fbpx

Explainer on the Electronic Fund Transfer Act & Regulation E for Fintechs

If you’re launching a card program, you may have heard terms like the EFTA or Reg E being thrown around in legal or compliance discussions.

The Electronic Fund Transfer Act (EFTA) is important to fintechs because it establishes the rights, liabilities, and responsibilities for parties involved in an electronic transaction (like a debit card transaction). It’s what allows consumers to challenge transaction errors (disputes) or get their money back when an investigation reveals a legitimate error or wrongdoing (chargeback).

It also does other import things like setting caps on interchange debit card fees, giving merchants choices on how to route card transactions, and requiring you to provide certain notices and disclosures to consumers.

In this blog, we break down the EFTA and Regulation E.

Founder TL;DR

If you’re launching a debit card product, here’s what you need to know:

  • The EFTA is a federal law that protects consumers when they transfer funds electronically.
  • Every product has its own considerations, so talk to a lawyer!
  • The EFTA establishes certain requirements, like:
  • You need to disclose certain terms.
  • You may be required to provide monthly statements.
  • You may need to give advance notice before you change important terms.
  • You need to address claims there were unauthorized transactions, which may include having to cover the costs of fraudulent transactions.
  • Lithic’s legal team knows many fintech lawyers and we’re happy to point customers to recommendations.

What is the EFTA?

Debit cards and other electronic payment methods are primarily regulated by the EFTA. The law sets a high-level framework, but Regulation E (or Reg E) fills in a lot of the details, so you may hear “EFTA” and “Reg E” used interchangeably.

The EFTA was originally passed to give consumers protections from then-new ATM and electronic payment technologies. But as new tech developed, it evolved to cover much more.

While the requirements may seem like a hurdle, many fintech entrepreneurs can navigate them. So let’s walk through some of the main considerations.

Who does the EFTA apply to?

The EFTA applies to certain financial institutions, including banks. When a fintech that offers cards works with a bank (as is typical in card issuing), the bank delegates much of its EFTA obligations to the fintech. This post focuses on how the EFTA applies to fintech companies that partner with banks to offer cards, though the law applies to many other types of businesses.

What does the EFTA cover?

The EFTA applies to “electronic fund transfer” services, which generally means any transfers by electronic means that debit or credit a consumer’s bank account. However, it does not apply to electronic fund transfers for businesses, just consumers.

Practically, the EFTA applies to transfers via debit cards, prepaid cards, ACHs, ATMs, online payments, point-of-sale (POS) transfers, and other electronic payment methods. While the EFTA covers prepaid and gift cards, those types of cards have special rules, which we’ll discuss in later posts. The EFTA also sets special rules for remittances.

In contrast, credit cards are primarily regulated by a separate law, the Truth in Lending Act.

Disclosures

If the EFTA applies to a product offering, you may need to disclose certain terms, like fees, limits on transfer frequency, liability limits, contact information, and others.

While card providers need to tailor agreements and disclosures to their situation, Lithic is happy to provide basic templates.

Statements and notices

The EFTA requires that companies offering cards and certain other financial institutions provide monthly statements outlining transactions, applied fees, and other account events from the relevant month. You also need to give advance notice if you’re changing important terms like fees or allowed frequency of transfers.

Consumer protections

The EFTA sets limits on how much consumers can be liable for unauthorized transactions (like fraud or card theft):

  • Up to $50 if they notify their card issuing company within 2 business days after learning of the loss or theft of an access device.
  • Up to $500 if they notify their card issuing company between 3 days after learning of the loss or theft of an access device and 60 days after the financial institution sends the monthly statement that includes the unauthorized transaction.
  • After that, they can be fully liable for the unauthorized transactions that happen until they notify their card company that the transfer was unauthorized.

Also, the EFTA requires that companies investigate billing disputes within 10 days of being notified, and must report their findings and correct any errors. The 10-day timeline may be extended if the consumer is provided with provisional credit for any disputed amount.

Network liability policies

While the EFTA gives consumers some liability protections, the card networks Visa and Mastercard have their own “zero liability” policies for unauthorized transactions on certain cards. Those policies offer more protection than the EFTA; cardholders aren’t liable for any amount if they use reasonable care to protect their card and promptly report any loss or theft.

So if there’s a fraudulent charge, in practice this means that the card issuing company (or bank) eats the cost.

Additional resources

For more information, you can check out:

Explainer on Fintech AML Requirements

If you’re in fintech, understanding anti-money laundering laws is crucial.

AML laws require you to have programs and tools in place to detect and prevent money laundering. If you don’t, you can face regulatory scrutiny and hefty fines.

But the scale your AML program needs can vary depending on your company and product(s). To navigate what’s needed, it helps to understand the laws and regulations.

Here’s an explainer on the Bank Secrecy Act and Anti-Money Laundering laws.

Founder TL;DR

If you’re launching a card program, you’ll want to:

  • Get familiar with AML requirements that fintech companies must navigate.
  • Consider whether you need to have AML policies & procedures, a compliance officer, and employee training in place.
  • Establish your KYC/KYB procedures to verify customers’ identities.
  • Determine how you’re monitoring transactions in case you need to report suspicious activity.
  • Talk to a lawyer! Every product has its own considerations and we’re happy to point customers to recommendations.

AML overview & terminology

The Bank Secrecy Act (BSA) establishes the basic framework for AML obligations and has been updated by several laws including the USA PATRIOT Act and the more recent Anti-Money Laundering Act of 2020. Other various laws shape AML requirements depending on the setting, but the BSA and PATRIOT Act are the primary ones that operators in the industry will reference.

We’ll generally refer to all of these as the “AML laws” in this post.

AML laws are structured to form public-private partnerships for financial crimes and intelligence purposes. Under the laws and rules, financial institutions are deputized to collect information about customers and provide financial intelligence to government agencies and law enforcement.

Financial institutions (including fintechs) have paid millions or even billions for failing to fulfill their anti-money laundering (AML) obligations. So if you’re working in fintech, you’ll want to make sure your company complies with AML laws.

