Fintech Flash
December 17, 2024

Compliance Covenants in Fintech Investment Side Letters

Fintech companies that partner with banks to deliver financial products and services can be among the most compliance-fortified financial services companies. A fintech with a lending solution can operate with at least seven lines of compliance defense:

Seven Lines of Compliance Defense

First: The fintech’s own internal compliance function, which does the lion’s share of the compliance work: the work-up of the program’s products and services and ongoing compliance.
Second: The fintech’s outside counsel, which provides compliance support to the fintech and is often called on to advise on complex legal questions presented in the fintech’s development of program products and services.
Third: The compliance function of the fintech’s partner bank, which collaborates on, reviews, monitors, and controls all aspects of the program compliance-wise, including product and service development, customer-facing agreements and disclosures provided to users, fees charged, marketing materials used, and compliance reports submitted by the fintech.
Fourth: The partner bank’s outside counsel, which supports the bank’s program compliance reviews, providing another take on complex legal questions.
Fifth: The compliance consultants engaged by the partner bank to perform annual compliance audits on the fintech and the program, including audits of the fintech’s compliance management system and anti-money laundering program, and the entire program’s credit model from a fair-lending perspective.
Sixth: The fintech’s investors and the compliance due diligence they and their outside counsels conduct before investing; more on this in the next section.
Seventh: When a third party or the fintech acquires program loans, receivables, or some other interest in the loans, the lender that provides the loan facility drawn down on to acquire the loans, receivables, or other interest will, with the help of its outside counsel, perform its own compliance due diligence on the program and the loans made to users before closing the facility.

That’s seven different trained, long-compliance eyes on a loan program’s products and services. At each level, there will be any number of compliance enhancement suggestions made by the bank, investor, or lender, or their counsels or consultants, that are ultimately incorporated into the program. This compliance gold plating results in a compliance-reinforced fintech.

The remainder of this Flash focuses on the synergies created by the convergence of the first and sixth lines of defense, which are bolded above for ease of reference. 

Management Side Letters

Lead investors are not only a financial source of strength for the fintechs they invest in but can also be a source of compliance knowledge and benchmarking, having considerable institutional compliance awareness gleaned from their portfolio fintechs and deals due diligenced but passed on. Indeed, a number of our investor clients have general counsels who were leading fintech regulatory lawyers in private practice.

Compliance can be complicated and costly. Investors understand that a fintech’s compliance can be on a continuum. As the business scales and becomes more complex, funds raised in early rounds are often deployed to obtain state licenses, hire a chief compliance officer, or establish or enhance a compliance management system.

Significant investors sometimes enter into management side letters with fintechs in connection with their investments. These letters cover things such as board seats (or observation rights) and information rights (e.g., sharing of financial statements). If funds raised are earmarked for compliance enhancements, the investor may look to include a compliance covenant in the side letter that serves as a guidepost for the enhancements. The trick with covenants like this is to not be overly prescriptive. Investors make investments as much for the capabilities of senior management as the prospects of the business. Not wanting to get in the way of management operating the business and understanding that initiatives such as hiring the right compliance officer and building a comprehensive compliance management system take time, compliance covenants should be reasonable as to time and business judgment.

Here's a sample compliance covenant for a side letter:

Compliance Covenant

  1. The Company will use commercially reasonable efforts to hire and maintain a chief compliance officer with at least five (5) years of experience in (i) compliance with federal, state, and local [insert areas of law most implicated by the business, e.g., consumer lending/loan broker and debt collection laws] laws and (ii) developing and administering compliance management systems (“CMS”) within one hundred and eighty (180) days of the Closing.
  2. The Company will use commercially reasonable efforts to develop, implement, and maintain a CMS consistent with guidance provided by the Consumer Financial Protection Bureau (“CFPB”), including the CFPB Supervision and Examination Manual, within three hundred and sixty (360) days of the Closing. The Company’s CMS will have two interdependent control components: (i) board and management oversight, and (ii) a compliance program, including policies and procedures, training, monitoring and audit, and consumer complaint response. The monitoring and audit component of the compliance program will begin within one hundred and eighty (180) days following the implementation of the CMS and will include periodic internal compliance with law audits and an annual external compliance with law audit. The annual external compliance audit will be completed by an experienced third party that conducts such audits as one of its primary services. Any findings made by such internal or external audits will be promptly addressed by the Company.
  3. Within sixty (60) days of the Closing, the Company will engage a nationally recognized law firm or state licensing consultant that conducts licensing analyses as one of its primary services to perform a formal, written fifty (50) state (including the District of Columbia) and local [insert subject matter, e.g., consumer lender, loan broker, debt collector] licensing analysis. The Company will use commercially reasonable efforts to cause the firm or consultant to provide its final, written analysis to the Company within one hundred and twenty (120) days of the Closing, indicating licensing risk by jurisdiction. The Company will use commercially reasonable efforts to apply for such licenses it reasonably deems necessary or appropriate within one hundred and eighty (180) days of the Closing.

Naturally, you should work with your attorney when drafting a compliance covenant, and its content will vary based on its underlying facts and circumstances. Again, the hallmark of a workable compliance covenant is sufficient leeway for management to run the business in a manner that appreciates the complexities of compliance.


Goodwin’s Fintech Team

Our Fintech team counsels fintech companies, banks, investors, and other participants in the fintech space on transactional, enforcement and regulatory matters, including state licensing, product and service development, establishing and maintaining compliance management systems, and conducting deal due diligence. Representing the various participants uniquely positions us to provide actionable risk and market-based advice to our clients. Our team is led by partners Crystal Kaldjob, Kim Holzel, Alex Callen, Danielle Reyes, Sammy Tang, and Mike Whalen. The team represents one-third of the fintechs on Forbes’ Fintech 50 list and is highly ranked by Chambers and Legal500.



This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.