Fintech in the USA

DLA Piper - David Whitaker, Margo H. K. Tank, Andrew Grant, Kate Lucente, Jeffrey L. Hare, Victoria Lee, David D. Luce and Edward Johnsen

What is the general state of fintech innovation in your jurisdiction, including any notable trends, innovations, innovators and future prospects?

The United States is home to a vast variety of fintech companies and initiatives. US companies are leading innovators in the development and deployment of:

• virtual currencies;
• blockchain-based technologies;
• electronic payments; and
• digital delivery of consumer and commercial financial products and services.

Notable trends include:

• the growing use of digital delivery channels as the primary or exclusive means of delivering financial products and services;
• the introduction of a wide range of person-to-person and consumer-to-business electronic payment systems;
• the widespread availability of marketplace and alternative loans;
• the innovative pricing of automobile insurance through use of electronic monitoring of driving habits;
• easy-to-implement financial account aggregation and investment analysis through online service providers; and
• capital fundraising through digital strategies such as crowdfunding and initial coin offerings (ICOs).

Future prospects are generally positive. The United States has a long history of encouraging business innovation. Consumers and businesses have ready access to sophisticated digital devices and delivery channels. However, because financial activities are subject to regulation by both the federal government and individual states, fintech products and services may be more complicated and more expensive to implement than in some other countries.

Key technologies

Have there been any particular developments – regulatory or commercial – in any of the following fintech sectors?

(a) Distributed ledger technology and digital currencies (eg, blockchain, smart contracts and Bitcoin)?

Federal regulatory developments Regulating ICOs Both the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) have taken the position that they can regulate cryptocurrencies and similar products as securities or commodities respectively, depending on the attributes of the particular product. Further, the Financial Crimes Enforcement Network (FinCEN) has stated that it likewise may have jurisdiction to regulate cryptocurrency companies that engage in money transmission. An ICO is a means for companies to raise capital by selling a crypto token in exchange for Bitcoin or Either (or sometimes fiat currency).

The SEC concluded that ICOs can be securities offerings if the token meets the definition of an ‘investment contract’ under US law and as such, must be registered or sold pursuant to an exemption from registration. Many individuals in the ICO industry contend, and some at the SEC have agreed, that certain tokens should be considered ‘utility’ tokens and thus outside the SEC’s jurisdiction.

The SEC has warned that ICOs present many risks (eg, promising guaranteed returns) and that customers should be wary when investing. The SEC has initiated numerous actions against companies that have failed to register or comply with exemptions before selling their ICOs. Allegations of fraud are also frequently included within these enforcement actions. This will be an area of continued interest for the SEC and will likely remain a dynamic area of securities law in the coming years.

The CFTC’s jurisdiction arises when a virtual currency is used in a derivatives contract or if there is fraud or manipulation involving a virtual currency that is traded in interstate commerce. Like the SEC, the CFTC has engaged in enforcement actions against individuals and companies that were allegedly involved in fraudulent virtual currency schemes. The CFTC has issued advisories warning customers of the risks involved with virtual currency trading.

FinCEN’s role is to enforce compliance with the Bank Secrecy Act, and its jurisdiction covers financial institutions, which is defined broadly and includes money transmission. Because money transmission itself is broadly defined – the acceptance and transmission of value that substitutes for currency, including virtual currency) – FinCEN regulates not only fiat, but also virtual currency transmission.  Regarding ICOs, FinCEN has stated that it expects any ICOs that fall within its jurisdiction to comply with their Bank Secrecy Act and anti-money laundering requirements.

State regulatory developments Uniform Regulation of Virtual Currency Business Act and state actions The Uniform Law Commission (ULC) completed a draft Uniform Regulation of Virtual Currency Business Act in July 2017. The act would require a licensee to maintain compliance programmes that include procedures to prevent:

• fraud;
• money laundering; and
• the funding of terrorist activities.

Each US state may consider adopting the Uniform Regulation of Virtual Currency Business Act, either with changes or as it stands. Before the approval of the act, a handful of states, including New York, Oregon and Tennessee, enacted legislation defining virtual currency and requiring money transmitters dealing in the exchange of US dollars with virtual currencies to obtain licences.

State regulation of virtual currency and smart contracts In 2017 and 2018 numerous state legislature proposed bills to regulate virtual currency and Bitcoin, as well as to draw virtual currency and Bitcoin businesses to their jurisdictions. One prominent state initiative was from Delaware, which amended the Delaware General Corporation Law to allow companies to maintain shareholder information on a blockchain. Further, Delaware corporations using distributed ledger technology (DLT) for their stock ledgers can use this as the basis for their required investor communications. As further examples (not an exhaustive list), Arizona, Nevada, Vermont and Wyoming also passed laws promoting the use of virtual currency and Bitcoin and DLT. Arizona recently enacted laws that:

• define and support blockchain technology for public use, including recognising smart contracts;
• expand the scope of blockchain technology transactions to apply to certain written corporate transactions; and
• adopt a regulatory sandbox programme that allows companies to test new products and technologies without need of a licence.

