Fintech Market Overview

This article does not constitute legal advice.

Data protection in the USA

In the United States, there is no overarching privacy law that applies broadly to all businesses.[1]

The Gramm-Leach-Bliley Act (GLB) is the primary federal privacy law that regulates the activities of fintech firms.[1]

GLB applies to the use and disclosure of any non-public personal information (NPI) by a financial institution.[1]

NPI includes any personally identifiable financial information that meets any of the following conditions:

  1. it is provided by a consumer to a financial institution
  2. it results from a transaction or service with the financial institution
  3. it is otherwise obtained by the financial institution [1]

The term "financial institution" is broadly defined to include any entity that is significantly engaged in financial activities such as lending funds, servicing loans or transferring money.[1]

GLB is implemented by two distinct rules:

  • the Privacy Rule, which requires financial institutions to provide privacy notices to their consumers and customers and offer them an opportunity to opt out of certain disclosures of their NPI
  • the Safeguards Rule, which requires financial institutions to ensure the security and confidentiality of NPI through the development of a written information security programme [1]

Several other important federal and state laws and regulations for fintech firms to bear in mind and comply with include:

  • the federal FCRA, which regulates the use and disclosure of consumer reports
  • the federal Red Flags Rule, which requires financial institutions and creditors to develop, implement and update a written identity theft prevention programme to detect and respond to red flags that might indicate identity theft
  • the federal Affiliate Marketing Rule, which limits the sharing of certain information among affiliated entities for marketing purposes
  • if the fintech will be interacting with children, the federal Children's Online Privacy Protection Act, provisions of the California Consumer Privacy Act (CCPA) that apply to opt-in requirements for sale of data for children aged 13–16 (and parental opt-in consent for children 13 years and younger), and other California and additional state privacy laws that apply to children under the age of 18
  • the federal Health Insurance Portability and Accountability Act (if the fintech will be interacting with healthcare data) [1]

In addition to laws that are straightforward in their applicability, other federal and state privacy and data protection laws may be triggered based on the type of security processes, procedures and tools fintechs deploy in their product offerings.[1]

For example, a fintech that utilises biometric recognition or verification tools through a mobile device must comply with state-specific laws on biometric identification and information.[1]

Texas, Washington, California, New York and Arkansas have now passed their own biometric statutes or expanded existing laws to include biometric identifiers.[1]


  1. https://thelawreviews.co.uk/title/the-financial-technology-law-review/usa