Certain types of contracts are almost universally used by start-ups. However, as is the case with many things in life, some contracts deserve more attention than others. Two contracts that FinTech companies in particular should pay close attention to are privacy policies and confidentiality agreements (also known as non-disclosure agreements). These two agreements appear to be fairly standard documents that require little modification from a template before being put into use. However, it is advisable for FinTech companies to review and amend such contracts more closely before finalising them so as to ensure that the relevant agreement is sufficiently tailored to the FinTech company’s business model and operations.
Privacy policies
Privacy policies inform persons accessing or using a website or application of how a business collects, uses, and handles the personal data of these persons. While parts of privacy policies may be voluntarily included by a business (e.g., to match industry best practices), most of the content of privacy policies will usually be required by laws applicable to the business, such as the Personal Data Protection Act 2012 (PDPA). Since much of the content is typically already mandated by applicable laws, it may seem more efficient to use a template privacy policy, which should have taken these statutory requirements into account, than to draft one from scratch. However, adopting a template wholesale could instead create problems for FinTech companies. Close attention should be paid to clauses on the collection, use, and management of personal data instead of relying on template language, as the latter may not match what the FinTech company actually does or intends to do.
Given the nature of their services and operations, FinTech companies may collect, use, or handle personal data in ways that companies outside the financial industry do not, or obtain types of personal data that such companies typically cannot access. For example, FinTech companies that provide a stored value facility can obtain information about a customer’s funding sources, while FinTech companies that provide automated portfolio investment services can use the data from customers’ transactions and investment activities to build a profile of a customer’s specific financial circumstances. Accordingly, it is important to modify clauses on the collection, use, and handling of personal data to ensure that they form an accurate and comprehensive statement of what the FinTech company does in the course of conducting its business.
Some FinTech companies may also need to comply with additional regulatory requirements that will affect how they handle personal data. One instance concerns how long personal data records will be kept. The PDPA states that personal data should not be retained where (among other reasons) such retention is no longer necessary for legal or business purposes. FinTech companies that are regulated by the Monetary Authority of Singapore (MAS) should note that MAS generally requires customer due diligence information, which often includes personal data, to be kept for five years until the termination of the business relationship with that customer. This regulatory requirement is a “legal purpose” that will need to be kept in mind should such regulated FinTech companies decide to state how long they will retain personal data for in their privacy policies. Such disclosure may be made by amending the relevant clause (based on the data retention clause from Zegal’s Privacy Policy) as follows:
We only retain personal data for as long as it is necessary for us to do so. This includes situations where there is a binding legal or regulatory requirement upon us to retain the data (e.g., for at least five years from the termination of our business relationship with you). Data may be archived as long as the purpose for which the data was used still exists.
Confidentiality agreements
The types of information that a FinTech company would regard as confidential will vary depending on its particular business. Template confidentiality agreements tend to define “confidential information” as broadly as possible, so that the widest possible range of information can be captured within this definition. The below clause (from Zegal’s Mutual Non-Disclosure Agreement) is a typical example:
Confidential Information: all confidential information (however recorded, preserved or disclosed) disclosed by a party or its Representatives to the other party and that party’s Representatives after the date of this agreement including but not limited to:
- the fact that discussions and negotiations are taking place concerning the Purpose and the status of those discussions and negotiations;
- the existence and terms of this agreement;
- any information that would be regarded as confidential by a reasonable business person relating to:
  - the business, affairs, customers, clients, suppliers, plans, intentions, or market opportunities of the Disclosing Party or of the Disclosing Party’s Group;
  - the operations, processes, product information, know-how, designs, trade secrets or software of the Disclosing Party or of the Disclosing Party’s Group;
- any information or analysis derived from Confidential Information;
but not including any information that:
- is or becomes generally available to the public other than as a result of its disclosure by the Recipient or its Representatives in breach of this agreement or of any other undertaking of confidentiality addressed to the party to whom the information relates (except that any compilation of otherwise public information in a form not publicly known shall nevertheless be treated as Confidential Information); or
- was available to the Recipient on a non-confidential basis prior to disclosure by the Disclosing Party; or
- was, is or becomes available to the Recipient on a non-confidential basis from a person who, to the Recipient’s knowledge, is not bound by a confidentiality agreement with the Disclosing Party or otherwise prohibited from disclosing the information to the Recipient; or
- was lawfully in the possession of the Recipient before the information was disclosed to it by the Disclosing Party; or
- the parties agree in writing is not confidential or may be disclosed; or
- is developed by or for the Recipient independently of the information disclosed by the Disclosing Party.
While it may in most cases be helpful to define “confidential information” broadly, FinTech companies should still closely review this definition in their confidentiality agreements so that they can tailor it to maximise the advantage to themselves. For example, the company should try to anticipate as accurately as possible what sort of information it will likely have to share with the other contracting party over the course of their business relationship and check that the contractual definition of “confidential information” clearly includes such information as appropriate. Similarly, if the other contracting party tries to negotiate further carve-outs to the type of information that would otherwise be considered “confidential”, the FinTech company should carefully check these carve-outs to ensure that information it wants to keep confidential will not fall within the scope of these carve-outs.
In summary, while template contracts may be convenient resources, it is important for FinTech companies to review and modify them to ensure maximum support for and coverage of their business and operations. This is especially imperative for FinTech companies that are or will be regulated financial institutions, as they will all the more need to ensure that weak contractual clauses will not hinder them in discharging their regulatory obligations. Implementing effective contract management practices allows FinTech companies to proactively address potential gaps or limitations in template contracts, aligning them with regulatory requirements and industry best practices. By engaging in thorough contract review and modification, FinTech companies can mitigate risks, enhance compliance, and strengthen their contractual framework to support their business objectives while meeting their regulatory obligations.
Lisa Farrah Ho is an associate in Rajah & Tann Singapore LLP’s Financial Institutions Group, where she works with a range of financial institutions and FinTech companies.
This article does not constitute legal advice.
The opinions expressed in the column above represent the author’s own.