For the first time, Who’s Who Legal brings together Rasmus Mandøe Jensen at Plesner, Joan Carette at Osborne Clarke, Adrian Ang at Allen & Gledhill, Angela Itzikowitz at ENSafrica and Charles Morgan, Laure Fouin and Ana Badour of McCarthy Tétrault to discuss some of the most important issues facing fintech lawyers and their clients today, including regulatory developments, investor interest in the sector and the threat of cyberattacks.
Rasmus Mandøe Jensen: Among the biggest commercial developments on the Danish fintech scene lately is the decision by the banks supporting payment initiation service Swipp to abandon the project and (for most of them) join the rival service MobilePay, created by Danske Bank.
On the legal side, I would mention first the adoption of the PSD2 implementing legislation in Denmark which will, inter alia, loosen previously very strict national rules on the use of payment data. Second, the recent establishment of a dedicated fintech policy and team, as well as a regulatory sandbox, with the Danish Financial Supervisory Authority is worth noting and will hopefully pave the way for even better interaction between the industry and the regulator in the coming years.
Joan Carette: It has been a busy year for the fintech sector in Belgium, with a lot of interest for disruptive technologies such as blockchain or robo-advisory. In the payments sector, both fintechs and traditional actors are currently looking into the new opportunities (and challenges) that PSD2 offers in terms of access to accounts (payment initiation service and account information service). In 2017 we have also seen the launch of itsme, an innovative solution for mobile identification and authentication developed by four banks and three mobile network operators.
Finally to be noted is the Belgian law on crowdfunding, adopted at the end of 2016, which created a legal framework for crowdfunding platforms and led to the registration of several platforms with the Belgian regulator.
Adrian Ang: Over the course of the past two years, the Singaporean government and related statutory boards have identified fintech as a potential growth area for the Singaporean economy. Following on from this, a not-insignificant amount of resources has been channelled into the space. By way of example, in August 2015, the Monetary Authority of Singapore (MAS) formed a financial technology and innovation group within the MAS to drive such initiatives. In addition, Singapore offers an open-banking platform via application programming interfaces (APIs) for faster innovation and integration of new and legacy IT systems within the sector. The MAS also launched a “sandbox” as a safe space for fintech companies to experiment and roll out innovative products and solutions within controlled boundaries and the financial sector technology and innovation scheme to support the creation of a vibrant ecosystem for innovation.
Angela Itzikowitz: At least half the fintech start-ups in South Africa provide payments and money transfer services (eg, Pay Secure Payment, VCPay, Sureswipe, Yoco Technologies, Maxicash, SnapScan, Entersekt and Makuru). The remainder of the market is roughly divided between trading investment and crowdfunding (eg, Wealth Migrate, EasyEquities, Livestock Wealth and StockFella); blockchain and bitcoin (eg, iceCUBED X, Bitsure and Bankmoon); lending and financing (eg, Jumo, Mobicred, Rainfin, LulaLend and Merchant Capital); and retail banking services (eg, 22seven, Luminous, Curve and Moneysmart). A number of South African companies accept bitcoin, including: Audico, which sells audio-visual equipment; Cape Coffee Beans which sells coffee, grinders and coffee machines; and Takealot, one of South Africa’s largest e-commerce retailers. There are no official statistics or metrics available to illustrate the volume of activity for any of the relevant activities referred to above.
Charles Morgan, Laure Fouin and Ana Badour: In February 2017, the Canadian Securities Administrators (CSA) launched a regulatory sandbox (the CSA sandbox) to support fintech businesses seeking to offer innovative products, services and applications. The CSA Sandbox allows firms to obtain exemptive relief from certain securities law requirements that may impede their innovative business models, provided that investor protection is not compromised. In August 2017, the CSA Sandbox granted Impak Finance an exemption from the dealer registration and prospectus requirements; and in October 2017, it granted Token Funder an exemption from dealer registration requirements, thereby approving two initial token offerings in Canada.
