FinTech, Regulation, and the Law
By Jim Smith, Partner, Blue Dun | In collaboration with Mike Whalen, Partner, Goodwin
Goodwin advises an impressive list of FinTech startups and is one of the five most active U.S. law firms advising on FinTech deals. They have expertise in every area of FinTech, including alternative lending, payments, digital currency and blockchain technology, wealth management, insurance, and bank partnerships and charters. They have nearly 200 lawyers nationwide who handle early and growth stage venture deals. Goodwin is also a supporter of innovation in financial services and financial technology as a sponsor of FinTech Sandbox.
Mike Whalen is a Partner in Goodwin’s Washington, D.C., office and co-leader of the firm’s FinTech Practice. He has a full-service practice counseling on the regulatory and transactional aspects of consumer and small business financial products and services and advises both incumbent financial institutions and startups.
Mike, is it fair to say we can expect U.S. FinTech firms to face more scrutiny from federal and state regulators going forward, or, given the leanings of the current administration, will they see less?
A. As you say, they may not see more scrutiny from the federal government. Last month, we saw the acting CFPB director, Mick Mulvaney, write a letter to the Fed saying the CFPB doesn’t need more operating funds for the second quarter of this year. As you know, the CFPB gets its funding from the Fed though these quarterly requests. This is the first time that there has been no request for funds from the CFPB. In Mulvaney’s letter to the Fed, he wrote that the Bureau has enough in the bank to cover the $145 million that is budgeted for the second quarter. The previous director had a reserve fund in case of overruns or emergencies and Mulvaney is saying he doesn’t see a reason for it.
Beyond the funding, the CFPB recently announced that it is reconsidering its new payday lending rules and dropped a lawsuit against payday lenders. And last week, there were reports that Mulvaney stripped the Bureau’s Office of Fair Lending and Equal Opportunity of its enforcement powers. I’ve always felt that FinTech lenders’ AI-based loan underwriting could be a focus of fair lending inquiries when the Bureau wrapped its head around it more, but that’s less likely now. So, there is definitely a sense that the CFPB is going to be less active during the Trump years.
On the state front, though, states are saying they’re going to fill the void. But I believe the reality is that states are trying to compete with the OCC’s FinTech national bank charter, so they want to be more welcoming to FinTech companies.
Things may be different for those engaging in virtual currency business activities. I think we’ll see more states follow New York’s lead and put in place regulations similar to New York’s BitLicense. But the dual banking system is alive, and I think states want to compete for the FinTech business. We may very well see less activity from the states, also.
How soon should a startup think about acquiring legal advice? Is there a specific point at which you say, now you need legal advice, now you need regulatory advice?
You need it right off the bat, but in a phased way. The reality is that a startup can’t gold-plate everything. They and their counsel have to think about compliance in terms of a continuum.
Think about it in terms of improving compliance at each successive investment round. Investors understand this and expect it. There is an understanding that compliance will be more sophisticated at a C round than at an A round. So, on limited funds, you still have to talk to legal counsel at the beginning but sparingly. You ramp it up at each successive round.
How soon should a FinTech startup think about hiring a chief compliance officer or chief legal officer? What makes a good CCO or CLO for a startup?
It depends on the product. Sooner in lending than in payments because there’s a lot more regulation in lending. There are even differences in lending. If you are into small business lending, there is much less regulation than in consumer lending.
If you are in lending, and you want to get into a partnership with Celtic Bank, Web Bank, or Cross River Bank, they won’t enter into a partnership with you if you don’t have a chief compliance officer. That’s a gating item. But it depends on the product and it depends on the relationships you are forming.
What makes a good CCO for a FinTech company? Experience, confidence, and being a good juggler. There will be so much to do for a one-woman or one-man show. You have to be able to give good, risk-based advice.
You advise a lot of early stage companies on their initial financing rounds. What trends are you seeing in early stage financing?
One thing that I’ve recently noticed is global investment firms getting involved in cryptocurrencies — betting on the next bitcoin. I’ve read a number of whitepapers on virtual currencies with solutions that control for the wide swings in value. Bigger investment firms are showing interest in these solutions and actually signing on. This is a new development.
What about the terms VCs are asking for? Are we still founder-friendly, are we VC-friendly, are we headed in one direction or the other?
It’s really driven by how badly people want to be in. If you’ve got a strong solution, then it’s more founder-friendly. We’re advising founders with strong solutions that they have more power than they think they do.
What do startups need to think about as they negotiate their first partnership agreements? What needs to be in these agreements? What shouldn’t be?
A. The biggest thing is you have to protect your solution. If you are entering into a partnership and the partnership doesn’t work out, you have to be able to pick up the tent and take it with you. I’d focus on IP ownership, early outs (if it’s just not working out), on provisions that say upon termination you own the customer and you can take the customer with you. Watch out for exclusivity and don’t lock yourself into paying high minimum fees for long periods of time.
Again, founders with great solutions have more leverage than they think they do. They should exercise it.
