Fintech Regulations and Compliance: State Regulators
With so much regulatory scrutiny happening in the BaaS space right now, we’ve prepared this guide to help you navigate regulations and avoid any unwanted attention from regulators.
Regulators protect customers and markets from wrongdoing. Sometimes, they even protect fintechs from themselves.
If things go wrong, someone ends up having to clean up the mess (and it’s usually the government). This is where investigations, settlements, and bailouts come into play – all things nobody wants their business to be involved in.
Failing to comply with regulations can also lead to big fines, reputational damage, stricter regulations, and even business shutdowns.
- Misstepping with regulators can lead to big fines or even the end of a business. Pushing legal boundaries too hard, like using potentially misleading marketing or miscategorizing products, can get you into more trouble than it’s worth.
- State regulators have the most impact on fintechs since they’ve been increasing disclosure requirements, which vary by state. States can also have securities laws, typically called “blue sky laws,” necessary to comply with when fundraising.
- When interacting with regulators, identify your products that require regulation or disclosures, check and apply for licenses, then wait for your review.
- Some products may require disclosures even if they aren’t regulated. Even if you work with a bank partner, some states will require disclosures. And others will require registration when engaging in certain activities.
- Tips for interacting with regulators: figure out if you need to engage, negotiate the request, and only answer what's asked.
Why should fintechs care about regulators?
Misstepping with regulators can lead to big fines or even the end of a business.
LendUp is a recent example. Regulators took issues with LendUp’s business practices and ultimately forced the company to stop making new loans and shut down.
Lately, federal and state regulators have increased scrutiny due to many companies pushing legal boundaries, including misleading marketing suggesting a fintech could have a bank charter when it doesn’t, or offering products that could be considered loans without having a lending license.
Historically, fintechs have not been subject to the same type of regular, direct supervision as banks. Much of the attention from regulators has previously centered around how sponsor banks ensure their fintech partners comply with BSA/AML and UDAAP requirements.
As a result, some BaaS players have been told to stop onboarding new fintech clients.
Now that regulators are looking at fintechs more closely, many companies are looking to de-risk their business by working with BaaS providers that have multiple bank partners, shopping around for better program managers, and tightening up their onboarding processes.
Pushing legal boundaries is more trouble than it’s worth
Some states are taking decisive action against fintechs.
Currently, California and Illinois are litigating neobanks describing themselves as banks. Connecticut and Minnosota both have cases against a different fintech for what it calls "unlicensed lending." And in a case brought by the Attorney General of Washington, D.C., a fintech was required to pay $1.5 million in restitution because of what the district called "exploitative interest rates."
The bottom line: pushing legal boundaries can get you in more trouble than it's worth. Look for proactive ways to interact with regulators and get ahead of any potential issues.
Types of State Regulators
Regulators compete for licensees and charter holders in their own mini marketplace. The two high-level buckets here are:
- state vs. federal
- bank vs. non-bank
State vs. federal regulators
Each state sets up their own regulators, and what those regulators have authority over can vary. Some state regulators don’t have a lot of power over financial products and services sold to businesses. Above all of the states, there’s a level of federal — or national — regulators like the U.S. Securities and Exchange Commission (SEC), who oversee securities issues across the country.
Bank vs. non-bank regulators
Bank regulators are primarily concerned with ensuring the banking system can hold up under stress. Non-bank regulators are generally more focused on protecting consumers and making sure markets are working well. They regulate issues like deceptive advertising and handle regimes like lending licenses.
It’s worth noting that state banks have a choice between being regulated by the Fed or the FDIC system, in addition to their relevant state’s bank regulator. We’re focused on state banks here, but federal banks are regulated by the OCC.
As non-bank entities, fintechs need to be aware of non-bank regulation, but it’s worthwhile to pay attention to bank regulators since fintechs partner with banks to operate.
Securities and commodities regulatory laws
These laws protect investors from fraud and make sure the markets are staying healthy on a federal level. But states can also have securities laws, typically called “blue sky laws.” Fintech startups run into these fairly quickly since disclosures need to be filed when fundraising.
How do you make state regulators’ jobs easier?
Regulators care about three main things:
- Safety and soundness
- Customer protection
- Investor protection
When regulators get curious about your company, it’s because they’re trying to understand how your fintech differs from what they're used to seeing from legacy companies like Fiserv and TSYS.
In our experience, it’s better to get ahead of that curiosity by taking a proactive approach. Attend the open office hours some regulators host and ask them questions. Draft a statement thoughtfully explaining how your business is structured, how you operate, and what products or services you provide to give context whenever you communicate with regulators.
Here are some ways you can be proactive:
- Identify your products that require regulation. Not all products require regulation. For example, some states will exempt a lending product if it stays under certain interest rate thresholds. Others might simply take a look at your money transmitter applications and say you’re not regulated. If you don’t know whether your products are regulated, ask your lawyer or hire an outside counsel to provide guidance.
- Figure out if your products require disclosures. Some products require disclosures even if they aren’t regulated. Small business (SMB) lending disclosures have become a big trend with state legislators. These will apply to most SMB term loan and credit substitute products that don’t revolve. Even if you work with a bank partner, some states will require these disclosures. And others will require registration when engaging in these activities.
- Check if you need a state license. Offering regulated products often triggers licensing requirements — this is different from registration. Licensing is like a contract with the state that obligates you to follow certain requirements and submit to periodic inspection. For example, New York requires licenses for money transmission and lending above certain interest rates.
- Apply for licenses. Fill out the appropriate forms and mail them in or acquaint yourself with the proper submission portal such as the Nationwide Mortgage Licensing System (NMLS).
- Follow up and avoid major changes. Licensing can take years, depending on your state. But while you wait, avoid any complicated business changes and keep track of when you last contacted each state. And it’s okay to politely follow up with regulators for a projected review time. Working with outside counsel or consultants who specialize in licensing projects since they’ll know how to pre-empt licensing staff concerns and potentially expedite your review.
What happens if you get mail from a regulator?
First, don’t be alarmed. Figure out why they’re contacting you and how serious it is. Is this a routine inquiry? Are they just looking to explore tech unfamiliar to them?
Depending on the types of questions and whether the regulator has clear enforcement powers over your product, you and your lawyer may really engage outside counsel that has expertise in these types of letters because this can get sensitive.
But sometimes, regulators send inquiry letters to hot companies and products just to learn about the upcoming tech. I’ve received these types of requests from regulators at various places that we’ve worked at through the years.
For example, a few years ago, California regulators asked SMB loan and merchant cash advance (MCA) providers to voluntarily share data about the activities that they were up to.
They were trying to get information about the market to understand what was going on, how big it was, and how it lined up with some complaints they were receiving in order to assess whether there was any harm or outsized risk for SMB providers.
While recipients of these requests may have been initially concerned, significant regulatory consequences were generally not reported.
Tips for responding to regulators
Here are a few tips from our experience interacting with regulators.
- Figure out if you need to engage. You want a lawyer to help you figure out if the regulator even has the authority to ask what they're asking about. If they don't, then you don't need to engage with them. Even if they don't have authority, it could still be a good idea to engage thoughtfully.
- Negotiate the request. Often, regulatory letters will request various minute details returned in an unreasonable time period. Point out if an ask is infeasible. Push back and ask for more time. Asking for more time can actually be a good negotiating tactic, for example, you may be able to wait to respond until a politicized issue becomes less politicized.
- Only answer what's asked. This is a classic lawyer tip. Don't volunteer info about your products or business if it hasn't been specifically asked for.
If you’re hungry for more about regulatory content, listen to our latest Fintech Layer Cake podcast episode “Fintech State Regulators.”