FinTech Law TL;DR (April 15)
TransUnion Suit - Celsius Interest Accounts - CFPB Climate Risk
Hi all 👋
I had a blast writing a guest post for Napkin Math, The Race for New Payment Rails. It explores the minimum viable capabilities a company needs to become the next payment rail, and a few case studies of fintechs that might pull it off…
Also! We’ve been working on some educational blogs at Lithic, and we kicked them off with a guide to the EFTA and Reg E. We’re scheming up lots of cool stuff that we hope will help founders and operators…much, much more to come!
Lastly, one follow up from last edition: the Payday Rule is set to go into effect 286 days after a pending Fifth Circuit appeal, not in June (as mentioned in the last edition).
Open Fintech Roles
Are you a fintech company looking to fill roles? I (finally) set up a Pallet for this newsletter!
If you want your open roles highlighted in two newsletter editions that are (currently) read by 1.5-2K+ folks, check out the Fintech Law TL;DR Pallet. It’s a targeted fintech audience of primarily legal, compliance, product, and operations folks.
It’s A Bad Time to Be A CRA
The CFPB is increasingly cantankerous towards the credit agencies.
We’ve talked about the agency’s report in March that suggested the CFPB thought consumer reporting agencies (CRAs) should remove medical debt from credit reports…which the big three CRAs (Equifax, Experian, and TransUnion) responded to by announcing plans to do just that. But wait, there’s more!
CFPB Director Rohit Chopra recently gave a speech about the big three CRAs’ medical debt announcement. In it, he re-raised some previous questions (e.g., should medical bills be treated like traditional debt at all?).
But he also hinted at antitrust issues:
“The firms appeared to have made an agreement to decide how they wanted to report medical debt. This raised a key question: are these three firms acting as competitors or as a cartel?”
That might just be puffery; right now, the CFPB, FTC, and Biden administration seem to be calling everything an antitrust issue. My guess is nothing comes of it – but it does put credit agencies on notice to curtail any coordination. But then again, regulatory agencies seem ripe to bring lawsuits like…
The CFPB announced they filed a lawsuit against TransUnion, two subsidiaries, and a senior executive for violating a 2017 enforcement order. There’s a lot to unpack here. 🍿
First, what was the 2017 order about? Remember that TransUnion isn’t just a credit reporting agency; they also sell products like access to your credit score or report, and credit monitoring.
The order claimed TransUnion used dark patterns in selling its products. For example, they say TransUnion had “deceptive buttons” that suggested consumers would access a free credit score but actually signed them up for recurring charges. In the order, TransUnion agreed to pay $13.9M to victims and $3M in penalties, and put certain guardrails in place (like getting express opt-in consent for recurring payments, and providing an easy way to cancel subscriptions).
But, apparently, in 2019 CFPB examiners found TransUnion wasn’t living up to these requirements. Normally, when the CFPB flags something like this, a company moves quickly to fix it. But the CFPB claims TransUnion didn’t, and kept violating the order.
The announcement also claims the senior exec (from the TransUnion unit that sold the relevant products/services) determined that complying with the 2017 order would reduce revenue, so he delayed or avoided implementing it. The CFPB claims he specifically told the company not to use the affirmative opt-in checkbox the order requires.
Also! TransUnion quickly released a public statement, claiming the charges are meritless. They say:
They submitted a compliance plan to the CFPB in 2017, which the agency ignored.
The CFPB didn’t communicate any supervisory guidance “like a responsible regulator would,” but waited to aggregate claims for a lawsuit.
CFPB leadership refused to meet with TransUnion and were determined to litigate so they could get the headlines.
Honestly, I wouldn't be surprised if TransUnion’s side of the story were true? The day the suit was announced, the TransUnion news was all over headlines and Twitter. If the CFPB was just trying to make a splash, it worked.
Oddly absent from TransUnion’s statement, though, is a defense of the particular exec…though, in a way, it’s wrapped up in their overall positioning. But I’m kind of surprised they didn’t specifically call it out…which means we need to talk about what happens when an individual at a company is sued.
