In this article, we'll try to break down the process of how startup founders can identify their compliance obligations in order to comply with all the respective laws and avoid receiving fines and penalties or having their bank accounts frozen.
Many startups begin by incorporating in a tech-friendly jurisdiction like Delaware in the US, or in the UK or Estonia. The jurisdiction they choose will largely depend on their early investors, first target market, founders' location, and other factors.
It is usually when founders want to launch their product in new markets (such as the EU or Asia-Pacific markets) that compliance with the regulations of those foreign markets becomes crucial to business operations.
Let's start with the framework that we, at Legal Nodes, use to identify the regulations with which startups must comply.
A framework for identifying compliance obligations
We usually use a 3-step process to identify the exact compliance obligations of a startup:
- Business activities analysis. This involves speaking with founders to dive deep into the company's business model and describe its various business activities in legal language. This enables us to analyze the business in the context of the laws of specific jurisdictions. The outcome of these conversations, held as discovery sessions, is usually a document detailing the business activities and the list of regulations that these activities can potentially trigger.
- Target market analysis. The next step is to analyze which markets the business is targeting in both the short and long term. For example, this might be the US market, the EU market, the Asian market, etc. This helps us understand which countries the business may plan to operate in.
- Applicable regulations/requirements analysis. As a last step, we can identify the specific regulatory regimes and laws that the startup needs to comply with in the short and long term in order to operate in their target markets, serve clients in those markets and accept payments without risks from clients in those markets.
There are usually three main compliance areas that are analyzed in the process: regulatory compliance, consumer protection compliance, and data protection compliance, and we will cover them in more detail below.
Let us also first clarify the difference between a holding company and an operational company, as the two are often confused.
Holding company vs operational company compliance
When analyzing the regulatory landscape that will apply to your company, it is important to distinguish between an operating company and a holding one. A holding company is a type of company that owns a controlling interest in one or more other companies, known as subsidiary companies. The holding company doesn't produce any goods or services of its own, but rather holds and manages the assets of its subsidiary companies. The purpose of a holding company is generally to manage and control the subsidiary companies, as well as to provide a layer of legal protection for the shareholders of the holding company. There are different compliance requirements for a holding company including corporate governance and taxation compliance.
An operational company is a company that is engaged in producing goods or services for sale. It is the primary revenue-generating entity of a business and is responsible for the day-to-day operations of the business. Operational companies are the ones that are directly involved in the production, marketing, and distribution of goods or services, and are responsible for generating profits for the business. Therefore, the regulatory compliance, consumer protection compliance, and data protection compliance requirements will apply to the operational company.
In this guide, we're focusing primarily on compliance for the operational company (the one involved in producing and distributing the product to clients and accepting payments).
Why is compliance important for a startup?
Let's take a step back and figure out why compliance is critically important at such an early stage of a company, during a time when the company may not be attracting much attention, serving many clients, or undergoing a lot of business activity.
- Many industries are subject to regulation. In fact, there are very few that don’t have an all-encompassing regulation (even if the regulation is a bit confusing, or lacking in some areas). This means that any new business must be aware of the regulations of the industry they are entering and must proactively pursue compliance with those regulations. By behaving in a ‘compliant by default’ manner, the business will be set up to operate lawfully.
- Non-compliance is certainly not an option for businesses, as it can have catastrophic consequences. Companies that fail to comply with regulations can face astronomical fines and penalties.
- Compliance with regulations protects your brand reputation. Users can become wary of using a company’s technology following violations of laws and heavy fines.
- Being proactively compliant with laws is a mindset that stems from the core of good business. This helps you attract clients by giving them confidence that you are complying with laws so that, for example, their data is protected. For startups in a B2B context, having a proactive attitude towards compliance is especially attractive to prospective partners who won’t want to take any risks when embarking on new partnerships.
- Behaving in a compliant manner also helps you avoid deal breakers when attracting investments. Investors will always be protecting their interests and will want to avoid future lawsuits and problems too, so they bet their money more often on compliant startups.
Examples of non-compliance consequences on a large scale:
- Meta, Facebook’s parent company, was issued a fine in 2023 for €1.2 billion (~$1.3 billion) relating to GDPR non-compliance. The fine concerned Meta’s failure to comply with a decision from the EU’s highest court, which had invalidated the EU-US Privacy Shield Framework.
- Dutch bank ABN Amro was fined €480m in 2021 after falling “seriously short of compliance with the AML/CTF Act”, according to the Netherlands Public Prosecution Service.