Additionally, “AML” is often used to refer to both AML and counter-terrorist financing requirements, though you may hear CTF discussed separately. We’ll generally use “AML” to refer to both.The Financial Crimes Enforcement Network (FinCEN) imposed more than $600 million in fines for anti-money laundering (AML) violations from January 2021 to March 2022.

FinCEN

The Financial Crimes Enforcement Network (FinCEN) is the main U.S. regulator responsible for AML regulations and operations. FinCEN is a bureau within the Department of Treasury, and it works with other U.S. regulators to set rules for banks and other financial companies like money transmitters. FinCEN also maintains a database and employs various analysts to help identify trends and issues that inform policy changes.

FinCEN can pursue civil penalties (e.g., fines) for AML violations, and the Department of Justice can seek criminal penalties. But largely FinCEN is a supportive agency and encourages collaboration with industry participants via its FinCEN Exchange and office hours programs.

Who do AML Laws apply to?

AML laws and related requirements apply to “financial institutions,” which include:

  • Banks
  • Insurance companies
  • Securities and commodities broker-dealers
  • Anyone involved in real estate settlements and closings
  • Money services businesses (MSBs), including money transmitters and companies that offer prepaid cards under their own regulatory structure
  • Various other financial businesses and actors

For fintechs in the payment space, the most relevant categories are banks and MSBs.

Banks’ AML obligations will extend to third-party service providers and certain wholesale customers via contract and certain banking law provisions like 12 USC 1867(c).  Additionally, a fintech may count as a MSB if they’re not careful, which triggers the need to have an AML program, FinCEN registration, and a host of other costly legal requirements.

Basic AML program requirements

AML laws require financial institutions to have AML programs, which generally includes:

  • Written policies and procedures that implement the program
  • Written internal controls and testing mechanisms for the program (e.g., quality control audits)
  • A designated compliance officer who oversees the program
  • An ongoing AML employee training program
  • Reporting suspicious activities, which requires transaction monitoring
  • Identify and verify customers’ identities (i.e., know-your-customer (KYC) and/or know-your-business (KYB)), unless the program fits in an exception.

If this list feels daunting, don’t be discouraged.

FinTechs will often start out as partners to regulated financial institutions versus being directly licensed and regulated. If you’re in this position, we recommend you consult with your BaaS or bank partner to check in on their requirements for your product.

The best BaaS and bank partners can help offer guidance on how to size your internal practices to meet their regulatory needs and the risks presented by your product. And because banks are the regulated entity in these partnerships, they might have tools or resources to help absorb or shoulder some of these responsibilities.

As an example, some bank partners have key FinTech staff attend annual AML training, which can help the bank and FinTech meet their compliance responsibilities.

AML programs in practice

Ideally, early stage fintech companies would have dedicated AML policies and resources.

However, some early stage fintechs may not have full policies, dedicated headcount, or employee training as they’re first getting set up and trying to find product-market fit. Instead, they may rely on their bank partner’s AML policies, and may hire a consultant to advise if they get stuck on issues.

Once fintechs have product-market fit and see meaningful growth, they often designate a compliance officer and build out their own AML policies, internal controls, and employee trainings.

As a best practice, fintechs past the MVP stage with some product-market fit should review their policies regularly to address new risks and products, and should have their boards of directors and senior management approve their AML policies annually.

Overview of compliance fundamentals for fintechs in the US

Introduction

This guide is meant to provide a basic overview of compliance for fintechs in the US and should not be treated as legal advice. In addition, compliance and regulations are constantly evolving, so this guide does not provide an exhaustive overview. Please consult a lawyer and compliance expert when evaluating and creating a compliance program for your fintech.

Startups that offer financial services—such as business expense cards, monetary accounts, and loan access—are governed by a long and complex set of regulatory requirements essential to protect the startup’s business, customers, and the US financial system.

Compliance touches every aspect of a financial product, from marketing to onboarding to account closures. For example, you need to communicate all terms about a financial product (such as fees, interest, payment requirements, and other details) clearly and upfront in your marketing materials. When you are onboarding users, you must properly conduct Know Your Customer (KYC) checks and sanctions screenings, and comply with all fair lending laws if you are extending credit. And if users are delinquent on their repayment of a credit account, you may be required to comply with certain debt collection requirements that govern the frequency and times you may communicate collections reminders. And that covers just a fraction of the compliance regulations you may be required to follow.

The below diagram is for demonstrative purposes only and should not be considered an exhaustive list of fintech compliance requirements.

Compliance with various regulations is essential to building a fintech: Fail to get it right, and—at best—you’ll be faced with large fines that can hurt your business. At worst, your business can be shut down.

However, ensuring compliance isn’t just about avoiding fees or legal repercussions. Investing in compliance means that your startup can create safer, more durable products for users while making money movement and financing products safe, which provides a competitive advantage for your business in the long term. In the end, you’re acting in the user’s best interest, helping them get access to a secure, stable, and beneficial product.

This guide provides an overview of how financial services in the US are regulated and what this means for your business. You’ll learn compliance fundamentals, get an overview of the most common compliance regulations, and understand your options for managing compliance for your business.

Compliance guidance and best practices

A common way to offer financial products in the US is by partnering with a bank to power your product. Each bank partner is regulated by a primary regulator (alongside a host of other regulatory bodies) that examines the bank periodically for compliance. For example, the bank may be assessed on whether it is compliant with state and federal statutes that regulate unfair and deceptive acts and practices (UDAP), which require transparent, up-front communication to customers (among other things).

Any fintech company that works with a bank is indirectly accountable to these same regulators as a result of their banking partnership. Your startup will seldom directly interact with the primary bank regulator; instead, the bank will oversee your compliance with banking-related laws and regulations. For example, using the same scenario as above, you would also be assessed by the bank on whether you remain compliant with UDAP through periodic testing engagements and reporting requirements.

