The FinTech Challenge
The convergence of financial services and technology may have simplified our lives, but it presents a regulatory and legal maze for companies to navigate.
FinTech – the convergence of financial services and technology – touches consumers and businesses in many ways. Mobile payments and funds transfers, online banking, virtual currencies, on-demand retail payments processing, online lending and investing platforms, remote insurance claims settlements, merchant loyalty rewards programs, and wealth management applications are among the many FinTech services burgeoning in the marketplace.
While financial services businesses have long relied on extensive computing infrastructures to make their services possible and economical, innovative technologies only recently provided the nexus through which users accessed those services. By contrast, FinTech product and service offerings encompass a wide array of financial products and services that are accessible to consumer and business users through multiple personal computing devices and, in many cases, on an on-demand basis.
From a user perspective, the range of readily available financial services is immensely convenient. From a legal perspective, the issues that must be dealt with by a FinTech business involve the overlap of financial services regulation with concerns that are peculiar to mobile and online technology businesses.
Key FinTech legal concerns
Financial services of many types are the subject of meticulous regulation at a federal and state level, with many governmental agencies having broad (and often overlapping) jurisdiction over products and services offered by regulated entities.
1. Financial services regulation
Banking services are subject to the oversight of the Office of the Comptroller of the Currency, the Federal Reserve, the Federal Deposit Insurance Corporation and state-specific banking authorities, among other agencies. Insurance providers must be licensed by state insurance commissions, while services related to the insurance ecosystem may have obligations under federal laws (such as for health care reimbursements). Payment processors and credit card and other payment-card companies must adhere to obligations under federal statutes that regulate permissible levels of fees for payment cards, as well as mandatory guidelines set by industry bodies such as the Payment Card Industry (PCI) Security Standards Council. Money services businesses providing funds transfers and money order services are subject to state-by-state money transmitter licensing.
Virtually all financial services companies must also implement detailed programs to address anti-money laundering, financial fraud and anti-terrorism concerns under the requirements of the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) or other agencies. One further regulatory concern FinTech companies must contend with is the growing and somewhat omnibus authority of the Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission, each of which has far-reaching jurisdiction over the manner in which many financial services are offered to consumers. This spring, the CFPB brought the first-of-its-kind (for the CFPB) enforcement action against Dwolla, a FinTech payments company, for inadequate data protection practices.
On top of the fact that the list of applicable federal and state statutes and government agencies is lengthy in any given subsector of financial services, many FinTech services do not neatly fit within well-defined regulatory categories. A cautious approach to compliance is therefore required. This consideration has prompted many FinTech companies to err on the side of “opting in” to a regulatory scheme where there is meaningful concern about the applicability of particular statutes. As an example, U.S. providers of one of the most widely used virtual currencies, bitcoin, generally have sought state-level licenses as a money service business or money transmitter, although it is not clear that this is even necessary.
While delivering financial services through innovative technologies makes the services offered by FinTech companies more attractive to users, the panoply of regulation means that legal compliance obligations must be a central component of FinTech businesses.
2. Technology services regulation and practices
On the nonfinancial side of these businesses – the “tech” element of FinTech – there are many other legal considerations that require significant attention. Although the offering of technology services has not generally been the subject of government regulation (with some notable exceptions, such as telecommunications), certain concerns that cut across many technology service offerings, particularly where consumers are involved, have received more scrutiny and resulted in legal compliance obligations.
Concerns over data privacy, data security, and deceptive and unfair business practices have spurred a patchwork of federal and state regulation and compliance requirements that impact FinTech businesses. Data privacy and security concerns among consumers, businesses and regulatory agencies have increased considerably within the United States over the past five years. Although previously regarded mostly as an afterthought when a data breach occurred, compliance with data security requirements is now a fundamental consideration at the front end as applications are developed and deployed. While many factors account for this – from newsworthy major data breaches by retailers and health care companies to the increased incidence of financial fraud facilitated by the explosion of electronic data – because of the type of data required to enable financial services transactions, FinTech companies must pay special attention to data privacy and data security obligations.
In addition, businesses within the online and mobile sectors of the technology industry, which dominate FinTech, have developed a series of customary legal-contracting practices that most FinTech businesses are well advised to follow. These include requiring user assent (and a specified manner of doing so) to a set of protective service or application terms, the posting of data privacy practices, copyright notice and infringing content takedown policies under the Digital Millennium Copyright Act, and specific consent requirements under the Telephone Consumer Protection Act for text messages and other electronic communications.
3. Intellectual property concerns
Intellectual property is both a valuable asset and, potentially, a significant risk to players within the FinTech industry. This is especially true of patents. To protect their investment in innovation, many FinTech companies actively pursue patent protection for their inventions, for various reasons: leverage to exclude others from a market segment, extraction of licensing revenue from third parties, offsetting patent portfolios of competitors, and increasing the value of their companies.
Patent applications are filed with and granted by the U.S. Patent and Trademark Office (USPTO), an agency of the U.S. Department of Commerce, to encourage the development of new inventions for the ultimate benefit of society by granting innovators exclusive rights with respect to their inventions for a limited period of time. In this way, patent owners can achieve a return and profit on their investment, providing an incentive for them to innovate.
FinTech companies, on the one hand, embrace patent protection, but, on the other hand, often struggle with how best to mitigate the risk posed by third-party owners of other patents. This challenge is further compounded by recent case law, from the U.S. Supreme Court and lower appellate courts, that has severely limited patent protection for automated methodologies (such as those driven by a computer), where the invention merely performs by computer what previously was performed manually. Because many FinTech inventions fall into this category, it has become more difficult to obtain and enforce patents for certain financial services methodologies.
Moreover, as a result of recent changes in U.S. patent law, there are an increasing number of techniques available to challenge the validity of granted patents. For example, new procedures exist at the USPTO to challenge patents after issuance, based on, for example, prior art (i.e., prior publications and prior patents). And a special procedure is now available to challenge covered business methods, or “CBMs,” which include certain types of FinTech inventions. These new procedures resemble litigation in many ways, yet offer a less expensive alternative to federal district court litigation to challenge granted patents.
Thus, while in some ways it has become more difficult to obtain and enforce patents for FinTech inventions, patent protection for financial technologies can still be obtained. However, the strategies and tactics for obtaining such patent protection have changed markedly, especially in light of the new procedures available at the USPTO to challenge patents. But through a thoughtful approach to applying for and pursuing patent protection at the USPTO, with a similarly thoughtful approach to mitigating the risks posed by third-party patents, FinTech companies can pursue suitable strategies for offensively and defensively protecting their investments in innovation.
As with other technology sectors that have experienced rapid growth in recent years, FinTech companies and their service offerings present tremendous opportunities for innovations and conveniences that benefit consumers and businesses alike. That growth also poses for FinTech businesses and their users many new regulatory, legal and intellectual property challenges that will need to be sorted out further as the FinTech sector continues to develop and grow.
Greg Kirsch is the head of SGR’s Intellectual Property Practice. firstname.lastname@example.org.
Brett Lockwood is the head of SGR’s Technology Law Practice. email@example.com.