Fintech & Regtech

FNT104
Winter 2026
Volume 1
Core Concepts
Behram Faroogh
- The Regulatory Framework
- Types of Regulation
- KYC & AML
- The Regulatory Landscape
- Fintech Operations
- The Regulatory Bodies
- Equivalency & Passporting
- The Start-up
- The Shifting Landscape
Chapters in Volume 1
Chapter 1
The Regulatory Framework
Fintech and Techfin are similar terms that refer to the intersection of technology and finance, but they are often used in slightly different ways.
Fintech generally refers to the use of technology to improve and automate financial services. This can include a wide range of products and services, such as mobile payments, online lending, and robo-advisory services.
Techfin, on the other hand, is often used to refer specifically to technology companies that are entering the financial services space. This can include companies like Apple, Google, and Amazon, which are developing financial products and services such as digital wallets, credit cards, and insurance.
In summary, Fintech refers to the use of technology in financial services, while Techfin refers to technology companies entering the financial services space.
Fintech vs Techfin
Regtech (Regulatory Technology) refers to technology solutions that help financial institutions comply with regulations, reduce compliance costs and manage risks. This can include solutions for compliance management, anti-money laundering (AML), and know-your-customer (KYC) requirements.
Suptech (Supervisory Technology) refers to technology solutions that are used by regulators and supervisors to monitor and oversee the financial industry. This can include solutions for data collection, analysis, and surveillance, as well as tools for on-site inspections and risk assessments.
In summary, Regtech focuses on technology solutions to help financial institutions comply with regulations, while Suptech focuses on technology solutions that help regulators and supervisors identify and address risks and potential issues within the financial industry.
Regtech vs Suptech
There is no doubt that Financial Services is a highly regulated industry – and for good reasons, as it is the lifeblood of our modern economy and because it deals with people’s life savings.
Many people, especially in the tech world, see regulation as a nuisance – a necessary evil – something that at best needs to be reluctantly complied with. This is partially true – compliance with applicable regulations is tedious and requires a lot of work.
However, from a strategic point of view this is not necessarily a bad thing: to the extent that a company is better able to navigate the regulatory environment than others, this can and does provide a competitive advantage.
Regulation for Financial Services
Because of their very nature, FinTech companies need to deal with regulatory compliance in each and every market in which they operate.
Compliance being costly is one thing, but from a scaling point of view what is more important is that regulatory compliance means delays: even before the first customer interaction takes place, a company has to ensure that it can comply with the applicable requirements, document this, and then seek approval or registration in the relevant jurisdiction.
This process can be very time-consuming, especially if approached the wrong way, and the more regulatorily nimble competitors will leapfrog FinTech companies that are seeking regulatory compliance as an afterthought rather than a core strategic skill.
Costly Compliance
Whilst there is a general belief that markets work well in most instances, there is also an understanding that there are market failures, and history has shown time and time again that markets left to themselves can produce suboptimal or bad outcomes.
In many cases, market failures can be traced back to the fact that one party is better informed than the other one – not because they have failed to do their homework, but because structurally one party to the transaction finds it impossible or at least very expensive to acquire information that the other side has.
This is why we need to have regulation in place that is beneficial to both parties – we call this Beneficial Regulation.
Why markets fail?
Financial services are complex, so let’s start with an example where the market failure is very obvious: Taxi services.
First let's define the service: the classic street-hailed taxi service, where a customer must go from point A to point B within a city. Being at point A they'd therefore go to the closest busy street, or to the next taxi stand, and take a taxi to point B.
What the customer wants is to get there (a) unharmed, (b) reasonably fast, and (c) at a reasonable and predictable cost.
Unfortunately, if the customer just stands next to the road waving his hand and a car stops, he will not have the information that would allow him to assess points (a)–(c) above.
For example, he'd like to know that the driver is sufficiently capable and not a psychopath, and that the car is safe, in order to be assured of (a). To be assured of (b) he'd want the driver to be sufficiently skilled in navigating the city, and to be assured of (c) he'd either need to know that the driver is honest, or would need a benchmark to assess what is a fair price.
Taxi services – a case for beneficial regulation
It is interesting that technology changes how those constraints can be addressed.
For example, since GPS units have become ubiquitous, being able to navigate the city is no longer a big issue, and even non-residents can assess the length of a trip, and whether or not the price demanded is fair. However, ignoring the fact that nowadays it is possible to quasi-street-hail taxis using a smartphone app, the issue of an honest and skilled driver with a sufficiently safe car remains: when a car pulls up at the kerb or waits at the taxi stand, the potential passenger has no means of getting all the information he needs.
That is the fundamental market failure in taxi services, and in the absence of a mechanism to address this, potential customers might find it too dangerous to take a taxi, and therefore a mutually beneficial deal would not happen.
There are fundamentally two different ways in which this can be addressed:
Reputation and Regulation.
Taxi services – fundamental market failure
In countries where taxis are not well regulated one tends to have large taxi companies that dominate the market.
For example, when I was in Jakarta a few years ago, I was strongly advised to only use cars of a specific company, and to always order a car by phone, lest rogue drivers manage to get hold of a car of that company. This is also why you hear announcements at our own Toronto Pearson Airport constantly reminding tourists to hail cabs only from designated spots.
