{"componentChunkName":"component---src-templates-blogpost-tsx","path":"/blog/regtech-is-not-the-new-fintech","result":{"pageContext":{"isCreatedByStatefulCreatePages":false,"id":"d1c47132-cef3-573c-9234-e28ef56bfbfa","title":"RegTech Is Not the New Fintech - It Is Part of FinTech","slug":"regtech-is-not-the-new-fintech","published":"2018-04-26T00:00:00.000Z","author":"Dan Whale","content":"\n### Recent regulatory changes may have assisted the growth of RegTech, but is separating it from FinTech really necessary - or wise?\n\nRegTech is an industry based on the use of new technologies to help companies meet regulatory requirements in an optimised, streamlined or simply more effective way. First coined by the [Financial Conduct Authority](https://www.fca.org.uk/firms/regtech) in 2015, RegTech has since grown to become the jewel of FinTech’s crown, with global investment surpassing [$1bn in 2017](http://thefintechtimes.com/global-regtech-investments-surpass-1bn-2017/).\n\nBut what does it look like? RegTech can come in many forms, from automated approaches to combating anti-money laundering (AML) and counter-terrorist financing (CTF), to using social media to carry out enhanced KYC checks. Behavioural analytics software even exists aimed at detecting suspicious behaviour amongst employees working at financial institutions.\n\nSound impressive? That’s because it is, and quite frankly, in 2018 it needs to be. We are living in a time when the way in which data is held, possessed and shared is being heavily scrutinised and regulated. You would be forgiven for thinking that this scrutiny has come off the back of the data hacks and leaks which have dominated the news in recent months, especially relating to Cambridge Analytica. 
Alternatively you may think that RegTech was created due to the recent major regulation changes, with [GDPR](https://paybase.io/blog/gdpr-what-you-need-to-know), [PSD2](https://paybase.io/blog/psd2-what-is-it-will-it-affect-me) and [MLD5](https://www.lexology.com/library/detail.aspx?g=c80b71cb-cefe-45e6-b1c6-909cd7ce9e9d) being the most notable examples.\n\nHowever, [Wired](https://www.wired.co.uk/article/regtech-next-fintech) claims that RegTech’s origins go further back. “In the wake of the 2008 financial crisis, financial regulators wanted to ensure the industry would not face the same problems again.” Regulatory demands have therefore grown in the past decade and it is that, combined with technological advancements, that has allowed RegTech to blossom.\n\nBut at Paybase, we don’t think that celebrating the growth of RegTech goes far enough. The problem is this: increased regulation has created more hurdles for companies attempting to get to market. The current solution? This new breed of RegTech firms is helping companies meet this level of regulation in the most efficient manner, but as a result of RegTech establishing its own identity, new companies are having even more suppliers to deal with. We believe that regulation and financial services are two sides of the same coin.\n\nWe built our platform in the knowledge that creating a business that facilitates payments between multiple parties - for instance a marketplace - involves partnering with many providers, suppliers and specialists, each with their own way of working. This can put huge pressure on the business, as it has to bend to fit with so many others. Because of this we wanted to provide a solution that covered everything, offering our clients the chance to work with just one, end-to-end partner. 
Not only does this simplify things for the business, but the tight integration between compliance services and payments allows for innovative new features that would be otherwise impossible.\n\nOne of our most important features, our Logic Engine, is an example of this. It allows companies to set risk management rules that are appropriate for their business. If you are a marketplace, you may want to flag a transaction over £200 on an account created in the past 24 hours, but allow a £500 transaction for a more established account, for example. Transactions could be blocked on accounts that have added more than X amount of cards, or accounts that have changed address X number of times. These rules can be also applied to P2P transfers and withdrawals, covering all parts of the payment journey and ensuring that AML, CTF and Risk Management requirements are met in the most efficient way possible.\n\nBut separating this type of compliance and risk management tool from payments would completely restrict what can be inferred from each account. It is only through having extensive customer data and payment processing within the same system that rules can be truly dynamic. This is why it does not make sense to isolate RegTech from payments.\n\nWe have also incorporated RegTech within our Customer Due Diligence (CDD) procedure with our Automatic CDD Processor. Using the marketplace example again, if a merchant wishes to become listed on the marketplace their details as a merchant will be automatically searched and verified through Companies House (and other sources). Directors of companies can be verified through various credit agencies and more information is collected as the risk of an individual increases. This ensures that your business is not welcoming fraudulent users, but does not create poor UX for merchants selling on a smaller scale.\n\nFurthermore, Paybase models and tracks interconnected data to detect suspicious activity. 
