A step-by-step guide to ensuring fintech compliance

How money moves in compliance with local regulation for US-based companies

Written by
Christina Rea Esq.

Editor’s note

In all the excitement of building and launching new fintech products, one important element that can’t be forgotten is ensuring regulatory compliance, no matter which market you operate in. Trusted compliance hires, particularly for businesses in the money movement space, who can think three steps ahead and prepare the business for its future moves can end up saving significant costs, legal headaches and future challenges. Here, a US compliance expert who has worked across the fintech space, including with Binance.US, shares a step-by-step guide.


Before any fintech business or product launches, one key aspect needs to be considered: compliance. 

Everyone in the fintech industry is responsible for building their products with compliance at the forefront, and doing their part to maintain a safe and secure financial ecosystem for their customers. 

All fintechs that do not have a banking license will need to obtain a sponsor bank partner, or a bank that provides the banking license necessary for fintechs to offer financial products. These partners will need to understand how the new financial products being built behave in order to ensure compliance with applicable laws and regulations. 

Both sponsor banks and the regulators that oversee them require fintechs to build a compliance program before launching their product. When banks conduct their due diligence on a fintech before forming a partnership, they will want to see that the planning and execution of a fintech’s compliance program are comprehensive. There’s a lot of compliance work to cover, but doing this work up front will set a fintech product up for success, keeping the business and its customers safe as it scales.

Here’s a compliance checklist that can be used as a starting point:

  1. Gather all of the business documents needed for due diligence
  2. Establish compliance policies and procedures
  3. Build an information security program
  4. Develop a third-party risk management program
  5. Set up customer agreements and disclosures
  6. Institute a compliance training program
  7. Identify a Compliance Officer
  8. Establish customer support operations
  9. Develop a business continuity and disaster recovery plan

1. Gather all of the business documents needed for due diligence

These documents include things like: 

Gathering all of these documents before talking with regulators and potential sponsor banks will help streamline the due diligence process, speeding up time to launch.

2. Establish compliance policies and procedures

Before launching a fintech product, businesses need to create policy and procedure documents that include the details of how their team will manage all of the various compliance requirements and scenarios associated with the product.

These documents are specific to each unique product and should reflect the company’s use case, size, complexity and maturity.

The policy portion of these documents should cover the specifics behind the policy and how it applies to a product. 

The procedure portion should be more detailed, covering how a policy will be used and executed at the company. It should include the roles and responsibilities, review/approval process and escalation criteria for a given policy. 

It’s essential to work with a compliance expert to understand the policies that will apply to your product. For example, here are some of the policies that must be created for most of the financial products that are operating in the market today:

3. Build an information security program

Properly securing and handling customer information protects customers’ sensitive data from bad actors who may try to compromise a company’s systems. A strict yet agile information security program will help to reduce the likelihood of exposing customer data or sensitive information. 

Businesses should be:

Before launching and for the long term, businesses will need to perform regular vulnerability scans and penetration tests. These processes will identify vulnerabilities so teams can quickly address them before bad actors can exploit them. There are vendors that can be used to assist with these scans and tests. 

One of the most critical aspects of an information security program is that the whole company views this as a requirement rather than a nice-to-have. If partners or regulators see that this program isn't being adhered to or enforced, they will likely prevent launch or future operations. 

4. Develop a third-party risk management program

Fintech products likely rely on a number of third-party integrations to operate effectively. Importantly, regulators will want to understand:

Regulators want to see that the company has done due diligence on any third parties they rely on and have reviewed these relationships to identify the risks and necessary controls. 

5. Set up customer agreements and disclosures

When offering financial products, federal and state-level laws require customers to sign or agree to specific terms and conditions and have access to particular disclosure statements.

In the US, the language and requirements of these will depend on the product set and what states the business operates in. For example, specific disclosures are required for California customers as a part of the California Consumer Privacy Act (CCPA).

It is recommended that teams work with an external resource, such as a legal counsel, to understand what terms, conditions, and disclosures are required for the product. 

They will also need to determine how these will be signed by or become available to customers as a part of your onboarding process.

6. Institute a compliance training program

All employees at the company will need to understand the specific compliance requirements that apply to the product and their job functions, and regularly stay up to date on rules and regulations. For example, the marketing team needs to understand the regulations surrounding how they can and can’t market financial products, and importantly, make sure they’re refreshing their knowledge on these regulations regularly.

To keep employees up to date on these regulations, teams must develop a thorough compliance training program. An effective training program acts as a preventative measure, reducing the chance of regulatory issues or consumer harm by generating company-wide awareness.

A compliance training program should outline: 

Special note: Compliance training programs should also track employee participation and completion.

7. Identify a Compliance Officer

A Compliance Officer is an important team member that will help with essential compliance decisions that affect the company, and also develop a collaborative relationship with regulators and partners. 

When preparing to launch a financial product, a company needs to designate an individual to lead critical risk and compliance functions. These functions include: 

The Compliance Officer should be qualified and knowledgeable in financial compliance and receive ongoing training. Initially, the Compliance Officer can be a part-time or fractional hire, and some consultants provide fractionalized Compliance Officer support until the company becomes more mature. 

8. Establish customer support operations

Fintechs are responsible (and, in the US, liable based on Regulation E from the Federal Reserve Board) for owning the customer relationship, including timely customer support. 

This means that anytime there is a customer complaint, dispute, or error, the team must bring it to resolution. Creating a process guide is essential to ensure an efficient and uniform process for teams to start handling and documenting customer support cases. This guide should include: 

9. Develop a business continuity and disaster recovery plan

Before launching a fintech product, the business and systems must be ready to handle the unexpected. This means teams should have a business continuity plan, along with supporting incident response and disaster recovery plans, which ensures that they have programs and processes in place that will allow them to continue operating during a disruptive event.

A disruptive event can include scenarios such as losing the primary availability zone within a cloud service provider, experiencing a distributed denial of service (DDoS) attack, or recovering critical files from prior instances.

Additionally, in the case of a disaster, which is a partial or complete destruction of systems, businesses need to have a recovery plan in place. It is recommended that they perform simulations of these disruptive events to identify gaps or concerns before an actual event. 

This process will help to minimize the losses and impact of a disruptive event.

Next steps

Maintaining a compliant product should never be a “set it and forget it” process for fintechs. After building out a compliance program using this checklist, they should continue to update and review it as the product becomes more mature or regulatory requirements change. 

Teams should always speak to a compliance professional in the early stages, as each company will have unique requirements. 

Firms like RayCor can help provide fintech teams with the knowledge and resources they need to maintain a safe and compliant fintech product. 

About the author

Christina Rea Esq.

CEO, RayCor Consulting. Christina is a veteran CCO in the financial services space. She's worked as an outsourced CCO/BSA Officer for multiple fintech companies to obtain MTLs and has also developed complete enterprise-wide AML and consumer protection compliance programs. Some of her clients include Uphold.com, Binance.US, ByBit, and international law firms for whom she has performed expert witness work.