You have a brilliant FinTech innovation idea. This product will truly benefit consumers and businesses alike, and you want to bring it to market. You have the technology down, you’ve simplified your user interface, and you’ve secured seed funding. All systems go, right?
Except that, healthcare aside, finance is about as heavily regulated as any industry in the United States. Many overlapping federal and state laws relate to consumer protection. Rules come from the banking regulators as well as the FTC, and keeping track of it all can be overwhelming. Before taking the next step, it’s worth taking a moment to familiarize yourself with the landscape and its alphabet soup of acronyms.
A few areas you must be sure to address include:
ACH (Automated Clearing House)
ACH is the standard for electronic funds transfer used by financial institutions to move money. It carries payroll, direct deposit, tax payments, tax refunds, most consumer bill payments, and nearly any credit or debit transaction.
Anti-Money Laundering (AML)
Anti-money laundering (AML) regulations require financial institutions to monitor customer transactions and report on suspicious financial activity. For example, institutions must verify the origin of large sums of money, monitor suspicious activities, and report cash transactions exceeding $10,000.
BSA (Bank Secrecy Act)
BSA is a federal regulation that sets recordkeeping and reporting requirements for banks and other financial institutions. As amended by the USA PATRIOT Act, the BSA also requires financial institutions to adopt a customer identification program and screen their customers against Office of Foreign Assets Control (OFAC) lists.
KBA (Knowledge Based Authentication)
KBA is a security protocol that asks users to identify themselves by answering specific, personal questions to prove they are who they claim to be. These “shared secrets” are agreed upon ahead of time with the user and allow financial institutions to authenticate requests and authorize access to password-protected accounts.
Know Your Customer (KYC)
Know Your Customer (KYC) is the process of verifying that your customer is really who they say they are. It’s up to you to ensure this hurdle is accurately and easily cleared. Make your customers jump through too many hoops, and they’ll leave for a more user-friendly provider. Failure to adequately comply with regulations can lead to heavy federal penalties.
IAV (Instant Account Verification)
IAV systems confirm a customer’s account credentials within seconds and check whether there are sufficient funds in the account to cover the transfer or purchase. IAV is an essential component of any internet-based financial application.
Money Transmitter License
Under federal law, administered by the Financial Crimes Enforcement Network (FinCEN) of the U.S. Treasury, businesses are required to register for a license to transmit money from one entity to another. It’s a felony to engage in money transmission without a license. Additionally, many states carry their own patchwork of regulations regarding money transmission. For example, internet and mobile-based payments providers are required to have a state money transmitter license to offer services to state residents.
Non-Public Information (NPI) and Personally Identifiable Information (PII)
Non-Public Information (NPI) and Personally Identifiable Information (PII)—the information you may collect to verify customer identity—must be scrupulously guarded. Federal law requires that you take steps to safeguard this data and restrict which third parties you share it with.
OFAC (Office of Foreign Assets Control)
OFAC regulations ban transactions with anyone – individuals, groups, or nations – considered terrorists or narcotics traffickers. OFAC keeps a list of those prohibited from doing business in the United States. Financial institutions must monitor this list and cross-reference it against their customers to ensure compliance.
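As an added illustration of the customer screening that the BSA and OFAC entries above describe (example code written for this page, not Productfy’s or OFAC’s own tooling): customer names are normalized (accents, punctuation, corporate suffixes) and compared by token overlap against a small constructed sanctions list with aliases. The list entries, entry IDs and the 0.6 match threshold are assumptions, not real OFAC data.

```python
import re
import unicodedata

# Constructed sample list (NOT real OFAC data). Real list entries likewise carry
# a primary name plus "also known as" aliases, which is why aliases are screened too.
SAMPLE_SANCTIONS_LIST = [
    {"id": "SDN-0001", "name": "Example Trading Company Ltd", "aliases": ["ETC Ltd"]},
    {"id": "SDN-0002", "name": "Juan Perez-Garcia",
     "aliases": ["Juan Pérez García", "J. Perez Garcia"]},
]

# Corporate suffixes and filler words that should not count toward a match.
STOPWORDS = {"ltd", "llc", "inc", "co", "company", "the", "corp"}


def normalize(name):
    """Lower-case, strip accents and punctuation, drop stopwords; return name tokens."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", ascii_name.lower())
    return [t for t in tokens if t not in STOPWORDS]


def token_overlap(a, b):
    """Jaccard similarity of two token lists (0.0 .. 1.0); order-insensitive."""
    sa, sb = set(a), set(b)
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0


def screen_customer(customer_name, sanctions_list=SAMPLE_SANCTIONS_LIST, threshold=0.6):
    """Return the best (entry_id, matched_name, score) per list entry at or above
    threshold, strongest first. A hit is an alert for human review, not an
    automatic block: fuzzy name matching produces false positives by design."""
    cust = normalize(customer_name)
    best = {}
    for entry in sanctions_list:
        for candidate in [entry["name"], *entry["aliases"]]:
            score = round(token_overlap(cust, normalize(candidate)), 2)
            if score >= threshold and (entry["id"] not in best or score > best[entry["id"]][2]):
                best[entry["id"]] = (entry["id"], candidate, score)
    return sorted(best.values(), key=lambda hit: -hit[2])


if __name__ == "__main__":
    for name in ["Juan Pérez García", "Example Trading Co.", "Maria Lopez"]:
        print(name, "->", screen_customer(name))
```

Production screening would add phonetic and edit-distance matching, date-of-birth and country checks, and retention of every screening decision for audit.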
Payment Card Industry Data Security Standard (PCI DSS)
Payment Card Industry Data Security Standard (PCI DSS) is the credit card industry standard for protecting card and transaction data. Any business that processes credit or debit card transactions must follow its requirements to safeguard sensitive information. In addition, businesses must restrict access to cardholder data and monitor access to network resources.
PCI (Payment Card Industry) Compliance
PCI sets operating standards that businesses must follow to ensure credit card data is protected. Compliance is overseen by the PCI Security Standards Council. Every business that stores, processes or handles credit card data electronically must comply with the guidelines, and is subject to validation tests.
PEP (Politically Exposed Person)
PEP refers to an individual who, because of their political power or influence, is more likely to be involved in bribery, intimidation or corruption. They can be foreign or domestic politicians, judges, or military figures. Senior executives in private companies also make this list, as do their family members – anyone with the position and the power to engage in financial crimes. The FATF (Financial Action Task Force) is an international organization that issues guidelines requiring financial institutions to practice due diligence in identifying potential PEPs.
Omnibus or FBO (For Benefit Of)
Omnibus refers to the situation where a single transaction, or master account, is used to transact business for the benefit of two or more account holders. Care must be taken to ensure that the underlying accounts are kept separate and identifiable and comply with BSA (Bank Secrecy Act) regulations.
And of course, extensive documentation must also be kept for all transactions that pass through your platform.
Banking and securities laws change often and quickly. One of the many advantages of Productfy’s infrastructure system is our team’s deep knowledge in this area. Our products are always designed to align with the most current financial regulatory requirements.
If you’ve got an idea for an innovative FinTech product, be sure you are aware of the full scope of regulations that will need to be addressed.