A Guide to Financial Regulation for Fintech Entrepreneurs

 

STEFAN LOESCH

 

 

 

 

 

 

To Hartmann Karl Günter Loesch, 1937–2012

About the Book

Fintech companies are revolutionising the way financial services work. Their main strengths are superior agility, systems and customer focus, but established financial services have a strong advantage because they understand how to comply with regulations. This book teaches Fintech executives to attack incumbents in the regulatory arena, and at the same time to create moats against other Fintech companies.

When a company is starting up, regulatory requirements are small. However, they increase rapidly when a company starts growing and regulators start paying closer attention, or when regulators from other jurisdictions are getting involved. Regulators only have limited capacity, and if a company wants to be able to scale without being held back by the regulators, planning the regulatory strategy ahead of time is indispensable.

Going through regulatory texts is hard: even for the most basic financial services, the relevant regulations amount to thousands of pages of dry legalistic prose, describing the regulatory trees in detail but obfuscating the view on the regulatory forest. As a Fintech executive, this book gives you a map of the forest, allowing you quickly to identify the specific trees that matter for you. It clearly explains the purpose and the structure of the regulatory environment, and provides you with frameworks that enable you to develop an effective regulatory strategy.

The first part of the book explains why financial services regulation exists, what its goals are, and how Fintech executives can use regulation to gain a strategic advantage for their companies. The second part gives a more detailed map of the key regulations that Fintech companies have to follow, firstly identifying the most relevant ones, and then distilling the thousands of pages that still remain into about 100 pages in the book.

All EU regulations cited are (c) European Union 1995–2017 and used based on their reuse policy that can be found on https://ec.europa.eu/info/legal-notice_en which states that “Reuse is authorised, provided the source is acknowledged. The Commission’s reuse policy is implemented by the Decision of 12 December 2011—reuse of Commission documents”.

Acknowledgments

I am grateful for the help of Thomas Barker, Pascal Bouvier, Andy Condurache, Maxim Harper, Jonathan Howitt, Jerôme Legras, George Markides, Justin McCarthy, Oscar McCarthy, Fiona Mullen, Sid Singh and Sean Tuffy at the various stages of this project. It goes without saying that all mistakes still left are mine and mine alone.

I want to thank my family—my wonderful wife Oksana and our two daughters Sophie Alexandra and Béatrice Hélène—for their support, and for putting up with me while I was researching and writing this book. I would also like to thank my parents, Christa Loesch-Goldschmidt and Wilfried Goldschmidt, just for being there for me and my family.

About the Author

Stefan is a theoretical physicist by training, holding a degree from the University of Bonn, and he spent some time at Ecole Polytechnique near Paris. He also holds an MBA degree from INSEAD.

Immediately after university he became a quant, developing pricing software for derivatives, where he led Paribas' equity derivatives quant team worldwide. After the MBA he joined McKinsey & Co. as a consultant in the Corporate Finance practice, which is where he first got introduced to financial services regulation proper, in the form of the Basel 2 regulations. He then joined J.P. Morgan where he continued advising clients on Basel 2, helping them to position their balance sheets to optimise regulatory and economic capital and liquidity constraints.

After leaving J.P. Morgan he built an edtech platform for business schools to improve their online and classroom teaching. He was also invited to join the PRMIA Education Committee, and to co-edit and co-author the most recent revision of the PRMIA Handbook, the study guide for students taking the prestigious Professional Risk Manager™ exam. More recently he was serving as CTO of an early stage start-up in the non-traditional lending space. His current focus is on bridging the gap between crypto and traditional finance, setting up structures that allow both of those spaces to work together while being in compliance with the applicable regulations.

PART I
Fintech Regulation and Strategy

CHAPTER 1
Regulatory Strategy for Fintech Companies

The Fintech space—like the overall tech space a few years earlier—is evolving at breakneck speed, even though from a low base when compared to the incumbents currently present in the market. Financial services is a highly regulated industry—and for good reasons, as it is the lifeblood of a modern economy, and because it deals with people's life savings. Because of the lack of scale, Fintech has thus far mostly escaped regulation. However, this is coming to an end: as Fintech grows up and moves into the mainstream of finance, regulation on a par with that applied to other financial services is unavoidable.

Many people, especially in the tech world, see regulation as a nuisance, and something that at best needs to be reluctantly complied with. This is partially true—compliance with applicable regulations is tedious and a lot of work. However, from a strategic point of view this is not necessarily a bad thing: to the extent that a company is better able to navigate the regulatory environment than others, this can and will provide a competitive advantage.