Each unique piece of information has its own place on our Graph. This applies across the Paybase client base. If certain details have been flagged as suspicious with a given client, they are flagged across the client base for review, with real-time risk predictions available. Features like this give our clients targeted insight when investigating and preventing suspicious activity.\n\nAs for more recent requirements, PSD2 (which came into effect this year) [requires marketplaces and platform businesses to partner with a financial institution](https://paybase.io/blog/psd2-what-is-it-will-it-affect-me) in order to process transactions between both buyers and sellers. Partnering with Paybase ensures your business is covered for this regulatory change.\n\nPaybase recognises the utility of RegTech, especially in this current period of regulatory change. However, there should be caution over referring to it as [‘the new FinTech’](https://www2.deloitte.com/content/dam/Deloitte/lu/Documents/financial-services/performancemagazine/articles/lu-how-agile-regulatory-technology-is-helping-firms-better-understand-and-manage-their-risks-24052016.pdf) or separating it from FinTech - RegTech is, or at least should be, a part of FinTech. New suppliers only add complexity to business operations. Aside from simplicity, keeping RegTech and payments together drastically improves what can be done with both. 
At Paybase, we’re showing how that can be done.\n\n[Twitter](https://twitter.com/paybase) &nbsp;[LinkedIn](https://www.linkedin.com/company/paybase/)\n","excerpt":"\nRecent regulatory changes may have assisted the growth of RegTech, but is separating it from FinTech really necessary - or wise?\n\nRegTech is an industry based on the use of new technologies to help companies meet regulatory requirements in an optimi...","cover":{"src":"https://paybase.imgix.net/blog/regtech-hero.jpg","alt":"RegTech, FinTech, Payments, Compliance"},"link":{"to":"/blog/regtech-is-not-the-new-fintech","copy":"Read more"},"tags":["RegTech","FinTech","Regulation"],"related":[{"id":"e86bdb62-c535-56f1-9578-7fbe6a691c20","title":"Paybase presents Blind Date","slug":"valentines-blind-date","published":"2020-02-14T00:00:00.000Z","author":"Gemma Doswell","content":"How well do you know your industry? We’re putting you to the test in a very special FinTech edition of Blind Date. See if you can match these seven FinTech Valentine’s hopefuls with their perfect features, terms and instruments. The more you get right, the more you can be certain that you have the critical knowledge and innovation to disrupt your industry.\n\nGood luck, and happy match-making! Check your answers at the bottom of the page.\n\n![](https://paybase.imgix.net/blog/blind-date-curtains.png)\n\n![](https://paybase.imgix.net/blog/blind-date-frame-01.png)\n\n![](https://paybase.imgix.net/blog/blind-date-frame-02.png)\n\n![](https://paybase.imgix.net/blog/blind-date-frame-03.png)\n\n![](https://paybase.imgix.net/blog/blind-date-frame-04.png)\n\n![](https://paybase.imgix.net/blog/blind-date-frame-05.png)\n\n![](https://paybase.imgix.net/blog/blind-date-frame-06.png)\n\n![](https://paybase.imgix.net/blog/blind-date-frame-07.png)\n\nIf you want to find out more about payments or any of the features mentioned in the quiz, [get in touch](https://www.paybase.io/get-in-touch) today!\n\n**ANSWERS**: 01. Escrow, 02. 
