After constructive discussions with legal experts and companies providing RegTech services, and based on our own experience in the FinTech industry, we've decided to write a detailed tutorial for FinTech startups and point out the most common mistakes that hold back growth. We will dive deeper into the issues that are crucial for launching successful, innovative FinTech products. To be precise, FinTech is an abbreviation of "financial technology": technology for designing and delivering financial services and products. The usual providers of such services are banks, insurers and traditional financial institutions. Why are there so many emerging FinTech startups nowadays?
Indeed, all of them try to smooth the payment process, tackle fraud, lower costs for customers and make financial services accessible to people who don't use traditional banking. Global FinTech investment has been growing each year; for comparison, in 2015 it grew by 75% (from $9.6 billion to $22.3 billion), and the trend continues to this day, which means a huge potential market. Top FinTech companies such as TransferWise, Lenddo, Revolut and Ripple have already transformed the way we transfer money.
What should financial tech companies take into account?
Let's start with compliance, because 3 out of 4 projects are blocked by difficulties in getting a license or proving the legitimacy of their business.
- Legal compliance in FinTech
The success of any FinTech company depends on resolving legal compliance problems in the country where it will operate. This is a crucial success factor for the Revolut app: they have a robust legal department that handles regulatory and compliance issues in 40 countries. There are lots of regulations for FinTech companies in Europe; the one that came into effect in Europe last year and can cause severe fines is the GDPR.
What can be treated as sensitive data under the GDPR:
- personal identity number
- IP address, cookies
- information about economic, cultural, physical or social status
So first and last names alone are not treated as sensitive data; they are, however, when connected with a personal email or phone number, since that combination gives access to your internet banking.
The main principle of these regulations is ensuring transparency for end users, who get:
- the right to obtain confirmation that their data is being processed
- the right to get a copy of their personal data
- the right to know the purpose of data processing, the data categories, the retention timelines and the recipients
- the right to object to data processing
FinTech startups that process sensitive data must pay prime attention to Art. 17 GDPR ("in certain circumstances"), which can lead to severe fines when:
- the data is no longer necessary for the purposes for which it was originally collected or processed
- the data is processed unlawfully
- the personal data is not deleted, as EU legal requirements demand, when the user requests it.
If your business operates in the EU and you are choosing a software development vendor, you want to be sure that this vendor will share responsibility for the security of your users' data; they should guarantee the following measures:
- take care of security before the data is processed
- assess the risks related to personal data at each stage of data processing
- implement technical and organizational measures of data protection
- inform the corresponding authorities within 72 hours about a data leak or possible vulnerabilities
Thus it is common practice for founders to engage third-party companies that provide an independent GDPR audit and point out the vulnerabilities that could cause data leakage or severe GDPR fines. Under the GDPR, penalties are split into two groups:
- serious violation (10 million euro fine or 2% of total turnover)
- insignificant violation (20 million euro fine or 4% of total turnover)
(however, it is not specified in detail what counts as a serious or an insignificant violation)
The most common mistake of FinTech startups is not informing the corresponding authorities and end users about a data leak within 72 hours. For instance, Mistertango (a popular FinTech startup from Latvia) was fined 61.5K EUR for failing to ensure data minimization, storage limitation and data security, and for violating the overarching principle of accountability. They also didn't inform the corresponding authorities in Latvia and their users about the data leak that had occurred. In the course of the investigation, the DPA established that a website listing payments processed by Mistertango, along with customer personal data, was openly available online for at least two days in July 2018. Mistertango failed to notify the DPA about this breach, in contravention of Article 33 of the GDPR.
GDPR vs. PSD2
- banks are responsible for providing Third Party Providers with access to account information
- if a bank refuses to provide such information, it could be treated as a violation of anti-monopoly legislation.
Note: here is what is needed if you operate under GDPR regulations:
+ Determination of the potential risks of data collection by the Client in case of a breach of the GDPR rules;
+ Identification of the purposes of data processing allowed under the GDPR rules.
+ Drafting and development of a template notification for persons whose data has been collected, informing them about such collection and processing. The notification will include information about the type of data being processed, the purposes of such processing, and the actions that will be taken with the data;
+ Drafting and development of the legal evidence of the lawfulness of data processing and proof of its safe storage;
+ The company's internal policy on data collection and processing in order to meet the GDPR requirements, including the process for handling data leakage incidents;
+ Data processing agreements between the Client and third parties, as well as between the data controller and the data processor;
+ Search for and negotiations with a Data Protection Officer (DPO). Development of a service agreement between the Client and the DPO, defining the responsibilities of the DPO;
+ AML/KYC due diligence counseling;
+ Assessment of AML/KYC requirements based on the Client's business model and corporate structure;
+ Advising on the establishment and maintenance of an internal AML/KYC policy, if necessary.