On 7 July 2017, the Department of Finance of Canada published a consultation paper, “A New Retail Payments Oversight Framework”, which proposes a federal oversight framework for retail payments. Key elements of the proposed oversight framework include broadening its scope, registration of payment service providers, end-user fund safeguarding measures, security and operational principles, disclosure requirements, third-party dispute resolution, liability for unauthorised transactions, promotion of awareness and compliance with privacy laws, being principles-based, with tiering of measures and recognition of equivalent requirements under other legislative frameworks.
In August 2017, the CSA released CSA Staff Notice 46-307, “Cryptocurrency Offerings”, weighing in on the applicability of Canadian securities laws to cryptocurrencies, including coins and tokens. Substantially, it asserted that Canadian securities laws and regulations apply irrespective of technology.
On 11 August 2017, the Department of Finance Canada published its second consultation paper on the review of the federal financial sector legislative and regulatory framework: “Potential Policy Measures to Support a Strong and Growing Economy: Positioning Canada’s Financial Sector for the Future”. While the first consultation paper, published in August 2016, identified certain trends and sought input on stability, efficiency and utility, the second seeks input on more detailed policy measures and potential directions, including specific potential changes to the federal financial institution statutes. The issues identified by the Department of Finance consist of supporting a competitive and innovative sector; improving the protection of bank consumers; modernising the framework; and safeguarding a stable and resilient sector.
The Bank of Canada experimented testing the viability of distributed ledger technology (DLT) as the basis for a wholesale payment system with Project Jasper, which was launched in March 2016. Two phases of Project Jasper have been completed so far with Phase 1 using the Ethereum platform as the basis for the DLT and Phase 2 using the custom-designed R3 Corda platform. The third phase of Project Jaspar, announced on 17 October 2017, will create a proof of concept for the clearing and settling of securities by means of the central bank cash-on-ledger model.
Rasmus Mandøe Jensen: The uncertainty around the RTS on secure communication; the availability of screen scraping as a fallback; and, generally, the open discord between the EBA and the Commission on these issues continue to be a significant legal risk factor in payments.
While smart contract-related and DAO projects are still relatively nascent, it is already becoming clear that widespread adoption of this technology across the financial sector and beyond will suffer in the absence of a sui generis legal framework addressing the multitude of legal issues relating to smart contract use – especially in a cross-border context – such as legal capacity, choice of law/jurisdiction, standing to represent a DAO, enforcement, amendment/interpretation of terms, etc.
More generally, there continues to be a significant task in educating regulators on fintech business models – but on the other hand, also in fintechs becoming perhaps more realistic about the extent of their regulatory footprint and the legal complexity of operating a regulated business.
Finally, while not in itself a regulatory challenge, the difficulty many fintechs across Europe seem to experience in achieving scale of operations after they go live means that some of them will struggle to generate the revenue needed to support expensive internal regulatory and compliance functions.
Joan Carette: Regulations such as GDPR, PSD2, the Belgian law on crowdfunding and AMLD4 have proved to be challenging for fintechs. However, I believe that the biggest challenge for the sector is not one or two particular laws, but the combination of all of those – making it difficult for fintechs to find their way in, and keep track of, the applicable regulation. As fintechs gain market shares, the regulator’s scrutiny on them will most likely increase, as will the amount of regulation applicable to them.
Adrian Ang: Thematically, I believe that the biggest regulatory challenges facing the industry are: first, a lack of understanding of the legal and regulatory issues that surround the roll-out of a fintech product or service; and second, laws and regulations that were enacted in the past and that may not be readily applicable to the fintech industry.
In relation to the first of these challenges, I have come across many instances where a fintech company may be at its final stages of roll-out but has not considered licensing or related regulatory issues (that may be triggered by its product or service). This often results in a delay in the operationalisation of the product or service as a licence (if required) may take some time to obtain. I have been vocal on this issue and very active in running and participating in talks, seminars and workshops to bring attention to the issue. I believe that sufficient time must be allocated to ironing out a fintech company’s licensing and regulatory issues prior to roll-out.
