Podcast Episode 3: State Regulators

Matt and Reggie dive deep into how fintechs should think about regulators and regulation in this episode of the Fintech Layer Cake.

Fintech Layer Cake is presented by Lithic and hosted by Matt Janiga, our general counsel, and Reggie Young, our product counsel and author of the Fintech Law TL;DR newsletter.

Expand for full transcript

Reggie Young: Hi, I'm Reggie Young, product counsel of great companies like BlueVine and now Lithic, and author of the FinTech TL;DR newsletter.

Matt Janiga: Fantastic newsletter, by the way. If folks haven't signed up, you should absolutely get it. And why should you listen to me? I'm Matt Janiga. I'm the compliance officer and general counsel at Lithic, previously of Capital One, Square, Stripe and BlueVine.

Reggie Young: Today, we're going to talk about one of our favorite topics.

Matt Janiga: Aren't they all our favorite topics, Reggie?

Reggie Young: Well, yeah. But this one is required to be favorite topic. It's our primer on how fintech should think about regulators and regulation.

Matt Janiga: That's right. And fantastic framing. Today, we're going to start with an overview of what regulators are, talk about regulatory schemes, then talk about licensing and also what you want to do when regulators reach out to you, to talk about your company or your product. So let's get started.

Reggie Young: First, let's zoom out. What are regulations? Well, regulations are rules of the road that protect customers and markets. The government generally doesn't want you ripping people off because, well, it's the wrong thing to do, but also someone needs to clean up the mess.

Matt Janiga: Reggie, it's probably helpful for our listeners to understand where do these requirements come from. Can you step us through that?

Reggie Young: It's a great question. It's a good starting point. So legislators pass laws, and sometimes those laws give powers to regulators to do things like handle licensing or fill in the details that a law didn't cover, or otherwise just make rules about whatever is needed. We're American, so we'll focus on the main ways US legislation, the stuff that leads to regulations, is created.

There are few ways, the first of which is uniform law committees. These are groups of lawyers that come together to draft and update prototypical legislation or model laws, as they're known. One of the most common ones is the Uniform Commercial Code, which is a model law about contracts and secure transactions. A second source of legislation is state regulators, who can advocate for their preferred laws. For example, in financial services, the Conference of State Bank Supervisors or CSBS, as it's known, is a group of state financial regulators. They've created a model money transmission law that they're hoping to get states to adopt for consistency.

Matt Janiga: And it's also important to call out and not forget about, because it can impact your business, that companies and lobbyists are also another source of changes in laws. If you've ever run across a [inaudible 00:02:31] state law, odds are there's a large company or a group of well funded, large companies that created sample legislation and got a state to pick it up. A few years ago, for example, PayPal lobbied Washington State's legislature for a minor technical change in their law. You can actually still find these hearings online. You can watch PayPal discuss the pros of these changes with the state legislators.

Washington also did a recent overhaul of the law to pick up some crypto related elements. And part of the driver of this were lobbyists and law firms highlighting gaps in the current money transmission law, and how those laws didn't well apply to crypto related companies.

Reggie Young: But why should fintech founders and operators care about regulators and regulations? Well, the short answer is messing up with regulators can lead to big fines or even end your business. LendUp is a recent example. Regulators took issue with their business practices and ultimately forced the company to stop making loans and shut down.

Matt Janiga: This is a really good call out, Reggie. I worked with Sean Ruff. He's now a partner at Cooley, still a very good friend. Sean always liked to say, and I think this is right, "Regulators have the last gotcha." This is where you can be right on those technical merits of things, you can be right on your legal arguments, but at the end of the day, the regulators sometimes get to be the judge and they also get to be the executioner, as we've seen in unfortunately a couple of fintech examples.

All right. So next step, let's talk about regulators. Believe it or not, because we know we have some listeners out there, you love the marketplace of ideas. You're going to love this. There is a marketplace of regulators. Here's how that breaks down. Regulators basically have their own mini marketplace, where they compete for licensees and charter holders. Reggie, do you want to take us on a tour of this mini marketplace of regulators and regulator land, and what that looks like?

Reggie Young: Would love to. There are some high level buckets regulators can fall into. First, there's state versus federal. Each state sets up their own regulators however they want, and what those regulators have authority over can vary. Some states' regulators don't have a lot of authority over financial products and services [inaudible 00:04:32] businesses, where other states have higher standards for those sorts of products. And then above all those states, there's the federal level or national level of regulators. These are the agencies like CFPB or SEC who get to oversee things at a national level.

So that's the first bucket, state versus federal. The second is bank versus non-bank regulators. Bank regulators are primarily concerned with making sure the banking system can hold up under stress. Whereas non-bank regulators tend to focus more on protecting consumers or making sure that markets are working well. They regulate things like deceptive advertising or lending licenses regimes. Today, we're going to focus on state non-bank regulators.

Matt Janiga: That's right. We've got a wealth of information and expertise in that space, and so we're excited to share it with you all. One quick nugget though, that might be helpful. As folks know, here at Lithic we live in bank partnership land, as do many of you, building card programs or lending programs. So we want to call out that it's interesting because you can see, even at that small community bank level, banks have a choice between being regulated, for their prudential regulator, of the Fed or the FDIC system.

And I've been doing this long enough... In fact, back in law school, the general counsel of Minneapolis Fed was a teacher of mine. He was the first one that helped illuminate this for me. But he talked about how banks have that choice and they can lean in and they can be FDIC examined banks or they can be Fed examined banks, when they're down at that local state community chartered type of level.

And it's something that does stick out. As you're working across the fintech space, there's certain regions where you may find advantages partnering with a bank who's FDIC regulated, or others, you may find that they have great relationships with their local Fed examination staff. And the Fed staff is really deep on fintech. It really varies, depends on the market, and it's something you can pick up by talking to great practitioners, and we're always happy to chat about it here at Lithic. So with that helpful tip out of the way, Reggie, let's talk about regulatory schemes. I'm going to step listeners through a few things, then I'll to toss it over to you. Is that okay with you?

Reggie Young: That sounds great.

Matt Janiga: Awesome. We don't want you to feel like there's some hidden secret that you can't get a hold of. This is not a hard topic. Pretty much everywhere you go and everywhere you look within regulator land, you're going to see patterns that are going to emerge, and these are going to pop up across products and markets. And we're going to step you through some of them now. Just like there's only one or two ways to peel a banana, or skin a cat, as I wanted to say, but our lawyers made us cut it, there's really only a few structures that the government can use to drive regulation and oversight.

As Reggie mentioned earlier, regulators care about a few different things like safety and soundness. They want you to stay upright so you don't cause work for them via failure and you don't cause headaches for people who have to interact with various constituents. That's going to be politicians, other regulators and others. This is effectively what FDSC insurance is. It helps make sure that you stay upright. State insurance laws are also very similar. They're set up to structure, so that way, if there's a problem with that state insurer, consumers who have paid premiums, in some cases for many, many years, aren't left holding the bag and left without protection.

Another key mechanism that you'll see pop up from time to time is going to be customer protection. There's really good debate right now, going on on Twitter. We're taping this in June of 2022, in case you're looking at this at a later date. But there's a lot of great practitioners, a lot of great lawyers, talking about how consumer protection is historically driven by disclosures. And there's some debate, especially as the crypto world is seeing some turbulence right now, about how effective those disclosures can be. Because you've seen some of those companies disclose what their risks are and you can read their terms and find out what their products are, but people are still piling into them anyway. And in some cases right now, again, as we tape in June of 2022, seeing some losses.

Reggie Young: There's also securities and commodities regulatory schemes. These are mainly meant to protect investors from fraud and generally make sure the markets are staying healthy on a federal level. The SEC sets requirements for securities registration and disclosure, as well as rules that help keep the plumbing, the actual [inaudible 00:08:22] markets operate behind the scenes, working well. But states can also have their own securities laws. These are typically called blue sky laws, and fintech startups encounter these regimes pretty quickly, since you generally need to file disclosures whenever you fundraise.

Matt Janiga: Reggie, securities laws are really easy, right?

Reggie Young: Definitely not. They're tricky. So you should talk to a lawyer if you're doing something like building a broker dealer, which is what Robinhood is, or if you're fundraising.

Matt Janiga: That's right. These regulatory schemes, safety and soundness, consumer protection, and investor protection, are then applied across the different types of state non-bank regulators.

Reggie Young: That's right. The main lines break down today as payments versus lending versus securities versus insurance, all of which usually involves some type of non-bank state regulation. So you want to get regulated. Okay, so you don't want to get regulated. But you got to figure out if you are, how do you do it?

