Current regulations on financial technology are a “significant market barrier” for would-be fintech disruptors and “sometimes [serve] to protect incumbent providers from new competition,” according to a white paper released in July by Financial Innovation Now, a consortium of those incumbents: Amazon, Apple, Google, Intuit and PayPal.
Technology companies have introduced “new and innovative ways to make payments, lend money, lower costs and increase choices” for consumers, according to the paper.
“Unlike in other markets, however, innovators in financial services must devote significant time and resources to regulatory compliance that can chill investment and innovation or slow time to market — ultimately harming consumers and businesses that benefit from easier access and more affordable services,” FIN wrote in the paper.
FIN acknowledges that many of the regulations fintech providers are subject to provide important protections for consumers and small businesses but says others are “redundant, conflicting or antiquated.”
Furthermore, some new technologies may solve an issue previously managed through regulations, rendering them unnecessary, according to the paper.
The paper examined two channels, payments and lending, that face regulations from state and federal agencies, as well as those imposed by depository institutions and credit card companies.
“Regulation impacts every aspect of the online lending process, from customer acquisition and disclosures to data security, underwriting and debt collection,” according to the paper, and current regulations don’t distinguish between nonbank and bank lenders.
The problem for nonbank lenders is that they have a “patchwork” of state lending laws, each with their own “registration requirements, license fees, training requirements, staffing rules, etc.”
To get around this, many nonbank lenders partner with a traditional bank; however, that introduces other regulations. By working with an FDIC-insured bank, the nonbank lender is subject to examinations by the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp.
Among the various regulations that online lenders have to comply with, according to the paper, are the Equal Opportunity Credit Act, the Gramm-Leach-Bliley Act; the Bank Secrecy Act; the Electronic Funds Transfer Act and Electronic Signatures Act; the Unfair, Deceptive and Abusive Acts or Practices prohibition of Dodd-Frank; the Fair Debt Collection Practices Act;, the Telephone Consumer Protection Act; the CAN-SPAM Act and Do Not Call Rule; the Servicemember Civil Relief and Military Lending acts; the Fair Credit Reporting Act; the Truth in Lending Act; and requirements to make sure borrowers can pay back the loans they take.
New payment technologies are clearly more convenient for consumers, but they’re also more secure, the paper claims, as customer information is encrypted and customers are “verified and authenticated through dozens of techniques.”
There’s an extensive network of hardware, software and multiple providers that goes into the payment process, according to the paper. “This large ecosystem of payments providers is part of the vital financial infrastructure of the nation and, in fact, the world. For this reason, protection of the data that flows through the payments system is essential to the safe functioning of the economy.”
Payment processors face regulations in on-boarding merchants, protecting data, monitoring transactions and many other aspects of their business, according to the paper.
In addition to many of the regulations faced by online lenders, like the Gramm-Leach-Bliley and Bank Secrecy acts and anti-money laundering regulations, payments processors must also comply with “know your customer rules,” Customer Identification Program requirements under the USA PATRIOT Act, state money transmitter and escheatment laws, operating and data security rules for credit card networks, the Unlawful Internet Gambling Enforcement Act and the Consumer Financial Protection Bureau’s “Nine Consumer Protection Principles.”
Data security is clearly an important factor in online lending and payments processing, but the paper argues that “there is no evidence that data breaches and hacking […] would be prevented by more financial regulator examinations of lenders or processors.”
Furthermore, cybercriminals are “highly sophisticated” and can move quickly to respond to security measures.
“To adapt to the everchanging data security challenges, companies must have the flexibility to move as fast as the criminals,” the paper says. “They must be free to develop and deploy new systems and technology to protect their customers’ data.”
The FTC doesn’t have the same examination authority that bank regulators do, but it can “accomplish much the same thing” by issuing a civil investigative demand (CID) to gain access to documents and employee testimony at lenders or processors it believes is not adequately protecting customers’ privacy.
The CFPB has its own authority and can issue CIDs, as well as cease and desist orders and civil money penalties, the paper noted.
“Suggestions that this extensive examination and auditing regime are inadequate are misplaced,” according to the paper. “Few, if any businesses are more closely scrutinized for the adequacy of their data security than new technology companies engaged in payments or lending.”
In fact, new fintech providers, whose sole business is digital, have “strong incentives to employ exceptional data security practices.”
FIN argues that rather than leaving data security in the hands of bank examiners, policymakers should work to create regulations that enable “modern data security through a principles-based approach that ensures technology neutrality” that would apply to traditional banks and new fintech providers.
“The greater risk is that well-meaning regulators may impose overly rigid standards or best practices that are designed to prevent the last breach, rather than the next one.”
— Read USAA Nabs Citi’s FinTech Chief on ThinkAdvisor.