This guide is meant to provide a basic overview of compliance for fintechs in the US and should not be treated as legal advice. In addition, compliance and regulations are constantly evolving, so this guide does not provide an exhaustive overview. Please consult a lawyer and compliance expert when evaluating and creating a compliance program for your fintech.
Startups that offer financial services—such as business expense cards, monetary accounts, and loan access—are governed by a long and complex set of regulatory requirements that are essential to protect the startup’s business, customers, and the US financial system.
Compliance touches every single aspect of a financial product, from marketing to onboarding to account closures. For example, you need to clearly communicate all terms about a financial product (such as fees, interest, payment requirements, and other details) clearly and up front in your marketing materials. When you’re onboarding users, you must properly conduct Know Your Customer (KYC) checks and sanctions screenings, and comply with all fair lending laws if you are extending credit. And if users are delinquent on their repayment of a credit account, you may be required to comply with certain debt collection requirements that govern the frequency and times you may communicate collections reminders. And that covers just a fraction of compliance regulations you may be required to follow.
The below diagram is for demonstrative purposes only and should not be considered an exhaustive list of fintech compliance requirements.
Compliance with various regulations is essential to building a fintech: Fail to get it right, and—at best—you’ll be faced with large fines that can hurt your business. At worst, your business can be shut down.
However, ensuring compliance isn’t just about avoiding fees or legal repercussions. Investing in compliance means that your startup can create safer, more durable products for users while making money movement and financing products safe, which provides a competitive advantage for your business in the long term. In the end, you’re acting in the user’s best interest, helping them get access to a secure, stable, and beneficial product.
This guide provides an overview of how financial services in the US are regulated and what this means for your business. You’ll learn compliance fundamentals, get an overview of the most common compliance regulations, and understand your options for managing compliance for your business.
Compliance guidance and best practices
A common way to offer financial products in the US is by partnering with a bank to power your product. Each bank partner is regulated by a primary regulator (alongside a host of other regulatory bodies) that examines the bank on a periodic basis for compliance. For example, the bank may be assessed on whether it is compliant with state and federal statutes that regulate unfair and deceptive acts and practices (UDAP), which require transparent, up-front communication to customers (among other things).
Any fintech company that works with a bank is indirectly accountable to these same regulators as a result of their banking partnership. Your startup will almost never directly interact with the primary bank regulator; instead, the bank will oversee your compliance with banking-related laws and regulations. For example, using the same scenario as above, you would also be assessed by the bank on whether you remain compliant with UDAP through periodic testing engagements and reporting requirements.
In addition, federal regulators who oversee banks (and fintechs) but who do not function as a primary banking regulator include (but are not limited to):
- The Federal Trade Commission (FTC), which enforces laws against deceptive and unfair trade practice as well as unjust methods of competition. The FTC also enforces federal consumer protection laws that prevent fraud, deception, and unfair business practices. For example, the FTC may investigate telemarketing scams, sweepstakes scams, or “bogus health products.”
- The Consumer Financial Protection Bureau (CFPB), which is tasked with ensuring consumers are treated fairly by entities offering consumer financial products. It provides consumer protection across all consumer financial products, whether they’re offered by a bank, a fintech, or any other entity.
Overview of compliance regulations in the US
The specific laws and regulations you must follow greatly depend on your business. For example, there are certain rules that only apply to consumer financial services or businesses extending credit. However, in general, there are a few rules that apply to all businesses:
Laws that apply to all financial services businesses
This section is for demonstrative purposes only and should not be considered an exhaustive list of fintech compliance requirements.
Know Your Customer (KYC) and Know Your Business (KYB) obligations
KYC or KYB is the mandatory process of verifying customer or business identities when they sign up for an account and then continually monitoring transaction patterns to gauge risk. Users must provide proof of their identity and address during your onboarding process to ensure that they are who they say they are.
What this means: Complying with KYC or KYB obligations helps ensure that the money moving through your system is safe and is not involved in money laundering, terrorism financing, or other fraudulent schemes.
Anti-money laundering (AML) rules
AML rules are a set of laws and regulations designed to prevent criminals from engaging in financial crimes and illegal activity—namely, disguising illegal funds as legitimate income. AML rules require banks and other financial service providers to record and report money movement to screen for money laundering and terrorist financing.
What this means: Helps to keep the financial system safe and secure by preventing money laundering and terrorist financing.
The Office of Foreign Assets Control (OFAC) sanctions
OFAC enforces a series of economic and trade sanctions against countries, legal entities such as businesses, and groups of individuals such as terrorists and narcotics traffickers.
What this means: Helps accomplish foreign policy and national security goals by preventing terrorism financing, money laundering, or other fraudulent schemes.