Sharing Economy, 03. Refer-a-Friend, 04. Lead Leakage, 05. Faster Payments, 06. Blockchain, 07. PSD2","excerpt":"How well do you know your industry? We’re putting you to the test in a very special FinTech edition of Blind Date. See if you can match these seven FinTech Valentine’s hopefuls with their perfect features, terms and instruments. The more you get righ...","cover":{"src":"https://paybase.imgix.net/blog/paper-heart.jpg","alt":"need one"},"link":{"to":"/blog/valentines-blind-date","copy":"Read more"},"tags":["FinTech","Valentine’s Day","Quiz"]},{"id":"cf064abc-a34a-5981-8a74-b21d035865d5","title":"What’s the deal with IR35?","slug":"whats-the-deal-with-ir35","published":"2019-11-12T00:00:00.000Z","author":"Gemma Doswell","content":"\n# What’s the deal with IR35?\n\nIn what feels like an ever-changing regulatory landscape, [IR35](https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/818816/OPR_Factsheet_.pdf) is yet another addition to the evolving contract/freelance/off-payroll space. But, as we firmly advocate at Paybase, regulation should not be looked at as a deterrent. It’s put in place to protect consumers, workers and to help you as businesses to strengthen and future-proof your offering as well as creating a fair, level playing field for those in the market.\n\n\nIR35 affects off-payroll workers and their employers in medium and large organisations - those who are contractors as opposed to employees and thus do not pay PAYE. It is “[a set of tax laws which form part of the Finance Act](https://www.contractorcalculator.co.uk/what_is_ir35.aspx)” and it is designed to cut down on tax payment discrepancies that have been historically common in off-payroll work.\n\n\nAs many of our clients operate businesses that work with freelancers, contractors, locums, gig workers and more, it’s important to understand the implications and, if necessary, make as much time as possible to prepare. 
Crucially, it’s important that your business model is clearly defined.\n\n## What’s the problem?\nDeemed employment is where employers use contractors to work exclusively for their company on a self-employed basis rather than hiring them on an employment contract. It affects [disguised employees](http://www.business-information-uk.com/disguised-employment/) as opposed to those who are genuinely self-employed. Disguised employees often work for an intermediary - “[a Personal Service Company, Recruitment Agencies, and all Large and Medium-sized end clients](https://www.crunch.co.uk/ir35/)” - through which they are paid as opposed to invoicing a company directly. They fill a permanent position in a company but don’t pay the corresponding income tax and National Insurance contributions (NIC) that a permanent worker would. \n\n![disguised-employee](https://paybase.imgix.net/blog/disguised-employee.png)\n\nIR35 legislation has been in place since 2000 but was heavily criticised for being poorly implemented. In 2017, new, stricter off-payroll rules were introduced in the public sector and they will be pushed into the private sector on 6th April 2020.\n\n## What will change?\nFrom April 2020, employers of medium and large companies will be liable to declare their contractors and their rates and they will be [penalised](https://www.gov.uk/guidance/ir35-enquiry-by-hm-revenue-and-customs#penalties-and-sanctions) by HMRC if they don’t. For many disguised employees, this could cause an up to 20% pay cut once employers have deducted income tax and NIC from their regular pay. \n\nIn order to define who falls inside IR35, a worker’s status will be tested based on three main principles, among others - control, substitution and mutuality of obligation.\n\n\n![employment-status](https://paybase.imgix.net/blog/employment-status.png)\n\n\n## What does it all mean?!\nOne possible implication of IR35 will be the saturation of the permanent job market before April 2020. 
For the many who are misusing the infrastructure of off-payroll work (whether inadvertently or deliberately), there may be a rush from employers to fall in line and a rush from employees to find contracted permanent work. Those who work for [small companies](https://www.itcontracting.com/ir35-small-company-exemption/) - those with 50 employees or less - are not included in the new rules, but that’s not to say that they won’t be extended. \n\nHowever, for those who work with freelancers, contractors and those who are genuinely self-employed, IR35 is not a reason to panic. The regulations are designed specifically to target disguised employment in off-payroll work. The main thing to remember is that preparation is key. Make sure that everything is in order so that if HMRC come knocking, you won’t be met with surprises. \n\nFor more information on IR35, click here to read the [HM Treasury fact sheet](https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/818816/OPR_Factsheet_.pdf) and [guidance on gov.uk](https://www.gov.uk/guidance/understanding-off-payroll-working-ir35).\n","excerpt":"\nWhat’s the deal with IR35?\n\nIn what feels like an ever-changing regulatory landscape, IR35 is yet another addition to the evolving contract/freelance/off-payroll space. But, as we firmly advocate at Paybase, regulation should not be looked at as a d...","cover":{"src":"https://paybase.imgix.net/blog/head-in-hands.jpg","alt":"need one"},"link":{"to":"/blog/whats-the-deal-with-ir35","copy":"Read more"},"tags":["IR35","Tax","Regulation"]},{"id":"2438eb30-4d71-54e7-a0f8-482d24cf6b51","title":"GDPR – What You Need To Know","slug":"gdpr-what-you-need-to-know","published":"2018-03-26T00:00:00.000Z","author":"Dan Whale and Danielle Herndon","content":"\nIf you were not aware, Europe is set for its biggest data protection shake-up in 20 years. From May this year, the General Data Protection Regulation (GDPR) devised two years ago will be enforced. 
