This country-specific Q&A provides an overview of the legal framework and key issues surrounding fintech law in the United States.
This Q&A is part of the global guide to Fintech.
For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/index.php/practice-areas/fintech-2nd-edition
What are the sources of payments law in your jurisdiction?
United States payments law consists of many regulatory regimes, statutes, government-issued guidance, and industry-established rules. The responsibility for supervision and enforcement of these different regimes falls to several federal government agencies and state-level financial services regulators. While differing in purpose and scope, these various laws generally operate to protect consumers, ensure safety and soundness of the covered entities, and prevent money laundering and the funding of terrorism.
Some of the more prominent sources of payments law include the Dodd-Frank Act, Consumer Credit Protection Act, Bank Secrecy Act, Gramm-Leach-Bliley Act, Electronic Funds Transfer Act and Reg. E, Expedited Funds Availability Act and Reg. CC, Reg. J, Reg. II, the Uniform Commercial Code, and state-level money transmission, autorenewal, surcharge, and prepaid access laws. Additionally, each government agency periodically issues guidance on developing industries and several topics to help companies interpret their regulatory obligations. Lastly, certain industries develop rules that all participants must abide by. These include, among others, payment card industry data security standards (PCI-DSS) and NACHA Operating Rules. The applicability of these laws and guidance depends on the method of payment, the type of transaction, and the status of the party involved in the payment transaction and includes differing legal requirements for banks and nonbanks or those entities engaged in legacy or emerging payment systems and methods.
Payments are also being integrated into many services and products, which raises new and evolving issues and risks for payments services providers. These new applications include payments integration into internet-of-things (IoT) products, mobile technology, and wearables. The integration of payments services into these products and services will add overlapping privacy and other data security and retention issues to the already complex payments legal landscape.
Can payment services be provided by non-banks, and if so on what conditions?
Yes. Fintech companies and other nonbank entities can and do offer payment services to businesses and consumers. Much of the nonbank payments activity includes entities that operate as Money Services Businesses (MSBs). Typically, at the federal level, MSBs must register with the Financial Crimes Enforcement Network (FinCEN) and implement and comply with a risk-based, anti-money laundering program in addition to adhering to recordkeeping requirements, reporting obligations, transaction monitoring, and several other rules and regulations. Often, an MSB also has state-level obligations to encourage the protection of consumer funds as well as to ensure the MSB’s solvency. In addition to licensure and registration requirements, the varying legal requirements described above will apply to the methods of payment enabled by nonbank payment service providers. Nonbank payment service providers also enter into partnerships with banks, which may subject the nonbanks to supervision by financial regulators.
What are the most popular payment methods and payment instruments in your jurisdiction?
Consumers continue to increase their use of cashless forms of payment, including credit cards, debit cards (including prepaid), checks, and ACH payments. All forms of cashless payments continue to increase in both number of transactions and dollar volume. In the United States, debit and credit cards are used for most noncash payment transactions. Even so, ACH debit and credit transactions comprise the largest dollar volume of payments in the United States mainly resulting from business-to-business and direct deposit payroll transactions.
Recent trends have shown that debit card usage has increased by the greatest percentage of all noncash payment methods. Card-not-present transactions also continue to increase as more payments take place online and through mobile transactions. Finally, cryptocurrency payments remain nascent in the United States. While the extent of cryptocurrency’s use in payments is unclear, more retail outlets are now accepting certain cryptocurrencies for payment.
What is the status of open banking in your jurisdiction (i.e. access to banks’ transaction data and push-payment functionality by third party service providers)? Is it mandated by law, if so to which entities, and what is state of implementation in practice?
In the United States, while some financial institutions open their platform and data to third-party service providers (TPPs), open banking has not been formally mandated and required in a broader sense. TPPs have integrated with several financial institutions: some through APIs others through different means. In reality, the integration of banks and TPPs is becoming a necessity as the parties engage to facilitate a myriad of services, including payments, investment management, saving, and budget planners. In late 2017, in lieu of issuing regulations, the Consumer Financial Protection Bureau (CFPB) outlined principles for protecting consumers that authorize TPPs to access consumers’ financial data through open banking applications. Without regulations specific to open banking, such applications are subject to contractual requirements between TPPs and banks.
