United States: Where Disruption Meets Regulation

In southeast Asia, a wide range of businesses from retailers to ride hailing companies, as well as traditional financial institutions, are poised to harness technology to launch, or collaborate with fintech companies to offer, payments, lending, wealth management or insurtech products regionally.

Yet regulatory compliance is often an afterthought. A failure to plan for, and adapt to, rapid changes in financial services regulation and the resulting financial and reputational implications of breaches of such regulation can all have disastrous consequences. These are critical considerations for all fintechs planning cross-border rollouts, as well as for other businesses considering commercial partnerships with fintechs in this region.

Regulators welcome innovation but regulatory requirements remain high

There is little doubt that the financial services industry in southeast Asia is in the process of being "disrupted" by new business models, new market participants and new products, but this is only part of the story. Financial services regulators are tasked with the dual role of ensuring that customers are adequately protected whilst at the same time encouraging financial inclusion, especially through innovation. Until relatively recently, many regulators in the region have been playing catch up with technological developments in the financial services sector and the regulatory infrastructure has not kept pace with innovation, which, in certain jurisdictions, has led to a certain amount of paralysis and uncertainty. This is, however, beginning to change.

Many financial services regulators in ASEAN countries are engaging with innovators in regulatory sandboxes as part of a broader remit to increase financial inclusion and move to a cashless economy, and a new wave of regulation is being implemented in many countries in southeast Asia to respond to innovation in the payments, lending and crowdfunding sectors in particular.

In addition, fintechs and those partnering with them must also comply with a host of other regulations that impact on their businesses; from licensing restrictions tied to foreign ownership caps to data privacy and localisation laws as well as general anti-money laundering reporting requirements.

The real challenge for fintech innovators is therefore not only to innovate and seek commercial partnerships for the distribution of their financial services offerings – a theme that we covered in our 2018 IFLR fintech special report, but also to create a holistic approach to compliance that will grow and respond positively to the changes in regulation in their target markets.

In this article, we outline some critical areas in which fintech innovators, and businesses that may seek to partner with them, potentially expose themselves to future regulatory risk. These areas should be considered as early as possible when planning a fintech product or distribution joint venture.

Monetising customer data in a data privacy minefield

Customer data plays a key role in the fintech economy. In addition to its immediate use in individual transactions, the collection, processing and analysis of sets of customer data can provide invaluable market insights to help a business develop new products, identify third party synergies and focus marketing efforts.

Lending platforms in particular have benefitted from the acquisition of detailed customer databases. By applying deep learning techniques to these datasets, platforms are able to generate accurate, highly-granular individual risk profiles and credit scores that enable accurate and rapid risk pricing for individuals, thus opening up previously underserved markets in countries like the Philippines and Indonesia.

Indeed, customer databases are often the most valuable asset on a fintech's balance sheet and the size, quality and transferability of data assets are increasingly the focus of interest (and careful diligence) by investors and potential acquirers.

However, data can be a double-edged sword – the collection, processing, retention, protection and sharing of personal data are heavily regulated. Recent years have seen a proliferation of cyber security and data protection laws – with China, Singapore, South Korea, Japan, Australia, Malaysia, Indonesia and the Philippines all introducing or updating compliance rules and Indonesia and India taking important steps toward statutory regulation.

The net effect is a patchwork of different regulatory regimes across southeast Asia. This is compounded by the extra-territorial reach of the EU's General Data Privacy Regulation (GDPR), which can apply to southeast Asia fintechs catering to local customers who are European nationals.

The infrastructure and manpower costs of achieving regulatory compliance when operating a platform across multiple jurisdictions can be substantial. Given the relatively light policing and minor penalties imposed by many southeast Asian jurisdictions, some early-stage fintechs have taken the view that it is cheaper to ask for forgiveness than to foot the costs of compliance. However, this is a false economy. It merely stores up the problem for the future, where the costs and difficulty of rectification might even outstrip the value growth of the business. A platform's hard-earned goodwill and reputation might easily be destroyed by a single data breach – particularly as more jurisdictions (such as the Philippines, China, Indonesia and Singapore) impose mandatory breach notifications.

A more advisable approach is for fintechs to work with privacy and data security specialists to build compliance into the platform from the ground up. In particular, fintechs should: " obtain adequate consents from customers when data is collected;

  • conduct adequate diligence on the provenance of third-party data sources;
  • develop a privacy policy tailored to the platform and ensure that any sharing of data from the platform complies with that policy;
  • avoid collecting and retaining personal data for which the business has no legitimate need and wherever practical, anonymise and/or tokenise datasets; and
  • be particularly wary of incorporating unverified scripts and other elements into the platform when collaborating with third parties.

Customer loyalty and digital wallets in the context of payments systems regulation

In the payments sector in southeast Asia, there is a trend towards creating consumerorientated end-to-end payment systems that remove many steps and actors from the traditional payment and settlement process.

