FinTech Law TL;DR (April 29)
CFPB Fintech Supervision - MoneyGram Suit - Anchorage Order
Hi all 👋
We’re building out our fintech founder legal library at Lithic and we added a guide to the Prepaid Card Rule and the Gift Card Rule!
Wirecutter also did a deep dive on Privacy.com: The Easy Way I Protect My Credit Cards Online and Keep Free Trials Free. Privacy.com is Lithic’s consumer-facing product (and the genesis of our tech). I’ve been working on the product a bit lately, so it’s cool to see it in the NYT!
Your email will probably clip this, so click here to read it in browser.
Are you a fintech company looking to fill roles? If you want your open roles highlighted here, check out the Fintech Law TL;DR Pallet. Current openings:
Coming to a Fintech Near You: the CFPB
Some fun news from the CFPB this week that’s important but, IMO, not a huge change.
The agency announced it’s going to start leveraging its “largely unused” authority to examine “nonbank financial companies that pose risks to consumers.” And the release explicitly calls out fintechs.
What’s that all mean, though?
The CFPB was created after the Great Recession to be the go-to regulator for consumer financial services. Congress gave the agency explicit authority to supervise certain types of financial companies, like large banks, private student lenders, some remittance providers, and others.
But Congress was savvy, so they added a catch all bucket for CFPB supervision authority. And that’s what the agency is highlighting now; they can supervise a company they think poses risks to consumers.
But WTF counts as “posing risk?”
I don’t know. And neither does the CFPB. They specifically declined to define or set standards for what counts as a risk to consumers back in 2013. It could mean “you violated a specific consumer financial law.” Or it could mean “you charged NSF fees when the financial industry is moving away from them.”
But the CFPB’s perception of a risk has to be based on complaints or “information from other sources.” And the agency also hasn’t defined “other sources” that well. So…it’s kind of whatever the agency wants? It could mean traditional sources like complaints to the CFPB or court opinions. But it could also include Tweets, or Fintech Business Weekly’s tireless efforts to uncover UDAAPs.
And given how much CFPB complaints continue to skyrocket, it’s probably not hard for them to find a complaint about a particular fintech if they want:
So this all means the CFPB is going to use extremely broad authority to supervise any fintech the agency wants. It also underscores something good fintech operators know: if you treat your users well (quickly solving disputes, being generous when things go wrong, etc.), users won’t file complaints, and you won’t end up under the microscope!
IMO, this isn’t that big of a deal, though. The CFPB already had purview over some fintechs before (see, e.g., how they shut down LendUp). So the news itself isn’t a sea change, but it does make the CFPB’s path easier if they want to supervise a fintech.
MoneyGram Gets Sued
We’ve talked about the CFPB initiative to target repeat offenders early this month. And we talked last week about the CFPB’s new lawsuit against TransUnion for (allegedly) repeatedly violating financial laws. Third time’s the charm?
The CFPB and NY Attorney General recently announced a lawsuit against MoneyGram, alleging the company failed to promptly deliver remittance funds and ignored complaints and government warnings over the failure.
Similar to the TransUnion story, the MoneyGram suit came after the CFPB found issues in 2014 and followed up in 2019 to find they (allegedly) weren’t fixed.
The release describes how MoneyGram is one of the biggest players in the market, so it “knew it had new laws to follow and that it had to change some of its ways of doing business” after the CFPB updated remittance regulations in 2013. The implication: the CFPB doesn’t expect smaller companies to always know and follow the laws that apply to them. This is the CFPB saying the quiet part out loud: bigger companies generally get more regulatory scrutiny, smaller ones…less so.
Anchorage Consent Order
Anchorage is a bank that offers crypto services. It started its crypto journey as a South Dakota-chartered trust. Back in January 2021, Anchorage converted to a national (OCC) bank charter, making them the first crypto bank with a national charter. But they had to agree to, and follow, an operating agreement that listed requirements (like having AML policies and procedures).
Last week, the OCC announced Anchorage agreed to a consent order over the company’s insufficient AML/BSA program.
The order highlights Anchorage’s allegedly inadequate customer due diligence, suspicious activity monitoring, BSA officer and staff resources, and training. The order has a laundry list of things Anchorage needs to ensure are in place (e.g., an AML officer that reports to the board, an independent AML audit).
There’s no civil penalty, and Anchorage didn’t admit or deny the issues in the order. So it’s more like the OCC just put Anchorage on notice to get their affairs in shape. I’ve seen a few reporters and newsletters struggle to suss out the meaning here. What did Anchorage do wrong? What does it mean for crypto?
The order doesn’t provide much detail. But I have a theory.
Brian Brooks was head of the OCC from late May 2020 to January 2021. Brooks is known for being pro-crypto and friendly with fintechs. After he left the OCC, he was CEO of Binance’s US division for a few months, and is now the CEO of Bitfury, a crypto infrastructure provider.
