If you ask three financial services business people in Nigeria what financial technology, or “fintech” means to them, you will probably receive three, or even more, answers.
The term fintech means different things to different people depending on where in the financial services ecosystem they operate. Fintech covers a broad range of new and developing technologies as well as alternative financial products and service distribution models, from so-called challenger banks and specialist finance providers at one end of the spectrum, to distributed ledger technology (DLT) innovators at the other end.
Fintech can be consumer-facing, internal business-facing or even embedded in financial services market infrastructure. Irrespective of whether fintech is perceived as an enabler or disruptor of business models, the reality is that change is inevitable as financial institutions jostle to remain competitive in the rapidly changing markets of today.
It seems clear that fintech will continue to drive the evolution of financial services, disrupting some sub-sectors, enabling new developments in others, and providing new and improving infrastructure for the digital age. Change can be very healthy in the lifecycle of any business, but investment in largely uncharted waters, especially in a heavily regulated financial environment, raises a variety of complex legal concerns.
This article examines some of the key legal risks associated with businesses from across the fintech spectrum. The article focuses, in particular, on regulatory and payments services, intellectual property (IP), and data protection risks.
OVERVIEW OF REGULATORY RISKS
The landscape within which Nigerian fintech businesses must operate is clearly complex and a wide range of risks and regulatory requirements must be considered. The innovative nature of fintech businesses means that the regulatory framework within which they sit is not always easy to navigate.
In a world of increasing financial regulatory complexity, fintech businesses that currently operate outside the regulatory perimeter may soon find themselves needing to comply with a spider web of legislation. Operating within the regulatory perimeter poses challenges for innovation; the time, manpower and infrastructure costs associated with understanding, implementing and complying with applicable regulation can be prohibitive for many start-up businesses.
Fintech businesses need to develop and maintain strategies in order to deal with the multifaceted nature of operating and innovating within the financial services sector. For anyone seeking to invest in, acquire, dispose of or partner with a fintech business, navigating the legal complexity involved will be essential. While many participants in the Nigerian fintech sector say that they do not believe fintech businesses should be subject to tighter regulation, the most commonly cited barrier to deal-making is the lack of regulatory clarity.
In considering regulatory challenges, one of the key points for those interested in fintech to remember is that regulation always trails innovation and only rarely will regulation be specifically designed to address particular technological advances while those advances are in their early stages of development. This means that technological innovators need to think about how their novel ideas will fit into existing regulatory frameworks if their nexus with the real economy or market place involves them in producing products for marketplaces which are otherwise tightly regulated.
This is particularly true in the financial services sector, where regulation bites on virtually every aspect of the business and operations of financial services firms, whether they are at the consumer facing front-end, interacting with the public as buyers of financial services or they are at the other end of the spectrum, involved in providing financial market infrastructure services, keeping the plumbing and wiring of the financial markets open and functioning. Regulation will bite in different ways at different points in the supply chain, with focuses varying between consumer and conduct facing rules through to regulatory requirements that systems be robust, stable and protected from operational risks that could result in systemically significant failure.
All of these factors produce a regulatory environment where regulators will be keen to:
- Understand what a particular innovation will do, how it will work and what the risks and rewards will be not only to consumers but also for them as regulators.
- See how the particular innovation fits into the existing legal, regulatory and prudential landscape, so that they can understand what sections of the rule book apply.
- Understand what particular conduct, operational or stability issues or risks the innovation may give rise to.
Today, the Nigerian Fintech space is primarily regulated by the Central Bank of Nigeria which has consistently issued guidelines for operations in the payments space. We look forward to a fintech specific regulation from the CBN this year.
READ OUR FULL OVERVIEW OF NIGERIAN FINTECH REGULATION HERE: https://legitng.com/fintech-report/
Nigerian innovators also need to bear in mind that there is no harmonised or overarching regulatory framework within which fintech innovations can slot. At the moment, Nigerian regulators are looking at fintech developments against their own rule books. Some regulators are keen to understand and work with innovators; the FCA, the Bank of England, the German Federal Financial Supervisory Authority (BaFin) and the Singaporean Monetary Authority are good examples.
Others have not been quite so welcoming. However, this means that, at the moment, cross-border application of fintech which implicates a regulated area of activity means getting the innovation past regulators in both locations, or as many locations as the technology will be used. That is not necessarily straightforward and slows down the network benefit reward that fintech should deliver.
Fintech businesses rely heavily on software, databases, other technology, data and trade secrets. These assets often provide an important advantage over competitors. For fintech businesses that offer consumer-facing services or products, branding is another important asset, in particular in an industry where the ability to grow a brand identity and keep a loyal customer base is often one of the most important factors for success.
Most of these assets are or can be protected through intellectual property rights (IPRs) or, in the case of trade secrets, through other legal mechanisms, such as the law of confidential information under English law.
