The Compliance Factor


FinTech – or – It takes more than a few lines of code and an API to crack the bank-dominated world open.

We started developing online payment systems and eMoney wallets all the way back in 2001. Looking back at the past decade and the development that took place in the financial technology sector during this time, we can say with certainty: now is the right time to be in FinTech! All eyes are on FinTech startups, but not just on the innovations they bring. Regulators are watching the innovative startups closely as they fall, one after the other, into the trap of underestimating “The Compliance Factor”.

One thing you will hear from FinTech entrepreneurs over and over again is how strict the regulatory bodies are when it comes to operating a financial services business: how stupid the requirements are, how extensive the reporting is and how expensive it is to maintain compliance.

Yet one needs to understand: regulatory frameworks result from decades of fighting financial crime, identity theft and money laundering of all sorts. No wonder they are extensive and demanding.

How can a FinTech startup with limited financial resources live up to the challenge?

Before launching your product into the market, we highly recommend consulting a compliance professional and having your business model reviewed in order to understand which regulatory framework you fit into. While this might be a significant cost factor to consider, it will give you valuable guidance on what legal ground to build on.

Depending on factors such as business model, industry and business location, different regulatory frameworks may apply:

  • State level regulatory frameworks (PSD2, ZAG, Banking / E-Money or Money Transmitter Licensing)
  • Industry specific regulatory frameworks (PCI DSS, SWIFT, SEPA)
  • Money Laundering Regulations
  • KYC – Know Your Customer

The Easy Way

Probably the easiest, cheapest and fastest way to launch a fintech product is what we call the “Plug and Play” model. If your business model allows for it, select an already regulated partner (e.g. bank, PSP or E-Money Institution) and let them handle, process and safeguard your customer funds. This way, you avoid spending thousands of EUR on regulatory compliance and your time to market is significantly reduced. Don’t be fooled by the ease of this model though; there’s also a bitter pill to swallow:

  • You are not in 100% control of the customer assets
  • More importantly though: your product now has a deep dependency on the partner of choice. Every new product feature you wish to introduce that touches the consumer funds needs to be approved by the regulated party. Further, there’s plenty of room for potential conflicts between you and the service provider: starting with product development, through fraud management, down to customer service, just to name a few.

The Hard Way

Once the regulatory framework to comply with is identified, it’s time for you to dive into the regulator’s documentation and understand the requirements.

Do a gap analysis of what you already have in place and what is still to be done.

  • As a startup, documentation, AML and KYC will be your biggest gaps – I bet
  • Once the gaps are understood and the total effort has been estimated, it’s time to review whether your financial backing and revenue forecast allow for the cost of becoming a regulated financial institution.

Becoming a sEMI (small Electronic Money Issuer)

We will merely touch on the EU e-money licensing model here, as it is the type of licensing we have the most experience with.

OK, let’s assume your business model fits into the Electronic Money Issuer category, where you are allowed to issue electronic money into your system at par value (the e-money issued must be for the same amount as the funds received), and you have accepted the challenge.

Some regulatory bodies within the EU offer a staged approach for companies aiming to become an authorized e-money institution. For startups with a clear focus on their home market, a so-called sEMI (small Electronic Money Institution) licensing model has been introduced. The regulatory requirements are nearly identical to those of regular EMIs, making it relatively easy to “upgrade” at a later stage.

Key differences between a sEMI and EMI:

  1. The sEMI registration process is cheaper and more straightforward than authorization
  2. sEMIs are not required to hold an initial capital of €350.000 minimum
  3. The monthly total of payment transactions must not exceed €3m
  4. Average outstanding e-money must not exceed €5m
  5. Passporting the licence to other EU countries is not allowed.

What is passporting? http://ec.europa.eu/finance/payments/docs/emoney/passporting_guidelines_en.pdf

Other than that, the same regulatory requirements apply as for a full EMI. For more details, please go to:

http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32009L0110

Regulators react

Some regulators have well understood the FinTech industry’s need for support to be able to compete with the big players in the market. The UK seems to be one of the main drivers of this positive development and has positioned itself as the innovator hub for financial technology. The FCA (Financial Conduct Authority) revealed its plans to introduce what they call a “regulatory sandbox”, aiming to help startups reduce the time and potentially the cost of getting innovative ideas to market.

FCA Sandbox at a glance:

  • Applications open May 9th 2016
  • Two annual cohorts to begin with
  • Successful applicants will be able to test ideas without incurring the costs and consequences of going through the full regulatory process

See: https://innovate.fca.org.uk

FinTechs should bear in mind that with the UK leaving the EU over the course of the next 2 years, it may no longer be possible to passport British licences to the EU!

Anti Money Laundering

Fasten your seatbelts FinTechs, here comes AML!

All electronic money issuers must comply with legal requirements to deter and detect financial crime, which includes money laundering and terrorist financing. Relevant EU legislation includes:

  • The financial crime provisions in the EMRs (Electronic Money Regulations)
  • Section 21A of the Terrorism Act 2000
  • The Proceeds of Crime Act 2002
  • The Money Laundering Regulations 2007
  • The EC wire transfer regulation 22  
  • Schedule 7 to the Counter-Terrorism Act 2008

Electronic money issuers are also subject to the various pieces of legislation that implement the local financial sanctions regime. Further, regular monitoring for PEPs (Politically Exposed Persons) is required.

Make sure you have appropriate controls in place to monitor, on a regular basis, all transactions for suspicious activity and your customer base for individuals or companies listed on the sanctions or PEP lists. Have written policies and procedures that clearly define how to deal with suspicious activities and how to report them to the authorities. See “SAR” – Suspicious Activity Report.

The FCA Handbook for firms on preventing financial crime:

https://www.handbook.fca.org.uk/handbook/document/FC1_FCA_20140401.pdf

Similar guidelines are available from your local regulatory body.

KYC – Know Your Customer

Apart from AML, KYC (Know Your Customer) will be one of the bigger topics for you to learn about.

Although there are no specific legal or regulatory KYC (as opposed to simple identification) requirements, high-level obligations in the Money Laundering Regulations (see above) require a firm to counter the risk of money laundering.

To “Know Your Customer” means to have valid and verified proof that the person is who he or she claims to be. KYC requirements differ from country to country and the requirements also need to be reviewed at this level. In considering what KYC information to obtain and maintain, firms also need to meet their obligations under the Data Protection Act.

Details on how to meet country-specific KYC requirements can be found in PwC’s “Know Your Customer” quick international reference guide:

 https://www.pwc.co.uk/assets/pdf/anti-money-laundering-quick-reference-guide-2015.pdf

Maintaining compliance

“Do not comply just to be compliant, comply to keep your business safe from money laundering and terrorist financing”

Achieving regulatory compliance is hard, but maintaining it is harder. Be prepared for:

  • Regular reporting to the regulatory authorities
  • Training your staff in Security Awareness and AML on a regular basis
  • Investigating suspicious transactions and accounts
  • Reviewing every new feature you introduce for compliance
  • Monitoring the compliance status of your business partners

From here on, compliance becomes a non-negotiable and growing cost factor for your business. With it comes the responsibility of safeguarding your customer funds.

Final thoughts

Regulatory compliance clearly makes the difference between fintechs and established financial institutions today. The former highly depend on the latter. But with every EUR earned, Fintechs are closing the gap and will soon reach out for full control over customer funds. With better products, innovations and a much faster development pace, if not acquired by banks in time, they might leapfrog into unreachable distances and replace established financial institutions in the long run.

 

Author: Mark Caruso

Image used under CC licence by Andre Gunawan https://www.techinasia.com