Nevada enacted a law recognising the legality of smart contracts and prohibiting the state from imposing taxes, fees or other requirements on the use of virtual currency and Bitcoin. Vermont implemented a law providing for broader business and legal application of DLT. Wyoming also passed five laws that expand the use of blockchain technology in the state, including:

• exempting virtual currencies from the money transmitter laws;
• exempting utility tokens from securities and money transmission laws; and
• amending its business law to allow for the use of DLT in various corporate scenarios (eg, to accept shareholder votes).

This remains a robust area for state legislation and it is expected that numerous additional laws will be passed in the coming years addressing the use of blockchain technology.

(b) Alternative lending platforms?

Alternative lending platforms continue to receive great interest (and scrutiny) from both federal and state regulators. A major issue that state regulators have focused on concerns their ability to regulate the terms of a loan made within their state, even when the alternative lending platform partners with a bank (typically referred to as a bank partnership model) that is headquartered in another state (and thus able to export that state’s interest and fees). In addition to lending, companies which use alternative data to help underwrite loans have garnered regulatory interest. Below is a discussion of some recent newsworthy events.

U3C v Avant and Marlette In January 2017 the Colorado Uniform Consumer Credit Code (UCCC) administrator filed lawsuits against Marlette Funding and Avant to shut down the bank partnership model that they employed within the state, taking the position that consumer loans offered by those online lenders in Colorado cannot exceed the rates permitted for a state-supervised lender (ie, 21% Annual Percentage Rate). Marlette and Avant partnered with New Jersey-based Cross River Bank and Utah-based WebBank, respectively, to offer consumer loans through an online lending platform. The UCCC administrator claimed that once the loans were purchased by Marlette and Avant, they became subject to Colorado rate limitations and were usurious. The UCCC administrator also claimed that state banks cannot assign their interest rate pre-emption authority to non-bank partners when they purchase the loans. The administrator identified the following factors to argue that the non-bank partners had the predominant economic interest in the transactions:

• The non-bank partners paid the bank's costs associated with the initiation of the lending programme, as well as the marketing costs.
• The non-bank partners decided which applicants would receive loans, applying lending criteria established by Marlette and Avant and their respective bank partners.
• The banks bore little or no risk of financial loss in the event the borrower defaulted on the loan.

Cross River and WebBank have since also sued the UCCC administrator.

OCC’s proposed fintech charter The Office of the Comptroller of the Currency (OCC) fintech charter has been a hot topic for some time but it was not until 31 July 2018 that the OCC stated that it would begin accepting applications for national bank charters from non-depository fintech companies engaged in the business of banking. To assist fintech companies, the OCC released a policy statement, in which it stated that companies “engaged in the business of banking should have a path to become a national bank, provided they meet the rigorous standards necessary to become and succeed as a national bank”. The OCC also released a Licensing Manual Supplement, which “provides detail on how the OCC would evaluate applications for a special purpose national bank charter from fintech companies”. Before the OCC formerly announced that it would accept applications, some states had challenged its regulatory authority (eg, New York, but that case was dismissed because the OCC had not started accepting applications). Therefore, now that the OCC has said that it will begin accepting applications, states may renew their lawsuits.

Upstart receives no action letter from CFPB Since its inception, Upstart has used alternative data in its underwriting models and the models themselves have relied heavily on artificial intelligence. It has never been completely clear that the use of this data was in alignment with all fair lending laws. Therefore, Upstart applied for a no action letter from the Consumer Financial Protection Bureau (CFPB) which was received in September 2017. This means that the CFPB has essentially validated Upstart’s use not just of alternative data but of the underwriting models themselves.

(c) Digital payments, remittances and foreign exchange?

See above and below.

(d) Alternative financing (including crowdfunding)?

ICOs In brief, an ICO is a means for companies to raise capital by selling their underlying crypto token in exchange for Bitcoin or Either (or sometimes fiat currency). Start-ups raised $5.6 billion through ICOs in 2017. By mid-September 2018 ICO funding reached $14.3 billion.

As discussed above, ICOs may be considered securities offerings and subject to US securities laws and regulations.

Crowdfunding Equity crowdfunding under the Jumpstart Our Business Startups Act has been slow to take off; some companies opt for Reg A+, but that also has not caught on. The SEC published a bulletin to educate investors on crowdfunding.

(e) Investment, asset and wealth management?

The SEC has announced that it will host a roundtable on the proxy process in November 2018. The roundtable is expected to provide SEC staff an opportunity to engage with market participants on topics, including:

• the voting process;
• retail shareholder participation; and
• the role of proxy advisory firms.