IP for fintech businesses
Each fintech business is well advised to develop and implement an IP and trade secrets strategy, ideally from the early stages of the business. This type of strategy should cover the creation, acquisition, protection, use, exploitation and enforcement of IP and trade secrets, and procedures to avoid infringement of third-party IPRs or the unlawful use or disclosure of third-party trade secrets. Copyright is the most relevant type of IPR for many fintech businesses because it is the IPR that generally protects software, which is often the most valuable IP asset in a fintech business.
Under certain circumstances, copyright can also protect databases, which are another important type of fintech assets. Copyright subsists immediately on creation of the relevant work, without the requirement for any additional act, such as a grant or a registration. However, a corresponding disadvantage is that establishing ownership of copyright is often complicated, in particular in relation to software, because it requires establishing precisely which individual created which part of the software. Also, software and databases will often be developed through collaboration of a number of individuals.
This can create particular problems resulting from joint ownership. One of the most important operational and strategic tasks for a fintech business in the area of IP will therefore be keeping a record of all software and databases created for the business and the contributions of each relevant individual. Another important task is to put in place, from the beginning, the necessary contractual arrangements to ensure that all copyrights in relevant software and databases, along with all other IPRs in relevant materials, vest in, or are assigned to, the business on creation or development.
Trade secrets should be protected through contractual confidentiality provisions, and ideally also by restricting access to trade secrets to individuals who need that access in order to fulfil their respective tasks for the business.
Beyond copyright and trade secrets, fintech businesses should determine on a case-by-case basis whether other IPRs, in particular registered rights such as patents, registered designs or registered trade marks, are available to protect their intangible assets. Filing applications to be granted or to register these rights requires the investment of time and money, in particular, application fees, other official fees, and counsel fees for preparing and prosecuting the applications. Fintech businesses should therefore decide whether it makes strategic and economic sense to apply for registered rights.
IP for buyers or investors
Anyone interested in acquiring or investing in a fintech business should certainly include IP and trade secrets in the due diligence exercise, in order to identify and assess any related risks and, where possible, remedy them, and to assess the value of IP or trade secrets owned or used in the business. A large number of players in the fintech industry feel that doing due diligence on intangible assets is one of the top three biggest challenges to fintech deals.
Working out who owns the IPRs in assets is often complex and requires rather extensive fact-finding exercises, in particular with respect to software and databases. Any fintech business that has documented the creation of all software and databases as well as the contributions of each relevant individual, and that has procured ownership of all IPRs in the software and databases and all other IP created or acquired for the business, will be a more attractive target for an acquirer or investor.
It can also be difficult for potential acquirers or investors to assess the risks related to IP assets, including the risks that the rights in those assets will be infringed by third parties, or that the use of those assets by the target business infringes third party rights. Further risks in connection with software-focused fintech businesses may result from the use of open source software (OSS). Some OSS licences require, as a condition for the use of the OSS, that the source code of any software derived from OSS products must be made available, or that the derivative software must be provided for free. These requirements significantly limit the possibility to exploit the derivative software commercially.
A further risk comes from patent trolls, which are increasingly targeting fintech businesses, in particular those using distributed ledger technology, with the aim of extracting money through forced licensing arrangements by threatening to enforce patents primarily obtained for that aim.
Another big challenge for potential acquirers of, or investors in, fintech businesses is establishing the value of IP assets, which typically represent a large portion of the overall value of a fintech business. Even though a number of valuation methods are available, accurately vetting the value and growth potential of fintech start-ups that may not even be profitable at the time of acquisition can seem like a shot in the dark.
IP in collaborations
Businesses looking to collaborate in fintech will have to conduct due diligence on the IP assets of their envisaged partners and to reach agreement on issues such as the contribution of existing IP and sometimes IP developed outside the collaboration, the ownership of IP developed within the collaboration, rights to use that IP, the management, protection, exploitation and enforcement of that IP, as well as the rights of each collaborator on leaving the collaboration or termination of the collaboration.
DATA PROTECTION AND CYBER SECURITY
The ability to collect, analyse, manipulate, and transfer data is crucial to almost every fintech business. Without the free flow of data, much of the fintech industry would grind to a halt. However, in many parts of the world, and especially in the EU, the desire to use and share data conflicts with data protection laws.
Those laws restrict the ability of fintech businesses to use data for certain purposes, place limits on the duration for which data can be retained, and grant broad rights to individuals with respect to their data. Historically, data protection compliance has not been viewed as a major problem in fintech; however, the data protection regulatory landscape is undergoing a drastic shift.
The New NITDA Data Protection Regulations
In February 2019, the Nigerian Information Technology Development Agency released its guidelines on data protection for Nigerian organisations in the public and private sector, bringing with it stricter limits on how Nigerian businesses can use data. The NITDA regulations pose an immediate danger to Nigerian fintech businesses because they dramatically escalate the maximum fines for data protection non-compliance. Consequently, the risks associated with non-compliance have become much more serious.
In light of these risks, it is not surprising that many fintech businesses identify data protection as their greatest regulatory challenge.
