US Truth in Lending Act (TILA), FINRA disclosure rules, and both Apple guideline 3.1.5 and Google Play's Financial Services policy require specific, verifiable disclosures before a user commits to a financial product — investment risk warnings, APR disclosure on loans, and broker-dealer registration confirmations. Missing these is not a gray area: FINRA and the CFPB actively pursue enforcement against app developers, and civil penalties start in the tens of thousands per violation. An investment app missing 'past performance does not guarantee future results' or a lending app missing APR disclosure can be rejected, removed, and fined independently.
High because financial regulation violations create legal liability with civil penalties that exist independently of the app store enforcement action, and regulators can pursue the developer directly without involving Apple or Google.
Add required disclosures to every screen where a financial decision is made — not buried in a ToS screen, but visible at the point of commitment:
// src/screens/Portfolio.tsx
<RiskDisclosure>
Investing involves risk. Past performance does not guarantee future results.
You may lose some or all of your invested capital.
</RiskDisclosure>
For lending flows, display APR before the user taps the final confirmation:
// src/screens/LoanApplication.tsx
<Text>Annual Percentage Rate (APR): {formatAPR(loan.apr)}%</Text>
<Text>Total cost of credit: {formatCurrency(loan.totalCost)}</Text>
Remove any lending product with APR >36% or repayment period <60 days — both stores prohibit these outright rather than merely regulating them. Consult a financial regulatory attorney before submitting any investment, brokerage, or insurance app.
ID: app-store-policy-compliance.regulated-industries.financial-compliance
Severity: high
What to look for: Count all relevant instances and enumerate each. If financial services signals are detected (payment processing beyond standard IAP, lending, investments, cryptocurrency, insurance), examine: (1) Licensing disclosures — Search for regulatory disclosures in UI copy: "licensed by", "registered with", "member FDIC", "member SIPC", "FINRA", "broker-dealer", "investment adviser registered". If the app offers investment advice, brokerage services, or insurance, these disclosures are legally required and must appear in the app. (2) Risk disclosures — Search for "investments involve risk", "past performance", "not a guarantee", "you may lose money". Investment and trading apps must disclose that returns are not guaranteed. Cryptocurrency apps must disclose volatility risk. (3) Lending APR disclosures — If loan origination or buy-now-pay-later flows exist, search for "APR", "annual percentage rate", "total cost of credit" in the loan flow screens. US federal law (Truth in Lending Act) and Google Play/Apple policy both require APR disclosure in consumer lending. (4) Payday loan prohibition — Both Apple and Google prohibit high-interest short-term personal loans (>36% APR, <60-day repayment). Search for loan terms defined in source: repayment periods in days, interest rate configs. (5) Cryptocurrency — Apps offering crypto trading must be from licensed money transmitters or exchanges. Look for KYC (Know Your Customer) flows — if the app moves real money via crypto without a KYC step, this is a policy violation.
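The search steps (1)–(4) above, as a small TypeScript scanner added here for illustration; it is not part of this rule, of the app stores' tooling, or of any project. The screen sources and loan product configs it runs over are constructed samples, and the phrases it looks for are the ones listed in the rule.

```typescript
// Added illustration, not the rule's own tooling: a minimal static checker
// for the "What to look for" steps. All inputs below are constructed samples.
type Finding = { location: string; issue: string };

// Signals that a screen belongs to a regulated flow (search terms from steps 1-3).
const SIGNALS: Record<string, RegExp> = {
  investment: /portfolio|projected returns|invest/i,
  lending: /\bloan\b|borrow|repayment/i,
};
// Disclosure phrases the rule expects on such screens; every pattern must match.
const REQUIRED: Record<string, RegExp[]> = {
  investment: [/past performance/i, /involves? risk|may lose/i],
  lending: [/\bAPR\b|annual percentage rate/i, /total cost of credit/i],
};

// Reports each required disclosure absent from a screen that shows financial signals.
function checkScreen(path: string, source: string): Finding[] {
  const findings: Finding[] = [];
  for (const [category, signal] of Object.entries(SIGNALS)) {
    if (!signal.test(source)) continue;
    for (const pattern of REQUIRED[category]) {
      if (!pattern.test(source)) {
        findings.push({ location: path, issue: `${category}: no text matching ${pattern}` });
      }
    }
  }
  return findings;
}

interface LoanProduct { id: string; apr: number; repaymentDays: number }

// Step 4: flags loan terms outside the limits both stores enforce (>36% APR, <60 days).
function checkLoanProduct(p: LoanProduct): Finding[] {
  const findings: Finding[] = [];
  if (p.apr > 36) findings.push({ location: p.id, issue: `APR ${p.apr}% exceeds 36%` });
  if (p.repaymentDays < 60) findings.push({ location: p.id, issue: `${p.repaymentDays}-day repayment is under 60 days` });
  return findings;
}

// Constructed sample inputs (hypothetical screens and products, not real project files).
const SAMPLE_SCREENS: Record<string, string> = {
  "src/screens/Portfolio.tsx": "Investing involves risk. Past performance does not guarantee future results.",
  "src/screens/Projections.tsx": "Projected returns: 12% per year. Tap Invest to continue.",
  "src/screens/LoanApplication.tsx": "Loan amount: $500. Tap Confirm to accept your loan.",
};
const SAMPLE_LOANS: LoanProduct[] = [
  { id: "payday-14", apr: 390, repaymentDays: 14 },
  { id: "personal-12mo", apr: 24, repaymentDays: 365 },
];

// Runs every check over the samples; each finding names the file or product to cite on fail.
function runAll(): Finding[] {
  const out: Finding[] = [];
  for (const [path, src] of Object.entries(SAMPLE_SCREENS)) out.push(...checkScreen(path, src));
  for (const loan of SAMPLE_LOANS) out.push(...checkLoanProduct(loan));
  return out;
}
```

The Portfolio sample passes because it carries both investment phrases; the Projections and LoanApplication samples and the payday product each produce two findings, which is the "Detail on fail" material.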
Pass criteria: Financial service apps include all required regulatory disclosures, risk warnings, and APR disclosures. Lending apps comply with APR limits. Crypto apps have KYC flows. Licensing disclosures are present and accurate.
Fail criteria: Investment or brokerage app missing FINRA/SEC/regulatory disclosure; lending app missing APR disclosure or offering >36% APR short-term loans; crypto trading app with no KYC flow; insurance app missing state licensing disclosure.
Skip (N/A) when: No financial service features detected — app does not process payments beyond standard in-app purchases, does not offer lending, investment, insurance, or cryptocurrency features. Skip if the only financial component is standard Stripe/IAP purchase processing.
Detail on fail: "Investment portfolio screen in src/screens/Portfolio.tsx shows projected returns with no risk disclosure — 'past performance does not guarantee future results' is absent" or "Loan origination flow in src/screens/LoanApplication.tsx does not display APR at any point in the flow"
Remediation: Financial regulation violations can result in legal liability beyond app rejection.
Review the configuration in the src/ or app/ directory for implementation patterns.