Congressional auditors call on FinTech regulators to do a little more
Chris Hamblin, Editor, London, 31 July 2018
America's Congress has asked the General Audit Office to provide it with information about various fintech activities; it has now reported, placing emphasis on US regulators' efforts to oversee them, the regulatory problems that beset fintech firms, legal or regulatory 'protection' for users and the steps that regulators are taking to encourage financial innovation around the world.
The report starts off badly, stating that fintech was "originally short for financial technology" without saying what the GAO believes the abbreviation to be short for now. Moreover, the findings it enumerates in its first few pages are at times non-committal, with sentences such as "with numerous regulators, fintech firms noted that identifying the applicable laws and how their activities will be regulated can be difficult." The report nonetheless improves as it goes on, at first referring occasionally to 'providers' (a term it uses 70 times or so) without saying what they are providing but gradually growing out of this habit, except in its footnotes.
This report looks at four types of fintech activity, namely wealth and financial advice, payments, lending and distributed ledger technologies (some of which are known as blockchain). Traditional financial firms such as banks or investment advisors also offer products through mobile devices or the Internet that are similar the offerings of fintech firms, but the authors of the report say that they want to concentrate on things offered to consumers by "non-financial firms." This peculiar American term seems to make little sense in a world where every business is trying to make money and, more to the point, where no firm that uses the word 'fintech' to describe itself can pretend not to be offering a service that has a great deal to do with finance. Nonetheless, the US Treasury and its agencies have used it a good deal throughout the years.
Robo-advisors
Fintech firms offer wealth management advice, some with no human interaction. Robo-advisers (provided by Betterment, Personal Capital, Wealthfront and others) offer investors advice using algorithms that base themselves on those investors’ data and risk preferences to provide advice on recommended asset holdings and allocations.
A typical digital wealth management interaction works as follows. The customer enters information about his age, income, goals, risk tolerance, investment time and financial assets. The wealth management platform's algorithms translate these scraps of information into a strategy which it then recommends to the customer. He selects the strategy. The platform then executes trades for him and rebalances his portfolio in response to his goals the performance of the underlying investment. Periodically, the customer can go back to the first step and adjust his information.
A firm called Business Insider Intelligence, in a research paper entitled "Evolution of Robo Advising" in June 2017, estimated that robo-advisor firms would have as much as $1 trillion in assets under management by 2020 and as much as $4 trillion by 2022.
Fintech robo-advisors that offer wealth management advice are generally subject to the same federal and state supervision as traditional investment advisors. Under the Investment Advisors Act 1940 and state securities laws, any entity or individual that offers investment advice for money must, in general, register as an investment advisor (with the SEC or the states) and send in various reports and conduct itself in a prescribed manner. When providing advice, investment advisors — traditional or fintech — are considered fiduciaries to their clients, which means that they owe them a duty of care and loyalty and must disclose all actual or potential conflicts of interest to them and act in their best interests. No robo-advice firms were
solely regulated by the states at the last count in October last year. As of November 2017, the Federal Depository Insurance Commission and the Office of the Comptroller of the Currency had not completed any visits ('examinations') of fintech firms that fall within the ambit of the report. Some fintech firms may be subject to indirect federal oversight as part of relationships they have struck up with regulated financial institutions, but the GAO is very vague about this.
Why use fintech?
The audit office thinks that fintech products and services score over their rivals by being more convenient for consumers to use, especially as they operate outside office hours; being cheaper, although this is debatable; being faster to use; and being more secure. On this last point, everybody knows that credit and debit transactions transmit sensitive information that hackers use to make fraudulent transfers. Fintech providers’ mobile wallets generally replace this sensitive information with randomly generated numbers that stop transactional information being used fraudulently (tokenisation), according to the Federal Reserve’s Mobile Payments Industry Workgroup. Similarly, while lost or stolen credit and debit cards can be used to make fraudulent payments, a lost or stolen mobile device often has security features that protect a mobile wallet from unauthorised use.
