‘Compliance’ is the watchword in financial services, perhaps more now than ever. With new rules and regulations being introduced across Europe, most notably 4MLD, MiFID II, PSD2 and GDPR, Heads of Compliance across multiple industry verticals are now under major pressure to ensure their processes and procedures are up to date, adequate and compliant.
Those attempting to outplay this line of regulation, risk substantial regulatory penalties, along with severe reputational damage that could turn away investors and potentially result in a detrimental, even terminal, decline in business.
This huge focus on compliance has been particularly felt within the FinTech arena, and a direct result of the increasing regulatory scrutiny of financial firms, by partners, investors and regulators alike, in the post-financial crisis era. This has also been accompanied by increased complexity within specific sectors and associated regulatory frameworks. PSD2 and GDPR anyone?
In this heavily scrutinised industry, the reality is that most FinTech businesses may not be here today but for effective compliance auditing.
Here are three reasons why:
Despite anecdotal evidence to the contrary, not all banks want to steer away from FinTechs. Often the trouble is that the FinTech firm, or the people behind it, have no track record upon which the bank can rely or take comfort. Banks may look to an external review or audit as a means of assurance that the FinTech is up to muster, and an acceptable risk as a customer. Respected compliance consultants may still identify issues as part of an audit but, with an appropriate mitigation action plan, the bank may still be interested in establishing a relationship with the FinTech.
Banks are not necessarily looking for a clean sheet, although that might be preferable! Any issues picked up as part of the audit should be accompanied with remedial action to achieve compliance with the relevant legislation. The banks are looking to reduce their exposure to risk as far as possible and will want to see that the FinTech has at least a plan to achieve compliance; a compliant firm is clearly a better risk that a non-compliant firm.
In the payments space, authorised payment institutions and electronic money institutions will need a ‘safeguarding’ account with a credit institution before they will be able to be authorised. No safeguarding account, no licence. Immediately, the ability to obtain such an account will be critical to the FinTech’s ability to operate that business model. Similarly, a FinTech will also need a business account to function. Here though, there are more options available to the FinTech, with challenger banks entering the market and electronic money institutions offering alternatives to the traditional bank account.
For the sake of clarity, compliance audits are not required to be submitted to the FCA as part of an application for authorisation. The FCA will look at the information provided by the firm itself, rather than the content of any audit or review undertaken on the firm. However, a pre-application ‘audit’ may identify to the firm any risks or issues that might be picked up by the FCA as part of its assessment of the information provided in the application, allowing them to address these before submission of the application. More obviously, audits can assist in providing the firm with assurance that, once authorisation has been granted, the firm is complying with its obligations under the relevant legislation. Such audits can be as broad or narrow as the firm requires.
FinTech firms that are operating, or wish to operate, within the regulatory perimeter will need to be authorised or registered to do so. Failure to apply to and gain approval from the FCA may mean that the firm is unable to continue to carry on that business. This could result in reputational damage and lost investment opportunities, or even failure of the business. FinTech is always in a hurry, but firms should not be in a rush to submit an incomplete application to the FCA as it will simply delay the application; if you can’t answer all the questions or provide all the information, don’t submit. As a recent ‘ex-regulator’, with particular focus on payment services and FinTech firms, this is an area where I can speak with some authority!
Investors are always looking for the potential for a return on their investment but, at the very least, that they don’t lose money. As we have seen, failure to become authorised by the FCA or secure a banking partner, may critically impact the FinTech’s business model. Investors look to each as key indications of risk inherent in an investment proposition. Without external investment, the business is likely to wither and die.
Where a FinTech can demonstrate it has FCA approval and support from a banking partner, the compliance audit may yet provide that vital additional assurance to a potential investor to give it extra comfort and assurance to commit to that investment. The independence of the audit provides added value on top of the FinTech’s regulatory status. Indeed, the breadth of the FCA’s regulatory scope, with over 56,000 firms subject to its oversight means that very few smaller firms, as many FinTechs will be, will ever ‘enjoy’ an actual on-site visit from the regulator (although I understand that the FCA’s new Payments Supervision Department is beginning to mobilise and has commenced an ‘engagement’ programme of visits to existing payments and e-money firms to better understand the sector). Comfort can therefore be gained from an independent external audit and be the difference between a thriving business and a dying business.
If you would like any help to understand how an audit may help your business, please get in touch. Or join us at our client briefing on the information demands of PSD2 and GDPR.