The Financial Technology Law Review: USA
Most experts acknowledge that the United States has one of the most complex financial regulatory regimes in the world. This is largely due to the two-tiered regulatory environment, where states and the federal government both regulate financial activity. Currently, there are five primary federal financial regulators and each state also has its own financial regulator. There are overlapping, inconsistent and, occasionally, contradictory financial regulations that companies with multi-state activities, including fintechs, must navigate. Without the availability of options such as 'passporting' licences from one jurisdiction to another (which are available in other regions of the world like the European Union), thoughtful and well-staged operating and licensing strategies for fintechs launching online or mobile products and services that will essentially be operating in all 50 states are critical. In addition to the geographic regulatory complexity, federal and state regulators are focused on licensing the underlying activities that fintechs engage in, which can trigger a whole host of other regulations (and other regulators) that fintechs must address. While federal and state regulators are committed to, and over the last several years have been moving towards, harmonising inconsistent and sometimes conflicting regulations, in the near term regulatory challenges will continue to exist in the US.
i Licensing and Marketing
There are few fintech-specific licences or regulations in the US at either the federal or state level. Instead, the regulatory regime that applies to a fintech company in the US depends on the activities that the fintech engages in and the products and services that it offers. Both federal and state regulators have made clear in regulations, guidance and enforcement actions that they are focused less on the channel of delivery of fintech services (e.g., online or mobile) and more on the underlying activities that a fintech engages in (e.g., payments, small-dollar lending, virtual currency). Regulators at the federal and state level have taken several enforcement actions in recent years against non-bank fintech companies, including enforcement actions involving alleged violations of federal securities laws (particularly with regard to initial coin offerings), insufficient data security practices and data breaches, failure to obtain necessary licensing, and unfair and deceptive acts and practices.
The regulatory regime and required licensing for fintechs are complex and can touch upon several federal and state regulatory and licensing issues, and many non-US fintech companies that seek to operate in the United States are often taken aback at the complexities of the US regulatory and licensing requirements. This is particularly true at the state level, where there currently is no option to obtain a licence in one state and then have that licence granted reciprocity for licensing in other states – a situation that contrasts strongly with the ability of EU countries to 'passport' certain licences from one country to another. The complex nature and somewhat lengthy process of obtaining state licences in particular has been criticised as a barrier to entry and potential hindrance to innovation by non-bank fintech entities seeking to operate in the US.
By way of example, a fintech product such as a mobile wallet may trigger one or all of the following federal regulations, depending on its structure and the products and services offered: (1) Electronic Funds Transfer Act (EFTA) (and corresponding Federal Reserve Board Regulation E); (2) EFTA and 'Regulation E Lite' (which applies to the issuers of 'access devices' even if they are not the issuers of the underlying payment account); (3) truth-in-billing laws (if payments are charged directly to a consumer's mobile wireless or mobile carrier account); and (4) Bank Secrecy Act (BSA) and anti-money laundering (AML) regulations and corresponding 'know your customer' (KYC) and customer identification programme requirements.
At the federal level, the only agency that has direct supervisory and regulatory authority over non-bank fintechs is the Consumer Financial Protection Bureau (CFPB). The CFPB regulates non-bank fintechs that provide financial products and services directly to consumers, and has the authority to enforce several consumer protection laws, such as EFTA (and corresponding Federal Reserve Board's Regulation E), the Truth in Lending Act (and corresponding Federal Reserve Board's Regulation Z), as well as the ability to take enforcement actions against the use of unfair, deceptive or abusive acts and practices by fintechs in marketing or providing their services. In addition, each federal functional regulator (the Federal Reserve, Office of Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC) and the National Credit Union Administration) also has its own rules on marketing that apply to the entities it regulates (and it is important for fintechs to be aware of these because of the 'pass-through' regulatory requirements discussed below). Generally, unfair, deceptive or abusive marketing practices are prohibited. An act or practice is unfair if it causes or is likely to cause substantial injury to consumers that is not reasonably avoidable by consumers and not outweighed by countervailing benefits to them or to competition. A deceptive act or practice involves a representation or omission that is likely to mislead a reasonable consumer in some material way. Section 1031(d) of the Dodd-Frank Act defines abusive conduct or activity as something that:
- materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service; or
- takes unreasonable advantage of:
  - a lack of understanding on the part of the consumer of the material risks, costs or conditions of the product or service;
  - the inability of the consumer to protect its interests in selecting or using a consumer financial product or service; or
  - the reasonable reliance by the consumer on a covered person to act in the interests of the consumer.
While the CFPB has, since 2011, further defined or clarified what constitute abusive practices through its enforcement actions, on 24 January 2020, the CFPB issued a policy statement regarding abusive acts or practices, stating that the CFPB will challenge the conduct that may be defined as abusive only when harm to consumers is judged to outweigh the benefits, and that the CFPB will seek monetary damages in the instance that an entity acts with a lack of good faith to comply with laws.
If a fintech's products, services or activities involve providing investment advice or acting as a broker or dealer of securities, in general it must be licensed and regulated by the Securities and Exchange Commission (SEC) or the Commodity Futures Trading Commission (CFTC), as applicable. Robo-advising services, which are a type of investment adviser activity, fall within this category.
Providing automated digital advisory or asset management services may constitute acting as an investment adviser. The critical inquiry as to whether the fintech entity would be deemed an investment adviser is whether, in connection with the product, the fintech will be providing advice to others regarding securities or issuing reports or analyses regarding securities. In addition to recommending individual stocks or bonds, providing advice about securities also includes advising on:
- market trends;
- the selection and retention of other advisers;
- the advantages of investing in securities versus other types of investments (e.g., coins or real estate);
- a selective list of securities even if no advice is provided as to any one security;
- the value of securities;
- asset allocation; and
- voting proxies.
Fintechs that engage in credit information services may be subject to the Fair Credit Reporting Act (FCRA). FCRA regulates the collection, dissemination and use of consumer information, including consumer credit information. To the extent that the fintech is supervised by a state or federal regulator, that regulator would be in charge of assessing and enforcing compliance with FCRA.
If a fintech qualifies as an insurance broker or underwriter, it is regulated at the state level by state insurance regulatory agencies. If a fintech makes loans, it may have to obtain state lender licences and be subject to oversight by state regulators that administer and oversee the licensing and ongoing activities of licensed entities, including consumer protection regulations.
