<b><i>Legal Tech:</b></i> Contracting with a Fintech Company

The hallmarks of fintech are the use of new technology to solve old problems with products that are fast, easy to use and convenient. Fintech products are designed to be very efficient, and many are undeniably cool. Automation is maximized and human interaction is typically minimized. Hype is not unheard of, and market capitalization of some companies is stunning. Some fintech companies see themselves as the wave of the future, destined to put “old-fashioned” banks out of business.

For all the innovation of fintech service providers, they are probably just another type of vendor for your company, one of hundreds or thousands. Most normal vendor management and contracting issues will be relevant. Are there any special areas of concern for contracting with a fintech company?

Issues Arising Out of Innovation

Because innovation is key with fintech, the service provider may be a relatively new company and the service itself is likely new, both in what it is and how it is delivered. The service provider may also be on the smaller side and perhaps still evolving. Newer entrants may be unproven in their ability to scale up or handle a large enterprise. These do not present unique or insurmountable obstacles. As compared with well-established vendors, though, these characteristics may require special attention to up front diligence, testing, product definition, warranties and change management.

The Hot Property

Successful fintech companies can be a hot property. Customers and press may be flocking to them. Success, however recent, may embolden them. This, coupled with a reliance on automation and a general need for speed in all things, may result in a service provider that is contractually less accommodating than might be desired. This is especially true of unique products where a competitive offer is not available ' yet. These issues cannot really be solved with contract language. They can, however, be managed, particularly with a cooperative client that can help establish a productive working relationship with the vendor at the outset (or which can at least determine whether the product is really so critical to the company that it is necessary to suffer the pain of dealing with a non-accommodating vendor). It bears keeping in mind that not every fintech company that is a hot property today will survive in that lucky status.

Intellectual Property

Intellectual property issues will of course be important to both counterparties to a fintech contract. The underlying legal issues may not be that unique, but the context in which they are evaluated may be different as compared with dealing with an established technology vendor. For example, infringement protection is a normal ask from any technology vendor. Does the newness and innovation of the fintech service provider's offering mean that infringement presents a greater risk? Do the vendor's size and long term prospects engender confidence in the value of the infringement indemnity the fintech service provider is willing to make?

If the relationship is anticipated to be something more than passive receipt of service in a backroom setting, other ownership and licensing issues may be important. Is the customer likely to be contributing to the evolution of the vendor's product in a meaningful way? What rights, if any, should arise out of those contributions? Is it at least clear that the customer is not fenced out of using its own contributions in the future or in alternative relationships? How will the fintech product be embedded in the customer's other systems? Has the customer complied with its obligations to other systems' vendors? Are there proper provisions for transition and disentangling systems at the end of the relationship? If the fintech product has a public facing side, are branding and trademarking issues properly addressed?

Data

It is not uncommon for fintech service providers to have an expansive view of the data they want to use or have rights in. The customer whose business is the source of that data may obviously have a different and more proprietary outlook. The fintech vendor may claim the right to use data running through the fintech product to support other customers, to develop new products, to market products and for other purposes. Are these rights clear, acceptable and properly limited? Is data ownership clear, along with rights to use data, confidentiality obligations and obligations to return information at the conclusion of the relationship? To the extent that the fintech service provider is handling transactions or data that involve the customer's customers, these data issues can also take the form of customer and customer list ownership, control and portability issues.

As with any vendor contract, and especially where financial information is at issue, data security is likely to be an important and potentially controversial and risky topic. If the customer is used to dealing with regulated financial institutions as its financial service providers, that customer may want to consider the fact that the fintech service provider may not be similarly regulated (banks being heavily regulated and supervised with respect to data security). The fintech service provider is probably not required to have the same data security protections in place. Even if they do, they may not have the same degree of internal control and outside examination of those protections as does a bank. The Consumer Financial Protection Bureau (CFPB) in March of 2016 entered into a $100,000 settlement'with digital payment company Dwolla for allegedly misrepresenting how it protected customers' data. The CFPB alleged that Dwolla, which has stated that it has since improved its data security, advertised to customers better data security than it actually had at the time. Data security risks can obviously be mitigated with robust data security provisions in the contract, though likely with considerable resistance from the service provider. Given the significant losses that might result from a data breach, the customer should also consider whether the service provider can realistically be expected to be able to stand behind the commitments it does make in this area.