In addition, federal regulators who oversee banks (and fintechs) but who do not function as a primary banking regulator include (but are not limited to):

  • The Federal Trade Commission (FTC), enforces laws against deceptive and unfair trade practices as well as unjust methods of competition. The FTC also enforces federal consumer protection laws that prevent fraud, deception, and unfair business practices. For example, the FTC may investigate telemarketing scams, sweepstakes scams, or “bogus health products.”
  • The Consumer Financial Protection Bureau (CFPB), is tasked with ensuring consumers are treated fairly by entities offering consumer financial products. It provides consumer protection across all consumer financial products, whether they’re offered by a bank, a fintech, or any other entity.

Overview of compliance regulations in the US

The specific laws and regulations you must follow greatly depend on your business. For example, certain rules only apply to consumer financial services or businesses extending credit. However, in general, there are a few rules that apply to all businesses:

Laws that apply to all financial services businesses

This section is for demonstrative purposes only and should not be considered an exhaustive list of fintech compliance requirements.

Know Your Customer (KYC) and Know Your Business (KYB) obligations

KYC or KYB is the mandatory process of verifying customer or business identities when they sign up for an account and then continually monitoring transaction patterns to gauge risk. Users must provide proof of their identity and address during your onboarding process to ensure that they are who they say they are.

What this means: Complying with KYC or KYB obligations helps ensure that the money moving through your system is safe and is not involved in money laundering, terrorism financing, or other fraudulent schemes.

Anti-money laundering (AML) rules

AML rules are a set of laws and regulations designed to prevent criminals from engaging in financial crimes and illegal activity—namely, disguising illegal funds as legitimate income. AML rules require banks and other financial service providers to record and report money movement to screen for money laundering and terrorist financing.

What this means: Helps to keep the financial system safe and secure by preventing money laundering and terrorist financing.

The Office of Foreign Assets Control (OFAC) sanctions

OFAC enforces a series of economic and trade sanctions against countries, legal entities such as businesses, and groups of individuals such as terrorists and narcotics traffickers.

What this means: Helps accomplish foreign policy and national security goals by preventing terrorism financing, money laundering, or other fraudulent schemes.

Unfair or Deceptive Acts or Practices (UDAP) and Unfair, Deceptive, and Abusive Acts or Practices (UDAAP)

UDAP and UDAAP laws prevent companies from engaging in any unfair or deceptive (and, in the case of UDAAP laws, abusive) acts or practices, such as failing to disclose fees or misrepresenting a product or service. UDAP is invoked to protect all persons and entities engaged in commerce, while UDAAP laws provide extra protection to consumers using financial products.

UDAP and UDAAP provide similar customer protections, but they differ slightly. UDAAP contains an additional, intentionally vague prohibition against “abusive” acts that is used to capture a wider variety of acts that could result in consumer harm.

What this means: Ensures that you are creating a high-quality and safe user experience by making all your communication transparent and easy to understand.

Red Flag Rules

Red Flag Rules require businesses to adopt and implement a written identity fraud program to detect the warning signs—or red flags—of identity fraud. This program helps companies more easily identify suspicious patterns and trends in their business, take appropriate steps to prevent identity theft and mitigate its damage.

What this means: Helps businesses detect fraud attempts before actual crimes are committed.

Laws that only apply to businesses that extend, support, or collect credit

Many regulations apply to businesses extending, supporting, or collecting credit. For example, you may be subject to the Fair Credit Reporting Act, the Servicemembers Civil Relief Act, the Equal Credit Opportunity Act (ECOA), and others. This guide doesn’t provide an exhaustive list of all lending laws. Instead, we’ll cover two of the most common: fair lending laws and the Truth in Lending Act.

Fair lending laws

Fair lending laws such as ECOA prohibit lenders from considering race, colour, national origin, religion, sex, familial status, or disability when applying for credit. These laws and regulations apply to any extension of credit, including credit for small businesses, corporations, and partnerships. There are also technical communication requirements within federal fair lending laws that require ​creditors to explain why an adverse action was taken against a borrower or an applicant for credit.

What this means: Prevents discrimination and ensures that people of protected classes are offered fair and equal access to credit; provides transparency to the credit underwriting process.

Truth in Lending Act (TILA)

TILA protects consumers against unfair credit billing and credit card practices. It requires lenders to provide loan cost information upfront so consumers can compare different types of loans. TILA primarily applies to consumer loans, but important fraud and dispute procedures also apply to business credit. For example, in certain situations, an employee cardholder can’t be held liable for more than $50 for the unauthorized use of a stolen credit card.

What this means: Protects borrowers from unethical lending practices and improves customer experience by ensuring that users have a clear understanding of credit costs and terms; protects certain borrowers from unauthorized use of stolen credit cards.

How to handle compliance for your business

Manage compliance yourself

You or your in-house compliance team may be able to work directly with a bank to manage compliance, but it is often expensive and time-consuming. For example, this involves building a full-time compliance team from scratch, hiring lawyers, compliance experts, finance managers, and others.

To approve your in-house compliance management program, banks expect you to apply the same level of rigour that they apply to their own programs. To satisfy bank expectations, you will need to leverage your team of in-house and external legal and compliance professionals to implement and operate a resource-intensive set of program components on an ongoing basis. These components include your foundational compliance policies, risk assessment methodologies and matrices, independent testing plans and workflows, compliance training content and assessments, various compliance procedures and controls, ongoing “state of compliance” reporting, and compliance issue program management. They would evaluate you and your team for subject matter expertise, reporting capabilities, program policies, issues and risk management, internal training curriculum, and more. We recommend that you speak with a compliance professional and a lawyer to fully understand what you need to do to make this program viable.

Work with third-party advisors

In addition to managing compliance by yourself, you could hire an external compliance consultant to design your policies, review materials, and test your user flows to make sure you are compliant with applicable laws.

However, not only are external consultants very expensive, but they are also compliance experts—not product experts. While they have a deep understanding of regulations, they may not be able to effectively marry that understanding with your specific product.

Offload elements of compliance to a banking-as-a-service (BaaS) solution

The below diagram represents the elements that Stripe, as the BaaS provider, oversees and/or manages, and may not apply to all BaaS providers.