Payment for goods and services using emoney by scanning a QR code at the point of sale has spread from China to much of southeast Asia. This in turn is helping to promote the wider use of e-wallets and emoney and also fits with financial regulators' desire to promote cashless transactions.

Blockchain technology is already available that can facilitate the interoperability of ewallet providers, while also potentially allowing consumers to carry out frictionless peer-to-peer payments or remittances. Adding elements of convertibility or exchange with points-based customer loyalty systems can also help businesses achieve customer engagement and obtain access to deeper customer data.

However, regulation in this area remains segmented along national lines and tends to view with suspicion payments and settlement systems that run independently of the traditional banking system. For instance, in Indonesia, the 2018 Electronic Money Regulation imposes foreign ownership limits on system operators and requires operators to either choose between providing "front end" or "back end" elements of the system, but not both. In Singapore, the new Payment Services Act has a narrow safe-harbour in which "limited purpose e-money" (or digital tokens carrying out a similar function) is allowed to operate before requiring full licensing as a payments system provider.

The regulatory uncertainty becomes even more pronounced if blockchain technology is brought into the equation, with countries like Malaysia now stipulating that all digital tokens must be regulated as investment securities, and others such as Singapore, regulating so-called "stablecoins" potentially as both debt securities and as payment instruments.

Businesses focused on this sector should therefore recognise that expansion of products and services in southeast Asia must be done incrementally, and that due to greater regulatory requirements, commercial partnerships or strategic joint-ventures with incumbents may be a key component of a disruptive business model.

Friction-less customer acquisition and the dangers of mis-selling

Financial services have been sold online for a number of years. However, the ability to proactively market financial services to consumers, though smartphone apps based on customer data and behavioural analytics, is set to transform the way in which financial services are marketed and sold.

Similar to how many supermarkets or retailers in the UK developed financial services joint-ventures with retail banks in the late 1990s, in a number of southeast Asia countries we are seeing banks and insurers actively partnering with online retailers or platforms to extend their reach and customer base. However, the flip-side to greater reach and customer conversion is increased regulatory risk, which in the absence of selfregulation by the fintech industry is likely to result in stricter regulatory standards being imposed by regulators and legislators.

  • Compliant product distribution: Putting in place a network of licensed distribution partners in multiple countries in southeast Asia is challenging. The regulatory framework in many countries in this region for certain types of products such as life insurance, is still largely based on face to face sign-ups using licensed agents. Financial institutions looking to extend their reach through digital platforms to new customer segments need to demonstrate that due attention has been applied to respecting the spirit of these regulations when designing the customer sign up and onboarding process. This should also be reflected in the minimum compliance standards set out in distribution arrangements.
  • Disclosure of commission: The ease and convenience of offering and selling financial services such as lending or wealth management through, for example, an online shopping app, does not necessarily mean that these products ought to be sold in the same manner as other products on the platform. For instance, in EU countries there is a trend to require clearer disclosure of all referral fees, commissions and other fees earned by intermediaries. This has consequently required changes to many distribution models. Fintech businesses in southeast Asia may wish to consider carefully how any future implementation of stricter rules on disclosing fees and commissions may adversely affect the fee models for their services.
  • Product description and eligibility: Targeting and soliciting potential customers for financial services based on individual customer data can sometimes lead to a blurring of the lines between education about the type of product and selling a product that is suitable for the customer's circumstances.

    In some Asian markets, fintech products such as peer to peer lending or roboadvisory services are the first time that consumers may have been given access to such financial services. For instance, if a potential customer is presented with a maximum borrowing amount on a lending platform, should the platform operator also be obliged to check that the customer understands whether or not they can afford to service the loan?

    In Indonesia, the peer-to-peer lending sector has already been tainted by reports of irresponsible lending, with the country's regulator, the OJK, taking action to restrict the issue of new licences and remove licences from blacklisted operators.

If large numbers of customers in a particular market later complain that the product does not deliver on the benefits presented to them during the sign-up process, or that the potential negative aspects of the product were not made clear, the regulatory response could be catastrophic and could lead to whole categories of products becoming outlawed across multiple markets.

This has already occurred in the US with sub-prime mortgages and in the UK with payment protection insurance. The balance between sensible self-regulation and deterring customer sign-up is difficult, but one which all fintechs must achieve.

Outsourced system providers – the dangers of a data breach

Most fintech businesses require an extensive IT infrastructure to operate. The capital cost and management time involved in purchasing, installing and maintaining the necessary hardware can be substantial – particularly for an early-stage fintech. Moreover, self-owned systems can impede agility – it can be difficult to rapidly scale such systems up or down in response to business needs.

Fintechs often look to address these issues by entering into outsourcing arrangements with cloud providers and other outsourced service providers (OSPs). OSPs offer a wide variety of services that may be of interest to a fintech, including virtual servers, storage, compute, backup and payment gateways. Typically, these services can be rapidly implemented and subsequently scaled as necessary to speedily bring the fintech's product to market.

