Orrick's Founder Series offers monthly top tips for UK startups on key considerations at each stage of their lifecycle, from incorporating a company through to possible exit strategies. The Series is written by members of our market-leading London Technology Companies Group (TCG), with contributions from other practice members. Our Band 1 ranked London TCG team closed over 320 growth financings and tech M&A deals totalling US$9.76bn in 2022 and has dominated the European venture capital tech market for 29 consecutive quarters (PitchBook, Q1 2023). You can view our previous series instalments here.
In addition to the challenges faced by all new companies, UK financial services startups also have to operate within a complex regulatory regime. With limited capital, these firms must make tough decisions between the competing pressures of spending on growth initiatives versus regulatory compliance.
In the twelfth instalment of Orrick’s Founder Series, our FinTech regulatory lawyers offer key guidance for UK founders of financial services startups looking to strike the right balance between business growth and cost-effective compliance spend.
1. Authorisation takes time. Many “firms” (a term used by the regulator), and/or their investors, set themselves tight timelines for achieving regulatory authorisation. In our experience, firms that rush to submit their applications and meet only the minimum information requirements or haven’t implemented all practical steps before submission (e.g. having appropriate management or risk controls in place) end up taking longer to get approval than firms who spend more time perfecting their submission upfront. While the Financial Conduct Authority (FCA) sets itself a timeline for reviewing and approving or rejecting licence applications, the FCA’s review clock stops if it needs to ask the applicant questions about its application or seek further materials. Spending two extra weeks reviewing and perfecting an application before it is submitted can save months of FCA questions following submission and could be the difference between approval and rejection. Pre-empting questions from the regulator and providing relevant information in the initial submission is therefore a valuable exercise.
2. It’s not just what you do, but also what you say you do. For startups in high-growth mode, it’s tempting to promote the ambitions or the capabilities of the startup’s services and technology before it actually provides those services or has appropriate licences to do so. FinTech founders need to be clear and not mislead their investors and customers about what they can and cannot offer. This is especially true where retail customers are involved and make financial decisions based on materials produced by the startup. Founders should check marketing material, statements to investors and customer contracts to confirm that the startup isn’t holding itself out as providing a service for which it is not appropriately licensed by the FCA, even if it doesn’t actually provide that service in practice yet.
3. There’s the matter of substance. Outsourcing internal functions (e.g. AML and sanctions compliance, KYC and CDD) to third parties, or to group entities in third countries with lower overhead costs, is a cost-effective way to meet the practical elements of regulatory compliance. Be aware, however, that it is not possible to outsource liability for regulatory compliance even if a third party undertakes the practical steps. The FCA will reject applications for authorisation where it does not consider the applicant firm to have adequate senior management resident in the UK. Compliance decisions should be made by accountable management from the UK. The FCA will also reject applications for authorisation where it believes the firm outsources too much of its compliance functions and / or has inadequate controls over the provision of the compliance function. Startups will need to demonstrate that they have (i) appropriate management resident in the UK, (ii) conducted appropriate pre-contracting due diligence on outsource providers and (iii) put provisions in place for the firm to bring outsourced functions back in-house if compliance standards are not being met.
4. Who will be accountable? In early 2023 the Prudential Regulatory Authority found the former CIO of a large bank personally liable for the bank’s failure to properly oversee and implement an outsourcing project, which led to a technology outage and prevented customers from accessing their funds. While personal liability for actions undertaken by a firm is unusual, it highlights the regulator’s focus on individuals running regulated businesses and the need for them to be fit, proper and ultimately accountable for their management decisions. When a firm applies for authorisation, the FCA will interview individuals in senior management positions, with the aim of testing each manager’s understanding of the functions being assigned to them, their compliance obligations and what is needed to mitigate risks.
5. Regulatory capital. Many FinTech startups, as with all regulated firms, are required to hold enough liquid assets to protect their customers and their customers’ funds against the risk of the firm becoming insolvent. Startups often have tight pressures on the capital available to them, with every penny needing to be accounted for, and the balance of assets to be retained versus spend on growth becomes a daily challenge. Retained assets must meet certain criteria to count towards regulatory capital, so it’s important to note that share options and preferential shares do not, in themselves, count towards regulatory capital. Founders should also pay careful attention to financing terms and the structuring of their financing rounds to ensure regulatory capital compliance. We talk more about key terms and what to look out for in term sheets in our sixth instalment of the Founder Series: Top Tips to Follow to Get Ready to Raise.