In advance of the roundtable, the staff withdrew two no-action letters issued in 2004 (Egan-Jones Proxy Services, SEC staff letter (27 May 2004) and Institutional Shareholder Services, Inc, SEC staff letter (15 September 2004). These letters were cited extensively in the staff’s 2014 Legal Bulletin Number 20, “Proxy Voting: Proxy Voting Responsibilities of Investment Advisers and Availability of Exemptions from the Proxy Rules for Proxy Advisory Firms”, within which the staff emphasised the significant and ongoing duties of investment advisers relating to, among other things, voting client proxies and retaining proxy advisory firms. The withdrawal of the two 2004 no-action letters is seen as an attempt to open up a discussion at the roundtable around the importance and influence of proxy voting services on the proxy voting practices of investment advisory firms.

The SEC staff provided updated answers to frequently asked questions relating to Rule 206(4)-2 under the Investment Advisers Act 1940 (the Custody Rule). Prior guidance had identified circumstances in which a custodial agreement between a client and qualified custodian, to which the client's adviser is not a party, may permit the adviser to instruct the custodian to disburse or transfer funds or securities. In response to a question about such inadvertent custody, the staff stated that an adviser that does not have a copy of a client's custodial agreement, and “does not know, or have reason to know whether the agreement would give the adviser ‘inadvertent custody’”, need not comply with the custody rule with respect to that client's account provided that such inadvertent custody would be the sole basis for a determination that the adviser has custody. However, the staff noted that this position would not apply where the adviser “recommended, requested, or required a client's custodian”.

(f) Robo-advice and artificial intelligence?

Robo-advice SEC publishes guidance update for robo-advisers The SEC has published information and guidance for investors and the financial services industry on the fast-growing use of ‘robo-advisers’, a catch-all term for investment advisers that use computer algorithms to provide investment advisory services online, often with limited human interaction.

In light of the unique issues raised by robo-advisers, the SEC’s Division of Investment Management issued a guidance update on 23 February 2017 for investment advisers with suggestions on how robo-advisers can best comply with disclosure, suitability and compliance obligations imposed by the Investment Advisers Act of 1940.

A second publication, an investor bulletin issued by the SEC’s Office of Investor Education and Advocacy, provides individual investors with information that they may need to make informed decisions if they consider using robo-advisers.

Requirement to act in client’s best interest US advisers are subject to fiduciary duties from a number of sources depending on the type of advice given and the type of adviser giving it. The Massachusetts Securities Division (MSD) has stated that robo-advisers and traditional advisers have the same fiduciary duty. However, the MSD and the SEC have raised questions over the ability of robo-advisers to comply with the duty and hold themselves out to be fiduciaries. The MSD is particularly concerned that from its research it appeared to be usual for robo-advisers not to perform any significant due diligence on client circumstances which is needed to make appropriate investment decisions.

Massachusetts issues guidelines for using third-party robo-advisers In April 2016 the Massachusetts Securities Division issued a policy statement with respect to the fiduciary obligations of state-registered advisers providing robo-advice. The MSD has now issued further regulatory guidance in a new policy statement with respect to the use of third-party robo-advisers by state-registered investment advisers. The MSD noted the significant growth in popularity of third-party robo-advisers and the increasing number of state-registered investment advisers working with third-party robo-advisers.

The new guidance describes minimum disclosure that state-registered investment advisers using third-party robo-advisers must provide to investors to meet Massachusetts regulatory requirements, including:

• clearly identifying the robo-advisers and explaining their services;
• notifying investors that, when applicable, they could get the services directly from the robo-adviser without paying additional fees to the state-registered investment adviser;
• describing the value provided to the investor by the state-registered investment adviser;
• specifically identifying the services that the state-registered adviser cannot perform (eg, having no ability to access, select, change or customise the portfolio structure or investment products at the robo-adviser);
• identifying limitations of available investment products offered to the client through the robo-adviser; and
• using customised, easy-to-understand disclosure language.

Investment advisers must charge an advisory fee that is reasonable in light of fees charged by others providing essentially the same services. An investor is usually charged a fee by both the investment adviser and the robo-adviser based on a percentage of the investor’s assets under management. Massachusetts state-regulated advisers must demonstrate the value behind the fees that they charge on top of the robo-adviser’s fees, such as specialised knowledge of the products or the investor’s personal circumstances.

(g) Any other technologies?

 N/A.

Regulatory issues

Regulatory approach

How would you describe the regulatory policy for fintech products and services in your jurisdiction?

While the US government generally supports fintech innovation, it heavily regulates financial products and services provided to consumers – although this generally focuses on the contracting process and the delivery of information. Regulations restricting permissible terms and conditions for financial products and services also exist (particularly for consumer loans and insurance products), but are less prevalent. The United States also regulates many providers of financial products and services.

