5/9/19 - A Brave New World Governed by the Same Old Rules: Why Fintechs Need to Take Compliance Seriously

By Mike Sullivan and Chris Seigle

Like other startups, fintech companies[1] must confront difficult decisions when it comes to allocating limited funds and resources. Particularly in their nascent stages, firms face tremendous pressure in the quest for growth, additional funding, and — if all goes well — profitability, while simultaneously endeavoring to meet operating costs and deliver to customers. It’s understandable, given these challenges, that a young fintech company might focus its spending on the areas that most directly affect the firm’s bottom line, such as product development or sales, while putting off significant investment in managing compliance and regulatory risk. After all, compliance (e.g., anti-money-laundering) is costly to maintain and does not directly generate revenue. Put simply, the value proposition of building a robust compliance program is not always clear.

Such thinking, though, is dangerous. Generally, fintech firms operate in a highly regulated space. This often sets fintechs apart from other disrupters in that matching borrowers and lenders or facilitating the sale of a financial instrument is fundamentally different from, for instance, matching a rider and driver or a homeowner and carpenter. Any firm that competes or partners with traditional financial services companies — like banks, brokerages, or exchanges — is likely engaged in a regulated activity. The restrictions and obligations associated with such activity are numerous, including, just to name a few, provisions relating to registration, reporting, disclosure, supervision, and advertising. Failure to properly mitigate the risk of noncompliance will sooner or later come at a significantly larger cost than that of building a robust program in the first place, be it in the form of fines, loss of business opportunities, expensive and complicated large-scale program overhauls, or a lower valuation.

An Evolving Regulatory Landscape, Sort of

As fintech continues its dramatic expansion[2] and fintech firms increasingly compete and/or partner with traditional financial services companies, regulators and lawmakers have begun grappling with the implications of this new frontier. In the fall of 2018, for example, the U.S. Securities and Exchange Commission launched its Strategic Hub for Innovation and Financial Technology[3] to serve as a resource to market participants and the public for information regarding SEC actions and initiatives in the fintech space, as well as a forum for engaging directly with SEC staff. Similarly, in 2017, the Commodity Futures Trading Commission introduced LabCFTC,[4] an effort to promote collaboration between the CFTC and innovators in the commodities and futures markets and to educate fintech companies on the CFTC’s regulatory framework and oversight approach. Banking regulators have also joined this movement,[5] which includes the Consumer Financial Protection Bureau’s launch in July 2018 of its new Office of Innovation, and the Office of the Comptroller of the Currency’s decision that same month to accept applications for special-purpose national bank charters from non-depository fintech companies.[6]

Yet, as financial regulators have sought to bring fintech companies into the fold, they have also made clear that these firms remain subject to the same standards governing their more conventional peers. A variety of recent enforcement actions underscore this notion, including:

  • A Financial Industry Regulatory Authority action against the broker-dealer subsidiary of an online robo-adviser for violations of customer-protection, books and records, and supervision rules[7]
  • Numerous SEC actions against entities involved in the issuance and trading of digital-asset securities[8] (The SEC also recently published a framework for determining whether digital assets, including those issued through initial coin offerings, constitute securities and are therefore subject to federal securities laws.[9])
  • A Financial Crimes Enforcement Network action, along with a parallel action by the U.S. Attorney’s Office for the Northern District of California, against a virtual currency exchanger for its failure to register as a money services business and implement an adequate AML program[10]
  • A CFPB action against an online lender for violations of consumer financial protection laws relating to misleading claims and inadequate customer-disclosure and credit-reporting practices[11]
  • A CFPB action against an online payment platform for deceiving customers about its data security practices and the safety of its payment system[12]
  • A Treasury Department Office of Foreign Assets Control action against a prominent online payment service for its failure to screen payments against OFAC sanctions lists[13]

Further complicating matters, fintech companies must contend with evolving standards relating to privacy and cyber. Last year, for example, the Federal Trade Commission fined the parent company of a popular payment application for inadequate customer disclosures and violations of the Gramm-Leach-Bliley Act’s safeguards and privacy rules.[14] In an earlier FTC action, a company that operated websites aimed at connecting personal loan applicants with lenders reached a $104 million settlement with the FTC over charges that it unlawfully collected and sold sensitive personal information, ultimately leading to the company’s collapse.[15] Moreover, the European Union’s sweeping General Data Protection Regulation imposes strict requirements — and severe penalties for noncompliance — on any entity that collects or processes the personal data of an individual in the EU. This past summer, California passed a similar measure, the California Consumer Privacy Act, which codifies numerous rights and restrictions aimed at protecting the personal information of California residents.[16]