In relation to the second challenge cited above, it is often the case that a number of different laws and regulations may be applicable to a particular fintech product or service. This may prove to be cumbersome to navigate and confusing in terms of differing requirements that may apply. The MAS is aware of the issue and has said in the context of payment systems that:With technological advancements and the advent of fintech, the lines between payment systems, SVFs, and remittances are blurring rapidly. This is especially striking for remittance, which has traditionally accepted cash at a physical storefront but where a fintech company could allow customers to fund payments through a SVF or directly from a bank account.More generally, the payments ecosystem, consisting of banks, merchant acquirers, processors, and other payment service providers, is also becoming more complex and integrated. A single payment service provider may acquire transactions for multiple payment systems, and simultaneously offer SVFs to customers. The provider could also decide to leverage on its customer base to offer cross-border remittances or facilitate online payments to overseas merchants.While technological advancements have made for a more convenient and seamless payments experience for users, new risks are also emerging. Payment service providers around the world have been subject to cyber-attacks, leaving users vulnerable to personal data leaks. The increasing complexity and globalisation of the payments ecosystem have also led to reduced transparency for the user, as various fees and foreign exchange charges could be embedded into users’ statements with minimal explanation prior to the purchase.A more calibrated regulatory regime, applied on an activity basis to payment service providers, rather than specific payment systems, would allow MAS to better address specific issues such as consumer protection, access and corporate governance. It would also give MAS the flexibility to address emerging risks such as cyber security, interoperability, technology, and money laundering and terrorism financing. It is envisioned that activity-based regulation of payment service providers would build public confidence and encourage the use of electronic payments.
Following on from the above, in August 2016 the MAS has consulted on the above issue in its Consultation paper on Proposed Activity-based Payments Framework and Establishment of a National Payments Council.
Angela Itzikowitz: There is currently no specific regulatory regime for the regulation of fintech activities or fintech innovators. Fintech innovators are obliged to comply with existing financial market and consumer protection legislation, such as the Banks Act, Credit and National Payment System regulation. Financial markets are tightly regulated in South Africa and, while such regulation is necessary to protect consumers and the sector from systemic risk, it does create high and sometimes insurmountable barriers to entry for fintech innovators. While the regulators such as the South African Reserve Bank (SARB) (the central bank) and the Financial Services Board (FSB) are open to discussion with these innovators and are giving serious thought to the regulatory challenges posed by fintech, they have been slow to adapt or amend the relevant laws to embrace fintech. Unlike in other jurisdictions (such as the UK, Australia, Malaysia, Hong Kong and Singapore), neither the SARB nor the FSB has to date created “regulatory sandboxes” for these companies. From an anti-money laundering perspective, fintech poses novel and increased risks and the SARB and Financial Intelligence Centre (FIC) have adopted a very cautious approach to non-face-to-face fintech KYC methods.
Virtual currencies such as bitcoin are not regarded as legal tender by the SARB but the SARB is exploring cryptocurrencies and blockchain, and is interested in innovations that may stem from its development. Recently a number of South African banks have pushed ahead with plans to test blockchain applications in a partnership that has drawn support from the SARB and FSB.
Charles Morgan, Laure Fouin and Ana Badour: Typically, laws and regulations apply irrespective of technology used, it is “technology neutral”, as the CSA Staff Notice 46-307 Cryptocurrency Offerings reaffirmed. Initial coin offerings, initial token offerings, the use of distributed ledger technology and even certain use of artificial intelligence/machine learning may be limited by such securities laws and regulations, unless the CSA Sandbox grants exemptions.
Canadian banks and insurance companies are still navigating the extent to which they can get involved in fintech and the conditions under which they can partner, create joint ventures, co-invest with fintechs or acquire fintechs. Similarly, fintechs are still assessing the activities that can be carried out by entities that are not banks of insurance companies. Future interpretation and OSFI’s guidance will be primordial in circumscribing the respective roles/place of Canadian banks, insurance companies’, fintechs (including major technology players) in the Canadian industry.
Rasmus Mandøe Jensen: Much of the VC attention has so far been focused on payments and more recently blockchain. With payments already a relatively mature fintech segment and blockchain perhaps on the verge of entering the “trough of disillusionment” (or just becoming more aware of the huge challenges still ahead before that technology is ready for widespread adoption), it is not obvious that the historical strong growth in VC investment will continue in the short term.
