Introduction to Vector View
We are excited to introduce the first edition of Vector View, a periodic newsletter which will provide insights on some of the priority issues for the fintech industry, upcoming events and other matters of interest. In this edition, Bryan Mulcahey breaks down the importance of the role of the Chief Compliance Officer (CCO), Amy Friend provides insight into the OCC’s pilot program for innovation, David Cotney outlines what FinCEN’s innovation office is doing, and John Collins explains what Travel Rule reform is and what may happen in the near future.
With FS Vector’s first anniversary around the corner, it is a good time to reflect on why we started the firm. Our goal was to fill a critical gap by building an advisory firm focused on helping fintech companies grow in an evolving marketplace that is faced with an uncertain regulatory landscape. We have been privileged to work with a wide variety of fintech companies focused on providing better products to consumers, including payments, credit, wealth management, and blockchain related services. Our clients range from early stage start-ups to large global institutions.
We are often asked what type of services FS Vector provides. It can best be explained in three categories. First, we help these businesses comply with relevant laws and regulations through analysis, licensing, building risk management programs and implementing regtech tools. Second, we advocate for firms through our public policy efforts which includes education and lobbying for clear regulatory frameworks that allow technology to thrive. Finally, we partner with businesses to help them grow and expand capabilities as a strategic advisor on regulatory, operations, governance, investment and partnership matters. We have built a strong senior team with unparalleled expertise to oversee these functions.
Based on client demand, we are pleased to highlight two service offerings. As the OCC recently stated, hiring and retaining compliance staff is a big risk for financial firms. We have developed a Compliance Officer Services Program that will provide support for the compliance function through outsourced/interim CCO services, training/coaching of compliance staff and support for building and enhancing risk management programs. Related to the goal of building strong compliance programs, we are hosting the first in a series of training sessions for fintech compliance. The Regulatory and Fintech Training (RAFT) bootcamp will be a two-day session that will take place in San Francisco on September 26-27.
Challenging and exciting times are ahead. We look forward to continuing to be part of these changes.
A FinTech Dilemma: The Chief Compliance Officer
Almost all fintech companies have debated the need for a Chief Compliance Officer (“CCO”) by asking questions, such as:
Can one of our existing employees serve as the CCO?
When do we need to have an experienced CCO in place?
What are the right qualifications?
Can we afford and find such a qualified person?
Should we consider a part-time or outsourced CCO?
Companies offering innovative products, especially those in fintech, are finding that answering these questions and recruiting the right person, particularly in this tight labor market, is a difficult and frustrating process. Furthermore, many companies find that hiring a qualified CCO who understands the business and fits with the existing team is going to come at a significant expense that may frustrate the objectives of a growing business. Below, we summarize a few thoughts on why, when, and how to bring on a CCO that fits the company’s size and risk-profile.
Why do we need a dedicated and experienced CCO?
The CCO oversees all of a company’s compliance related functions, including the policies, procedures, processes, and technology that enable compliance with the industry’s regulatory framework. In addition, the CCO manages licensing, regulatory examinations, regulatory reporting, compliance training, and audits. Depending on the business model, the compliance program may need to cover a range of compliance areas, including anti-money laundering (“AML”), sanctions, customer protection laws, and information security. An inexperienced resource, or one that is dividing their time between business and compliance responsibilities, is likely to spend an unreasonable amount of time learning the subject and managing the compliance process. Ultimately, a resource dividing their time will need to forego their business responsibilities to manage the compliance workload on a full-time basis. More important, compliance requirements may conflict with business and revenue objectives. A dedicated compliance officer is necessary to ensure independence and a culture of compliance.
In addition, regulators, bank partners, and other partners such as law firms, RegTech vendors, and other associated businesses may be hesitant to engage with a company that does not have an experienced and dedicated counterpart in place to work with them and manage these processes and relationships.
Lastly, the CCO must stay abreast of any regulatory changes that might threaten the business model. Maintaining a dedicated CCO helps manage emerging risks and can bring them to the attention of senior management, the board of directors, and other stakeholders in a timely fashion and at regular intervals.
When to bring on a CCO?