Having said this, the GAO goes on to point out that fintech and traditional products generally pose risks of the same kind to the consumer. Unauthorised transactions can occur in either medium, although consumers who fund their mobile wallets by linking them to traditional funding sources such as debit or credit cards or bank accounts generally benefit from "consumer protection" laws such as the Electronic Fund Transfer Act and the Truth in Lending Act. The former Act does not yet cover payments funded by mobile wallet balances or mobile carrier billing, so the Consumer Financial Protection Bureau enacted a rule to extend existing protection for consumers on the subjects of error resolution and liability for unauthorised transfers to prepaid accounts and mobile wallet balances. It timed this rule for April this year but then delayed it until 1 April next year.
Available information from regulators shows that the number of complaints by consumers against fintech activities appears modest in proportion to traditional financial activities.
A multi-layered plethora of regulatory guidelines
The US has a tangled skein of regulations that emanate from many authorities, and that is only at the federal level. People whom the GAO interviewed said that the cost of obtaining all state licenses for fintech payment firms and lenders cost between $1 million and $30 million, including legal fees, state bonds and direct regulatory costs. Also, market participants and observers told it that fintech firms may spend a lot of time coping with state examinations because states' requirements vary and many of them may examine fintech firms once a year. For example, staff from a state regulatory association said that states may examine fintech firms subject to co-ordinated multi-state exams two or three times per annum and as many as 30 different state regulators may examine firms that are subject to state-by-state exams in the same year.
Some US regulators have issued rules and guidelines to help fintech start-ups plot a course through the federal-and-state web and work out what their obligations may be. In December 2017, the Federal Reserve’s Consumer Compliance Outlook newsletter included an article that offered financial institutions and fintech firms general guideposts for evaluating unfair and deceptive practices and "fair lending risks" related to fintech, with an emphasis on alternative data. Also in that year, a special edition of the same magazine summarised some federal laws, regulations and guidelines that may apply to mobile payments, fintech lending and digital wealth management. In February 2017, the Securities and Exchange Commission issued guidelines about the substance and presentation of disclosures that robo-advisors must make to clients about themselves and the investment advice they offer, along with their obligation to obtain information from clients so as to ensure that the investments they recommend are suitable, and compliance programmes. Similarly, in March 2016, FINRA (the SEC's 'little brother') issued a report about effective practices related to digital investment advice and reminded the broker-dealers it had licensed of their obligation to obey its rules.
In 2013, the US Treasury's Financial Crimes Enforcement Network issued guidelines that clarified the applicability of anti-money laundering and related regulations to participants in certain virtual currency systems. The next year, FinCEN issued administrative rulings that was even clearer about the types of market participant to which the guidance of 2013 applies. In October 2017, the Commodities and Futures Trading Commission issued a report on virtual currencies in which it said that it considers virtual currencies to be commodities, outlines related examples of permissible and prohibited activities, and cautions investors and users about making use of this new phenomenon. In July 2017, the SEC issued a report on distributed ledger technology (blockchain) token sales, in which it warned market participants that sales with certain characteristics may be subject to the requirements of federal securities laws. In January 2017, FINRA issued a report on the broader uses of the blockchain, outlining important regulatory considerations for firms that want to use it in the equity, debt and derivatives markets.
The OCC is in a beleaguered position on this subject, as on many others. Last year, state banking regulators signalled their unwillingness to share the fintech market with their federal counterparts by taking that regulator to court, alleging that it went ultra vires by proposing to issue a 'FinTech charter.' A bitter OCC official told the GAO this year that this special-purpose national bank charter was 'on hold' because his organisation was no longer sure about whether to go forward with the proposal.