On the other hand, there are also events (or potential events) on the horizon which could easily de-risk projects/business models prompting appetite among VCs for another surge in fintech investment. Some of these events would include: proof of concept of truly large/global-scale blockchains; removal of some of the technical uncertainties related to PSD2 and in particular third-party access; the upcoming transposition deadline of MiFID II and entry into force of MiFIR, and 4ALMD and 5ALMD, particularly for reg-tech.
Joan Carette: The sector still seems to be growing and there are no indications for the moment that the investment in fintechs will slow down in the near future.
Adrian Ang: I believe that the investor interest in the sector will continue to grow but the quantum of such investments will likely change. As things stand, I believe that the fintech industry has just passed the “proof of concept” stage in terms of the products and services that are being offered. As such, many venture capital firms spread their investments widely (among a fairly broad spectrum of fintech companies) with a lower quantum per investment. As the fintech sector matures, stronger fintech companies will emerge and weaker ones will either fold or be subsumed by their competitors. Following on from this, I believe that the nature of venture capital investments in Singapore will become more targeted, with a potential increase in the quantum of investment.
Angela Itzikowitz: Venture capital and private equity firms are on the rise and I do not foresee a downturn in investment going forward. Government grant funding and soft loans by private companies to employment equity-compliant fintechs are other avenues for capital raising.
Charles Morgan, Laure Fouin and Ana Badour: We think that investor interest in the sector will continue to grow for several reasons.
First, venture capital investments in general will continue to grow, with interest rates remaining low while private companies’ valuation remain attractive.
Second, the fintech sector has substantially gained in momentum and credibility with the creation of institutional fintech funds, such as the fund announced on 10 October 2017 by La Caisse and Mouvement Desjardins who will jointly invest $50 million, in addition to PowerCorp’s Portag3, which was announced on 17 October 2016.
Third, international technology and fintech powerhouses (Facebook, Samsung, IBM, Google, Microsoft) have invested in fintech-related research initiatives (more particularly artificial intelligence) with Canadian universities (University of Montreal, McGill University).
Fourth, the government of Canada announced on 22 March 2017 that it will be funding $125 million for the creation of a Pan-Canadian Artificial Intelligence Strategy for research and talent, which will be administered by the Canadian Institute for Advanced research.
Finally, all of the aforementioned translates to very substantial funds currently committed to investing in Canadian fintechs needing to be invested.
Rasmus Mandøe Jensen: Fintech in general is probably no more (or less) exposed to cyber risks than incumbent firms, but there are clearly specific sectors within fintech where cyber risks are – or are perceived by society in general to be – significant.
As one example, the unfortunate case of the DAO has illustrated the yet unsolved conflict between the immutability of a blockchain – one of its celebrated core strengths – and the security risks stemming from any flaw in the code underpinning that blockchain or the smart contract put on a blockchain.
Another example is all things cryptocurrency-related, which – to a wide extent, wrongly – continue in the general public and at the political level to be viewed as inextricably linked to serious AML/CTF concerns.
A final example would be third-party payment service providers where there is, particularly on the incumbent and consumer sides of the market, an apprehension about whether such third-party providers’ own systems or their communications interface with account servicing payment service providers will increase the level of cyber risks in the payments system.
Joan Carette: Cybercrime and cyberattacks are indeed a threat, but fintech entities seem to be aware of those. Their structure and way of working may also be an advantage for addressing those issues, as they may be more agile, creative and flexible in their reactions than traditional actors.
Adrian Ang: Yes, I believe that this poses a significant threat to the fintech industry. This concern has not gone unnoticed by the authorities. I note that the Ministry of Communications and Information and the Cyber Security Agency of Singapore (CSA) have issued a public consultation paper on the Draft Cybersecurity Bill, noting:Cybersecurity is especially essential for Singapore, as we are a small and highly connected nation. As we become more dependent on info-communications technology in our daily lives, cybersecurity has taken on a much greater significance to our society…. Singapore has consistently taken cybersecurity threats seriously and developed timely responses.