First, identify what product you have that might require regulation. Fun fact, not all products require regulation. Here's two examples. In lending, some states will exempt you if your product is under a certain interest rate threshold or you don't require recourse. Another example is in payments. Some states will look at your money transmitter applications and tell you actually aren't regulated. Wisconsin used to do this a lot. Similar states didn't regulate B2B payments products, but those laws have generally changed since, to include them.

Matt Janiga: That's right. And I remember I was working at a money transmitter one time, and I think Wisconsin sent us back our license and said, "Sorry, you guys don't need this, so you're all set," which was really funny. A time to be there and funny mail to get. All right, so next after that, you need to identify what disclosures might you need. Again, you may not be regulated, as Reggie mentioned. But there are some instances where you're going to have some rules of the road around disclosures, even if you don't need things like licenses.

Disclosure requirements are becoming increasingly in vogue with state legislatures and they're driven by a couple different trends. The trend right now, again, as of June, 2022, a big one popping up is state S&B lending disclosures. California just finalized their rules, a few years after their statute passed. And we're seeing similar efforts in Illinois, New York and other states, to try and bring new disclosures because there is no federal version of this right now.

Now, these are going to apply to most S&B term loan and credit substitute products like merchant cash advances. So for those of you building and getting scale without licenses, pay attention. Even if you work with a bank partner, some states are also going to make you have these disclosures, even though the bank is the lender of record. And others may even actually push you to register. Again, not get a license, but register to let them know that you're doing these activities, just because.

Reggie Young: After you've figured out your product, including any disclosures, you also want to identify if you need a state license.

Matt Janiga: Yeah. And a lot of states offering a regulated product will, of course, trigger licensing. And I know this is different from registration. Registration is like an RSVP. Licensing is like a contract with the state. It's going to obligate you to follow certain requirements and submit to periodic inspection.

Reggie Young: Similar to car licensing and registration.

Matt Janiga: Oh, I guess that makes us similar to the car talk guys.

Reggie Young: Oh, stop. That's before my time. I'm not old like you.

Matt Janiga: All right, that's fair. I am pretty old these days. New York is a really good example of licensing. They require licenses for money transmission, and if you're above a certain interest rate, and remember interest rates can also pick up fees, you're going to need a lending license there as well.

Reggie Young: Once you figure out if you need a license, the next step is to go get one. This usually includes steps like filling out an application, disclosing a bunch of what your business is, what you do. Usually also involves disclosure forms for officers and directors. It's like doing KYC on steroids. It often requires fingerprints, background checks and financial disclosures, and often you can't get a license if founder or owner has gone through bankruptcy or has a criminal record. You might also need to disclose basics of your business plan, provide proformas. There's usually a capitalization requirement or a bond posting requirement. And you're going to need stamps. Sometimes. Not all the time. Nowadays, regulars will generally accept licensing applications via internet, but not all of them.

Matt Janiga: That's right. And the granddaddy of all of those internet portals is NMLS.

Reggie Young: Is that a hockey league?

Matt Janiga: They were going to be a soccer league. But no, just kidding. No, it stands for Nationwide Mortgage Licensing System, but it's been heavily used by the state money transmission regulators and it's actually starting to morph, where the name is getting away from mortgages to be more product agnostic. But most people know it by NMLS. I'll be honest, I had to look it up before we got on here to chat about it, Reggie, just because I forgot what the actual words were. And if you check now, it goes by two names, when you unpack that acronym. So it's the mortgage piece, but it's also more of a nationwide just product type of system.

Now, this basically allows you to submit applications and reuse key disclosures and affirmations from your control persons and beneficial earners. I've had to get into the weeds on this multiple times, working across Square and Stripe. And it's actually really helpful, because basically, you can go bother one bigwig. We had Larry Summers at Square, but now Block, and he was on our board. You get Larry to fill this thing out once, and then if you needed Larry to affirm something, you could basically push him an email trigger and he could go in and hit the button, click on again. Same thing for all those other bigwigs that you may have on the boards at these large companies. You think about PayPal. Super large, publicly traded. Believe it or not, they have to go through the same thing, including their board members because of how the licensing structure is set up.

Reggie Young: After you've applied, you'll need to do some waiting and then maybe some more waiting. A lot of fintech companies take years to get their licenses, with New York usually taking the longest. Some well-known fintech companies have waited two or three years to get their money transmission licenses from New York, for example. So it's a good reminder that it's okay to politely follow up with regulators to see if they need anything else for your file and ask them if they have an ETA when it'll be done.

Matt Janiga: Yeah. I've been in this boat a couple of times now. We've got a couple of tips for you on your waiting period. And we'd recommend, by the way, that you reach out to other folks that are licensed. It's usually a pretty friendly and small club, people who have money transmission or lending licenses. You're usually able to find somebody who will help you out, and if you notice somebody is half licensed, they're probably going through the same thing as you and you might even trade tips. You might even trade information on where you're each at in the process, particularly in a state like New York. I've done this before with other large fintechs, where as we were getting our New York license and it was stalled, we talked to other fintechs that looked like they were in a similar spot. We were able to trade information, get a little smarter about it and understand how we needed to help unblock the problem.

Here's a couple of tips on how to manage your waiting period. And I've been in your shoes a lot over the years, and so we've got a couple of good tactical steps that you may want to keep in mind. One is get organized. You're going to want to keep track of each state and when you last contacted them. We actually had a point person at Square and Stripe, [Chor Lee 00:15:06]. Absolutely fantastic, now at Ramp, who was there to help us keep organized and keep track of all this stuff. And without Chor, we would not have been as efficient as we were at those two companies in getting our licenses. You probably won't have Chor to work with you unless you're at Ramp. Great product, by the way. Still waiting on my metal card. Just kidding. So what you want to do is to tap somebody internally, make sure you keep a spreadsheet and understand when you're reaching out to them, when the last contact was and where you left stuff.

The next thing that you're going to want to keep in mind, try not to do any complicated business changes when you're in your waiting period, especially with a larger state like New York. This includes changing your name, changes in your officers and directors if you can help it, or changes to your product suite. We know that last one is really tough, but if you've got a couple of things you can hold off while you're through the window, that's great. Or if you can get them all out of the way before you get your application in, or at least get them live on your website even if they're not full-fledged products, maybe they're just MVPs or things like that, that can be really helpful.

Here's why. One of the historical problems with New York was that they would restart your application review if you changed any of that information I just mentioned. So startups that kept launching new products, which let's be honest, is most startups. That's what we do. We're built to launch new products. It would reset your entire review timeline, and in some cases they would even move you to the back of the pile. So they'd start looking at other companies before they'd pick your application back up.

Worst of all during this historical time, and I stress "historical time" because New York has gotten better, New York's licensing staff did this without telling anyone, including the managers and supervisors at the regulators. So you'd call maybe a higher up, or you may have some lobbyists or law firms that would have good connections at the New York state regulator, and the folks that they'd be contacting would have no idea about what was going on. And they'd actually have to go investigate to see what was happening.

Now, various political appointees, I won't name them as I don't know if they'd be comfortable with that, have helped clear out these log jams over time. Super helpful about getting licenses out to a lot of companies that are large, and you'd probably use on a regular basis or have friends and families that use on a regular basis. Or maybe you just copy their products, if you're Facebook. But the interesting thing is that these appointees tend to cycle out. They're only going to stay a couple of years and then they're going to move on to the next thing that's going on in their lives. The licensing staff stays behind.

So if they fall into bad habits, and I have encountered this twice, you need to reengage with some of those political appointees or basically folks higher up on the food chain. And quick callout. By "political appointees", we're not saying political favors per se, but those tend to be the folks who are appointed to leadership of those agencies and can drive change, including process changes, and unstick things in your licensing. So that's why we're calling it out here, in case it's helpful for you.

Reggie Young: It's also good to work with outside counsel or consultants that regularly do licensing projects, since they'll know the current ins and outs of each state's staff. In some cases, they can help expedite your review because they know what licensing staff is looking for and where they tend to get hung up.

Matt Janiga: Telling you there's nothing to do but wait. It's okay to go in and remind them that part of the reason why you're paying their usually expensive fees is because you're looking for value add, and one of the value adds is that they should be able to help you move faster, and in some cases unlock the granting of your license. Or, if you're looking at onerous requirements coming in, because a lot of those can be negotiated away at the state level, things like capital requirements or ownership percentages they have to disclose, and things like that, those can sometimes be negotiated with the regulators. And those outside consultants usually have done it and can help you, but they may not offer it out of the gates. You're going to have to sometimes press on them and tell them that you'd like those things or that you're expecting them to bring those value adds to the table, because they may either forget or they may not necessarily want to do it out of the gate.

Now, Reggie, we're going to play a fun little game called You've Got Mail. And again, I'm old. So yes, I did use AOL back in the day. Reggie, what happens if you get mail from a regulator?

Reggie Young: Well, first, don't freak out.