Meanwhile, state regulators are taking steps to make life easier for fintech firms that want to operate in more than one state. For example, they are making use of the Nationwide Multistate Licensing System, which enables firms to submit one application with information that fulfills most of the licensing requirements of every participating state. States can only co-ordinate their rules to a certain extent, however, because the American constitution does not permit them to make treaties with one another. There is, however, a plan to 'harmonise' (if the US uses this term in the same sense as the European Union, it means 'standardise closely') multi-state supervision by establishing model approaches types of non-bank supervision, making regulatory visits or 'examinations' more uniform, identifying and reporting transgressions to one another and creating a "technology platform" for examinations next year, all of which is acceptable constitutionally.
Regulatory co-ordination is less of an issue for financial regulators outside the US than inside because most jurisdictions have fewer of them. The UK has three agencies involved in financial regulation, Singapore has one financial regulator and Hong Kong has four. The US, meanwhile, has ten federal agencies involved in the regulation of fintech in some capacity.
Around the world
The United Kingdom's Financial Conduct Authority receives an honourable mention, with the GAO praising it for its "Innovation Hub," part of "Project Innovate" whose aim is to help fintech start-ups while keeping technically challenged regulators more abreast of developments than they would otherwise be. Also mentioned is Looking Glass, a project through which the Monetary Authority of Singapore offers fintech firms training and consultation about regulation and provides a venue on which fintech firms can demonstrate products to banks. Regulators and fintech firms that the GAO interviewed abroad said that innovation offices of this kind helped firms understand their regulatory obligations better, while helping regulators spot risks at an early stage.
The GAO notes that the UK, Singapore and Hong Kong all have "innovation offices;" the FDIC and the NCUA in the US do not, although all other federal financial regulators have. This is also the case for authorities that have a decidated web-page and email address and hold fintech events. However, only the CFTC and the OCC in the US and the FCA in the UK have a dedicated phone number. Everyone except the NCUA has published something on the subject.
The GAO believes that US regulators have much to learn from their go-ahead foreign counterparts, especially the FCA. It looked at "regulatory sandboxes," proofs of concepts, innovation competitions or awards and 'agency-led' (an undefined term) accelerators (not defined but definitely providing start-ups with funding, connections with investors, access to regulators and teachers, access to prospective customers and working space). The GAO is as inarticulate in its attempts to define a "regulatory sandbox" as the FCA has been in the past, merely stating that it "allows" firms to test innovative products, services, business models, delivery mechanisms etc, subject to agreed-upon testing parameters. This is the case with all firms with new products anyway, so the auditing office leaves the reader wondering why any firm would want to avail itself of a "sandbox," especially as not all "sandboxes" offer any relaxation of normal regulatory rules - the only lure, it seems evident, by which a regulator can motivate a start-up to participate. No American regulator operates one and only a couple operate anything similar, although some like the idea of using "no-action letters" (not originally possible in the UK under the Financial Services and Markets Act 2000 but now, according to the GAO, an option) to relieve some start-ups of their usual regulatory duties. In US parlance, this is known as "regulatory relief."
The GAO's conclusions
The auditors have found that market participants do not agree about whether consumers who use account aggregators will be reimbursed if they experience fraudulent losses in their financial accounts. Until regulators clarify the valid interests of consumers, financial account aggregators and financial institutions and strike some formal balance between them, the GAO thinks that consumers might be put off using this valuable financial service.
It therefore makes many bureaucratically useful recommendations. Bigwigs from the Federal Reserve should talk to the FCC about the possibility of one of its representatives sitting on the Fed’s Mobile Payments Industry Working Group. The Director of the Consumer Financial Protection Bureau should engage in collaborative discussions with other financial regulators. The Comptroller of the Currency and the chairmen of the Board of Governors of the Federal Reserve System, the National Credit Union Administration and the the Federal Deposit Insurance Corporation should do the same, but only on the subject of consumers’ use of account aggregation services. The FDIC should think about setting up an office of innovation or clear contact point, including at least a website with a dedicated email address. Many other conclusions are equally circumscribed and tentative, and it comes as no surprise that the GAO does not reach the most obvious conclusion of all: that even though the United States is two years ahead of the rest of the world technologically, it is probably two years behind the UK and other jurisdictions in its regulation of fintech.