Financial technology (fintech) continues to be one of the fastest growing industry sectors globally.
Various estimates put the amount of money invested in the global fintech sector in 2018 at more than $30 billion – a figure that is likely to be toppled by even greater funding levels this year.
Three of the fastest growing subsectors within the fintech market are financing platforms, Open Banking and Cloud-based products and services.
As with any rapidly evolving industry, bottlenecks have emerged in the wider fintech ecosystem which has grown up to support businesses based on innovative technologies, as not all parts of the sector develop at the same pace.
Errors in understanding are quick to proliferate and create problems for both early stage and established businesses at crucial points in their growth cycles.
Here, we look at some of the issues facing financing platforms, Open Banking and Cloud, from a legal perspective, and suggest ways of circumventing potential pitfalls.
Designing a successful financing/funding platform
Don't scrimp on regulatory compliance
Although usually established to provide access to familiar types of products and services – such as loans and mortgages – financing platforms are, by nature, highly innovative.
Therefore, establishing detailed regulatory analysis of your particular type of platform from the start is key.
Businesses which look similar on the surface often have different features.
These can include their sources of funding, the underlying asset base, sales model and whether the platform itself provides the servicing or whether this is outsourced.
These differences can affect the regulatory treatment of the platform and, if the platform operates in multiple countries, the regulatory analysis will be different in each jurisdiction.
In some cases, new businesses may set parameters on their activities and funding sources so that they do not require financial authorisation.
In other cases, they may welcome regulation, viewing it as positive for their industries generally and for investor perception.
Any assumptions anyone in the fintech industry may have held that regulators would apply a light touch to new technology-based financing models have been proved wrong.
For example, in the UK, the Financial Conduct Authority (FCA) continues to develop the regulatory framework for crowdfunding platforms.
In July 2018, it published a 156-page review of loan-based ('peer-to-peer') and investment-based crowdfunding platforms, advocating increased governance and risk management requirements.
The FCA has also hinted that it is considering imposing restrictions on the kinds of investors who participate in crowdfunding platforms, with the objective of protecting retail investors.
More recently, on 7 March this year, the FCA published a "Dear CEO letter", requesting owners of crowdfunding platforms to review their wind-down arrangements in the event that their platforms cease to operate
Regulatory action has also increased, with high profile cases in the last year of financing platforms entering administration or being placed under special supervision, following interventions by the FCA.
Structure your platform for institutional investment from the outset
Regulatory compliance is the first thing that an institutional funder will ask about when considering whether to invest in a new funding platform.
In addition, institutional investors will conduct full due diligence on customer documentation, policies and procedures.
They will also look for structural weaknesses in the funding platform, for example, whether cashflows from the assets they finance would be legally segregated if the platform becomes insolvent.
They will also assess the potential impact of the platforms' insolvency on the servicing and outsourcing arrangements for the portfolio.
Producing documentation and a legal structure which will satisfy institutional funders adds to start-up costs, but is always advisable.
First, even financing platforms which are open to retail investors will typically take at least a portion of their funding from institutions. According to the most recent report into the Alternative Finance Industry by the Cambridge Centre for Alternative Finance, 40% of all P2P Business Lending in 2017 was made by institutional investors.
Second, even if a financing platform's business model is not dependent on institutional investment, going through the due diligence process is a valuable discipline for the business.
Differentiate yourself to institutions
Lenders have commented that the majority of lending, servicing and reporting tools available to them are out of date and incompatible when it comes to checking customers' eligibility for products such as loans and mortgages; keeping up with regulation; and for reporting on loan-level data.
This has led to an explosion of financial services platforms and software as a service (SaaS) clients offering solutions and "borrower portals", all of which come under the fintech umbrella.
Consequently, competition between these platforms and solutions is fierce.
Successful fintechs can differentiate themselves by:
- Offering solutions to legacy systems
Fintechs focusing on lending need to make themselves the partners of choice for the more innovative lenders by demonstrating the ability to monitor compliance with funding requirements, track changes in regulations and generate audit and investor reports.
- Prioritising business continuity
Institutions with the capability to either fund fintechs or pay for SaaS require business continuity to be prioritised.
Ensuring your solution has a backup provider that can step in if your platform or service fails is essential.
- Making lending easy
Most of the current crop of fintechs are highly specialised on delivering specific solutions, which presents lenders or funding institutions with the often unattractive prospect of buying in different services from a patchwork of suppliers.
As a result, any fintechs that can offer a one-stop-shop for lenders or financial institutions are likely to be the most successful at securing buy-in.
Know your AML-obligations
One of the common misconceptions is fintech clients thinking that, because they are not FCA-regulated, this means they do not have to perform anti-money laundering (AML) checks in accordance with the regulator's AML rules.
Regardless of who you believe, or know, your customers to be, it is still a criminal offence not to perform AML checks if you should be doing them.
The aim of the UK's AML regime is to ensure businesses have a clear picture of who they are taking money from and who they are lending money to.
AML rules touch many kinds of activity where money is handled.
Unfortunately, the UK's AML rules are not always easy to navigate for those who are unfamiliar with them, which can make it tricky for businesses trying to be compliant.
Before accepting customers' applications, companies have to try, as far as is reasonably possible, to ascertain what the sources of funds are and what the intentions for deploying them might be.
Once you have on-boarded your customers, you then have to monitor their activities on an ongoing basis. The intensity with which you monitor a customer depends entirely on how risky you think they are, based on your initial AML analysis.
Don't rely on automation alone
Many businesses ask if the time-consuming process of AML checks can be automated.
To some degree, it can.
