Ed Silverstein, Legaltech News
Erin Fonte, an attorney at Dykema Gossett, explains
the “5 Stages of FinTech Startup Grief.”
Startups need to consider a lot of risks when thinking about financial technology. In a recent interview with Legaltech News, Erin Fonte, an attorney at Dykema Gossett, explained that many tech companies—located in places like Silicon Valley; Austin, Texas; or North Carolina’s Research Triangle—often will try to build new products out as quickly as possible. It is known as covering the basics of their “minimum viable product” (MVP) roadmap, she said.
“Companies think that they will come back later
and fix some of the legal niceties once the product has legs and a user base,”
according to Fonte. “However, we caution startups that if you are getting into
the world of financial technology, understand you are entering a highly
regulated space where … federal and state regulators are focused on the
underlying activity that you are engaged in. Failure to make your products
compliant by design and address these issues on the front-end can have serious
consequences on the back-end.”
She warned that these can include delaying launch,
enforcement actions and civil monetary penalties from regulators, a “cram
down” in valuation from an acquirer who will have to make fixes, and sometimes
even criminal penalties.
“You cannot just say ‘so and so is doing it’ and
expect that to be an excuse when regulators come knocking,” she said.
“Benchmarking has no value when the other company has been equally lax.”
Startups also need to remember they will likely
face privacy and data security concerns.
“Security is a huge issue that you will have to
address,” Fonte said. “If you are going to store, process or transmit credit or
debit card information, that raises Payment Card Industry – Data Security
Standard (PCI-DSS) compliance issues.”
The reality is that many attacks are blocked
daily by major banks and online financial companies. “Many FinTech companies
that want to partner with banks are shocked the first time they see the bank’s
due diligence checklist for working with third parties, and how much of that
checklist is focused on cybersecurity,” Fonte said. “But, when you hook up to
the bank, your product’s vulnerability essentially becomes their vulnerability,
and banks and financial institutions are required by law to vet the security of
their third party vendors. And to do that, the bank wants to see security
audits, such as SSAE16, or SOC 1 or SOC 2, on your systems, including your
hosting provider if you are using a cloud hosting provider.”
When it comes to privacy, there is the issue of
gathering and using information from your consumers or other customers, too. For
instance, using geolocation raises privacy issues and permissions that
customers have to provide, according to Fonte.
“If you want to mine the big data of your
services and sell to unaffiliated third parties, that is going to raise
opt-in/opt-out laws and issues,” she said. “And you are going to be surprised
that there are actually contractual restrictions on what you can and cannot do
with data you may receive from third parties, such as card networks.”
Moreover, many newer companies are surprised to
learn how regulated their work is. “Financial services is one of
the three most heavily regulated industries in the U.S.—energy and healthcare
being the other two,” Fonte said. Fonte calls the learning process on this the
“5 Stages of FinTech Startup Grief.” She says it includes:
· Denial: Here a company will say it is “just pushing a button on the app”
and “using technology to move money.” Also, “funds are only in our bank account
for a split second. How can that be regulated?”
· Anger: It comes when finding out there could be things like criminal penalties
for unlicensed money transmissions.
· Bargaining: That leads these new companies to think (inappropriately) about
designing around or hacking around the regulation or licensing requirements.
· Depression: That comes from spending money on legal costs and delaying
launch dates.
· Acceptance: This is realizing that the licensing requirements and potential
criminal penalties are real, and companies need to get compliant.
There is also an issue related to “money
transmission,” Fonte said. When this relates to state and federal laws, it
means “you taking money from Party A, moving it through a bank account that you
own or control (where you or your company is the signer, and even for a split
second), and promising to send it to Party B. If so, then that falls within
most state and federal definitions of ‘money transmission,’” Fonte said.
Businesses may need to register for money
transmission licenses in the states in which they are offering services. “And
for online or mobile, that is all 50 states unless you do not offer services
based on zip code or other geographic screening of the user,” Fonte said. She
adds that the typical costs for obtaining money transmission
licensing in all 50 states can range from about $250,000 to $500,000, and the
process can take up to a year. In many states, companies need to provide bonding, too.
Overall, financial technology has gotten a lot
of attention from investors in recent years, so startups understandably want to
get their products to market soon, but they need to proceed with caution.
Otherwise, there could be stumbling blocks from regulators and others.