The original Anchorage conversion to a national bank happened January 13, 2021, one day before Brooks left. Two other crypto charters were approved by the OCC: Protego and Paxos. Both of them happened under Blake Paulson, who led the OCC after Brooks until Michael Hsu, the current head, took over in May 2021. Hsu is known for being a bit more skeptical about fintech and crypto, and no national crypto banks have been approved under him so far.
Anchorage’s original operating agreement outlined some broad strokes AML requirements. But the new consent order seems to go into way more detail.
So I wonder: is the Anchorage order just a sign that Hsu is going back over Brooks’ and Paulson’s work and ratcheting up the standards for crypto? Did Brooks push Anchorage through in his last days so he could say he approved the first national crypto bank? 🤔
This order might just be an example of Democratic-leaning OCC leadership changing standards.1 🤷
If only…there were a good podcast out there…that Anchorage could have listened to…outlining how to build a good compliance program…stay tuned 😏.
Elsewhere:
One-click checkout company Bolt is being sued by Forever 21’s parent company over claims it failed to deliver on its tech promises, per Bloomberg.
Senators sent Visa and Mastercard a letter calling for the card networks to cancel planned fee increases, including veiled antitrust threats.
CA responded to OppFi’s true lender filings, arguing vehemently that OppFi is the true lender because it buys 95%+ of loans from its bank partner, collecting nearly all the profit.
SoFi agreed to settle class action claims that its lending policies discriminated against DACA immigrants because they wouldn’t accept their status, per Law360. The settlement requires SoFi to revise policies.
The CFPB plans to revisit the CARD Act’s credit card regulations, per American Banker.
PayPal is closing its SF office, per TechCrunch.
Inflation has replaced cybersecurity as community banks’ top concern, per a CSBS survey.
President BIden nominated Michael Barr to be the Fed’s vice chairman for supervision. Given fraught recent nominations, I’ll hold off on a deep-dive on Barr until there’s an actual appointment. The TL;DR: he’s generally a mix of consumer-friendly and pro-innovation.
The Tenth Circuit Court of Appeals ruled that extended overdraft fees don’t count as interest under the National Bank Act.
The CFPB released a report on top issues consumers face in medical billing and collections: inaccurate bills, bills for debt that isn’t owed, difficulty identifying bills, only discovering bills after a credit score drop, and privacy breaches in debt collections.
HUD released its first ever equity action plan to advance racial and underserved community equity, including increased funding for fair housing complaints.
Lael Brainard was confirmed as Vice Chair of the Fed Board of Governors.
The CFPB released a report on rural Americans’ economic challenges, mostly focused on consequences of the dwindling number of community banks and physical branches.
The OCC announced a discussion series on consumer financial well-being.
Elsewhere (crypto):
The SEC issued a bulletin saying companies should (1) disclose risks to investors from crypto held on behalf of customers and (2) account for customer crypto assets as liabilities.
The NY House passed a moratorium on new POW mining operations that use electricity generated from carbon-based fuel. The NY Senate will vote on it next.
DeFi coin mixer Tornado Cash added a Chainalysis tool to block crypto wallets sanctioned by OFAC. It’s an example of what building a compliant decentralized app looks like. Though it only interacts with Tornado Cash’s front end, so users can still use the smart contracts underlying the service, per Coindesk.
Related: it looks like the Ronin Bridge hackers were North Korean, who had been processing stolen ETH through Tornado Cash, per Coindesk.
Plaintiffs brought a class action suit against Uniswap Labs (the company that built the Uniswap decentralized exchange) over claims they offered unregistered securities (the UNI token) and allowed pump and dump and rug pull schemes.
Binance won a NY federal court dismissal of a proposed securities class action lawsuit. The suit was based on claims the exchange sold unregistered securities tokens.
Fidelity will start letting investors put BTC in their 401ks next year, per the WSJ. And the Dept of Labor has “grave concerns” about the offering, per the WSJ.
Sui Generis (Fun Finds)
The New Yorker recently explored a pending lawsuit brought by two lakes, a marsh, and two boggy streams: A Lake in Florida Suing to Protect Itself. It’s a fascinating overview of efforts in the US and other countries to give nature aspects of nature rights.
Hi. I’m Reggie. I’m a fintech product lawyer at Lithic
Are you a fintech company looking to fill roles? If you want your open roles highlighted in two editions (currently) read by 1.5-2K folks, check out the Fintech Law TL;DR Pallet. It’s a targeted fintech audience of primarily legal, compliance, product, and operations folks.
Reach out (email or Twitter) if you’re interested in any of the following:
Sponsoring the newsletter
Early stage fintech looking to raise
Collaborating
Just want to say hey!
If you want to use a card issuer that makes it simple for companies of all sizes to issue cards INSANELY fast, come talk to Lithic. Lithic’s hiring if you want to come work with me!
Any views expressed are my own (well, sort of? I mean, they’re based on laws and regulations, so they’re not really “mine”?). Nothing here is legal or financial advice.
To be clear: AML requirements are AML requirements and to the extent Anchorage didn’t satisfy them, OCC scrutiny is warranted.