One impact of this was that it was rather difficult to get a cab when not in a location where some trusted friend or an honest concierge could order a car, and the company was able to charge premium prices because they had a quasi-monopoly on vetting reliable drivers.
Taxi services – Reputation plays a role
In most cities of the world, taxis are regulated.
They are easily identifiable as taxis, and both the car and the driver must be in possession of a valid licence. Licensed taxis are equipped with an official meter that both the customer and the driver can see, and that is the sole basis for the fare that will be due at the end of the ride. The taxi meter is regularly verified to ensure that it works correctly, and the police make spot checks on taxis in operation and fine offenders who do not comply with the aforementioned requirements.
In this environment, customers do not have to worry whether or not a taxi they hail in the street conforms with the requirements (a)–(c) discussed previously. Thus, provided the car is a licensed taxi, the customer can be assured that both the driver and car are vetted and that he or she therefore does not need to worry about taking this taxi.
In short, the fundamental market failure in taxi services has been addressed.
Taxi services – Regulation to the rescue
In the previous example of taxi services, we saw that information asymmetry can lead to a market failure in the market for street-hailed taxis: the market breaks down because potential customers may not be comfortable with their potential providers and therefore may not take taxis at all.
In financial services the situation is similar: for example, it is impossible for individuals to assess the strength of financial institutions, and therefore:
- they might either not deposit money with those institutions, or
- withdraw it at the first sign of distress
Either of the above constitutes a financial market failure.
Carry-over to Financial Regulation
Historically, we have seen two mechanisms that can be deployed to get around this financial market failure:
- services are provided by companies whose size and market share are sufficient to allow them to develop a strong brand; these are able to charge premium prices.
- services are provided by small companies, and there is a small number of private authorities who vet the providers and have a brand strong enough to support this.
In the early days of banking, banks mostly employed the first solution, i.e. brand and reputation were the major means of addressing this issue. A testament to this are the splendid branches that banks built to credibly signal their financial stability and solidity.
Carry-over to Financial Regulation
In modern banking there is also an element of the second solution, in that all major banks are rated by reputable rating agencies, and in major developed economies such as ours most banks are rated AA, or at worst A.
However, whilst rating agencies are an important data point in assessing the creditworthiness of a bank, in practice ultimately the only way to ensure that people leave their deposits with banks even in times of distress seems to be to make sure that:
- the banks are tightly regulated and risk is at an acceptable level, and
- deposits are insured, and there are sufficient business continuity procedures in place to ensure that the distress does not spread through the financial system.
Carry-over to Financial Regulation
Whenever an industry is regulated this fundamentally alters its strategic landscape.
The strategic impact of regulation cannot be understood generally, but must be analysed on a case-by-case basis.
For example, in markets with natural monopolies – e.g. utilities or transport - regulation is often the only way that competition can be maintained. In other markets, the purpose of regulation is not competition, but, say, customer safety or systemic stability, in which case regulation is more often than not an additional barrier to competition.
One universal truth, however, is that in regulated environments, being able to play the regulatory game well is a key competitive advantage, especially for new entrants trying to break into an existing market. This is doubly important for tech companies, where the focus is on being able to scale quickly and efficiently, and where regulatory moats can be both an opportunity for those who are on the right side of them, and a hurdle for those who are not.
The need for a Regulatory Framework
All regulation, even when it is meant to increase competition, creates moats.
Moats are good for companies, at least for those whose strategy means that they find themselves on the correct side of it. In an established business, the moats protect the incumbents. In a fast-changing yet highly regulated business segment, creating and taking advantage of regulatory moats can be key to becoming the new incumbent.
This is very important to understand: whilst regulation is a barrier to doing business, regulation is not necessarily bad for businesses, at least not for those businesses who find themselves on the right side of the moat.
This is even the case when it is bad regulation: customers might pay more or receive a worse service than if the regulation was better or not present, and the market size might be reduced, but a specific company using that regulation to its advantage might still find itself in a very comfortable situation.
Regulation creates moats
It is in the nature of Regulators to be reluctant.
Regulators have a duty to protect markets, and those markets typically require protection because they are important for the overall economy and/or for a significant part of the population. Also, whilst those markets in their regulated state might not be perfect, they tend to work sufficiently well. In that environment, innovation poses an asymmetric risk: the downside is destroying something that is essential in people's lives, whilst the upside is an incremental improvement whose value, even if it works, is often uncertain and not yet well understood.
Thus, regulators have a natural bias towards being reluctant and not rocking the boat.
In addition, regulators are typically underfunded and stretched, and their personal incentive structure is even more asymmetric as they'll get the blame if things blow up, but not much of the credit for marginal improvements.
Regulators are reluctant to innovate
There are two fundamentally different cultures within the regulatory community: a permissive culture and a pre-approval culture.
Under the permissive culture, regulators are more comfortable with companies going ahead and doing new things, to be regulated (or not) eventually.
Under the pre-approval culture, regulators expect everything that might need regulation to be pre-cleared from the beginning.
Those cultures can also temporarily shift, for instance when markets are perceived as not working as they should. An example of this would be the period after a financial credit crisis. In such an environment, regulators are often eager to help new entrants enter the market, for example by treating them more leniently than proportionate regulation would imply, or by actively helping them, e.g. in a regulatory sandbox environment.