Matt Janiga: All right. That's really good advice. And by the way, for folks who are wondering, Reggie actually does provide that advice, even to me, on a somewhat regular basis, because I am prone to freak out. [inaudible 00:19:04]. All right. I've stopped freaking out. What do I do next?

Reggie Young: Next, figure out what it's about and how serious it is. Is this a routine inquiry? Are they just going on a fishing expedition to explore unfamiliar tech to them? You're going to want to talk to your lawyer, who may also want to reach out to outside counsel as expertise in these sorts of letters. And depending on the types of questions and whether the regulator has clear enforcement powers over your product, you may really want to engage outside counsel, because some of this stuff can get sensitive. California and New York both sometimes like to send inquiry letters to hot companies and products just to learn about the upcoming tech.

Matt Janiga: That's right. And I've been in your shoes. I know Reggie has as well. We've gotten requests from regulators at various places that we've been, or when we've worked as outside counsel to various companies. Here's a couple of good examples for you, to help listeners contextualize this and also unpack what this might look like if you're sitting at the company and you get one of these letters.

Years ago, and I'm talking back when I was just starting in-house West Coast fintech, California asked S&B loan and MCA providers to voluntarily, key word, share data about the activities that they were up to. Now, the folks in California were really great. They were just trying to get some more information on the market to size up what was going on, how big was it and how did it maybe line up with some complaints that they were getting? And again, just trying to size it up and see, was there any harm or outsized risk for S&B providers?

In that scenario, you wanted to engage with them, and at the companies that I was at, we did. We worked with them. Some of the asks they had didn't line up well with their database. It was going to be hard for us to produce because of other internal company efforts. What we did at those points in time was, we talked to them about, "Here's what we can give you and why. Or if you need certain other things, what's our timeline to go get them over to you?" And again, the folks in California were absolutely fantastic. They still are. Love engaging with them, and when they want to learn about a market, it's great to help them out.

Similarly, New York and other large state sent inquiry letters, Reggie and I did not work on this, to earn wage access providers. These were companies offering early access to paychecks and there are a couple different models under which companies were operating here. Now, it looked like these companies might get challenged for being unlicensed lenders, but the group was really buttoned up. They'd done some good work with outside counsel in advance, figuring out where their products were regulated and where they weren't, mapping the plot points in state law, things like interest rates, fees, et cetera, to make sure they were on the right side of those things.

And so what ended up happening, coming out of this, was not much. It looked like maybe some of the regulators might come out, use that last gotcha, and force some of these companies to get certain licenses or maybe do product concessions. And then usually when they do that, there's a fine or a fee attached and something public, so there can be some type of admission of this and then also signal to the market, "Don't do this again." Never happened. Or at least if it hasn't happened, we're still waiting for it. Again, this was a few years ago. So I think at this point it's likely put to bed.

Reggie Young: Those are great examples of how, just because you get mail from a regulator, you don't necessarily need to freak out about that. It might not be anything to worry about in the long term. They're also good reminders to be polite, professional and thoughtfully engaged with regulators if they do reach out.

Matt Janiga: That's right. Regulators are just like all of us. They're doing their job. The reason they're at those government agencies is because they're mission driven, just like a lot of us. Reggie and I are mission driven by the work we do at Lithic and privacy.com. We know you listeners are as well. So it's helpful to keep in mind, they're people just like anybody else. They're juggling home and work responsibilities, and at the end of the day, they're just trying to fulfill their mission and their job and really what their managers and bosses have asked of them.

Okay, Reggie. So we've gone through some good nuggets and tidbits there. Help us tie this all off. What are your general rules of the road for founders and newer in-house counsel or anyone else that has to interact with regulators on this point?

Reggie Young: Yeah, it's a great question. I think there's some high level principles you can keep in mind. First one is, if you get a letter that's more serious, ask, "Does this regulator even have the authority to ask what they're asking about?" If they don't, then you don't need to engage with them. You want a lawyer to help you figure that out though because you want to make sure you're right on that. Even if they don't have authority, it could still be a good idea to engage thoughtfully, like New York's earned wage access inquiries that Matt mentioned. It's likely they died out because the relevant companies had their acts together and did engage. So yeah, first make sure the regulator actually has the authority to do what they're asking for.

Second, negotiate. Point out how an ask is infeasible. Oftentimes, these letters may say, "Hey, we want to see data on X, Y, Z, about your products." All of these various tiny minute details about it for an unreasonable time period. It's totally okay to push back on that stuff. It's totally okay to ask for more time. Asking for more time can actually be a good negotiation tactic, to drag something out until maybe some issue becomes less of a political issue in the public's mind. So there's a lot more room to maneuver than most people would expect.

And my last big principle is, only answer what's asked. This is a classic lawyer tip. Don't volunteer info about your products or business if it hasn't been specifically asked for.

Matt Janiga: That's right, and it's not so much that you have anything to hide. It's just sometimes, without context, those comments that may seem innocent or you may think are helpful, may be misinterpreted or misconstrued, and you're not always going to get the chance to unpack or explain them until you're in a stickier bucket and maybe somebody's kind of loaded for bear. All right, Reggie, it is summertime, especially in my household where school finished yesterday. You know what one of the best things is about summer, Reggie?

Reggie Young: What's that?

Matt Janiga: Going to the beach and playing in the sand. You know what is similar to summertime here on the West Coast?

Reggie Young: Is it sandcastles?

Matt Janiga: It's sandcastles. But Reggie, it's even one step further. Regulators have sandboxes and there's a whole bunch of other ways to engage with regulators. So we are going to unpack here, in our next segment, playing with sandcastles. How to think about engaging with regulators once you're through that licensing period.

So let's start with this. We've talked about what happens if your license gets stuck. We've talked about ends if the regulator knocks on your door. Reggie, let's say you have an idea to build something really, really cool. Or maybe you don't. Is it ever good to talk to a regulator without them asking for it?

As long as you've come ready to bribe them, yes. No, kidding. Kidding. There are some tools that fintech can use with regulators. First up is sandboxes. Arizona was the first state to implement a sandbox in 2018. Now there's a handful of other states that have them.

Reggie Young: These regulatory sandboxes are basically safe spaces for testing out products that might not clearly be addressed by current regulations. They're generally a lot more flexible, but they come with some cons. They can be really uncertain. A big risk is you're potentially raising your hand to be regulated, as opposed to pursuing something that's in a regulatory gray area and then asking for forgiveness, if need be, later. Recently, at the time of taping this in June, 2020, CFPB has come out saying, "Hey, we have this regulatory sandbox that's been pretty ineffective." So they're great in theory. They often struggle in practice.

A second tool you can possibly use to knock on the door of regulators is No Action letters. These are basically when you write to regulators and say, "Hey, I'd like to offer this product, structured this way. Is that okay?" And if it is, the regulator will give you a letter that says, "Yeah, go ahead." The pro is, you can get guidance directly on point for what you want to do. The cons are, they can be costly and slow. You send a letter to a regulator, they have no obligation to respond. So they may never respond, and you don't know. You could just sit around twiddling your thumbs for a while. They also tend to be pretty narrowly tailored to the specific program elements, so you're limited to what you described and other companies can't technically rely on them. Though, practically, a lot of them will look to those No Action letters for guidance.

Matt Janiga: Oh yeah, Reggie. Just to hop in, if folks are curious [inaudible 00:26:46]. Especially when you're functioning on a 50 state basis and you're going state by state licensing requirements, one of the things you might do is you might go to agencies that are generally up for engaging these types of things and will work with you proactively or collaborate with you on some of the legal reasoning. As we mentioned earlier, a lot of the state laws tend to be converging. And so if you can get favorable rulings in one state, you might be able to take that to another regulator to show, "Hey, we've done our work. We've been thoughtful. Another state has kicked the tires. Will you adopt the same rationale formally for us?"

Washington State and New York have always been really fantastic on this. California as well. California is very well staffed on this point. And sometimes you can engage with staff in advance, to see if they would consider a formal opinion letter for you on this [inaudible 00:27:29], and they'll give you a heads up of, "Yeah, we think that's something we could do, or we can't." Same thing, you'll sometimes be able to do this with Finsen. Finsen is actually moving towards a No Action letter model, so not state non-bank regulator, as we've been talking about for the rest of the podcast, but is an important regulator for those Zoom payments to think about engaging with. Vincent is currently considering a No Action letter process as we tape this.

And the SCC, of course, is the granddaddy of them all, and they've got a ton of No Action letters. And that's why hiring practitioners that are skilled in that space is really great, because they can tell you if something's been tried before and also what the outcome is. Sorry, Reggie, I'll let you take over because I know there's a few other times you may want to engage with regulators, and you've got good tips for our listeners.