If a fintech provides payments services, such as peer-to-peer money transmission or the payment of bills to third parties, and qualifies as a money services business, then it must register as a money services business with the US Department of the Treasury's Financial Crimes Enforcement Network (FinCEN), and must also obtain state money transmitter licences when required, which makes the fintech subject to ongoing state money transmitter licence renewals, reporting and examination. In some instances, a fintech may mistakenly believe that registering as a money services business with FinCEN takes care of registration as a licensed money transmitter with individual states. This is absolutely not the case; an entity must comply with both federal money services business registration and reporting as well as the state-level money transmitter licensing requirements. In addition, if a fintech believes that it falls within the 'processor exemption' or 'agent of the payee' exemption contained in federal money service business registration requirements, it should be aware that recognition of such exemptions must be determined on a state-by-state basis.
A fintech company may acquire the necessary regulatory licences by creating a new business entity and applying for licences for that entity. Alternatively, a fintech company may acquire an entity that already has the category of licence desired or may partner contractually with such an entity to jointly provide the products and services (provided the fintech also follows the required 'notification of change' requirements for informing and gaining regulatory approval for a change in ownership of a licensed entity). While each strategy comes with its own advantages and disadvantages, many fintechs have found that in order to enter the market, they must partner with either a financial institution or other existing licensed entity.
Fintechs that partner with financial institutions to offer their products and services (which includes almost all fintechs that must gain access to the payment systems or maintain pooled or other bank accounts for clearing and settlement of transactions) are third parties partnering with the financial institution and fall within the financial institution's obligations to perform due diligence, monitoring and oversight as part of its overall third-party risk management regulatory obligations. This gives rise to the concept of pass-through regulatory requirements where a financial institution must rely on and ensure that its fintech partner, as the primary point of customer onboarding and interaction, assists the financial institution in meeting its regulatory obligations, such as BSA and AML requirements, Office of Foreign Assets Control (OFAC) screening of new customers, and Regulation E investigation and dispute resolution activities regarding consumer claims of unauthorised or fraudulent activities. In fact, federal functional banking regulators (the Federal Reserve, OCC, FDIC and National Credit Union Administration) have the authority to take enforcement actions directly against third-party financial institution fintech partners. The Federal Deposit Insurance Act contains provisions addressing enforcement actions against an institution-affiliated party, which includes in its definition any 'joint venture partner, and any other person as determined by the appropriate Federal banking agency (by regulation or case-by-case) who participates in the conduct of the affairs of an insured depository institution'. There have been several joint FDIC and US Department of Justice investigations and enforcement actions that have included both fintechs and their financial institution partners.
Given the complexity of the US regulatory regime for fintechs, there has been widespread debate in the past several years in the US regarding the creation of a more comprehensive licensing regime for fintech entities. On 31 July 2018, after several years of discussion, the OCC announced that it would be accepting applications for special purpose national bank charters for fintech companies. Long anticipated by the fintech industry and opposed by multiple state regulators, the OCC fintech charter is viewed as a way to potentially alter the financial services landscape for non-bank fintech entities. For fintech companies serving customers in multiple states, the OCC fintech charter could reduce the administrative and compliance challenges posed by the existing patchwork of state licensing requirements. But applying for such charter could come at a steep cost because fintech companies would have to meet stricter, bank-like regulatory requirements associated with an OCC charter.
As of 1 March 2020, no fintech company had officially submitted an application to the OCC for the limited-purpose fintech charter, although a few are reportedly in pre-application discussions. The hesitation from fintech companies to apply for the new charter may be based on the heightened regulatory requirements, as well as a series of lawsuits the OCC is facing from state regulators and the Conference of State Banking Supervisors (CSBS), the nationwide organisation of state financial regulators. Two sets of lawsuits have been brought by both the CSBS and Maria Vullo, the then Superintendent of the New York State Department of Financial Services. Both the CSBS and the New York State Department of Financial Services have criticised the OCC's decision to permit limited purpose fintech charters as 'lawless, ill-conceived, and destabilizing of financial markets'. In response, the OCC has said that it will vigorously defend its authority to grant national charters to qualified companies engaged in the business of banking.
However, even with the uncertainty and litigation regarding the OCC's limited purpose fintech charter, there are several fintechs that are exploring or have applied directly for full national bank charters or state industrial loan company charters (ILCs) that would be jointly regulated by the state granting the ILC charter and the FDIC. Applications for ILCs have been met with criticism from financial institution trade associations such as the American Bankers Association and the Independent Community Bankers Association of America (ICBA), each of which claims ILCs are a loophole fintechs are attempting to exploit to get into banking. In March 2019, ICBA put out a White Paper entitled 'Industrial Loan Companies: Closing the Loophole to Avert Consumer and Systemic Harm'. In the White Paper, ICBA raises concerns that there are regulatory blind spots in the ILC model that pose a threat to safety and soundness, and states that ILCs are the functional equivalent of full-service banks and that commercial company ownership of ILCs will effectively combine banking and commerce, contrary to long-standing American economic policy.
However, current FDIC Chairman Jelena McWilliams has indicated a willingness for the FDIC to look at and evaluate ILC charter applications. She has commented that issues of capital and profitability are key themes in the FDIC's interactions to date with fintech companies seeking banking charters, and that conversations about regulatory capital – which must be at 8 per cent by the third year – have been cumbersome as the FDIC has been educating fintechs that 'capital doesn't equal equity'. Additionally, the FDIC has been evaluating the potential effects of fintech ILC applicants' profitability on the deposit insurance system, and the agency is also reminding applicants to focus on how they are going to meet community needs in order to satisfy that element of the FDIC's ILC application.
A fintech that desires to operate in the US and wants to explore obtaining a financial institution charter must carefully consider whether its contemplated activities would require it to be licensed by a state or federal agency, as well as whether the costs and other burdens associated with such a licence would be cost prohibitive.
