This country-specific Q&A provides an overview to Fintech law in United States.
It will cover open banking, regulation of data, cryptocurrencies, blockchain, AI and insurtech.
This Q&A is part of the global guide to Fintech. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/index.php/practice-areas/fintech/
What are the sources of payments law in your jurisdiction?
The Federal Reserve Act established the Federal Reserve, the body that issues notes, provides for payment services, acts as fiscal agent and depository of the United States, supervises and regulates banking institutions and sets monetary policy. The Federal Reserve issues payment system regulations, including Regulation E implementing the Electronic Funds Transfer Act (electronic transfers and credit cards), Regulation J (check processing) and Regulation CC implementing the Expedited Funds Availability Act (deposit holding periods).
The Bank Holding Company Act reserves certain activities to regulated banks. The National Bank Act established he Office of the Comptroller of the Currency (OCC), that has issued regulatory guidance to banks in connection with their payment system activities. The Consumer Financial Protection Bureau (CFPB), created under the Dodd-Frank Act, issues guidance to protect consumers in payment transactions. The Federal Deposit Insurance Act created the Federal Deposit Insurance Corporation (FDIC) that insures bank deposits and issues guidance on deposit activities.
The Uniform Commercial Code, adopted in all 50 states, governs transactions in negotiable instruments, bank deposits, ACH transfers, and investment securities. In addition, many states have enacted laws requiring the licensing f businesses engaged in money transmission activities, that require establishment of anti-money laundering procedures.
Can payment services be provided by non-banks, and if so on what conditions?
Non-bank banks (or limited-service banks) can make loans or accept deposits, but generally cannot do both. Only banks, as defined under the Bank Holding Company Act, can both make loans and accept deposits.
In 2016, the OCC proposed issuing a special purpose national banking charter for non-bank entities that engage in one or more of the following activities: receiving deposits, paying checks, and lending money. Although the OCC has begun accepting applications this year for the special purpose national banking charter, its unclear whether the OCC will require entities accepting deposits (as opposed to those only paying checks and making loans) to obtain a traditional national bank charter.
The Conference of State Bank Supervisors and the New York Department of Financial Services (“NYDFS”) sued to block the OCC’s special-purpose national bank charter for nonbank companies on the basis that the OCC overstepped its authority, among other things. In 2017, the OCC moved to dismiss CSBS’s and NYDFS’ lawsuits, arguing that the suits were premature because the OCC was still deciding whether it would actually exercise its newly claimed power. The court dismissed the complaints without prejudice in 2018.
What are the most popular payment methods and payment instruments in your jurisdiction?
The use of checks in the U.S. has been steadily declining over the past 20 years, with the increased adoption of electronic payments. Credit and debit cards, as well as cash currency, remain the most popular payment instruments. E-payment systems, such as PayPal, Stripe, Square and Apple Pay are gaining in popularity.
What is the status of open banking in your jurisdiction (i.e. access to banks’ transaction data and push-payment functionality by third party service providers)? Is it mandated by law, if so to which entities, and what is state of implementation in practice?
The U.S. has lagged behind other countries in the promotion and adoption of open banking standards. Currently, U.S. laws and regulations do not require banks to make transaction data available to non-bank payment service providers.
Financial institutions can be compelled to share information with the public or law enforcement. Under the Bank Secrecy Act (amended by the USA PATRIOT Act), a law enforcement agency investigating terrorist activity or money laundering may request, through FinCEN, that financial institution provide information to the agency regarding specific people or entities.
In the summer of 2018, the U.S. Department of Treasury published A Financial System That Creates Economic Opportunities: Nonbank Financials, Fintech, and Innovation, which set out the Treasury Department's vision for the integration of the fintech and traditional banking sectors. It is the first government agency to publicly advocate for the adoption of open banking standards to allow non-bank fintech's access to bank transaction data.
How does the regulation of data in your jurisdiction impact on the provision of financial services to consumers and businesses?
All 50 states have data breach notification laws that require notice to affected persons and remedial activities. The State of California recently enacted the California Consumer Privacy Act, regulating the collection, storage and processing of personal data.
Even where there are no substantive requirements regarding the processing of personal data, companies must comply with their own stated data privacy policies, or may be subject to enforcement actions by the FTC under their general §5 jurisdiction to prohibit unfair and deceptive business practices.
What are regulators in your jurisdiction doing to encourage innovation in the financial sector? Are there any initiatives such as sandboxes, or special regulatory conditions for fintechs?
The OCC has issued the Responsible Innovation Framework in 2016, creating an Office of Innovation for banks and non-banks to consult regarding fintech activities, and promoting inter-agency cooperation.
In the summer of 2018, the U.S. Department of the Treasury released its Report on Nonbank Financials, Fintech, and Innovation that made over 80 recommendations on legislative and administrative action on the fintech sector, including endorsement of the OCC special purpose national banking charter and recommending the establishment of regulatory sandboxes for fintech companies.