Once the need for a dedicated CCO is identified, the next question is when the CCO must be in place. Although some licensing regimes and bank partners require a CCO before the company can commence a desired activity, there is otherwise no uniform date or deadline. However, for highly regulated industries, such as financial services, there are a few benchmarks that are useful when considering the appropriate time to bring on a CCO, including:
Fundraising: The fundraising stage serves as a good benchmark. First, as a practical matter, it may signal the ability to pay a compliance officer. Equally important, many FinTech investors who understand the regulatory climate will be keen to understand how a new company will be licensed and how it plans to comply with relevant regulations. Therefore, we generally recommend seeking a CCO around the time of a series A round of investment but almost always before a series B round.
Operations: The onset of operations is also a good benchmark. Commencement of formal operations and marketing of a product to the public often initiates compliance obligations. In this regard, it may be sound to conduct alpha and beta testing without a CCO, but the company will want to make sure that compliance is in order before go-live. As mentioned above, a company may need a CCO to assist with obtaining licenses and establishing a bank partnership. If not, the onset of licensing and bank partnerships are still useful benchmarks for when to hire a CCO, as further described below:
Licensing: The licensing process can be very time consuming. For example, obtaining money transmission licenses in nearly every state is a tremendous undertaking, even with the help of an external advisor, such as a law firm or consulting firm. The CCO can help manage not only the license filing process but also ongoing compliance obligations and communication with external parties, such as regulators, examiners, auditors, and external advisors.
Bank Partnership: Establishing a bank partnership can be a lengthy and time-consuming process but may be a necessity for conducting business. For example, the bank will request compliance-related documentation, such as an AML and sanctions policy, among many others. In addition, the bank will expect the company to maintain a framework of personnel and controls to promote ongoing compliance. Throughout the course of a relationship with a bank, there will be many interactions, site-visits, and document requests to manage. Thus, even if a CCO is not explicitly required as part of the relationship, a dedicated CCO will assist the company in fostering a healthy bank partnership.
In many cases, it is unlikely that the ideal point in time to hire a CCO using the fundraising benchmark will align with the ideal point of time using the operations benchmark. Therefore, we combined the two strategies in the table below and provide our recommendations for the best time to bring on a CCO.
How to select a CCO?
The CCO must have the requisite experience and seniority to satisfy the demands of regulators, bank partners, and investors. The required experience depends heavily on the business model and related compliance requirements. We generally recommend seeking someone with at least 10 years of relevant experience. It is important to remember that compliance is not “one size fits all,” and a firm should find a CCO that has the right experience and knowledge for the firm’s compliance efforts.
Qualified fintech CCOs are currently in high demand and are likely to come at a steep cost (e.g., $200,000-$300,000 for salary, bonus, benefits, etc.). In addition, it may take 6-12 months for an organization to identify and hire a full-time CCO if they are putting out feelers into the market and fintech community to let them know the company is seeking a CCO. There are also many recruiting firms that will assist with placing a CCO, but these firms are an additional cost and they may not understand the company’s particular compliance needs, thus risking a poor fit.
If the company is not yet in a position to hire a full-time CCO, there are a few options:
Outsourced CCO Service: We often recommend that clients use an outsourced CCO service as an interim solution until they are approximately 8-12 months post go-live, at which point a full-time CCO is likely justifiable from both a cost and proof of concept perspective. Outsourced CCOs often provide the requisite experience, industry contacts and relationships, and technical understanding needed to satisfy the company’s expectations, as well as those of regulators, bank partners, and investors. Companies offering outsourced CCO services often provide flexible pricing and staffing arrangements to accommodate changes in demand for their services.
Part-time CCO: Another option is to hire a qualified CCO part-time until the company can bring the individual on full-time. However, in such a tight labor market, it is difficult to identify and hire a quality CCO for a part-time role. Candidates willing to accept these positions should be highly vetted. In addition, part-time CCOs may take on additional part-time roles but often lack the staffing support to accommodate changes in workload, thus risking delays.
The OCC’s Journey Towards Innovation
Beginning in 2015, as chief counsel and member of the Executive Committee of the Office of the Comptroller of the Currency (OCC), I led a team that developed the agency’s initiative to support responsible innovation in the federal banking system. Much of what seems obvious now was not so at the time. No other prudential regulator had studied or embraced fintech or endeavored to understand the implications of the rapid developments in technology for banks and their customers, consumers, and small businesses. To get up to speed, agency staff got a crash course in new technologies and quickly learned the sometimes whimsical and often times commonplace names of businesses that sounded nothing like the banks they oversaw.