A successful fintech is made up of both product excellence and compliance expertise. While third-party consultants can only advise on half of that equation (the compliance expertise), a BaaS provider can do both. A BaaS solution offers both the full suite of embedded finance needs in addition to the infrastructure for financial partnerships and compliance. This allows you to use one system for building your fintech offering, growing your feature set, and managing a compliance system, reducing the complexity required to go to market and saving internal costs.

The best BaaS offerings assign you a compliance program manager that partners directly with banks on a range of important topics including compliance, risk, reporting, marketing, disputes, and contracts—so you don’t have to.

Sometimes, your BaaS provider may build solutions directly within the product that help you adhere to the bank’s compliance requirements. For example, the best providers offer prebuilt funds flows and user onboarding elements that match the bank’s specific compliance needs and also have an in-house testing program that tests and audits your user flows on behalf of the bank.

In other cases, the compliance program manager works directly with you to outline the requirements you must adhere to, reviews and approves your entire user experience and periodically audits your compliance controls.

Even when working with a BaaS provider, your business will still be responsible for implementing certain compliance responsibilities. For example, your business will always need to ensure that all your customer-facing assets and user interfaces go through the BaaS provider’s approval process and report any user complaints to the BaaS provider (e.g., by enabling your customer service team to tag complaints so that the BaaS provider can investigate whether any are indicative of a broader compliance issue and send reports to your BaaS provider each month).

How to evaluate a BaaS provider for compliance

The best BaaS providers don’t just offer APIs to help you integrate financial services into your product—they also offer compliance as part of their product. To that end, as you’re looking for a BaaS provider, make sure to evaluate them specifically on how they help you manage compliance. For example, ask for copies of their compliance policies and sample requirements that they would ask you to implement, and compare those to other providers.

While there is no one-size-fits-all approach when evaluating a BaaS provider, we recommend asking about the following criteria during the discovery phase:

  • Relationships with multiple banking partners to ensure reliable solutions with redundancy measures.
  • Demonstrated ability to enforce compliance requirements. Ask the BaaS provider for a recent example of how they’ve modified their program to adapt to evolving compliance requirements.
  • Level of detail needed in use case supportability and onboarding. A BaaS provider that asks for more details when onboarding fintechs suggests that they have a robust compliance program.
  • The number of full-time employees working on compliance and the number of years/experience working in compliance.
  • Demonstrated ability to support multiple types of companies across industries and business models.
  • Demonstrated ability to support businesses in getting started and operating at scale (since compliance and support needs vary by company size).

A simple guide to PCI compliance

Payment Card Industry Data Security Standards (PCI DSS) sets the minimum standard for data security. Here’s a step-by-step guide to maintaining compliance.

Since 2005, over 11 billion consumer records have been compromised from over 8,500 data breaches. These are the latest numbers from The Privacy Rights Clearinghouse, which reports on data breaches and security breaches impacting consumers dating back to 2005.

To improve the safety of consumer data and trust in the payment ecosystem, a minimum standard for data security was created. Visa, Mastercard, American Express, Discover, and JCB formed the Payment Card Industry Security Standards Council (PCI SSC) in 2006 to administer and manage security standards for companies that handle credit card data. Before the PCI SSC was established, these five credit card companies all had their own security standards programs—each with roughly similar requirements and goals. They banded together through the PCI SSC to align on one standard policy, the PCI Data Security Standards (known as PCI DSS) to ensure a baseline level of protection for consumers and banks in the internet era.

Understanding PCI DSS can be complex and challenging

If your business model requires you to handle card data, you may be required to meet each of the 300+ security controls in PCI DSS. There are more than 1,800 pages of official documentation, published by the PCI Council, about PCI DSS, and more than 300 pages just to understand which form(s) to use when validating compliance. This would take over 72 hours just to read.

To ease this burden, the following is a step-by-step guide to validating and maintaining PCI compliance.

Overview of PCI Data Security Standard (PCI DSS)

PCI DSS is the global security standard for all entities that store, process, or transmit cardholder data and/or sensitive authentication data. PCI DSS sets a baseline level of protection for consumers and helps reduce fraud and data breaches across the entire payment ecosystem. It applies to any organization that accepts or processes payment cards.

PCI DSS compliance involves three main components:

  1. Handling the ingress of credit card data from customers; namely, that sensitive card details are collected and transmitted securely
  2. Storing data securely, which is outlined in the 12 security domains of the PCI standard, such as encryption, ongoing monitoring, and security testing of access to card data
  3. Validating annually that the required security controls are in place, which can include forms, questionnaires, external vulnerability scanning services, and third-party audits (see the step-by-step guide below for a table with the four levels of requirements)

Handling card data

Some business models do require the direct handling of sensitive credit card data when accepting payments, while others do not. Companies that do need to handle card data (e.g., accepting untokenized PANs on a payment page) may be required to meet each of the 300+ security controls in PCI DSS. Even if card data only traverses its servers for a short moment, the company would need to purchase, implement, and maintain security software and hardware.

If a company does not need to handle sensitive credit card data, it shouldn’t. Third-party solutions securely accept and store the data, whisking away considerable complexity, cost, and risk. Since card data never touches its servers, the company would only need to confirm 22 security controls, most of which are straightforward, such as using strong passwords.

Storing data securely

If an organization handles or stores credit card data, it needs to define the scope of its cardholder data environment (CDE). PCI DSS defines CDE as the people, processes, and technologies that store, process, or transmit credit card data—or any system connected to it. Since all 300+ security requirements in PCI DSS apply to CDE, it’s important to properly segment the payment environment from the rest of the business to limit the scope of PCI validation. If an organization is unable to contain the CDE scope with granular segmentation, the PCI security controls would then apply to every system, laptop, and device on its corporate network…

Annual validation

Regardless of how card data is accepted, organizations are required to complete a PCI validation form annually. The way PCI compliance is validated depends on several factors, which are outlined below. Here are three scenarios in which an organization could be asked to show that it is PCI compliant:

  • Payment processors may request it as part of their required reporting to the payment card brands.
  • Business partners may request it as a prerequisite to entering into business agreements.
  • For platform businesses (those whose technology facilitates online transactions among multiple distinct sets of users), customers may request it to show their customers that they are handling data securely.