How does the regulation of data in your jurisdiction impact on the provision of financial services to consumers and businesses?
Data privacy regulations add layers of compliance concerns to the provision of financial services to consumers and businesses. Many parties that may not think of themselves as regulated financial institutions may in fact handle financial data or be a part of the transaction flow, which results in potential compliance obligations relating to data security as well as consumer protection regulation requiring consents and disclosures to users of the service. As financial services rely on multiple parties controlling and sharing data, including fintechs, cloud service providers, and incumbent financial institutions, there is an increased risk that data may be compromised in financial transactions.
At a federal level, the primary regimes that protect privacy and govern the regulation of data stem from the Gramm-Leach-Bliley Act (GLBA), the Right to Financial Privacy Act (RFPA), the Bank Secrecy Act (BSA), the Fair Credit Reporting Act (FCRA), and the USA PATRIOT Act. Generally speaking, these regimes require customer notice and stipulate limitations on how data can be used. States also impose regulations relating to the collection, handling, and use of personal data. For instance, beginning on January 1, 2020, the California Consumer Privacy Act (CCPA) will go into effect and impose sweeping restrictions on the handling of California residents’ data. In addition, all fifty states have implemented data breach notification laws.
The totality of these regulations requires financial institutions to be more transparent and put in place numerous controls and procedures to ensure continued compliance. Finally, many financial services providers offer services to customers in foreign countries, resulting in additional compliance obligations with foreign data privacy laws such as the European Union’s General Data Protection Regulations (GDPR).
What are regulators in your jurisdiction doing to encourage innovation in the financial sector? Are there any initiatives such as sandboxes, or special regulatory conditions for fintechs?
A number of U.S. financial regulators, across federal and state agencies, have launched innovation incentive programs and proposals. From the Office of the Comptroller of the Currency (OCC) to the Commodity Futures Trading Commission (CFTC); from the Securities and Exchange Commission (SEC) to the Conference of State Bank Supervisors’ (CSBS) Vision 2020, many agencies are seeking to promote responsible and prudent innovation in financial services. For example, the U.S. CFTC has introduced LabCFTC to promote “responsible innovation and fair competition for the benefit of the American public.” In addition, in June 2019, the CFTC announced the launch of LabCFTC Accelerator, which is focused on “deploying a variety of tools, including internal pilots and tests, market research, and innovation competitions in order to drive better understanding and potential adoption of emerging technologies.” The SEC also launched an innovation effort in 2018: its Strategic Hub for Innovation and Financial Technology (FinHub) serves as a resource to the public through which the SEC engages on fintech issues and acts as a liaison between SEC divisions and other regulators regarding emerging technologies.
In addition, several States (e.g., Arizona) are introducing regulatory sandboxes to enable innovators to experiment with new products or services in a controlled fashion with some flexibility. Under these regulatory sandboxes, the companies may be exempt from certain aspects of existing regulation.
Do you foresee any imminent risks to the growth of the fintech market in your jurisdiction?
While the risks are not considered imminent or detrimental, the lack of harmonization among federal and state laws and the uncertainty over the applicability of laws to new and emerging technologies and business models remain key areas of concern. In the first instance, the application of the Commodity Exchange Act and related CFTC regulations is often a circumstance of first impression, carrying with it potential overlapping jurisdictions among multiple state and federal agencies, as well as, the potential for international regulators to assert jurisdiction depending upon the nature of the innovator’s business and customer base. These overlapping jurisdictional boundaries may result in significantly increased compliance burdens and costs that present fintech start-ups with an important barrier to entry.
What tax incentives exist in your jurisdiction to encourage fintech investment?
In the United States, there are no widespread tax incentives tailored specifically to technology in the financial sector, such as distributed ledger technology. However, the United States has tax incentives designed to encourage innovation at the federal, state, and local levels. For example, technology innovators may be entitled to the Research and Development Tax Credit (R&D Credit), which provides tax credits for research and development expenses incurred by technology companies. Similar credits also exist in major jurisdictions like New York, which gives tax credits to qualified emerging technology companies based on their expenses. California designed its R&D Credit based on the federal R&D Credit, but it is only granted for activities conducted in California. Fintech companies may also take advantage of tax incentives designed generally for emerging companies or companies that are significantly expanding their business.
