party service provider from selling any of the fintech or fintech customers' data to third parties (and this prohibition and related analysis ties into the privacy and data security issues discussed below).

Finally, in customer-facing agreements, fintech providers will want to include robust provisions for confidentiality, intellectual property ownership, end-user terms of licensing and use (including allowed and prohibited activities under the licence) and may also want to disclaim all warranties of non-infringement or disclaim any liability or indemnification for third-party claims of infringement. In addition, the customer-facing agreements are also the appropriate place to obtain consumer or business-end customer consent for data collection, data usage by the fintech and specific permission to use fintech customer information in product improvement or data monetisation initiatives (all subject to the privacy and data security laws, rules and regulations highlighted below).

ii Privacy and data protection

In the United States, there is no overarching privacy law that applies broadly to all businesses. Rather, the Gramm-Leach-Bliley Act (GLB) is the primary federal privacy law that regulates the activities of fintech firms. GLB applies to the use and disclosure of any non-public personal information (NPI) by a financial institution. NPI includes any personally identifiable financial information that either: (1) is provided by a consumer to a financial institution; (2) results from a transaction or service with the financial institution; or (3) is otherwise obtained by the financial institution. The term 'financial institution' is broadly defined to include any entity that is significantly engaged in financial activities such as lending funds, servicing loans or transferring money. GLB is implemented by two distinct rules: (1) the Privacy Rule, which requires financial institutions to provide privacy notices to their consumers and customers and offer them an opportunity to opt out of certain disclosures of their NPI; and (2) the Safeguards Rule, which requires financial institutions to ensure the security and confidentiality of NPI through the development of a written information security programme. A wide variety of federal regulatory agencies have rulemaking and enforcement authority over financial institutions (and that can result in pass-through regulatory requirements to financial institution fintech partners), but fintech firms themselves would most likely be directly regulated by either the Federal Trade Commission or the CFPB with regard to privacy and data protection.

On top of GLB, several other important federal and state laws and regulations for fintech firms to bear in mind and comply with include:

  1. the federal FCRA, which regulates the use and disclosure of consumer reports;
  2. the federal Red Flags Rule, which requires financial institutions and creditors to develop, implement and update a written identity theft prevention programme to detect and respond to red flags that might indicate identity theft;
  3. the federal Affiliate Marketing Rule, which limits the sharing of certain information among affiliated entities for marketing purposes;
  4. if the fintech will be interacting with children, the federal Children's Online Privacy Protection Act, provisions of the California Consumer Privacy Act (CCPA) that apply to opt-in requirements for sale of data for children aged 13–16 (and parental opt-in consent for children 13 years and younger), and other California and additional state privacy laws that apply to children under the age of 18; and
  5. the federal Health Insurance Portability and Accountability Act (if the fintech will be interacting with healthcare data).

In addition to laws that are straightforward in their applicability, other federal and state privacy and data protection laws may be triggered based on the type of security processes, procedures and tools fintechs deploy in their product offerings. For example, a fintech that utilises biometric recognition or verification tools through a mobile device must comply with state-specific laws on biometric identification and information. The number of biometric privacy class actions has increased in recent years, with the decades-old Illinois Biometric Information Privacy Act (BIPA) continuing to pose the greatest concern to companies. While BIPA remains the only biometrics legislation to date in the United States that provides for a private right of action, five other states (Texas, Washington, California, New York and Arkansas) have now passed their own biometric statutes or expanded existing laws to include biometric identifiers. These five states, however, either do not address the private right of action or expressly allow enforcement by the state attorneys general. Other states are also in the process of proposing their own state-specific biometric privacy statutes.

Year in review

The year 2020 is one that will be reflected upon in history books for many years to come. It is not unreasonable to expect that the covid-19 pandemic will ultimately be considered to have played a significant part in the digitisation of the economy, particularly the financial industry. Those who may have still been wary of online banking or digital payments were generally forced to begin utilising these services and solutions considering in-person activities were essentially impossible for the majority of the year (the use of cash in the United States saw its most dramatic decrease in the history of the Federal Reserve). This also forced companies to think differently about remote work and investments in information technology systems, each of which is likely to lean heavily towards leveraging financial technology in ways that would not have been considered a priority prior to the pandemic.

As noted above, after many years the CFPB is finally moving forward with developing regulations to implement Section 1033 of the Dodd–Frank Act regarding consumer financial data. The initial actions were taken under a different administration, so we should expect the focus of the potential regulations to shift along with the leadership of the CFPB. It is possible that the regulations developed to implement Section 1033 of the Dodd–Frank Act will finally result in the US establishing open banking laws that are similar in nature to those in the EU, where consumers are intended to have far greater control over their personal financial information.

At the end of 2020, the US Senate passed the Anti-Money Laundering Act of 2020 (AMLA) and the AMLA was signed into law early in January 2021. The AMLA represents the most significant change to the BSA since the USA PATRIOT Act that was enacted following the terrorist attacks of 11 September 2001. Among the more notable changes include broad changes intended to modernise the AML and countering of financing of terrorism framework. Embracing technology and innovation is one of the central themes of the AMLA. Because the implementation of the AMLA will require extensive rulemakings and other measures, we will not know the ultimate impact for some time.

Outlook and conclusions

As this chapter should demonstrate, the US financial regulatory regime is incredibly complex and ever-evolving, which can pose unique challenges to fintechs that seek to operate in the United States. States and the federal government are interested in promoting innovation but are also exceedingly cautious of new challenges and risk that innovation in the financial sector poses because of the high potential for consumer harm, as well as potential impacts on entity-level and systemic risk. As the industry matures and regulators become more educated, it is hoped that clear and consistent financial regulations will emerge.

With a change in administration comes a change in the approach to financial regulation. It is expected that the Biden administration will seek to foster responsible innovation, but this will no doubt involve a heightened focus on consumer protection and a significant focus on diversity and inclusion. While it is important that the United States continues to provide an environment to encourage financial innovation, it must be done in a way that does not leave those who are most vulnerable behind. In addition to a focus on promoting financial inclusion, the Biden administration has demonstrated that it intends to take a top-down approach with respect to creating more diversity and inclusion among financial regulatory leadership.

In concluding this chapter, it is important to highlight that federal financial regulators continue to be generally supportive of financial innovation for several years, but the change in administration at the federal level will almost certainly have a significant impact on the financial technology industry. Companies that have been operating without much regulatory concern or attention could very well find themselves in a very different position a year from now. As just an example, the CFPB has already begun a hiring spree and will certainly take a more active role in regulating consumer financial products and services. However, as we stated in the conclusion of last year's chapter, fintechs that have as their main focus helping businesses and consumers gain access to better financial products and services, and those that strive to create user-friendly products and services that are 'compliant by design' will likely continue to receive favourable regulatory treatment, provided they actively work with the appropriate regulators.


1 Erin Fonté and Scott Kimpel are partners, Carleton Goss is counsel and Patrick Boot is an associate at Hunton Andrews Kurth LLP. The authors wish to thank Mayme Donohue and Ryan Logan for their contributions to this chapter.

2 Alice Corp Pty Ltd v. CLS Bank International.

Get unlimited access to all The Law Reviews content