The latest set of security standards, PCI DSS version 3.2.1, includes 12 main requirements with more than 300 sub-requirements that mirror security best practices.

BUILD AND MAINTAIN A SECURE NETWORK AND SYSTEMS

  • 1. Install and maintain a firewall configuration to protect cardholder data.
  • 2. Do not use vendor-supplied defaults for system passwords and other security parameters.

PROTECT CARDHOLDER DATA

  • 3. Protect stored cardholder data.
  • 4. Encrypt transmission of cardholder data across open or public networks.

MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM

  • 5. Protect all systems against malware and regularly update anti-virus software.
  • 6. Develop and maintain secure systems and applications.

IMPLEMENT STRONG ACCESS CONTROL MEASURES

  • 7. Restrict access to cardholder data by business need to know.
  • 8. Identify and authenticate access to system components.
  • 9. Restrict physical access to cardholder data.

REGULARLY MONITOR AND TEST NETWORKS

  • 10. Track and monitor all access to network resources and cardholder data.
  • 11. Regularly test security systems and processes.

MAINTAIN AN INFORMATION SECURITY POLICY

  • 12. Maintain a policy that addresses information security for all personnel.

To make it “easier” for new businesses to validate PCI compliance, the PCI Council created nine different forms or Self-Assessment Questionnaires (SAQs) that are a subset of the entire PCI DSS requirement. The trick is figuring out which is applicable or whether it’s necessary to hire a PCI Council–approved auditor to verify that each PCI DSS security requirement has been met. In addition, the PCI Council revises the rules every three years and releases incremental updates throughout the year, adding even more dynamic complexity.

A step-by-step guide to PCI DSS v3.2.1 compliance

1. Know your requirements

The first step in achieving PCI compliance is knowing which requirements apply to your organization. There are four different PCI compliance levels, typically based on the volume of credit card transactions your business processes during 12 months.

Compliance level

Applies to

Requirements

Level 1

  1. Organizations that annually process more than 6 million transactions of Visa or Mastercard, or more than 2.5 million for American Express; or
  2. Have experienced a data breach; or
  3. Are deemed “Level 1” by any card association (Visa, Mastercard, etc.)

  1. Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA)—also commonly known as a Level 1 onsite assessment—or internal auditor if signed by an officer of the company
  2. Quarterly network scan by Approved Scan Vendor (ASV)
  3. Attestation of Compliance (AOC) for Onsite Assessments–there are specific forms for merchants and service providers

Level 2
Organizations that process between 1–6 million transactions annually

  1. Annual PCI DSS Self-Assessment Questionnaire (SAQ)—there are 9 SAQ types shown briefly in the table below
  2. Quarterly network scan by Approved Scan Vendor (ASV)
  3. Attestation of Compliance (AOC)—each of the 9 SAQs has a respective AOC form

Level 3

  1. Organizations that process between 20,000–1 million online transactions annually
  2. Organizations that process fewer than 1 million total transactions annually
Same as above

Level 4

  1. Organizations that process fewer than 20,000 online transactions annually; or
  2. Organizations that process up to 1 million total transactions annually
Same as above

For Levels 2–4, there are different SAQ types depending on your payment integration method. Here’s a brief table:

SAQ

Description

A

Card-not-present merchants (ecommerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS–compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.

Not applicable to face-to-face channels.

A-EP

Ecommerce merchants who outsource all payment processing to PCI DSS–validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of cardholder data on merchant’s systems or premises.

Applicable only to e-commerce channels.

B

Merchants using only:

  • Imprint machines with no electronic cardholder data storage, and/or
  • Standalone, dial-out terminals with no electronic cardholder data storage.

Not applicable to e-commerce channels.

B-IP

Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor with no electronic cardholder data storage.

Not applicable to e-commerce channels.

C-VT

Merchants who manually enter a single transaction at a time via a keyboard into an internet-based, virtual payment terminal solution that is provided and hosted by a PCI DSS–validated third-party service provider. No electronic cardholder data storage.

Not applicable to e-commerce channels.

C

Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.

Not applicable to e-commerce channels.

P2PE

Merchants using only hardware payment terminals included in and managed via a validated, PCI SSC–listed point-to-point Encryption (P2PE) solution, with no electronic cardholder data storage.

Not applicable to e-commerce channels.

D

SAQ D FOR MERCHANTS: All merchants are not included in descriptions for the above SAQ types.

SAQ D FOR SERVICE PROVIDERS: All service providers defined by a payment brand as eligible to complete an SAQ.

2. Map your data flows

Before you can protect sensitive credit card data, you need to know where it lives and how it gets there. You’ll want to create a comprehensive map of the systems, network connections, and applications that interact with credit card data across your organization. Depending on your role, you’ll probably need to work with your IT and security team(s) to do this.

  • First, identify every consumer-facing area of the business that involves payment transactions. For example, you may accept payments via an online shopping cart, in-store payment terminals, or orders placed over the phone.
  • Next, pinpoint the various ways cardholder data is handled throughout the business. It’s important to know exactly where the data is stored and who has access to it.
  • Then, identify the internal systems or underlying technologies that touch payment transactions. This includes your network systems, data centers, and cloud environments.

3. Check security controls and protocols

Once you map out all the potential touchpoints for credit card data across your organization, work with IT and security teams to ensure the right security configurations and protocols are in place (see the list of 12 security requirements for PCI DSS above). These protocols are designed to secure the transmission of data, like Transport Layer Security (TLS).

The 12 security requirements for PCI DSS v3.2.1 stem from best practices for protecting sensitive data for any business. Several overlap with those required to meet GDPR, HIPAA, and other privacy mandates, so a few of them may already be in place in your organization.