On 31 July 2018, the US Department of the Treasury (the Treasury) released a report on 'Non-bank Financials, Fintech, and Innovation' (the Fintech Report), its fourth and final report on the US financial system pursuant to Executive Order 13772. Many of the Treasury's recommendations would have a positive impact on creating a national and state regulatory environment to foster innovation in financial services, and the Fintech Report called specifically for (1) aligning the US regulatory framework to combat unnecessary fragmentation and addressing new business models enabled by new financial technologies; (2) updating activity-specific regulations across a range of products and services offered by non-bank financial institutions; and (3) promoting agile regulation and responsible experimentation. Several US federal regulators have launched 'offices of innovation' or similar units within their organisations, such as the OCC's Office of Innovation and the FDIC's FDiTech innovation lab. In addition, the Federal Reserve has recently held a series of 'fintech innovation office hours' across the country to meet with banks and companies engaged in emerging financial technologies. While these initiatives do not provide all the functionality and safe harbour environment of, for example, the UK Financial Conduct Authority's (FCA) 'Innovation Hub' regulatory sandbox, where fintechs can get feedback from the FCA on product design and compliance issues, US federal regulators are taking a more proactive and hands-on approach to understanding technology, products and services that non-bank fintechs are developing and seeking to offer.
The Fintech Report also called for harmonising state regulations, stating that for several years running, non-bank fintechs have raised concerns about the lack of regulatory harmonisation across US state-based regulatory regimes, particularly on money transmission and lending activities. An online or mobile fintech start-up could potentially reach customers in all 50 states upon launch, and with that national, multi-state reach come significant regulatory and licensing requirements and costs if the fintech start-up's activities were to require state level licensing (and also some costs to determine whether licensing is even required or not).
The Fintech Report did not recommend complete pre-emption of state laws and regulations, but instead that state regulators should strive to achieve greater harmonisation. The Treasury suggested states should consider drafting model laws that can be uniformly adopted, and also applauds states' current efforts to streamline licensing requirements and coordinate examinations. For example, the Treasury specifically supports Vision 2020, an effort by CSBS to improve state regulation by harmonising the multi-state supervisory processes and redesigning the Nationwide Multistate Licensing System (NMLS). While there has not been much movement on states adopting reciprocal licensing regimes (for example, where a fintech could get a licence in California and then get reciprocal licensing in all other states), there have been significant advances made in streamlining and harmonising the state money transmission licensing process. The Multistate Licensing Agreement came out of the Vision 2020 initiative in 2018, launching with seven participating states. As of 1 March 2020, there are 27 participating states (11 of which are Phase 1 only states). Under this programme, one state regulatory agency reviews the common licensing requirements across all states such as: business plan; direct and indirect owners, including background checks; and financial information and compliance with the AML provisions of the BSA. These important components of any money transmitter entity represent a large part of an application review workload. The state communicates the review, called a certification, to all other participating states that have agreed to accept the findings (the Phase 1 Review). Each state then reviews the remaining, state-specific elements, and licences follow this Phase 2 review. 
The purpose of the Multistate Money Services Businesses Licensing Agreement (MMLA) Program (as administered under the NMLS) is to create a more efficient money transmitter licensing process among state regulators. While much work is still to be done on the state harmonisation front, moving from seven to 27 participating states in two years is good progress.
ii Cross-border issues
Generally, if any entity, domestic or foreign, seeks to conduct regulated activities in a US jurisdiction, it must maintain the appropriate licence or registration, even if the entity is already licensed to conduct the same or similar activities in another jurisdiction or country. There is no 'passporting' of licences or registrations into the US from a foreign jurisdiction, and there is no 'passporting' of state licences or registrations into other states (although there are ongoing efforts to streamline and harmonise state regulation as discussed above). However, in the US, the concept of federal pre-emption renders inapplicable certain state requirements that may apply to the provision of financial services if those services are provided by a federally licensed and regulated financial entity.
Each jurisdiction has its own rules with respect to physical presence requirements. Generally, foreign companies may provide financial services in any US jurisdiction by registering with the appropriate regulator or, if necessary, with the Secretary of State or tax authorities of the jurisdiction. Some jurisdictions even permit their own licensed entities to maintain some or all of their substantive business operations outside of the jurisdiction. For US financial institution charter applications and state money transmitter applications, there are strict criminal background checks, financial records and fingerprinting requirements for owners, major shareholders, directors and executive officers.
All US persons are required to abide by federal trade and sanctions programmes. These programmes are managed by the US Department of Treasury's OFAC. Additionally, the Committee on Foreign Investment in the United States (CFIUS) is an interagency committee authorised to review certain transactions involving foreign investment in the United States and certain real estate transactions by foreign persons, in order to determine the effect of such transactions on the national security of the United States.
Digital identity and onboarding
i Digital identity
There is currently no generally recognised digital identity in the United States. While the US Department of Commerce National Institute of Standards and Technology (NIST) has issued technical requirements for digital identity services, the guidelines are only mandatory for the federal government and voluntary for the private sector. Nevertheless, the NIST guidelines are generally seen as setting the standard for the direction of any potential federally recognised digital identity.
The Fintech Report discussed above includes two recommendations focused on the creation of a national digital legal identity and encourages private and public sector stakeholders to leverage the NIST guidelines to develop trustworthy digital identity products and services. The Fintech Report describes digital legal identity as using electronic means to unambiguously assert and authenticate a real person's unique legal identity, and highlights two essential components of digital identity systems: identity proofing, enrolment, and credentialing; and authentication. Federation is a potential third component that would allow identity to be portable. Another recommendation in the Fintech Report urges the Office of Management and Budget to fully implement the long-delayed government federated identity system. As emphasised by the Treasury, the creation of a nationwide digital legal identity framework will ultimately require close collaboration between the government and the private sector in the United States.
ii Digital onboarding
Fully digitised onboarding of clients is the method by which many digital-only fintechs have been able to achieve staggering growth in the number of customers in relatively short time frames. While digital onboarding poses numerous risks, regulators in the US acknowledge the benefits for providing access to innovative products and services. Digital onboarding again raises the concept of pass-through regulatory requirements discussed above, where fintechs must ensure specific regulatory obligations are met, namely BSA, AML and OFAC screening. Unlike the EU, where fintechs are able to rely on specific digital onboarding regulations such as the new European Anti-Money Laundering Directive, digital onboarding in the US requires compliance with the standard Customer Identification Program (CIP) and customer due diligence (CDD) requirements to ensure BSA and AML compliance – CIP requirements involve verifying the identity of customers while CDD requirements involve identifying and verifying the identities of beneficial owners of legal entity customers.