Those episodes where regulators are eager are typically limited in time and geography. Being in the right place at the right time when this happens is very important.
Regulatory culture
As long as business scale is below the regulatory scale, incumbent businesses experience economies of scale when dealing with regulation. Hence, regulation creates a moat.
Active regulatory strategies can reduce or increase this moat. At the lower end, the moat is reduced if there is a proportionate regulatory regime in place; at the upper end, a certain moat is maintained if there are passporting or equivalence regimes in place, or at least some common regulatory rules that allow large players to reap economies of scale across multiple regulated markets.
The underlying reason here is that compliance costs do not scale much with the business volume, i.e. they have a significant fixed component. For example, bank regulators might require certain reports. The actual work of crunching the numbers for the report is done by a computer, and the cost of running a report pales against the cost of programming the computer. Regulatory compliance usually imposes a high fixed cost, and this creates moats.
Regulatory scale
Proportionate regulatory regimes acknowledge not only that there is this high fixed cost component in compliance, but that it is often not necessary.
For example, rules that are meant to keep the overall system safe if a bank defaults can be safely ignored when regulating a small bank whose default can easily be absorbed by the system.
On the other hand, rules that are meant to protect the customers of this bank remain equally important, regardless of whether the bank is big or small. A proportionate regulatory regime would therefore allow small banks not to spend many resources on the first objective, but would not reduce the burden on the second one.
Things like common regulatory frameworks, equivalence and passporting regimes go the other way: they allow players present in multiple jurisdictions to reap some economies of scale, thereby benefitting from regulatory moats.
Proportionate regulatory regimes
Common Regulatory Frameworks indicate that the requirements are similar—for example, a company might still have to submit reports to all their regulators, but all the reports can be the same or at least very similar.
Under an equivalence or passporting regime, the host (local) regulator assumes that the home regulator (where the company is based) does a good job and leaves the main regulatory burden with the home regulator.
The difference between equivalence and passporting is one of degree.
- Passporting, in particular, is used in the EU where it refers to the unconditional right of businesses resident and regulated in one market to operate across the entire EU Single Market;
- Equivalence is an agreement between two regulatory jurisdictions that the two systems are currently equivalent, but that can be withdrawn at short notice.
Proportionate regulatory regimes
Being a trailblazer is hard, in every business. It is hard to be a regulatory trailblazer, in terms of cost, effort, and time to market. The best position from a regulatory strategy point of view is that of a close follower, with the exception of where the trailblazer's business model has some hard-to-replicate features that they manage to slip into the regulation. Distant followers will find regulatory compliance the easiest as rules are already set, but their lack of scale and market share might hinder them.
Regulators will often lean on the trailblazing companies to do the legwork, as they themselves lack the resources and incentives to do so. Once all those issues are resolved, however, regulators no longer need convincing, and the documentation requirements and regulatory frameworks are in place. All a competitor has to do is contact the regulators, who will guide them through the authorization process. There is a slight twist if the trailblazer can shape the regulation in a manner that plays to their own strengths and to their competitors' weaknesses, but this is very rare with a good regulator.
Trailblazers and close followers
When regulation has not settled yet, precedents are very powerful.
In descending order of power, key precedents are:
- Someone else doing the same thing in the same jurisdiction, regulated by the regulator in question.
- Doing the same thing, in a different jurisdiction, regulated by the regulator of that jurisdiction.
- Similar regulation with a clear carry-over being in place in that particular jurisdiction, or in another one with sufficient reputation.
- The possible regulatory concerns are understood and agreed, and there is a written regulatory draft framework that addresses them.
- The business is up and running at a not-insignificant scale, and is well-liked by the public, and/or is in line with the current public opinion (e.g. ‘the financial system has failed us and needs to be renewed’).
Power of the Precedent
Even in a passporting regime, the local regulations still matter, if not de jure then de facto, so all local regulators should be kept informed and on-board.
In passporting regimes, and of course in the weaker equivalence regimes, the local regulator will always be able to throw a spanner in the works if they feel that a company is not following local rules that they consider important, even if passporting means that the company does not have to follow those rules.
If the local regulator is unreasonable, ultimately the regulated company will be able to rectify this when going through the appeals process, but this is a costly and lengthy process, and possibly not a good strategy for start-ups with limited resources.
The best strategy is usually to address such conflicts early on, and to comply with local regulatory demands where this is economically justifiable.
Local regulation matters
Jurisdictions within a passporting environment might offer two choices to start-up companies that are subject to regulation:
- compliance with a lightweight local framework, or
- compliance with a more complex cross-jurisdictional framework that can be passported.
This choice is ultimately down to individual circumstances, and should be given serious thought by the start-up's executives, ideally together with competent advisors.
The local regime probably allows for a quicker and less-costly time-to-market, and an easier pivot if need be.
The passportable regime, on the other hand, might save time scaling and, importantly, avoids the risk of getting stuck in a business model that does not scale.
Regime choice matters
Chapter 2
Types of Regulation
Regulations are about addressing market failures.
