A great friend of Glenbrook’s is Broox Peterson, formerly Senior Vice President and Assistant General Counsel at Visa International and currently in private practice. Earlier we posted his article So You Want to Start a Payments Company? which has helped many entrepreneurs and investors understand the considerations involved in payments-related businesses. In this new article, Broox updates us on what’s happening in the US regarding payments innovation and payments regulation. This article is © 2014 Broox W. Peterson, All Rights Reserved.

This issue was considered, albeit obliquely, at a recent Senate hearing in Washington D.C. investigating virtual currencies, primarily Bitcoin. Bitcoin supporters have claimed that onerous regulation will hinder the Bitcoin experiment (and, by implication, any innovative payment technology subject to regulation) and possibly kill it, and that this will drive Bitcoin out of the U.S. in favor of less regulated markets.

This is a pretty standard talking point for anyone against a regulatory scheme, although there was actually little discussion about this at the Senate hearing. Government regulatory and private sector witnesses all agreed that payments innovations like Bitcoin should be allowed to develop and prove their value for legitimate uses in the United States, and these witnesses, including Bitcoin advocates, further agreed, or at least did not dispute, that some regulation was appropriate to protect consumers and prevent exploitation for criminal or terrorist purposes.

Witnesses from the Financial Crimes Enforcement Network (FinCEN), the Department of Justice and the Secret Service explained how existing regulation (including the recent FinCEN clarification of which Bitcoin participants are covered under its regulations) was effective for the purpose of identifying and preventing or prosecuting criminal and terrorist activity in payment systems. None of the private sector witnesses, including the General Counsel of the Bitcoin Foundation, attempted to explain in what way application of existing regulation to Bitcoin was in fact harmful. As is usually the case with these kinds of proceedings, no one addressed the difficult questions, but then substance is not the purpose of most of what goes on in Congress.

Is there any substance to the received wisdom that payments regulation is too onerous and hinders or thwarts innovation? There is no binary answer, but some truth along with misconception mixed up in the claim.

It is true that the payments regulatory landscape is complicated. On the Federal level there is FinCEN, with extensive regulations but also useful written guidance. On the non-federal level there are licensing statutes in 47 states, Washington D.C., and Puerto Rico, with little written guidance available. Although there are general similarities in terms of what these state laws cover and require, there are significant differences in the specifics of many of these individually adopted laws that must be reviewed for each business that wants to enter the payments business. I have written in more detail about this in “So You Want to Start a Payments Company?”.

As with any regulated business, there are costs to identify and comply with these regulatory requirements, and the business has to be profitable enough to justify those costs. Presumably this fact does prevent some potential payment businesses from entering the market, and some of these businesses could have innovative technologies or processes that would prove useful to consumers.

On the other hand, at the Senate hearings the CEO of Circle Internet Financial, a startup seeking to process Bitcoin transactions, made the point that a business seeking to participate in and connect to the financial system in the United States should reasonably expect to make a significant investment in and be subject to regulation and licensing, although he did note the burden of multiple non-federal licensing schemes. In other words, the payments business is a regulated one, for good reasons, so no one should expect to (or perhaps even be able to) enter it on the cheap.

The process of identifying and complying with payments regulation that applies to a startup business is probably less daunting than common perceptions of the process, caused in part by the arm-waving of lawyers and compliance specialists (like me) trying to scare startup businesses to take the regulatory requirements seriously, and perhaps over-succeeding. So let me take a stab at dialing back some of the hysteria over payments regulation.

On the federal level, FinCEN takes extra care to target its regulation only at businesses that in its experience pose particular risks of abuse by money launderers or terrorist financiers. The FinCEN regulatory definitions of covered businesses contain exceptions and qualifications that exclude many business models FinCEN is not concerned about.

For example, the basic definition of “money transmission” that requires registration as a Money Services Business is very broad, but the definition expressly excludes coverage of businesses that engage in money transmission in connection with operation of a business other than money transmission, such as settling a securities sale transaction. This exception manifests itself in many circumstances, where the business involved is not in the money transmission business itself but rather another business requiring settlement or reimbursement in connection with the sale of goods or services. This is also partly the basis of the so-called “processor exemption”, available to third party payment processors who handle and transmit funds to settle payment transactions as the agent of merchant sellers (but not consumers or other payers).

If a processor or operator of a payments application (for any kind of party) does not touch the money, but simply supplies clearing and settlement instructions to a bank or ACH processor who move the money, it is not money transmitter under the FinCEN definition. This business model can be useful for start-ups seeking to prove a concept before building out a payment infrastructure with the attendant
regulatory compliance requirements, or for any business where actually handling the funds is not essential to the business model.

