Disruptive technology is taking over the financial services industry, much like technology has reshaped the retail, hotel, music, and taxi industries in recent years. While investment in the Fintech market has been growing rapidly and substantially—from $514.5 million in 2010 to $7.6 billion in 2015—the regulatory framework is still immature, and we should expect to see substantial development in the near future. Fintech innovations bring major benefits to the economy and consumers, but they also raise concerns in relation to data privacy, security, and equality of access. For example, mobile payments create a parallel system outside the banking system, which central banks do not have the authority to oversee. Bank regulators worry that consumer data can be breached by, or through, third parties that gain access to data in the course of processing transactions, performing marketing roles, and offering shared or co-branded products or other services. Target’s major security breach in 2013 was initiated through its air-conditioning vendor.
Unlike other industries disrupted by technology thus far, the financial industry is a highly regulated sector. Five federal agencies directly supervise financial institutions, at least 20 federal agencies regulate financial products (e.g., mortgages, student loans), and state agencies impose their own regulations. Each of these agencies has their own mandates, and they often overlap. Fintech enthusiasts claim that certain state laws and the federal government’s uncertain position are holding back innovation. To address this, a number of House Representatives are drafting a new Fintech-friendly legislation package called “Innovation Initiative,” which will include provisions that will remove restrictions for crowdfunding and facilitate a federal regulatory framework that will trump strict state regulation. This is the approach taken by the U.K., the world leader in Fintech, whose regulatory regime encourages competition and imposes light restrictions on Fintech companies. Through the Financial Conduct Authority’s Project Innovate, the U.K. allows market access to any company developing new business models that fall outside of current regulation.
Recently, the U.S. Consumer Financial Protection Bureau (CFPB) finalized a new policy, similar to that of the UK, which will offer more regulatory certainty to Fintech companies. The CFPB will grant revocable no-action letters that ensures it will not take enforcement action against a Fintech company for introducing a new financial service.
Critics worry that both the existing uncertainty in this field and the lack of oversight over non-bank entities providing financial services may harm consumers. The forthcoming legislation should not only enable access to the market for Fintech companies, but should also provide consumer protection. In the meantime, executive agencies are responding to existing threats to consumer data. In March 2016, the CFPB announced its first data security enforcement action by issuing a consent order against Dwolla, an online payment platform company, for failing to maintain adequate data security practices despite representations made by the company. Dwolla must pay a fine of $100,000 and repair its security platform. Thus, while the CFPB will issue revocable no-action letters to Fintech companies to encourage their market participation, the same agency (and potentially other agencies) may eventually take enforcement action against them for data security inadequacies.
While it is difficult to predict how technology will evolve, the Fintech legal and regulatory community should facilitate solutions for today’s challenges and be prepared to quickly adapt and provide solutions for future developments. An unclear regulatory regime has the potential to drive entrepreneurs out of consumer financial services due to unwarranted risk.
Fintech Driving Regulatory Changes in the Financial Sphere (PDF)