Does complying with regulations seem like a pain to you?
Well, we can’t blame you. Going the extra mile to satisfy some abstract authority can be quite a hassle. Plus, it can significantly add to your expenses.
But regulations are there for a reason. In fact, they’re actually critical to your success.
Aside from helping you avoid fines and sanctions, compliance with regulations helps make your fintech app much safer. This builds trust with your users, leading to a better user experience and eventual app success.
So it’s best to treat compliance as a necessary part of your success and not just another thing you need to cross off your list.
Here are the most important regulations you should be aware of.
Data governance
Data governance has to do with how well a company manages its data. It is a wide scope of activities that ensure data is available, usable, and consistent.
But in this discussion, we’re focusing on two areas: security and privacy.
Source: DECODE
Data protection and privacy are some of the most heavily regulated aspects of the financial industry worldwide.
This fact is reflected in the World Bank database of fintech-related legislations of over 200 countries.
Source: World Bank
As you can see, most countries on the list (167 of them) have a law that covers data protection. So, it’s something that your fintech app probably has to comply with.
One of the most well-known data protection regulations is the General Data Protection Regulation (GDPR) in the EU. It has a reputation as one of the strictest data privacy laws in the world.
GDPR governs how companies collect, process, and store the personal data of EU users. The fines for violators are exceptionally high, maxing out at €20 million or 4% of the firm’s revenue, whichever’s higher.
What’s more, GDPR isn’t limited to just EU firms. As long as you have European users, regardless of where you are in the world, GDPR applies.
So it’s worth making sure you’re complying with it if your app serves an international audience.
Source: Emotiv
Other regulations worth exploring include the Consumer Data Right (CDR) in Australia and the California Consumer Privacy Act (CCPA) in the US.
American fintech regulation, in particular, can be very confusing since there’s no single law that governs everything. We’ll discuss this in more detail later.
But compliance with data regulations isn’t just something you do to operate in a country legally. It’s key to a successful fintech app.
Fintech apps deal with a huge amount of sensitive financial data, such as credit card numbers, bank accounts, and credit scores.
Compliance means that the company does everything possible to safeguard that data from hacks and breaches. This is fantastic for building trust with your users and thus keeps them engaged with your app for longer.
So, how do you comply with data protection and privacy regulations?
The best way is to have a data governance framework—a collection of rules and systems for working with data.
Some examples include PwC’s EDG framework and the ARMA framework.
Source: Varonis
Compliance with data protection regulations can be tricky and even expensive. But data is the most precious resource in your app, so you should treat it in the best way you can.
KYC compliance
Know Your Customer (KYC) is a fundamental regulatory requirement of any financial firm.
Virtually all banks and financial service providers like insurance and lenders need to oblige with it—and so do you.
The goal of KYC is to verify the identity and risk profile of the user. This ensures that they’re legal entities and not criminals posing as organizations. KYC is mainly used to prevent fraud and money laundering schemes.
A typical flow looks like this:
Source: DECODE
Each region has its own KYC requirements, which in turn satisfy anti-money laundering (AML) regulations. In the US, for example, KYC is under the Banking Secrecy Act (BSA) and, to some extent, the US Patriot Act.
Canada has the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), while Australia has the AML/CTF Act.
In practice, compliance with KYC is straightforward. You just need to implement it in your app, often as part of user onboarding.
However, there are challenges to doing this. For one, KYC processes can extend the onboarding times significantly.
A study reported that KYC adds a delay that could extend processing times and costs by 21% on average.
Source: GetID
Another issue is that fraudsters are getting more sophisticated at fooling KYC processes. For instance, they can use fake IDs or videos when submitting KYC requirements or even use wax figures to pose for them.
The way to get through these hurdles, as with anything else, is through technology. Innovations like Liveness Detection Technologiescan spot whether a person on a live video is fake.
RegTech and eKYC platforms can streamline the process by verifying identity digitally.
Source: Manch
But sometimes, a change in approach is all you need to streamline your KYC. A good example is the investment app Fisdom.
The developers recognized the need for KYC, but they also knew that it could be a tedious process that could turn off users.
Their solution was to place it later on in the process. By doing so, they gave people a chance to explore and trust the app first, making them more willing to complete the KYC process.
Source: Toptal
The key with KYC is to balance the process with a great user experience. Do this right, and you can easily comply with regulations without alienating users.
FTC compliance
As we mentioned in a previous section, the US fintech regulatory landscape is confusing at best. There are typically a couple of laws that you must comply with, depending on your app’s nature.
But the one regulatory body you’ll most likely deal with is the Federal Trade Commission (FTC). For fintech, two of its most relevant regulations are the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA).
The GLBA is a regulation requiring financial services institutions to safeguard customer data and be transparent on how it’s processed. These provisions are covered by the Safeguards Rule.
However, one common pitfall of the Safeguards Rule is that the term “financial services institutions” extends to non-banking companies as well.
As long as they are processing financial operations, they are within the jurisdiction of the Safeguards Rule.
A good example of this distinction is the FTC’s ruling on Dealerbuilt, a developer of dealership software.
Though they didn’t process financial services directly, their software did allow users (in this case, dealers) to collect sensitive financial data on their customers.
Because of this, the GLBA rules still apply to Dealerbuilt.