- Google was fined €50m (~$52.9m) following the French data regulator CNIL’s decision that users were “not sufficiently informed” about how Google was collecting data, and in particular that there was a “lack of transparency, inadequate information and lack of valid consent regarding ads personalization”.
- British Airways was fined €204.6m (~$216.7m) after users of the airline’s website were diverted to a fraudulent site, allowing data belonging to 500,000 consumers to be harvested by hackers.
Examples of non-compliance by small-scale businesses:
- A report on the use of unlicensed software by UK small to medium (SME) sized businesses showed that it cost businesses over £900,000 in damages and legal costs in 2016. “One UK SME paid £84,300 in damages for using copies of unlicensed design software”.
- Murad, a skincare company, received a $3,334,286 (!) penalty from OFAC (Office of Foreign Assets Control) for violating sanctions on Iran from 2009 to 2018.
Identifying regulatory requirements
Basically, what do you need to think about when you're entering a new market from the compliance perspective?
There are 3 main compliance pillars that are important to check:
- Regulatory compliance. Understand if your business triggers any criteria for regulated activity and, as a result, whether you need to get authorizations or licenses to remain compliant.
- Data protection. The data that your business collects and processes will place you under various obligations such as the requirement to obtain the proper consent in the proper manner for data collection and processing. There will also be other requirements such as implementing data security measures and appointing a data protection officer if required by law.
- Consumer protection compliance. Understand what types of customers you are targeting and what rights you need to guarantee them if you want to sell to them. This could include compliance with applicable local laws and regulations related to e-commerce, advertising, and consumer protection.
To understand which compliance requirements will be applicable from each of these three pillars, it is always important to start by analyzing the type of business activity that your startup undertakes or is planning to undertake.
Once the type of service has been analyzed and it is clear that this type of service is a regulated activity, it is much easier to identify the specific type of license that this activity falls under.
For example, if the company plans to launch its own e-wallet with e-money, it will require an Electronic Money Institution license (similar to PayPal). If the service plans to provide a payment gateway for online acquiring of payments or for sending payments between different bank accounts (or even in different currencies, like through Wise or Revolut), then it will require a Payment Service Business license or a Money Transmitter license.
In addition to the regulations outlined above, other regulations would apply to various sectors of the market. For example, a fintech business contemplating operating in the US may want to be mindful of the following US regulations:
- Bank Secrecy Act (BSA)
- Section 326 of the USA Patriot Act
- Anti-Money Laundering Act of 2020 (AMLA), which sets out the obligations that help prevent money laundering and requires the implementation of KYC procedures
- Fair Credit Reporting Act (FCRA) and Gramm-Leach-Bliley Act (GLBA), which stipulate how fintechs should handle the credit and personal information of their customers
Fintech startups in the US should also be aware of consumer protection laws, such as:
- Electronic Fund Transfer Act (EFTA)
- Electronic Signatures in Global and National Commerce Act (ESIGN)
- Fair Credit Reporting Act
- Truth in Savings Act (TISA)
- Equal Credit Opportunity Act
- Home Mortgage Disclosure Act
The regulation detailed above is an example of applicable regulations for a startup in the finance industry. Other types of regulated services such as healthcare, transportation, energy, information technology, and environmental technology, also have their own set of laws and requirements that startups must comply with.
Examples of companies that started out in one country and then got licenses to operate in new markets
Wise, formerly known as TransferWise, is a foreign exchange financial technology company. It was originally founded in Estonia and later obtained a license in the UK. It is now considered a UK-based company.
Similarly, Revolut, a global neobank and financial technology company offering banking services, is headquartered in London and has since obtained a license in Lithuania to operate in the EU; it has also expanded into Japan and the US.
Data protection compliance requirements
Where should founders start when trying to understand their privacy compliance obligations?
Founders embarking on new ventures in the tech landscape must prioritize the understanding of their obligations concerning data protection and privacy compliance. A good first step is familiarizing yourself with the General Data Protection Regulation (GDPR), which is a European Union regulation. This pivotal regulation has set stringent standards in data protection laws, influencing global practices. The GDPR mandates the safeguarding of personal data, ensuring its secure and lawful processing, and upholding individuals' privacy rights. Founders should also be attuned to the specific risks associated with their sector. For instance, tech startups leveraging Artificial Intelligence (AI) must be cognizant of the unique challenges it presents, such as biases in models and lack of transparency in AI algorithms. A comprehensive approach, integrating legal, technical, and organizational measures, is essential to navigate the complexities of privacy compliance effectively.