The OCC’s journey to support responsible innovation led to the establishment of the Office of Innovation, the appointment of a Chief Innovation Officer, and the creation of the Special Purpose National Bank charter for fintechs. Along with these developments came a new receptivity and openness to meet with companies beyond national banks and federal thrifts. Agency staff now routinely meet with fintechs in DC and in other cities. Meetings can range from educational to exploring and discussing the specifics of a bank charter.
As part of its efforts to support responsible innovation, the OCC recently announced the creation of a pilot program for new and innovative products and services. The OCC has considered the idea of a pilot program since it first announced the creation of the Office of Innovation in October 2016, so this development has been a long time in the making. The program does not offer safe harbor protections from regulatory requirements (which would exceed the agency’s authority) but instead provides an opportunity for banks and their third-party partners to seek regulatory input in the pre-launch stage of a product or service.
The newly proposed pilot program should be welcome news for banks and their partners; understanding regulatory concerns and expectations early on can increase efficiencies and save costs in the long run. Although, under the proposed parameters, fintechs alone cannot participate in the pilot. They can join forces with their bank partners to qualify for the program. Requirements for participation include demonstrating that the OCC’s involvement in the pilot is appropriate because (1) the proposed activity is within the scope of the OCC’s supervisory jurisdiction, and (2) uncertainty in the regulatory, supervisory or legal regime is a barrier to the activity’s development or implementation. The agency will also consider whether the activity has the potential to achieve specific objectives, such as meeting the evolving needs of consumers, businesses and communities; promoting financial inclusion; or enhancing the efficiency or effectiveness of bank processes. The proposed program was issued for comment on April 30th with a 45-day public comment period. Although the final pilot program may differ from the proposed one, it is not too early for banks and fintechs to consider how to structure an Expression of Interest that passes regulatory muster, as companies will inevitably queue up for consideration.
FinCEN Announces Innovation Hours Program
On May 24th, the Financial Crimes Enforcement Network (FinCEN) announced its new Innovation Hours Program. The new program is designed to facilitate innovative approaches to combating money laundering and terrorist financing. In its announcement, FinCEN stated the program is intended to provide opportunities for both financial institutions and financial technology (FinTech) companies to discuss Bank Secrecy Act (BSA)-related innovations.
According to a 2017 survey of community banks, compliance with BSA was ranked as the costliest of all regulations. Technology-related innovation can help improve the financial sector’s ability to comply with BSA and Anti-Money Laundering (AML) requirements, including suspicious activity reporting (SAR), risk identification, and transaction monitoring. Technology can also assist regulators and law enforcement in better targeting resources to detect illegal activity.
The program is open to anyone, including financial institutions and technology service providers, who offer or use products to comply with BSA/AML requirements and can demonstrate that the innovation either enhances a financial institution’s compliance program or improves the information available to law enforcement to safeguard the US financial system. Anyone interested in participating in the program must also not be subject to any criminal or civil enforcement action.
What You Should Know
Companies offering an innovative solution for BSA/AML compliance are encouraged to request a meeting during the innovation hours which will be on the second Thursday of each month from 9:30 to 12:30 in the Washington, DC area. Applicants should apply using the request form. When filling out the online form, consider the following:
Tell your story. In the FAQs, FinCEN states that if you meet the qualifying criteria, it may request additional information, including your company history, your technical portfolio, and technical readiness. You may want to include some relevant information about you and your company in the online request summary. You should have more detailed information ready to provide to FinCEN when requested.
Be specific. Stay away from general claims about your product or service. Instead, be very specific as to what problem your product or service solves. Regulators will be much more open to learning about your product (and less suspicious) if you give concrete examples of its benefits.
Don’t complain. Don’t use this as an opportunity to complain about regulations or regulatory burden. Regulators hear these complaints all the time. If there is a law or regulation that is a barrier to your ability to effectively deploy your product, you should describe that during your meeting. FinCEN will likely appreciate hearing how their regulations might impede innovation, particularly if you are specific and give examples.
The Innovation Hours Program is part of a larger initiative – introduced at the American Bankers Association/American Bar Association Financial Crimes Enforcement Conference last December – to spur BSA/AML innovation among financial institutions. FinCEN has stated that it is interested in fostering a better understanding of both the opportunities and challenges associated with innovation related to compliance with BSA/AML. In December, FinCEN and the federal banking agencies issued a “Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing.” That statement encourages financial institutions to consider and, when appropriate, implement responsible innovations designed to enhance BSA/AML compliance obligations and safeguard the nation’s financial system.