Reggie Young: That's true. There's also recent a trend of office hours. Regulators hold open office hours where you can just show up and ask questions. The OCC has done this a little bit. California Department of Innovation does this fairly regularly nowadays as well. So it's a good example where you can show up and just, on a more friendly basis, ask questions about how regulators are thinking about certain things.

Matt Janiga: And it's really helpful, if you approach office hours, to at least come prepped with a little bit about your company. You can shorten it or throw it away if the regulators understand what your industry is and how you function. But a lot of times, and I've been poked over the years by the OCC, or rather have engaged with the OCC and have been asked in some cases by the FDIC to come in and present on what some of my companies have been up to, all in a very positive manner.

Regulators are curious. They want to understand how you're different from what they're used to seeing, Fiserv and TSYS or great companies like Capital One and Chase, who have done these things over and over again. They don't understand how you might be different if you're in fintech land. In a lot of cases, you're really similar to what they're used to seeing under the hood, and that's where helping them understand that can help set the table for why what you might be asking for or why some of the things you might be launching aren't actually scary. They're just helpful innovations that consumers or small businesses are looking for.

All right. So we've talked about being proactive. There's a couple other things here. Or we've talked rather about engaging with regulators. One other thing you might consider doing is going in proactively. And this is when you're well staffed. So we're talking about your past product market fit as a stage. If you're a seeder and A round founder, you probably don't want to be considering this unless your market is really novel, your product is really novel, and you have to proactively engage with regulators to get it to market. Only happens a couple of times each cycle so isn't likely to be you. But if it is, obviously staff up, get well prepared, get good counsel for you.

If you're a larger company and you are well staffed, got a couple lawyers on hand, maybe you've even got a full regulatory counselor, you've got a really great compliance officer that can help step through things with partners, you might be ready to go proactively talk with various regulators, state or otherwise. Top regulators again, like we just mentioned, often don't get great line of sight beyond exam memos or reports or what they read in publications like TechCrunch and American Banker. So this gives you a chance to talk directly about your product and your company, which can be helpful as well. The positive impacts that it has for customers, how many persons in the state may be using that product or even might be employed by your product, because those are things regulators are generally interested to know more about.

If regulators can see the value in your product... And this is about you educating. This is the same thing if you're a founder that you do every time you fundraise. You're educating the VC community, you're educating the folks who are help investing in you, on the value of your product, what you're unlocking, what's new in market and how you're going to gain market share. You're really doing the same thing here with regulators. Once they see the strength of your product, the thoughtfulness of your program and the strength of your team, it helps you have a better conversation, up-leveled conversation, around a novel offering, a novel quirk or a novel operation that you have on things.

Now, I have never worked there so I'm going to caveat this, but I have heard some really interesting and positive stories about how PayPal used to do this in its earlier days. And so I think I want to thank, first off, the folks that PayPal that did that because they kind of set the table for the rest of us. And I've heard some great stories about other large fintechs, now at scale, public and otherwise, doing this as well and following a similar route. And again, it's immensely helpful for the regulators, and if they have time, they'll generally engage with you.

Reggie Young: The last way, or there are other ways you can engage with regulators, but the last interesting one, I think is TechSprints. I find these personally pretty interesting. Good examples, recently, the FDIC has been launching FDI tech programs, which are basically two to three week TechSprints. For example, they've recently done one on tools for reaching the un-banked and another on digital identity verification tools. It's pretty cool. Folks from AWS, FIS, Galileo and community banks show up and participate in these TechSprints. And so it's a good way to build rapport with a regulator and possibly have an impact along the way.

Matt Janiga: Yeah. And if your product is really mature or in cruise control, you're not necessarily planning a lot of updates or things like that and you have a team that's interested, also really fantastic. Great way too to think about broadening the horizons of your internal teams, because usually engineers and others that would participate in the TechSprint aren't out there interacting with government agencies. And so it's a fun change of pace for them. You can think of them effectively like an external hack week.

Reggie Young: All right. Well, Matt, I think it might be time to turn to audience questions that we've gotten on Twitter.

Matt Janiga: I love our listeners who are on Twitter. They're just fantastic. And I saw some of those questions come in so I'm really stoked about this. Reggie, do you want to kick off the question and then we can freehand this?

Reggie Young: Okay.

Matt Janiga: I'm going to start over, so we can get a clean clip on that. I love our listeners, especially those folks who took the time to send us some great questions on Twitter. Reggie, do you want to kick off with the question? And then we'll preface for folks, Reggie and I usually map out what we're going to talk about in each episode, so that way you can get really impactful insights from us. We are going to just do this one freestyle, so I'm excited.

Reggie Young: We'll do it live. Yeah, I think one of the big questions that came up on Twitter is, why are state AGs so important? And we didn't necessarily mention them as a regulator, but I think they are an important player to consider. I don't know. Matt, do you have any thoughts there?

Matt Janiga: Yeah. There's a couple of different dimensions that you want to think about, and you want to slice various things. The state AGs often have deep and tenured staff who are very knowledgeable about markets and harms in their states. They're up on trends, they coordinate with other regulators, particularly other enforcement regulators, and they tend to work together. So that's why you'll see, when a company gets sued by one AG, usually there's potentially a dozen other AGs that are attached to that. And so as you think about, what are state AGs up to? They are really synergistic eyes and ears, where if one of them spots something with your company, they're likely going to put it on the radar and discuss it with others. And then you may have a multi-state issue, where you're trying to engage and educate multiple different stakeholders or multiple different decision makers.

If you're ever in that situation or if you've ever found yourself in the situation where you've got to educate multiple cooks in your kitchen at once, it's tough, because one holdout can cause something to spiral in a bad direction for your company. Sometimes these companies deserve it, so definitely want to stress that. We've talked about staff. The other thing to separate out is that AGs are led by people who have to run and stand for election in their states. AGs typically are fairly savvy politicians, and a lot of times the state AG position is a stepping stone to something else. Maybe Senator, maybe even Vice President, as we saw in California recently. And so sometimes you'll see state AGs go for the gusto or they'll look to score political points if they think it makes sense.

And that's something where... Again, we talked about the last gotcha earlier in the podcast. Something may not be right on the technical merits. It may not even be wrong from a policy perspective. What you're doing might make sense. But if from a political perspective, it makes sense to make an issue out of you and the facts are there, you potentially could have an issue with some of the AGs. One other funny thing before we leave the AG topic, or Reggie would definitely be interested in any other thoughts that you have on this, is there is the National Association of AGs, jokingly amongst the Washington Beltway group referred to as the National Aspiring Governors' Association.

So again, folks who like to be visible, like to be present, like to grab news headlines and cycles... In some parts because it's the right thing to do. It's great and it's prophylactic to announce when there's a wrongdoer and they're getting raked over the coals so other companies don't do the same thing. But sometimes, unfortunately for those of us on the company side, done because they want to be governor or they want to be senator or have some other further life after their AG term is up. Reggie, any other thoughts on AGs from you? I know you've seen some stuff as well.

Reggie Young: I think you covered all the key ones. So I don't don't want to repeat stuff for our listeners. There's some other really interesting questions we've got too. I think Alex Johnson asked a great one that focuses on this concept of innovation per capita. Given a state's population and economic significance generally, are there states that are particularly innovation friendly or not, or dragging their feet on innovation? I've been thinking and reading a lot about crypto lately, so that's where my head went. I'll start and give my answer and then hand it over to you, Matt. There've been a ton of crypto policy developments recently. The one that's top of mind for me is a draft bill from senators around, how should we regulate crypto? It's a big federal framework, the likes of which we really haven't seen yet.

I've been thinking a lot about crypto and I think the obvious innovation per capita winner there, in my mind, is Wyoming. They've just been very friendly and have had a lot of thought leading legislation. They were one of the first states that developed a Dow entity type, for example. They've also just generally been a bit more friendly as a bank regulator with banks that want to engage in crypto. Surprisingly, New York, a little less so. A little lower on the innovation per capita, which is surprising given how much the finance industry is there. But when it comes to crypto, the general consensus is they fumbled the ball with a BitLicense, which is just generally an unworkable licensing framework for anybody in crypto.

California, I'd probably put middle of the pack. They've recently started doing some... Again, I'm thinking mainly in crypto here. California has recently started some good positive proposals. There was a great exec order from Governor Newsom recently that looked at crypto in a very positive light. I'd say the downside is, California's dragged its feet on some of this stuff. So those are the first three states that come to mind. And again, I'm mainly thinking through a crypto lens. But Matt, I'd be curious if you have any other takes on innovation per capita.

