Five things to know about fintech and regulatory compliance

What are the risks to consumers and what is a 'regulatory sandbox'? Read on to find out more about our new module
by Bethan Rees


"Fintech companies often do not fit within the existing regulatory framework, and their small, agile nature means that the risks associated with these businesses are likely to be very different to other, more established firms," according to our Professional Refresher module on fintech and regulatory compliance.

Regulation of fintech companies and services varies from country to country. Some regulations expected to be rolled out in 2021 will affect fintech in the UK, according to an article by AltFi; these cover buy-now-pay-later services, EU passporting and banking licences.

According to a Business Insider article by Victor Chatenay, the China Banking and Insurance Regulatory Commission is calling on internet platforms offering fintech services to review their compliance. This announcement "follows years of fintech regulatory overhaul in the country", Chatenay says. The news comes after the regulator suspended the initial public offering (IPO) of Ant Group, the world's largest fintech company, in November 2020 due to non-compliance with regulation.

A Financial Times video explains that the IPO was suspended because regulators announced new draft measures for online microlending, which makes up almost 40% of Ant Group's revenue, just before the company was due to go public. In the run-up to the IPO the company had rebranded itself as a technology company (even removing the word 'financial' from its name); under the new draft measures, however, online lenders such as Ant Group will be treated as banks rather than as technology companies.

Here are five things worth knowing about fintech and regulatory compliance, taken from our Professional Refresher.

1. Risks to consumers

"To date, most regulators have tended to take a cautious, watchful approach to fintech, assessing the risks it poses and increasing their understanding before taking any action," the module says. To understand the need for regulation, it's important to note the risks fintech can pose to consumers. Risks include, but are not limited to:

  • Transparency and understanding – consumers' lack of understanding can be a risk, heightened by a lack of transparency from companies. For example, "if a number of firms are involved in providing a product or service to a consumer, how do they understand their rights?" Firms should be transparent around the technology being used, the firms that are involved and how they intend to process consumers' data. This should be explained in clear and simple language.
  • Mis-selling – automated processes can increase the risk of mis-selling. For example, an error or a bug could lead to consumers being mis-sold products or services before the issue can be identified.
  • Vulnerable customers – as defined in the module, vulnerable customers are "those that have a physical or mental illness, or have recently had a significant life event that makes them vulnerable, such as bereavement and redundancy". This group of people may not be treated fairly, or could be excluded or exploited as a result of the reliance on digital systems.
  • Data security – the more consumer data is collected digitally, the greater the data security risk. The level of security should be assessed for any technology that collects and processes data, before it is deployed and throughout its use.

2. Fintech licences

"Regulators have taken very different views when it comes to licensing and authorising fintech firms." For example, the US has introduced specific fintech licences, whereas in the UK, fintech firms are required to apply for a regular licence.

The type of licence will determine what the company can do, the rules it needs to follow and the reporting and governance requirements. For new firms, applying for and obtaining a licence can be costly, too.

3. Data insights

With an influx of data, the roles of compliance departments are changing. Professionals working in compliance can turn data into insights for a business. This can help to identify trends, positive or negative, and allow firms to act quickly to prevent further issues. Also, alerts and automated checks can be put in place to prevent issues. Risk professionals can also model and predict to a greater extent with more data, "so that the impact of events can be more accurately assessed".

Data insights could be used to create a dashboard "using the large volume of data collected and data management tools to conduct proactive investigations and mitigate issues". Before that, however, a data audit should be conducted, recording what data is collected, so that the firm can determine which data is relevant from a risk and compliance perspective.

Trend analysis can also be conducted regularly to help find themes that indicate issues so action can be taken quickly.

4. Data breaches

With more data being collected, there is a potential for an increased number of data breaches through cyber attacks and hacking. "It could also mean that, once integrated with other technology, it may make other, secure technology vulnerable". Established firms should consider how new technology will integrate with existing legacy systems. Incomplete integration could expose the firm to additional data security risks.

However, cyber attacks and hacking are not the only sources of data breaches. The module says that "the most common source of data breaches is internal", whether malicious or the result of human error. According to the UK's Information Commissioner's Office, between 2017 and 2018, 90% of data breaches were a result of human error. With this in mind, staff should be trained in data security issues.

Firms should also be aware of any new technology and its role in collection, processing and storage of personal data. Also, consider which jurisdictions the data will pass through and be processed in – different regulations may apply.

5. Regulatory sandboxes

Some regulators have established sandboxes or 'innovation hubs', which allow a business to test its propositions in the market with real consumers in a safe environment, in order to identify and assess risk. "This process is sometimes called 'proof of concept' because a new concept is being tested to see if it is workable or not."

Regulators in the EU and Asia have tried to work collaboratively with fintech firms to help "drive innovation and competition", but for this to be successful, regulators must balance this with ensuring that firms are financially stable and consumers are protected.

If a firm is thinking about using a regulatory sandbox, there are some things to consider first, such as:

  • Who is overseeing the sandbox? Is the regulator responsible for supervising? For example, in Australia, the fintech sandbox is supervised by the capital markets regulator, not the banking regulator.
  • What are the supervisor’s timelines for the sandbox? These could be different to what the fintech firm is working towards. The firm may want to launch its technology as quickly as possible, but the sandbox may have a much slower pace.
  • There are no agreed international definitions or principles around sandboxes, so it could differ from jurisdiction to jurisdiction. Therefore, a new technology that complies in one may not comply in another.

The module concludes, "fintech does not always fit easily into existing financial regulations, and operating within the regulations and laws is always a significant risk for fintech firms, especially for ones that operate across numerous jurisdictions or on the perimeter of regulations".

Fintech is here to stay and brings many positives for the financial services sector and its consumers. However, the risks new technology and new firms pose must be assessed, and "as long as a compliance culture exists and the new technology is developed, launched and monitored in an appropriate and transparent way, these risks can be mitigated".

Published: 28 Jan 2021
  • Fintech
  • International regulation
  • Compliance
  • data protection
  • professional refresher
  • data breach
  • Regulation