In some quarters of the startup universe (cough — Silicon Valley — cough) the approach has been to ask for forgiveness rather than for permission. Even in FinTech, some companies — notably PayPal — have taken that approach. Others, such as Prosper, chose to fight their regulators, and some have chosen to deceive them. Even though PayPal got away with it, I suggest most FinTech startups work early and openly with the appropriate regulators, rather than trying to hide their intentions or defy them. What is your view?
It’s funny. I went through a stretch during which many FinTech clients wanted to make a pilgrimage to the CFPB and meet with someone there to discuss their solutions. I generally advise against it. Many still wanted to do it and I did go with them.
If you think you can be buddy-buddy with a regulator, and that’s going to make a difference, you’re mistaken. My position is to have a good legal and compliance plan and stick with it. Don’t ask a regulator to endorse your plan.
At all times, follow the spirit of the law. Say you come up with a new product that resembles a loan but you’re on sound legal ground taking the position that it’s not a loan. You should still give cost disclosures that substantially comply with the Truth in Lending Act and Regulation Z. You are less likely to attract regulator interest if you are compliant with the spirit of the law.
Under which conditions should a startup consider approaching the CFPB for a no-action letter?
A. Extending the notion of having a good legal and compliance plan and sticking with it, I’m not a fan of no-action letters. The CFPB has only given out one. Not many more will be forthcoming.
A number of startups believe they can expand access to credit to currently underserved communities by using alternative datasets. The CFPB did issue a “no action” letter to one of them. What are the legal issues surrounding the use of alternative data in this way?
A. The biggest issue is to test your approach to ensure that it’s accurately predictive and not discriminatory. I’ll be honest — I always wonder what’s under the hood of these alternative approaches. The Equal Credit Opportunity Act prohibits discrimination on prohibited bases in all aspects of credit. Among the prohibited bases are race, sex, age, and national origin. There is this concept of disparate impact. Even though your algorithm may be neutral on its face, if the effect is that it has a discriminatory impact, there could still be a violation.
Let me give you an example. If in underwriting or pricing, you give extra points to students in a certain major or employees in a certain profession, and those majors and professions are not represented well by persons in protected classes, it could have disparate impact. So, in lending, the factors you use should be isolated and tested for disparate impact.
So, if my new lending startup is targeting graduates of certain colleges and universities, that sounds to me as is it could have a disparate impact.
It could. But when you start zeroing in closer to things like major or zip code, you run a greater risk.
Where do we stand with the OCC’s efforts to grant special purpose national bank charters to financial technology companies engaged in lending and payments-related activities?
One legal hurdle has been removed, for now, but another remains.
Last month, a New York court dismissed the New York Department of Financial Services challenge to the OCC’s proposal, saying it lacked subject matter jurisdiction. The Conference of State Bank Supervisors filed a similar challenge by lawsuit. Its suit is still alive.
The charter is up in the air at the OCC, but the new Comptroller, Joseph Otting, said in a press conference last month that it is still in the cards. He said there is a place in the banking world for some kind of FinTech charter, though the exact parameters of such a charter are still unclear. Bottom line, we are a ways away on the FinTech charter, so don’t bank on it in the short term.
Speaking of 50-state regulation as a burden, it appears to be holding back innovation in several categories, including insurance and international money transfer, compared to what we are seeing in Europe. Your thoughts?
It’s a big-time burden. If you are in payments and considered a money transmitter, you’re staring down the barrel of having to get licensed up across the country. If you are a money transmitter, you may need licenses in 40+ states. All in, the cost can approach $1 million, with preparation help, application fees, fingerprinting and background checks, and surety bonds. And, it will take you a year to get all of those licenses.
Now, there may be ways to partner with a bank early on to minimize money transmitter licensing by having the bank do the things that trigger licensing and having the FinTech payments company supply administrative support.
Although 50-state regulation is a burden, I do think FinTech companies with strong solutions can emerge nationally through bank partnerships.
I view those partnerships as potentially problematic because 1) your pricing has to reflect what you pay the bank, and 2) your customer experience isn’t what it should be — it’s what your banking partner is able to support.
A. I agree, but in keeping with the continuum approach, a partnership can allow you to operate on a 50-state basis more quickly and, when you develop enough business and you have enough money, you can flip to getting your own licenses and controlling your own destiny. If you make it big, you can get your own bank charter.
So that’s one of the things you want to anticipate when negotiating these partnership agreements. You have to be thinking long term.
Yes. I mean, we’ll put provisions in the agreement that say, if we get a FinTech bank charter or our own licenses, we have the option of terminating the agreement. You definitely need to be thinking about the next iteration of your business.
Are startups operating in New York aware of the state’s cybersecurity requirements and in compliance with them?
I think so. These cybersecurity requirements came into play about a year ago. Under the requirements, covered persons must adopt an approved, written cybersecurity policy and supporting policies and procedures that protect their information systems and non-public personal information. There are penetration testing and encryption requirements, among other things.
Covered persons include companies licensed by the New York DFS, so lenders, insurers, and banks. These entities also have to make sure their service providers meet these requirements.