As part of a comprehensive CIP, fintechs partnering with US financial institutions to open accounts for customers must obtain the following information before opening an account: name, date of birth (for natural persons), address, identification number (e.g., a tax identification number) and a government-issued document bearing a photograph for a natural person or government-issued documentation certifying the existence of an entity. Beyond various additional CIP requirements, fintechs may also be required to establish comprehensive CDD programmes. Additional specific onboarding requirements vary greatly based on the underlying product or service being offered. For example, prepaid products will have far less strict requirements than mortgage products. There are a variety of companies, such as Verafin (anti-fraud services) and Okta (single sign on and multi-factor authentication services), providing identity verification solutions to the financial sector that fintechs may be able to leverage in bringing new products or services to market.
Digital markets, payment services and funding
There are a variety of different digital marketplaces operating in the US, from more traditional marketplaces like eBay, Amazon, Mercari and Etsy that offer diverse goods from a variety of sellers, to newer niche marketplaces like Uber and Lyft (for ridesharing), Airbnb and VRBO (for home rentals), and Grubhub, DoorDash and Postmates (for food delivery). Generally speaking, these marketplaces for goods and services are not regulated as fintech companies in the US. Most of these marketplaces are only regulated based on their underlying goods or services. For example, Uber and Lyft are subject to the same regulations as taxis in many US jurisdictions. These digital marketplaces are generally not subject to fintech regulations because either the funds for the purchase of goods flow through a separate payments company – for example, payments for eBay purchases have historically been handled by PayPal – or the marketplaces do process payments but do so under an exemption to fintech regulation (such as 'agent of the payee') or only accept credit card payments, which do not require fintech licences in the US. However, in recent years some of these marketplaces have chosen to register with FinCEN as money services businesses (MSBs) and obtain state money transmission licences to be able to process a wider variety of payments. For example, both Airbnb and Amazon have created separate subsidiaries (Airbnb Payments, Inc and Amazon Payments, Inc, respectively) to be able to offer more payments services, including processing payments for other merchants and making faster payments to their sellers. For those marketplaces that choose to cross over into fintech and payment services, the whole host of fintech regulations, as discussed above, will apply.
Digital marketplaces specifically for buying, selling and trading digital assets or cryptocurrencies are subject to significant regulations in the US. As discussed in detail below, the underlying assets are subject to a range of regulations from a variety of different state and federal regulators. In addition, the marketplaces themselves are also regulated. In some cases, they are MSBs that are registered with FinCEN and licensed as state money transmitters: for example, both Coinbase and CoinZoom are digital currency trading platforms that are subject to money transmission regulations in some US jurisdictions because of their handling of crypto or fiat currencies or both. Gemini Trust Company is another digital currency exchange that is a regulated fintech company, although it is primarily regulated by the New York State Department of Financial Services as a New York trust company, rather than as an MSB. As discussed below, the New York State Department of Financial Services also regulates cryptocurrency marketplaces under its special 'BitLicense' regime; fintech entities including Ripple, BitPay, Coinsource and Robinhood have all been awarded BitLicenses in New York.
While a 'collective investment scheme' is a term of art used in the UK, colloquially collective investment schemes in the United States may refer more broadly to pooled investment vehicles or funds, such as 'public' investment funds (e.g., mutual funds) or 'private' investment funds (e.g., a private equity fund, real estate fund or hedge fund). These funds are generally regulated by the SEC, but may also be subject to the regulation of the CFTC, Financial Industry Regulatory Authority (FINRA), National Futures Association and United States state regulatory agencies. Depending on the structure of the funds and the nature of the funds' holdings, these funds and their managers or sponsors may be subject to the Investment Company Act of 1940, the Securities Act of 1933, the Investment Advisers Act of 1940, the Securities Exchange Act of 1940 and the Commodity Exchange Act.
In recent years, peer-to-peer lending, social-lending and crowd-lending have become popular alternatives to standard bank loans in the United States. However, many of the consumer protection laws applicable to traditional loans may also apply to loans made via these marketplace lending platforms, including the Truth in Lending Act, Equal Credit Opportunity Act and Fair Debt Collection Practices Act. The regulators primarily responsible for enforcing these consumer protection laws include the CFPB and the Federal Trade Commission. Depending on the particular business model, marketplace lenders may also be regulated by the Federal Reserve, FDIC, and the OCC. In addition, marketplace lenders may be subject to state consumer protection laws, including laws prohibiting unfair, deceptive, or abusive acts and practices, and may be subject to state licensing requirements to act as a lender, broker, debt collector, or solicitor.
Payments services – including traditional peer-to-peer (P2P) funds transfer companies like Western Union and MoneyGram and new fintech entities like Venmo and TransferWise – are heavily regulated in the US and are required to both register as a money services business with FinCEN and also obtain state money transmitter licences. As mentioned above, some fintechs mistakenly believe that registering as an MSB with FinCEN is sufficient to operate as a payments service in the US; that is not the case, as state-level money transmitter licences are also required. Furthermore, payments services must obtain a licence in each state in which they intend to operate because the US currently lacks a reciprocity or passporting option as in Europe. The lack of passporting or reciprocity in the US is particularly notable because obtaining all state money transmission licences is extremely burdensome, often taking years and costing hundreds of thousands of dollars. Although each state generally has the same application requirements, they are not uniform and fintech entities cannot submit one standard application to all states. Instead, they must apply to each state individually. State money transmission licensing requirements include, but are not limited to, paying an application fee, obtaining a surety bond or other form of security, having a significant net worth (usually around $500,000), submitting audited financial statements, and having shareholders and principals of the entity undergo fingerprinting and background checks. While the current US licensing regime is onerous, state regulators are taking steps towards licence reciprocity and a standardised application process. 
As discussed above, the states have made significant strides towards a standardised licensing process with the Multistate Money Services Businesses Licensing Agreement Program and state regulators continue to work toward their goal of an integrated, 50-state system of licensing and supervision for money transmitters by the end of 2020.
