Regulatory compliance guidelines
Private preview
Learn about the requirements and guidelines for regulatory compliance.
Regional considerations
Review the Capital regulatory guidelines for United States and United Kingdom.
To offer and promote Stripe Capital to your users, your platform’s marketing and user interfaces must adhere to the following regulatory compliance guidelines. These guidelines can help your platform and users (connected accounts) navigate the financial regulations applicable to Capital.
Warning
Marketing Capital to your users is subject to regulatory compliance that can result in fines and reputational damage if you fail to adhere. Incorporate the best practices in this guide and seek legal advice to ensure your product use and branding meet all regulations for offering financial services.
Compliance checklist 
Ensure you’ve completed the following checklist prior to launching your program:
Managing complaints 
To create a responsive and equitable complaints handling process, you must detail and distribute clear pathways to where your customers can report complaints. Complaints are an important and mandatory part of the compliance system for financial services products. We regard complaints as any expressions of dissatisfaction about our organization, products and services, policies, employees, and contracted partners.
If your customer contacts your support team with a complaint regarding the Stripe Capital product, direct them to Stripe Servicing (capital+support@stripe.com). Stripe Servicing intakes any complaints received from your customers, and you must forward any Stripe Capital complaints your platform receives directly back to Stripe (capital+support@stripe.com). Stripe works with its financial partners to address the customer complaint.
Complaints reporting template
In summary:
- A complaint is any expression of dissatisfaction about our organization, products and services, policies, employees, and contracted partners.
- An executive complaint is (i) any complaint from a regulatory authority (such as a local regulator, federal agency, state agency, or a court with jurisdiction over Stripe or the relevant financial partner) and (ii) any complaint from any other person (including individuals and legal entities) threatening material litigation.
- You must provide a clear pathway for your customers to file a complaint.
- You must report all Stripe Capital complaints your platform receives directly to Stripe.
Recordkeeping 
Keep thorough records of all marketing materials, customer data, account information, and other disclosures you make to customers for at least 5 years as evidence of compliance. The following list of records details the types of data records to retain.
Record type | Examples |
---|---|
Product interface (UX) | Screenshots of all deployed versions of the product UX, including the application flow, customer dashboard, support pages, etc. |
Marketing | Inventory of all marketing copy deployed, email distribution lists and user targeting used, email solicitation opt-out lists (including timestamps of user opt-outs), and evidence of adherence to opt-out requests |
Customer communications and complaints | Email interactions or documentation developed in the course of resolving complaints |
Testimonials 
If you use a testimonial or endorsement to advertise Stripe products to your customers, you must consider the following:
- The person giving a testimonial must be a real person and a real user of the service or product they’re talking about.
- You must have their written permission to use their quote, and save this written documentation in a place that’s easily accessible during audits. You must also update this permission every 24 months.
- Product benefits, costs, or features in any quotes must be verifiable and true to what most users can expect to experience when using the product or service.
- If you have paid someone for their quote, or given them anything of value, you must put a disclaimer near the quote that says the following: “This person was compensated for their testimonial.”
US CAN-SPAM Act 
The CAN-SPAM Act regulates marketing activity conducted by email.
- An email is deemed a commercial message, subject to the CAN-SPAM act, if the primary purpose of the email is to convey a commercial advertisement, or to promote a product or service.
- A transactional email is an email sent to a customer whose primary purpose relates to a particular transaction or relationship between you and the customer (for example, financing terms and conditions). The CAN-SPAM Act imposes more rigorous requirements on commercial email messages than on transactional messages; transactional messages are not subject to most of the Act’s requirements. If a message contains both transactional and commercial content, the CAN-SPAM Act’s commercial email requirements may apply if the message’s primary purpose could reasonably be considered commercial.
To facilitate compliance with the CAN-SPAM Act, any employee or staff utilizing or having access to your email systems and resources for marketing must adhere to the following requirements:
- Misleading header information: Any email message, whether commercial or transactional, must not contain: (i) false or misleading header information; (ii) a “from” line that does not accurately identify the person (individual or business) who initiated the message; or (iii) inaccurate or misleading identification of a protected computer used to initiate the message for the purpose of disguising its origin.
- Deceptive subject headings: Any commercial email message must not contain deceptive subject headings. For example, a deceptive subject heading is one that would be likely to mislead the recipient about a material fact regarding the message’s contents or subject matter.
- Opt-out mechanism: You must provide your customers with the ability to opt out of receiving future commercial messages, and you must honor customer requests to opt out within ten days. You cannot require a user to pay a fee or provide information other than an email address to opt out.