Which areas of fintech are attracting investment in your jurisdiction, and at what level (Series A, Series B etc)?
Investment in fintech by venture capitalists and other institutions continues to be strong and healthy in the United States. While there has been some decrease in the number of new fintech start-ups, 2018 and 2019 saw an increase in investment in the fintech sector with payments/billing enjoying the majority of the investments. In addition, important investments are taking place relating to technology in investment management, distributed ledger technology, data analytics, and artificial intelligence. Investments are taking many shapes and, considering that most fintech companies are maturing, tend to be in Series B and C. In addition, M&A activities are continuing to grow in this space, are complemented by key strategic partnerships between banks and fintech companies, and are providing fintech companies additional sources of investment and funds.
If a fintech entrepreneur was looking for a jurisdiction in which to begin operations, why would it choose yours?
While the U.S. government heavily regulates financial products and services provided to consumers, it generally supports fintech innovation. In addition, access to the U.S. capital markets remains extremely attractive, despite the current issues as to regulatory jurisdiction of various state and federal agencies. Part of the attractiveness of the U.S. capital markets is the integrity of the regulatory structure. Additionally, uncertainty as to the operation of a business does not necessarily equate to the uncertainty with respect to an investor’s position in a business—many investors prefer the robust and regulated characteristics of the U.S. markets. Therefore, we expect that many fintech entrepreneurs will continue to begin operations in the United States.
Access to talent is often cited as a key issue for fintechs – are there any immigration rules in your jurisdiction which would help or hinder that access, whether in force now or imminently? For instance, are quotas systems/immigration caps in place in your jurisdiction and how are they determined?
The H-1B visa for “speciality occupation” workers is the most common temporary visa utilized by fintech and other technology companies. There are annual caps on the number of H-1B visas selected.
- H-1B Regular Cap (cap: 65,000) is a nonimmigrant visa designed to allow qualified companies to sponsor foreign nationals who have bachelor’s degrees in specific specialties to come to the United States and work in specialized jobs.
- H-1B Advanced Degree Exemption (cap: 20,000) is for beneficiaries who have earned a U.S. master’s degree or higher (in specialized fields directly related to the duties of the position).
Another common type is the Permanent Immigrant Visa (which is part of the permanent residence or green card process). The number of green cards issued is limited based on preference category and an immigrant’s country of birth. These criteria affect how long it takes to get a green card. See the U.S. Citizenship and Immigration Services and Department of State websites for current processing times.
If there are gaps in access to talent, are regulators looking to fill these and if so how? How much impact does the fintech industry have on influencing immigration policy in your jurisdiction?
The technology community is concerned about access to talent. Technology companies are widely critical of the annual limit placed on skilled foreign workers. In response, some large technology companies, many of which have a fintech affiliate or service, invest in lobbying efforts aimed at changing federal policy; others have created a coalition and are suing the U.S. Citizenship and Immigration Services.
What protections can a fintech use in your jurisdiction to protect its intellectual property?
Fintech companies can benefit from comprehensive, layered intellectual property (IP) strategies to protect different aspects of their business operations. By pursuing appropriate applications and registrations, a company can protect its brands and trademarks which differentiate its products and services from those of competitors. Patents can be pursued, and although it is difficult to patent business methods by themselves, patents that focus on technical aspects of implementing a business method (e.g., APIs, security/privacy mechanism, communication protocols) may make it difficult for a competitor to compete effectively. In some circumstances, the fintech may need to employ trade secret policies to protect sensitive business information, such as confidential business processes or back-end code which is not easily discovered or reverse-engineered outside the fintech while attaching copyright protection to other types of work relating to the fintech’s offerings. Such copyrightable works might include underlying programming code, APIs, and various other audio, video or written works embodied in tangible mediums of expression. Fintechs, in particular, should also be mindful of the legal implications relating to the use of open source software, particularly when used in conjunction with other propriety code. In short, a properly implemented and comprehensive IP strategy is not only advisable to complement a fintech’s business offerings but can go a long way to help create a competitive advantage in an already highly competitive market.