However, outsourcing functions to an OSP often necessitates the transfer of personal data, transaction information and other sensitive data to the OSP . This, coupled with the inevitable reduced visibility of and control over the outsourced systems by the fintech, leads to an increased risk that the transferred data might be subject to unauthorised access, processing or transfer. As a consequence, such arrangements can lead to increased regulatory risk.

In addition to general privacy laws (mentioned above), many jurisdictions have imposed sector-specific rules on regulated entities in the insurance, banking and securities sectors. Sector-specific regulations vary widely from jurisdiction to jurisdiction. Some are rather detailed and prescriptive (for example, the outsourcing rules issued by MAS in Singapore and the HKMA in Hong Kong), whereas others simply set out high-levelprinciples.

The lack of harmonisation in both privacy laws and sector-specific regulations can be a challenge for fintechs operating across multiple jurisdictions. In the interests of efficiency and consistency, many fintechs try to identify the operating jurisdiction with the strictest regulations and apply that high water mark across all of their local operations. However, this approach is becoming increasingly complicated by recent regulatory trends requiring data users to localise, store and process personal data in-country (for example in Indonesia, Malaysia, India and China).

One particularly important regulatory requirement is the obligation to report data breaches to the regulator. This is becomingincreasingly common in the region – many jurisdictions (including the Philippines, China, Indonesia and Singapore) now impose mandatory breach notifications on data users. A business with operations in more than one jurisdiction may find itself required to report a breach to multiple regulators. The lack of harmonisation between jurisdictions on key matters such as materiality thresholds, process and form of report can make it difficult for a fintech to ensure compliance, particularly in the light of the very short prescribed statutory notification deadlines.

Attempting to pass through regulatory risk to the OSP is not a viable solution. Many regulations impose strict liability on the fintech as a data user and, historically, many OSPs (particularly in the cloud and virtual server space) have operated using non-negotiable standard terms with extensive liability disclaimers. That said, some OSPs are now actively targeting potential banking and fintech companies with less one-sided agreements backed up by service level agreements and meeting minimum standards imposed by regulators. A better approach is to plan ahead and choose carefully. Fintechs should:

  • work with privacy and data security specialists to develop detailed data security policies;
  • conduct appropriate diligence before engaging OSPs;
  • conduct regular testing after engaging OSPs;
  • develop breach policies and procedures; and
  • wherever practical, encrypt and/or tokenize datasets at rest and in flight.

The long-arm of the law: extraterritoriality in financial services regulation

In southeast Asia, an increasingly geographically mobile population together with the cross-border nature of many fintech products results in a significant risk to fintech businesses of falling foul of financial regulation in countries in which they had not anticipated launching.

When compared with the EU, the level of mutual recognition of licensing requirements in ASEAN countries is very low. Furthermore, in many countries, there are restrictions on foreign entities offering financial services products to their citizens – for example, all emoney operators in Indonesia must not be more than 49% foreign-owned. Other fintech focused legislation, such as Singapore's 2018 Payment Services Act, or Thailand's 2018 decree on Digital Assets Businesses, has introduced specific offences aimed at entities that solicit customers in their respective countries without having the requisite licences.

The issue for fintechs therefore becomes whether it is sufficient to rely on terms and conditions that list the jurisdictions in which users are permitted to access their services and rely on users to comply with those restrictions, or whether clearer monitoring and active exclusion of customers from all non-licensed jurisdictions is required. The latter approach is likely to be preferable for three reasons:

  • Maintaining an unblemished record with a future regulator: asking for forgiveness from a regulator once a product has gained traction in a market is an extremely risky strategy, especially when domestic operators are also trying to demonstrate regulatory compliance and may enjoy strong relationships with their domestic regulator.
  • Avoiding issues with home regulator: in our experience, even in a common market such as the EU, home regulators may be concerned where a financial services company is predominantly serving customers based outside its jurisdiction. Regulatory complaints made in other jurisdictions are likely to find their way back to the home regulator, which may result in closer scrutiny over a business's overseas expansion plans.
  • Anti-money laundering: the Financial Action Task Force (FATF) has published a number of recommendations on the level of know-your-customer checks that countries should apply to their financial technology sectors. Most recently, in their February 2019 statement on mitigating risks from virtual assets, the FATF recommended a $/€1,000 limit above which full client due diligence should be conducted. In this context, it is becoming largely unsustainable for a fintech to argue that it does not hold full and up to date information on a client's identity, since a fintech should have verified the client's address and therefore country of residence and citizenship as part of its due diligence.

Overall, in southeast Asia, we are rapidly seeing that grey areas of regulation are giving way to clear principles on how financial services regulation is responding to fintech innovation. The most sustainable fintech businesses will be those that adopt a holistic approach to compliance with all aspects of regulation that touch upon their businesses, and also which develop their products, backend systems, strategies and commercial partnerships in a way that can respond to likely future regulatory changes.

Mofo Tech Blog - A blog dedicated to information, trend-spotting & analysis for science & tech-based companies

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
 
In association with
Related Topics
 
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions