Fintech startups operate in one of the most heavily regulated sectors — and for good reason. After all, they do handle people’s money and personal details.
Thomas Reisenberger, compliance and regulation attorney at Legalese, last month held a free workshop at Rise Cape Town where he shared some tips and insider information on what startups who move money online should look out for, which laws they are likely to trigger and steps they can take to protect themselves.
Mapping out what you do, how you do it and who you do it for will help you to figure out which laws apply to you.
“If you ask these three questions, what it will do is it will allow you to get a nice scope of exactly who you’re touching, and what regimes are going to start triggering off,” he explains.
What you do
- Direct retail is subject to the Consumer Protection Act, Electronic Communications and Transactions Act, Protection of Personal Information Act (POPI), and common law.
- Although marketplaces are not specifically covered by any particular act, Reisenberger advises startups to use smart terms to side-step regulation.
- Digital exchanges (including crypto exchanges) should be familiar with the Exchange Control Regulations and the National Payment Systems Act.
- Digital wallets fall under the National Payment Systems Act (NPSA) as well as the Banks Act.
- Insurance is regulated by the Financial Advisory and Intermediary Services Act (FAIS), Financial Sector Regulation Act, and the Insurance Act.
“If you’re going to read an act, don’t just read the act, look at the regulations because the regulations are changing constantly,” he says.
“If you’re working within a big industry, trust that there’s going to be a code. Banking has one, insurance has one, they have internal policies and codes. Don’t just apply the law, you might have to apply the code.”
How you do it
“The method of how you’re moving money is also going to affect which regimes might apply. If you’re moving money yourself you’re the most highly regulated and will have the most regimes apply to you,” Reisenberger says.
A startup that handles its own operations — that is, without the use of third parties or APIs — will need to be familiar with the Banks Act, NPSA, and FAIS.
Those startups that use third parties have to use terms with warranties. “A warranty is a written guarantee that says ‘I’m not responsible for payments, I have a third party responsible for payments.’ If something goes wrong with a third party, who do you complain to? The third party,” he explains.
“If you’re moving currency using a digital wallet and one of your providers goes down, and one of your customers just lost R1,8-million in a frozen transaction, they’re going to come for you.
“If you do not have a warranty in your terms and conditions saying ‘It’s not us, it’s the third party’s problem’, they are legally allowed to come after you, even if there was no responsibility from your side.”
Startups making use of APIs, he says, should also make use of warranties and disclaimers.
Startups handling foreign currency and foreign remittances have to be aware of Exchange Control Regulations and special personal information under POPI.
“Before you go to a lawyer about exchange control, go to your bank. Chances are they will give you free services, because you’re already paying and they are your bank.
“Walk into your bank, go to the exchange control department and ask for a specialist, and they can explain to you what you should be thinking about, all for free, and they can assist you on how to move money.”
Digital wallets, he says, should consider getting a bank to be a sponsor.
“What that means is you don’t have to have a banking license. Your sponsor does.”
Who you do it for
“For a lot of acts, when you move money from a financial perspective, you have to know your client,” Reisenberger explains.
“You have to know where the money is coming from and where it is going to, and if something gets picked up and you have a suspicion, then you have a proactive duty to report it. If you do not report it, then you yourself are committing a crime.”
He adds that although Know Your Customer (KYC) and Anti-Money-Laundering (AML) compliance are sometimes prescribed, accountable institutions have to adhere to them, “otherwise it’s voluntary”.
It’s also important that startups know who they are dealing with as they might need special consent under POPI for anyone under 18. In addition, they might need to apply foreign law on top of local law if they are serving foreign users.
“Be very careful about the citizenship and location of the user. It might also determine what other laws apply. Maybe they have consumer protection laws that might apply.”
Startups should also consider regulator engagement, getting information on regulator sandboxes, having strong internal policies on data protection as well as representation of the business, and providing customers with more information.
“Substance over form, if you are trying to be proactive and you have done as much as you can, it might not be exactly what is required but you tried as hard as you could, regulators are really happy with that in South Africa,” says Reisenberger.
“Do as much as you can, try it yourself, you don’t need a lawyer to do most legal things,” he says.