To comply with the GLBA, you should have a security plan in place that describes how you’ll protect user data. More importantly, you should identify all the security risks involved and implement systems to mitigate them.
Source: Tech Target
The Fair Credit Reporting Act (FCRA) is a regulation that specifically covers consumer credit information. This applies if your fintech app deals with lending or processing a user’s credit scores.
The law limits what credit information you can collect, as well as whom you can share it with.
While staying on top of US fintech regulations can be a challenge, like anything else, they only exist to safeguard the privacy and rights of US citizens. So as long as your data policies cover this, it shouldn’t be too hard to comply with them.
Cybersecurity requirements
With cyberattacks reaching an all-time high (up to 50% more in 2021 than in 2020, according to CheckPoint Research), the need for cybersecurity measures is more important than ever.
It’s surprising, therefore, that 55% of large companies are not prioritizing it as well as they should.
This was the finding of a study by Accenture, which also found is that only a small percentage of these companies are “Cyber Champions”, i.e., those that have excellent cybersecurity measures in place:
Source: Help Net Security
In the fintech space, it’s a similar story, since these startups aren’t as heavily regulated as bigger financial institutions. The absence of stronger cybersecurity regulations makes many fintech firms lax, so make sure you’re not one of them.
Hackers know this fact, and that makes them want to target fintech apps more. There’s no shortage of attacks on financial platforms, such as the Finastra ransomware incident and the data breach at US fintech app Dave.
The Dave incident is noteworthy because it was caused by a breach of a third-party provider and not the Dave app itself.
It highlights an important fact: your cybersecurity should extend to your app’s entire ecosystem as well.
Everything from your servers to your network endpoints needs to be protected. The seven layers of cybersecurity are a great way to ensure this.
Source: DECODE
You should also implement as many security measures as you can. For example, authentication protocols like biometrics and 2FA (two-factor authentication) are vital to protect users while logged in.
Encryption also keeps your data secure.
It also helps to get certified with a security standard such as ISO 27001. Going through the process forces you to overhaul your cybersecurity programs, improving your overall security.
Source: TUV
The bottom line is that you shouldn’t wait for any regulations to force you to improve your cybersecurity game. Knowing that it’ll give the best experience to your users should be reason enough to do it.
PCI DSS compliance
PCI-DSS (Payment Card Industry Data Security Standard) is a regulation that governs credit card payments, ensuring transactions are processed in a secure and safe environment.
The standard outlines six broad areas that firms need to cover for compliance.
Source: Imperva
As a fintech app, chances are that you’re accepting credit cards for tasks like cashing in or sending payments. So it’s likely that you need to comply with PCI-DSS regulations.
Non-compliance with PCI-DSS can carry hefty fines, which are levied by their credit card processor. This can range from $5,000 to $100,000 for every month that you’re not compliant.
Also, note that simple non-compliance with PCI-DSS is enough to get fined – a data breach incident isn’t necessary.
PCI-DSS is based on four compliance levels, with each level having specific requirements for compliance.
Entities qualify based on their annual credit card transactions.
Source: Imperva
The higher the tier, the more stringent the requirements get. For example, at Level 1, firms need to undergo an annual audit and submit quarterly PCI scans. In contrast, firms at Level 4 need only submit the quarterly scans.
So how do you comply with PCI-DSS?
Start by protecting credit card data. At the minimum, you should have both in-transit and at-rest encryption protocols in place. Then, put up safeguards at the perimeter, such as firewalls and anti-virus software for further protection.
Having a robust access control protocol is important. You only want people who need credit card data to access them.
A security information and event management (SIEM) system is also vital for monitoring and detecting potential data breaches.
But more importantly, PCI-DSS compliance shouldn’t exist in a vacuum. Protecting your credit card data is useless if the rest of your network is compromised. But if you put cybersecurity as your top priority, your PCI-DSS efforts should largely fall into place.
Electronic Fund Transfer Act (EFTA) compliance
The Electronic Fund Transfer Act (EFTA) is regulated by the Consumer Financial Protection Bureau (CFPB), which governs electronic money transfers through debit cards, ATMs, and POS terminals.
Its goal is to protect users in case of an error; for example, when funds get transferred wrongfully to another account.
To comply with EFTA, you need to disclose certain information to users regarding their fund transfer transactions.
It mostly lists down the liabilities regarding unauthorized transactions and what happens when an error occurs.
While more than 40 years old, the EFTA is still relevant today thanks to its constantly updating provisions.
For example, the CFPB has recently ruled that peer-to-peer payments through apps like Venmo are considered electronic fund transfers and therefore subject to EFTA.
And the CFPB has started to include Buy Now Pay Later (BNPL) companies in its ruling. It even subjected five BNPL companies to further scrutiny in an effort to refresh the EFTA provisions that cover them.
So, if you think that EFTA rules don’t apply to your fintech app, re-check and make sure that it really doesn’t.
How to make compliance easier
Compliance gets a bad rap, but it’s only challenging if you go at it alone.
But try partnering with an agency that has extensive experience in fintech compliance, and you’ll see how much less confusing the process can be. It’s by no means easy, but with guidance, at least you’ll know how to move forward.
So if you’re developing a new fintech app idea and need help going through compliance, give us a call. We’ll be happy to lighten the load for you.