Fintech Law TL;DR (Feb 17)
New Podcasts -- Regulatory Round Up
Hi all 👋
Been a minute! Hope your 2023 has been relatively spy balloon-free so far.
This edition is going to be less of a deep-dive, and more of a high-level round-up of key fintech regulatory developments since the last time we talked.
ICYMI, we released two new podcasts since we last spoke. One covers the TL;DR of sanctions with John Smith from MoFo.
The second episode is a primer on lending capital markets with a former colleague of mine, Robin Poore from Bluevine. If you’ve never thought much about how deeply the economics and terms of a lender’s capital source affect the entire business…you really oughta give it a listen. And while we’re here, Bluevine is looking for a Sr Product Counsel in case you know any fintech product lawyers looking!
Fintech (Non-Crypto) Round Up
Lending
In the mortgage space, the CFPB issued an opinion clarifying that mortgage comparison platforms can’t receive fees for steering mortgages customers (e.g., labeling a lender as “featured”).
New York finalized their business loan disclosure regulations. Commercial lenders will have to start providing a one-pager of key loan terms to NY borrowers in six months, following a similar requirement in CA.
Afterpay stopped offering its BNPL in New Mexico after the state’s 36% interest rate law went into effect. Also, per Fintech Business Weekly, Chime has been obtaining the types of licenses needed for consumer lending. 🤔
Lastly, Grovetta Gardineer from the OCC1 gave a speech on the agency’s fair lending-related work, saying lenders should devote technical and compliance expertise in their risk management process to address discrimination issues that can happen when using AI, ML, and similar techniques. It’s worth a read if you’re using any of those tools.
Zelle
Zelle’s bank owners are considering making new rules that would reimburse victims of fraud, likely an attempt to address recent public scrutiny and continued regulatory pressure. Small banks claim that footing the bill for scams would make Zelle too expensive for them.
Also, the banks behind Zelle are planning to launch a digital wallet.
Fintech Registries
The CFPB released proposals for two public non-bank registries. Under the first proposal, nonbanks (aka, fintechs) would have to report any violations of any consumer finance laws to a public registry.
Under the second proposal, nonbanks would have to register with the CFPB if their terms and conditions included certain (pretty standard and ubiquitous) clauses. This second proposal mostly applies to providers of payday loans, student loans, and mortgages, as well as larger providers of auto loans, consumer reports, debt collection, and international remittances.
Clearly, the CFPB wants to expand its visibility into fintech (beyond their existing complaint database). If these proposals are realized, I suspect there’ll be a lot of fintechs that are required to register but don’t know that (and I imagine many early stage companies will probably just not register even if they know). And that, of course, would give the Bureau a hook to come knocking whenever they wanted.
Storm Clouds Might Be Coming
Treasury released a report on the benefits and challenges of cloud technology in financial services, calling for increased visibility, staffing, and cybersecurity engagement from cloud providers.
It’s notable because federal regulators haven’t done a ton in the cloud space yet outside of a Fed examination of AWS in 2019. Cloud service providers should generally be covered under banks’ third party risk management obligations, but I wouldn’t be surprised if we see cloud-specific guidance over the next few years.
Investigations
The Fed is investigating Goldman Sach’s consumer business with a focus on the monitoring and controls in place for their consumer lending Marcus product (which might help explain why Goldman is shutting it down). Their 10-Q also revealed the CFPB is investigating their credit card practices.
In Visa’s most recent 10-Q, the company disclosed that they received an investigative demand from the DOJ “focusing on U.S. debit and competition with other payment methods and networks.” The filing also disclosed a putative CA class action against Visa and Mastercard alleging “a conspiracy to fix interchange fees.”
PayPal also disclosed an FTC investigative demand regarding “commercial customers that submit charges on behalf of other merchants or sellers, and related activities.” If you have an idea what this might be about, let me know!
Cards, Cards, Cards
The CFPB issued a proposal to (1) lower acceptable credit card late fees from $35 to $8, (2) remove an automatic inflation adjustment to that fee limit, and (3) ban late fees above 25% of a required credit card payment. They’re also considering requiring a 15-day grace period where consumers can’t be assessed late fees.
There’s a lot to unpack on this proposal…but lucky for you, we’ve got a Fintech Layer Cake podcast episode coming out soon that dives into it. So go follow us (Spotify, Apple) if you want to catch it!
The FTC released a proposed order with Mastercard based on the network’s tokenization practices. When a card is added to a digital wallet, a token is created as a proxy for that card, to be used when that card is spent. [FN: See @fintechgtm’s tokenization post for more detail on tokenization.]