The United States employs a two-tier structure for regulating financial products and services – with statutes establishing general rules and regulations issued by government agencies often providing more detailed rules and guidance. In some circumstances, non-governmental entities may also issue rules that are quasi-regulatory.

The federal government actively regulates most financial products and services – in many cases, the federal regulation is extensive and complex. In addition, individual states (and the District of Columbia) may establish their own statutes and regulations – provided that the state rules do not conflict or interfere with the applicable federal rules. These additional state rules are not always the same in all jurisdictions and in some instances may even conflict with each other. Federal and state regulations may focus on the providers of the services or on the terms and conditions of the services themselves.

With respect to providers, the provider’s activities will frequently trigger licensing or registration requirements at the state or federal level, or sometimes both. Statutes and regulations may also address the provider’s financial condition and operations.

The features of the product or service being offered often trigger other specific regulatory requirements. The focus of these requirements is not usually on the technology used to deliver the product or service. Instead, the starting point for analysing applicable laws and regulations usually involves identifying the nature and purpose of the product or service. For example, when evaluating the regulations applicable to alternative lending products, the regulatory focus will be on:

• the terms and purpose of the loan;
• the location of the lender;
• the location of the borrower; and
• whether the intended borrower is an individual or a business.

The fact that the product or service may be delivered through an online or mobile channel or utilises innovative technology, such as a blockchain or advanced artificial intelligence, will usually be a secondary consideration.

With respect to those financial products that are considered securities, the Securities and Exchange Commission (SEC) requires entities acting as brokers or dealers in securities (ie, in the business of buying and selling securities for or of others (‘broker-dealers’), to register with the SEC and become members of the Financial Industry Regulatory Authority (FINRA)). Broker-dealers are subject to many detailed SEC and FINRA rules and regulations concerning their:

• business practices;
• capital and financial stability;
• handling of customer assets; and
• regulatory reporting.

Each state imposes similar requirements.

In addition, because many existing US regulations assume that financial transactions will be conducted on paper, applying those rules to fintech products and services can sometimes be challenging. To address this issue, the federal government has adopted the Electronic Signatures in Global and National Commerce Act. The act authorises the use of electronic records and signatures in commerce, even when existing regulation would require the transaction to be conducted on paper. The act applies to federal and state law unless the state has adopted an equivalent statute. Most states have adopted equivalent laws, usually in the form of the Uniform Electronic Transactions Act. However, the Electronic Signatures in Global and National Commerce Act and the Uniform Electronic Transactions Act have exclusions, and certain states have adopted additional exclusions and limitations of their own.

These acts differ from the electronic signature statutes adopted in some other countries, because they focus less on issues relating to the identity of the signatory and more on issues relating to the agreement to use electronic signatures and records, presentation, record integrity and retention. Therefore, in the United States, the number and types of effective electronic signatures is broad, but the enforceability of signed agreements often depends on other considerations relating to the electronic signing process itself.

Fintech involves not only the delivery of financial services, but also the development, licensing and deployment of technology solutions. For the most part, the establishment of formal IP rights (eg, patents, trademarks and copyrights) is regulated by the federal government. Licensing of intellectual property usually involves a mixture of federal and state law. 

Have any fintech-specific laws or regulations been enacted in your jurisdiction? Are any envisaged?

Certain jurisdictions have enacted a licensing or chartering regime for cryptocurrency. For example, New York has the Bitlicence and has charted special purpose trust companies that engage in cryptocurrency exchange activities.

Regulatory authorities

Which government authorities regulate the provision of fintech products and services?

The number and variety of federal and state authorities that may regulate fintech products and services is substantial and depends on the nature of both the provider and the product or service. Some federal regulators include:

• the Consumer Financial Protection Bureau (covering virtually all financial products and services for consumers);
• the Federal Reserve Board of Governors (covering bank holding companies and processing of certain payments);
• the Federal Deposit Insurance Corporation (covering insured deposits at banks and credit unions);
• the Federal Housing Authority (covering residential mortgage loans);
• the Office of Federal Housing Enterprise Oversight (covering residential mortgage loans);
• the Federal Financial Institutions Examination Council (covering the examination of most licensed or chartered financial institutions);
• the Financial Crimes Enforcement Network (covering financial institutions, including money transmitters);
• the SEC (covering investment securities); and
• the Commodity Futures Trading Commission (covering commodities, including many virtual currencies).

At the state level, relevant regulators usually include:

• state banking departments;
• consumer protection agencies;
• secretaries of state; and
• state securities commissions.

Quasi or non-governmental entities that also perform some de facto regulatory functions include:

• the FINRA (covering investment brokers and dealers);
• the National Automated Clearing House Association (covering certain electronic fund transfers);
• the Federal National Mortgage Association (covering residential mortgage loans);
• the Federal Home Loan Mortgage Corporation (covering residential mortgage loans); and
• the major debit and credit card networks (including VISA, MasterCard, American Express and Discover).