It replaces the EU-wide 1995 Data Protection Directive and the UK’s own 1998 Data Protection Act (which is heavily based on the former).\n\nWhy is this happening? GDPR has been established to protect people. As the economy has become more and more digitised, the level of personal information available online has increased. This has made, and continues to make, customers vulnerable to hackers and thieves, who can use and abuse this information for their own profit. Furthermore, companies have become accustomed to collecting large amounts of unnecessary data for their own benefit - simply because they can. With these factors in mind, the core principle of GDPR is to specify how personal data should be used and protected.\n\nThe Information Commissioner’s Office, the UK body responsible for enforcing these changes, has assured that these changes are “evolution, not revolution” and that businesses should not be scared of them. However, they certainly should be aware of them. Failure to comply can result in fines of €20m or 4% of annual turnover, whichever is greater. Restaurant chain Wetherspoons went as far as [deleting hundreds of thousands of customer emails](https://gdpr.report/news/2017/06/30/jd-wetherspoon-purposely-deletes-entire-mailing-list/) to avoid any risk of penalisation. It decided that the marketing value the emails possessed did not match the cost of effective compliance in the face of GDPR.\n\nThis blog therefore aims to offer guidance, outlining the essential requirements of GDPR, the effects they might have, and providing a 12-step guide that all businesses can follow.\n\n<div class=\"box\">\n  **_Glossary:_**\n  <p>\n    **Personal information/data** - Any information that can be used to identify an individual. This could be name, date of birth or even an IP address. 
This may refer to customers, employees, clients and more.\n    </p>\n  <p>\n    **Controller** - An entity that decides how and why personal data is used or will be used.\n  </p>\n  <p>\n    **Processor** - The designated entity that processes the data on behalf of the controller. The term processing equates to obtaining, recording, adapting or holding any personal data.\n  </p>\n</div>\n\n### Essential Requirements\nThe essential requirements of GDPR can be split into 7 main areas:\n\n- **Consent:** Companies must obtain consent in order to process personal data, unless they have legal or legitimate reasons to do so. This consent cannot be hidden in undecipherable legalese within the Terms and Conditions, and withdrawing consent must be as easy as giving it.\n- **Breach Notification:** If a company suffers a security breach, they must inform their controllers, their customers and the ICO within 72 hours or face penalisation. FCA/EEA regulated firms should also consider their obligations under [PSD2](https://paybase.io/blog/psd2-what-is-it-will-it-affect-me) relating to incident reporting.\n- **Right to Access:** Previously, data controllers could charge £10 to supply customers with a copy of all information held on them. Now, all companies must provide a free electronic copy of said information within a month of it being requested.\n- **Right to be Forgotten:** Customers have the right to request their data be deleted without undue delay if they no longer want it to be processed - barring firms that are required to retain records for legal purposes.\n- **Data Portability:** Customers have the right to take the information companies have collected on them and transfer it to other IT environments. 
