Intellectual property rights and data protection
Fintech companies seeking patent protection often face the challenge of patenting financial services technology following court rulings that have limited the type of technology eligible for patenting. In 2014, the United States Supreme Court issued what is commonly referred to as the Alice decision, which lays down a two-stage eligibility test. If, at the first step, an invention is found to be directed to a patent-ineligible abstract idea, the second step determines whether the patent claim (which notifies the public of the scope of the patentee’s right to exclude) recites elements that transform the abstract idea into a patent-eligible invention. Courts have generally used this test to determine that the mere use of commercially available computing devices and software to implement an abstract concept is ineligible for patent protection. Fintechs should be aware that business models or proprietary operations performed by standard software may not be enough to apply for a patent, and should consult with patent counsel on these issues.
Fintechs should also consider taking steps to protect their developed technologies through copyright protection. Copyright protection extends to software code and certain works within software applications (such as user interfaces and original text or content). If a fintech company is to develop software using third party software, the associated license grants and restrictions from the licensed third party must be taken into account. In addition, if the third party software involves open source software, and the fintech’s development consists of a ‘derivative work’ resulting from a modification of the existing open source software, it is possible that a ‘copyleft license’ governs the open source code. Open-source software may contain an obligation to distribute the derivative software under the same open source license, and to disclose and make the source code available to the public.
As an alternative to obtaining a patent, a fintech may be able to maintain confidential information that provides an economic advantage over competitors as a trade secret. Trade secret law provides an avenue to obtain protection for economically valuable information such as a formula or algorithm. Protecting trade secrets presents its own challenges. If a holder of trade secrets fails to maintain confidentiality or if the information is independently discovered, released or otherwise becomes generally known, the protection as a trade secret may be lost. For these reasons, it is important to enter into appropriate contractual arrangements that provide for the protection of trade secrets, including non-disclosure agreements and also specific contractual language such as IP and proprietary ownership and confidentiality provisions.
Finally, the fintech company will also want to take additional steps to preserve IP rights in distinctive names and other designations, such as logos, brand names and domain names, to preserve brand awareness and protect against potential confusion. Registration of trademarks, design logos, brand names and domain names can prevent others from using the goods that may be confused with the fintech company, which helps to protect the name and brand identity as well as position and recognition in the market.
The fintech company should develop and implement a comprehensive strategy for IP development and ownership from product development to product launch and scaling. The fintech company should ensure that its agreements with employees and independent contractors who may perform development work contain “work made for hire” or similar contractual language stating that:
- the fintech owns all IP developed for it;
- the employee or independent contractor acknowledges that any inventions, works or other IP created by the employee or independent contractor during the employment or engagement are owned by the fintech; and
- the employee or independent contractor will take all necessary steps and complete all necessary documentation to assign these IP rights to the fintech.
This will ensure that the fintech owns all of its IP, regardless of whether it chooses to explore some or all of the IP protection strategies described above.
With regard to third-party service provider agreements that the fintech may enter into for the development or operation of the fintech services (such as hosting agreements, software-as-a-service agreements and agreements for identity verification services), the fintech will wish to ensure the following:
- it preserves its IP rights while acknowledging the rights of the third party licensor of the software or services; and
- it states by contract that it owns all its own and its customers’ data, and limits or prohibits the extent to which the service provider can use the fintech’s information or data.
In customer-facing agreements, fintech providers will want to include robust provisions for confidentiality, IP ownership and end-user terms of licensing and use (including permitted and prohibited activities under the license) and may also disclaim any warranties of non-infringement or disclaim any liability or indemnification for third party claims of infringement. In addition, the customer-facing agreements are the appropriate place to obtain consent from consumer or business end customers for data collection, data use by the fintech and specific permission to use the fintech’s customer information in product improvement or data monetization initiatives (all subject to the privacy and data security laws, rules and regulations highlighted below).
ii Privacy and data protection
In the United States, there is no overarching privacy law that applies broadly to all businesses. Rather, the Gramm-Leach-Bliley Act (GLB) is the primary federal privacy law that regulates the activities of fintech firms. GLB applies to the use and disclosure of non-public personal information (NPI) by a financial institution. NPI includes all personally identifiable financial information that is:
- supplied by a consumer to a financial institution;
- results of a transaction or service with the financial institution; or
- otherwise obtained by the financial institution.
The term “financial institution” is broadly defined to include any entity that is significantly engaged in financial activities such as lending funds, servicing loans or transferring money. GLB is implemented by two distinct rules:
- the Privacy Rule, which requires financial institutions to provide privacy notices to their consumers and customers and offer them an opportunity to opt out of certain disclosures of their NPI; and
- the security rule, which requires financial institutions to ensure the security and confidentiality of NPI through the development of a written information security program.
Fintech firms are directly regulated by either the Federal Trade Commission or the CFPB with respect to privacy and data protection.
On top of GLB, several other important federal and state laws and regulations that fintech firms should keep in mind and comply with include:
- the federal FCRA, which regulates the use and disclosure of consumer reports, and defines what activities will trigger a fintech to be considered a “consumer reporting agency” under the Act;
- the federal Red Flags Rule, which requires financial institutions and creditors to develop, implement and update a written identity theft prevention program to detect and respond to red flags that may indicate identity theft;
- the federal Affiliate Marketing Rule, which restricts the sharing of certain information between affiliates for marketing purposes;
- if the fintech will interact with children, the federal Children’s Online Privacy Protection Act, provisions of the California Consumer Privacy Act that apply to opt-in requirements for the sale of data for children aged 13-16 (and parental consent for children 13 and under) and other California and other state privacy laws that apply to children under 18;
- the federal Health Insurance Portability and Accountability Act (if the fintech is to interact with health data); and
- the California Consumer Privacy Act of 2018 (as amended in 2020, with the amendment effective January 1, 2023).