This competitive advantage can be particularly important for tech companies because of the way they slice up the underlying market: the current banking system is mostly designed on the assumption that customers want a one-stop-shop for all their banking needs, or even for all their financial needs, with most major banking groups now also sporting associated insurance and asset management divisions. Tech companies tend to have a very narrow focus in terms of the services they provide, and often even in terms of the segment of customers they target. They also understand the importance that scaling has for them: for many tech business models the first player who can reach significant scale in its segment can reach a position that is difficult to attack for followers, so being able to scale quickly and efficiently is a key part of a tech company's strategy.

There are very few national markets in the world—and especially in the Western world—that provide sufficient scale for a tech company that wants to play in the major league. This means that tech companies have to think about international expansion early on. For Fintech in particular this means that they will always have to deal with regulatory compliance in each and every market in which they operate. Compliance being costly is one thing, but from a scaling point of view more important is that regulatory compliance means delays: even before the first customer interaction takes place, a company has to ensure that it can comply with the applicable requirements, document this, and then seek authorisation or registration in the relevant jurisdiction. This process can be very time-consuming, especially if approached the wrong way, and more regulatorily nimble competitors can leapfrog Fintech companies that are seeing regulatory compliance as an afterthought rather than a core strategic skill.

The purpose of this book is to allow senior executives—especially those that come from a technical and single-product-focus background—to get to a point that allows them to understand the overall regulatory environment they are facing and to formulate a regulatory strategy, in particular during the scaling phase.

The financial markets are a highly connected system, and it is not possible to understand financial services regulation without a high-level understanding of the entire financial services space, and the range of products and services it offers. A big part of this book therefore is a description of the financial services space, intertwined with applicable regulation.

The first part of the book provides the main narrative. It is split into the following chapters:

  1. a general introduction to regulations and their purpose, and how they impact a company's strategic planning (this chapter)
  2. an overview of financial services regulations, looking at the types of regulations (ie, grouped by purpose), as well as their strands (ie, grouped by the way they are organised in reality)
  3. a more detailed description of the regulations in place, looking at the sources from which they flow, then at various regulatory models, and finally a discussion of the areas most important for Fintech companies
  4. an overview of the financial services industry split along the classic sectorial lines, interspersed with discussions about key applicable regulations
  5. an overview of the key products offered by the financial services industry in the retail space, interspersed with discussions about key applicable regulations
  6. an overview of the key products offered by the financial services industry in the wholesale space, interspersed with discussions about key applicable regulations.

The second part consists of tear sheets covering in more detail the most important regulations applicable to Fintech companies. A quick summary of each of those regulations is provided, and there is a discussion of the strategic importance of that particular regulation within the Fintech space. The tear sheets are cross-referenced against the regulatory text so that it is quick and easy to look at the exact regulatory requirements. All regulatory texts are linked on the companion site for easy access. In order to avoid duplication I had to choose a jurisdiction for which to provide those regulations, with the choice being between the US and the EU. I ultimately chose the EU because the regulatory structure is clearer. However, the large majority of rules and regulations will be very similar in the US, just with different references where to find the respective legislation.

1.1 Regulation

Whilst there is a general belief that markets work well in many instances, there is also an understanding that there are market failures, and that markets left to themselves can lead to suboptimal or bad outcomes. In many cases, market failures can be traced back to the fact that one party is better informed than the other one—not because they have failed to do their homework, but because structurally one party to the transaction finds it impossible or at least very expensive to acquire information that the other side has.

1.1.1 An Example for Beneficial Regulation: Taxis

Financial services are complex, so I want to start with an example where the market failure is very obvious: taxi services. First let's define the service, the classic street-hailed taxi service where a customer—possibly someone not living in that particular city—must go from point A to point B within that city, and where this is not a regular trip. Being at point A they'd therefore go to the closest busy street, or to the next taxi stand, and take a taxi to point B. What the customer wants is to get there (a) unharmed, (b) reasonably fast, and (c) at a reasonable and predictable cost. Unfortunately, if the customer just stands next to the road waving his hand and a car stops, he will not have the information that would allow him to assess the points (a)–(c) above. For example, he'd like to know that the driver is sufficiently capable and not a psychopath, and that the car is safe in order to assert (a). To assert (b) he'd want the driver to be sufficiently skilled in navigating the city, and to assert (c) he'd either need to know that the driver is honest, or would need a benchmark to assess what the fair price should be.

