What every fintech needs to know to manage risk and compliance successfully
What is fintech compliance? In an increasingly regulated financial ecosystem, fintechs are just as responsible for compliance as banks are. By not actively participating, you could face multi-million-dollar fines, fall victim to a costly fraudulent scheme, or be forced to shut down some central piece of your business. Either outcome is a huge setback. Needless to say, compliance needs to be at the core of your business strategy.
While it can seem daunting, fintechs successfully navigate compliance all the time. The key is to have the right toolkit: know what rules apply to you, and have a clear plan for how to follow them. You want experts helping to create your compliance processes, but you also need your staff to be fully involved — because if anything goes wrong, your company ultimately will be responsible for any alleged regulatory violations. Most importantly, you know your customers best and are in the best position to detect and mitigate nefarious conduct that could signal financial crime or fraud.
While there is no one-size-fits-all approach to regulatory compliance, at the heart of an effective program is engagement and participation. The more a fintech is involved with understanding its risk and creating appropriate controls, the more it is positioned to scale and grow its business. Put simply, a robust regulatory compliance program leads to financial and regulatory success.
Here’s what your fintech should know about bank compliance to get started, including some key regulations that are likely to apply to your company.
What is compliance risk in banking?
So, what is compliance in the banking industry? Compliance risk in banking is the danger of violating any number of laws, regulations, or rules imposed by governments or industry self-regulating organizations. Oftentimes, the risk and regulatory violations relate directly to the potential for financial crime, terrorist financing, and other illicit conduct flowing through your transactions. The relevant regulations vary based on your specific use case, but they frequently include rules targeting the financial services industry as well as more general laws aimed at protecting consumers from predatory or unfair practices.
Those regulations include restrictions on interest rate increases, requirements to report suspicious activity, and rules against discrimination in lending.
The consequences of compliance failure can be steep. The Department of Justice fined JP Morgan Chase $13 billion in 2013 for allegedly overstating the value of mortgages it sold to investors just before the financial crisis.
Smaller banks, too, face costly consequences for harming customers. The Federal Deposit Insurance Corp. (FDIC) fined the relatively small Cross River Bank $641,750 for deceiving borrowers about loan terms. The bank and business partner Freedom Financial Asset Management were together required to reimburse customers up to $20 million.
What do fintechs need to know about compliance?
Even for fintechs that are not directly regulated, regulatory violations can come with indirect fines that are just as hefty and potentially deadly for the business. Exactly which rules are relevant to your business depends on the use case of your app or product. Whatever your business, you’ll be required to conduct appropriate know your customer (KYC) and sanctions screening, and to guard against money laundering and other illegal practices. And if you lend money to customers, you will have to follow loan regulations.
These are some of the first steps you should take to build a compliance program.
- Step 1: Understand which rules and regulations apply to you. Your banking as a service (BaaS) provider, bank partner, and third-party companies that specialize in compliance can help you figure this out. BaaS provider Treasury Prime is enhancing its Compliance Toolkit to help provide fintechs with a foundational framework for their compliance programs. Additionally, Treasury Prime has partnered with leading vendors in the space including Alloy and Unit 21.
- Step 2: Understand your risk profile and build corresponding controls with the help of experienced partners, thereby creating a program that manages your specific risks and ensures you comply with relevant laws. Treasury Prime recommends fintechs be fully involved in developing their compliance program. It’s important to thoroughly understand how this central part of your business works; the more you understand it, the better equipped you’ll be to adjust it to meet your changing needs as your company grows. While it can be time-consuming initially, early engagement and ownership of your compliance program will allow you to scale quickly and effectively. Remember you are not just building for today, but innovating for tomorrow.
- Step 3: Get your partner bank on board. While bank and fintech partnerships are often symbiotic, they are difficult to establish at the outset, because banks are often wary of the risks that come with partnering with fintechs. If you can get your bank’s compliance program on board with your compliance process and the foundational aspects of your program, you have a powerful ally to help you build trust with your bank as you take calculated risks to grow your business. Treasury Prime stands out from other BaaS providers because it has developed stronger relationships with more bank partners in this space and can facilitate a bank partnership that is appropriate for your fintech.
- Step 4: Identify vendors to build your compliance program. We recommend early-stage startups do this in coordination with expert specialists. Some vendors, like Alloy, specifically focus on KYC identity verification. Others, like Unit 21, focus on monitoring risk and detecting fraud such as money laundering. Treasury Prime will work with your organization to identify and foster critical partnerships with vendors.
When it comes to building out your compliance program, you have three options: You can work with specialized partners, work just with your general BaaS provider, or build a program internally on your own. Whatever your initial path, your company needs to be directly involved and have full visibility into compliance operations involving your product.
- Working with specialized partners: This option is the safest for small- to medium-size fintechs that are still figuring out their product and scaling their business. Specialized partners can tailor solutions to your specific use case, protecting your company against its unique risks. This option is also more cost-effective than building your internal program early on.
- Working just with your BaaS provider: Some BaaS providers offer general, one-size-fits-all compliance solutions. If you go this route, make sure you have full, transparent visibility into what your BaaS partner is doing. There’s a chance that a basic program like this won’t cover some risk or compliance need that is specific to your use case. You should be aware that compliance can never be fully outsourced. Even with a BaaS provider facilitating a compliance solution, you will have to be engaged and participate in the process.