The CFTC has created LabCFTC in an effort to promote responsible fintech innovation and competition. The initiative serves as a platform to inform the Commodity Futures Trading Commission about new technologies through engagement with the fintech market participant community.
Additionally, Arizona became the first state to launch a fintech sandbox, which is administered by the state's attorney general. To participate, companies must submit an application explaining its plan to test, monitor and assess its product or service while assuring that consumers are protected in the event the test fails. Individual transactions caps per customer are in effect.
Do you foresee any imminent risks to the growth of the fintech market in your jurisdiction?
In general, there is a lack of uniform regulation and substantive guidance from U.S. regulators for fintech companies. Regulatory uncertainty may be hampering the development of fintech in the U.S.
In addition, the fragmented regulatory landscape contributes to the complexity of navigating fintech regulation in the US. There are multiple federal financial regulatory agencies, as well as state level regulation. These regulators are not well coordinated, which adds to regulatory uncertainty for fintech activities.
What tax incentives exist in your jurisdiction to encourage fintech investment?
There are no tax incentives specifically aimed at fintech companies. The Research and Experimentation Tax Credit (also called the R&D tax credit) provides a tax credit for certain expenses for wages, supplies, contract research payments and basic research. Under various calculation methods, between 15% to 20% of these expenses can be credited against a company's federal tax liability.
Which areas of fintech are attracting investment in your jurisdiction, and at what level (Series A, Series B etc)?
KPMG reporting indicates that fintech investment in the US reached $5.8 Billion in Q4 2017, accounting for nearly two-thirds of global fintech investment. Payments and lending services attracted the most significant investments, while insurtech solutions are starting to gain traction after historically lagging other investment opportunities.
Of the top 10 fintech deals in Q4 2017 reported by KPMG, three were buyouts, five were M&A transactions, along with one Series D and one Series E investment.
If a fintech entrepreneur was looking for a jurisdiction in which to begin operations, why would it choose yours?
Despite its complex regulatory scheme for fintech companies, the US offers significant opportunities for fintech companies. US consumers and institutions have demonstrated an appetite for new technologies to simplify access to financial services, and the maturity of US financial institutions has created a market for new and disruptive fintech offerings.
Access to talent is often cited as a key issue for fintechs – are there any immigration rules in your jurisdiction which would help or hinder that access, whether in force now or imminently? For instance, are quotas systems/immigration caps in place in your jurisdiction and how are they determined?
While the US is home to world class universities producing talented engineers and computer scientists, the political climate is hostile to immigration. U.S Citizenship and Immigration Services agency put out a new policy memo requiring 'detailed documentation' about H-1B workers employed at third-party work sites to demonstrate that employees are actually filling specialty roles for which they were hired. The Department of Homeland Security is considering a new rule entitled Strengthening the H-1B Nonimmigrant Visa Classification Program that would narrow the pool of foreigners eligible for the visa program, further restricting companies' access to skilled talent.
If there are gaps in access to talent, are regulators looking to fill these and if so how? How much impact does the fintech industry have on influencing immigration policy in your jurisdiction?
The technology community generally in the US has been critical of restrictions on access to skilled foreign workers. Some tech companies have sued the U.S Citizenship and Immigration Services arguing its policy memo infringes the authority of the Department of Labor. While big tech companies consume the lion's share of these foreign skilled worker visas, the sector appears to have little impact on US immigration policy.
What protections can a fintech use in your jurisdiction to protect its intellectual property?
Software is protected by U.S. copyright laws and international treaties. Registration of copyright is available (and required for enforcement proceedings), but copyright protection attaches from the moment the work is fixed. The source code to software, if properly maintained in confidence, may be treated as a trade secret. Software may also be eligible for patent protection; however, the patent-eligibility of software has been narrowed significantly by the courts in recent years.
The U.S. Supreme Court recognized software implemented business processes as patentable in its 1998 State Street Bank decision. After a decade of overly broad software patents were issued by the patent office, the Supreme Court once again ruled on the patentability of software-implemented business processes in Bilski v. Kappos and substantially narrowed their eligibility for patent protection. Subsequently, in Alice Corp v. CLS Bank, the Supreme Court emphasized that embodying otherwise common aspects of business operations in software would not be eligible for patent protection.
A patentee is entitled to damages in the event of infringement, which may include reasonable royalties or lost profits. A copyright owner is entitled to actual damages, or alternatively statutory damages (if the copyright has been registered prior to the infringement). Both a patentee and copyright owner may obtain injunctive relief to restrain continued infringement of the intellectual property.