Unlike under the EU Revised Payment Services Directive, there is no law or regulation in the US directly requiring financial institutions to share customer data with fintech entities. Although Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) requires banks and other financial service firms to make customers' financial data available to the customer in a usable form, no promulgated rules define what 'usable form' means or identify sanctions for financial institutions that limit what information they share. While the CFPB has the authority to pass regulations on data sharing under Dodd-Frank, it has opted not to do so thus far. In October 2017, the CFPB published a set of nine non-binding Consumer Protection Principles that affirmed consumers' ownership rights over their financial data, but they did not mandate how financial institutions must share that data with consumers and third parties in the US. However, new rules from the CFPB may be on the horizon. In February 2020, the CFPB held a symposium on consumer access to financial records and Section 1033 of Dodd-Frank. The CFPB stated that it specifically organised the symposium to solicit feedback to guide the agency in its policy development process; therefore, rules requiring financial institutions to share customer data with third parties are likely forthcoming. Additionally, the CFPB announced support of the work being pursued by the Financial Data Exchange (FDX), a consortium of leading financial institutions and fintechs, focused on creating a global standard for data sharing through the development of the FDX application programming interface (API).
Cryptocurrencies, initial coin offerings (ICO) and security tokens
After more than a decade in the market since Bitcoin first went live on 3 January 2009, regulatory uncertainty and a patchwork of evolving legal frameworks continue to impact the evolution of cryptocurrencies, security tokens and other digital assets in the US. At the federal level, the SEC, the FinCEN, the Internal Revenue Service (IRS), and the CFTC have taken turns to issue administrative guidance and enforcement actions to shape the regulatory landscape for this new asset class. In addition, a majority of states have either enacted or proposed formal legislation related to digital assets or the underlying blockchain technology, with certain states adopting extensive legislative frameworks designed to attract blockchain and crypto entrepreneurs to their jurisdictions. State securities regulators and private plaintiffs are also involved, mostly through enforcement or civil action against potential fraudsters. At the core of all regulation on digital assets is the cumbersome effort to fit digital assets into existing legal frameworks for more traditional assets like securities, commodities and currencies.
i Digital assets as securities
Since it first published the DAO Report on 25 July 2017, the SEC has consistently applied the 75-year-old definition of an investment contract using the 'Howey test' to determine which digital assets are securities, and most recently summarised its position in 2019 in the Framework for 'Investment Contract' Analysis of Digital Assets (the Digital Asset Framework). Under the Howey test, a digital asset is an investment contract and, therefore, a security, when there is the investment of money in a common enterprise with a reasonable expectation of profits to be derived predominantly from the efforts of others. The Digital Asset Framework applies the prongs of the Howey test to common characteristics of digital assets and, importantly, also acknowledges the possibility that a digital asset can evolve over time and cease to be deemed a security under certain circumstances. With the SEC's framework heavily dependent on the facts and circumstances of each digital asset, those seeking to issue a security token or new cryptocurrency are faced with the choice of either complying with SEC registration requirements or seeking no-action relief that they are not issuing a security. To date, the SEC has only granted two such no-action letters, and the companies seeking to register their digital tokens in reliance on Regulation A have faced heightened scrutiny and questioning from regulators, with only two offering statements being made effective.
In an attempt to modernise the SEC's approach, SEC Commissioner Hester Peirce (whose favourable public statements on digital assets have earned her the nickname, 'Crypto Mom') recently released a model rule on digital token sales in connection with a public speech entitled, 'Running on Empty: A Proposal to Fill the Gap Between Regulation and Decentralization'. Commissioner Peirce's proposed solution to the current regulatory uncertainty would revolutionise the crypto markets because it proposes a three-year safe harbour from SEC registration while a development team builds out a functional, decentralised network supporting the digital token. In Commissioner Peirce's view, once a network cannot be controlled or unilaterally changed by any single person, entity, or group of persons or entities under common control, the token that operates on that network will not look like a security. Accordingly, upon the conclusion of the three-year period, the model rule provides that the development team would be required to determine whether token transactions involve the offer or sale of a security under the Howey test. Nevertheless, Commissioner Peirce's model rule exists wholly outside of the SEC's formal rulemaking process and formal action on her proposal is not expected.
In 2019, the SEC and FINRA issued the Joint Statement on Broker-Dealer Custody of Digital Asset Securities (the Joint Statement), in which 'digital asset' refers to any asset that is issued and transferred using distributed ledger or blockchain technology, and a 'digital asset security' is any digital asset that is also a security for purposes of the federal securities laws. The Joint Statement discussed the application of digital asset securities to the SEC's Customer Protection Rule, which, among other things, requires broker-dealers to hold customers' securities at a 'good control location', which is typically a third-party custodian like a trust company. The Customer Protection Rule deems banks a good control location; however, FDIC-insured banks are currently restricted from providing custody for digital asset securities. As a result of this hole in the market, Wyoming recently passed legislation creating special purpose depository institutions (SPDIs), which are banks that receive deposits and conduct other incidental activities, including fiduciary asset management, custody and related activities, focusing heavily on digital assets. In addition to providing a good control location for the purposes of the Customer Protection Rule, SPDIs are also designed to ensure digital assets are protected in federal bankruptcy proceedings. Other states, like Colorado and Missouri, are working towards creating similar digital asset banking institutions.
ii Digital assets as virtual currencies
In 2013, FinCEN issued interpretive guidance clarifying its position that the BSA applies to persons creating, obtaining, distributing, exchanging, accepting or transmitting virtual currencies. FinCEN classifies such individuals as exchangers or administrators of virtual currencies, which are treated as money transmitters required to register as MSBs. Money transmitters are required to comply with the BSA obligations that apply to MSBs, including: registering with FinCEN; developing, implementing and maintaining effective AML and KYC programmes; filing suspicious activity reports and currency transaction reports; and maintaining certain other records. In the years since its initial 2013 guidance, FinCEN has issued numerous civil money penalties against cryptocurrency and digital asset enterprises for violation of the BSA.