FATF Guidance on Virtual Currencies
John Collins, Partner
The Financial Action Task Force (FATF) is little known among many but plays a powerful role in protecting the global financial system. Founded over 30 years ago by the members of the G7, the group was intended to bring the most advanced economies in the world together to explore and share how they were each addressing money laundering. From there, they could develop and adopt shared standards to combat all forms of financial crime. Much has changed in financial services in the past 30 years but what was observed then - the globalization of financial services and ability to arbitrage regulatory regimes - has only accelerated.
The advent of cryptocurrencies and global, peer-to-peer blockchain networks, non-existent until only 10 years ago, were obviously not on the G7’s radar in 1988. That said, these networks are, in reality, global financial networks unbridled from the central intermediaries (banks and other financial institutions) upon which much of FATF’s work has been based. Financial intermediaries have been the lever upon which nations across the world have leaned upon to protect and monitor the financial system from money laundering, terrorist financing support, and other crimes.
That leads us to FATF’s recently issued guidance regarding virtual currencies. (Note: I’m cognizant of the fact that many do not prefer the term ‘virtual currencies’ and instead insist upon digital currencies or assets or any number of other terms of art. For the purposes of this article, however, and because FATF themselves have chosen virtual currencies as their preferred nomenclature, I’ll stick to it.) Specifically, their recent proposed “Interpretive Note” to Recommendation 15, set for final adoption this week. For some context, shortly after FATF’s founding, the group issued a set of Forty Recommendations “intended to provide a comprehensive plan of action needed to fight against money laundering.”
Recommendation 15 focuses on new technologies and calls for countries and financial institutions to keep a look out for emerging technologies, products, and business lines and apply appropriate controls based on a risk assessment.
You can read the FATF’s new guidance here but the bottom line is the document makes explicit and public what has been communicated to members of the virtual currency industry for years. Namely, what we in the United States know as the funds transfer rule, better known as the “Travel Rule”, must be complied with by applicable industry players. These players are namely virtual currency exchangers and custodial wallet providers, newly deemed by the guidance as “Virtual Asset Service Providers” (VASPs).
A lot has been written on the application of the Travel Rule to virtual currency networks and, in particular, companies that provide custodial wallet services for these tokens, assets, currencies, etc. I’d invite you read some of Yaya Fanusie’s articles on this topic, as well as Chainalysis’ letter to FATF. This work lays out succinctly the challenges and opportunities this new guidance will present for the industry.
The funds transfer rule was created in the late 70’s via legislation from the U.S. Congress. The problem at the time were wire transfers stripped of information such as the sender or the beneficiary. This was done to obfuscate the money trail and better facilitate money laundering.
Cryptocurrency transactions are not wire transfers. They are not funds being sent from bank to bank. However, in some cases, they look a lot like that. For example, when it sent from one custodial wallet that is managed by Company X and sent to another custodial wallet Company Y. These are two financial institutions where funds are going from one account to another.
These rules are principles-based and thus neutral to technology and the exact form of compliance. These open blockchain networks operate fundamentally differently than wire transfers, and FinCEN, FATF, and others, understand that. But, just because they run on blockchains and not bank wires, doesn’t mean these rules don’t apply. In fact, due to increased regulatory scrutiny and relatively high risk associated with the cryptocurrency sector, they apply all the more. That said, as a Senior Treasury Official recently stated: companies “need to know with whom they are dealing.” It’s as simple as that.
It will take some thoughtful, coordinated, and honest thinking from the industry as to how to satisfy compliance with the Travel Rule and FATF’s guidance as a whole. To date, this hasn’t happened. Industry leaders should consider using their exceptional technical talent to find ways that might better facilitate compliance with the principles-based guidance issued by FATF and to communicate this work to policymakers not only at FinCEN, but leaders on both sides of Pennsylvania Avenue. We have spent the past several years working on the problems listed above and working with policymakers around the world to communicate their concerns to industry. We believe the time is ripe to rise to the occasion.
The newly released FATF guidance should not come as a surprise to virtual currency companies.
Regulators around the world are eager to see compliance by applicable players in the industry.
There’s likely an opportunity for education, as well as creative problem solving and innovative technologies, to help reach compliance and build the current gaps.
