Fintech Compliance Regulations Around the World

Financial technology has transformed the way that modern financial institutions (FIs) do business. It has opened the door to innovation in financial services and enhanced the customer experience. And the sector is growing, with global fintech expected to reach a market value of around $324bn by 2026. 

Fintech brings with it countless opportunities. Cloud computing has enabled quick and cost-effective processing of data, while open banking makes it possible for data to be shared between FIs, and APIs aid communication between different types of application.

But as with any developing ecosystem, fintech also brings with it increased challenges, which may need to be managed through additional oversight, regulation and compliance.

Criminals have also spotted the increased opportunities that fintech brings and are using advances in technology to develop money laundering and terrorism financing (ML/TF) activities. 

The FATF Standards For Fintech Compliance

The Financial Action Task Force (FATF) sets anti-money laundering (AML) standards for firms globally, and this includes fintech compliance. The FATF is continually adapting its guidance to counter emerging financial crime risks.

There are currently 37 member countries that are guided by the FATF, along with the European Commission and Gulf Cooperation Council. Fintechs in these countries will almost certainly be guided by the FATF’s Recommendations. These set international standards for ML/TF countermeasures covering the criminal justice system, law enforcement, fintech regulation and international cooperation. 

Registering and Fintech Regulators

As part of the FATF-based framework, countries should have national bodies with specific oversight for the implementation of AML/CFT controls by FIs. Usually described as ‘regulators’ or ‘supervisors’ these bodies are responsible for conducting regulatory examinations of individual firms, identifying problems, and enforcing punishments if necessary. 

For fintech firms, registering with regulators in good time and in the way they prescribe is key. The precise requirements of registration will vary between different jurisdictions, but will usually require information to be provided across the whole spectrum of regulatory issues. It is important firms familiarize themselves with the requirements on the relevant fintech regulator’s website. 

All regulators will want to clearly understand a fintech firm’s:

• Governance arrangements (MLROs, relationship to senior management structure, etc.)
• Internal control frameworks and mechanisms, including written policies and procedures (especially around all aspects of CDD and reporting)
• AML/CFT training programs and materials
• Enterprise-Wide Risk Assessment 

Comprehensive documentation that underpins a firm’s approach to fintech regulation and compliance can also help. Spending time putting together relevant material will pay significant dividends when regulators assess how well a fintech firm is meeting its obligations.

Core Regulatory Responsibilities

The AML/CFT ecosystem shown above shapes five core fintech compliance responsibilities:

1. Appoint a senior figure responsible in law, known as the Money Laundering Reporting Officer (MLRO).
2. Undertake an appropriate range of Customer Due Diligence (CDD) and Know Your Customer (KYC) measures to provide assurance about the identity and behavior of the clients throughout the client life cycle. 
3. In the course of undertaking CDD, firms will sometimes find reasons for concern – possibly a name on a watchlist, or unusual or suspicious patterns of behavior. If this happens and further checks do not provide comfort, firms must report their concerns to the authorities through authorized channels.
4. In order to help regulators and law enforcement, fintechs are expected to maintain records on AML/CFT operations for a minimum period.
5. Obligated entities are required to undergo a registration process with responsible regulatory bodies.

AML Guide for Fintechs

To find out more about fintech regulation and compliance around the world download the AML Guide for fintechs, or get in touch to schedule a demo.

Download the guide

Global Fintech Compliance Landscape

As countries have diverse legal, administrative and operational frameworks, and different financial systems, they cannot all take identical measures to counter these threats, and fintech firms will find regulatory nuances in different parts of the world.

EU Fintech Regulations

No single piece of EU legislation covers all aspects of fintech compliance. Fintech companies providing financial services (e.g. lending, financial advice, insurance, payments), must comply with the same laws as any other firms offering those services. Across the EU, FATF standards have been translated into national laws and regulations by a series of directives drafted by the European Commission. The Anti-Money Laundering Directives (AMLDs) are now on their sixth iteration (6AMLD). How countries implement the rules can vary, with some choosing to take a more stringent approach than the minimum standard. Firms should acquaint themselves with relevant guidance from national regulators such as the Autorité de Contrôle Prudentiel et de Résolution (ACPR) in France, or BaFin in Germany. 