Trade secrets protect information that derives value from not being known by competitors or readily ascertainable, provided that reasonable measures have been used to keep it confidential. Misappropriation of a trade secret is a tort at common law, and is actionable under the Uniform Trade Secrets Act (enacted in 48 states) and under the federal Defend Trade Secrets Act. Civil remedies for trade secret misappropriation include recovery of damages and injunctive relief to restrain further use or disclosure. In some circumstances, theft of trade secrets may constitute a criminal violation.
Trademark protection may be obtained by federal registration with the US patent and trademark office, or may arise at common law. Unlike many other jurisdictions, trademark protection in the US requires use in commerce, and not mere registration alone.
The Lanham Act prohibits unfair competition through the infringement of another's trademark, trademark dilution and false advertising. Both civil damages and injunctive relief is available for violation of the Lanham Act. In rare circumstances, civil seizures and treble damages are available.
How are cryptocurrencies treated under the regulatory framework in your jurisdiction?
The Commodity Futures Trading Commission (CFTC) has determined that, under the Commodity Exchange Act, a virtual currency (i.e., a cryptocurrency)is a “commodity” (which determination has been confirmed by federal court rulings). The CFTC’s broad authority extends to fraud or manipulation in derivatives markets and underlying spot markets. In addition, cryptocurrencies have been designated as currencies by the Financial Crimes Enforcement Network (FinCEN) for anti-money laundering purposes, and have also been determined to be securities by the Securities and Exchange Commission for purposes of regulating public offerings of cryptocurrencies.
At the federal level, anti-money laundering legislation requires cryptocurrency exchanges and other crypto-related business to register with the FinCEN and report annually for anti-money laundering compliance. Many states have enacted money transmitter licensing requirements that may apply to cryptocurrency exchanges. New York's Bitlicense applies specifically to transmission and exchanges of cryptocurrencies, whereas Illinois' money transmitter law excludes cryptocurrencies.
There is no legislation in the U.S. that specifically regulates the use of cryptocurrency or digital wallets. Access devices used in e-money transactions are regulated under the Electronic Funds Transfer Act (EFTA) and the Fed's related Reg E with respect to electronic funds transfer. The Truth in Lending Act, and Fed's related Reg Z apply to access devices used for lines of credit and loan applications. The Gramm Leach Bliley Act and Fed's Reg P regulate the treatment of non-public personal financial data.
The Bank Secrecy Act's anti-money laundering provisions, and the FinCEN registration and reporting requirements, apply to cryptocurrencies. The Fair Credit Billing Act (FCBA) and EFTA establish procedures for resolving mistakes on credit billing and electronic fund transfer account statements.
Each of the SEC and the CFTC has issued guidance regarding the operation of cryptocurrency exchanges and brokerages in the United States. Generally, engaging in any such activity will trigger a registration requirement.
In particular, the SEC has issued a Statement on Potentially Unlawful Online Platforms for Trading Digital Assets. The guidance suggests that a cryptocurrency exchange may be required to register as a “national securities exchange” under Section 6 of the Securities Exchange Act of 1934 (the “1934 Act”) or an “alternative trading system,” or “ATS,” under SEC Regulation ATS under the 1934 Act. An ATS is a trading system that meets the definition of “exchange” under federal securities laws but is not required to register as a national securities exchange if the ATS operates under the exemption provided under Exchange Act Rule 3a1-1(a). To operate under this exemption, an ATS must comply with the requirements set forth in Rules 300-303 of Regulation ATS.
How are initial coin offerings treated in your jurisdiction? Do you foresee any change in this over the next 12-24 months?
The SEC has indicated that ICOs are generally subject to federal securities regulation and enforcement. This position was put forward by SEC Chairman Clayton at a February 2018 Senate hearing in which he stated that ‘‘every ICO I’ve seen is a security.’’ Over the ensuing months, the rigid stance has softened a bit, with the understanding that some cryptocurrencies—such as bitcoin and ether—do not fit the definition of a security. The latest announcement reflects this ongoing evolution of the SEC’s understanding of cryptocurrencies.
Generally, under Section 2(a)(1) of the Securities Act and Section 3(a)(10) of the Exchange Act, the definition of security does not specify a token or coin, but does specify an “investment contract.” The term “investment contract” is the residual category in the definition that captures securities that do not fall within other categories.
In SEC v. W.J. Howey Co., the U.S. Supreme Court articulated a test for determining whether something is an “investment contract.” The test—which has become known as the “Howey test”—provides that an “investment contract” is an investment of money in a common enterprise with a reasonable expectation of profits to be derived from the entrepreneurial or managerial efforts of others. According to the SEC, this definition embodies a “flexible rather than a static principle, one that is capable of adaptation to meet the countless and variable schemes devised by those who seek the use of the money of others on the promise of profits.” In considering whether something is a security, “the emphasis should be on economic realities underlying a transaction, and not on the name appended thereto.”
