The FinTech scene is dynamic, disruptive, innovative and, oh yes, complex. This is well-known. Regulatory authorities in most jurisdictions are consistently and hopelessly left in the dark. That is also well-known. This despite the fact that it was the politicians and legislators who triggered and made possible the FinTech euphoria in the EU almost 10 years ago with the Payment Services Directive (PSD). There are many different segments and niches in which FinTechs are active, but their respective effects and their evolution are only gradually becoming known. It’s about time for regulators to leash the FinTech dogs released via PSD and PSD2. Financial freedom without regulatory limits leads to economic chaos. So far, they address only the tip of the iceberg with their regulatory regimes and actions.
Retail App Banking
FinTechs are known to the general public primarily through smartphones, apps and retail brands such as Revolut, Monzo or N26. As regulated financial service providers, these Retail App Bankers primarily address consumers and small businesses with their range of products and services, which are primarily focused on payment transactions. They acquire end customers for themselves and the App-based financial system. These FinTechs are characterized by their straightforward structure and simple business models. Essentially, the offer to end customers is to simplify and mobilize their banking. For this reason, the term app banking is often used in this context.
Corporate API Banking
At the other end are the FinTechs, who act as so-called acquirers or as partners of acquirers. These FinTechs’ business model is focused on corporate banking. They integrate legal entities into the global financial system offering them bank wires, credit/debit cards, prepaid cards or cryptocurrencies. These corporate clients are called merchants. Let’s call this segment Corporate API Banking or API Banking for short.
Some of these FinTechs operate as licensed e-money institutions and payment services providers (PSP). Others operate as mostly unlicensed payment processors. They operate platforms like Praxis Cashier, Naspay Cashier, or Pradexx, to name just a few. These platforms integrate the APIs of banks, e-money institutions, or unlicensed Payment Services Providers (PSP) on the one end and offer their own “all-inclusive” API to their merchants on the other end.
It is a very complex segment in which various API layers form a network that is often (deliberately) opaque. In Europe, the so-called Payment Services Directives (PSD and PSD2) have enabled the emergence of this Open Banking or API Banking. This, in turn, has enabled the emergence of e-money institutions and, unfortunately, the dawn of next-generation cybercrime.
FinTech groups, API Banking, and the “Fonseca Approach”
The good news is that API Banking has enabled the deregulation of the traditional banking sector and the emergence of the FinTechs. This has undoubtedly brought many benefits for consumers and economies. The bad news is that API Banking is prone to fraud and money-laundering.
More and more often we encounter so-called “FinTech Groups”. These are formal and/or informal organizations under the control of a group of individuals that consist of several companies and serve different horizontal and vertical segments. These FinTech Groups take financial technology and API banking beyond the capacity of any regulatory framework. As a matter of fact, quite a significant percentage of FinTech Groups are serving high-risk and illegal businesses and offering cheap and efficient money-laundering. It doesn’t take a rocket scientist to conclude that the manipulation of credit card transactions via recoding or miscoding, for example, is an easy task in API banking and is therefore frequently applied.
Miscoding of credit card transactions conceals the true nature of transactions and businesses from credit card networks and issuing banks. It’s an easy task to recode the deposit made by a credit card owner at an illegal brokerage site into a payment made at an online antique merchant.
Dark-world FinTechs are able to take over the role occupied in the offline world by consulting and law firms such as Fonseca: concealing illicit cash flows and the nature of the business and the beneficial owners.
In the area of Corporate API Banking, which is susceptible to fraud and money laundering, we can identify certain patterns.
| Relaxed Regulatory Regime | FinTechs often try to obtain their license in rather “relaxed” regulatory regimes such as Cyprus, Lithuania or Estonia in the EU. Therefore, one finds many Israeli or Russian FinTech Groups in these regulatory regimes working with local front line people. |
| Multi-jurisdictional Approach | The individual companies of the FinTech Group settle in different regulatory regimes, thus spreading their risk and obtaining “regulatory flexibility”. |
| Cross-company services | The individual services in the FinTech Group are distributed through different companies and offered under different brands (d/b/a). For example, payment processing platforms are often not operated by regulated and licensed companies in order to be flexible with KYC/AML/CTF procedures. |
This distribution of financial and payment transaction services within a FinTech Group over different legal entities is not in the spirit of regulatory frameworks. In fact, from our point of view, it is a violation of the license terms in most regulatory regimes if the beneficial owners of a licensed financial service provider operate other entities in addition to the licensed entity, which interact with the licensed entity but remove certain services from the access and control of the regulator.