One of the reasons why the NITDA regulations present such a significant challenge to fintech businesses is that the scope of the regulations is so broad. It applies to anything that a business does with any data that relate directly or indirectly to people (personal data). Personal data are found in a wide range of contexts, such as retail banking data, HR records, IP addresses, online advertising cookies, emails, instant messaging apps, and so on. As a result, the task of working out how best to achieve compliance in a fintech context can be extremely complex and time-consuming.
Practical implications of the NITDA Regulations
Even if a fintech business could achieve complete compliance with the NITDA regulations today, the ways in which personal data are used in fintech change all the time, as new technologies are developed and new business opportunities created. As a result, it is better to think of GDPR compliance as an ongoing process of improvement, rather than a one-time compliance effort. This process of improvement typically begins by working out how a fintech business is using personal data. For example:
- What kinds of data are collected.
- Which legal entities are responsible for making decisions about the data.
- Where the data are transferred around the world.
The aim here is not to map out everything that happens to data within a fintech business, as that is often unfeasible from an IT perspective. Rather, the aim is to identify the areas in which the business is likely to face data compliance risks. Once a fintech business has identified the range of compliance risks it faces, it is generally advisable to work out which of those risks are most central to the business; for example, compliance risks relating to key contracts or major business operations are likely to be more urgent to address than risks relating to arrangements with minor service providers.
In general, the most central risks should be addressed first, and lower priority compliance risks can be addressed at a later date.
One data compliance risk that is likely to affect all fintech businesses is cyber security. The NITDA data protection regulation requires that businesses must put in place adequate security measures to protect personal data from malicious threats, such as third-party hackers, and also from inadvertent threats, such as accidental loss or destruction of data through oversight or negligence. Adequate cyber security in this context includes both technical measures, such as strong password requirements, firewalls and two-factor authentication, and organisational measures, such as ensuring that employees have access only to data they actually need in order to perform their roles, providing employees with adequate training and protecting against social engineering.
However, NITDA provides no technical specifications for the cyber security measures that must be put in place. This means that each fintech business is responsible for reviewing its own data processing activities, identifying the cyber security risks that it faces, and ensuring that adequate technical and organisational measures are implemented. In addition, whenever a business engages a service provider to process personal data on its behalf, it must by law include in the service contract an obligation on the service provider to implement adequate cyber security measures.
This requires fintech businesses to review their existing service agreements to ensure that the correct cyber security provisions are in place. We foresee that in some cases, service providers may seek to raise prices before they will agree to compliant cyber security language being included in their agreements.
Outlook for fintech in data protection
For fintech businesses facing these data protection and cyber security compliance challenges, early planning is essential. Enforcement of the NITDA regulations begins in 3 months. Fintech businesses will find it very difficult to bring their operations into compliance with the GDPR by this date unless they take its requirements seriously, and commit sufficient time and resources to satisfying those requirements. Because the NITDA regulations affect almost all of the ways in which fintech businesses process personal data, the scale of this task should not be underestimated.
READ OUR SUMMARY OF THE ISSUES RAISED BY THE NITDA GUIDELINES HERE: https://legitng.com/2019/02/01/the-2019-nitda-data-protection-regulation-things-every-nigerian-business-should-know/
Checklist of regulatory issues in fintech transactions
In-house lawyers and practitioners should consider the following questions when advising potential investors in, or buyers of, fintech businesses:
- Does the business currently conduct any regulated activities, either in Nigeria or elsewhere? Does the business have the relevant regulatory permissions to operate?
- If not currently required to be authorised, is it reasonably likely that the business may need to become authorised in the future? Which regulatory framework(s) could apply to the business? How prepared is the business to navigate the regulatory approval processes, including evidencing sufficiency of internal systems and controls?
- Is regulation that is currently in the pipeline an opportunity or a threat for the business? How does the business’s business plan fit within the upcoming regulatory framework? Is the business correctly positioned to respond to that regulation?
Intellectual property and information technology
- Which intellectual property assets are material for the operation and success of the business? Does the business own or at least have the exclusive right to use all of the assets? If a brand identity is integral to the success of the business, does the business own registered trade marks to protect that identity?
- What are the risks relating to the business’s intellectual property, such as third party infringement or patent troll attacks? Does the business have the right infrastructure and governance to develop, exploit and protect its intellectual property?
- What IT systems does the business use? Is this IT scalable to meet demand? Are these IT systems compatible with the buyer’s existing systems? Has enough time and budget been reserved for data migration and testing?
Data protection and cyber security
- Does the business rely on the collection, analysis or transfer of personal data?
- Does the business have a programme in place which will enable it to comply with the NITDA General Data Protection Regulation?
- Are the business’s protocols and systems sufficiently malleable to enable the business to comply with data processing requirements even if the ways in which the business processes data change?
- Are the business’s technical measures, monitoring and training policies and practices sufficiently robust to withstand cyber attacks? Does the business have appropriate protocols for responding in the event of a cyber security breach?
Contact the Legitng Fintech Team at firstname.lastname@example.org for further assistance with compliance for your Fintech business.