Unfair or Deceptive Acts or Practices (UDAP) and Unfair, Deceptive, and Abusive Acts or Practices (UDAAP)
UDAP and UDAAP laws prevent companies from engaging in any unfair or deceptive (and, in the case of UDAAP laws, abusive) acts or practices, such as failing to disclose fees or misrepresenting a product or service. UDAP is invoked to protect all persons and entities engaged in commerce, while UDAAP laws provide extra protection to consumers using financial products.
UDAP and UDAAP provide similar customer protections, but they differ slightly. UDAAP contains an additional, intentionally vague prohibition against “abusive” acts that is used to capture a wider variety of acts that could result in consumer harm.
What this means: Ensures that you are creating a high-quality and safe user experience by making all your communication transparent and easy to understand.
Red Flag Rules
Red Flag Rules require businesses to adopt and implement a written identity fraud program to detect the warning signs—or red flags—of identity fraud. This program helps companies more easily identify suspicious patterns and trends in their business, take appropriate steps to prevent identity theft, and mitigate its damage.
What this means: Helps businesses detect fraud attempts before actual crimes are committed.
Laws that only apply to businesses that extend, support, or collect credit
There are many regulations that apply to businesses extending, supporting, or collecting credit. For example, you may be subject to the Fair Credit Reporting Act, the Servicemembers Civil Relief Act, the Equal Credit Opportunity Act (ECOA), and others. This guide doesn’t provide an exhaustive list of all lending laws. Instead, we’ll cover two of the most common: fair lending laws and the Truth in Lending Act.
Fair lending laws
Fair lending laws such as ECOA prohibit lenders from considering race, color, national origin, religion, sex, familial status, or disability when applying for credit. These laws and regulations apply to any extension of credit, including credit for small businesses, corporations, and partnerships. There are also technical communication requirements within federal fair lending laws that require creditors to explain why an adverse action was taken against a borrower or an applicant for credit.
What this means: Prevents discrimination and ensures that people of protected classes are offered fair and equal access to credit; provides transparency to the credit underwriting process.
Truth in Lending Act (TILA)
TILA protects consumers against unfair credit billing and credit card practices. It requires lenders to provide loan cost information up front so consumers can compare different types of loans. TILA primarily applies to consumer loans, but important fraud and dispute procedures also apply to business credit. For example, in certain situations, an employee cardholder can’t be held liable for more than $50 for the unauthorized use of a stolen credit card.
What this means: Protects borrowers from unethical lending practices and improves customer experience by ensuring that users have a clear understanding of credit costs and terms; protects certain borrowers from unauthorized use of stolen credit cards.
How to handle compliance for your business
Manage compliance yourself
You or your in-house compliance team may be able to work directly with a bank to manage compliance, but it is often expensive and time-consuming. For example, this involves building a full-time compliance team from scratch, hiring lawyers, compliance experts, finance managers, and others.
In order to approve your in-house compliance management program, banks expect you to apply the same level of rigor that they apply to their own programs. In order to satisfy bank expectations, you will need to leverage your team of in-house and external legal and compliance professionals to implement and operate a resource-intensive set of program components on an ongoing basis. These components include your foundational compliance policies, risk assessment methodologies and matrices, independent testing plans and workflows, compliance training content and assessments, various compliance procedures and controls, ongoing “state of compliance” reporting, and compliance issue program management. They would evaluate you and your team for subject matter expertise, reporting capabilities, program policies, issues and risk management, internal training curriculum, and more. We recommend that you speak with a compliance professional and a lawyer to fully understand what you need to do to make this program viable.
Work with third-party advisors
In addition to managing compliance by yourself, you could hire an external compliance consultant to design your policies, review materials, and test your user flows to make sure you are compliant with applicable laws.
However, not only are external consultants very expensive, they are also compliance experts—not product experts. While they have a deep understanding of regulations, they may not be able to effectively marry that understanding with your specific product.
Offload elements of compliance to a banking-as-a-service (BaaS) solution
The below diagram represents the elements that Stripe, as the BaaS provider, oversees and/or manages, and may not apply to all BaaS providers.
A successful fintech is made up of both product excellence and compliance expertise. While third-party consultants can only advise on half of that equation (the compliance expertise), a BaaS provider can do both. A BaaS solution offers both the full suite of embedded finance needs in addition to the infrastructure for financial partnerships and compliance. This allows you to use one system for building your fintech offering, growing your feature set, and managing a compliance system, reducing the complexity required to go to market and saving internal costs.
The best BaaS offerings assign you a compliance program manager that partners directly with banks on a range of important topics including compliance, risk, reporting, marketing, disputes, and contracts—so you don’t have to.