There are a number of market failures in the financial services space, and it is useful to classify the different types of regulation according to the market failure that they are meant to address:
- Prudential regulation
- Market structure regulation
- Conduct regulation
- Public interest regulation
Types of Regulation
Prudential regulation: Micro‐prudential regulation addresses the issue that single institutions have incentives to take excessive risks, and macro‐prudential regulation addresses the same issue for markets as a whole; many of them have a tendency to operate in destructive boom and bust cycles.
Market structure regulation: Market structure regulation addresses the issue that markets are not operating optimally, e.g. because of asymmetric information.
Conduct regulation: Conduct regulation addresses the issue that customers are not able to properly assess the respective risks and rewards of financial products, and that they can't see ahead of time who'll treat them fairly once they are tied in.
Public interest regulation: Public interest regulation addresses the issue that the financial system can be used for illicit purposes, for example money laundering or terrorist financing.
Types of Regulation
The regulation that is meant to ensure the safety of financial institutions and financial infrastructure is commonly known as prudential regulation. Prudential regulation can be further classified into micro‐prudential and macro‐prudential.
The former deals with the stability of individual institutions without considering their context, and this was the main focus of prudential regulation before the crisis. Up to that point it was widely believed that if all banks are considered safe, then the system can be considered safe as well. Since then, regulators have realized that this is not necessarily the case. To give an example, banks might choose to hold a portfolio of reasonably liquid assets in case they run into liquidity problems, and regulators might consider this sufficient, given the liquidity they see in the market. However, if many banks hold similar assets, and if there is a general liquidity stress, they might all try to sell those securities at the same time, and they might find that markets seize up. Macro‐prudential regulation is meant to discover and address those risks.
Prudential Regulation
On the micro‐prudential side, regulators want to ensure that individual institutions are safe and well run. For banks, for example, the major prudential requirements are that:
- they hold sufficient capital to be reasonably certain that depositors and other senior liability holders don't suffer any losses in case of distress
- they hold sufficient liquid assets to be reasonably certain they will be able to repay obligations when they come due
- they competently assess, manage and mitigate all risks they face, including operational risks. This includes business continuity planning as it is important that a bank failure does not interrupt the business for their customers.
It is crucial for a Fintech start‐up to understand the regulations that apply to their regulated competitors. Also, for early‐stage Fintech companies there is a real risk that companies cease operations, so regulators expect contingency plans in place that allow for an appropriate level of business continuity.
Micro-Prudential Regulation
Macro‐prudential regulation is about protecting the interconnected system as a whole, not individual players.
Size matters here: macro‐prudential regulators will usually ignore an institution that has only a few thousand customers, or even a few tens of thousands of customers for that matter, and similarly they are likely to ignore individual start‐ups if their business volume is insignificant in the overall scheme of things.
The toolkit of macro‐prudential regulators is mostly analytic - they collect and analyze data, and if they have specific concerns they ask for specific reports, or for stress tests under scenarios they are worried about.
Another important tool is living wills and resolution plans: for companies that are considered systemically important, regulators may ask for a detailed plan as to how they can be wound down without risk to the overall financial system. It is similar to a business continuity plan but is more detailed and is created in close interaction with regulators.
Macro-Prudential Regulation
Market structure regulation is about making sure that markets are as close to being efficient as is reasonably possible. The main issue to address here is usually information asymmetry in its various guises.
Market structure regulation tries to address the situations where some participants are in a structurally superior position. For example, it outlaws insider dealing, i.e. it makes it in many cases a criminal offence to trade a security when in possession of material non‐public information. Other regulations ensure that players do not have different access to key market information, for example that some players are not allowed to see orders significantly earlier than others, or also that companies must release information such as annual reports or ad hoc messages to all investors at the same time.
It also addresses natural oligopoly issues that often arise in financial services, in part because of regulatory moats. Thus, in order to ensure competition, regulators can require access to key infrastructure on fair and non‐discriminatory terms, thereby allowing the smaller players to compete with the larger ones.
Market Structure Regulation
Financial markets are important, and for many people they are complex to understand.
Conduct regulation is in place to ensure that customers are treated fairly.
What this means depends on the exact regulatory regime in place - some are more protective than others - but the principle is that customers should be put in a position to make informed decisions with respect to their finances. For example, some jurisdictions might simply require customers to be provided with sufficient information, others might require the financial services company to ensure that their customers understand the information they have been given.
Conduct regulation also includes data protection and privacy rules that regulate what level of protection customers can expect from regulated institutions and their partners in this area. This is important as customers are not in a position to audit their provider’s systems and processes in this respect, and might not even be able to ascertain whether or not the protections provided in a company's terms and conditions are adequate.
Conduct Regulation
Financial institutions' conduct is also regulated for the common good, for example for crime prevention and similar public policy purposes.
The key areas covered with those regulations are:
- Anti Money Laundering (AML)
- Combat Terrorist Financing (CTF)
- Anti‐Bribery and Corruption (ABC), which includes Politically Exposed Persons (PEP) processes.
All of the above enlist the financial system as a deputy in the fight against crime, corruption, and terrorism, and also in support of politically motivated actions, in particular embargoes.