Finally, fintech companies increasingly face pass-through regulation from their private-sector partners. This is especially true for companies that rely on traditional banks for safeguarding customer funds or routing payments. Because the banks themselves must enact measures to prevent the misuse of their services, they often undertake a rigorous vetting process to verify that their fintech partners maintain robust and well-documented compliance and AML programs, both prior to commencing the business relationship and on an ongoing basis thereafter.

Invest Now or Pay Later

Fintech companies risk serious short- and long-term consequences for failing to invest in compliance at an early stage. For starters, a weak compliance program increases the likelihood of violating one or more rules, and thus of regulatory actions and lawsuits. Any fines, settlements, or other financial penalties can be costly, and navigating the enforcement or other legal processes requires considerable time and resources and creates an unwanted distraction. The associated reputational damage can erode public trust and impede a company’s ability to attract and retain customers, business partners (including traditional market players like banks and brokerages), and investors. Regulatory actions also frequently result in an order or agreement requiring the firm to overhaul its compliance program anyway and go through the onerous process of demonstrating to the regulator that the terms of the order or settlement have been satisfied. Moreover, a firm that lands itself in the regulatory doghouse in its early years can find it difficult to escape. Greater regulatory scrutiny means more time and money dealing with inquiries and enforcement actions. In short, it is easier to build a reputation for compliance than repair it.

Additionally, waiting too long to invest in compliance tends to compound the difficulty involved in getting up to speed. When something eventually goes wrong — an increasingly likely prospect as a firm grows — the cost and effort required to fix the problem, and the complexity of the solution, increase exponentially with the degree of neglect. If serious issues present, a company may find itself scrambling to make urgent, wholesale changes to its compliance setup in order to satisfy external stakeholders and meet operating targets on schedule. These efforts often require third-party vendors and consultants, new systems, and additional personnel, as well as the time and attention of employees throughout the organization, and place undue, largely avoidable stress on the firm. And, of course, a hasty or complicated rollout is more prone to error and inefficiency than a deliberate, forward-looking approach. Rather than waiting for problems to manifest, a young company would do well to account for compliance risks from inception and build out its programs incrementally and proactively as the business and regulatory landscape evolves.

Finally, compliance and regulatory issues can affect a fintech firm’s valuation, and, consequently, its ability to raise capital or locate a buyer. A firm that has failed to implement an effective compliance program, even while managing to avoid scrutiny, cannot evade discovery indefinitely as it contemplates a sale, initial public offering, or additional funding. Potential acquirers, private equity and venture firms, and other market participants regularly engage experts to assess the strength of the target’s compliance risk management program as part of the due diligence process. This process includes a comprehensive review of the target’s disciplinary history, policies and procedures, governance framework, systems, personnel, training, compliance risk assessments, and other key components of the program, as well as the degree to which the program conforms to regulatory and industry expectations. Unsurprisingly, the risks arising from any weaknesses, and the costs associated with remediating them, factor into the target price. Critical shortcomings may disqualify an acquisition target entirely where the risks and remediation costs outweigh potential returns.

Start Early and Revisit Often

The right approach to compliance investing can help fintech companies avoid costs, maximize value, and pursue new business opportunities. Above all else, firms should establish a robust compliance risk management program as early as possible and develop a plan to adjust course as the business and regulatory environment evolve. While no two programs are identical, an effective compliance framework should contain the following elements:

