Fintech and the Finnish Market — Are They Ready for Each Other?

The technological revolution has disrupted and altered many industries in recent years. The most intense hype surrounding certain new technologies, like big data or the internet of things, may be settling, but not even traditionally static businesses can afford to rest on their laurels as Silicon Valley is constantly creating new innovations.

The next big thing on both sides of the Atlantic is financial technology, more commonly known as fintech. As the Guardian noted in an article last spring, startups focusing on specialised financial services are making use of cheap cloud computing, big data, mobile devices and social media applications to compete with banks and other conventional providers of financial services.

From personal finance planning apps to crowdfunding, fintech companies leverage user-friendly interfaces and the flexibility of their services to take market share in products and services[1] that used to be the exclusive domain of larger players.

Complex Regulation Makes Dangerous Waters for Fintech Startups

As fintech companies enter the Finnish market, their biggest challenges may well be understanding and navigating complex regulation. Even simple fintech services, such as providing mobile payment solutions or trading applications, may require licenses to provide payment or investment services.

When it comes to peer2peer lending, operators should keep in mind that micro-lending is also regulated by consumer protection rules, and prospective service providers may need to register with regional authorities.

Obtaining licenses for all this and complying with statutory obligations can be both cumbersome and costly, which is far from an ideal fit for the generally lean and agile startup business model. Therefore, creating a proactive policy to address and mitigate regulatory concerns is a vital initial measure for a startup looking to enter the fintech market.

Personal Data a Potential Land Mine

The use of personal data is strictly regulated in the EU under the Data Protection Directive (95/46/EC). Further data protection regulation is expected to come into effect during the upcoming years in the form of the new European Data Protection Regulation. At the same time as regulation is increasing, new technologies are looking for broader opportunities to permissibly utilise personal data.

Certain personal data has long been used for risk analysis in the financial industry. However, many traditional concepts associated with data processing are facing a revolution in the form of developments such as dual-purpose social media applications, for example peer2peer lending platforms.

As tempting as the significant opportunities to use personal data available through various social media platforms may be to fintech startups, they have to watch their step and make sure their operations comply with constantly developing data protection rules.

What to Look Out for In Fintech Investments

When looking to invest in fintech startups, venture capital investors should keep in mind the regulatory landscape described above. Most importantly, investors need to take into account the possibility of increased compliance and risk management costs as well as liability risks when conducting due diligence relating to start-up targets. This is especially demanding in the current environment of swelling regulation that remains inherently ambiguous with respect to new and disruptive technologies.

At worst, a fintech startup’s business could involve significant liability risks if it has neglected regulatory obligations. It is vital that investors identify such situations and engage the expertise to appropriately assess the risks involved when making investment decisions.

As fintech companies gain more ground in the financial sector, venture capital and private equity investors have two possible ways to react: adapt or invest. If the financial sector is reluctant to adapt by embracing new technologies, we may see a repeat of the kind of changes that occurred in the music industry since the launch of mp3 and P2P networks, albeit restricted by the industry’s regulated nature.

The mobile pay applications that have been launched by large banks and welcomed by customers are a good example of using investment to integrate fintech in existing businesses.

Fintech clearly holds potential that intrigues investors. This is evident in BlackRock’s recent acquisition of FutureAdvisor, a previously Sequoia-backed start-up offering automated, algorithm-based financial planning services to consumers.

While interest among investors grows, fintech start-ups in the US are already expanding into insurance, yet another highly regulated financial services business. Despite the limitations set by regulation, the advance of fintech into the Finnish market seems inevitable. After all, this is a country that is already accustomed to widespread and well-functioning digital financial services, such as long-established internet banking portals.

Jaakko Lindgren
Thomas Landell

[1] A World Economic Forum graphic of the fintech scene

EU-Wide Data Protection Regulation Moves Forward – Nine Things You Should Know

We are going to have an interesting autumn when it comes to data protection regulation. On 15 June 2015, the Ministers in the Justice Council finally reached a political agreement on the new data protection rules, confirming the approach taken in the Commission’s proposal back in 2012. Trilogue negotiations between the Commission, the European Parliament and the Council of the EU will start as early as next week, on 24 June, and the intention is that the reform will be finalised by the end of 2015.

I have gathered nine highlights of the new data protection rules that you should know.

One continent, one law: the Regulation will establish a single, pan-European data protection law replacing the current inconsistent patchwork of national laws. In the future, your company will only have to deal with one law, not 28.

Strengthened individual rights: companies will have to inform individuals in a clear and understandable way about the processing of their personal data. When there are no longer legitimate grounds for retaining data, an individual will be able to ask for the data to be deleted (right to be forgotten). A right to data portability will help people transfer personal data between service providers.

Right to know if hacked: your company will have to notify the national data protection authority as soon as possible (not later than 72 hours) about data breaches and will also have to notify affected data subjects without undue delay.