Matt Janiga: Yeah, no. And I think this is a really great question because obviously we've done this a lot, whether at Square, at Stripe, or now here with Lithic, whether it's privacy.com or Lithic types of offerings. And we sometimes will chat, or some of our Lithic customers come in if they want to pick our brain. Reggie and I are happy to chat about it on this. When you're trying things, especially when you're trying to figure out, "Is there a product market fit?", and this is why I love Alex's question, you want to find a big marketplace you can play in and you want to figure out what the contours are, the rules of the road, how wide is that road and how long is it to get things going?

And so when you're thinking about lending, you could think about interest rates, other fees, other types of things, and then do you need a license flat out? I think Ohio, you need a license flat out, on a regular basis. California usually has I think a five loan di minimis [inaudible 00:38:53], but both for consumer and commercial, particularly small business. You're going to get that license, as Reggie and I know well, because we worked in that space for a while. So I tend to think about, what are the rules of the road? And then I think about, okay, how can you unlock large customer segments?

Because yeah, it's great that you might be able to get your product live in Iowa. And Iowa's fantastic. I've visited. I've been. I've been to the Corn Palace. It's wonderful there. But as folks know, if you're going to look for bang for buck, if you do a bus and billboard bio campaign in Houston versus Des Moines, you're going to get different lift. You're going to get more eyeballs seeing that in Houston, or New York or Miami or somewhere else along those lines. So I tend to think about that.

Florida and Texas, I think are some of the best bang for buck. Texas especially has just a really fantastic regulator that will engage with folks, is very thoughtful and doesn't try to squeeze blood from stones when it comes to regulatory powers. There's also a long history in Texas of helpful and I think fair, but industry friendly, regulations around agent to payee and other things that will allow you, if you structure a payments product right, to not have to worry about licenses. And I believe similarly, but it's been a while since I've cracked the actual statutes and regs, that there's also some favorable rulings around lending, which is helpful as well.

Florida tends to have favorable lending licensing, but their money transmitter regulator has historically been very aggressive and sometimes hard to deal with. I think we've seen this, where they sued Square before I joined. I forget when it was resolved, if I was there or not, but it's public so you can go take a look at it. I believe they sued Airbnb at a certain point and there were others. Having lived through having a Florida license, I can also tell you they have an outbound and inbound data element that other states generally don't ask about, on their, I think it's quarterly reporting for Florida. That can be complicated, because how do you map that? And especially if you're seeing it for the first time, you haven't looked at those reports in advance of getting your license, your data and your data science teams are not going to be organized to get that answer easily.

Having also called them... I think I was in Alaska at one point on vacation and I got a call from an internal colleague that said, "We don't know what to do with Florida. Please call them." I called them and I remember being, I think, up near Denali, talking to the regulator. And they just basically said, "You pick, and just tell us how you decided what was inbound and outbound." So, helpful in that they gave the power to us, but then I recall that then when the examiners came on site, I think they took some issue with us down the line on those things.

But helpful stuff to call out. I think I might say California, I'd move them up towards the top of the pack. And there's a couple reasons why. I also want to call out, Washington State is a really fantastic regulator to work with. Washington, obviously sizable population, big metro market in Seattle. So if you want to target physical ads or things like that, you can do that and get pretty good bang for buck. And also good income status and things like that. So it might be helpful, especially if you're targeting a higher net worth or higher spend consumer segment to go after some of those folks. And tech savvy, is another nice thing that I love about Washington State. I love the Washington State regulators because they have been super thoughtful and really at the forefront about thinking about updating their law, as you mentioned earlier on the podcast.

They also, last I checked, were part of a multi-state compact, where if you got licensed in Washington... And Washington, again, deep expertise in this. They know what's good, they know what's bad and they're very fair. They're not easy, but they're fair. If you get licensed in Washington, I think other states will flip you to yes, where you can almost kind of passport, similar to what you see with payment licensing over in Europe, across the states. That's not everyone, but that's where going in the front door with Washington could be helpful, because again, I believe they're part of that compact. I'd have to go double check that. And you can unlock it there.

They also are very willing, and I've done this in the past, to pick up the phone. And you say, "Hey, I'm doing this thing. I don't know... Or my product team wants to launch and build this." Ideally you'd call them before you launch whatever you're doing. You say, "I'm looking at your law. I think it should be read this way, but I want to make sure we don't get into trouble." And especially if you're licensed, this is a good idea to do, because regulators don't like surprises. Rightfully so. And you can say, "What do you guys think?"

And I know when I've dealt with folks in Washington, if it's gray and it's not clear, how do you wrestle that statute or reg down and how does it apply to your product? They are willing to use the policy basis lens and they think about consumer harm. And if the answer is, "Well, you don't have consumer harm because, hey, there's this Visa and MasterCard backstop, maybe around chargebacks." Or there's a Reg E disclosure around receipts or something else like that. Even though you want to do this, they are sometimes willing to entertain the gray and bend it in your favor, where maybe the product doesn't have to be fully regulated or all the licensing requirements don't apply, again because of the pro-consumer structural things that the industry is baked in.

And so I love that about Washington. I love that they've been open to consider those things in the past. They don't always say yes. Again, they're tough but fair on this stuff. But I think they're really great. And to circle back to California. California, very similarly, well staffed agency, very thoughtful people. A lot of really great tenured folks, especially on the money transmission side. And you have some great folks that have come up from the examiner ranks. Inside, you may be like, "Oh my God, we're not buttoned up. We're not..." But they've seen it all before. And they focus on consumer harm. They'll grade you on that letter grade scale. B-plus is passing, just as well as A-plus. So they've seen everything and they understand what's important and the give and take in your operations, and where they can wait a little bit for things to be up-leveled or maybe take some time. So California has really thoughtful folks you can engage with.

Also really great legal division. Tenured legal division. Really great legal division that knows their staff knows how to apply the law. And because they're so well staffed, they can engage with you on a fairly reasonable timeframe. What I mean by that is, it might take a few months, but again, if you ask upfront, "What do you think? Should we even come in and consider something formal on this?", they usually can give you a directional view. And then you can figure out, do you want to go get counsel or use staff to do it in-house?

One other shout out on California, they have been doing a lot of work to speed up how long it takes to get a license from them, particularly on the lending side. And I think that's something where it used to take a while to get a lending license, but the last I checked on this, I think they're about four months to market. California unlocks such a large market. There's so many large metro areas here. Reggie and I are biased because we currently live in California. But it's a really fantastic place to consider getting a license, even if you're just going to go get one. Now again, if you're trying to get to market, you may start in Texas, especially if you find you don't need a license. It's unregulated. But while you're doing that, would encourage folks to think about getting the California license. You can unlock one of those other really large markets, and then have that to play in while you're finding private market fit. A great question from Alex. Thank you, Alex.

Reggie Young: Should we take through one more question maybe?

Matt Janiga: No, let's do them all. I can see the list. These are great questions. Let's do them all.

Reggie Young: Let's do it. Which do you want to start with?

Matt Janiga: Let's start with Io. I think he's got some great questions. And for background, Io and I worked on Square Cash together. He was a product manager. I was a lawyer to the company at that point in time. So, love Io. He also writes some great posts. You can pick him up on Twitter. I think he's got a website somewhere. You can find those things. Reggie, why don't you kick us off with some of Io's questions?

Reggie Young: Yeah. When do you need a money transmitter license versus not?

Matt Janiga: That's a good question. I think the way to think about it is, if you have... And again, talk to your lawyers. This is not legal advice, but this is generally historical precedent based on what we've seen. If you have a contract with the person who's receiving money, if it's for a good or a service, if you're giving receipts, you are often going to fit the state prongs of the exemption and the Finsen exemption around payment processing. This will be true whether you're doing physical card processing, like Square is doing now and was doing when I got hired to the company. It's also true for things like bill pay. If you have a contract with that end biller or merchant, it's going to look more like payment processing than not. There's a couple other considerations here. Reggie, do you want to talk to folks about FBOs?

Reggie Young: Yeah. FBO stands for For Benefit Of. They're basically bank accounts that are set up to kind of custody funds for others. So for example, a business isn't holding its own funds in this bank account. They would hold their customers' funds. And the FBO name comes from, when you set that bank account up, it'll actually have "Company X for the benefit of their customers" in the name. And it tends to use the bank's EIN as the relevant EIN for the bank account. What that does is, that effectively takes the company out of ownership of those funds so that they're not touching and managing the customer's funds, which is one of the key triggers for money transmission.

Matt Janiga: That's right. And in our experience, you want to work with really good seasoned outside counsel in money transmission and payments. You can find them at Davis Wright or Cooley. Sean, I mentioned earlier in the episode, he's been through all of this with Square and then his outside clients. When I was at Stripe, we used Sean a lot for this, as well as Davis Wright. Both really fantastic [inaudible 00:47:23] law firms. And there's some smaller practitioners as well. Peter Lewis at Katzel is really fantastic. And there are other folks that I'm forgetting and I apologize for not calling you out.