The prongs of an investment contract, as articulated in Howey, are thus fourfold: (i) an investment of money (ii) in a common enterprise (ii) with a reasonable expectation of profits (iv) to be derived from the entrepreneurial or managerial efforts of others.
Prior to July, 2017, the SEC had not applied the Howey test to an ICO. However, on July 25, 2017, the SEC provided important initial guidance on its application of the Howey test to ICOs when it released a Section 21(a) Report of Investigation on its findings regarding the token sale by The DAO. The DAO functions as a decentralized autonomous organization, which essentially means a virtual organization embodied in computer code and executed on a distributed ledger or blockchain.
In its analysis of whether The DAO had improperly offered and sold securities via an ICO, the SEC noted that new technologies do not remove conduct from the purview of U.S. federal securities laws. Based on the facts and circumstances regarding The DAO’s offering of tokens, the SEC found that (i) DAO tokens are securities under federal securities law, (ii) The DAO was required to register the offer and sale of DAO tokens under the Securities Act absent a valid exemption, and (iii) any exchange on which DAO tokens were traded was required to register under the Securities Act as a national securities exchange or operate pursuant to an exemption. In its report, the SEC did not say that all tokens would be securities. Rather, the SEC noted that the determination depends on the particular facts and circumstances and economic realities of the transaction.
As noted, more recently, SEC staff has made statements that certain cryptocurrencies that exhibit sufficient decentralization (i.e., bitcoin and ether) may cease to be securities over time. Certain SEC commissioners have expressed some willingness to consider that certain digital tokens may not be securities. The SEC has appointed a cryptocurrency czar that has expressed an openness to consideration of non-security tokens.
Are you aware of any live blockchain projects (beyond proof of concept) in your jurisdiction and if so in what areas?
There are numerous active blockchain projects in the US. Two of the most notable are Walmart and Maersk. Walmart has a blockchain-enabled food traceability platform, and recently required all leafy green suppliers to Walmart to participate in its traceability blockchain. Maersk has a live blockchain for container identification and one for trade finance, although the latter is currently available only to early adopters. Other blockchain solutions have gone live, from lending platforms to artificial intelligence to digital pets.
To what extent are you aware of artificial intelligence already being used in the financial sector in your jurisdiction, and do you think regulation will impede or encourage its further use?
Artificial intelligence is in active use as part of so called "robo-advisories" that harness artificial intelligence to provide wealth management advice and structure investment portfolios. These AIs have attracted some regulatory scrutiny, with the Massachusetts Securities Division ruling that a registered investment company cannot fulfil its fiduciary duties in reliance on AI robo-advisors alone; rather, some human intervention is required.
The US has been slow to regulate in the fintech area, and we do not see specific regulation of AI as a priority issue. While the lack of regulation won't act to impede its use in financial services, other jurisdictions may foster use of AI through regulation.
Insurtech is generally thought to be developing but some way behind other areas of fintech such as payments. Is there much insurtech business in your jurisdiction and if so what form does it generally take?
US investments in new insurtech companies peaked in mid 2017, and has been steadily declining, while investment in established insurtechs has increased during that period. Accenture reports that the most popular insurance segment for investment is in property & casualty, or general insurance, which accounts for about 42% of insurtech investment. The majority of insurtech investment continues to come from private equity and venture capital funds.
Are there any areas of fintech that are particularly strong in your jurisdiction?
Most sectors of fintech have strong representation in the US. Payments were an early fintech sector, and as a result there is particular strength in payment providers and systems, with market leaders such as PayPal, Stripe, Apple Pay and others.
What is the status of collaboration vs disruption in your jurisdiction as between fintechs and incumbent financial institutions?
There is a healthy "coopetition" between fintechs and traditional financial institutions. Some financial institutions have developed products and services aimed at competing directly with non-bank fintechs. JP Morgan has a large internal development group that has developed COIN, a machine learning contract intelligence tool, as well as the Quorum blockchain. Non-bank fintechs, such as Stripe's payment platform and Kabbage's on-line lending platform, compete directly with financial institutions.
Other financial institutions have chosen to partner with non-bank fintechs, such as Citizen's Bank partnering with fintechs to provide robo-advisory services to its customers, and US Bank partnering with Plug and Play in its cybersecurity program. Both Citibank and Goldman Sachs have longstanding accelerator programs for fintech startups.
To what extent are the banks and other incumbent financial institutions in your jurisdiction carrying out their own fintech development / innovation programmes?
Many banks have large internal development groups working to compete with non-bank fintech offerings, notably in the area of online banking, mobile payments and lending platforms. See also response to Question 20 above.
Are there any strong examples of disruption through fintech in your jurisdiction?
Non-bank payment systems, including Stripe, PayPal, Apple Pay, Braintree and Square have gained significant market adoption in payment services traditionally dominated by financial institutions.