It is interesting that technology changes how those constraints can be addressed. For example, since GPS units have become ubiquitous, being able to navigate the city is no longer a big issue, and even non-residents can assess the length of a trip, and whether or not the price demanded is fair. However, ignoring the fact that nowadays it is possible to quasi-street-hail taxis using a smartphone app, the issue of the honest and skilled driver with the sufficiently safe car remains: when a car pulls up at the kerb or waits at the taxi stand, the potential passenger has no means of getting all the information he needs. That is the fundamental market failure in taxi services, and in the absence of a mechanism to address this, potential customers might find it too dangerous to take a taxi, and therefore a mutually beneficial deal would not happen.

There are fundamentally two different ways in which this can be addressed: regulation and reputation. Let's start with reputation. In countries where taxis are not well regulated one tends to have large taxi companies that dominate the market. For example, when I was in Jakarta a while ago, I was strongly advised to only use cars of a specific company, and to always order a car by phone, lest rogue drivers manage to get hold of a car of that company. One impact of this was that it was rather difficult to get a cab when not in a location where some trusted friend or an honest concierge could order a car, and the company was able to charge premium prices because they had a quasi-monopoly on vetting reliable drivers.

In most cities, taxis are regulated. They are easily identifiable as taxis, and both the car and the driver must be in possession of a valid licence. Licensed taxis are equipped with an official meter that both the customer and the driver can see, and that is the sole basis for the fare that will be due at the end of the ride. The meter is regularly verified to ensure that it works correctly, and the police make spot checks on taxis in operation and fine offenders who do not comply with the aforementioned requirements. In this environment, customers do not have to worry whether or not a taxi they hail in the street conforms with the requirements (a)–(c) discussed above: provided the car is a licensed taxi, the customer can be assured that driver and car are vetted and that he therefore does not have to worry about taking this taxi—the market failure has been addressed.

1.1.2 Carry-over to Financial Regulation

In the previous section we have seen that information asymmetry can lead to a market failure in the market for street-hailed taxis, meaning that the market breaks down because potential customers are not comfortable with their potential providers and therefore do not engage in transactions. In financial services the situation is similar: for example, it is impossible for individuals to assess the strength of financial institutions, and therefore they might either not deposit money with those institutions, or withdraw it at the first sign of distress, both of which constitute a market failure.

We have seen two mechanisms that can be employed to get around this market failure, notably:

  • services are provided by companies whose size and market share are sufficient to allow them to develop a strong enough brand; those companies are able to charge premium prices
  • services are provided by small companies or individuals, and there is a small number of private authorities who vet the providers and who have a brand strong enough to support this.

In the early days of banking, banks mostly employed the first solution, ie brand and reputation were the major means of addressing this issue. A testament to this are the splendid branches that banks built to credibly signal the solidity of their financial standing. As an example for this I'd recommend a visit to Société Générale's original branch next to Opéra in Paris, which is still open today and which was clearly and successfully built to impress. It turned out, however, that this strategy was not overly successful in financial services: even splendid headquarters could not prevent bank runs where everyone wanted their deposit back at once.

In modern banking there is also an element of the second solution, in that all major banks are rated by reputable rating agencies, and in the major developed economies most banks are rated AA, or at worst A. However, whilst rating agencies are an important data point in assessing the creditworthiness of a bank, in practice ultimately the only way to ensure that people leave their deposits with banks even in times of distress seems to be to make sure that (a) the banks are tightly regulated and risk is at an acceptable level, and (b) deposits are insured, and there are sufficient business continuity procedures in place to ensure that the distress does not spread through the financial system.

1.2 A Regulatory Strategy Framework

Whenever an industry is regulated this fundamentally alters its strategic landscape. The strategic impact of regulation cannot be understood generally, but must be analysed on a case-by-case basis. For example, in markets with natural monopolies—eg utilities or transport—regulation is often the only way that competition can be maintained. In other markets, the purpose of regulation is not competition, but, say, customer safety or systemic stability, in which case regulation is more often than not an additional barrier to competition. One universal truth, however, is that in regulated environments, being able to play the regulatory game well is a key competitive advantage, especially for new entrants trying to break into an existing market. This is doubly important for tech companies, where the focus is on being able to scale quickly and efficiently, and where regulatory moats can be both an opportunity for those who are on the right side of them, and a hurdle for those who are not.

This is very important to understand: whilst regulation is a barrier to doing business, regulation is not necessarily bad for businesses, at least not for those businesses who find themselves on the right side of the moat. This is even the case when it is bad regulation: customers might pay more or receive a worse service than if the regulation was better or not present, and the market size might be reduced, but a specific company using that regulation to its advantage might still find itself in a very comfortable situation.

