FinTech entrepreneurs: make sure you’re on the right side of the law

The established banking and finance world is subject to extensive regulation, but as a young industry, the rules around FinTech are harder to navigate.

To help clear up some of the legal issues in financial technology law, including mobile financial services, cloud computing, information governance and cybersecurity, this week saw treasury technology experts bobsguide host a webinar with Kevin Taylor, Partner at Schnader Harrison Segal & Lewis LLP and author of FinTech Law: A Guide to Technology Law in the Financial Services Industry.

Here are Taylor’s top takeaways from the event.

1. Mobile Financial Services

Taylor predicted that in the near future, around 50 million consumers will be using mobile phones or personal digital assistants as their primary choice of payment, saying that NFC-enabled devices are fast overtaking Bluetooth for contactless payments.

This trend means that data theft is becoming a hot FinTech law topic. Vendors need to be aware of how to authenticate consumer information and protect information under the Gramm-Leach-Bliley Act (GLB), which relates to the security and privacy of a consumer’s non-public information (NPI). Also, Section 404 of the Sarbanes-Oxley Act (SOX) requires companies to have controls in place to increase financial data and systems security.

2. Cloud Computing

A major risk with cloud-based security is that data security breaches can go unnoticed by the provider, leave jurisdiction data without adequate protection and incur issues related to noncompliance with privacy and data protection laws. Accountability for these problems can be hard to define, since there is often a long chain of subcontractors, making it difficult for companies to monitor their cloud service provider and, in turn, their data.

Taylor believes that it is important to note how service levels and “knowing what you’re getting” are more difficult with cloud computing, as data is controlled by a third party and termination rights can get complicated. However, organisations like the Cloud Security Alliance (CSA) provide more information on cloud computing and suggest ways for companies to decrease security breaches in future.

3. Information Governance

It is essential to distinguish between different kinds of data when using a third party provider, said Taylor. Companies should also take a more holistic view of how data is treated because third party providers occasionally run their own analytics on the information to create statistical data. According to Taylor, the same types of data could have different record keeping regulations, but because data processing is now done electronically, this also needs to be tracked.

4. Cybersecurity

Cybersecurity affects people on all levels. Taylor described how countries, businesses and individuals are all vulnerable to threats from hackers, who often get hold of whole identities as well as information. According to Taylor, businesses should have solutions in place, but it is ultimately the government’s responsibility to provide this. An example of this in the US is the Comprehensive National Cyber Security Initiative, initially launched by George W. Bush, but supported by Barack Obama to this day, which helps to educate those new to technology about cyber security risks and also helps companies to establish a stronger defence against cyber threats.

It’s also important to factor in the human element – everyone makes mistakes, and increasingly, will be held personally accountable for them. Under vendor management, third parties are required to handle personal data, but to make this work regulations should be overseen by service providers, said Taylor.

Lastly, even if you’re using totally new technologies, remember that the law still applies to you. Bitcoin, mobile payments and wearables are all subject to regulations devised for older systems, so if you have concerns, it’s better to seek legal advice than to take the risk.