How are cryptocurrencies treated under the regulatory framework in your jurisdiction?
In the United States, no single regulation governs cryptocurrencies. Rather, based on the facts and circumstances presented by a cryptocurrency, that cryptocurrency’s larger project or ecosystem, and that cryptocurrency’s creator, distributor, or administrator, several federal and state regulatory regimes may apply.
A company that creates, distributes, administers, or uses a cryptocurrency should be aware of the rules governing securities, commodities, money transmission, economic sanctions, tax, and privacy and cybersecurity, as well as, any laws or regulations that apply to its specific industry. Of these, securities and commodities laws are of importance to creators, distributors, administrators, exchangers, and users of cryptocurrency; money transmission and economic sanctions are of importance to exchangers and users of cryptocurrency; and tax and privacy and cybersecurity are of importance to everyone.
How are initial coin offerings treated in your jurisdiction? Do you foresee any change in this over the next 12-24 months?
The SEC, which regulates the issuance and trading of security instruments, has been the most active regulator of initial coin offerings (ICOs). Beginning in Dec 2017, the SEC brought several enforcement actions against the entities behind several ICOs, asserting that the ICOs constituted unlawful securities offerings. The SEC asserted that the cryptocurrencies in the ICOs were securities (as “investment contracts,” as defined in SEC v. W.J. Howey Co.). Generally, any offering of securities must be either registered with the SEC or exempt from registration; the SEC alleged these ICOs were neither registered nor exempt.
The SEC has established a new division within the SEC dedicated to cooperation with innovators, developers, and entrepreneurs in the fintech and blockchain industries (FinHub) for, among other issues, ICOs. In the next 12-24 months, we expect that entities contemplating ICOs will engage with FinHub prior to conducting an ICO. This will not only slow the number of new ICOs but will also produce ICOs that are on sound legal footing. Additionally, the SEC has released at least one public “no action letter” to a digital coin project, and there is the possibility of more over the next 12-24 months.
Are you aware of any live blockchain projects (beyond proof of concept) in your jurisdiction and if so in what areas?
The United States is host to dozens of live blockchain projects covering a broad range of industries, as well as, many protocol-level projects that seek to build better or more efficient blockchains for use by others. In each of the following industries, there is at least one live blockchain solution that entities are actively using that is publicly known; there may be additional blockchain solutions that entities have not yet made public: banking, financial payments, investment and money management, voting, identity, cybersecurity, supply chain, advertising, IoT, data storage, computation, intellectual property rights, real property rights, prediction markets, insurance, healthcare and pharmaceuticals, energy, loyalty programs, public records, retail, charity, corporate governance, commodities, gaming and gambling, travel, and transportation.
To what extent are you aware of artificial intelligence already being used in the financial sector in your jurisdiction, and do you think regulation will impede or encourage its further use?
Artificial intelligence (AI) technology is gaining wider adoption across the financial services industry as businesses learn of the benefits that AI offers to a whole host of processes. Fuelled by the deluge of data created over the past decade and the meteoritic rise of computing power thanks to cloud computing, the U.S. financial industry is adopting AI at an accelerated pace, revealing a sharp increase in the number of uses of AI technologies in the financial sector. For instance, proprietary trading firms and hedge funds have long used algorithms that trade on an automated basis. So-called “automated trading” or “high-frequency trading” has come under the scrutiny of the SEC and the CFTC, particularly following the “flash crash” in 2010. Both agencies have considered new regulations to address these concerns and have brought enforcement actions against trading firms to police the use of such algorithms to manipulate securities and commodities markets.
Service providers have designed both retail and institutional trading software products that automate the selection of investments for the trader’s portfolio and trade or provide trade signals based on an AI algorithm (such products oftentimes referred to as “robo-advisors”). These software providers may be regulated as investment advisers or broker-dealers by the SEC or as commodity trading advisors, introducing brokers, or futures commission merchants by the CFTC. Moreover, robo-advisors raise novel consumer protection issues for state and federal agencies.
Financial institutions and software companies are also incorporating AI into applications to help consumers manage their finances. These applications may make suggestions to users about how to allocate money or automatically move funds on the user’s behalf. These businesses must consider banking, money services, and consumer protection laws.