The IRS issued the agency's first crypto-related guidance in 2014, formally defining a virtual currency as 'a digital representation of value that functions as a medium of exchange, a unit of account, and/or a store of value'. According to the IRS, Bitcoin is a convertible virtual currency because it can be digitally traded between users and can be purchased for, or exchanged into, US dollars, euros and other real or virtual currencies. The IRS treats virtual currencies as property and applies the general tax principles applicable to property transactions to transactions using virtual currency. This means capital gain or loss must be recognised on every sale or exchange of a virtual currency. The IRS used its subpoena power in 2018 to identify and collect unpaid federal capital gains taxes from thousands of individual customers of the cryptocurrency exchange Coinbase. Towards the end of 2019, the IRS released additional cryptocurrency tax guidance, including Revenue Ruling 2019-24 as well as a list of 45 frequently asked questions, to help taxpayers better understand reporting obligations for specific transactions involving virtual currencies. Revenue Ruling 2019-24 focuses on hard forks of virtual currencies and how hard forks impact whether an individual has received gross income for tax-reporting purposes. In what is considered a blow to the spread of cryptocurrencies for everyday use, such as purchasing a cup of coffee, the IRS refused to create a de minimis exemption for transactions below a certain threshold. Absent clear instructions from Congress, the IRS is adamant that it will not create a de minimis exemption for virtual currencies since there is no such exemption for other types of property.
Since 2015, the CFTC has exerted regulatory control over virtual currencies as commodities under the Commodity Exchange Act that can be purchased on the cash or spot market or through initial coin offerings (ICOs). The CFTC exercises its general anti-fraud and manipulation enforcement authority over virtual currencies under the authority of the Commodity Exchange Act. Summarising its position, LabCFTC, the CFTC's fintech group, released 'A CFTC Primer on Virtual Currencies' in 2017, and the CFTC has taken numerous enforcement actions against bad actors in the virtual currency markets. Additionally, federal courts have upheld the CFTC's interpretation that virtual currencies are commodities within its regulatory jurisdiction.
New York State has created its own regulatory regime for virtual currencies and requires anyone engaging in any of the following to obtain a special licence called a BitLicense: virtual currency transmission; storing, holding or maintaining custody or control of virtual currency on behalf of others; buying and selling virtual currency as a customer business; performing exchange services as a customer business; or controlling, administering or issuing a virtual currency. Since the BitLicense was first required in 2015 until the end of 2019, the New York Department of Financial Services issued fewer than 25 BitLicenses.
State and federal governments will continue to develop rules and regulations as the digital asset industry matures. It can be expected that federal agencies will issue new and revised rules as their understanding of cryptocurrency, security tokens and blockchain technology evolves. The SEC and CFTC may also turn to Congress in order to request expanded powers to account for the vast changes occurring in the industries they regulate. Lawmakers are already becoming increasingly active as over 20 pieces of legislation will be considered by Congress in 2020, covering a wide range of digital asset and blockchain policy. It remains to be seen whether the US can strike the proper balance of protecting the public without pushing investment in the technology to other jurisdictions. Industry participants need to continue working together with experts to avoid running afoul of rules or regulations in the increasingly complex and rapidly evolving regulatory environment.
Other new business models
i Self-executing 'smart' contracts
Self-executing contracts, or 'smart' contracts, are subject to general contract law and are legally permissible provided the particular contract satisfies the elements of a standard contract under US law. The enforceability and interpretation of contracts is generally a matter of state law in the US. Several states have enacted statutes aimed at ensuring smart contracts are granted the same legal validity as standard contracts, but there has yet to be any case law interpreting smart contracts in a commercial, or any, scenario. While smart contracts are technically permitted, the specific legal framework will depend on a variety of factors, such as the subject matter of the contract, and significant uncertainty remains around how smart contracts will ultimately be interpreted by courts. Until a consistent legal framework is developed, parties wishing for a smart contract to be interpreted as intended would be well advised to enter into a corresponding standard textual contract that courts can more easily understand in evaluating the enforceability of the smart contract counterpart.
ii Artificial intelligence in financial products
The CFPB has publicly supported the use of artificial intelligence (AI) and machine learning in financial products and services. AI has already been deployed by financial institutions through the use of regulatory technology products for BSA/AML compliance and OFAC screening, and is increasingly being used in lending and credit underwriting analysis and decisions. As it currently stands, financial products and services leveraging AI are subject to the existing regulatory framework of the underlying product or service. The uncertainty around how AI fits into the complex US financial regulatory framework is often cited as the cause of the lack of proliferation of AI-enabled financial products and services. Nearly all of the federal financial regulators have launched an office or programme aimed at financial technology innovation and facilitating adoption of beneficial AI and related technologies in the financial sector – these new offices include those of the CFPB and FDIC mentioned in Section II, as well as the OCC's Office of Innovation, the CFTC's LabCFTC, and the SEC's FinHub. The CFPB has been particularly active in encouraging companies to engage in responsible testing of innovative technologies by creating various sandboxes and safe harbours, but the fact that many financial activities are also subject to overlapping state regulations complicates the agency's efforts to provide companies with meaningful relief at this time. 
Central to the regulatory issues regarding the use and deployment of AI in financial services, and to regulators' review of AI in certain heavily regulated areas such as credit scoring and underwriting for lending, is how companies can explain the methodology and operation of the algorithm underlying an AI product, and how the financial institution can provide regulators with a black-box test version of its AI to allow regulators to run independent testing, analysis and validation of the AI technology (without compromising the underlying IP and proprietary elements of the AI algorithm or process).
iii Cannabis fintechs
The US currently has a complicated problem with respect to cannabis, which includes both marijuana and hemp. Although the majority of states have legalised hemp (and cannabidiol products derived from hemp) and some forms of medical marijuana, and many other states including California and Colorado have legalised recreational marijuana, at the federal level marijuana remains an illegal drug. This conflict between state and federal law has left cannabis-related entities in a difficult position, especially when it comes to payments. Some relief was provided at the federal level through the farm bill that became law in 2018, which removed hemp from the controlled substances list and made it an ordinary agricultural commodity, but the same is not true for marijuana (which is defined as cannabis with more than 0.3 per cent THC). Marijuana, while legal at some level in many states, remains classified as an illegal substance at the federal level, which has resulted in state-licensed cannabis-related entities being unable to access the banking system. This means that the vast majority of cannabis-related payments in the US are made in cash, both by consumers purchasing cannabis and companies making business-to-business payments, including to suppliers, landlords and taxing authorities. States, as well as public and private organisations, have urged the federal government to address this systemic problem, but so far little meaningful progress has been made. This conflict between states and the federal government has led to a proliferation of fintechs specifically targeted at addressing the financial issues faced by legitimate cannabis companies. Some of these fintechs attempt to address consumer-related payments issues, while others focus on business-to-business payments.