Financial regulatory framework

Which laws and regulations governing the provision of financial services apply to fintech businesses?

The laws and regulations governing fintech businesses are extensive. Statutes governing fintech are often accompanied by implementing regulations. These statues and regulations may address the products or services themselves or related issues (eg, licensing or registration, money laundering or data use).

At the federal level, a non-exhaustive list of statutes and regulations addressing financial products and services includes:

• the Electronic Fund Transfer Act and Regulation E;
• the Equal Credit Opportunity Act and Regulation B;
• the Fair Credit Reporting Act and Regulation V;
• the Expedited Funds Availability Act and Regulation CC;
• the Truth-in-Savings Act and Regulation DD (covering deposit accounts);
• the Truth-in-Lending Act and Regulation Z (covering consumer loans);
• the Graham-Leach-Bliley Act and Regulation P (covering privacy);
• the Securities Act 1933;
• the Securities and Exchange Act 1934; and
• the Commodities Exchange Act.

Other federal statutes that are not directly aimed at financial products and services, but may significantly affect fintech, include:

• the Electronic Signatures in Global and National Commerce Act and the Uniform Electronic Transactions Act;
• the Americans with Disabilities Act (covering the accessibility of online and mobile services to people with disabilities);
• the Telephone Consumer Protection Act (covering the use of autodialers and recorded calls to communicate with consumers via telephone);
• the Controlling the Assault of Non-solicited Pornography and Marketing Act (covering the use of email to market to consumers);
• the Federal Arbitration Act (permitting parties to agree in advance to mandatory arbitration for many consumer and commercial disputes); and
• US laws relating to patents, trademarks and copyright.

State statutes affecting fintech products and services often include state banking laws, including laws governing bank branching, use of video tellers and ATM/kiosk placement and usage. Most states also have statutes prohibiting certain unfair and deceptive acts and practices – these statutes are often broadly written and allow considerable latitude for interpretation by US courts. Many states also have separate laws governing the use of electronic records in connection with notarised documents and real estate records.

Under what conditions are fintech businesses subject to licensing requirements? Are there any exemptions?

Fintech businesses that are engaged in providing money transmission or exchange services or that are acting as lenders or brokers must be licensed. Typically, if the activity is otherwise regulated, the fact that it is being provided by a technology company does not avoid the need for a licence.

Are any fintech products or services prohibited in your jurisdiction?

No.

Data protection and cybersecurity

What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?

US privacy law is a complex patchwork of privacy laws and regulations addressing specific industries, communications media or marketing methods, supplemented by a backdrop of federal and state prohibitions against unfair or deceptive business practices and state laws that specifically address privacy and security of personal information. US law does not generally restrict cross-border transfers of personal data, aside from certain government and tax information.

Generally, companies that operate websites, mobile applications and other online services that collect personal information must have a privacy policy posted on the respective online service, pursuant to several state laws and guidance from the Federal Trade Commission (FTC). The privacy policy should, among other things, describe:

• how personal information may be collected;
• how it is used and disclosed; and
• how individuals may access or update personal information.

It is also necessary to disclose how third parties (eg, advertising networks) may collect personal information about consumers who visit or use a company’s website, app or service.  

Sector-specific laws The United States has taken a sectoral approach to data privacy, adopting statutes or promulgating regulations in areas that it deems to be of specific concern, including:

• financial data;
• credit data;
• health information;
• telecoms data;
• student records;
• children’s information; and
• email, telephone, fax and SMS marketing.

Consequently, some industries are subject to extensive regulation, while others are subject to privacy and security regulation under unfair and deceptive business practices, including the following:

• Financial privacy – the Gramm-Leach-Bliley Act applies to financial institutions and governs the collection, use, disclosure and safeguarding of ‘non-public personal information’ belonging to consumers. The definition of ‘financial institution’ is broad and may apply to companies (ie, non-banks) offering consumers finance plans or lines of credit for personal, family or household purposes. Financial institutions subject to the act:

o must provide their customers with an annual privacy notice;

o are limited in how they may use and share non-public personal information;

o must provide adequate safeguards for non-public personal information; and

o must notify regulators and customers in the event of a data security breach.

• Credit information – both federal and state laws require protections for, and strictly limit the use of, consumer reports (ie, credit reports and background checks). Consumer reports include any information provided, in any medium, by a consumer reporting agency that will be used for decisions related to consumer credit, employment or insurance purposes. Individuals may obtain a consumer report from a consumer reporting agency only if they have a permissible use for the data and must use adequate safeguards and properly dispose of the consumer report information. If a person takes an adverse action against a consumer because of information contained in a consumer report (ie, denies credit or employment), the person must provide the consumer with a written notice. Federal law provides consumers with a private right of action for the misuse of their consumer reports. Federal regulations also apply to business reporting data (eg, financial transactions) to consumer reporting agencies requiring such businesses to ensure the reported information is accurate and to investigate consumer disputes.

