One lesson fintechs should learn from the prepaid industry is that financial regulators will come directly to them if there are any regulatory violations assoicated with their products. They cannotoffload complaince to their bank partners.
So, how can start-ups create effective compliance programs with limited resources?
It’s a question many founders struggle with because compliance is more than just a good set of documents. It’s critical to get compliance right because history shows us what could happen.
For example, in 2013, the Federal Deposit Insurance Corp. (FDIC) placed a consent order and assessed a civil money penalty against Achieve Financial Services LLC, a prepaid program manager. Hhow could the FDIC do this when Achieve was not a bank?
The Federal Deposit Insurance Act gives banking regulators the right to take action against any non-bank third party that is an “institution-affiliated party.” The definition includes:
- any independent contractor (including any attorney, appraiser, or accountant) who knowingly or recklessly participates in:
- any violation of any law or regulation;
- any breach of fiduciary duty; or
- any unsafe or unsound practice which caused or is likely to cause more than a minimal financial loss to, or a significant adverse effect on, the insured depository institution.
This means that like prepaid program managers, so-called challenger banks or neobanks can be subject to direct action from regulators when they are working with a third-party bank to deliver services.
Banks already know they are not immune from regulatory scrutiny from their partners, and in the case of Achieve, the regulators also laid a consent order and civil money penalty on the issuing bank.
Fintechs that want to succeed would benefit from taking the time to read the consent order against Achieve. It details the expectations that the banking regulator had for a non-bank entity. Some of the provisions would be worth adding to a compliance program well before a consent order. A few of the actions required of Achieve included:
- Developing a risk-based compliance management system and comprehensive written compliance program;
- Including compliance matters in the communication between the board and company personnel;
- Training appropriate personnel on compliance.
Additionally, as shown by the RushCard penalties in 2015, the Consumer Financial Protection Bureau (CFPB) has taken up the mantle of enforcing most consumer financial protection laws. Nonetheless, it is worth noting that the Achieve action was taken two years after the CFPB’s founding, and the actions that led to the enforcement action also took place after the CFPB was created.
Regardless of who the governing regulator is, fintechs need to realize that once they are handling consumers’ money, they need to have in-house compliance programs. They cannot depend on third-party banks alone to comply with consumer protection and anti-money laundering rules, or the Bank Secrecy Act for them.
And that brings us back to our initial question: How can start-ups create effective compliance programs with limited resources?
Fintechs need to take a comprehensive look at their risk and ask how the risk is being mitigated. Additionally, a small or medium fintech can’t run a gigantic compliance or risk program. But there are steps you can and must take – because for a financial service product, compliance issues could mean the end to an innovative product.
With that in mind, the first step may be as simple as a phone call to your banker, another banker or legal and compliance experts who can help fintechs assess the organization’s product and quickly pinpoint the biggest risk areas, which will differ from fintech to fintech.
The next step is designing your compliance program, when fintechs need to ask themselves:
- What due diligence is neccessary with partners?
- Does the compliance program have a methodology?
- Is there employee training for compliance?
- Who will be the champion for compliance in the organization?
- How will errors be tracked and corrected?
- Do we need to hire someone to help with compliance?
As history has shown, neglecting compliance can be a costly endeavor. Instead, collaborating with banks and compliance experts before trouble emerges can keep fintechs from repeating history.