The CFPB announcement (and their repeat offender release) make it sound like we’re going to make this senior exec pay! In reality, though, most officers and employees don’t pay for these sorts of things. Execs and officers typically have indemnification protections, meaning the company pays for litigation costs and resulting fines. Established companies also have Directors & Officers Insurance, which covers losses from suits targeted at higher-ranking folks. All of this means the company pays!
This is (generally) good! It’s a policy that encourages people to make judgment calls and take (reasonable) risks for companies without fear of frivolous lawsuits. But there are exceptions for things like egregious fraud, self-dealing, or a conflict of interest. Which is what makes TransUnion’s omission of a defense of the senior executive interesting. 🧐
Where the CFPB can hit an exec, though, is non-financial penalties. For example, they can ban him or her from certain activities (say, working in a credit agency division that sells subscription products) if their charges succeed.
While this may not have much direct implication for fintechs, it drives home a few things: (1) the CFPB is actually going after repeat offenders, (2) the agency seems to want to go after individuals more, and (3) regulators are getting more serious about dark patterns, so don’t be a jerk with your product.
Securities Laws & Branding
Back in February, we talked about the BlockFi settlement. The SEC and state securities regulators went after BlockFi’s high-yield crypto interest account as an unregistered security. BlockFi cried uncle and agreed that, yep, the interest accounts are securities. It was the first major outcome for a crypto interest account, though there are dozens of others offering them.
When something’s a security you generally either (a) register it with the SEC[1] or (b) fit under an exemption.
BlockFi took the first approach. The company needs to draft those registration statements, and the SEC needs to review them (typically 3-5 months), so I don’t expect BlockFi to relaunch the product until the end of the year at the earliest.
Celsius had also been under scrutiny for a similar product and they just announced they’re taking the second option.
Registered securities can generally be marketed and offered to the public without limits on who can invest. But the most common securities exemptions are “private offerings,” which (1) prohibit you from marketing and offering them to the public, (2) are generally limited to high-net worth investors only (most commonly, accredited investors), and (3) don’t require that you confirm investors actually are high-net worth (you can just rely on them saying they are).
There’s one big exception to the “don’t market private offerings to the public” rule: Rule 506(c) offerings, which allow an issuer to market securities to the public. But! There’s one catch: If you do a 506(c) offering, you have to confirm investors are accredited. Celsius is taking this approach.[2]
So we end up with:
BlockFi: marketed to the public, anyone can invest, but you have to wait until their registration statement is approved.
Celsius: marketed to the public, only high-net worth investors can invest, but they can invest now.
This strikes me as “BlockFi is for the people (a la Robinhood); Celsius is not.” It’s an interesting example of how the securities framework can affect your brand.
FDIC to Pre-Approve Crypto
The FDIC sent a letter to banks it supervises saying they need to notify the agency of any crypto activity they’re involved in or want to be involved in. They’re concerned crypto risks aren’t well understood and may threaten financial stability and bank safety and soundness. Once notified, the FDIC will “review” and “provide relevant supervisory feedback.” Aka, you need their approval.
Back in November ’21, the OCC published a letter to the national banks it oversees that, in part, says banks should seek OCC permission before offering any crypto services. Because the OCC is the primary regulator for national banks, state banks weren’t affected. So this new FDIC letter plugs the gap, requiring most state banks to now get regulator pre-approval to engage with crypto.[3]
This could be bad for banks offering crypto, but not necessarily. It depends on how reasonable the regulator reviews are. If the FDIC (and OCC) are too unreasonably difficult, crypto lobbyists are incentivized to push for a regulatory framework that takes crypto out of the FDIC’s and OCC’s purview.
CFPB Climate Risk
The CFPB released a blog post warning homebuyers to consider climate change risks when purchasing a home. As far as I can tell, this is the first CFPB release to target climate change.
