5 Principles To Simplify Compliance For Fintech Startups

Law 360

Authored Article


Compliance officers at financial technology (fintech) startups have one of the most daunting tasks in the financial services industry — giving the green light to a new product or service in the face of significant time and monetary constraints. New companies rarely have the time and resources to invest in a compliance management system that is equipped to incorporate every federal law, regulation and snippet of informal guidance (let alone state law) into a company’s decision to launch a new product or service. Over the past year, however, federal regulators have brought several enforcement actions against fintech firms and sent a clear message that fintech firms cannot simply ignore the complex web of regulations applicable to the financial services industry. While regulators expect companies to develop a robust compliance management system as they grow, small and emerging companies can engage in principle-based compliance to identify and minimize the risks that will most likely land them in a regulator’s crosshairs. Here are 15 words in five lines to get you started:

  1. Know your customers
  2. Know your vendors
  3. Ability to repay
  4. Good for grandma
  5. Candor in marketing

1. Know Your Customers

You’re offering a new financial service. Of course, you want new customers. Whether those customers are consumers or other businesses, make sure you can verify that they are who they say they are. It’s not enough to be a good actor that intends to provide a valuable financial product to the world. If your product is susceptible to use by bad actors, then it’s important to have a system of checks in place to prevent those actors from using your product for nefarious ends.

The Bank Secrecy Act (BSA), among other things, requires certain regulated entities, including fintech firms, to develop and implement anti-money laundering (AML) compliance programs reasonably designed to assure and monitor compliance with the BSA and its implementing regulations. At a minimum, a fintech firm’s AML compliance program must include:

  • A system of internal controls to ensure ongoing compliance;
  • Independent testing of AML compliance;
  • Designation of an individual or individuals responsible for managing BSA compliance;
  • A comprehensive training program for appropriate personnel; and
  • A customer identification program.

The U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) has also promulgated a number of regulations requiring certain financial institutions to establish customer identification programs (CIPs) to prevent the use of the financial system for illicit purposes. In order to comply with CIP requirements, financial institutions are required to implement procedures for account opening that, at a minimum:

  • Verify the identity of any person seeking to open an account, to the extent reasonable and practicable;
  • Maintain records of the information used to verify the person’s identity, including name, address and other identifying information; and
  • Determine whether the person appears on any lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency.

Fintech firms that fail to implement a comprehensive AML compliance program do so at the risk of significant penalties and fines. Over the last year, FinCEN and other federal regulators have demonstrated their proactive commitment to holding fintech firms accountable for failing to implement comprehensive, risk-based AML compliance programs.

2. Know Your Vendors

Fintech companies often place great emphasis on hiring talent, but then pay only minimal attention to the third-party service providers they engage to deliver services outside of the company’s core offerings. By not holding third-party service providers to standards akin to those you keep for your own employees, financial services companies risk not only business setbacks, but also significant legal exposure. Whatever you call it (service provider liability, Operation Choke Point, vendor management or substantial assistance), financial regulators have a plethora of tools at their disposal to hold one party responsible for the bad, or negligent, acts of another. Whether you are hiring a service provider or are the third-party service provider, expect regulators to examine whether your practices have the effect of furthering a third party’s negligent or harmful acts.

The Consumer Financial Protection Bureau has already expressed a commitment to using its enforcement authority over third-party service providers to prevent consumer harm. In consent orders with ACE Cash Express, Universal Debt & Payment Solutions and GE Capital Retail Bank, the CFPB identified violations of the Consumer Financial Protection Act where a company failed to oversee and correct perceived harmful practices by third-party service providers. The CFPB has also recently made clear that it will begin using its supervision authority to examine service providers. If an examination reveals that a service provider’s service to consumers falls short of the CFPB’s expectations, then the CFPB has the authority to attribute that failure to the principal party.