Data Protection Officers (DPOs) are data privacy specialists who hold a particular role regarding the processing of data. For businesses processing data on a large scale or processing sensitive categories of data, a DPO is mandatory. Sensitive categories of data include health, biometrics, sex life, political, philosophical, and religious beliefs, genetic, sexual orientation, criminal convictions, trade union membership, and ethnic and racial origin.
In a nutshell, founders need to think about GDPR rules in the EU, consumer data privacy laws in the US and any other markets of interest, and finally, consider the freshly emerging laws on AI, such as the upcoming EU AI Act.
The most common steps startups make to comply with privacy regulations
Startups often start their journey towards privacy compliance by establishing a robust internal framework. This includes creating clear privacy policies and procedures, and ensuring transparency in data processing activities. Consent mechanisms should also be implemented, empowering individuals to have control over their personal data. Additionally, startups should invest in secure technological infrastructures to safeguard data against breaches and unauthorized access. In the realm of AI, particular emphasis is placed on choosing appropriate lawful bases for data processing and ensuring the transparency of AI algorithms. Conducting Data Protection Impact Assessments (DPIAs) is another common practice, enabling startups to identify and mitigate potential risks in data processing activities, ensuring that privacy considerations are integrated into their products and services from the onset.
In a nutshell, founders need to look at privacy as a long-term responsibility, possibly hiring specialists such as Data Protection Officers (DPOs) to help ensure conformity with the relevant laws, and making sure they proactively protect individuals’ data throughout their business activities.
What are the consequences of data protection non-compliance?
Breaching the GDPR rules may lead to fines of up to 10,000,000 EUR or 2% of the company's annual revenue. In cases of severe violations, such as failure to get consent for data processing from customers or transferring sensitive data without proper safeguards, the fines may go up to 20,000,000 EUR or 4% of annual revenue.
According to the GDPR enforcement tracker, as of October 2023 there had already been 1,853 fines issued for breaching GDPR rules, with the most common violations being insufficient legal basis for data processing (599 fines), non-compliance with general data processing principles (501 fines) and insufficient technical and organizational measures to ensure information security (399 fines). The total sum of fines already stands at 4,403,864,744 EUR.
Marketing, consumer rights, and e-commerce compliance
Once you’ve understood the regulatory compliance and data protection requirements that apply to your business when operating in your target markets, the next step is consumer protection. It is absolutely essential to check the compliance requirements concerning marketing, consumer rights, and e-commerce regulation, to properly assess which laws will apply to your business.
For example, if we consider the EU and the UK, there are several acts that apply to e-commerce businesses, software application stores, online advertisement and auction websites, search engines, and social media. These are:
- Regulation EU/2019/1150 (Online Intermediation Services or Platform to Business Regulation)
- Unfair Commercial Practices Directive (2005/29/EC) (‘the UCPD’)
- the E-Commerce Directive
- the Geo-Blocking Regulation (EU/2018/302)
These regulations set basic rules for access to data, complaints, ranking, terms & conditions, termination, and restrictions that should be taken into account by the marketplaces. If you, for example, have chosen the EU as your target market, you will need to work with compliance specialists to identify the particular steps you must take in order for your business to comply with these regulations.
Another example of a prominent consumer rights regulation is the set of financial promotion rules for cryptoassets in the UK. Under these rules, if you are, for example, a cryptoasset firm licensed in Estonia and you want to target UK consumers with promotions, you need to do this via a locally authorized promoter or register under the Money Laundering Regulations (MLR).
What are the examples of specific things that consumer protection regulations might obligate me to do?
You may be required to add various disclaimers and information to your platforms, such as the website or app of your product, to comply with regulations. This might include:
- Information on how user data is collected, used, and shared
- Disclaimers around the accuracy and reliability of product claims and descriptions
- Disclosures around any potential risks or side effects of using the product
- Information on any applicable warranties or guarantees
- Information on any applicable refund or return policies
How Legal Nodes can help you on your compliance journey
Compliance with regulation is as baffling as it is necessary. That’s why we at Legal Nodes work closely with our clients, many of whom are founders, to help them navigate all their compliance matters.
As a founder, it's important to have a good grasp of legal obligations that arise out of various business activities. We support founders by:
- Painting a clear picture of exactly which obligations, regulations and duties they should be aware of, helping them to have a global grasp on the legal aspect of their business.
- Creating an actionable ‘checklist’ of specific regulations and licenses that founders need to obtain to stay proactively compliant.
- Connecting founders to the right person for each different compliance job; from privacy compliance experts to consumer protection specialists.
- Supporting all of this global work in one place, via the founder’s account on the Legal Nodes Platform.
For help with your compliance matters, speak to a member of the Legal Nodes team today.