Insurtech is generally thought to be developing but some way behind other areas of fintech such as payments. Is there much insurtech business in your jurisdiction and if so what form does it generally take?
Some insurance regulations have slowed insurtech’s development compared to other forms of fintech. As more U.S. jurisdictions adopt and implement GDPR-style consumer protection regulation, it will also likely affect insurtech, particularly those capitalizing on data gathering technology. Much of the insurtech activity has involved collaboration with incumbents. Brand new start-ups are down, but insurtech financing is still robust, with investors focusing on more mature players. More product launches are coming out of incumbents than in prior years.
Insurtech is generally viewed to be entering a new phase of development, where companies are focusing on new forms of data (from mobile phones, social media, IoT sensors, wearables, big data, and satellite imagery). Data from artificial intelligence and machine-learning is also a centerpiece of new insurtech investment. Early phases focused on (1) market efficiencies and service improvements, and (2) marketing and selling by online brokers with 24/7 access and digital marketing. Customers want to research and purchase products online and expect communications largely through digital channels. This includes more frequent, meaningful, and personalized communications. Insurtech in personal lines is still way ahead of development in commercial lines.
Are there any areas of fintech that are particularly strong in your jurisdiction?
Payments/billing continue to lead the way in innovation and growth in fintech in the United States. That is followed closely behind by technology investment in Investment/Wealth Management. These trends are not different from other jurisdictions, but the United States continues to provide a fertile market for these areas to grow and develop.
What is the status of collaboration vs disruption in your jurisdiction as between fintechs and incumbent financial institutions?
Over the past couple of years, collaboration between fintech companies and incumbent financial institutions is on the rise. This collaboration is taking several forms including partnerships, increased investment by incumbents, and joint development activities. At the same time, a healthy level of competition remains which is leading to additional efficiency and resiliency in the financial system as consumers are presented with more options.
The approaches that fintech companies and established technology companies take in offering new, innovative services differ to some extent. For example, fintech companies typically do not have the scale or user base to compete with incumbent financial institutions in mature industries. Therefore, fintech offerings tend to be complementary and collaborative with financial institutional offerings. Contrarily, established technology companies usually have vast networks, brand recognition, and large user bases that enable offerings to be tailored to individual consumer preferences. Additionally, these established technology companies, in some cases, can leverage their customer data to innovate in spaces and offer new products that fintech and incumbent financial institutions simply can’t access.
Prudential financial regulators have issued TPP guidance that outlines requirements for when banks engage with fintech companies and other TPPs in order to properly assess and manage risks associated with such relationships. This guidance emphasizes proper risk management that considers planning, due diligence, contract negotiation, ongoing monitoring, and termination throughout the life of the relationship.
To what extent are the banks and other incumbent financial institutions in your jurisdiction carrying out their own fintech development / innovation programmes?
There is an increase in new product offerings from banks and other incumbent financial institutions nationwide likely resulting from an increase in industry competition and a desire to continually improve current offerings. These offerings stem from a variety of places, including in-house developments, joint ventures, partnerships, and collaborations. As the financial system continues to grow and mature, incumbent financial institutions are increasingly turning toward new technologies including artificial intelligence, machine learning, and blockchain to ensure their customers are being offered efficient and effective products.
Are there any strong examples of disruption through fintech in your jurisdiction?
In just the last few years, we have seen fees charged to consumers in industries like trading, payment processing, money transmission, and lending decrease drastically as a result of the increase in competition and the advent of new business models. Development in fintech offerings will continue to disrupt fee structures and how services are delivered to consumers.
One example in the United States (and around the world) is the rise of the neo-bank. Neo-banks are fintechs that offer financial services once only offered by incumbent financial institutions, such as checking and savings accounts, money transfer services, and loans. Neo-banks operate solely online to keep costs low and to be able to compete with incumbent financial institutions. The low cost, consumer benefits, and mobile delivery of services can lead to adoption by tech-savvy consumers and the unbanked. Neo-banks pose risks by operating and advertising themselves as providing bank services. However, often neo-banks are not banks, and therefore may not offer the same deposit insurance or consumer protection that banks can unless they partner with a chartered bank.