3. Ability to Repay

If you intend to offer your financial service to consumers, then it is imperative that you determine whether the consumers who want to buy your service have the ability to pay for it. Leave your beliefs about consumer responsibility and free market economics at home; that ship has already sailed in the offices of most financial regulators. The era of no income, no job or assets (NINJA) financial products will not soon be forgotten by regulators, who will continue to rely on ability-to-repay principles in bringing enforcement actions against financial services providers. The ability-to-repay principle was born out of the residential mortgage crisis, but it is applicable in any market where a company offers a financial service directly to consumers.

In the small-dollar lending market, the CFPB has proposed rules, and the Arizona Senate recently considered legislation, that would allow small-dollar consumer loans as long as providers first evaluated a borrower’s ability to repay the loan. While the CFPB regulation may be on indefinite hold given recent political winds, it is fair to expect that states will continue to make the ability-to-repay principle a hallmark of consumer lending legislation and regulation.

Even absent an express prohibition, regulators can still find means to discourage a company from offering a consumer product without first evaluating a borrower’s ability to repay. For example, in March 2017, Santander Consumer USA paid $26 million in a settlement with the Delaware and Massachusetts attorneys general offices for funding auto loans without having a reasonable basis to believe that the borrowers could afford them. There, the attorneys general offices relied on their states’ respective unfair trade practices laws to allege that Santander violated state law by not considering a borrower’s ability to repay prior to extending credit to the consumer.

4. Good for Grandma

In a similar vein, it is important to make sure that the financial service you’re offering is appropriate for the audience that will be using it. Ask yourself the question, if your grandma was in the shoes of the person to whom you’re marketing your product, would you want her to buy that product? If grandma has an 850 credit score, high income, and a deep reserve of assets, the service you offer her is likely going to be different than if she had a low income with a poor credit score and a history of defaults. Not all financial services need to be equal, but they all do need to be fair for the audience to whom they’re offered. Regulators have struggled with applying this principle to areas like prepaid cards and small-dollar loans as those products are most often utilized by low-income individuals without impeccable financial credentials. If you’re offering those products, you should expect more scrutiny from regulators and be prepared to defend your product against other products in its class. In preparing to launch a new product, consider whether, given the credit profile of the audience, the product you’re offering is reasonable compared to other products being marketed by competitors to that space.

5. Candor in Marketing

Last but not least, you must make sure that the marketing team is only selling a service as good as the one you’re offering today, not the service you hope your company can offer in the future. It’s OK to dream big — but until you get there, don’t oversell. Overstating the value, hiding the real terms, and not providing effective disclosures are surefire ways to land yourself in the crosshairs of a regulator’s deceptive trade practices claim.

In March 2017, the CFPB and Experian entered into a consent order that required Experian to pay a $3 million penalty for allegedly deceiving consumers over how their credit scores were used by lenders. In 2016, the CFPB’s enforcement action against Dwolla was based on Dwolla’s misrepresentation that its data security practices exceeded industry standards. While the CFPB listed a number of areas where Dwolla’s data security practices were inadequate, the CFPB’s claim was not that the inadequate practices were unfair, but rather that Dwolla’s representations that its practices were adequate were deceptive. Had Dwolla omitted statements about its data security practices from its consumer-facing marketing materials, the CFPB’s enforcement action would have looked vastly different.


As fintech companies grow, so too will their compliance burdens. Regulators have made it clear that they are willing to bring enforcement actions for technical violations of laws and regulations, even without a showing of consumer harm. With that in mind, it is important for fintech startups to recognize when they’re no longer small fry and need to expand their investment in compliance. As fintech companies begin developing effective compliance programs, incorporating the principles outlined above will undoubtedly help fintech startups diminish the risk of becoming a target of a government enforcement action.

Sean C. Wagner is an associate in the Charlotte, North Carolina, office of Bradley Arant Boult Cummings LLP.

Nathan P. Viebrock is an associate in Bradley Arant's Charlotte and Washington, D.C., offices. He is a former CFPB enforcement attorney.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

Republished with permission. This article, "5 Principles To Simplify Compliance For Fintech Startups," first appeared in Law360 on April 25, 2017.