  • Policies and Procedures. A firm must document in writing how it manages compliance risk and make these documents available to employees. Policies and procedures should identify the risks arising from relevant obligations and unlawful or other prohibited conduct and clearly describe roles and responsibilities in controlling for them. Each policy or procedure should be assigned an owner responsible for periodically reviewing and updating it and describe the process for doing so.
  • Obligations and Controls Inventory. A firm should identify and catalog the laws, rules, and regulations applicable to its business and the corresponding internal controls it maintains to mitigate risks arising from those obligations. The obligations and controls inventory is a compliance program’s foundational element — after all, a firm cannot design effective controls without first identifying its risks. The inventory should be updated regularly to reflect changes to the business or applicable regulations.
  • Compliance Risk Assessment. Firms should conduct periodic compliance risk assessments to determine their most important compliance risks. Following its risk-assessment methodology, a firm assigns ratings to its compliance risks using a predetermined set of inputs, such as the amount of business subject to a particular obligation and the potential financial or reputational harm in the event of a compliance breach. After obtaining the “inherent” risk score, each risk is then reevaluated in light of the controls associated with it to produce the “residual” risk score. This score aids the firm in identifying areas requiring new or enhanced controls and in focusing limited resources on the highest-risk areas. Done correctly, these risk assessments also empower a firm to take smarter risks and boost its business prospects.
  • Compliance Monitoring and Testing. Firms should enact a compliance monitoring and testing program to provide ongoing risk-based, independent oversight, validate adherence to compliance obligations, and identify control weaknesses. A monitoring-and-testing program seeks to identify actual instances of noncompliance and guides the development and execution of corrective action plans to prevent future breaches.
  • Resources and Skills. Firms should adequately staff their compliance function with individuals possessing the knowledge and expertise to properly manage the firm’s compliance risks in light of the business’s size and complexity. In addition, a firm should establish a formal training program, to be updated and delivered periodically, to educate all relevant personnel on the key compliance risks facing the firm and their obligations to control for them.

Fintech companies are already revolutionizing the financial services industry. However, their continued success depends on their ability to recognize their status as regulated entities. A healthy and robust regulatory regime reinforces public trust in the industry and ultimately benefits both consumers and financial services companies, even if navigating it requires ongoing resources and attention. By building an effective, forward-looking, and right-sized compliance program, a fintech company can demonstrate to regulators, customers, and investors that it can weather compliance risks and remain a viable player in the industry for the long term.

How Promontory Can Help

Promontory is uniquely qualified to help fintech companies design and implement right-sized and forward-looking compliance risk management programs. Our fintech group comprises a number of industry experts and former regulators.


1. Much has been said about what the term “fintech” really means. For our purposes, it refers broadly to young, non-public, technology-centered companies seeking to compete with more established players in the financial services space.

2. According to a report by the U.S. Department of the Treasury, between 2010 and the third quarter of 2017, 3,300 new financial technology firms were founded, with global financing growing thirteen-fold to reach $22 billion. Over this same period, lending by fintechs increased from providing 1% to 36% of all U.S. personal loans.

3. “SEC Launches New Strategic Hub for Innovation and Financial Technology,” Securities and Exchange Commission (Oct. 18, 2018).

4. “CFTC Launches LabCFTC as Major FinTech Initiative,” Commodity Futures Trading Commission (May 17, 2017).

5. Consumer Financial Protection Bureau

6. “OCC Begins Accepting National Bank Charter Applications From Financial Technology Companies,” Office of the Comptroller of the Currency (July 31, 2018).

7. FINRA AWC No. 2015048047101

8. Case No. 18CV2287-GPB(BLM), U.S. District Court for the Southern District of California (Feb. 14, 2019). Also see “Statement on Digital Asset Securities Issuance and Trading,” SEC (Nov. 16, 2018), which summarizes several recent cases.

9. “Framework for ‘Investment Contract’ Analysis of Digital Assets,” SEC (April 3, 2019).

10. “FinCEN Fines Ripple Labs Inc. in First Civil Enforcement Action Against a Virtual Currency Exchanger,” Financial Crimes Enforcement Network (May 5, 2015).

11. “CFPB Orders LendUp to Pay $3.63 Million for Failing to Deliver Promised Benefits,” CFPB (Sept. 27, 2016).

12. “CFPB Takes Action Against Dwolla for Misrepresenting Data Security Practices,” CFPB (March 2, 2016).

13. Settlement Agreement, U.S. Department of the Treasury.

14. “PayPal Settles FTC Charges that Venmo Failed to Disclose Information to Consumers About the Ability to Transfer Funds and Privacy Settings; Violated Gramm-Leach-Bliley Act,” Federal Trade Commission (Feb. 27, 2018).

15. “FTC Halts Operation That Unlawfully Shared and Sold Consumer’s Sensitive Data,” FTC (July 5, 2017).

16. Harvard Business Review, What You Need to Know About California’s New Data Privacy Law, https://hbr.org/2018/07/what-you-need-to-know-about-californias-new-data-privacy-law