A growing number of fintech companies are providing services to traditional financial institutions, coming together to modernize our financial infrastructure. As these business models continue to grow and gain popularity, they raise important legal and regulatory questions: What regulations apply to the fintech company’s activities? Where does the fintech company end and the regulated financial institution begin? Do the answers change if the services are customer-facing versus behind the scenes? Can fintech companies better manage their legal and compliance risk through thoughtful and strategic contracting?
In this article, we highlight four key legal considerations for fintech companies operating in this space.
1. Depending on the fintech company’s role in the arrangement, it may be subject to financial regulatory oversight. For example:
- A fintech company that provides critical back-office functions, such as clearing and settling payments, to a bank under contract may be considered a bank service provider subject to oversight by the bank’s supervisor (the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, or the Office of the Comptroller of the Currency) under the Bank Service Company Act.
- A fintech company that provides an application programming interface (API) connecting users of a social media platform with a broker-dealer could be required to register as an introducing broker and be subject to oversight by the U.S. Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA).
- A fintech company that sells access to sophisticated pricing services, underwriting tools, or trading algorithms used by brokers or investment advisers may itself be subject to regulation as an investment adviser, and/or may be exposed to liability for failing to provide sufficient information to an investment adviser or broker about its services.
In each case, oversight comes with significant regulation, including customer protection (such as potential custodial, cybersecurity notification, net capital, and other requirements depending on the type of activity and registration involved), reporting, examination, and other potential obligations that increase the time, money, and liabilities associated with conducting business. And these examples are the tip of the iceberg—the more innovative or complex the services provided to a regulated financial institution, the more regulatory questions they may raise.
2. Regardless of how they are structured, fintech companies must comply with privacy, cybersecurity, and consumer protection laws. In particular:
- With respect to privacy, fintech companies may be subject to Regulation P, which requires financial institutions (defined broadly to include a range of entities) to provide consumers with privacy notices detailing their data collection, use, and sharing practices. If the company shares nonpublic personal information with unaffiliated third parties, it must allow consumers to opt out. Both the Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission (FTC) are charged with enforcing this regulation.
- With respect to security, the FTC recently updated its Standards for Safeguarding Customer Information, requiring many fintech companies to implement reasonable security safeguards for the consumer information they maintain. The amendments are coming into effect in June and require, among other things, designating a “qualified individual” to oversee, implement, and enforce the information security program; developing written risk assessments; conducting a periodic assessment of the fintech company’s risks and safeguards; and having the qualified individual submit a written report at least annually to the business’s governing body.
- Consumer protection always raises an important set of considerations. In recent years, the FTC and CFPB have brought enforcement actions alleging that fintech companies have engaged in deceptive or unfair practices based on misleading disclosures about fees, consumers’ access to their funds, and the qualifications of experts hired by the company.
3. Regulated financial institutions may push their own regulatory obligations onto fintech companies, or even be required to scrutinize the fintech company’s business—which can expose a fintech company to unanticipated liabilities and other costs. For example:
- Banks, broker-dealers, and money services businesses often try to pass their anti-money laundering (AML) compliance obligations to service providers. Banks and other regulated financial institutions are required to implement and maintain a written AML program, conduct customer due diligence, and verify the identity of customers before opening a customer account. Banks, for instance, may seek to pass down AML compliance obligations to a fintech company that provides other services to their customers, by contractually requiring the fintech company to either collect and pass along customer information, or conduct its own diligence and provide the bank with the results of its diligence. In many cases, the bank may also require the fintech company to either adopt the bank’s AML program or adopt its own—subject to the bank’s approval. While the bank remains principally liable for AML compliance from a regulatory standpoint, this could open the fintech company up to its own independent liability under contract.
- Brokers and investment advisers often have fiduciary or other customer-protection obligations that require them to diligence service providers and scrutinize their businesses on an ongoing basis. For example, investment advisers need to have a basis for believing that forms of innovative alternative data provided by fintech companies are reliable and collected in a methodologically sound way, and they must ensure those data do not constitute insider information. In addition, a set of proposed rules could codify and augment that obligation. These obligations may increase the cost and complexity of doing business with an investment adviser.
- Community banks may feel compelled to follow the advice of federal banking agencies to protect their interests when partnering with fintech companies by including contract terms that, beyond requiring compliance with relevant legal and regulatory requirements, also authorize the community bank and its supervisor to access the fintech company’s records. This could cost a fintech time and money when and if it is required to comply.
4. Commercial contracting is critical to all the above: For fintech companies engaging with regulated financial institutions, commercial contracting is critical to risk management and formalizing clear responsibility for the regulatory considerations above. A few examples of best practice include the following:
- Commercial agreements should be tailored to the nuances of a particular arrangement. Parties with bargaining power (often regulated financial institutions) tend to insist their counterparty use complex, pre-drafted or “form” commercial agreements which may not always align with the business deal or accurately represent the services being provided—or even worse, may expose the arrangement as a whole to regulatory risk which could otherwise be avoided with more careful contracting practices. Fintech companies can mitigate these risks by engaging in discussion with legal counsel early and often in the contracting process.
- To ensure that contracts accurately represent the engagement between the parties, fintech companies should seek early buy-in across both the business and legal teams of the counterparty, to ensure that all parties have an accurate picture of the engagement and a shared understanding of each party’s responsibilities. This means, among other things, clearly assigning responsibility for compliance activities to the appropriate parties and, if the counterparty insists on including contract provisions that do not seem to fit the services being provided, clarifying that those provisions apply to the fintech company only to the extent required by applicable law or as relevant to the services being provided.
- Fintech companies should also negotiate for provisions that mitigate the risk of their counterparty’s contractual and regulatory noncompliance. For example, if a fintech company is the subject of a private lawsuit or an enforcement action or investigation by a regulator as a result of a regulatory violation or breach by the counterparty, that counterparty ought to make the fintech company whole via indemnification or other contractual protections.
- Contract negotiations—and not a point of regulatory failure—are the time to address these questions. Fintech companies should consider early in the contracting process whether they are agreeing to obligations with which they can realistically comply, particularly if those obligations will demand more resources than the fintech company might expect—and are not otherwise directly required by regulation or applicable to the services provided by the fintech company.
- All of these considerations are also important to a fintech company’s outward-facing terms of service, if it has any—that is, terms that represent a contract between the fintech company and its end users or customers. Fintech companies should consider how that contract manages and assigns responsibility for relevant regulatory and compliance obligations. Do the terms of service set accurate consumer expectations in light of applicable regulation—and accurately reflect the functionality of the fintech’s platform or service? Is the company obtaining sufficient protective representations from users? Is the company including required disclosures in its privacy policy? These considerations can be crucial to ensuring that the company is complying with both regulatory requirements and contractual obligations.
Takeaway
As fintech companies deepen their roots in the financial sector and its infrastructure, the potential consequences of failing to address the considerations above increase significantly. Careful consideration of potential regulation and the nuances of commercial contracting is crucial for a fintech company to succeed.
Wilson Sonsini Goodrich & Rosati advises fintech companies regarding the integration of their innovative technologies into regulated financial systems and counsels them on how to intelligently navigate associated novel and evolving legal issues. Please do not hesitate to contact a member of Wilson Sonsini’s fintech and financial services, national security, privacy and cybersecurity, and/or technology transactions practices for more information.