Unfair or deceptive acts or practices The FTC regulates privacy and data security under Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices in commerce. The FTC has become increasingly focused on data privacy and security legal actions against organisations for not living up to their stated privacy and security promises or for failing to adequately protect personal information.

In evaluating whether entities are engaging in unfair and deceptive trade practices, the FTC examines whether the entity has provided appropriate notice to consumers about its privacy or other practices that are in question. The FTC has found that a failure to provide appropriate notification about the information collected and/or the failure to abide by representations made in privacy policies (including those about the security of information), as well as a failure to have in place adequate security measures are unfair and deceptive trade practices.

Similar to the Federal Trade Commission Act, each state has statutes prohibiting unfair or deceptive acts or practices in commerce that are enforced by the state attorneys general. These ‘mini-Federal Trade Commission Acts’ are often used by state regulators to regulate privacy and data security.

State laws Each of the 50 US states has its own consumer privacy and protection framework. Myriad state laws address privacy-related issues, including requirements for:

• safeguarding data;
• storage of data;
• privacy policies;
• employee privacy;
• education privacy;
• appropriate use of social security numbers; and
• data breach notification.

State statutes typically track the location of the data subject; therefore, even if a business does not have operations or employees in a given state, it is still likely to be subject to the privacy and data security laws in the state if it has individual customers in that state.

What cybersecurity regulations or standards apply to fintech businesses?

Entities operating in regulated industries (eg, financial, health and telecoms) are generally subject to sector-specific data security regulations.

Several states generally require all entities that hold personal information about state residents to implement data security protections for that information. Generally, these laws require businesses to:

• implement and maintain reasonable security procedures and practices appropriate to the nature of the information;
• protect the personal information from unauthorised:

o access;

o destruction;

o use;

o modification; or

o disclosure; and

• securely destroy personal data.

Some states impose more specific security obligations; for example, Massachusetts’ data security regulations impose specific data security requirements and set forth minimum security standards for computer systems. Massachusetts and Nevada laws also require certain more sensitive personal information to be encrypted when transmitted wirelessly, on portable media or outside the physical or logical controls of a company. In addition, some states have adopted portions of the Payment Card Industry Data Security Standard into their data security laws and some states require entities that hold personal information to impose contractual provisions requiring service providers to protect personal information that is shared.

Data breach notification All US states and the District of Colombia, Puerto Rico, Guam and the US Virgin Islands require organisations to provide notices to consumers and in some states, to state regulators and consumer reporting agencies, in the event of a data breach. Notification triggers and exceptions vary by state. All states with breach notification laws require notice if the information breached includes a state resident’s name in combination with:

• a social security number;
• state identification or driver’s licence number; or
• financial account information.

Some states include other types of personal information as a trigger (eg, health information, biometrics, login credentials, tax ID or date of birth). The timing for providing notice varies by state.

Financial crime

What anti-fraud, anti-money laundering or other financial crime regulations govern the provision of fintech products and services?

Certain aspects of anti-money laundering regulations, such as sanctions compliance and criminal liability for money laundering, apply universally to businesses and people in the United States. However, the applicability of requirements to adopt and follow an anti-money laundering programme to a fintech company with key elements such as risk assessments, know your customer, transaction monitoring, currency reporting and suspicious activity reporting is determined by an assessment of whether the company meets the definition of a ‘financial institution’ for the purposes of the Bank Secrecy Act and its implementing regulations adopted by the Treasury’s Financial Crimes Enforcement Network (FinCEN). It is often the case that activities performed by fintech firms, whether money transmission, currency exchange, prepaid access or other activities, cause them to fall within that definition.

What precautions should fintech businesses take to ensure compliance with these provisions?

The first steps would be to review the products and activities of the fintech firm to see whether it meets the definition of a financial institution for the purposes of the Bank Secrecy Act. One of the most useful tools for such a review is a funds flow diagram depicting how money moves within the firm’s products. If so, there are often regulatory exemptions, opinions and guidance issued by FinCEN, which may allow for the firm either to satisfy an exemption or to modify its products or activities in order to do so. Some states, such as New York, also seek to affirmatively apply the Bank Secrecy Act to fintech firms regulated at the state level. This can effectively obviate the utility of an exemption at the federal level as it relates to products offered or activities conducted in that state.

Consumer protection

What consumer protection laws and regulations apply to the provision of fintech products and services?

Federal consumer protection laws and regulations applicable to fintech include:

• the Electronic Fund Transfer Act and Regulation E;
• the Equal Credit Opportunity Act and Regulation B;
• the Fair Credit Reporting Act and Regulation V;
• the Expedited Funds Availability Act and Regulation CC;
• the Truth-in-Savings Act and Regulation DD (covering deposit accounts);
• the Truth-in-Lending Act and Regulation Z (covering consumer loans); and
• the Graham-Leach-Bliley Act and Regulation P (covering privacy).

Other federal statutes addressing consumer protection that are not directly aimed at financial products and services, but that may significantly affect fintech, include:

• the Electronic Signatures in Global and National Commerce Act;
• the Americans with Disabilities Act (covering the accessibility of online and mobile services to people with disabilities);
• the Telephone Consumer Protection Act (covering the use of autodialers and recorded calls to communicate with consumers via telephone); and
• the Controlling the Assault of Non-solicited Pornography and Marketing Act (covering the use of email to market to consumers).

State laws addressing consumer protection often target specific products or services, and vary from state to state. Most states also have statutes prohibiting certain unfair and deceptive acts and practices – these statutes are often broadly written and allow considerable latitude for interpretation by US courts.

Compliance with consumer protection statutes or regulations may not be waived or avoided by agreement with the consumer, unless the statute or regulation specifically permits the waiver.

Competition

Does the provision of fintech products or services in your jurisdiction raise any particular competition regulatory concerns?

N/A.

Cross-border regulation

Are there any particular regulatory issues concerning the cross-border provision of fintech products and services (eg, operating jurisdiction rules and currency controls)?

Some regulatory issues concerning the cross-border provision of fintech products and services include the following:

• The regulation of cross-border payments remains inconsistent, but no major changes occurred in 2017 (see ).
• In 2017 digital wallets continued to emerge as a universal way to make payments.
• The Electronic Payments Association (NACHA) proposed various modifications to its Operating Rules as relating to cross-border payments (see ).
• In late 2016 the Consumer Financial Protection Bureau (CFPB) issued its remittance transfer rule, an amendment to Regulation E, which establishes disclosure, error resolution and other requirements for depository institutions that offer cross-border remittance transfer services. On 5 October 5 2016 the CFPB issued its final prepaid account rule, also part of Regulation E, which sets out consumer protection rules for prepaid accounts, including prepaid cards used for cross-border payments. The final rule makes several revisions to the rules governing remittance transfers in Regulation E that are intended to continue the current application of those rules to prepaid products. The effective date for the provisions of the prepaid account rule that affect the rules regarding remittances is April 2018 (see ).
• In April 2017 the “Report to Congress on the Use of the ACH System and Other Payment Mechanisms for Remittance Transfers to Foreign Countries from the Federal Reserve” was released, which documented the state of the regulatory environment for cross-border payments (see ).

Financing, investment and government support

Government support

Does the government provide any incentives or support programmes to promote fintech innovation in your jurisdiction (eg, tax incentives, grants and regulatory sandboxes)?

Arizona passed regulatory sandbox legislation that allows companies to launch products on a limited scale to test their services, business models and delivery mechanisms without incurring traditional regulatory costs and burdens. Arizona began accepting applications for its sandbox in August 2018.

Has the government concluded any international cooperation agreements to promote and facilitate the cross-border expansion of fintech businesses?

The Cooperation Arrangement between the US Commodity and Futures Trading Commission and the UK Financial Conduct Authority states that “in order to enhance mutual understanding, identify market developments and trends, facilitate innovation with respect to financial technology ("FinTech"), and foster the use of technology for more effective and efficient regulation and oversight of financial markets and participants”.

Financing and investment

What private financing and investment schemes are available and commonly used for fintech start-ups in your jurisdiction?

From a legal perspective, raising capital for fintech start-ups is much the same as for other venture capital and emerging growth companies. However, the investor base may be smaller or more concentrated given the specialised nature and regulatory complexity of many fintech companies. In some cases, the more limited scope for growth of fintech companies (eg, projected valuation capping out at $100 million to $200 million) may deter ‘unicorn-hunting’ venture capital firms seeking that magic billion-dollar valuation. However, the nuts and bolts of fintech financing are not that different from other start-ups. Most initially raise money from family, friends and angel investors in a seed round, before hopefully proceeding to series investment rounds until the much-hoped for exit – which is almost always a merger or acquisition and not an initial public offering. Unfortunately, most fintech companies, like most start-ups, fail along the way. Most series financing rounds follow the form documents published by the National Venture Capital Association (NVCA).

Increasingly, fintech companies are swiftly joining incubators or accelerators, some of which are sponsored by industry participants (eg, Wells Fargo and some indirectly such as Plug and Play). Specialised fintech venture capital funds and the venture capital arms of financial institutions often wait until later financing rounds to invest in start-ups, including fintech companies.