Prepaid cards are a platform for many novel startups, and are separately regulated under the FinCEN regulations. Although prepaid card schemes typically involve different parties for issuance, program management, and distribution of the prepaid cards used in the scheme, only one of these parties is required to register with FinCEN and be responsible for the required compliance (although actual compliance can be performed by the party in the scheme best positioned to perform certain duties). Actual sellers of the prepaid cards also have lesser compliance obligations, but do not need to register with FinCEN.

Typically, startups utilizing a prepaid card platform utilize existing vendors in the industry who have their own FinCEN registrations, and who will be responsible for compliance (with assistance from the startup in such areas as “know your customer”). Significantly, the FinCEN prepaid card regulations contain dollar thresholds below which the regulations do not apply, and these thresholds are high enough that many prepaid card programs are not covered, because FinCEN determined that the minimal level of risk involved did not justify application of the regulations to those programs. Regulatory compliance for these programs can consist simply of setting and enforcing appropriate transaction thresholds (although see below).

The requirements on businesses that are covered under the FinCEN regulations are not trivial, but they are proportional to the potential risks posed by the business. The FinCEN requirements are intended to prevent abuses of the financial system by requiring covered businesses to implement processes to detect and prevent money laundering, to identify and record transactions over certain thresholds, and to report suspicious transactions. In many ways these requirements can be considered best practice for any payments-related business, regardless of application of the FinCEN regulations to that business. No legitimate business wants its services to be exploited by money launderers or terrorists, and the screening processes designed to detect these also can detect fraudsters, who can be the bane of payments-related businesses.

The poster children for claims of onerous payments regulation are the 49 jurisdictions (47 states, Washington DC and Puerto Rico) with separate licensing requirements for any business offering payment-related services to their residents. Despite efforts to harmonize these laws and the adoption of a few limited interstate compacts to recognize licenses granted in another state, there still is quite a bit of variability in these state laws. Slightly different wording of definitions and exemptions in these laws can mean a business requiring a license in one state will not in another, and can also mean that one of two competing businesses can need a license in a state while the other does not, due to differences in business model. Payments-related startups may want to have an attorney with expertise in this area review the specific requirements of each jurisdiction to determine which actually apply to the particular business model in question, although in some circumstances, described below, some self-help can also work.

Despite the inherent complexity of multiple state licensing schemes, it is not really as bad as it appears, for a number of reasons. Although these state laws are not nearly as detailed as the FinCEN rules and the state regulators’ websites do not provide much, if any, guidance in interpretation of their statutes, the FinCEN requirements and exemptions can help in interpretation of the state laws, particularly the money transmitter requirements. For instance, the “processor exemption” is not expressed in most of these state laws, but conceptually it can be applied to all of them. Similarly, not many state laws contain language that expressly excludes from coverage money transmission incidental to a primary business other than money transmission, but it would be unusual for a state to claim that its licensing requirement applied in that circumstance. It is also possible to act as an agent of a entity that is licensed without needing a separate license, although this relationship must be documented consistently with each state’s requirements. The same exception generally applies to acting as an agent for a bank, which themselves do not require licenses, although this may not be possible in all states.

It is true that there are many instances where state licensing statutes raise questions of interpretation, either because of ambiguous drafting or failure to include language in their statutes that other states have in theirs that would provide an exemption from licensing. However, since the licensing requirements in all states address similar functional concerns arising out of payments-related businesses, it is often the case that the absence of express exemption language does not mean the regulator does not read it into the statute. There is usually, if not always, someone in the state regulatory agencies who is very knowledgeable about their statute and helpful if contacted with questions. In fact, a start-up business can determine its licensing requirements without an attorney simply by contacting the states in which it will be providing services, saving attorneys fees, if not time and effort.

If a startup determines that it will need one or more state licenses, there is a fair amount of paperwork and information that must be supplied, but since every state asks for the same general kinds of information once one application is completed, subsequent ones are easier to complete. The state licensing websites are usually very helpful in detailing the application process and the requirements on licensees, and diligent self-help is always an option in the licensing process. Again, the state regulators usually will be available to answer questions. There are, of course, costs associated with obtaining and maintaining these licenses, but these are simply expenses of being in the payments business.

I do not expect that anything said here has created warm feelings towards payments regulation, and perhaps quite the opposite. It would certainly be better if the state laws were more uniform and the regulators shared a common license registry. I have also not addressed what may be the biggest obstacle to many payments startups, which is finding a bank willing to do business with them. The wariness of banks may be due to potential liability for assisting money laundering/terrorist activity, or not being able to justify their own compliance obligations with the revenues from these startups, but it is a real and growing problem that regulation, however well intended and justified, has caused. Short of having banks treated like utilities with universal service requirements, and appropriate tariffed prices, I do not see this changing, and without question inability of payments startups to obtain a banking relationship will hamper innovation in the industry. Really.