As an example I want to look at taxi companies in New York, especially before the arrival of Uber. This is a highly regulated market with a fixed service offering—the standard street-hailed yellow cab—at a fixed price, and with a very big moat: the number of medallions is fixed, so new players can only enter the market when the regulator auctions off new medallions, or when they buy them from incumbents who withdraw. In the years prior to the arrival of Uber, the price of medallions in the secondary market sky-rocketed, suggesting that operating a taxi in New York was a very attractive business. The flip side of this was that customers were getting a worse deal than they'd have got in a more open market, as everyone trying to get a taxi in NYC during rush hour and/or rain can attest. So in this case, the regulation created a nice moat that restricted the overall size of the market, but that created a very comfortable environment for the cab owners that found themselves inside the moat.

By their very nature, regulators must be reluctant in embracing innovation: they have a duty to protect markets, and those markets typically require protection because they are important for the overall economy and/or for a significant part of the population. Also, whilst those markets in their regulated state might not be perfect, they tend to work sufficiently well. In that environment, innovation poses an asymmetric risk: the downside is destroying something that is essential in people's lives, whilst the upside is an incremental improvement whose value, even if it works, is often uncertain and not yet well understood. This means that regulators have a natural bias towards being reluctant and not rocking the boat.

In addition, regulators are typically underfunded and stretched, and their personal incentive structure is even more asymmetric as they'll get the blame if things blow up, but not much of the credit for marginal improvements. On top of this, in many cases the industries they are meant to regulate have a lot of resources to put into influencing regulation, both at the political and at the regulatory level, and in many cases there is a strong financial incentive for experienced regulators to move over to the other side. All of this together means that regulators often have an even bigger bias towards reluctancy than they should naturally have. Plus there is always the issue of regulatory capture, ie that regulators get too close to those whom they regulate, and that they start defending the interests of the companies they regulate against outsiders, especially against new entrants.

Having said this, there are two fundamentally different cultures within the regulatory community, a permissive culture and a pre-approval culture. Under the former, regulators are more comfortable with companies going ahead and doing new things, to be regulated—or not—eventually, whilst under the latter, regulators expect everything that might need regulation to be pre-cleared from the beginning. Those cultures can also temporarily shift, for instance when markets are perceived as not working as they should. An example for this would be the period after the credit crisis. In an environment like that one, regulators are often eager to help new entrants to enter the market, for example by treating them more leniently than proportionate regulation would imply, or by actively helping them, eg in a regulatory sandbox environment. Those episodes where regulators are eager are typically temporally and geographically limited, and so being in the right place at the right time when this happens is an important strategic advantage.

The underlying reason here is that compliance costs do not scale much with the business volume, ie they have a significant fixed component. For example, bank regulators might require certain reports. The actual work of crunching the numbers for the report is done by a computer, and the cost of running a report pales against the cost of programming the computer. Not all regulatory cost is fixed, however: for example, any report will throw up a certain number of exceptions that will have to be followed up manually, and the cost of doing this will be proportional to the business volume. In any case, in the financial services segment regulatory compliance usually does impose a high fixed cost, and this does create moats.

Proportionate regulatory regimes are acknowledging not only that there is this high fixed cost component in compliance, but that it is often not necessary. For example, rules that are meant to keep the overall system safe if a bank defaults can be safely ignored when regulating a small bank whose default can easily be absorbed by the system. On the other hand, rules that are meant to protect the customers of this bank remain equally important, regardless of whether the bank is big or small. A proportionate regulatory regime would therefore allow small banks not to spend many resources on the first objective, but would not reduce the burden on the second one.

Things like common regulatory frameworks, equivalence regimes and passporting go the other way: they allow players present in multiple jurisdictions to reap some economies of scale, thereby benefitting from regulatory moats. To explain what those terms mean, common regulatory frameworks indicates that the requirements are similar—for example, a company might still have to submit reports to all their regulators, but all the reports can be the same or at least very similar.

Under an equivalence or passporting regime, the host (local) regulator assumes that the home regulator (where the company is based) does a good job and leaves the main regulatory burden with the home regulator. The difference between equivalence and passporting is one of degree—the latter term is in particular used in the EU where it refers to the unconditional right of businesses resident and regulated in one market to operate across the entire EU Single Market, whilst equivalence is an agreement between two regulatory jurisdictions that the two systems are currently equivalent, but that can be withdrawn at short notice.