4. Monitor and maintain

It’s important to note that PCI compliance is not a one-time event. It’s an ongoing process to ensure your business remains compliant even as data flows and customer touchpoints evolve. Some credit card brands may require you to submit quarterly or annual reports, or complete an annual on-site assessment to validate ongoing compliance, particularly if you process more than 6 million transactions each year.

Managing PCI compliance throughout the year (and year over year) often requires cross-departmental support and collaboration. If this doesn’t already exist, it may be worthwhile to create a dedicated team internally to properly maintain compliance. While every company is unique, a good starting point for a “PCI team” would include representation from the following:

  • Security: The Chief Security Officer (CSO), Chief Information Security Officer (CISO), and their teams ensure the organization is always properly investing in the necessary data security and privacy resources and policies.
  • Technology/Payments: The Chief Technology Officer (CTO), VP of Payments, and their teams make sure that core tools, integrations, and infrastructure remain compliant as the organization’s systems evolve.
  • Finance: The Chief Financial Officer (CFO) and their team ensure that all payment data flows are accounted for when it comes to payment systems and partners.
  • Legal: This team can help navigate the many legal nuances of PCI DSS compliance.

For more information about the complex world of PCI compliance, head to the PCI Security Standards Council website. If you only read this guide and a few other PCI docs, we recommend starting with these: prioritized approach for PCI DSS, SAQ instructions and guidelines, FAQ about using SAQ eligibility criteria to determine onsite assessment requirements, and FAQ about obligations for merchants that develop apps for consumer devices that accept payment card data.

Conclusion

Assessing and validating PCI compliance usually happens once a year, but PCI compliance is not a one-time event—it’s a continuous and substantial effort of assessment and remediation. As a company grows so will the core business logic and processes, which means compliance requirements will evolve as well. An online business, for example, may decide to open physical stores, enter new markets, or launch a customer support center. If anything new involves payment card data, it’s a good idea to proactively check whether this has any impact on your PCI validation method and re-validate PCI compliance as necessary.

The Fintech Founder’s Guide to FinTech Compliance Regulations in 2024

Fintech Policies has been working with companies that provide financial services toward their compliance efforts. In this time, we have studied both FinTech, banking regulations and data protection laws like GDPR. Below are the insights we gained while researching the market and working with our clients.

What is compliance in FinTech?

The Q1 of 2023 was one of FinTech’s biggest wins. The industry secured $45.6 billion in investments (half of the previous year’s total funding). Open Banking APIs and COVID-19 continued to be some of the biggest drivers behind FinTech growth.

The industry is advancing at a rapid pace, presenting ample opportunities for entrepreneurs. Most FinTech startups operate in a “move fast, break things” manner, embracing mistakes as part of the innovation process.

Unlike traditional banks, they rarely have robust risk and compliance management programs. As more FinTechs venture into the spaces occupied by traditional financial institutions, they begin to attract attention from both criminals and regulators. Protecting the industry from fraud and alleviating FinTech security concerns are the main reasons behind the emerging regulations.

Here are some of the key trends that are expected to shape the FinTech industry in 2023:

  • The rise of decentralized finance (DeFi): DeFi is a blockchain-based financial system that allows for peer-to-peer transactions without the need for intermediaries. This has the potential to disrupt traditional financial institutions and make financial services more accessible to everyone.
  • The continued growth of mobile payments: Mobile payments are becoming increasingly popular, as they offer a convenient and secure way to pay for goods and services. This trend is expected to continue in 2023, as more businesses adopt mobile payment solutions.
  • The increasing use of artificial intelligence (AI): AI is being used in a variety of ways in the FinTech industry, such as fraud detection, risk assessment, and customer service. This trend is expected to continue in 2023, as AI becomes more sophisticated and affordable.

The FinTech industry is rapidly evolving, and it is difficult to predict what the future holds. However, the trends mentioned above are likely to play a major role in shaping the industry in the years to come.

Protecting the industry from fraud and alleviating FinTech security concerns are the main reasons behind the emerging regulations.

Not following these laws and regulations leads to non-compliance, which carries serious risks for FinTech companies:

  • Regulatory risks represent a major threat in the form of legal action, especially for FinTechs that partner with traditional banks.
  • Financial risks affect the company’s bottom line – a fall in share prices due to regulatory action, inability to attract funds, loss of user confidence, and a resulting drop in future profits.
  • Business risks can prevent the company from reaching its financial goals. Often, they are a natural outcome of FinTech’s fast-moving nature.
  • Reputational risks result from breaching customer trust. A single incident can cause a domino effect that impacts other related products and services.

FinTech regulations around the world

The government agencies attempting to regulate the FinTech sector are lagging considerably behind the fast-moving technology. This means that most countries around the world still lack a unified legal framework to oversee the FinTech sector and have large gaps for new FinTech technologies like Blockchain and cryptocurrencies.

Still, it’s important to understand the complex regulatory landscape that exists in different states to mitigate compliance risks.

The United States

The US is home to more than 30% of the world’s FinTech companies.

Yet, the country still lacks a federal framework to oversee the FinTech sector. Financial startups are regulated by the laws of individual states making it harder to acquire all the necessary permits to operate across the US. In addition to the local regulations, all FinTechs need to understand the federal legislation that governs the financial industry:

