Freshfields recently hosted a U.S. Fintech Hot Topics Webinar to highlight on-the-ground insights from our Antitrust and Competition, Data Privacy and Security, Financial Services Regulatory, and Transactional teams. The fintech sector has recently seen a return to explosive growth and is expected to continue growing rapidly notwithstanding regulatory and economic headwinds. Our top takeaways from the panel discussion are below, and the full recording is available here.
Financial Regulatory
The U.S. May Soon Catch Up on Open Banking
The CFPB proposed a long-awaited rule in October 2023 requiring financial institutions to provide consumers and authorized third parties with access to their financial data. The comment period closed at the end of December, and CFPB Director Rohit Chopra has stated that he expects the agency to finalize the rule in 2024. Other jurisdictions that have implemented open banking have seen significant shifts in the provision of financial services (for further details, see our analysis here). While the final form of the CFPB’s rules remains to be seen, we expect the arrival of open banking could be similarly disruptive—and present similar opportunities—in the U.S.
Fintech Partner Banks Face Significant Regulatory Pressure
The Federal Reserve, FDIC, and OCC have announced a string of enforcement actions against high profile fintech partner banks and continue to emphasize the risks of third-party partnerships in public statements. Anecdotally, we have also seen a significant uptick in agencies’ scrutiny of fintech relationships during exams of partner banks. Fintechs incorporating a bank partnership in their business model should engage early and often with their partner to identify and address any regulatory concerns that may emerge.
Fast-Growing Market Segments Continue to Challenge Regulators
SEC approval of Bitcoin spot ETFs has led to surging crypto prices and surging institutional interest in meeting clients’ demand for crypto services. Expect pressure on regulators and Congress to continue to build in this area, as the federal banking agencies continue to make digital asset-related activities nearly impossible for banks, and legislation to create a regulatory framework for digital assets has stalled. The explosion in buy now, pay later (BNPL) also has regulators playing catch-up. Regulatory approaches differ significantly across states, and several states have pending legislation that would adopt BNPL-specific regulatory requirements. Federal regulators have mostly stayed out of the fray, but recent releases from the CFPB and OCC highlight potential concerns. Federal regulators may engage further if this segment continues to grow.
Data-Related Trends
U.S. Privacy Law Regimes Are Expanding
Fintechs operate at the intersection of different privacy law regimes in the U.S., and these different regimes are becoming increasingly complex. Beyond specialized financial-sector regulatory requirements (such as the Gramm-Leach-Bliley Act (GLBA)) and credit/consumer reporting laws (such as the Fair Credit Reporting Act), there is a growing wave of comprehensive state consumer data privacy laws, such as the California Consumer Privacy Act. As a result, fintechs operating outside the realm of traditional financial institutions are facing greater data privacy obligations, including requirements to allow consumers to access, correct, and delete their personal information.
Consumers Gain Greater Control Over Data Disclosures
State consumer data privacy laws are also giving consumers new rights to limit certain types of disclosure of their personal information, such as restrictions on “sale” of personal information (which might not necessarily involve any monetary consideration, depending on the state law) or use or disclosure of personal information for targeted advertising. However, there is a countervailing trend of data portability, in which state consumer data privacy laws give consumers the right to receive a copy of certain data in a machine-readable format that may be transmitted to another entity at the consumer’s request. This data portability theme is also present in the CFPB’s proposed open banking rules, discussed above. Both of these trends reflect a move toward providing consumers with greater control over disclosures of their personal information.
Automated Decision-making Faces New Requirements
State consumer data privacy laws give consumers the right to opt out of certain automated decision-making and profiling for decisions that have legal or other similarly significant effects, such as the provision or denial of financial and lending services. Formal data privacy assessments are also now required for higher-risk types of processing, including profiling and automated decision-making. These developments will be important for fintechs seeking to apply artificial intelligence (AI) and similar technologies in making lending and similar decisions, especially where they are not already subject to laws like the GLBA.
Licensing of Technology Transactions
Intellectual Property Protection Is Critical
Protecting intellectual property (IP) rights in fintech collaborations can be challenging, given the fast-paced nature of the industry and complexity of the technology. As a first step, companies should identify their IP assets and assess their value to the business. Depending on the nature and scope of the fintech collaboration, companies may want to exclude certain IP from the collaboration or expressly retain certain exclusive rights with respect to a subset of IP assets. Prior to entering into a fintech collaboration, companies should clearly outline the parties’ expectations with respect to ownership and the parties’ respective rights to their background IP as well as any IP arising out of the collaboration. Joint ownership of arising IP may seem like a simple, fair solution but can ultimately introduce complexities into the future development or commercialization of fintech innovations. Additionally, each party’s rights as a joint owner may vary by the type of IP and jurisdiction.
Parties Should Address Data Use Rights
Data rights are an important issue in fintech transactions. Fintechs should be prepared to discuss the value of their data and the rights they possess with respect to their data, including whether all required and advisable consents and permissions have been obtained. To the extent feasible, fintechs should also map out the data flows for a given partnership or transaction, showing how and where the data is stored and shared and what geographies are implicated.
Antitrust
Fintech Is in the Global Antitrust Spotlight
Increased fintech investment and M&A, coupled with historically high levels of antitrust enforcement, have created an environment ripe for scrutiny by antitrust agencies. As with pharma and Big Tech, the fintech industry is fast-evolving, engages directly with consumers, and collects an immense amount of financial and consumer data. Fintech investment and M&A will also undoubtedly intersect with AI, another area of regulatory concern. This complex regulatory landscape is further complicated when executing cross-border payments or transactions. For example, on the M&A side there are over 140 global merger enforcement regimes with different jurisdictional thresholds.
Defining the Outer Bounds of the Market Is Key
Agencies can interpret market definition and the parties’ market share using a number of different sources (e.g., documents or industry interviews) and methodologies (e.g., by revenue or transaction volume share) in order to analyze overlaps or potential for competitive harm. How narrowly or broadly agencies choose to define the outer bounds of the market is key to determining whether any particular transaction may raise competition concerns. For example, in the ICE / Black Knight transaction, the FTC concluded there would be harm in the loan origination software market, where the parties allegedly were the two largest players.
In addition, and of relevance for fintech transactions, authorities are increasingly scrutinizing build v. buy decisions to determine whether a deal would eliminate new or potential entrants that represent a nascent competitive threat to an incumbent.
Account for Antitrust Risk When Negotiating Deal Terms and Contemplating Remedies
There are several contractual levers that allow parties to allocate antitrust risk in M&A deal terms. Regulatory efforts obligations, break fees, and longstop dates all can shift risk between buyer and seller depending on the extent of antitrust risk. However, merging parties must first understand potential risk areas for these provisions to be effective. Companies should be proactive in contemplating whether there are remedies that would address potential agency concern.
Take Care Over Document Creation
Companies should assume that, if a transaction is investigated, authorities will see all documents that are created, including emails, presentations, reports, messages, and texts related to the business practices at issue. Internal company documents, especially those that illustrate or inform management and board decision-making, significantly influence authorities’ decision to challenge a transaction or business practice.