Most fintech companies will raise some mixture of series seed convertible preferred, series convertible preferred shares for subsequent financing rounds and the occasional convertible note and even warrants offered as sweeteners. A typical capital raise involving a new series of convertible preferred shares will involve a purchase agreement, an amended and restated certificate of incorporation, an investor rights agreements, a right of first refusal and co-sale agreement and a voting agreement, again typically utilising NVCA forms. These securities are offered in transactions exempt from the registration requirements of the Securities Act 1933, either under Section 4(a)(2) of the act or Regulation D.

Some fintech companies may also seek venture lending from banks such as Silicon Valley Bank or Comerica, particularly if they need to invest in regulatory licences or other infrastructure. These are typically secured lendings.

Some fintech investments may qualify investors for the qualified small business stock (QSBS) exclusion (Section 1202 of the US Internal Revenue Code). Under this provision, investors are permitted to exclude a percentage of the gains on the sale of QSBS that is held for more than five years (currently 100%). However, fintech companies structured as holding companies of regulated companies may not qualify. A qualified small business generally must be a C-corporation for federal income tax purposes with aggregate gross assets that do not exceed $50 million before and immediately following the QSBS offering. The corporation must also be engaged in one or more qualified businesses, which must have:

• no more than 10% of their assets consisting of stock or securities of other corporations; and
• at least 80% of their assets involved in the active conduct of one or more qualified businesses, during substantially all the time that the investor holds the stock.

Ancillary issues

IP rights

What forms of IP protection are available for fintech innovations?

Fintech innovations are most likely protectable under copyright, patent and trade secrets. Branding relating to fintech innovations can be protectable as trademarks. Below is a further summary of the most relevant types of IP protection for fintech developments.

Copyright Copyright is available for original works of authorship fixed in a tangible medium of expression. The rights arise at the time that the original work of authorship is fixed in a tangible medium of expression and registration is not required to validate the copyright. Registered copyrights are denoted by the symbol ‘©’. Copyright owners have the exclusive right to reproduce, distribute, prepare derivative works, publicly perform and publicly display their works of authorship.

Patents A patent is a statutory right, granted consistent with a mandate in the US Constitution. Patents grant the right to exclude others from making, using, selling, offering for sale and importing the claimed invention. Given some recent case law, the review of patent filings for process and method patents, which are most likely for software developments, has become more fixed. As software patents generally come under greater scrutiny, the description of the claims covering patents on software should be carefully crafted.

Trade secrets In the United States, trade secrets can be protected under federal law and state law.

The Uniform Trade Secrets Act, which has been adopted by 48 of the 50 US states, as well as the District of Columbia and the US Virgin Islands, defines trade secrets under a two-prong test:

Information, including a formula, pattern, compilation, program, device, method, technique or process, that derives actual or potential economic value from not being known and not being readily ascertainable by proper means by others.

Such information is subject to "reasonable efforts by the owner to maintain its secrecy". Some states have slightly broader or narrower definitions of trade secrets than others.

The remaining states (New York and Massachusetts) have adopted an approach to trade secret protection under the Restatement of Torts (Section 757), which defines a ‘trade secret’ as follows:

A trade secret may consist of any formula, pattern, device or compilation of information which is used in one's business, and which gives him an opportunity to obtain an advantage over competitors who do not know or use it.

States adopting the Restatement of Torts approach require unauthorised use or disclosure for liability to accrue.

The Federal Defend Trade Secrets Act creates a trade secret action under federal law that is intended to supplement, rather than pre-empt, state laws.

What rules govern the ownership of IP rights to fintech innovations?

It is customary for employees to sign inventions assignment and confidentiality agreements. However, some states (eg, California and Washington) have statutory prohibitions on employers requiring employees to assign inventions that the employees have developed entirely in their own time without the use of employer resources and that are unrelated to the employer's business. US copyright law recognises a ‘work for hire’ doctrine in which an employer owns works of authorship created by an employee within the scope of employment.

The work for hire doctrine does not apply to inventions or patents. Employee inventors own their inventions and the resulting patents in the absence of an assignment by the inventor to their employer. US patent law recognises a ‘shop right’, which is an implied licence for an employer to use an invention of an employee who developed the invention within the scope of their employment using the employer's resources (equipment or funding). The implied licence is not transferable except in the sale of a business.

It is customary for consultants and contractors to sign written agreements. In the absence of a written present assignment of developments, consultants and contractors will retain ownership of the intellectual property developed by them, even if they are contracted and paid for by another party.

Immigration

What immigration schemes are available for fintech businesses to recruit skilled staff from abroad? Are there any special regimes specific to the tech or financial sector?

 N/A.

What immigration schemes are available for foreign investors and entrepreneurs wishing to invest in or establish a fintech business in your jurisdiction?

 N/A.

Original