- Advertisement identification: Any commercial email message must contain clear and conspicuous identification that the message is an advertisement or solicitation.
- Physical address disclosure: Any commercial email message must disclose a valid physical address of the sender.
Caution
Failure to comply with CAN-SPAM could result in hefty fines for every single violation.
In summary:
- Subject lines must not contradict email body copy
- The sender or “from” email address can’t be confusing or misleading
- Email disclosures MUST include a physical business address
- Email disclosures must clearly identify the message as an advertisement
- There MUST be a clear and conspicuous opt-out link
- Email opt-outs must be honored within 10 days
US UDAP and correct messaging 
Federal regulation prohibits unfair and deceptive acts or practices (UDAP). To avoid UDAP violations, you must think of the end user first when developing and deploying any marketing materials.
Make sure that marketing materials use clear messaging that fully explains product features, costs, benefits, and limitations. Don’t leave out key terms or fees, and don’t advertise product uses or features that aren’t true.
Do | Don’t |
---|---|
Only use statements about products that are true, accurate, and aligned with how users engage with the products. | Don’t leave out key information from marketing content. If the information is likely to affect whether someone uses the product, then it’s “key.” |
If you make claims that require additional data to support them, or if an end user needs to know more details to know how a certain claim is true, you must: | Don’t make exaggerated claims that are hard to prove, and don’t make absolute statements that are disproved by a single exception. For example, “number 1,” “every,” “only,” “all,” “never,” “always.” |
Clearly explain all qualifying limitations and requirements needed by end users to get the product or features that you’ve advertised. | Don’t advertise features or programs that only a few applicants actually qualify for. |
All disclosures must meet a “clear and conspicuous” standard. | Don’t make disclosures hard to read. |
Disclosures used to explain or modify a claim must be “tied” to the claim they’re explaining. | Don’t bury disclosures in other non-key disclosures or footnotes. |
Disclose all account fees, costs, benefits, and terms as part of onboarding before your end users take out a product. | Don’t advertise products as “free” if you’re charging fees. |
Make sure all images used are properly licensed and that you can document this fact. | Don’t use images, formatting, or copy that implies products are endorsed by, or affiliated with, government entities or celebrities. |
UK Privacy and Electronic Communications Regulations 
Direct marketing is any advertising or promotional material directed at individuals or businesses, regardless of the communication channel, such as sending someone information about Stripe Capital by email, text, or through social media.
UK Privacy and Electronic Communications Regulations (PECR) give specific privacy rights in relation to electronic communications and have specific rules on marketing calls, emails, texts and so on. These rules work alongside the UK Data Protection Act and the UK GDPR. These rules might differ depending on your chosen method of direct marketing and the type of business you intend to contact. “Electronic mail” is intentionally broad and includes texts, emails, sounds, images, or social media messages.
Businesses and other bodies corporate are classed as “corporate subscribers” under PECR. The PECR consent rule on electronic mail marketing generally does not apply to corporate subscribers if the marketing relates to their professional role. This means that you do not need their consent under PECR to send B2B direct marketing emails or texts to corporate subscribers.
Sole traders and partnerships are classed as “individual subscribers” (even if acting in a commercial or business context) and PECR treats them the same as individuals. You can’t send electronic mail marketing to individuals, unless you have one of the following forms of consent:
- They specifically and actively consented to electronic mail and communications from you, such as by ticking an opt-in box.
- They are an existing customer who bought (or negotiated to buy) a similar product or service from you in the past and have never opted out of marketing messages. You must show that you have continuously provided a simple way to opt out in every message since first collecting their details. This doesn’t apply to new contacts or prospective customers.
When marketing to either corporate or individual subscribers:
- Identify your audience and apply the right consent rule, i.e. “corporate subscribers” vs “individual subscribers”.
- Use fair, clear, and accurate information: don’t leave out key terms or fees, and don’t advertise product uses or features that aren’t true.
- Don’t disguise or conceal your identity.
- Provide a valid contact address so they can opt out or unsubscribe easily, and offer an opt-out in every message. For example: opt out by reply, an unsubscribe link in emails, the ability to update communication preferences in the dashboard, or an X dismissal option in the embedded component.
- Act on opt-outs promptly.
- Maintain and keep up-to-date a “do not contact” list of any users who opt out of messaging.
- Screen any communications against the current “do not contact” list and don’t send any communications to anyone who has opted out.
- Avoid unsolicited communications.
- Consider data protection law implications if you email employees at a corporate body who have personal corporate email addresses (firstname.lastname@org.co.uk). If you process personal data for marketing purposes, even in a business context, UK GDPR applies.
- Consider the Advertising Standards Authority code.