Finance Rewired Introduction
Finance Rewired, an FS Vector podcast, explores the technologies and the people rewiring financial services. The podcast is now on the 13th episode of the first season with new episodes coming out regularly. Check out a few of the most recent guests and topics discussed below:
In this episode, John Collins speaks with Margaret Liu, SVP and Deputy General Counsel at CSBS (“Conference of State Bank Supervisors”) on the OCC Fintech Charter, virtual currencies, state approaches to innovation, the CSBS’ Vision 2020, and her opinions about federal preemption of state money transmission licensing. Liu explains the unique position CSBS plays in the safety and soundness of bank and non-bank activities. She describes CSBS as the D.C. field office for state banking and financial regulators. CSBS coordinates with other regulatory agencies, advocates public policy positions on behalf of the states, and educates its members with an accreditation program which Liu describes as “regulating the regulators.” Collins and Liu discuss how the Nationwide Multistate Licensing System (“NMLS”) was a state-driven initiative that resulted in Congressional passage of the SAFE Act. Liu believes that not every good idea begins in D.C. and CSBS helps the states bring an “outside the beltway perspective” to regulation. The two discuss the origins of the OCC Fintech Charter, which began when companies started asking state regulators if they should be licensed. Liu explained that, among other issues, CSBS is concerned that there are public policy concerns that should be addressed by Congress, not by regulatory triage. Lastly, Liu explains how the CSBS’s own initiative--Vision 2020—is working to make the state non-banking world safer, more efficient, and doing so in a way that does not dilute consumer protections or any other regulatory responsibility.
In this episode, John Collins speaks with Congressman Tom Emmer from Minnesota’s Sixth District, and Co-chair of the Congressional Blockchain Caucus, about the Congressman’s view on how the government should approach blockchain, the Blockchain Regulatory Certainty Act, and his work in gaining more guidance from the IRS on cryptocurrency transactions. Congressman Emmer became engaged in blockchain while in a House Financial Services Committee hearing in 2018. He recalls that “Democrats sounded like Democrats and Republicans sounded like Democrats” and at that point he knew there was a problem. Congressman Emmer believes that the best ideas come from individuals who are trying to improve their own lives, and while doing so, they improve the lives of others with innovative breakthroughs. It is the same for blockchain. He stated that we cannot allow the government, through uncertainty and through overregulation of problems that do not exist, to drive out the entrepreneurial spirit to innovate. Congressman Emmer and Collins discuss the origins of the Congressman’s proposed bill—The Blockchain Regulatory Certainty Act. Congressman Emmer explains that the bill seeks to answer three questions: (1) who has jurisdiction over blockchain/cryptocurrency, (2) what is currency, and (3) what is a commodity or security for the purposes of blockchain/cryptocurrency? Additionally, the Congressman, joined with other members of Congress, sent a letter requesting the IRS produce better guidance on reporting virtual currency for tax purposes and create a safe harbor for certain blockchain services.
In this episode, John Collins speaks with Jason Somensatto, 0x’s strategic legal counsel, about 0x, the decentralized finance (DeFi) movement, and conversation around cryptotwitter. At its core, 0x is an open protocol (a suite of smart contracts) that enables the peer-to-peer exchange of assets on the Ethereum blockchain without relying on a centralized exchange or custodian to facilitate the transaction. 0x has an off chain order relay and on chain settlements. Somensatto compares this protocol to sending an email. Like an email which is delivered if you fill in all the required boxes, in 0x, the exchange occurs if the order meets predefined schema.
Collins and Somensatto discuss the “DeFi movement” which Somensatto explains is essentially a collection of projects trying to replicate more traditional financial transaction in the crypto world and doing so in a way that the protocol manages the transaction. Part of the significance of the “DeFi movement” is that if enough assets become tokenized, we could face a world with a fundamentally different financial system. One issue Somensatto has with the current regulatory environment is that well-meaning and interested people are afraid to innovate. People can easily program value to an asset and “once something becomes that easy, telling people they can’t do it doesn’t really work.” Somensatto and Collins also discuss their opinions on #cryptotwitter. Somensatto explained that the reality of the situation is that Twitter is where people talk about cryptocurrency and if you can put together sound bites people will listen. But having these discussions on Twitter is just not for him. Someensatto also notes that it is important to understand that in the US legal system, the courts have the final say and it will be some time before any authoritative decision is made that provides more guidance to the industry.