  • Bank Secrecy Act (BSA) governs Anti-Money Laundering (AML) regulations for FinTech companies. These companies must report all suspicious activities and the acquisition of negotiable instruments (cashier checks and money orders).
  • Section 326 of the USA Patriot Act obliges FinTechs to implement Know Your Customer (KYC) procedures. Its Title III obliges FinTechs to implement AML procedures, employ compliance officers for continuous worker training, and assess their KYC/AML programs via third-party audits.
  • The Anti-Money Laundering Act of 2020 (AMLA) has among other things amended the BSA to include requirements for FinTechs to develop risk-based programs to prevent money laundering and terrorist funding.
  • Fair Credit Reporting Act (FCRA) dictates how financial companies collect consumer credit information.
  • Gramm-Leach Bliley Act (GLBA) demands all FinTech companies disclose how they share customer information.
  • Securities Act of 1933 regulates Initial Coin Offerings (ICOs) for American FinTechs. A precedent known as the Howey Test shapes the legal status of an ICO subjecting it to the Exchange Act and the Securities Act if it meets the threshold requirements.
  • Electronic Fund Transfer Act and CFPB Regulation E govern the sphere of payments, requiring FinTechs to resolve transfer errors within 45 days.
  • Truth in Lending Act (TILA) lays out the obligations for credit card holders – defend and enhance credit card disclosures, rate increases, payment allocations, and a reasonable amount of time to make payments.
  • Jumpstart Our Business Startups (JOBS) Act requires crowdfunding platforms to register with the FINRA and SEC, setting the maximum fundraising sums and other limitations. If you run a peer-to-peer (P2P) lending website that is a partner of a traditional bank, your site is recognized as a third party and the bank becomes responsible for compliance. Yet, if you sell loans as securities, your platform becomes subject to SEC oversight.
  • Truth in Savings Act (TISA) includes FinTech requirements on transparent disclosure of fees and interest rates.
  • Electronic Signatures in Global and National Commerce (E-Sign) Act regulates electronic documents and signatures. According to the act, FinTechs are required to supply an option for paper copies, disclosures of electronic documents, and how future electronic contact will be made with the customer.
  • Numerous regulators are responsible for oversight of payment-related FinTechs. They include local governments, the National Automated Clearing House Association (NACHA), and the planned Department of Treasury’s FinTech Council.
  • There are other consumer protection laws that FinTechs like the Fair Credit Reporting ActEqual Credit Opportunity Act, and Home Mortgage Disclosure Act.

This list of legislation is monitored by a vast network of regulatory bodies, each providing oversight for a particular type of financial services.

Regulator Regulation object
Securities and Exchange Commission (SEC) Oversees the American securities market – securities exchanges, investment advisors, mutual funds, dealers, and brokers.
Financial Industry Regulatory Authority (FINRA) Protects investors. Investment and crowdfunding companies must be registered with FINRA and the SEC
Federal Trade Commission (FTC) Watches for “anticompetitive, unfair, or deceptive” actions by B2C companies as well as oversees privacy and data protection responsibilities.
Federal Deposit Insurance Corporation (FDIC) Oversees the American deposit insurance scheme and regulates banks that aren’t subject to the Federal Reserve System.
Consumer Financial Protection Bureau (CFPB) Regulates B2C financial services and takes actions against deceitful or unfair practices.
Financial Crimes Enforcement Network (FinCEN) Administers Anti-Money Laundering (AML) regulations and imposes the terms of AML compliance for financial companies.
Office of the Comptroller of the Currency (OCC) Oversees national banks and accepts applications for special purpose charters from FinTechs that manage deposits, cheques, or engage in lending activities. Companies with the charter have the same compliance requirements as national banks.
Commodity Futures Trading Commission (CFTC) Regulates commodity exchange markets, oversees trading organizations, intermediaries, and similar companies.
State legislations Local regulations vary from state to state. There are some of the attempts being taken at streamlining the complexity of state-level legislation.

The UK

The UK is one of the leading FinTech countries, with over 1,800 startups fighting for the booming market. Yet, like other countries on our list, the UK doesn’t currently have a unified legal framework for FinTechs. British companies are supervised by different regulators depending on the company’s size and the nature of business.

The primary FinTech compliance regulators in the UK are:

Activities like electronic money, investments, deposits, lending, insurance, and payments all require a license. Although crypto-trading platforms aren’t officially regulated, companies operating in the area might want to acquire certain licenses like the E-Money license.

After the start of the pandemic, the government closely monitors crypto assets to mitigate risks and protect consumer well-being. The lockdowns have only emphasized the importance of alternative financial systems, prompting the government to consider adopting new FinTech legislation.

The European Union

The EU is home to almost 2,400 FinTech companies. Although the pandemic has led to a drop in European FinTech funding, many startups are showing steady growth. As a result, the EU regulators are working hard to modernize the FinTech regulatory framework.

Since 2022, all cryptocurrency trading platforms, mobile wallet providers, and startups that manage virtual currency exchange have been coming under closer scrutiny. The trading platforms now have to register with relevant authorities and implement due diligence procedures for anti-money laundering (AML) and know-your-customer (KYC) compliance.

The European regulators are planning to improve financial technology regulations by 2024 in all member states. Among the plans are new frameworks for cryptocurrencies, blockchain, digital identities, and so on.

Here are some of the specific regulations that are being considered:

  • A licensing regime for cryptocurrency exchanges and other crypto-related businesses.
  • Requirements for cryptocurrency exchanges to collect and store customer data.
  • Restrictions on the use of cryptocurrencies for anonymous transactions.
  • Measures to prevent the use of cryptocurrencies for money laundering and terrorist financing.

The European regulators are also considering the development of new technologies, such as blockchain, to improve the regulation of financial services. Blockchain is a distributed ledger technology that can be used to record transactions in a secure and transparent way. The regulators believe that blockchain could be used to create a more efficient and secure system for monitoring and enforcing financial regulations.

The proposed regulations are still in the early stages of development, but they are likely to have a significant impact on the cryptocurrency industry in Europe. The regulations are intended to protect consumers and investors, and to prevent the use of cryptocurrencies for illegal activities. However, they could also stifle innovation in the industry.

Other countries

  • Switzerland is a FinTech powerhouse with full-on government support for the sector. The country’s primary regulator is the Swiss Financial Market Supervisory Authority (FINMA). During the COVID-19 pandemic, the government unveiled a new type of license for FinTech startups that is less strict than the ones for traditional companies.
  • Australia is home to the Australian Prudential Regulatory Authority (APRA) and Australian Securities and Investments Commission (ASIC) which are the industry’s chief regulators. They oversee financial services, crowdfunding, and consumer lending. To take part in such activities, your startup will need to obtain an Australian Financial Service License. Any Australian neobanks must be registered as an Authorized Deposit-Taking Institution. And if you’re dealing with any kind of credit activity, your company will also have to earn an Australian Credit License.
  • China is a powerful FinTech market. Although the government and the People’s Bank of China take an active part in overseeing the sector, the country has no unified FinTech regulatory framework. In 2019, the government started a pilot sandbox mode for 7 cities including Beijing.