The central element in all those processes is the set of Know Your Customer (KYC) rules: financial institutions must know their customers, and where necessary the ultimate beneficiaries behind their customers, to ascertain whether or not the flows of funds they observe correspond to legitimate activities, and that the persons involved do not appear on any of the relevant lists.
Public Interest Regulation
Chapter 3
KYC & AML
Know Your Customer (KYC) is the process of obtaining information about the customer and verifying their identity.
The scope of identity information to be obtained varies by jurisdiction.
Usually, businesses need at least the following data:
- Name
- Date of Birth
- Address
During the verification process, customers provide businesses with certain credentials, such as their ID. It’s on the businesses to ensure that submitted documents aren’t fake and that customers are who they say they are.
What is Know Your Customer (KYC)?
AML is a series of measures and procedures carried out by financial institutions and other regulated entities to prevent financial crimes. For regulated businesses, this includes analyzing customers and their transactions, recordkeeping, reporting to AML authorities on suspicion of money laundering, and so forth.
Regulated businesses must develop their AML measures under the AML regulations of the country or region they operate in. Here are some examples from across the world:
- The Money Laundering, Terrorist Financing and Transfer of Funds Regulations in the UK
- The Anti-Money Laundering Act in Germany
- The Payment Services Act (PSA) in Singapore
In Canada, the federal government introduced anti-money laundering (AML) and anti-terrorist financing (ATF) legislative changes as recently as April 2022. The changes came into force on April 5, 2022.
What is Anti-Money Laundering (AML)?
AML involves a broad range of measures, usually referred to as an AML compliance program. KYC is just one component of this program, and is therefore a subset of AML.
AML program requirements can vary across jurisdictions. But, usually, they involve:
- Customer Due Diligence (CDD)
- Enhanced Due Diligence (EDD)
- Risk assessment
- AML policies and internal controls
- Ongoing monitoring
- Suspicious activity and transactions reports
- AML compliance officer appointment
- AML training programs for staff
During the CDD procedure, businesses must identify and verify customers—in other words, carry out KYC checks and define customer risk profiles.
Difference between KYC and AML
AML compliance, including KYC, is mandatory for regulated entities but its scope varies across jurisdictions. Usually, this includes:
- Financial institutions
- Credit institutions
- Insurance companies
- E-money institutions
- Payment institutions
- Virtual Assets Service Providers (VASPs)
- Gambling service providers
- Art dealers, etc.
VASPs fall under AML regulations in many countries, including Canada, the USA, the UK, France, Singapore, Japan, South Korea, and others. In some other countries, however, VASPs aren’t yet even written into law, or are banned altogether.
Where is KYC/AML required?
KYC/CDD is required in a number of cases described by national AML regulations.
Usually, they include, but are not limited to, cases when the client:
- Establishes a relationship with a business for the first time (for example, opening an account at a bank or crypto exchange platform)
- Makes a transaction exceeding the amount defined by AML regulations
- Poses suspicions in relation to money laundering/terrorist financing
When is KYC/AML required?
Businesses can implement either manual (performed by a human compliance team) or automated KYC/AML checks. Automated KYC/AML and sanctions screening solutions reduce the risk of losing applicants by increasing pass rates. By automating KYC, businesses obtain customer identity data through online identity verification. This process can occur on a mobile or web platform, and usually involves 5 steps:
- The user selects their ID document type
- The user uploads photos of their document
- The KYC platform screens and validates the document
- Users upload a photo of themselves holding the document
- The KYC platform verifies that the user is a real person
Automated KYC procedures can also include biometric checks. One example is liveness, a face authentication process that verifies whether the client is a real person.
Automated KYC checks
Automated AML and sanctions screening solutions are beneficial in terms of costs and efficiency. They reduce manual work and protect businesses from crime by getting reliable data from trustworthy sources, such as:
- PEP (Politically Exposed Person) lists
- Sanctions lists
- Watchlists
- Adverse media lists
With automated AML solutions, businesses can build verification flows according to AML/KYC requirements in any given jurisdiction.
Automated AML solutions
Banking, fintech, and crypto markets are the most vulnerable to money laundering and fraud. Effective KYC/AML processes can mitigate this by:
Lowering legal and reputational risks
By complying with AML laws, businesses can avoid hefty fines and other penalties from regulators while safeguarding their reputation.
Detecting fraudsters
In financial services, fraudsters not only use fake IDs, but apply a variety of sophisticated schemes, for example, money muling. By ensuring that only verified users can become customers, businesses can curb even the most innovative fraud attacks.
Improving user experience
When businesses optimize their KYC/AML flows according to applicant risk profiles, users don’t have to pass extra checks. This reduces drop-offs and improves user experience.
Best practices for KYC/AML
Chapter 4
The Regulatory Landscape
Canada is a business-friendly jurisdiction that has a wide array of fintech businesses, at all stages of growth, operating throughout the country.
In 2020, the anticipated pace of fintech regulatory development in Canada slowed due to the COVID-19 pandemic; however, Canada nevertheless continued its transition to an increasingly digital economy.
Initiatives related to open banking, known as “consumer-directed finance”, payments and cryptocurrency have been particularly active in Canada.
Canadian Regulatory Landscape
COVID-19 caused a material shift in consumer behavior, and Canadians accelerated their adoption of technology, notably in the area of digital and contactless payments.