It's also helpful to call out that these things are somewhat cyclical. I like to think of it like a pendulum or a swinging grandfather clock arm there, where there are times where regulators will look unfavorably at FBOs. I think there was a period of time where they didn't understand them. And so you had some innovators in the industry who worked with counsel, rightfully spotted this quirk and said, "Look, the law says I am taking the money, and that's what makes me a money transmitter. I am taking the money from the person who wants to send it and I'm giving it to the person that wants to receive it. If I am not legally in possession of the money, AKA through an FBO structure, the bank is in possession of the money, then I don't need a money transition license."

And this was novel. I think if this has been around back when PayPal was getting started or Square was getting started, they may not have licenses. Or they may have them now for cross-border activity, but they may not have had them to start. So you're seeing companies that start now, that have similar products, that's not obtained licenses, and this is likely the reason why. Obviously it's between them and their regulators and any lawyers that they've hired. But that's generally, I think, the view on this stuff.

The thing to keep in mind is that, even if you have this structure and you're not getting poked now, there may be a point in time where you'll need to articulate it and defend it to your regulator. Not aggressively defend it, but you have to educate them on what it is. Because the folks who understand, "Why does the FBO structure fall outside of money transmission law?", they may leave. They may retire, they may go into private industry, or they might switch to a different part of the government or a different part of the regulator, because that happens from time to time.

The other thing is, be careful because there are some regulators that just do not care. And then you have to figure out, how well capitalized are you and are you willing to go to the mat? I think that was one of the things that I found really interesting at Square. Our general counsel when I was there, Dana Wagner, who was really fantastic, now he's at Twilio, Dana was willing to fight on the principled matter where the law was on our side. And we also had the scale and we were de-risked, where we could take those liberties and do those things. We followed a similar but slightly softer path when I was at Stripe. Obviously, if you're a large company, a PayPal or someone else, Western Union, you can do those types of things if you choose to. But if you're an A or a seed round fintech, it may not necessarily work.

The other thing is regulators sometimes... And I don't know that they do this on purpose, but I think it's just how it happens. They will sometimes pick on smaller companies who will not hire counsel. We hope you all listen to this podcast and you go get counsel if you're [inaudible 00:49:44]. But sometimes they'll set precedent with smaller companies and that precedent then will start to lock you in or create an uphill battle. Even again, if you're right, on the merits. So all interesting things to really consider about whether you need money transmission licenses or MTLs, as people often call them.

Reggie Young: Matt, we've got another great question. What are the different types of protections on digital wallet balances?

Matt Janiga: Ah, this is really good. Thank you, Io, for asking this one as well. The answer is, a lot of digital wallets certainly won't have protections. They can. It's legally possible, but there's going to be a couple different parties that have to be involved to suss this out, and it's going have to be presented in the terms and then the bank's going to have to do some things in the backend. So let's unpack it.

The legal basis for this comes from the FDIC's general counsel opinion number eight, which is just like it sounds. It's a letter from the FDIC's general counsel that says, "We, the FDIC, will honor claims of FDIC insurance on what's called a pass-through basis." I.e., you can have one of those big FBO omnibus accounts, hold my money, Reggie's money, your money, Ms. or Mr. Listener, in there, and each of us can have FDIC insurance up to the FDIC insurance limits, which I believe are $250,000 these days. I'm old, so it used to be lower. Or if they've changed throughout various downturns and things like that. But anyway, you can have protection up to these limits, even though the bank does not have an actual account for me, Reggie, or you, our listener, or they don't have you listed as an exact account. And that's called pass-through.

Now, what happens here is you then have someone, usually a program manager or a fintech, as we might refer to them, keep a ledger. And there's a lot of great companies out there that can help you keep ledgers these days, if you don't want to build your own. And we partner with a lot of them at Lithic, so I encourage you to check our website if you need to find some. And by keeping that ledger, if the bank also agrees that they will classify the funds on their balance sheet in a certain way... Usually there's broker deposits and then they have to be reported that way on the bank's quarterly reports to the regulators. Used to be called a call report. Now I believe it's called something else. Again, I'm old. I apologize. Those funds can qualify for FJC insurance.

Now, I've also heard some more stories of large companies, Fortune 100 and Fortune 10 companies, going out and actually talking to the FDIC about, "What do we have to do to make sure our balances in these omnibus accounts, or digital wallets or other things, are qualified for FDIC insurance?" I've heard different things about back and forth, proving data, et cetera, versus just make sure the bank reports them, make sure you're keeping a balanced subledger, and then be capable of quickly producing that subledger in case the bank fails. For folks who are trying to think about this or going through this, you might obviously reconsider, talk to counsel. Counsel doesn't know, you can't find anybody that knows, you might consider engaging directly with the FDIC and asking them.

The other thing you're going to want to keep in mind is that the FDIC usually shows up on a Friday afternoon to close down a failed bank, because banks don't move money over the weekends. And what they'll do is, they'll look to quickly resolve that bank and generally port the assets to a healthier bank. And as part of that, if you want your funds to qualify for FDIC insurance, or if the bank needs to be resolved and cleaned up and the FDIC doesn't want to honor all the liabilities, which can happen in really exigent circumstances... I'm not this old, but the Savings and Loan crisis created a lot of issues around smaller institutions and put deposit funds at risks. Or even I lived through this, when Lehman went under, there was contagion risk and worries about, "Well, what if a large bank like Bank of America fails?" If you're a high roller, you've got a million dollars in cash... Boy, would I love to have that problem. Not all of it's going to be safe if Bank of America were fail or something like that.

So, heard different things, but generally I think if you're building on this direction or you want to approach the FDIC, you want to make sure your data teams can get accurate close of business type of records out on a Friday and over to the regulator. Obviously, those jobs have to run so it could take a little bit to pull the data. But I think you want to be able to get accurate data out probably by Saturday. Or if you engage with the FDIC, they might give you guidance on hopefully a later date, if you need it for your systems. But those are some of the things to think about.

Now, if your digital wallet doesn't say "FDIC insured," it's not. That's the key takeaway. So as you're thinking about putting your money in Square or Venmo, or I don't know if people are still using Luna and Terra, but they're out there. Those things should say if they're FDIC insured or not. A little tongue in cheek around crypto. It's not FDIC insured. But there's various things like that, that you can see. And money market funds, another thing to watch out for, is not always FDIC insured or protected. You can read the terms and conditions and check the advertising on those websites.

Reggie, we've got some good ones around what it's like to go for an audit, but we got that from Io and from Rogue CFPB, one of our anonymous Twitter friends. Maybe we wait on the audit one and go to Io's last one, which is penalties and consequences that a state regulator can apply to you. Do you want to take this for us?

Reggie Young: Yeah. I think it's a great one. Most folks tend to think about monetary penalties, like big fines, but state regulators also have other arsenals of tools that they can call on. Some good examples is, they can go get an injunction to stop activity as it's happening. One of the interesting things, if you ever read FTC... This is federal, but also happens at the state level. If you ever read FTC settlements with really egregious actors, they can just ban people from being in a certain industry for a certain amount of time.

So penalties and consequences can often be not just money, which money can be, "Here's whatever hundred thousands or millions that you have to pay in penalty." It often can include restitution, which is fancy legalese that says, "Hey, you have to right all the wrongs that you did to your consumers, your customers." So, yeah, penalties can not only be monetary like that. Regulators tend to have some stronger teeth to potentially ban actors from industries. Matt, are there any other penalties or consequences you think that are worth mentioning?

Matt Janiga: No, I think you've hit it right. And I think on the operational impacts of this, it's helpful to keep in mind that as you read those things, it always goes beyond what's in the black letter law. And that's why it's better to comply up front. That's why we've built a strong compliance and legal team at Lithic, to help ourselves, also help our customers. But it's better to comply up front because if you don't, more likely than not, you're going to have to do what's beyond the actual regulation and it could put you at a competitive disadvantage, usually from a cost perspective. Because you're going to have to build some new systems, you have to spend time on that, as opposed to launching new products and features, and you may have to have extra staff, to staff whatever the new operational requirement is. But those are really good.

Reggie, I'm going to pick up on the exam and audit question, because I think that's pretty good. I'm going to talk about what it's like to go through a non-bank exam. Because Lord knows, I've been through dozens of those from my time at Square and at Stripe. And then I think [inaudible 00:56:19] I think there's an interesting second element which is, what is it like to help a bank go through their audit or examination? And I know you are very thoughtful and have done this subtly at BlueVine but also here at Lithic, to help support our bank partners. So I'm going to take it first with the non-bank examination side and then love to toss it over to you, if that's okay, for the bank audit piece. Does that sound good?

Reggie Young: That sounds great.