Now, there a number of small business exemptions from many of the requirements. There are exemptions for companies with fewer than 10 employees, including independent contractors, and for companies with less than $5 million if gross revenue for the last three fiscal years from New York business operations. Or if you have less than $10 million in year-end total assets including assets of affiliates. So, a pure startup may have a break there. Not an exemption from all the requirements but from the major ones.
Should U.S. regulatory agencies consider the creation of a regulatory sandbox, following the lead of the UK, Singapore, Hong Kong, Canada, Australia, and Malaysia?
A. No. Not at all. I see regulation and business as separate.
Access to data is an important enabler for innovation in financial services. Yet many banks and insurance companies are worried about making that data available. What guidance do you have for firms that would like to work with startups but are concerned about data security and regulation?
I love the work that organizations like FinTech Sandbox in Boston are doing in this area. The way forward is more support for organizations like FinTech Sandbox.
The bottom line is that any concerns can be alleviated by due diligence. At the end of the day, if you have leading data security in place, then banks and insurance companies are going to be willing to work with you.
On the flipside of this issue, many consumer-oriented FinTech startups rely on consumers’ ability to grant them access to their financial account information. Some incumbents would like to withhold that access in an effort to thwart competition. In light of this, what do the recently released CFPB principles for consumer-authorized financial data sharing and aggregation mean for innovation, competition and consumer control?
The CFPB principles on consumer-authorized data sharing and aggregation focus on the push-pull tension between 1) widespread access to information that fosters consumer financial product innovation, and 2) the need to protect consumer data and to give consumers a say in how their data is shared. It’s a challenge to reconcile them. I do think we are seeing movement toward greater consumer control over their own financial data.
I’ve read a few whitepapers on so-called ICOs in the advertising space that are premised on consumers deciding what information they want to share with advertisers, what advertisements they want to see, advertisers rewarding consumers with tokens for sharing that information, and consumers being able to use those tokens for discounts on advertisers’ products. The whole use case is based on consumers having control over their information and being rewarded for allowing others to use it. I do think we’ll see more of this on the blockchain and beyond.
What are the regulatory issues surrounding AI-based individually-managed accounts?
There are a lot of them. First off, most advisers that sponsor AI-based separately managed accounts will need to register as investment advisers under the Investment Advisers Act of 1940 and comply with regulations under the Advisers Act. Over all, advisers have a duty to act in the best interest of their clients and must disclose and mitigate conflicts of interest, including conflicts about the receipt of third-party fees, such as from broker-dealers. As far as execution is concerned, an adviser can select either a broker that executes securities transactions for its clients or work with its clients’ existing brokerage firms. Advisers have a responsibility of best execution in working with any brokerage chosen. And if an adviser touches client money, it must comply with requirements concerning holding client cash, securities and other assets; mandatory audits of client accounts; and reporting to clients.
Performance fees are only available with clients having at least $2 million in net worth or $1 million in investments with the adviser. You have to be careful not to take any compensation based on the size or successful completion of securities transactions, which may trigger broker-dealer registration.
Advertising practices should be reviewed. The anti-fraud provisions in the securities laws prohibit testimonials in advertising, false or misleading claims, and employing performance information without significant disclosures. The world of social media brings nuances to these issues. Facebook “likes” and comments by clients can be viewed as testimonials. And character limitations on Twitter brings challenges to tweets that should have disclaimers.
AI is all is all about information, so the issues around information are most important. You have to protect clients’ personal non-public information, and you must have an effective information security program that protects against data breaches and hacking. In an AI-based platform, advisers have access to, create and store information about clients that is much more extensive than a typical adviser. One data breach could cause irreparable damage to the adviser’s reputation and business.
The question of what is a security tripped up some of the early P2P lenders and is vexing Initial Coin Offerings in the U.S. today. How do I know if I need to register my upcoming ICO with the SEC?
A. The window is closing on utility tokens. SEC Chairman Jay Clayton said that he hasn’t seen a ICO that doesn’t have some attributes of a securities offering. The SEC recently has taken some actions on ICOs, but they’ve been the blatant ones touting that their tokens will go up in value, not their use case, and marketing to investors and not users. The SEC is triangulating tokens by issuing subpoenas to exchanges and warning lawyers who work on them. But, even Chairman Clayton said in a statement that there very well may be legitimate utility tokens that are not securities. In his statement, the Chairman gave an example of a hypothetical book-of-the-month token that represents a participation interest in the arrangement, acknowledging that the token may not implicate securities laws as it would be an efficient way for the club’s operators to fund the future acquisition of books and facilitate the distribution of those books to token holders. So, if you have a fixed-price, arcade-like or subscription-like token, you may be able to get in under the closing window. We do think the future here is securities tokens, working with exemptions in the securities laws and Reg. A+ offerings.
My partners Grant Fondo and Mitzi Chang are among the very best lawyers in this area. I encourage readers who have a token idea to speak with Grant and Mitzi about their possibilities.
