Is FinTech regulated?
In the United States, FinTech is not regulated by any specific or centralized body, per se. It is subject to the banking regulations that oversee general banking organizations at both the state and federal level. Depending on the organization’s charter and organizational structure, organizations may be subject to complying with regulations from one or both national levels.
The primary federal regulation agency, however, is the Federal Deposit Insurance Corporation (FDIC). You might have noticed their seal at your local bank’s branch office or on the website of a FinTech organization you interact with. Unlike other global countries, the system in use in the U.S. is considered highly fragmented. Additionally, federal laws preempt state laws when joint regulations are in effect further adding to the fragmentation.
By contrast, the United Kingdom’s (UK) governing body over the financial services industry is the Financial Conduct Authority (FCA). They provide a centralized agency that is responsible for:
- Protecting consumers
- Enhancing market integrity
- Promoting fair competition
Accordingly, the FCA is controlled by Parliament and the Treasury in the UK. Overseeing the financial sector for businesses, individuals and the overall economy of the country, requiring all financial services to register with the FCA and commit to scheduled regulatory reporting. The FCA achieves this by invoking certain powers to:
- Enforce mandates
- Implement and execute rules
- Investigate financial cases
- Raise service fees
How are violations handled and who does the handling?
What happens when a law is broken or violation to a regulation occurs? That’s a good question, but unfortunately one that varies in its answer. In the U.S., some of the reasons for this include what law(s) were broken, in what state or region did this occur, which regulations were violated and to what degree, did the suspect knowingly or unknowingly commit a crime and so forth.
There is no single, defining answer as each case will likely vary from the next. Hence why, similar to variations in non-financial criminal cases, each case must be investigated thoroughly before a clear determination can be made.
What is known are the laws and regulations that are in place to regulate financial services and businesses alike. Below is a non-exhaustive list and how they fit within a broader application to FinTech:
- Sarbanes-Oxley (SOX) Act: U.S. federal law that sets requirements on public companies, obligating them to provide proof of accurate and secure financial reporting. The aim being to protect investors from fraudulent accounting practices by organizations.
- Gramm-Leach-Bliley (GLBA) Act: U.S. federal law requiring financial institutions to provide details on how they protect and share PII and customer privacy data.
- Keeping the Promise for a Strong Economy Act: Omnibus bill issued in Ontario, also known as the Canadian Sarbanes-Oxley Act, or C-SOX, and agreed upon by the Canadian Securities Administrators that offers oversight, regulation and auditing provisions to any company issuing securities.
- Financial Security Law of France: French law adopted by French Parliament to strengthen legal provisions in relation to corporate governance. Particularly applicable to public companies, including those that manage public savings for financial transaction, beginning on or after January 1, 2003.
- Financial Instruments and Exchange Act: Japanese statutes codified into law on June 14, 2006, providing regulation and registration of brokers and their representatives, disclosure obligations and internal controls like U.S. SOX law.
Another known quantity are the consequences of violating these laws and regulations. What types of repercussions may stem from violating any of them varies from law to law, and region to region, however some of the more common threads found in the enforcement of these regulations – applying to both organizations and/or individuals, such as officers of the company – include, but are in no way limited to:
- Financial penalties in the form of fines or fees
- Criminal prosecution, resulting in prison terms
- Withdrawing authorizations or business licenses
- Prohibiting or suspending business functions
- Issue alerts warning against business practices
- Loss of reputation or business standing in public
- Court ordered injunctions, restitution orders and bankruptcy proceedings
How does one comply with regulations?
Underneath the veil, FinTech is the merging of information technology and cybersecurity for the financial sector. What this means from a solutions perspective is that, ultimately, many of the traditional security solutions are applicable to securing FinTech:
- Endpoint management
- Identity management
- Network management
- Malware protection (Antivirus, Antimalware, etc.)
- Security appliances, like Firewalls and Intrusion Prevention Systems
- Security policies (Patch management, Incident Response & Remediation, Acceptable Use Policy)
- Leveraging advanced technologies (Biometrics, Multifactor Authentication, Encryption)
- Penetration testing
- Training staff and informing users
Many of the same information security best practices apply wholly to FinTech – after all, these are run on the same types of hardware that consumers utilize to access their data.
What does make it different, at least in how it’s applied, is the requirements behind the regulations that govern the safekeeping of the data being protected. For example, securing websites provides not only encryption of the data within each session, but also allows users to verify the validity of the website in question.
This type of security relies on certificates that are issued by a trusted 3rd-party, or Certification Authority (CA). The certificates generated use public and private keys which are both fast and efficient, requiring little processing power which is great as websites are accessed from web browsers across a variety of different device types with a wide range of underlying hardware – some high powered, others not so much.
By choosing asymmetrical encryption ciphers, data can be processed very quickly with little overhead or delays in processing. However, say a symmetrical cipher were used. Depending on the strength of the key, connections would take far longer to establish and exchange data, thereby slowing down the entire process. Worse still, the user’s experience would vary depending on the device used. More powerful computers could encrypt and decrypt data at a decent rate, however, smartphones would likely experience delays due to the levels of processing power needed for each connection.
Simply put: The right tools are needed for the right job. While some tools might work well and good, others might work just that much better, and that is where regulations play a large role. By stipulating what types of data must be protected and setting the expectations for its protection, FinTech firms can apply a wide range of solutions, adopting the ones that best meet the businesses needs and the overarching regulations that govern them.
Which regulations specifically apply to FinTech?
FinTech may be viewed in the context of the “wild west vs sheriff” analogy. With the “wild west” being the former and the “sheriff” in these here parts would be categorized as the regulations that effectively “police the streets and keep the peace”. Similar to how the health industry has the Health Insurance Portability and Accountability Act (HIPAA) to regulate the private health information of individuals, the financial sector has its own set of regulations that govern what can and cannot be done, providing guidelines as to what steps should be taken to ensure the confidentiality, integrity and availability of data and transactions.
Among the variety of regulations available worldwide, FinTech is still in its relative infancy compared to other, more mature regulatory bodies found in other industries. This is not to say there aren’t some solid regulations in place, but rather to say that as technology advances, existing regulations will transition, while new ones will spring up as more countries globally develop laws to address the unique needs of this growing sector.
For now, here are some of the most common regulations that impact FinTech directly or indirectly:
- Payment Card Industry Data Security Standard (PCI DSS): Develops standards and support services to educate, guide and drive implementation by stakeholders in the payment card industry.
- General Data Protection Regulation (GDPR): EU-based privacy and security law that affects organizations worldwide that target and/or collect data related to European citizens.
- Financial Conduct Authority (FCA): UK-based body that regulates persons and organizations that provide financial services to consumers. Also, maintains the integrity of the financial market.
- Financial Services Agency (FSA): Japan-based body that regulates their financial system to provide market stability, fairness and transparency. Also, provides user protections.
- Securities and Exchange Commission (SEC): US-based government agency that regulates securities markets, enforce federal laws and provide information and protection for investors.
Find out how Jamf helps organizations around the world
meet their audit and compliance requirements to secure their Mac fleet and protect their users.
Have market trends, Apple updates and Jamf news delivered directly to your inbox.