Matt Janiga: Awesome. All right. So let's unpack the money transmission side. A money transmission exam is actually very similar, for those of you that have fintech bank and partners, especially top tier sponsors. Celtic, Webb, Cross River, bank corp. They'll ask you for a couple hundred things. They're usually going to sample across a wide variety of your operations. They're going to ask for complaints. They may ask for the log of things, "Give me all your transactions for this month, this month and this month." And they're going to ask for financials, balance sheet. They're going to look for your marketing file. They're going to ask for a rundown of products and services. And what they're going to do is this. They're going to match up what you provide to them, they're going to look at what was in your licensing file, and they're going to look... Especially a state that likes to be kept up to date. Most of them do. New York and California are like this. They're going to look and see what ancillary things you've done along the way.

As they look at this, for example, what have you done lately or the products and services that you've done, if you have not been actively notifying them, that's going to be a negative mark against you. It's not make or break, but it can potentially tally where you fall and whether you get a private memorandum of understanding, whether you get a relatively clean bill health, which I believe is a score of four or greater from those larger states on these types of things. They're also going to look at your transactions and other stuff.

Now, the interesting thing here is, if you're a really big fintech at scale, and I've worked at a few of them, the regulators will use tools like Excel. And Excel, as folks who have been in it at least are used to, crashed when your CSV file had over a million lines. So if you have a lot of transactions, you actually might need to go to the regulators and say, "Hey, look, we've been through this before. What you're asking for is going to crash your tooling. Why don't we give you a day or a week instead? And let's zoom in and you pick the dates, we'll pull the data. We'll pull transaction logs for Thursday, June 16th. As opposed to, "Let's give you all of June," which you aren't going to be able to open and is going to be a waste of time for us to produce, because we're going to have to go back anyway and do the sampling on these types of things."

For folks who are really curious, outside counsel will generally have these lists. I know when I worked with outside counsel, I would always send it to them. So that way, they could be aware of what are we dealing with. And then also if we needed to call in outside counsel to help us with any extra muscle, or just explanations on things during exams, we could do that. So outside counsel will generally have them. I believe the states, some of them at least, also list what their examination procedures are. Because they want you, when you're building your products... And your program structure, because you are going to have to build a compliance program behind this, including the muscle to deal with the state examiners. They're going to want to come visit you on site. We got a fun question about that we'll get to in a minute.

They have lists. I want to say Washington might be another one of those that has the exam list on their website. Maybe California. But there's a big state that is definitely very reputable. It could be Ohio. They're another one that's a very good examination team. Well skilled and staffed examiners. You can actually get a peek at things. And the larger states, New York and California... Sometimes Texas will be a little bespoke. They'll have extra bolt-ons they do, just for them. But just by seeing the peek at the main list, you're going to be 90 percent prepared if you're building towards that, and think about how you're going to get that data or an answer out to examiners.

One other thing that's helpful. Those lists are kitchen sink basis, which means they cover everything. That may not apply to your product. For example, you may be doing domestic peer-to-peer, not cross border. There could be a whole section that isn't going to apply. In these instances, what I've historically done is I've written a letter or a Word doc, and then usually printed it out as a PDF. So that way, the examiner has something that's responsive to their question, but it explains why what they're asking for doesn't apply to the business model. Another thing you can do is, maybe you can just do a whole "Things that don't apply" list, put all those answers in one document. That may be easier for the examiner. But you generally can do these things.

Now, when you're in an exam, they'll come on site. The examiners are very busy and generally they're overloaded. So what they're doing is, they're coming in and they're usually opening your file for the first time either on their plane flight out to see you, or when they're on site. And so what you'll find is, your first day or two might be heavy. Usually the companies I've been at, we've tried to give them an overview of the company, have them meet the compliance officer and then established some touch points, people they should talk to about these various things. Once the main intro sessions, "This is the company, this is what we do. Here's what the products are. Product demo. Here's how it works," type of thing. Once those are established, the examiners often will take time back. Because what they're going to do is, they're going to take the information you've given them in the overview sessions, and they're going to read through all the pre-work you've done for the examination, and start to prepare.

It's also good to check in with them daily, ask what they need, when they need it, do some of those things. But generally the folks are just absolutely fantastic professionals. There usually is someone who is very thoughtful in the room, especially during multi-states. So if you're having problems with one state, you might try and find the person that's a little more thoughtful or understanding of your business model or technology, and try to see if they'll help you explain to the other examiners why what they're asking for isn't reasonable.

The other wild card to touch on is privilege. This goes back to the regulatory pendulum thing. Some of the states do not believe in attorney-client privilege and they will threaten to fine you and write you up and fail you on your exam if you don't hand over board minutes and things like that. So it used to be, companies would say, "Well, everything's privileged so we'll give you a readout." Or, "Everything's privileged so we'll do something else." You didn't have to produce maybe the full doc. I don't recommend doing that these days and I don't recommend getting too cute, because it'll eventually catch up with you and cause more headaches than it's worth. Reggie, do you want to take us through what it's like to support a bank during an audit or exam?

Reggie Young: Yeah. Happy to. It's a little less stressful than the non-bank exams because your bank partner review process or audits or exams or however you want to call them, it's much more a routine process that happens regularly. So most fintechs partner with banks. Their banks are going to be subject to at least annual exams, and typically, that trickles down to the fintech partner. What this often means is just, they ask for your most updated policies. They ask to see maybe potential samplings of how you're handling complaints, things like that.

But these reviews can actually be a really interesting strategic tool for fintechs, because you can make yourself basically a trusted partner and build credibility with your bank partner this way. And it's super simple ways to do it, like ask your bank partner what questions they got last year, so that you can prep ahead of time so that you don't drag down the process. Because when this happens to a bank, it basically stops the bank. The compliance team is going to focus entirely on this. So you want to tee up and make it as smooth and as frictionless as possible for your bank partner, and an easy way to do that is just to figure out what was asked last year and the year before. Can we start prepping some of this stuff now? What info is expected? Are there any of your own policies that you want to refresh, to make sure that they're in tip-top shape?

A big trick I've seen is just communicating that at a fintech, if you have compliance headcount, they're probably going to be a little jammed up during this period, because the bank is going to send you requests and they're going to be pretty important. Like, "We need this because the regulator's asking for info." Not for any bad reasons, but they just are kicking the tires. You need to check boxes and so they're asking for certain information.

So all that is to say, bank partner, their exams are actually a really good opportunity for fintech partners to build strength and relationship, in a way that doesn't slow your product down and gives you credibility when you may need to go to the bank later for asks that they would push back on if you weren't such a great partner. So something to think about.

Matt Janiga: That's right, and Reggie, I love that tip that the compliance teams get really busy during this period. So it's a good call out that if you're looking at launching a new product or service and you know the exam is coming up, get that marketing approved in advance or ask the bank, "Do you have capacity to see this now?" And make sure that your products, design and other teams are positioned internally to seize upon that window before you have to wait a month or a month and a half.

Because we've talked about, everybody's human, they're just doing their jobs. The compliance staff will go through a heavy cycle with the bank examiner and then they may take so off, because honestly they've earned it and they need it to recharge. So it's a good callout to think about your own product launches and marketing cycles, especially if you're in the credit space because the bank going to need to sign off as that true lender.

Reggie, we have a couple other good questions. I think Keila Haslet asked us a good question. She was curious for a comparison of a couple different state banking regulators. I think we've covered that already. Does that sound right to you?

Reggie Young: Yep. That sounds right.

Matt Janiga: And then she had another one which was good, which was, how can the public figure out which fintechs have gotten Master Fed accounts and what can it tell us about the future apps? I'll take the lead on this one and then obviously would love any thoughts or nuggets you've got on it. I think this is something that's been kicking around for a while. You've seen, I think, a lot of great fintechs, particularly those that have gained scale in Europe first or gained scale in Europe at the part of the US, say, "Look, we have direct access to European rails, given the way their licensing structure is set up. Why can't we have it here in the US?"

And I love that first principles thinking. At the same time, you have a group of folks at the Fed who are starting to consider and think about the same thing. And I think we've seen that now, with some of the rule proposals or some of the policy proposals that the Fed has done through the federal register, talking about scale of fintechs and when should they allow non-bank type access? Or quasi banks, because the OCC's special charter I think is still rolling around. And you can be a credit card bank. You can be special purpose bank, a merchant bank, et cetera, under the OCC. People forget about that because it hasn't been done in a while, but those things are still out there.

What I would say for folks who are trying to watch or read the tea leaves, my guess is that if somebody has a Master account, they'll tell you. The other thing you might do is, if you can figure out a way to check the ABA register, the ABA maintains a registry of the ACH and routing numbers. You might watch and see what kind of names are in there. A couple of things that I have heard about on this space are that generally, the ABA will only let somebody who's got a Master account, today a bank, put their name on the ACH numbers or on the... I'm going to call it a bin. I'm blanking now on what it is. Too much stuff in my head.