Being a trailblazer is hard, in every business. Trailblazers spend a lot of time working on dead ends before finally coming up with the right solution. However, when solving business problems, intellectual property law, copyright law, or simply institutional knowledge often mean that trailblazers create a moat that protects them. This is not the case in regulatory interactions: here a lot of time and effort is spent convincing the regulators that allowing that particular new-and-untested business model is a good idea in the first place. After that, coming to an agreement as to what kind of documents, analysis, and reports the regulators need to see, and more generally what the regulatory framework should look like requires a lot of effort. Regulators will often lean on companies to do the leg work on that as they themselves lack the resources and incentives to do so.

Once all those issues are resolved, however, regulators no longer need convincing, and the document requirement and regulatory frameworks are in place. All a competitor has to do is to contact the regulators, and they'll guide them through the authorisation process. There is a slight twist if the trailblazer can shape the regulation in a manner that plays to their own strengths and to their competitor's weaknesses, but this is rare with a good regulator.

In a new area with no established best practices—and with a significant downside risk and much less upside—nothing can calm regulatory minds as much as giving the confidence that what is being done is not actually new, and that the risk is limited. That, in a nutshell, is the power of the precedent: theoretical arguments are good, but real-life experience is better.

The last solution—operate now, regulate later—is the odd one out. It can work, especially in lightly regulated industries, or where the regulator is not particularly powerful vis-à-vis the company in question. For example, where the company is global and operating in numerous locations whilst the regulators are local, losing the right to operate in a given location might not be catastrophic for the company, but the regulator might face a public backlash if the service is popular elsewhere. This strategy in particular allows bootstrapping regulation in cases where no regulator wants to go first: once one regulator has agreed on a certain regulatory scheme the company moves up from precedent (5) to precedent (2). It is, however, a rather risky undertaking, and in the financial services space it is not necessarily recommended, even though some segments—notably the crypto space—are sometimes seen as operating in that way.

Every junior consultant learns very quickly there is a very narrow point when one should go to see the senior partner in charge to discuss the new deck of slides. Going to see them when you think you have everything tied down and finished is dangerous: maybe you misunderstood something, or you were not given a key piece of information when receiving your brief, or the partner simply feels out of the loop and needs to put his or her own imprint on the deck. In any case, you'll have done a lot of superfluous work, and will have to redo a number of things. Going to see the partner too early is dangerous as well. First, it is bad for your reputation, because then you are seen as someone who is not particularly skilled and needs a lot of help. Also, the partner will see this as a brainstorming session rather than as an opportunity to tie down loose ends, and he or she might come up with many different ideas that you'll have to pursue, the majority of which end up being wrong, redundant, or simply not important enough to be pursued within the limited timeframe of the project.

Exactly the same points apply to regulatory interactions: if you presume too much, the regulator might simply disagree with you, and/or get annoyed that they have not been involved at an earlier stage. If you come too early, on the other hand, with no clear idea of what kind of regulation you consider appropriate, then the regulator will initially assume that you are not particularly competent in this area, and that you need extra supervision. Moreover, they will treat this meeting as a brainstorming session and you risk coming out of it with not much to show other than a big shopping list for more analysis and reports that the regulator would like to see for the next meeting. So here as well, hitting the sweet spot is extremely important in order to reduce the workload, and to keep the process on track.

In passporting regimes—and in the weaker equivalence regimes of course—the local regulator will always be able to throw a spanner in the wheels if they feel that a company is not following local rules that they consider important, even if passporting means that they do not have to follow the rules. If the local regulator is unreasonable, ultimately the regulated company will be able to rectify this when going through the appeals process, but this is a costly and lengthy endeavour, and possibly not a good strategy for start-ups with limited resources. The best strategy is usually to address such conflicts early on, and to comply with local regulatory demands where this is economically justifiable.

To give a concrete example, let's consider an alternative lender who does not take deposits and does not lend to individuals. In the UK this lender can choose to follow either a lightly regulated local model, or to get a banking licence. In Germany, every lender needs a banking licence, so alternative lenders either have one, or work with a bank. If the UK company wants to do business in Germany and has a banking licence, it can simply passport it. If it only has a local licence, it might not be able to passport it at all, and even if it manages to do so, it will need a local banking partner, which means probably that it will need to redesign a lot of its processes and systems.

This choice is ultimately down to individual circumstances, and should be given serious thought by the start-up's executives, ideally together with competent advisors. The local regime probably allows for a quicker and less-costly time-to-market, and an easier pivot if need be. The passportable regime, on the other hand, might save time scaling and, importantly, avoids the risk of getting stuck in a business model that does not scale.

The last observation is not really an observation but it is a meta-observation about the interaction of all that we have previously discussed (see also Figure 1.1).

FIGURE 1.1 A Regulatory Strategy Framework