6. Jurisdictional scope of the business. Technological advances allow firms to provide global financial solutions from a single location or for management to be split across the globe but remain digitally connected. Just because a firm is incorporated in or “operates from” only one location, however, does not mean that only one regulatory regime applies. When determining whether a firm is subject to its regulatory jurisdiction, regulators will consider a number of factors including: (i) whether marketing activities are targeted at customers in the jurisdiction; (ii) whether business decisions were made in the jurisdiction (e.g. by members of management residing there); (iii) where the technology is operated from; and (iv) whether the customer first approached the firm or vice versa. The approach of regulators differs across the world and the regulatory regime of every jurisdiction touched by the firm should be considered on a case-by-case basis.
7. Regulatory arbitrage should be all about ease of approval. Harmonisation of European regulation and the ability to “passport” financial services between jurisdictions have led some firms to seek authorisation from the “easiest” / “cheapest” / “quickest” regulator (i.e. to get licensed under an easy regime and then “passport” its services into a more difficult regime). The notion of a soft-touch regulator is increasingly being recognised as a fallacy, though some regulators are more collaborative and quicker to come to an answer than others. Founders should balance the ease with which a particular regulator might authorise a firm, against the perceived quality of the regulatory regime. Tougher regulatory regimes are recognised by customers and investors as kitemarks of quality. Achieving authorisation from a sophisticated and stringent regulator demonstrates the sophistication and quality of the firm, which can be attractive to investors and customers alike, while the converse may be true of firms authorised under less stringent regimes.
8. Offering employee incentives may itself be a regulated activity. Many startups wish to reward early team members or incentivise existing ones with shares or share options (we talk more about share options in our third instalment of the Founder Series: Top Tips to Follow to Incentivise Your Team). In doing so, the company should ensure that it is not undertaking the regulated activity of promoting and issuing financial instruments to the public. While exemptions exist for such activity, care should be taken to ensure compliance with all conditions of the exemption. For example, employee share schemes are generally exempt from regulation; however, if just one external advisor is issued shares as payment for their services as part of the same employee issuance, the employee share scheme exemption may not apply.
9. Be prepared for investors to challenge your regulatory assumptions. The recent high-profile failures of large, regulated firms like FTX have brought into sharp focus the diligence practices of the firms investing in those businesses. Investors have their own sophisticated knowledge of the regulated space and founders should be prepared to justify their interpretations of how regulation applies to them (or doesn’t, as the case may be). When dealing with products that push the boundaries of technology and regulated financial services, it is often useful to seek out legal advice which supports your world view so that you have this to fall back on.
10. Good compliance spend vs bad compliance spend. We consider good compliance to be proactive, forward-thinking implementation of systems and controls designed to mitigate the chance of risks coming to pass. Bad compliance is often purely reactive and comes as a response to a risk coming to pass. It often requires a rushed response to requests from the regulator with information only becoming available as the event unfolds. In the early days of a startup, many firms have limited capital which must be split between employment, marketing, R&D and a whole host of other growth and compliance initiatives. Compliance requirements and costs often hold back or slow down the growth of startups, and delaying compliance spend until absolutely necessary therefore may appear an attractive option. In our experience, reactive compliance often costs a lot more than good, proactive compliance implemented when the firm has time to consider possible risks and solutions to mitigate them. An early plan for managing compliance can therefore save a firm millions in reactive compliance spend over the life of the firm.
Our London financial regulation practice is a leading adviser to digital banks, FinTech firms and their investors. We provide clients with practical and creative structuring advice and help to navigate the compliance challenges faced by regulated businesses. We have broad geographic reach with regulatory lawyers on the ground in the UK, Europe and the US. Our lawyers give financial services regulatory advice to clients on how to expand FinTech operations into the UK or invest in a UK FinTech firm.