Approaches for offering payments outside the traditional financial system include fintechs based in cryptocurrencies and digital assets, marketplaces for bartering and trading goods and services, and closed-loop stored value and mobile wallets specific to the cannabis industry. Despite general bipartisan consensus at all levels of the government that these cannabis-focused fintechs are providing vital solutions, fintechs operating in this space remain in a grey area as far as the law is concerned and need to work closely with expert legal counsel to ensure they are not exposed to significant legal liability.
Intellectual property and data protection
i Intellectual property, technology and data ownership issues
Owing to the fact that fintech products and services involve not only fintech-specific technology, software and user interfaces, but also mobile and online technology (not to mention a great many hosted services, cloud computing and software-as-a-service in the background), there are several intellectual property (IP) issues and potential claims that can arise for developers and users of fintech technologies.
When developing their products and technologies, fintech companies may believe that they have created a new and novel process or computer technology that could rise to the level of a patentable invention. The challenge of patenting financial services technology in the current environment is that court decisions over the past several years have narrowed the type of technology that is eligible for patenting. In 2014, the US Supreme Court issued what is commonly referred to as the Alice decision,2 which set forth a two-step eligibility test. If an invention is directed to a patent-ineligible abstract idea under the first step, the second step determines whether the patent's claim (which places the public on notice of the scope of the patentee's right to exclude) recites elements that transform the abstract idea into a patent-eligible invention. Courts have generally applied this test to determine that the mere use of commercially available computing devices and software to implement an abstract concept is ineligible for patent protection. For instance, the use of a standard computer system to implement an escrow service for financial transactions was deemed in the Alice case to be ineligible for patent protection. However, a court might determine that the use of an innovative database technology to more efficiently conduct various aspects of financial transactions could transform abstract ideas relating to financial transactions into a patent-eligible invention. While it is difficult to predict with certainty whether an invention may be patent eligible, fintechs should confer with patent counsel to obtain guidance that will allow a well-informed decision to be made. Fintechs should be aware that business models or proprietary operations carried out by standard software may not be enough to seek a patent.
Fintechs should consider taking steps to protect their developed technologies in terms of copyright protection. Copyright protection extends to software code and certain works within software applications (like user interfaces and original text or content). More precisely, copyright protection extends to the source code, as the expression of the idea underlying the software, whereas the idea itself, or the function of the software, is not eligible for copyright protection. For this reason, copyright grants protection against the copy or use of the source code, but does not prevent third parties creating different source codes in order to replicate the functionality of a fintech software. If a fintech company is going to develop software utilising third-party software, the associated licence grants and restrictions from the licensing third party must be taken into account. And if the third-party software involves open-source software, and the fintech's development consists of a 'derived work' resulting from a modification to that existing open-source software, it is possible that a 'copyleft licence' governing the open-source software may contain an obligation to distribute the derivative software under the same open-source licence, disclosing and making available to the public the source code.
As an alternative to obtaining a patent, a fintech may be able to maintain confidential information that provides an economic advantage over competitors as a trade secret. While patent law is premised on granting a temporary right to exclude others in exchange for the public disclosure of an invention, trade secret law provides an avenue for obtaining protection for economically valuable information such as a formula or algorithm. Trade secret protection presents its own set of challenges. If a trade secret holder fails to maintain secrecy or if the information is independently discovered, becomes released or otherwise becomes generally known, protection as a trade secret can be lost. For those reasons, it is important to enter into appropriate contractual arrangements that provide for the protection of trade secrets, including non-disclosure agreements and also specific contractual language such as IP and proprietary ownership and confidentiality provisions.
Finally, the fintech company will also want to take additional measures to preserve IP rights in distinctive names and other signifiers, such as logos, brand names and domain names to preserve brand awareness and guard against potential confusion. Registration of trademarks, design logos, brand names and domain names can prevent others from using those items that may be confusingly similar to the fintech company, helping to protect name and brand identity as well as position and recognition in the marketplace.
The fintech company should develop and deploy a comprehensive strategy for IP development and ownership from product development through product launch and scale. First, the fintech company should ensure that its agreements with employees and independent contractors that may be performing development work contain 'work made for hire' or similar contractual language establishing that (1) the fintech owns all IP developed for it, (2) that employee or independent contractor acknowledges inventions, works or other intellectual property made or created by the employee or independent contractor during the term of employment or engagement are owned by the fintech, and (3) that the employee or independent contractor will take all necessary steps and complete any required documentation in order to assign those IP rights to the fintech. This will ensure that the fintech owns all of its IP, whether or not it chooses to explore any or all of the IP protection strategies described above.
With regard to third-party service provider agreements that the fintech may enter into for development or operation of the fintech services (such as hosting agreements, software-as-a-service agreements, agreements for identity verification services, etc.), the fintech will want to make sure that it is preserving the fintech's IP rights while also acknowledging and recognising the rights of the third-party licensor of the software or services. For example, the fintech may grant a limited licence to a software or service provider to use anonymised and aggregated data (incapable of being reassociated with an individual) for the service provider to monitor their service performance, fix bugs, or offer new products or services to the fintech. The fintech will want to establish via contract that it owns all of its own and its customers' data, and may want to limit or prohibit the extent to which the service provider can use the fintech's information or data to sell new or improved products or services to others, and the fintech will want to prohibit a third-party service provider from selling any of the fintech or fintech customers' data to third parties (and this prohibition and related analysis ties into the privacy and data security issues discussed below).
