Issue link: https://digital.shearman.com/i/1394543
17 The Changing FinTech Landscape: A Snapshot of M&A Themes and Trends FinTechs, and the innovative technologies and analytics they are associated with, generate or handle enormous amounts of data. For regulators, financial institutions, and customers, some very tough questions have emerged. Who owns the data? Where is it stored? What rights should customers have over their data? What laws and regulations are implicated when FinTechs interact with data? Careful attention needs to be given to these questions by banks, FinTechs, and private equity and venture capital investors when evaluating transactions. There are no easy answers. Acquirers and investors must fully understand the relationship between a target and the data that is integral to its business. Apart from data security, which is discussed below, there is the issue of data ownership and access. Understanding who owns customer-specific data (including data that is generated from that data) will be critical not only to valuation but in scoping what legal and contractual requirements and technical standards may apply vis-à-vis existing customers or bank partners. In addition, the issue of third-party access must be considered. In the U.S., the Consumer Financial Protection Bureau is actively scrutinizing how FinTechs and data aggregators (companies that have consumer authorization to collect data from multiple financial accounts to provide insights and services to the consumer) use and provide access to consumer data. For example, it is developing regulations— expected to be released in 2023— to implement Section 1033 of the Dodd-Frank Act, which requires consumer financial services providers to make information in its control or possession—including transaction information, costs, and usage data— available to consumers. Similarly, in the European Union, the Second Payment Services Directive (PSD2) requires EU banks and other online payment account providers to grant access on customer account data to third-party payment service providers if authorized by the underlying customers. An effective due diligence process should also reveal all the ways in which a FinTech obtains, uses, transmits and stores customer data. A litany of legal and regulatory requirements will be implicated depending on the nature of the business. Developing an inventory of data touchpoints and an assessment of how applicable requirements are being satisfied will have many benefits, not least of all understanding the target's potential legal exposure. In addition, acquirers and investors should consider how a target uses artificial intelligence applications or machine learning models, particularly in the areas of credit underwriting and credit risk analysis. Increasingly, regulators are expressing concern with how technological tools may reinforce longstanding inequities or reflect racial bias. Especially for online lenders, technological tools that rely on non-traditional data (e.g., education history, digital "breadcrumbs" such as social media activity) instead of credit scores or cash flow data could implicate fair lending and credit reporting laws or constitute unfair or deceptive acts or practices. Understanding how consumer protection laws evolve to address these concerns will be important. CUSTOMER DATA USES MUST BE EXAMINED CAREFULLY