Some callouts from the post:
4.3M residential homes have substantial flood risk, with 2021 annual losses estimated at $4,694 per property (expected to grow to $7,563 by 2051).
Homeowners in high-risk coastal areas are facing flood insurance premium increases that can be thousands per year.
Formerly redlined areas are disproportionately affected by heat and flood risk.
The CFPB advised consumers to research a property’s climate risks, using resources like:
There’s gotta be a fintech business model out there for incorporating climate risk into real estate valuations, listings, etc. Who’s building that? 🤔
The CFPB proposed a rule preventing consumer reporting agencies from including negative credit information in credit reports if it results from human trafficking. The rule implements a law President Biden signed late last year.
Block (f/k/a Square) disclosed that a former employee downloaded the Cash App account info of 8.2M users.
NACHA released its 2021 top 50 FI originators and receivers. Readers will recognize a few fintech bank partners (e.g., Bancorp, Evolve, Green Dot).
Banks and credit unions are pushing the House to terminate the exemption that lets industrial loan charter (ILC) banks be owned by any organization, not just bank holding companies, and the prudential regs that apply to BHCs.
Over a dozen Democratic state attorneys general called on big banks to get rid of overdraft fees, per American Banker.
The CFPB released a report about states that have “no-cost extension” payday lending laws. These laws give borrowers a right to extend repayment without incurring additional costs. The report found low utilization rates resulting from payday lenders steering borrowers away from the option.
The CFPB released its semi-annual report of activities for the past six months.
Wells Fargo named its first chief sustainability officer.
The CFPB published a blog busting the myth that student debt cannot be discharged in bankruptcy.
The CFPB published a blog highlighting that consumers are on track to save $1B in NSF fees annually after the recent push to stop charging these fees, publicly shaming banks that haven’t eliminated the fees by listing them in the blog.
The IMF called for increased regulation of fintechs.
Tennessee became the third state to pass a law creating a new DAO entity type, following Wyoming and Vermont.
NJ issued a cease and desist order to Voyager over its interest-earning crypto account being an unregistered security.
The SEC approved a BTC futures ETF, this one approved under the Securities Exchange Act instead of the Investment Company Act, which most prior BTC futures companies followed. Some folks suggest this opens the door to a BTC spot ETF approval.
Virgil Griffith, the ETH programmer who spoke at a crypto conference in North Korea, was sentenced to 63 months in prison for violating a US law that prohibits US citizens from exporting goods, services, or technology to sanctioned countries like North Korea, per the WSJ.
Treasury Secretary Janet Yellen gave her first speech focused solely on crypto, positing that crypto should be subject to the same rules as the traditional finance system.
Treasury sanctioned Hydra Market, a Russia-based darknet market, in part thanks to tracking crypto transactions.
Sen. Toomey introduced the TRUST Act, a bill that would create a framework for stablecoin regulation: get a new stablecoin license from the OCC, get state money transmitter licenses, or get a traditional bank charter.
ProShares filed an ETF application that lets investors short BTC.
The NY Senate effectively gave NY’s financial regulator the ability to start collecting examination fees on crypto companies it oversees (via the Bitlicense), per Coindesk.
The New York Times published a great piece on how crypto policy advocates are (successfully) targeting state lawmakers in the absence of federal policy, leading to at least 153 state crypto bills so far this year.
Mastercard filed dozens of metaverse and crypto patents, per The Block.
NY’s attorney general reminded investors to pay taxes on crypto.
Sui Generis (Fun Finds)
Hi. I’m Reggie. I’m a fintech product lawyer at Lithic.
Any views expressed are my own (well, sort of? I mean, they’re based on laws and regulations, so they’re not really “mine”?). Nothing here is legal or financial advice.
[1] We’re ignoring the interaction (preemption, mostly) of state securities laws here.
[2] It’s possible Celsius could register their interest product as a security while they’re doing the 506(c) offering. But they haven’t mentioned that in any public statements I’ve seen.
[3] It also means OCC-regulated banks will need to get both OCC and FDIC sign-off.