But the ABA routing number is going to say something like Chase Bank or a Vault Bank. But if you keep an eye out and watch, my guess is that if a fintech gets a Master account, it's not going to say that anymore. It's going to say Brex or Square or Stripe or something like that, or Rapid. Along those lines. And so that's one way to look at it. Now, I have no idea how operationally check that registry, but my guess is that banks at least have that superpower. So if you're in banking or friends with a banker, you might be able to go look that up if it's not public. And I apologize, I just don't know off the top of my head.

The other thing to keep in mind is that some folks may not necessarily need Fed Master accounts, because you may find helpful partners.That'll do things. I know over time, Wells Fargo has offered virtual bank account numbers and other things. I think those products have gotten reined in. I think Citi was looking at some of the same things as well. I wouldn't be shocked if we see more of these come out. And obviously there's a lot of great fintechs out there. Reggie and I are friends and in regular touch with the founders who are building really interesting things on top of just the legacy infrastructure, but that help create some of those special things.

So Master accounts, understand why people want them. I don't know that you can figure out yet who's got one. And I think if somebody does have one, it's because they have a bank-like charter. But very good question and very timely, obviously, because we've seen it come up, including in some congressional areas lately. Reggie, any other thoughts on that from your end?

Reggie Young: No, I think you covered all the key points.

Matt Janiga: All right. I love this last question from Steven Walter. Do you want to kick it off for us?

Reggie Young: Yeah. Hardest hitting question for the end. So, question from Steven. What class of hotel do regulators stay at when examining a fintech? My first idea was maybe Four Seasons.

Matt Janiga: You joke, Reggie, but there's a couple of things here. Because I know when someone comes on site for a week or two weeks, there's a lot of downtime and sometimes you're going to make small talk with them, or it's helpful to make small talk. You got to fill gaps, et cetera, waiting for somebody to come in for a meeting or presentation. So I have actually picked at this and uncovered it. Couple of things. One, a lot of fancy hotels including, I believe, the Four Seasons, will have a government rate. So it is actually possible to book. In fact, it's a perk if you're employee of government, state or federal, and you're traveling, you can ask sometimes for the government rate and get it, and stay in some pretty nice places at a discount, which is nice.

The other thing is, they do have budgets. So I know the Holiday Inn in San Francisco, which is close to Market Street, back when I worked on Market Street. Not necessarily the best neighborhood and safe neighborhood, but not a lot of stuff to do. There might be some needles around and stuff like that. That actually was a big one for regulators. I forget if it was because they had a contract with the Holiday Inn or the Holiday Inn would honor the government rate, or if it was just because that's what would be in budget.

The other thing is, sometimes you'll see regulators get hit with a strict budget. And so, especially if they're coming to town, like San Francisco, during Oracle's convention or Salesforce's convention, they are actually staying outside of the city. They're in Oakland, or one time I think there was a regulator that I knew, was staying in South San Francisco. [inaudible 01:09:02] used to live there. A separate city, by the way, from San Francisco. But the regulator would stay there, closer to the airport, because it was the only place they could get it in rate, and they'd take a cab in every day to come into the office, which is interesting. Very good question. The answer is, regulators, just like all of us, stay in moderately priced, family friendly budget hotels. Unless you're Reggie and you're a regulator, then you can stay at the Four Seasons.

Reggie Young: Great. Well, this has been awesome. This has been a fun episode and I hope you listeners got some good education out of it.

Matt Janiga: Absolutely. Thank you all for listening and we'll see you soon on Fintech Layer Cake. Reggie, should we go get that cake out of the fridge?

Reggie Young: Oh yeah, we should do that. I'm hungry.

Matt Janiga: Oh, it's so good. But let's not tell Bo. I think he ate too much last time.

Reggie Young: Wasn't it for his birthday? Wasn't that his birthday cake?

Matt Janiga: Ah. You can keep your lawyers and rules.

Reggie Young: Thanks for joining us on the Fintech Layer Cake podcast. We hope you learned something useful today.

Matt Janiga: Fintech Layer Cake is sponsored by Lithic, the fastest and most flexible way to launch a card program.

Reggie Young: If you're hungry for more content about fintech, regulation, compliance cards and payments, we have all kinds of information on our website, from light snacks to full course meals and cake.

Matt Janiga: Check the other episodes of Fintech Layer Cake podcast on all streaming platforms today.

Highlights

What are regulations?

Reggie: Regulations are rules of the road that protect customers and markets. Legislators pass laws, and sometimes those laws give powers to regulators to do things like handle licensing or fill in the details that a law didn't cover, or otherwise just make rules about whatever is needed.

Where does legislation/regulations come from?

Reggie: There are few ways, the first of which is uniform law committees. These are groups of lawyers that come together to draft and update prototypical legislation or model laws, as they're known. One of the most common ones is the Uniform Commercial Code, which is a model law about contracts and secure transactions. A second source of legislation is state regulators, who can advocate for their preferred laws.

Matt: And it's also important to call out and not forget about, because it can impact your business, that companies and lobbyists are also another source of changes in laws.

Why should fintech founders and operators care about regulators and regulations?

Reggie: Messing up with regulators can lead to big fines or even end your business. LendUp is a recent example. Regulators took issue with their business practices and ultimately forced the company to stop making loans and shut down.

What are the structures the government can use to drive regulation and oversight?

Matt: That's going to be politicians, other regulators and others. This is effectively what FDSC insurance is. It helps make sure that you stay upright. State insurance laws are also very similar. They're set up to structure, so that way, if there's a problem with that state insurer, consumers who have paid premiums, in some cases for many, many years, aren't left holding the bag and left without protection.

Consumer protection is historically driven by disclosures. And there's some debate, especially as the crypto world is seeing some turbulence right now, about how effective those disclosures can be.

Reggie: There's also securities and commodities regulatory schemes. These are mainly meant to protect investors from fraud and generally make sure the markets are staying healthy on a federal level. The SEC sets requirements for securities registration and disclosure. But states can also have their own securities laws. These are typically called blue sky laws, and fintech startups encounter these regimes pretty quickly, since you generally need to file disclosures whenever you fundraise.

You should talk to a lawyer if you're doing something like building a broker dealer, which is what Robinhood is, or if you're fundraising.

How do you know if you're regulated?

Reggie: First, identify what product you have that might require regulation. Not all products require regulation. Two examples:

  1. In lending, some states will exempt you if your product is under a certain interest rate threshold or you don't require recourse.
  2. Another example is in payments. Some states will look at your money transmitter applications and tell you actually aren't regulated. Wisconsin used to do this a lot. Similar states didn't regulate B2B payments products, but those laws have generally changed since, to include them.

Figure out your product, including any disclosures, and identify if you need a state license. Registration is like an RSVP. Licensing is like a contract with the state.

What do you do during your waiting period after filing your application?

Matt: Here's a couple of tips on how to manage your waiting period. One is get organized. You're going to want to keep track of each state and when you last contacted them. Tap somebody internally, make sure you keep a spreadsheet and understand when you're reaching out to them, when the last contact was and where you left off.

Try not to do any complicated business changes when you're in your waiting period, especially with a larger state like New York. This includes changing your name, changes in your officers and directors if you can help it, or changes to your product suite.

What happens if you get mail from a regulator?

Reggie: Don't freak out. Next, figure out what it's about and how serious it is. Is this a routine inquiry? Are they just going on a fishing expedition to explore unfamiliar tech to them? You're going to want to talk to your lawyer, who may also want to reach out to outside counsel as expertise in these sorts of letters.

If you get a letter that's more serious:

  1. Ask, "Does this regulator even have the authority to ask what they're asking about?" If they don't, then you don't need to engage with them. You want a lawyer to help you figure that out though because you want to make sure you're right on that. Even if they don't have authority, it could still be a good idea to engage thoughtfully
  2. Negotiate. Point out if an ask is infeasible. It's okay to push back and ask for more time.
  3. This is a classic lawyer tip. Don't volunteer info about your products or business if it hasn't been specifically asked for.

Check out our post Fintech Regulations and Compliance: State Regulators for more on state regulators.

If you liked this episode, subscribe to the podcast on your favorite podcast app and give us a review on iTunes.

About Fintech Layer Cake

Fintech compliance. It can be complicated and overwhelming — even if you've been in the industry for a while. But what if there was a podcast that made learning about it a piece of cake? That's what Fintech Layer Cake is about.

It's hosted by two popular fintech lawyers, Matt Janiga and Reggie Young. In each episode, they use their experience from working at companies like Lithic, Stripe, Square, and BlueVine to break down some of the toughest topics in fintech.

Listen on iTunes, Spotify, or your favorite podcast app.