Data protection impact assessment: an assessment will be required when processing is likely to result in a high risk for the individuals, such as discrimination, identity theft or fraud, financial loss, damage to reputation, unauthorised reversal of pseudonymisation or significant economic or social disadvantage.

Data protection officer: it will no longer be obligatory to appoint a data protection officer unless mandatory under national law.

Codes of conduct: the regulation will encourage codes of conduct to be drawn up for specific sectors and for specific needs of SMEs (small and medium-sized companies).

European rules on European soil: if your company is based outside the EU, it will have to apply the same rules and guarantee the same level of protection for personal data when offering services in the European market.

More powers for independent national data protection authorities: in order to effectively enforce the rules, national data protection authorities will be empowered to fine companies that violate EU data protection rules. The fine may be up to €1 million or 2% of the global annual turnover of the offending company.

One-stop shop: companies will only have to deal with a single supervisory authority, which will make it easier and cheaper for companies to do business across the EU. Similarly, individuals will only have to deal with their national data protection authority—in their own language—even if their personal data is processed outside their home country.

I am optimistic that the new regulation will strengthen and harmonise data protection rules in the EU. We will be closely monitoring the progress of the new general data protection regulation and keep you up-to-date on any developments.

Eija Warma

See our previous news items on the topic:

EU Data Protection Reform Approved by the Parliament

European Commission Proposal For New Personal Data Rules

EU Parliament’s LIBE Committee Voted on Data Protection

Personal Data is the New Oil

All the superpower states, such as China, the US and Russia, have recently understood that in the internet era, personal data is the new oil, the defining natural resource that makes our lifestyle rise and fall. Consequently, these states have increased their interest in the personal data of their citizens and in the use of that data in business and commerce.

The US is by far the leader in the competition to collect, use and control the use of personal data, mainly thanks to large American internet and social media companies and legislation that grants extensive information rights to the state. However, China is not far behind.

Recently Russia has also taken some major steps in the field by enacting new legislative amendments restricting companies’ use of Russian citizens’ data.

Restrictions to Processing Data of Russian Citizens Abroad

In Russia, a set of new legislative amendments will come into force on 1 September 2015. The amendments are primarily aimed at restricting the processing of Russian citizens’ personal data on servers located outside of Russia. They also develop state supervision procedures and empower the Russian Data Protection Authority (Roscomnadzor), under certain conditions, to block access to websites where personal data violations take place.

From the perspective of data operators, it will be illegal to collect personal data of Russian citizens and directly send it to servers located outside of Russia without processing the data ‘with the use of’ a database installed on a Russia-based server or computer.

However, the amendments contain several exceptions. One of them could be interpreted as being applicable to Russian employees of international companies. The obligation to process data in Russian databases may not be applicable if personal data is processed either for purposes stipulated by an international agreement of the Russian Federation, for purposes set out in law or for exercising the powers or performing the functions and obligations of data operators under Russian law. The purposes for which employers process the data of their employees are in fact defined by law and, thus, may fall into the second category.

Websites Containing Illegally Processed Personal Data May Be Shut Down

Under the amendments, Roscomnadzor will be given powers to block access to websites containing illegally processed personal data in Russian territory. For this purpose, Roscomnadzor will enter the banned domain names, network addresses and other details in a special state register.

A website can be blocked only on the grounds of a court act. The website owner will be informed of the violation of personal data laws and asked to rectify the violation voluntarily prior to the website being blocked. If the violation is not rectified, the website will be blocked within three days at the latest.

The website owner will have the right to apply for the removal of its website from the state register after all personal data violations have been rectified or if a court reverses the act blocking the website. These rules can be construed as being applicable only to websites containing illegally processed personal data, including social networks, public databases, address books and blogs. On the other hand, Roscomnadzor may interpret the new rules broadly and try to apply them to all websites used in any way that violates any of the Russian legal requirements concerning personal data.

Practical Solutions to Legal Challenges

How, then, should one react to these new regulations and prevent localisation politics from affecting business? From a formal point of view, it will be necessary to relocate databases containing information about Russian clients, partners and, arguably, employees to Russia. If a company ignores data privacy requirements, it may be subject to several fines for various violations.

However, the legislative changes do not apply to cross-border data transfers. This fact provides certain loopholes for reorganisation of global ICT systems used by international companies. There will be no need to completely disconnect Russian offices or websites from the corporate networks. Keeping in mind that the amendments enter into legal force in less than five months, it is a good time to start assessing possible ways of modifying the ICT systems.

The strategic importance of oil has not prevented it from being an important commodity in international trade. Similarly, increased state interest in personal data is in no way an obstacle to continuing business. The importance of personal data for commercial actors is, indeed, one of the main factors that also make it interesting for any state.

In order to not let variable legislation affect your business in Russia, it’s better to consider possible options for complying with the new amendments and start preparations now.

Stanislav Rumyantsev

Jaakko Lindgren