- Building your own program: Relying on partners to structure and manage your compliance program ceases to be cost-effective once you reach a certain size. As you grow, you may also find that your partners have trouble scaling their services to meet your needs. At that point, you need to build your own internal program.
Fintech regulation — What you should know
Different fintechs will need to focus on different banking compliance regulations, but here are a few that are fairly universally applicable. A common theme in these rules is transparency and fundamental fairness. Each of them, in some way, calls for financial institutions to disclose important information to customers and/or regulators.
Bank Secrecy Act
The Bank Secrecy Act, adopted in 1970, is the basis of numerous compliance practices for banks, including know your customer (KYC) and due diligence processes. The BSA requires banks to help federal authorities detect and prevent money laundering and other financial crimes, which can indicate other criminal activity. Specifically, the law calls for banks to maintain records of customer activities and report large transactions to the government. The law was expanded under Title III of the Patriot Act. The BSA is in large part operationalized by a transaction monitoring process, which helps identify deviations from expected transaction patterns and acceptable use cases.
Electronic Fund Transfer Act (Reg E)
The Electronic Fund Transfer Act, also called Reg E or Regulation E, sets foundational rules governing EFTs. Under the regulation, financial institutions must disclose all terms related to EFTs to consumers; only issue cards or other “access devices” if consumers request them; and investigate any reports from customers of unauthorized EFTs. The law also limits customer liability for unauthorized EFTs that they report. The law defines an EFT to include transactions such as “POS and ATM transfers, direct deposits or withdrawals, telephone transfers, and transfers initiated through a debit card transaction.”
Equal Credit Opportunity Act (Reg B)
The Equal Credit Opportunity Act (ECOA, also called Reg B or Regulation B) prohibits lenders from discriminating against applicants based on race, age, gender, or other characteristics not relevant to creditworthiness. The rule applies to any organization that extends credit to consumers and covers all kinds of loans or lending instruments, including credit cards, personal loans, small business loans, student loans, loan modifications, and more.
Truth in Savings Act (TISA) and UDAAP
The Truth in Savings Act (TISA) requires financial institutions to disclose terms, fees, and information about interest rates to consumers opening various types of accounts. The law requires financial institutions to share this information when consumers open the accounts, when consumers ask for it, whenever terms change, and if relevant, when accounts mature. Regulation DD is a Federal Reserve directive that was enacted to implement TISA. In the current regulatory environment, regulators often review a fintech’s website and marketing material to gauge compliance with Reg DD.
Fintech compliance regulations — Make your bank a compliance ally
While many view compliance as an impediment to financial growth and innovation, compliance is often a key to growing your business in the right way. Rather than being viewed as a hindrance, compliance should be at the forefront in building your fintech. Tools built without fintech compliance in mind are sure to run into problems, cause massive fraud losses, and may require drastic revisions down the line.
To balance compliance requirements with innovation, founders should think in terms of how to make their partner bank’s compliance department an ally. If the compliance department at your partner bank trusts your business model and approach, it will be much easier to get bank management on your side as you experiment and grow.
Tips for working with your bank partner’s compliance department:
- Transparency: Be transparent with your bank from the very start of your relationship. The better they can see into your company, the better they can advise you on how regulators may view your features or changes to your product as you grow.
- Get in touch: If your primary contacts with your bank partner don’t already include the bank’s compliance department, request an introduction. Copy the bank’s compliance team on important communications to ensure they are in the loop. Your BaaS provider can also advise you on how best to handle this communication.
- Ask for input: Imagine if the interest rate on your loan doubled without notice or explanation. Or, imagine if a fraudster emptied your account and you couldn’t get your money back. Thanks to regulations, you don’t have to worry about those scenarios when working with a reputable, chartered bank. Regulations are a necessary piece of the larger financial system, and you want your fintech to align with them. That’s why your bank partner’s compliance department is an invaluable partner. Ask them for input on features before you build them, and you’re less likely to run into resistance from your bank’s executives, or worse, from regulators.
To follow these tips, you need a BaaS partner who enables you to communicate directly with your partner bank. That sounds straightforward, but it’s not necessarily the industry norm. A lot of BaaS providers will restrict communication between banks and fintechs, insisting all conversations move through the BaaS intermediary. Some providers may also fail to share important information about their fintech clients with the banks that support them. These setups are sometimes called “rent-a-charter” or “rent-a-bank,” and you should be wary of them.
You also want a BaaS partner that has the tools you need to build the right compliance program for your use case. That means finding an API banking provider who offers a broad spectrum of tools and who can also connect you with other third-party compliance specialists as needed.
Treasury Prime enables fintechs and other companies to embed and build fully customizable flows for KYC, compliance, and transaction monitoring for their neobanks, applications, and services. We provide as much guidance as you need while ensuring the process stays entirely under your command. We can also connect fintechs with compliance and KYC partners Unit 21, Alloy, Middesk, and LexisNexis to meet additional needs.
Ultimately, your partners can help you build the right program — but they shouldn’t take your place in running it. Your compliance program is central to the continuing success of your business and you should not give up control of it by deferring to others. This is especially true as your company grows and draws greater scrutiny from regulators.