The FinTech market is continuing to expand and disrupt the banking sector. New types of FinTechs have emerged in the past few years to offer more and more complex products including secured and unsecured loans, cards, deposit and savings accounts, cross-border/currency transactions, trading, and real estate. However, with this expansion and increased risk-taking by FinTechs, regulators have begun to signal that oversight and supervision are not far off.
This regulatory focus on FinTechs will require new risk management and controls to proactively address exposures that they have not historically faced, or that are today the responsibility of their banking partners. It’s likely that FinTechs will need to develop and manage programs in areas including fair lending, Bank Secrecy Act/Anti-Money Laundering (BSA/AML), and security.
Regulators Signal FinTech Action
One signal of what’s to come was sent in April 2022, when the Consumer Financial Protection Bureau (CFPB) announced its intent to utilize a previously unused authority, known as dormant authority, to examine nonbank financial companies it has “reasonable cause” to believe pose a risk to consumers. This capability, derived from Title X of the Dodd-Frank Act, allows the CFPB to include a broader scope of companies that offer consumer financial products or services as well as affiliates that act as service providers to those companies. In this instance, the CFPB is referring to FinTech companies, many of which are currently unregulated or working with bank partners that are responsible for their risk management functions.
This summer, the CFPB closed out the public comment period on this new authority and indicated that it intends to move forward. “Given the rapid growth of consumer offerings by nonbanks, the CFPB is now utilizing a dormant authority to hold nonbanks to the same standards that banks are held to,” said CFPB Director Rohit Chopra. FinTechs were singled out for this treatment. In addition, in presenting the CFPB’s agenda to Congress, Chopra doubled down on FinTechs, promising increased information gathering, particularly from “buy now, pay later” (BNPL) companies.
Simultaneously, the agency issued a procedural rule to increase transparency in its risk-based determinations and to make final decisions and orders accessible as precedents in future proceedings. Risky conduct may involve potentially unfair, deceptive, or abusive acts or practices (UDAAPs) or other acts that might violate federal consumer financial law.
Recent moves by other government agencies further demonstrate that FinTechs should prepare for stronger oversight and implement corresponding risk management programs. For example, the Government Accountability Office (GAO) recently published recommendations for federal agencies to oversee FinTechs, and the Office of the Comptroller of the Currency (OCC) increased oversight of companies with special purpose charters and companies that are designated as bank service providers.
FinTech Compliance vs. Growth
An increase in regulatory scrutiny means that FinTechs will need to establish more robust risk management frameworks and controls as part of their growth strategy. However, this will likely harm some FinTechs, particularly those in the startup/funding stage, since these compliance management systems (CMS) can be costly to build and maintain. Because of the wide range of products FinTechs offer, and their often complex transactions, their CMSs will likely need customization to suit their risk profiles. Off-the-shelf solutions will generally not serve FinTechs’ purposes. Heightened regulatory scrutiny, with FinTechs shouldering the burden of proof of compliance, could impact their speed to market and ability to innovate, as well as the overall application of technology to the financial sector.
As it focuses on FinTechs, the CFPB has indicated that it will use a multitude of inputs including complaints, state and federal partner feedback, judicial options, administrative decisions, whistleblower complaints, and negative/adverse news reports. It’s safe to say that the CFPB will begin by targeting FinTechs that have drawn negative attention or complaints from consumers and state attorneys general. Chopra recently said the CFPB had issued a series of orders to get answers from key FinTech players on their use of data and credit reporting. Several large BNPL FinTechs have already received requests, as this convergence of finance and commerce apps has drawn CFPB scrutiny. “We are expecting to issue one or more reports related to this,” Chopra said.
Once the bureau proclaims jurisdiction over a company, it can generally examine any consumer-related product or service the company offers for compliance with relevant consumer protection requirements. Therefore, if the CFPB perceives risk in one product offered by a FinTech, it could also exercise authority over all of the company’s consumer-focused products and services.
Steps Toward FinTech Compliance
FinTechs and other nonbank entities should begin to prepare for increased oversight and requirements coming either directly from traditional banking regulators or from bank partners facing heightened scrutiny of the FinTech products they use. Activities that should be considered include:
- Establish a robust CMS. Ensure that you have a clearly defined compliance risk management program in place, including clear roles, responsibilities, and documentation of expectations for the organization.
- Evaluate Anti-Money Laundering Risk. Implement and assess programs for measuring and monitoring AML and BSA risk, including controls around CIP/KYC, Periodic Monitoring, OFAC Screening, Regulatory reporting (e.g., SARs, CTRs), and information sharing.
- Implement a formal complaint management program. You should have a strong understanding of your customers’ feedback, especially as it relates to compliance matters. Your company should understand where and how to identify a complaint and what to do with it. Complaints should be included in regular reporting to senior management, including trends and resolution tracking.
- Perform a risk assessment. Evaluate the risk of the regulations applicable to the products and services you are offering. Analyze the adequacy and robustness of controls in light of recent speeches, announcements, enforcement actions, and penalties for non-compliance with these regulations.
- Update/develop policies and procedures. Ensure all policies and procedures have been recently reviewed and approved, and that they include relevant compliance considerations, such as who to contact for compliance questions or how to escalate compliance issues.
- Train the organization. Ensure that all employees have completed training related to the regulatory requirements and expectations associated with the products, services, and roles they are responsible for.
- Discuss compliance. Ensure there are governance forums (e.g., a compliance committee) that are responsible for and regularly discuss compliance topics and issues. Include relevant compliance information in reporting to senior management and the board.
- Review partnerships and third parties. Analyze third-party relationships for potential compliance risks and engage with partners to establish controls where risks are unmitigated.
- Conduct an Independent Review. Engage subject matter advisors or third-party advisory firms to conduct a review of the design and operating effectiveness of your program ahead of a regulatory inquiry.