However, if you fail to tune your AML systems properly, they can throw up false positives, which require more time to check and amend than it would take to do the AML checks manually in the first place.
On top of this is the fact that AML rules are constantly being updated (see the EU's increasingly long list of guidance and secondary legislation regarding Money Laundering Directives) in an attempt to keep pace with ever more sophisticated criminal activity.
International bodies and individual countries publish and continually amend lists of countries which they consider present higher AML risks.
It is also necessary to look for "politically exposed persons" (PEPs) and people from internationally sanctioned countries, as well as others with adverse track records – although it is worth noting that different national lists may be highly partisan.
While some of these lists are public, many can only be accessed through private databases which have to be paid for.
Once you have access to the relevant data, you need to ask the right questions and interpret the data in a meaningful way – an exercise which, at present, is difficult to automate.
Scoring systems are useful for narrowing down lists of people who warrant further investigation, but this is not infallible.
It is important to adopt a "security by design" approach to AML when it comes to fintech.
This means embedding AML and know-your-customer (KYC) checking systems into your technology at the outset of designing a new product.
Open Banking – where are we now?
Levelling the playing field
In 2016 the UK's Competition and Markets Authority (CMA) finalised its investigation into the retail banking market.
It found that the UK's older and larger banks (collectively referred to as the CMA9) do not have to compete hard enough for customers' business and smaller and newer banks find it difficult to grow.
The "solution" was Open Banking – a reform which obliges all UK-regulated banks to share customers' financial data (such as bank, credit card and savings statements) with authorised providers, if customers gave their banks permission to do so.
The managed roll-out of Open Banking began in January 2018, coinciding with the EU's second Payment Services Directive (PSD2) coming into force in the UK.
Open Banking was promised as a way to level the playing field between the CMA9 and new challenger banks and financial services companies, which provide a combination of account information portals, credit analysis tools and access to savings and investment opportunities.
A new ecosystem of technology providers has also developed to support new entrants deciding whether to buy or build their own infrastructure.
Despite the opportunities presented by Open Banking, there have remained challenges for new entrants and 2019 will present some real tests to the development of the market.
Below are some of the issues new entrants need to consider:
Working with the CMA9
Cultivating relationships with the CMA9, making sure both sides can make use of each other's interfaces properly, is essential.
While the European Banking Authority (EBA) and Open Banking Initiative Entity (OBIE – the body created by the CMA in 2016 to deliver Open Banking) standards are intended to guarantee access to data, building platforms around access to bank data inevitably means close co-operation.
Consider what approvals you need
Once you have decided what authorisation you need for your particular fintech, you need to apply to the FCA.
Depending what kind of approval you need, the process is not always straightforward and, as the FCA handles a high number of applications, each one can take months to go through the system.
Get your security right
Work to improve the security of payment services platforms is continuing in 2019 and organisations will be required to implement strong customer authentication requirements from 14 September 2019 (although exemptions do apply for some types of transactions).
Companies that have set up a dedicated interface for the purposes of strong customer authentication need to be aware that there are certain KPIs and service level standards that need to be met – plus an obligation to set up contingency measures in the event that your dedicated interface is unavailable (unless you have consent from the regulator).
Think about consent frameworks
Under the EU General Data Protection Regulation (GDPR), explicit consent is required for processing personal data for the purposes of payment services.
Many may not be getting the boundaries right as to where explicit consent is required, how it is obtained in the consent frameworks for user interfaces and where other grounds for lawful processing (such as legitimate interests) may suffice.
This risks becoming a minefield following recent actions by regulators under data protection law, however seeking advice from privacy experts on consent frameworks should help companies navigate potential data protection pitfalls.
Closing knowledge gap(s)
Cloud computing is an essential part of fintech and most data platforms.
Many institutions are looking to execute digital transformation through Cloud services at the payments and Open Banking end of the market.
The Cloud is proving a key technology for fintechs and challenger banks and is being adopted more and more by larger institutions.
The Cloud is an incredible enabler; however, the speed of change in regulation, Cloud and SaaS offerings means many institutions still do not fully understand the Cloud and, equally, many Cloud service providers do not understand institutions.
This is creating a gap in understanding and is slowing down both sides from realising the benefits of the Cloud.
But 2019 could be a critical tipping point for fintechs and for institutions who embrace the Cloud.
As more institutions adopt Cloud services, there is more ability to bridge the gap and to get deals done.
Take steps to understand Cloud as a user and a provider
Some institutions now have a strong in-house capability and a mature risk assessment approach for Cloud providers.
However, there is still frequently a degree of education needed on the customer side when it comes to negotiating Cloud deals.
Equally, while the global cloud platforms are adopting regulatory compliant solutions, many SaaS and cloud providers do not understand the requirements placed upon their customers.
The present gap in understanding is leading to delay and unnecessary complexity in cloud deals.
New Cloud guidance from the FCA and the EBA is a welcome step towards helping customers and suppliers better understand what the regulatory requirements are.
We recommend firms and fintechs adopt the guidance to take on board what regulators find to be acceptable practice in areas such as service level agreements (SLAs), security, oversight and audit.
In addition to the FCA and EBA guidance, a raft of other regulation is impacting more specialist Cloud services, including Open Banking and PSD2.
Guidance and regulation in these areas provides useful parameters for firms to be confident in and the fintech sector to abide by and demonstrate compliance with.
If institutions close the education gap internally and establish a risk assessment model, while fintechs reflect the latest guidance in their services and terms, this will lead to faster and more constructive negotiations and reduce the risk of deals going off the tracks.
For more information on our services for fintech companies or for businesses seeking to partner with fintech providers, please contact the article's authors.
Sign up to our email digest