Regulatory Supervision

Innovative, entrepreneurial fintech service providers may have distinct competitive advantages over their more staid cousins, bank financial services providers. Many of those advantages arise from the lack of significant regulatory supervision. Whatever their faults, however, prudential regulators do offer a valuable public service in helping to assure the safety and soundness and stability of banks. Banks offer a safe and conservative choice as a service provider and are perhaps more likely to be around for the long term. Vendor stability risks may take on more or less significance based on the nature of the product being acquired. Fintech service providers that offer an application to handle limited data present a different risk profile than those that move money, for example. Contracts can play some role in mitigating these risks (e.g., with financial covenants and reporting, audit rights and termination privileges), but real risk management might mean that vendor management teams need to step up their initial diligence and ongoing supervision beyond what they might require of a regulated financial institution.

Regulatory Compliance

In the competition between fintech service providers and bank financial service providers, there is ongoing controversy over the degree to which fintech service providers are, or should be, permitted to operate free from the regulatory compliance restrictions applicable to banks. While this issue may not be as significant in the business space as it is in the consumer space, customers should at least consider whether the topic is relevant to their situation or the specific product involved. Although most vendor contracts should probably have a compliance with law requirement, counsel may want to drill down on what that really means for products with material regulatory compliance implications. Is the service provider properly licensed? Is it clear the service provider has responsibility for compliance with substantive requirements applicable to a particular service and what is the extent of that responsibility? Is the service provider attempting to allocate compliance responsibility to the customer? Is the service provider attempting to reserve the right to change prices if the regulatory environment changes?

If the service provider is providing a service that supports a product for which the customer has any consumer regulatory compliance responsibility (e.g., a payment functionality offered to the customer's customers), the customer should consider whether to seek the same sort of protections that banks are required to seek of their similarly situated vendors. This is especially true if there is a directly consumer-facing aspect to the fintech service. This may involve, among other things, establishing clear expectations about compliance (including prohibitions on unfair, deceptive or abusive activities), rights to obtain and monitor the service provider's policies, procedures and internal controls with respect to compliance, training and internal oversight of compliance, notification of complaints and consequences for non-compliance. See, CFPB Bulletin 2012-03.'

Acquisition, Consolidation, or Worse

As compared with all vendors, it may or may not be fair to suggest that fintech service providers present any greater degree risk of being acquired, consolidated or going out of business or bankrupt. As compared with bank financial service providers, it is probably fair to suggest that fintech service providers present a different risk profile. This difference can be significant depending on the nature of the service and how critical the service is to the customer's business (e.g., is the service a data application or a payment service that moves money?). Mitigating these issues does not involve a much different set of contractual tools than is used in other settings. The key here lies more in the customer identifying the degree of risk presented and answering with an appropriate provision (such as an anti-assignment provision or appropriate termination right) instead of letting a boilerplate provision slide through that will not be helpful to the customer when needed.

Conclusion

Many fintech service providers offer truly innovative and valuable products, sometimes at highly attractive prices. Like the products of any other vendor, these products will rarely be risk free. Careful upfront consideration of the special risks presented by a fintech vendor will pay dividends in achieving a useful fintech contract.

Bryan G. Handlos is a partner and Kevin F. Griffith is an associate in Kutak Rock LLP's Omaha, NE office. Handlos focuses his practice on bank regulatory and consumer financial services matters. Griffith focuses on corporate finance, mergers and acquisitions, and financial services regulatory matters. They may be reached at [email protected] and [email protected], respectively.