KYC / AML compliance
KYC law is an increasingly complex ruleset. Banks and financial service providers have to adhere to international anti-money laundering regulations as well as to local standards.
Thus there are many FinTech law firms (or your software development vendor may have a legal department with such expertise) that provide services for handling the high-profile matters of the day-to-day operation of FinTech businesses in compliance with the corresponding jurisdiction. Sometimes software development agencies partner with legal firms to provide such services, as preparing KYC/AML compliance documentation or GDPR declarations also requires close collaboration. The average price for developing such documentation ranges from $5-10K in Eastern Europe (Ukraine, Russia, Latvia) to $30-50K in Scandinavian countries or Western Europe, as lawyers prefer to work at an hourly rate instead of providing a fixed price for such services. Thus some quotations could be even higher.
In any case, even early-stage FinTechs are well advised to give regulatory compliance a high priority in their business development plan. They can also apply to large banking institutions, as these are also certified AML/KYC providers. A fascinating insight: the KYC provider Mt Pelerin is one of the certified providers. It means that they take full responsibility for legal proceedings and inconsistencies. While you are considering KYC providers, take into account that uncertified providers don't take responsibility if some discrepancies come up.
Assuring legal compliance for FinTech companies
Development of a new or improved risk-based AML/KYC compliance program and internal controls that incorporate international and local requirements, as well as best practices. This normally includes:
+ AML Compliance Policy Declarations. Includes recommendations on Anti-Money Laundering Compliance Policy Declarations, Ascertainment of Customer Identity, Transaction Monitoring, Internal Reporting of Unusual/Potentially Suspicious Transactions, Reporting of Unusual/Suspicious Transactions, Internal Security Measures and Record Keeping, etc.;
+ Terms of Service;
+ Cookies Policy;
+ API Terms of Service. Includes API use restrictions, information regarding data transmitted using the API, etc.;
+ Law Enforcement Requests Policy;
+ Risk Disclosure Statement;
+ Anti-Spam Policy;
+ Trademark Notices.
Take into account that lots of FinTech companies involved in crypto operations forget about the Data Protection Impact Assessment. The regulatory authorities in the EU consider such companies high-risk, so they could conduct an inspection, and you should be ready for that. The whole process is simplified if the FinTech company already has an audit report prepared by an authorized legal firm. This report is a summary produced after an audit of data collection and protection of end users. All this paperwork is also required for getting an EMI (Electronic Money License), which can take 2-4 months and cost 10-50K depending on the country.
Design thinking in FinTech
Design thinking is also an inevitable part of launching FinTech products; it can surface unmet needs of the people for whom you are creating them.
Design thinking is not just about improving usability. It helps think the product idea through together with a tech specialist, Lead UX designer, Product Owner and Marketing Expert.
What benefits can it bring to your FinTech product:
1. It reduces the risk associated with launching new ideas.
2. It generates solutions that are revolutionary, not just incremental.
3. It helps organizations learn faster.
4. It helps get users' feedback faster and prioritize the scope.
Based on the statistics of companies providing such a service, around 40% of the initial product functionality is modified after the design thinking session with the founders and expert team. Here is a list of the design thinking best practices we use:
- How-now-wow matrix: we prioritize and select your most innovative ideas
- Innovation blueprint: an overview of the key elements of an innovation activity. Identify clear roles and allow your activities to be compared.
- Persona: helps you visualize and better understand your customer segment. It is the starting point of your problem exploration journey.
- Pitching checklist: when you want to sell a killer business idea, your pitch needs to pack a punch. This 5-part checklist is the best way to make sure your pitch hits home.
- Fragment cards: document stories and observations uncovered during empathy sessions.
Each of these techniques can help to validate the idea with the expert team.
Why is design also so important?
Global statistics show that the number of users of internet banking on mobile devices is growing significantly each year: compare 27% in 2017 with 43% in 2018.
Around 23 billion apps are launched each year globally. However, smartphone users install a new app only every 4-5 months. It means that it is getting harder to attract new users and gain their trust. FinTech is a domain where usability, simplicity of use and an authentic relationship with end users are crucial for growth.
Take a look at the diagram reflecting the percentage of comments related to Design Look.