In some cases, your BaaS provider may build solutions directly within the product that help you adhere to the bank’s compliance requirements. For example, the best providers offer prebuilt funds flows and user onboarding elements that match the bank’s specific compliance needs and also have an in-house testing program that tests and audits your user flows on behalf of the bank.
In other cases, the compliance program manager works directly with you to outline the requirements you must adhere to, reviews and approves your entire user experience, and periodically audits your compliance controls.
Even when working with a BaaS provider, your business will still be responsible for implementing certain compliance responsibilities. For example, your business will always need to ensure that all your customer-facing assets and user interfaces go through the BaaS provider’s approval process and report any user complaints to the BaaS provider (e.g., by enabling your customer service team to tag complaints so that the BaaS provider can investigate whether any are indicative of a broader compliance issue and send reports to your BaaS provider each month).
How to evaluate a BaaS provider for compliance
The best BaaS providers don’t just offer APIs to help you integrate financial services into your product—they also offer compliance as part of their product. To that end, as you’re looking for a BaaS provider, make sure to evaluate them specifically on how they help you manage compliance. For example, ask for copies of their compliance policies and sample requirements that they would ask you to implement, and compare those to other providers.
While there is no one-size-fits-all approach when evaluating a BaaS provider, we recommend asking about the following criteria during the discovery phase:
Relationships with multiple banking partners to ensure reliable solutions with redundancy measures.
Demonstrated ability to enforce compliance requirements. Ask the BaaS provider for a recent example of how they’ve modified their program to adapt to evolving compliance requirements.
Level of detail needed in use case supportability and onboarding. A BaaS provider that asks for more details when onboarding fintechs suggests that they have a robust compliance program.
The number of full-time employees working on compliance and the number of years/experience working in compliance.
Demonstrated ability to support multiple types of companies across industries and business models.
Demonstrated ability to support businesses in getting started and operating at scale (since compliance and support needs vary by company size).
How Stripe can help
Stripe is the easiest and most flexible way for platforms to build and launch their own full-featured, scalable financial features—whether it’s payments, lending, cards, or bank account replacements. Stripe has worked with banks since day one (more than 11 years ago), and we bring that same expertise to our Issuing business. For example, we have built a durable structure for financial partnerships and compliance to help users learn how to satisfy regulatory requirements and provide the most streamlined, reliable, and safe financial solutions to users. And often, we’re able to use those relationships for our BaaS product suite.
We’ve developed an in-house compliance program refined by team members that regularly meet with banks. Compliance program managers offer a series of guided checklists and discussions to confirm the program has all of the right processes, disclosures, reporting, and controls in place for final bank review and approval. Stripe also conducts periodic reporting and testing activities on behalf of its sponsor banks in order to help manage your business risk on an ongoing basis.
Each of our products offer APIs that are building blocks for platforms to combine in different ways, depending on their business model and the needs of their customers.
Screen users during onboarding: Onboard users quickly and safely with prebuilt, conversion-optimized UIs that securely collect sensitive personal details and identification documents needed for Know Your Customer (KYC) and AML verifications. Stripe leverages its experience from having verified millions of accounts and uses proprietary internal systems to safely onboard users with less friction. Stripe’s onboarding flows dynamically update with changing compliance regulations, providing seamless onboarding experiences for your customers as you grow.
Create a compliance-focused card program: We used our deep expertise on legal, compliance, and regulatory matters to build Stripe Issuing, which allows you to instantly create virtual and physical cards with your own branding. We help with KYC, AML, OFAC, and other sanction screenings so you can focus on building the right card offering for your customers. Platforms earn a share of interchange that’s collected every time a card is used.
Offer bank account replacements: Stripe Treasury’s APIs create FDIC insurance–eligible accounts for your customers that can send ACH and domestic wire transfers. Stripe handles up-front negotiations with a network of banks, helps embed KYC within your product so you don’t need to build a costly KYC program, and advises you on remaining compliance requirements.
Get in touch with our team to learn more about how you can use Stripe to quickly, easily, and compliantly offer your own financial services.
The Spend Card is issued by Celtic Bank, a Utah-Chartered Industrial Bank, Member FDIC.
Commercial Prepaid Cards are issued by Sutton Bank, an Ohio-Chartered Bank, Member FDIC.
Stripe Treasury is provided by Stripe Payments Company, licensed money transmitter, with funds held at Evolve Bank & Trust and Goldman Sachs Bank USA, Members FDIC.
Capital Loans are issued by Celtic Bank, a Utah-Chartered Industrial Bank, Member FDIC. All loans subject to credit approval.