UK Fintech Regulation

There is no legislation in the UK aimed specifically at fintech compliance, but firms which carry out regulated activities such as banking, consumer credit-related activities etc, fall within the remit of the Financial Conduct Authority (FCA) or Bank of England (BoE). The FCA’s key focus is on risks posed by the conduct of financial services firms, while the BoE – through the Prudential Regulation Authority (PRA) – focuses on the prudential soundness of firms.

Fintech Regulation in the Baltics

The Baltic countries of Latvia, Estonia and Lithuania have become attractive destinations for startup fintechs and others expanding into Europe, but are at risk of illicit financial activity due to their relations with countries such as Russia. Fintech compliance teams should become familiar with the EU’s AML regulations and sanctions as well as Estonia’s Financial Intelligence Unit, the Financial Intelligence Unit of Latvia and Lithuania’s Financial Crime Investigation Service. 

Fintech Regulation in the United States

The US has a complex financial regulatory system where individual states and the federal government both act as regulators. There are few specific fintech regulations or licenses, with the products or services a fintech offers determining their guidance and enforcement. 

The Consumer Financial Protection Bureau (CFPB) has direct supervisory and regulatory authority over non-bank fintechs. Fintechs providing investment advice or acting as a broker or dealer of securities are licensed and regulated by the Securities and Exchange Commission (SEC) or the Commodities Future Trading Commission (CFTC). Robo-advising services, as an investment adviser activity, fall within this remit. Fintechs that engage in credit information services may be subject to the Fair Credit Reporting Act (FCRA). And all money services/payments businesses must register with the Treasury’s Financial Crimes Enforcement Network (FinCEN).

Fintech Regulation in Canada

Fintech firms in Canada must abide by public and private legislation at federal and provincial levels, the same as banks and other FIs. Canadian AML requirements include: the Canadian Payments Act, Payment Clearing and Settlement Act (Canada), Bank Act and the Bills of Exchange Act (Canada). Certain Canadian financial regulations are specifically relevant to fintech service providers. These include the Personal Information Protection and Electronic Documents Act (PIPEDA) which protects personal information handled by private sector firms, and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). Canada’s main financial regulator is the Financial Transactions and Reports Analysis Centre (FINTRAC), which is responsible for identifying ML/FT.

Fintech Regulation in Singapore

The Monetary Authority of Singapore (MAS) is Singapore’s central bank and financial regulator, responsible for regulating and supervising the financial sector and promoting economic growth. The Payment Services Act (PSA) which came into effect in 2020, provides a legislative framework for the regulation of fintech payments systems and payment service providers in Singapore. It brings them under the scope of AML/CFT rules, and introduced compliance obligations for service providers that facilitate cross-border money transfers. Under the PSA, fintech firms must hold an operating license (or qualify for an exemption).

Fintech Regulation in Hong Kong

The Hong Kong Monetary Authority (HKMA) is Hong Kong’s central bank and financial regulator and sets AML regulations. HKMA requires that firms take a risk-based approach to AML in line with the FATF and the Asia Pacific Group on Money Laundering (APG). While Hong Kong does not employ any specific fintech regulation, fintech firms are subject to certain laws depending on their functions: Fintech firms which carry out any ‘regulated activities’, as defined by the Securities & Futures Commission (SFC), must be licensed by that body; money lenders are subject to the Money Lenders Ordinance; and payment systems firms and retail payment systems providers must be licensed under the Payment Systems and Stored Value Facilities Ordinance (PSSVFO).

Fintech Regulation in Australia

The Australian Transaction Reports and Analysis Centre (AUSTRAC) is Australia’s primary financial intelligence agency and regulator, tasked with preventing ML/FT and other financial crimes. The primary AML rules in Australia are part of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006. There are no specific fintech regulations in Australia, but fintech firms must comply with the existing AML/CTF framework and the licensing and reporting regulations that it imposes. Fintech firms should treat data privacy as a priority, as it is regulated at territorial, state, and federal levels.

Request a Demo

See how 1000+ leading companies are screening against the world's only real-time risk database of people and businesses.

Demo request

Originally published June 14, 2022, updated June 20, 2022