
Copyright SJKP LLP Law Firm all rights reserved

Payments Regulation: What U.S. Fintech and Payment Firms Must Know



Payments regulation in the United States requires companies that process, transmit, or facilitate payment transactions to satisfy an interlocking framework of federal and state requirements, including Bank Secrecy Act obligations, state money transmitter licensing, and OFAC sanctions screening.

The payments regulation landscape has grown substantially more complex as fintech companies have expanded into digital asset payments, and the cost of non-compliance has risen sharply as regulators have increased both the size of civil penalties and the frequency of enforcement actions.


1. BSA/AML and OFAC Compliance


Payments regulation BSA/AML compliance requires payment firms to maintain written anti-money laundering programs, file suspicious activity reports, and screen all transactions against OFAC sanctions lists, with failures in any area exposing the company to substantial civil and criminal penalties.



How Should Payment Firms Build BSA/AML Programs to Satisfy FinCEN?


A money services business, payment processor, or fintech platform that is subject to the Bank Secrecy Act must maintain a written anti-money laundering program that includes internal controls, independent testing, a designated compliance officer, and ongoing training for all customer-facing personnel. AML compliance counsel advising on BSA/AML program design must evaluate whether the company's transaction monitoring system is calibrated to detect the patterns of suspicious activity that are most likely to occur given the company's customer base and transaction types, and whether the company's suspicious activity report filing process satisfies FinCEN's requirements for timely identification and reporting.



How Should Payment Firms Use Voluntary Disclosure to Cut OFAC Fines?


A payment company that discovers a potential OFAC sanctions violation must evaluate whether to make a voluntary self-disclosure to OFAC before the agency independently discovers the violation, because OFAC treats voluntary self-disclosure as a significant mitigating factor that can reduce the applicable civil monetary penalty by up to fifty percent. Financial crime counsel advising on OFAC enforcement response must evaluate whether the violation was egregious or non-egregious under OFAC's published penalty guidelines, and whether the company's voluntary disclosure is supported by a credible root cause analysis and remediation plan.



2. Regulation E and CFPB Consumer Protection


Payments regulation consumer protection compliance requires satisfying Regulation E's error resolution and unauthorized transaction liability rules while defending against CFPB UDAAP investigations that can result in large civil penalties and restitution orders.



How Should Payment Firms Defend Regulation E Consumer Dispute Claims?


A financial institution or payment service provider that receives a Regulation E error notice from a consumer must complete its investigation within the applicable time limits and provisionally credit the consumer's account while the investigation is pending. Consumer financial protection bureau counsel advising on Regulation E compliance must evaluate whether the company's error resolution procedures satisfy the timing and investigation requirements of Regulation E, and whether the company has adequate evidence to deny an error claim based on the consumer's failure to report the unauthorized transaction within the applicable time limits.



Why Must Payment Companies Defend CFPB UDAAP Investigations Early?


A payment company subject to CFPB supervision must ensure that its fee disclosures, marketing materials, and customer service practices do not contain any representation that is unfair, deceptive, or abusive to consumers, because UDAAP violations can result in civil penalties, restitution to affected consumers, and reputational damage that affects the company's ability to maintain banking relationships. Fintech counsel advising on CFPB supervisory examination preparation must evaluate whether the company's fee structures are disclosed in a manner that is clear, conspicuous, and accurate, and whether any marketing claims about the company's services are substantiated by the company's actual performance.

 



3. Money Transmitter Licensing and Financial Standards


Payments regulation state licensing requirements impose substantial compliance burdens on fintech companies, and operating without required money transmitter licenses exposes a company to criminal liability for unlicensed money transmission.



How Should Fintech Companies Navigate Multi-State MTL Requirements?


A fintech company that processes payments for customers located in multiple states must obtain a money transmitter license in each state where its business activities constitute money transmission under the applicable state law. Banking laws counsel advising on state money transmitter licensing must evaluate whether the company's business model constitutes money transmission in each state where it operates, and whether the company qualifies for any exemptions from money transmitter licensing that are available in particular states.



What Financial Standards Must Payment Firms Satisfy for MTL Bonding?


A money transmitter licensee must satisfy the net worth, permissible investment, and surety bond requirements imposed by each state in which it holds a money transmitter license. Banking and financial institutions counsel advising on MTL financial compliance must evaluate whether the company's permissible investments in each state satisfy the applicable requirements for asset type, quality, and geographic allocation, and whether the company's financial condition is accurately reflected in the annual reports and audited financial statements that each state requires as a condition of license renewal.



4. Digital Asset Payments and PCI DSS Security


Payments regulation is rapidly evolving to address stablecoin and cryptocurrency payment obligations, and payment companies handling card data must also satisfy PCI DSS requirements for protecting cardholder data against unauthorized access.



How Should Payment Firms Classify Stablecoins under U.S. Payment Law?


A payment company that processes stablecoin or cryptocurrency transactions must determine whether those activities constitute money transmission under federal or state law, and must also evaluate whether the digital assets it accepts or transmits are subject to commodity, securities, or banking regulation. Stablecoin regulation counsel advising on payments regulation compliance for digital asset transactions must evaluate whether the company's stablecoin activities are subject to FinCEN's money services business requirements, and whether any state money transmitter licensing obligations apply to the company's digital asset transmission activities.



When Should Payment Firms Review PCI DSS after a Data Breach?


A payment company that experiences a data breach affecting cardholder data must immediately engage a qualified security assessor to determine the scope of the breach, assess its current PCI DSS compliance status, and develop a remediation plan addressing the vulnerabilities the attacker exploited. Anti-money laundering and cybersecurity counsel advising on post-breach payments regulation compliance must evaluate whether the breach resulted from a failure to satisfy any specific PCI DSS requirement, and whether the company's contractual obligations to its acquiring bank and payment network require it to notify the network and the bank within specified timeframes after discovering a breach.


10 Apr, 2026


The information provided in this article is for general informational purposes only and does not constitute legal advice. Prior results do not guarantee a similar outcome. Reading or relying on the contents of this article does not create an attorney-client relationship with our firm. For advice regarding your specific situation, please consult a qualified attorney licensed in your jurisdiction.
Certain informational content on this website may utilize technology-assisted drafting tools and is subject to attorney review.
