The importance of Compliance for FinTechs


It might not be sexy, but not adhering to the rules is not an option, regardless of the size of an organisation. Jochen Heussner from explains in the following article why Compliance is important for FinTechs, too, and why even StartUps need to think about basic Compliance provisions as well as consider the impact of regulations.

A few years ago, a friend and I were working on bringing the crowdfunding revolution to Italy. Our idea to set up an equity crowdfunding platform seemed to be the thing Italian companies needed: struggling banks and a massive funding gap for small and medium-sized companies. It seemed to be an opportunity too good to be true. We had been talking to start-ups and small firms that were very keen on getting the financing they desperately needed in this new fashion, especially since their experiences with traditional institutions had left them disappointed.

We were already working on the website when we got hit by a regulatory freight train: Italy was amongst the first countries to issue dedicated rules for equity crowdfunding platforms in the summer of 2016, and though the intentions might have been good, the consequences were severe and in our case deadly (at least for the project). Regulation has a purpose, and a set of rules aiming to maintain trust and integrity, in particular in financial services, isn’t necessarily a bad thing. The Italian lawmakers, though, did what every good regulator should be very aware of and try to avoid at all costs: stifling innovation and making it impossible for businesses to prosper; after all, those businesses also pay the taxes that pay for government jobs. That is what happened, and without going into too much detail (if you are interested though, take a look at our article on the subject), the new rules created limitations that made it very difficult for firms to obtain funding through crowdfunding and in turn very challenging for the platforms themselves to make money. The result is that three years after the introduction of the initial rules and two sets of modifications later (the most recent in March 2016), the number of successful campaigns is very manageable and the industry has in total raised a mere €5 million (in contrast, in the UK in 2015 alone the total transaction volume attributed to investment-based crowdfunding models was a whopping £250 million, even after excluding real-estate equity crowdfunding and debt-based securities).

Now you might say, “What do I care about Italy? It isn’t exactly the home of FinTech innovation,” or that this was one example of foolish planning. Well, valid points, but as you will see, even big shots in the FinTech industry have got a taste of the bitter medicine of not paying enough attention to compliance obligations.

The Ripple effects of disregarding Compliance

Take Ripple, for example, the creator and a developer of the Ripple payment protocol and exchange network. Recently, it has been in the headlines for its partnerships with industry heavyweights like Santander, UBS, Royal Bank of Canada and Unicredit to use its blockchain for cross-border payments.

Last year, however, it was in the press over a $700,000 fine it received at the hands of U.S. regulator FinCEN. Ripple was charged with violating several requirements of the Bank Secrecy Act (BSA) by acting as a money services business (MSB) and selling its virtual currency without registering with FinCEN, and by failing to implement and maintain an adequate anti-money laundering (AML) program designed to protect its products from use by money launderers or terrorist financiers. This fine didn’t cause the breakdown of operations at Ripple, but it is possible that it caused a couple of sleepless nights, when they could have had it so much cheaper and put the money for the fine to much better use somewhere else in the firm.

Being honest about Data Security and Safety of Payment Systems

Earlier this year, the U.S. Consumer Financial Protection Bureau took action against online payment platform Dwolla for deceiving consumers about its data security practices and the safety of its online payment system. The CFPB ordered Dwolla to pay a $100,000 penalty and fix its security practices. Since December 2009, Dwolla has collected and stored consumers’ sensitive personal information and provided a platform for financial transactions. As of May 2015, it had more than 650,000 users and had transferred as much as $5 million per day. From December 2010 until 2014, Dwolla claimed to protect consumer data from unauthorized access with “safe” and “secure” transactions. On its website and in communications with consumers, Dwolla claimed its data security practices exceeded industry standards and were Payment Card Industry Data Security Standard compliant. It also claimed that it encrypted all sensitive personal information and that its mobile applications were safe and secure. But rather than setting “a new precedent for the payments industry” as asserted, Dwolla’s data security practices in fact fell far short of its claims.

It is also important to note that this isn’t a problem that is specific to payment services platforms. Many FinTech firms collect large amounts of data and, in particular at the start-up stage, may have to focus on product development, so it could easily be the case that they do not consider compliance with privacy and data protection rules. If such an issue exists and is not dealt with in time, the consequences for the business could be catastrophic.


The rise and fall of Lending Club

To conclude our little tour of FinTech enforcement action, let’s turn to LendingClub. In case you hadn’t heard about the company that raised $1 billion in what became the largest technology IPO of 2014 in the United States, Lending Club is the world’s biggest marketplace lending platform. In May 2016, though, the U.S. Department of Justice opened an investigation. Its CEO was forced out after an internal review found the company had falsified documentation when selling a package of loans. The investigation is ongoing, but the share price has suffered massively in what seems to be a case of insufficient internal controls. In any case, it has led to a series of discussions and even probes into the wider crowdfunding industry on both sides of the Atlantic. It also highlights the need for FinTechs to consider regulation and create the right compliance culture at all stages of their development.


What value do you get from a regulatory expert?

Well, for starters, just think about this: there are about 10 regulatory authorities in the United States that oversee financial services, plus each of the 50 American states has its own rules and regulators.

In the European Union, national regulators regulate financial services firms. A lot of legislation is based on EU law though, so it might not hurt to understand what European institutions are doing, even if you were to ignore that some countries have more than one regulatory authority. Take the UK: though the Financial Services Authority is likely to be your first port of call, the Bank of England and its Prudential Regulatory Authority and the Financial Policy Committee also come into play. Depending on the kind of activity, the Competition and Markets Authority (CMA) might have something to say about what you do. Then there would be the Payment Systems Regulator (PSR), which – you might have guessed it – regulates the payment services industry in the UK. And so on, but you have probably already lost track of the who’s who of regulatory authorities and would rather return to developing the next Google or Facebook, which is very understandable.

As luck would have it, though, a regulatory advisor or experienced lawyer can help you with this and a couple of other things:

They will be able to tell you right from the start what the regulatory implications for your business model are. Take the example of our Italian crowdfunding platform from above, which wouldn’t fly from the start. Also, sometimes there is a reason for the space start-ups occupy to disrupt an industry, and that reason may be regulation.

If your business model passes the first test, they will advise you which regulations apply and how to go about it, pointing you to the right authorities and providing guidance regarding your regulatory obligations.

They might even be able to propose modifications to your products and services based on their experience in the sector. Unless you speak to your uncle’s son who’s recently graduated from law school (no offence meant!), they will likely have worked with plenty of other firms in similar situations and will have a very good understanding of the financial services industry. Who knows, maybe they can even point you to the solution banks need and that your firm could develop.

In case you need to obtain a license or registration, they should also be able to help with the process to make sure you don’t spend more time on it than you have to.

And lastly, if things go wrong, which might happen despite the best of plans, you will want an expert by your side in case you have to talk to the regulators.



This article was first published at and you can find it here.

Jochen Heussner is an experienced lawyer and compliance professional who has worked for financial institutions, law firms and consultancies for many years and in several jurisdictions. He analyses and writes about regulatory initiatives for the financial sector as well as the change innovation and technology are bringing to the industry. You can follow him on Twitter at @JochenHeussner.