How to become compliant?

#1 It is recommended that you seek legal advice prior to taking any action.

Compliance is a complex and costly matter, so it’s critical to ask for legal advice before you make any important decision. Book an appointment in advance with a competent lawyer to learn about the regulatory FinTech requirements your company will face and how to fulfill them.

Compliance is a complex and costly matter. It is critical to seek legal advice before making any important decisions.

Schedule a consultation with a qualified lawyer to learn about the regulatory requirements your FinTech company will face and how to comply with them.

Here are some of the specific benefits of seeking legal advice for FinTech compliance:

  • A lawyer can help you understand the relevant laws and regulations.
  • A lawyer can help you develop a compliance program that is tailored to your specific business.
  • A lawyer can help you avoid costly fines and penalties.
  • A lawyer can help you protect your company from legal liability.

If you are a FinTech company, it is important to take compliance seriously. By seeking legal advice, you can protect your company and avoid costly mistakes.

#2 Evaluating Your Service Offerings and Data Collection Strategies

There is no single, clear path to FinTech and compliance. Until governments implement a unified legal framework, financial companies have to take the case-by-case approach regarding the licenses they need to acquire:

  • Money Transmitter License (MTLs) is a must-have for any US company engaging in selling/issuing payment instruments/stored value, and/or receiving money for transmission. The process and the rules vary from state to state and can take a lot of time and money.
  • Money service business (MSB) registrations are typically required for e-wallets, peer-to-peer transfer, and mobile payment platforms. These companies have to register with the Treasury Department, implement an AML program, prepare Currency Transaction Reports, and Suspicious Activity Reports.
  • BitLicense is a requirement for virtual and crypto currencies. It is granted by the New York State Department of Financial Services (NYSDFS) for businesses that work with NY state residents.
  • Offerings through Reg A for businesses that offer securities or alternative investment options are subject to less strict reporting requirements. Reg D outlines similar rules for private placements and smaller businesses, reducing the complexity of SEC reporting. FinTechs that go through funding rounds are obliged to register with relevant authorities and follow these requirements before the launch.

#3 Implement Anti-Money Laundering and CFT procedures from day one

AML programs must be developed well before you start providing financial services. In 2020, Financial institutions around the world were fined $10.4 billion due to violations in AML, KYC, and due diligence. As FinTechs tend to start small and innovate quickly, they might create a gap for unmonitored transactions which leaves them open for regulatory sanctions.

P2P lending platforms, in particular, should ensure their services are protected from criminal activity. According to the US government, more than $100 million of stolen funds have been laundered in 2020 via America’s top four P2P investment platforms. So it’s crucial to implement AML procedures to protect your business from reputational fallout.

#4 Build a scalable compliance program

Fast-growing FinTechs need to ensure their compliance programs are keeping up with the increase in transaction volumes. KYC procedures are essential because your customer base might expand quickly to include new types of users with different requirements. The increased transaction volume requires changes to reporting and dispute processing.

KYC procedures should be applied to transactions of any size to prevent the funds from going to illegal or terrorist activities. Avoiding this responsibility is sure to result in quick regulatory action.

Employing a dedicated compliance officer is another good practice to have in your company from the very beginning.

And remember – compliance isn’t a one-off task, so ensure you have enough resources to handle it continuously.

#5 Consider RegTech partnerships

In some situations, it might be reasonable to partner with an established company that has already obtained all the relevant licenses.

Regulatory Technology (RegTech) is one of the top FinTech trends that shape the industry. This industry applies the Software as a Service principle to FinTech compliance practices. RegTech companies provide advisory and guidance services focusing on the biggest risk areas in FinTech:

  • Online libraries of compliance regulations.
  • Software for planning compliance activities, gathering resources, and reacting to new regulations.
  • Tools for monitoring and auditing transactions for suspicious activity.
  • Automated risk assessment and reporting tools to determine the risk exposures and asset qualities.
  • Online due diligence and data security tools to prevent data leaks and fraud.
  • KYC tools for managing customer identities.
  • Regular AML checkpoints for high-value and politically exposed clients.
  • Real-time dashboards for monitoring the company’s current state of compliance.

RegTech companies can become valuable partners for early-stage FinTechs that need to navigate the complex regulatory landscape. As your startup matures, however, it becomes important to have all the required compliance expertise in-house.

#6 It’s important to be mindful of what lies ahead.

FinTech regulations are still in their infancy and evolving at a rapid pace. As governments around the world are working to produce unified FinTech standards, businesses will have to keep their eyes peeled for any changes in regulations.

Some countries like the UK have implemented the so-called regulatory sandboxes that allow FinTechs to experiment in regulated test environments. This allows government agencies to get a deeper understanding of FinTech while providing detailed regulatory guidance to the participating business.

Although a similar practice is yet to be established in the US, there are already some steps in the right direction.

In 2018, The Treasury and the Consumer Financial Protection Bureau (CFPB) published independent reports that propose the creation of sandboxes. The same year saw Arizona pass the first state-level sandbox law. In 2019, Wyoming followed suit together with West Virginia, Nevada, and Utah. At the time, Washington DC is actively considering the sandbox legislature.

The road to fintech compliance

Conclusion

The article provides a short, yet comprehensive overview of FinTech compliance regulations around the world. The path to compliance is difficult. Yet, it is within your reach if you do your homework.

The landscape is shifting constantly, so it’s important to stay updated on the latest changes in regulations. As governments around the world are working to create a better legal framework, there’s a big hope for simpler compliance among FinTech founders.

Fintech Policies has been working with financial companies, helping them jumpstart their compliance process with policy templates as well as RFP templates for software acquisitions. So if you need some advice or a team of experts to implement your project, we’ll be happy to assist you. Just fill out the contact form and we’ll arrange a free consultation with our team of consultants.