The Big Idea: Fintech, Meet Regulation
The uneven playing field of fintech regulation and the rise of Compliance-as-a-Service
Financial regulations (and the bodies that create them) are often less heralded than the companies and products typically making headlines in fintech – but recently, regulatory oversight has been having its day in the sun. Just try searching “banking as a service” these days without seeing something about enforcement actions, regulatory scrutiny, or bank regulatory-motivated model changes. There’s no question that regulators are taking a closer look at many of the fintech companies and business models that have popped up in the wake of the financial crisis and pandemic, with particular interest in partner bank models. So that’s what we’re exploring this week in our latest Big Idea. As always, if you have any ideas for us, or if there’s anything you’d like to know more about, drop us a note at fintechupdate@gmail.com.
So what’s this all about?
Over the past few years, critics of fintech businesses have accused the industry of gaining an unfair competitive advantage via regulatory arbitrage (i.e., exploiting differences in regulatory approaches to banks vs. non-banks). Banking is one of the most heavily regulated industries in the world, costing U.S. banks an average of $10,000 per employee (over $2.9 billion a year at a large bank like Chase!). Most traditional banks are subject to safety and soundness rules which require a “three lines of defense” model:
First line: The front-line business unit, which is responsible for owning and managing risk;
Second line: The bank’s compliance department, which tests, monitors, and identifies any compliance gaps;
Third line: The bank’s internal audit function, which reviews the reporting done by the compliance team and catches anything they may have missed.
Sound inefficient? Yes. On its face. But banks do this for a reason…
Blood. There’s a saying that regulations are written in it, since many new policy and safety initiatives are driven by tragic events (in financial services, this usually means recessions or other economic shocks). In the case of U.S. and European banking, many of these rules stem from major financial crashes that could (in theory) have been prevented with more prudent behavior or additional safeguards. For example, the Federal Deposit Insurance Corporation (FDIC) was born out of the Great Depression, after consumers panicked by stock market volatility caused a set of bank runs that further panicked everyone and ultimately brought the entire U.S. economy to its knees. Similarly, the 2008 Financial Crisis exposed weaknesses in how banks ensured that people could afford to pay the mortgages being originated, leading to an overhaul of banking regulations and the creation of the Consumer Financial Protection Bureau (CFPB). (The CFPB promulgated dozens of new regulations in its first two years and continues to churn out new rules and regulatory guidance every month.)
Another consequence of the 2008 Financial Crisis was an erosion in consumer trust of banks, which rapidly accelerated the growth of the then-nascent fintech industry and arguably brought fintechs into the mainstream consumer marketplace. Banks were facing a PR nightmare with repeated bailouts, and the onslaught of new regulations did nothing to improve the competitiveness of their offerings; it’s hard to invest in new technology infrastructure when so much money has to be funneled into building out new and long-overdue compliance. Enter the rise of the “shadow banks” - the term adopted by federal regulators for the fintechs that rose to offer alternatives to the traditional banking sector.
At the time, most financial regulations were written with federal- and state-chartered banks in mind, aligned to the U.S.’s “dual banking system,” in which the largest banks hold federal charters and are supervised by a single federal “prudential” regulator, while smaller banks hold state charters and benefit from reciprocal state regulation. In order to hold a federal or state bank charter, a bank must hold deposit insurance from the FDIC; ergo, any bank not in the business of taking and holding deposits - most fintechs - would not qualify for a federal or state bank charter. Non-banks (including most fintechs) typically have to register for a license (usually a “money transmitter license”) to operate in each state and territory individually. (Take a look at a few fintechs’ licensing portfolios on NMLS Consumer Access, e.g., Coinbase, Binance, Venmo, etc.) This is a double-edged sword. While it is more time-consuming to become licensed in all 50 states, there are a lot of ways in which this operating model can save fintechs money and allow them to operate more competitively.
Why should fintechs pay attention to this?
First, not having to pay to insure deposits saves a company a lot of money. A bank’s safety and soundness rating, or CAMELS rating, will determine the cost of deposit insurance (a lower rating leads to increased costs for deposit insurance) as well as the percentage of deposits the bank must keep on hand (not lend out, not make money on). Crypto and digital wallet companies are not banks and are not held to the same regulatory requirements. Perhaps most importantly, they are not required to hold deposits in insured accounts. If the company goes bankrupt, customers who put money in those digital wallets may not see a dime. Additionally, lost passwords have become synonymous with the loss of access to eight- and nine-figure crypto wallets (see Prime Trust and Stefan Thomas, former CTO of Ripple), and one founder is even accused of faking his own death to flee with $250 million in crypto from the QuadrigaCX crypto exchange. These are things that are just not possible with a traditional bank.
Second, not having to comply with most federal banking laws (which are generally written to apply only to banks) allows a fintech to use that money for more innovative technology and better user experiences, and to take greater risks that a bank may be unwilling or unable to take due to its CAMELS rating or liquidity requirements.
Third, a ban on operating in one state will not prohibit a company from continuing to operate in every other state in which it maintains a license. If you take a look at cease-and-desist orders on NMLS, you will see that it often takes years for state regulators to identify problems, after which time the fines issued are relatively minimal (when compared to the same violation caught by a federal regulator). For example, Venmo was operating in Vermont without a license for years and only paid $35,000 to settle the matter; Coinbase paid $5,000 to settle a claim with Minnesota; and Binance had to pay the state of Ohio a $500-per-day fine for operating in the state without a license for over a year, which was ultimately settled for just $28,606, rather than the $213,000 allowed under state law. Compare those examples to the fines assessed by federal regulators - typically eight figures - and you can see how being state-regulated pays off.
What's coming and which fintechs are likely to succeed?
However delayed regulators have been in closing these gaps, the gaps are starting to close. From the introduction of new regulations for big tech, digital wallet, and payment app companies, to the Executive Order on AI, to the increased pressure from federal regulators to insure deposits or more clearly disclose that deposits are not insured, to state regulation of buy-now-pay-later (BNPL) companies, the walls are closing in on the opportunities for fintechs to benefit from regulatory arbitrage. Of course, not all regulatory attempts have been successful in this space, including the CFPB’s ongoing battle over its expanded reading of the prohibition against unfair, deceptive, or abusive acts or practices (UDAAP), but the overall direction of financial regulation has been to level the playing field between banks and fintechs.
The fintechs that invested early in compliance infrastructure are now beginning to reap the benefits of this long-term plan. As competitors leveraging regulatory arbitrage are beginning to come under regulatory scrutiny, pay fines, and even close up shop, fintechs that planned ahead have aligned themselves for long-term growth both as independent companies and through bank-fintech partnerships. A number of fintechs have specifically positioned themselves for this moment with compliance-as-a-service offerings, including companies like Hummingbird, Plaid, Persona, and Alloy. This cadre of fintech companies has set out to solve many of the compliance problems that exist in the space after witnessing the pain points for themselves.
While some pundits have tried to argue that fintech is dead, the general consensus is more commonly that expectations from regulators and consumers are changing, and those fintechs that rise to meet the challenge will remain alive and well.