A recent Payments Canada study showed:
- 62% of Canadians reported using less cash since the start of the pandemic.
- 53% of Canadians reported increased use of contactless payment methods.
- Electronic payments now make up 75% of total payments volume in Canada.
Consumer behavior post COVID-19
There is no single Canadian regulatory body, either at the federal or provincial level, with sole jurisdiction over fintech businesses. Rather, depending on the type of services provided by the fintech business, a number of regulatory bodies have jurisdiction over it.
Fintech businesses that provide banking, consumer credit and insurance services, or capital-raising services, find themselves subject to the same regulations as incumbent businesses in the same areas.
However, Fintech businesses are typically also subject to privacy laws such as PIPEDA (Privacy Information Protection & Electronic Documents Act) and to AML laws.
Fintech Regulation in Canada
Most of the regulations applicable to a Fintech business depend on the sector in which it is operating, and/or which products it is offering.
However, there are a number of regulations that apply to most Fintech businesses, notably:
- taking reasonable steps to avoid money laundering, terrorist financing, and other financial crime
- keeping customer data safe, and ensuring that customers' privacy is respected
- ensuring an adequate level of customer protection, including ensuring that a product is suitable where this is required
- ensuring that there are adequate continuity and wind‐down plans in place should the business default
- ensuring that the company does not endanger the critical financial infrastructure
Common Regulations for Fintech
It is noteworthy that Fintech regulation is not an end in itself, but a means to achieve a certain end, typically to address a market failure.
The smaller a company is, the less damage it can do, and the less it is subject to regulatory oversight. There is one important distinction to make: proportionality mostly applies in the area of macro‐prudential regulation and market structure, because in those areas size matters.
However, any company can do damage to its customers, so even small companies must comply with conduct rules, micro‐prudential rules ensuring appropriate levels of safety for customer assets, and public interest regulations, e.g. in the money laundering and terrorist finance space.
Principle of Proportionality
Chapter 5
Fintech Operations
So when a TechFin creates Fintech and starts selling, what are its sales operations and where does the revenue come from? It boils down to the focus of Fintech.
Fintech can either have:
- a Product focus - i.e. you are selling a product, such as an 'app', or
- a Service focus - i.e. you are targeting a certain sector or geography
Focus in Fintech
The operations of a Fintech with specific product focus may or may not fit neatly into one of the traditional areas of regulation.
For example, a robo‐advisor would be regulated similarly to an investment advisor, and for an app that allows friends to share bills some bank‐like regulation might apply (unless there is specific regulation in the payments space that recognizes non‐bank payment services providers).
However, there are products that are more difficult to fit into existing categories. For example, peer‐to‐peer lending or crowdfunding do not slot neatly into pre‐Fintech categories that did not really foresee individuals providing finance to each other on a large scale.
Product focus
A Fintech company could focus on providing a complete set of financial services to a very narrow set of customers.
This company might focus on distribution, meaning that it would not create the products itself, but rely on partners – e.g. banks, insurance companies, etc. – whose products it would white‐label and sell on to its own customers. Regulating this company like a financial conglomerate would certainly not be the way to go.
On the other hand, solely relying on the fact that the backend product providers are regulated would probably not work either, as at least some of the applicable regulations (e.g. money laundering, data protection, conduct) are relevant for the front‐end provider as well.
Service focus
It is often difficult to design product‐based regulation.
It would be ideal if one could apply the equivalent of duck typing (if it walks like a duck, and it quacks like a duck, then it must be a duck) and whilst regulators often try to do so, it is not always possible.
The very nature of law makes it difficult to write regulation on a functional or product level because there is always the tension between making the law unambiguous and predictable, and making it flexible enough to allow for variations around a theme when the market offers products that are similar in nature, but different in important details, in particular also in the legal form.
The question is ultimately about where to apply the boundary.
Regulating Product
Regulating Fintech products based on rules is hard.
It is usually possible to look at existing products and services and then write legislation that sorts them correctly into those where it should apply and where not.
However, once the legislation is written, new products can be designed that end up on the wrong side of the boundary:
- either deliberately - a process often referred to as regulatory arbitrage,
- or by chance - in which case existing legacy regulation can and does impede the development of innovative products and services.
Regulating Product : rules based
An attempt to solve the dilemma of classic rules-based regulation is to go down the route of principles‐based regulation, allowing more regulatory flexibility.
In practice this is not a dichotomy but rather two opposite ends of a continuous spectrum, as principle‐based regulations also have some hard rules, just fewer of them, and vice versa.
Principles‐based regulation can solve some of the issues, but it comes at a cost: for example, there is less regulatory certainty, and regulators become more powerful so regulatory capture and even corruption can become more of an issue.
Regulating Product : principles based
Financial services regulation is usually organized within classic industry sectors:
- banking and payments,
- insurance and asset management, and
- market infrastructure.
Within those sectors, there are a number of lines along which regulation can be split, for example:
- by structure – e.g. prudential (robustness of institutions and the system) vs conduct (e.g. fair treatment of customer) vs market (e.g. product innovation and availability)
- by subsector – e.g. banking, payments; or insurance, mutual funds, pension providers; or exchanges, clearing houses
Regulating Service
Fintech regulation does not always catch up immediately with what is happening in the market.