For example, banking customers have the right to take their banking data and transfer it to a third party price comparison website.\n- **Privacy by Design:** Under GDPR, businesses have a general obligation to implement technical and organisational measures to show that they have considered and integrated data protection into their processing activities. This prevents firms from attempting to bolt on these measures after building their product or service and encountering difficulty.\n- **Data Protection Officers:** Companies that process personal information and have more than 250 employees must employ specific Data Protection Officers (DPOs). Existing employees may be able to take this role, though for some companies additional staff may be required. Smaller firms are also required to have DPOs if they process data on a large scale.\n\n### Effects\nFor large businesses, GDPR may appear worrying, with the potential requirements of new staff, change in business protocols and possibilities of crippling fines. But GDPR will also bring benefits to companies. Stronger data regulation will make it harder for security to be breached, which can cause huge amounts of negative publicity (as seen with [Uber](http://www.bbc.co.uk/news/technology-42075306) and [Equifax](https://www.theguardian.com/business/2015/oct/01/experian-hack-t-mobile-credit-checks-personal-information) in recent years, among many others). Speaking more generally, the restrictions on unnecessarily collecting data change the way firms do business, making them more transparent and thus also improving their image.\n\nAs for the fines, the ICO have stated that \"We will have the possibility of using larger fines when we are unsuccessful in getting compliance in other ways. But [we've always preferred the carrot to the stick.\"](https://www.infosecurity-magazine.com/news/infosec17-gdpr-compliance-carrot/)\n\nHowever, a far greater cause for concern is the effect this may have on small businesses. 
It is important to stress that GDPR is not just for big corporates. If you’re a small shop that has a list of customer emails for example, these regulations still affect you.\n\nFor these reasons Paybase argues that it is vital for all businesses that hold personal data, large or small, to not fear or avoid GDPR but embrace it. Following these steps, provided by the ICO, can help your business be ready for GDPR without unnecessary additional costs.\n\n### [The ICO’s 12 Steps](https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf)\n1. **Awareness.** You should make sure that decision makers and key people in your organisation are aware that GDPR is becoming law. They need to appreciate the impact this is likely to have.\n  - Paybase tip! Present the information to the Board, but also provide a training session to the whole company to make sure everyone is aware of their responsibilities.\n2. **Information you hold.** You should document what personal data you hold, where it came from and who you share it with.\n3. **Communicating your privacy information.** You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.\n  - Paybase tip! Given the extent of the changes of GDPR, it’s likely that most firms will need to alter their privacy notices. Your policy may be dependent on your suppliers, which may also be updating their policy, so revising this should be one of the first things you do!\n4. **Individual’s rights.** You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.\n5. **Subject access requests.** You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.\n  - Paybase tip! 
Create a diagram for your customers explaining how their data is used and make it public. This will deter unnecessary data requests.\n6. **Lawful basis for processing personal data.** You should identify the lawful basis for your processing activity under GDPR, document it and explain it in your privacy notice update.\n7. **Consent.** You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.\n8. **Children.** You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.\n9. **Data breaches.** You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.\n10. **Data Protection by Design and Data Protection Impact Assessments.** You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the [Article 29 Working Party](http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358&tpa_id=6936), and work out how and when to implement them in your organisation.\n  - Paybase tip! Share helpful articles (such as this one!) with all employees to educate them. For more specifically relevant training, involve the inhouse/external expert.\n11. **Data Protection Officers.** You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.\n12. **International.** If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.\n  - Paybase tip! 
Don’t just think about where your organisation operates, but where your third party partners operate as well. Take an inventory of all personal data flows to third parties to determine if any of your data leaves the EEA. If it does, you may need to introduce additional controls and standards, which should be established with the third party.\n\nFollowing these steps should enable you to cover GDPR and go about your business as usual, but if you are still unclear, there is a wealth of information on the topic [available online](https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en). Paybase believes that GDPR will ultimately be beneficial for both consumers and businesses, offering greater protection, transparency and security for all!\n\n[Twitter](https://twitter.com/paybase) &nbsp;[LinkedIn](https://www.linkedin.com/company/paybase/)\n","excerpt":"\nIf you were not aware, Europe is set for its biggest data protection shake-up in 20 years. From May this year, the General Data Protection Regulation (GDPR) devised two years ago will be enforced. It replaces the EU-wide 1995 Data Protection Directi...","cover":{"src":"https://paybase.imgix.net/blog/gdpr-hero.jpg","alt":"GDPR, Compliance, FinTech"},"link":{"to":"/blog/gdpr-what-you-need-to-know","copy":"Read more"},"tags":["GDPR","Compliance","Regulation"]}]}}}