The complexity and uncertainty of law and regulation pose challenges for FinTechs and other startups in the financial services sector. Early stage FinTechs may structure their business to keep outside the relevant regulatory perimeter, but over time many find themselves within it, and subject to some form of regulation. Even outside the regulatory perimeter, certain regulations can apply to those operating in the financial services arena. Uncertainty over the precise scope of regulation creates further challenges. One way or another, most FinTechs need to engage with the regulatory system, which brings with it risks and costs.

In response, startups must:

  • understand the impact of regulation on their business, including those areas of uncertainty;
  • develop an approach for engaging with the regulators;
  • establish legal and compliance functions that define and implement a controls framework that meets regulatory requirements; and 
  • implement a governance structure to ensure effective senior management oversight of regulatory compliance.

Assessing the impact

This can be expensive. Startups, naturally, are focused on developing their business model. Founders, management and funders are focused on financial performance. Funds are limited and the desire is to deploy scarce resources, financial and otherwise, on business generation and growth. Nonetheless, the risks of getting compliance wrong — in terms of regulatory enforcement, financial and other sanctions, and reputational damage – are too great to ignore. Early investment in legal and regulatory compliance, in the necessary people, structures, processes and procedures, is money well spent. 

Legal uncertainty is a recurrent challenge for startups. Business innovation runs ahead of the law. Crypto is one area where companies are creating, distributing and growing products in a new and fast evolving arena. Is the crypto instrument under consideration regulated and, if so, by which agency? Is it a security? Can it be sold to the public? Unsurprisingly, it takes time for lawmakers and regulators to respond, and they respond in different ways in different jurisdictions. In the meantime the gaps need to be filled by interpreting the existing law, as best one can. The UK, EU and US approach crypto regulation differently and startups must be sensitive to uncertainties in the places they operate. A lack of regulation, where it exists, may be useful, giving startups freedom to grow in a regulation-free environment. However, this is likely to be a temporary reprieve. The regulation of crypto is inevitable. The question is simply: when and to what extent.

In response, it is critical for startups to engage with the detail of current law and regulation, to understand its existing scope, the gaps and how law and regulation will likely evolve. Working with internal and external lawyers is the most effective way to address this challenge. Working with the right experts can help startups navigate the areas of uncertainty and find opportunities for business growth. Startups may also want to develop a regulatory affairs capability able to engage with lawmakers and regulators as regulation develops. 

Engaging with the regulators

Startups, crypto or otherwise, will find themselves under increasing regulatory scrutiny as they progress their operations. It is vital to engage, where appropriate, with the regulators in a thoughtful manner. A topical area of concern in the current environment is sanctions compliance. Within the last couple of years, the UK’s Office of Financial Sanctions Implementation has fined FinTechs for violations of sanctions law. The Russia/Ukraine war and related sanctions will likely trigger an increase in enforcement. 

The importance of credible legal and compliance functions

The challenge of compliance with anti-money laundering rules is an area of perennial concern for startups. The UK Financial Conduct Authority has been made responsible for registering for AML purposes entities undertaking crypto-asset activities but which are otherwise not regulated. FCA has been scathing about the poor quality of current compliance.

Operational resilience is therefore a topic of interest for the FCA encompassing, among other things, cyber security. The FCA’s operational resilience requirements, similar to those in the EU, will capture regulated entities. They may also ensnare non-regulated entities providing services to regulated entities. This is one area where startups may be caught even if they have arranged their business to remain outside the regulatory perimeter.

The UK’s introduction of a new “consumer duty” is yet another area where regulatory developments may catch startups even in their early stages, and where compliance processes will need to be sophisticated. The FCA is casting its net widely, potentially to capture all participants in the process of product development and distribution, even if the particular entity does not deal directly with consumers.

This means that, in order to respond to the host of challenges posed by regulatory compliance, startups must develop a robust and effective compliance controls framework. This requires the establishment of standalone legal and compliance functions, staffed by skilled, experienced professionals. It requires the production of policies, processes and procedures across all relevant areas and the training of front office staff. It requires investment in IT systems (often an area of strength for FinTechs) to effect surveillance and similar tasks. Startups must implement governance structures to ensure effective senior management oversight of the compliance controls framework. This will involve a clear articulation of management roles and responsibilities, clarity as to how management should carry out their responsibilities, and a coherent committee structure.

Senior management involvement

The demands outlined are very similar to those expected of much more established financial institutions. Understandably, startups may recoil at the imposition of what feels like a cumbersome bureaucracy, the very antithesis of the small, nimble startup. Such a reaction is understandable but overdone. Startups often plead for the imposition of regulation to be proportionate to their size and maturity, and it may be that regulators show some forbearance. It is important however to work with internal and external legal and compliance advisors to ensure that the compliance framework implemented meets legal requirements without becoming overly complicated or overly dependent on a box ticking exercise. Lawyers can be instrumental in producing an appropriate, effective and efficient compliance framework. The responsibility for having appropriate arrangements ultimately resides with senior management, and is seen by the regulators as resting with them even where they have appointed specialist help. The costs of getting compliance wrong are too great to ignore and are potentially fatal. It is essential that senior managers in startups grapple with the challenges of developing a compliance controls framework that allows them to continue their development and growth journey without significant risk of enforcement.