Especially when business models are new, and/or do not map properly onto the classic regulated businesses, it is often not clear which exact regulation applies, how it is to be interpreted, and who the regulator in question is.
That is an opportunity, but it also carries the risk that a regulator suddenly steps out of the woodwork and imposes restrictions or even fines. Ultimately a start‐up company with limited resources must weigh the risk of getting bogged down in regulatory discussion with a number of regulators, most of which might not have a clear idea what to do in this respect either, against the risk of being told off at a later stage.
Playing catch-up
Chapter 6
The Regulatory Bodies
Regulation is anchored around primary legislation that has been implemented at the appropriate level. By default this is the national level, but there are important exceptions.
For example:
- In the United States – insurance regulation is based at the state level, and bank regulation can either be at the state or the federal level, depending on whether the bank has a state charter or a federal charter.
- In the European Union – a lot of regulation is legislated at the supra‐national level, in a slightly complex process involving national‐level legislators as well.
Sources of Regulation
Regulatory legislation is complex and technical, and the broad‐brush principles have to be interpreted to ensure coherent application on the ground. Therefore, primary regulatory legislation generally leaves a lot of the technical details to secondary legislation.
Wherever there is a legislator enacting regulation there tends to be one or multiple agencies tasked with implementing this legislation, loosely referred to as ‘regulators’, and those regulators are usually also in charge of enacting the secondary legislation. The balance between the frontline regulatory task, and the duty to create secondary legislation can vary.
The financial system is highly interconnected at all levels, and it is therefore important that regulation is coordinated and harmonized at all levels as well.
Regulatory Levels
The international harmonization of regulation happens in a number of supranational forums where national regulators and legislators, plus typically the EU as an independent party, convene and discuss to what extent regulations should be harmonized.
At a political level, the highest‐level group addressing this is the G20 forum of heads of state or finance ministers who, supported by their senior regulators, decide upon a high‐level roadmap of where they want international regulation to go.
The main focus of the G20 Forum tends to be the avoidance of financial crisis.
G20 Forum - international harmonization
The G20 only meets occasionally, and is supported by:
- the Financial Stability Board (FSB), which is a permanent institution that drives the G20 agenda between the meetings.
On a more technical level, there are 3 organizations that deal with the global harmonization of rules in their respective sector:
- the Basel Committee for Banking Supervision (BCBS) for banks,
- the International Association of Insurance Supervisors (IAIS) for insurance companies, and
- the International Organization of Securities Commissions (IOSCO) for market places.
G20 Forum – and its support structure
The FATF (Financial Action Task Force) is another important international organization which coordinates the global fight against:
- money laundering,
- terrorist finance, and
- financial crime.
FATF is a forum to create harmonized rules in the above areas and it regularly reviews and comments as to whether national practices are in line with said rules.
The FATF
CRTA (Canadian RegTech Association) is a non-profit organization focused on solving regulatory challenges through collaborative efforts between key RegTech stakeholders:
- regulated entities,
- technology vendors,
- regulatory bodies,
- government, and
- professional service providers.
The CRTA
canadianregtech.ca
CRTA’s goal is to:
- facilitate dialogue,
- raise standards, and
- promote growth and innovation within the Canadian RegTech ecosystem.
CRTA solves regulatory challenges through collaborative discussion and engagement in proof-of-concept initiatives.
CRTA Goals
- Actively lead progressive dialogue amongst industry, innovators and policy makers
- Champion and promote the innovative use of technology to create efficiencies and reduce the costs of regulatory compliance
- Create greater awareness of the Canadian RegTech industry within Canada through Thought Leadership, hosted events, podcasts and collaborative partnerships
- Represent the Canadian RegTech industry in global forums including International RegTech Associations by highlighting local Canadian expertise that can be readily exported to other jurisdictions
- Participate in the development of standards and establish mechanisms with partners to test and validate within the RegTech community
CRTA Objectives
By default every subsidiary of a company is subject to the rules of the jurisdiction where it is incorporated. This, however, cannot be seen in isolation, and there is also the group‐level company view to consider.
In order to deal with this, regulators establish for every major financial group a so‐called regulatory college where all national regulators for whom the group in question is important participate, and that is led by the group's home regulator, i.e. the lead regulator in the jurisdiction where the group holding company is regulated.
There are a number of conventions and international agreements about how those colleges operate, but essentially they must agree on respective responsibilities, in particular with respect to control, inspection, and information sharing, and on how to deal with sanctions and emergency situations should the need arise.
Regulatory College
Chapter 7
Equivalency & Passporting
One of the key reasons behind the harmonization of regulations is to enable companies to engage in cross‐border business without having to go through a full regulatory approval process in every jurisdiction in which they operate. In current regulatory practice there are two different levels of authorization:
Equivalency means that rules in two jurisdictions are similar enough that regulators are confident that the firms covered by them can operate in each other's markets (or portions of each other's market, e.g. only covering sophisticated investors) with a reduced level of local oversight.
Passporting means that the rules in the two jurisdictions are so close that only very limited local oversight is needed, and that therefore the regulator of the company's home jurisdiction is responsible for looking after the company's entire business, including in passported jurisdictions.