The Bill has four objectives: to provide a framework for the regulation of CII, which formalises the duties of critical information infrastructure (CII) owners in ensuring the cybersecurity of their respective CIIs; to provide the CSA with powers to manage and respond to cybersecurity threats and incidents; to establish a framework for the sharing of cybersecurity information with and by the CSA, and the protection of such information; and to establish a light-touch licensing framework for cybersecurity service providers.
Angela Itzikowitz: The growth of fintech creates opportunities for cybercrime in the same way any growing industry creates opportunity for abuse. Although digital currencies have been hacked, I do not think cybercrime poses a significant threat to the growth of the fintech industry and there are very effective means of securing fintech systems. The Cybercrimes and Cybersecurity Bill is one of a set of laws that aim to regulate the ever-expanding online economy and cyber related crimes. Given the number and value of fintech transactions that take place every day, incidences of cyber crime are in fact proportionately low. It is therefore not something that I believe will stifle the growth of the fintech industry.
Charles Morgan, Laure Fouin and Ana Badour: Credibility and public perception remain a concern for fintechs and, for every cybercrime or cyberattack that occurs, all the successful attempts to make technology-driven tools more secure that non-technology-driven tools disappear. The fintech industry must cope with the fact that there is a generalised lack of trust in the public and that the assumption, no matter how it may be repealed by facts, is that technology is less safe than “business as usual”. Fintechs are largely about the collection and use of sensitive personal data. For this reason, they likely are, and will remain, prime targets for hackers, and so they will have to be particularly cautious.
In addition, like many start-ups, fintechs will often rely on “open source” code to reduce coding costs, which means that they may face incremental security risk. For example, whereas licensors of proprietary code will typically “push” security fixes to their licensees; licensees who have integrated open source code in their works will have to actively “pull” security patches if, and when, made available.
Rasmus Mandøe Jensen: We expect to see a continuous maturation of the sector and an increasing number of fintechs going from the development/proof of concept phases to full-scale operations. We also consider there to be a good chance that regtech – centred around issues such as AML and GDPR compliance – will grow very significantly.
In payments we are obviously expecting the effects of PSD2 and third-party providers to be felt, but in the domestic market we see some uncertainty about the speed of penetration of account-to-account products and third-party providers in general. This is due to the continued popularity of the domestic debit card scheme Dankort, and also the national rules regarding use of payment data, which may make it difficult for some third parties to realise the full potential of value-add business models
Joan Carette: In my opinion, we can expect to see more and more cooperation between fintechs and the traditional actors (such as banks or insurance companies). This cooperative model is already applied today in Belgium, where we have seen banks partnering with fintechs to offer disruptive services on the market. This cooperation will probably increase with the emergence of regtech entities, which offer innovative solutions to address compliance issues that traditional actors are facing.
Adrian Ang: When we first started advising on fintech-related matters, many of the fintech companies were not looking to be licensed and wanted to structure their product or service to rely on available licensing exemptions. Subsequently, as certain models of fintech products and services became more common (eg, peer-to-peer lending and equity crowdfunding models), the MAS provided greater guidance on the regulatory treatment of these models. Following on from this, there was a shift towards fintech companies seeking to be licensed. I believe that the current models of fintech companies will probably persist but the manner in which they will be operationalised will change. In this respect, I believe that many of these models will utilise blockchain technology in their products or services. You will also likely see other models that leverage off blockchain technology appear in the market (eg, tokenised assets).
Angela Itzikowitz: Fintech products will become more accessible and will enable even greater financial inclusion and mobile payments will be on the rise. The development of new products and software will simplify the use of fintech and facilitate integration with established retail banking systems as an accepted means of transacting. New technology will lead to improvement in customer service and a fall in cost of fees. Blockchain technology will be used widely across the financial industry. Blockchain has a number of potential adaptions and uses outside of virtual currencies and we expect to see a number of these offerings enter the market in the next few years.
Charles Morgan, Laure Fouin and Ana Badour: We expect the sector to gain in maturity, with each player being at a more mature stage, and players generally being bigger. We also expect institutional investors, banks and insurance companies, but also technology companies and other big-tech (such as Amazon, Apple, Windows, Google, etc) to become more and more involved in the space, and to see growing collaboration, co-investments and joint ventures between fintechs and these other players.