Finally, in customer-facing agreements, fintech providers will want to include robust provisions for confidentiality, intellectual property ownership, end-user terms of licensing and use (including allowed and prohibited activities under the licence), and may also want to disclaim all warranties of non-infringement or disclaim any liability or indemnification for third-party claims of infringement. In addition, the customer-facing agreements are also the appropriate place to obtain consumer or business-end customer consent for data collection, data usage by the fintech and specific permission to use fintech customer information in product improvement or data monetisation initiatives (all subject to the privacy and data security laws, rules and regulations highlighted below).
ii Privacy and data protection
In the United States, there is no overarching privacy law that applies broadly to all businesses. Rather, the Gramm-Leach-Bliley Act (GLB) is the primary federal privacy law that regulates the activities of fintech firms. GLB applies to the use and disclosure of any non-public personal information (NPI) by a financial institution. NPI includes any personally identifiable financial information that either (1) is provided by a consumer to a financial institution, (2) results from a transaction or service with the financial institution or (3) is otherwise obtained by the financial institution. The term 'financial institution' is broadly defined to include any entity that is significantly engaged in financial activities such as lending funds, servicing loans or transferring money. GLB is implemented by two distinct rules: (1) the Privacy Rule, which requires financial institutions to provide privacy notices to their consumers and customers and offer them an opportunity to opt out of certain disclosures of their NPI; and (2) the Safeguards Rule, which requires financial institutions to ensure the security and confidentiality of NPI through the development of a written information security programme. A wide variety of federal regulatory agencies have rulemaking and enforcement authority over financial institutions (and that can result in pass-through regulatory requirements to financial institution fintech partners), but fintech firms themselves would most likely be directly regulated by either the FTC or the CFPB with regard to privacy and data protection.
In addition, several states, such as California and New York, have enacted financial privacy or cybersecurity laws and regulations that may apply to fintech firms and are more stringent than GLB. For example, California's new law, the California Consumer Privacy Act (CCPA), recently came into effect on 1 January 2020. CCPA does not apply to personal information 'collected, processed, sold, or disclosed pursuant to' GLB or the California financial privacy statute, but it does apply to any other personal information financial institutions collect that would not be considered NPI, such as the personal information of a financial institution's employees.
On top of GLB, several other important federal and state laws and regulations for fintech firms to bear in mind and comply with include: (1) the federal Fair Credit Reporting Act (FCRA), which regulates the use and disclosure of consumer reports; (2) the federal Red Flags Rule, which requires financial institutions and creditors to develop, implement and update a written identity theft prevention programme to detect and respond to red flags that might indicate identity theft; (3) the federal Affiliate Marketing Rule, which limits the sharing of certain information among affiliated entities for marketing purposes; (4) if the fintech will be interacting with children, the federal Children's Online Privacy Protection Act, provisions of the CCPA that apply to opt-in requirements for sale of data for children aged 13–16 (and parental opt-in consent for children 13 years and younger), and other California and additional state privacy laws that apply to children under the age of 18; and (5) the federal Health Insurance Portability and Accountability Act (if the fintech will be interacting with healthcare data).
In addition to laws that are straightforward in their applicability, other federal and state privacy and data protection laws may be triggered based on the type of security processes, procedures and tools fintechs deploy in their product offerings. For example, a fintech that utilises biometric recognition or verification tools through a mobile device must comply with state specific laws on biometric identification and information. The number of biometric privacy class actions has increased in recent years, with the decades-old Illinois Biometric Information Privacy Act (BIPA) continuing to pose the greatest concern to companies. While BIPA remains the only biometrics legislation to date in the US that provides for a private right of action, five other states (Texas, Washington, California, New York and Arkansas) have now passed their own biometric statutes or expanded existing laws to include biometric identifiers. These five states, however, either do not address the private right of action or expressly allow enforcement by the state attorneys general. Other states are also in the process of proposing their own state-specific biometric privacy statutes.
Year in review
In the US, it was the states that led the charge with respect to new regulations impacting the fintech industry this past year. New financial privacy, cybersecurity and biometric laws are adding yet another layer of regulatory patchwork issues for fintechs to navigate. In particular, the new California Consumer Privacy Act has been a significant burden on the fintech industry as entities have had to revamp their privacy policies and restructure their operations to comply with California consumers' new rights to access their data, have their information erased or opt out of data sharing. Additionally, while New York City's decision to ban cashless businesses may not have been targeted at them, fintechs operating in the state are cautioned to carefully consider how the ban might apply to various products and services. Although the OCC is committed to moving forward with issuing its new fintech bank charter, states are equally committed to fighting any such charters. Meanwhile the CSBS continued to push Vision 2020 initiatives that will hopefully lead to significant uniformity among states regarding state licensing and regulatory issues that affect fintechs.
The past year has also shown significant maturation of the fintech industry with a number of major industry developments. The announcement early in 2020 that Visa acquired Plaid (a major US fintech that has API connections with thousands of US financial institutions) for US$5.3 billion is an important reminder that while fintech start-ups often get the headlines, more established 'legacy' companies in financial services technology and payments are continuing to evolve, pivot and execute strategic moves to remain competitive. In addition, fintechs may find more creative ways to acquire bank charters rather than file de novo for them, as illustrated by Lending Club's announcement in February 2020 that it is in the process of acquiring Radius Bank, a technology-focused and API-driven financial institution. That announcement illustrates that fintechs may acquire banking charters and the people, processes, procedures and regulatory expertise of financial institutions to assist in running the combined entities. Additionally, Facebook's ambitious unveiling of the Libra Initiative invited intense US, as well as international, regulatory scrutiny while companies continue both to join and abandon the project. These are just a few of the industry developments that foreshadow more unpredictable announcements on the horizon.
Outlook and conclusions
The US financial regulatory regime is incredibly complex and ever-evolving, and can pose unique challenges to fintechs that seek to operate in the US. States and the federal government are interested in promoting innovation, but are also exceedingly cautious of the new challenges and risks that innovation in the financial sector poses due to the high potential for consumer harm, as well as potential impacts on entity-level and systemic risk. As the industry matures and regulators become more educated, it is hoped that clear and consistent financial regulations will emerge.
In concluding this chapter, it is important to highlight that federal financial regulators have been overwhelmingly supportive of financial innovation for several years, but there will be a presidential election in the US in November 2020 and it is quite possible that a different administration at the federal level will take a less hands-off approach. Companies that have been operating without much regulatory concern or attention could very well find themselves in a very different position a year from now. However, fintechs that have as their main focus helping businesses and consumers gain access to better financial products and services, and those that strive to create user-friendly products and services that are 'compliant by design' will likely continue to receive favourable regulatory treatment, provided they actively work with the numerous applicable regulators.
1 Erin Fonte and Scott Kimpel are partners, Carleton Goss is counsel, and Brenna McGee and Patrick Boot are associates at Hunton Andrews Kurth LLP. The authors wish to thank Rachael Craven, Mayme Donohue and Ryan Logan for their contributions to this chapter.
2 Alice Corp Pty Ltd v. CLS Bank International.