Equivalency & Passporting
When regulators declare their rules within a certain area to be equivalent, this indicates that either set of rules is as good as the other.
In this case the regulators might grant each other's regulated companies access to their own markets, subject to a number of operational guidelines with regard to the respective rights and responsibilities of home regulators and host regulators, and how they'll interact — in particular, how they'll share data.
Typically, market access via equivalence is within a very narrow range of products, services, and customers, with the latter almost always being professional or sophisticated counterparties that are believed to be able to look after themselves if need be.
Equivalency
Companies that are established within the EU's Single Market do not have to rely on equivalence to provide their services on a cross‐border basis.
As the rules are already the same (within the parameters established by the relevant directives and regulations, i.e. taking into account permissible variations across jurisdictions) the different regimes are known to be equivalent.
In fact, they are super‐equivalent in the sense that the variation in rules is much smaller than would be the case under the typical equivalence regime. In this case, companies can provide services under a regime that is known as ‘regulatory passporting’.
Passporting
Companies that are authorized in an equivalent regime have the right to apply for authorization under the equivalence provision, meaning being authorized in their home country is a necessary condition for authorization under equivalence.
Under a passporting regime, companies that are authorized in their home country have the right to operate under this passport, meaning being authorized in their home country is a sufficient condition for authorization under passporting.
There are a number of administrative hurdles to overcome, but overall, gaining access to a market via passporting is much preferable to gaining access via equivalence. However, companies must be established in the business they want to passport in their home Member State – they can't just go forum shopping and establish themselves in a particular jurisdiction for regulatory reasons without doing substantive business there.
Equivalency vs Passporting – bottom line
Chapter 8
The Start-up
Start‐ups should have a good view on the regulations in place in the product areas in which they are operating.
In particular, if start‐ups are competing head‐on with regulated businesses, they should know the regulations that those businesses have to comply with, and they should spend some senior management time and effort to adapt their own strategy accordingly.
A number of questions that senior management should ask themselves, and points to ponder, are presented on the following two pages.
What is a start-up to do?
1. Are there regulations that apply to our business?
2. Are there regulations that would make sense if they applied to our business, and is the only reason they don't apply because our business model is not yet on regulatory radar?
3. Are there regulations, or regulatory principles, that apply in the product space that we are covering?
4. Are there regulations that apply to traditional competitors but not to us, and do they really not make sense either in their case or in ours?
5. What are the implications of the answers to the above points with respect to product design? Are there product features that would make it better suited to the regulatory environment?
6. What are the technology implications of the above points? In particular, would it be better to take certain design decisions now, or leave them to later?
Start-up to Ask some Questions
If there are regulations where the answer to question (1) is ‘yes’ or ‘probably yes’ then it is highly advisable to talk to the relevant regulator.
Any regulations where the answer to question (2) or (3) is ‘yes’ should be high on the priority list, as they'll almost certainly become a requirement in the future.
Those under (4) are more ambiguous: there is a risk that they'll be extended for level‐playing‐field reasons, or maybe they might be entirely scrapped, so they should be on the radar but need not necessarily be acted upon.
Points (5) and (6) are key strategic questions in terms of product and system development that companies should consider.
Start-up to Ponder over the Answers
One instrument often used by early‐stage start‐ups is a non‐action‐letter.
A start‐up may formally approach the regulator with a description of its business activities, processes, and volumes, especially in the areas that relate to regulated parts of the financial system. If the regulator is persuaded that those are adequate it might issue a non‐action‐letter. This letter is time-limited and conditional on the environment not substantially changing from that which had previously been described, in particular also in terms of business volume.
A non‐action‐letter does not provide 100% legal certainty that everything is correct, especially if things go wrong. Also, it only covers the regulator who has prepared the letter, so it should not be taken as an indication that all applicable regulations have been complied with, or that all relevant regulators are on board.
Having said this, in most cases having a non‐action‐letter is better than not having one.
Non-action-letter
Chapter 9
The Shifting Landscape
For the longest time, the big banks dominated the financial services landscape, providing the deposit, payment, and credit facilities that we all use and take for granted, but they are no longer the only players in town.
Businesses that would once have relied on banks for credit can now borrow from peer-to-peer (P2P) platforms or specialist lenders. As alternative finance gains traction with customers, FinTech is approaching the tipping point at which a critical mass of consumers and businesses see technology-driven solutions offered by new players in the marketplace as preferable to services offered by incumbent banks.
Alternative Finance
You know what they say: if you can’t beat them, join them.
Developments in FinTech have the potential to erode the brand equity of the incumbent banks and eat into their market share. But banks also have an opportunity to embrace FinTech innovation and offer new solutions to their customers.
The smartest move is to collaborate, not to compete – and many banks have understood this. Strategies differ but the goal remains the same: survive, and even profit from the digital disruption. This may actually be beneficial for the big banks. What is better than having someone inventing everything right in front of you, and allowing you to just buy it?
This is a once-in-a-lifetime opportunity for banks to obtain advanced capabilities and modernize infrastructure without having to develop it in-house.
It only requires an open innovation mind-set for banks to join the game.
What is an incumbent bank to do?
FNT104.2026.Winter.01