I’m glossing over a lot of nuance here, but the general idea of the FTC order is that Mastercard allegedly held card tokens in a vault that competing card networks couldn’t access, so merchants couldn’t route those transactions over another unaffiliated card network (which the Durbin Amendment says they should be able to do).
Lastly, the CFPB released a summary of responses to letters the Bureau sent big banks last May, inquiring why the banks (allegedly) deliberately suppressed reporting credit card repayments to the credit bureaus. “The responses suggested companies withheld information in an attempt to make it harder for competitors to offer their more profitable and less risky customers better rates, products, or services.”
Ensuring Accurate FDIC Claims
The FDIC issued proposed updated rules targeting the misrepresentation of products’ FDIC insurance claims. The proposed rules would require greater clarity around which products are and aren’t insured, and clarify the type of behavior that counts as misrepresentation (e.g., using FDIC terms or images to imply an uninsured product is insured = bad idea (not legal advice, just common sense!).
The FDIC sent cease and desist letters to four fintechs (including 3 crypto companies) demanding they correct misleading FDIC insurance statements.
The CFPB entered a proposed settlement with My Loan Doctor and its founder after the company allegedly misled consumers into depositing funds into what consumers were led to believe were FDIC-insured bank accounts, when the “deposits” were actually put in the founder's hedge fund. Hot tip: don’t do that (not legal advice, just common sense!).
Oh also, on the topic of the FDIC, Martin Gruenberg was finally nominated and sworn in as chair of the FDIC board.
FSOC
The Financial Stability Oversight Council (FSOC) plans to revise how it determines whether nonbanks are systemically important. TBD what it looks like, but this could open the door to the FSOC directly overseeing and regulating larger fintechs. See Bank Reg Blog for a deeper dive.
Don’t Lie to Credit Bureaus
Returning to our theme of “not legal advice, just common sense,” don’t lie to the credit bureaus! The FTC approved a proposed court order that includes lifetime bans and $18M in fines for founders of a company that allegedly provided false info to credit reporting agencies to “repair” consumers’ credit, among other allegations.
Also, as part of a CFPB report on the state of the bigger credit reporting agencies, CFPB Director Rohit Chopra said the Bureau “will be exploring new rules to ensure that they are following the law.”
FTC drama
Internal dissatisfaction with FTC Chair Lina Khan is spilling into the public. An FTC Commissioner wrote a WSJ op-ed announcing her resignation and claiming Khan is running roughshod over due process and the rule of law.
While we’re talking about the FTC, the agency also launched a new Office of Technology focused on keeping pace with new digital technologies. This follows the OCC’s creation of an “Office of Financial Technology” late last year.
Remittances
The CFPB is considering updating cross-border remittance rules, with an eye towards modified fee, exchange rate, and tax disclosure requirements.
Frankly, I’m Not That Shocked
JPMorgan is suing the founder of student loan company Frank, which the bank acquired last year, over claims the CEO falsified user data.
Crypto Round-Up
Turning Up the Heat on Celsius
Celsius’s bankruptcy examiner released its excellently-investigated report, covering the gaps between what the company and its former CEO claimed to do vs. what they actually did. Also, NY’s financial regulator sued Celsius’s former CEO for fraud.
Release the Kraken Fines!
Kraken agreed to pay nearly $370K to settle claims it violated sanctions laws by not blocking IP addresses from Iran. The exchange also agreed to pay $30M and end its staking program to settle SEC claims that its staking-as-a-service product was an unregistered securities offering. Surprise: crypto trade groups and companies aren’t happy about it (see, e.g., Coinbase’s blog arguing that staking services aren’t securities).
Unstable Coins, Amirite?
NY’s financial regulator ordered Paxos to stop issuing Binance’s stablecoin. Some folks see this as a sign the NY regulator might believe Binance’s stablecoin is a security, but it could also stem from AML issues Binance has had.
Crypto Banking Updates
NY’s financial regulator released a letter outlining what NY-regulated banks need to do to engage in crypto activities. The letter mostly tracks existing guidance [FN: See previous guidance from the OCC, Fed, and FDIC.] but adds a few new hurdles (e.g., providing policies, legal memos, and control frameworks).
The Fed denied Custodia Bank’s Fed membership application, generally saying the institution’s focus on crypto activities was “inconsistent with safe and sound banking practices” and that it had an “insufficient” risk management framework. Given Custodia wasn’t afraid to sue the Fed last year, don’t expect Custodia to accept the denial without a fight.
Coinbase Settlement
Coinbase agreed to pay a $50M penalty to settle claims with NY’s financial regulator that the exchange let customers open accounts with insufficient AML checks, monitoring, and reporting. As part of the settlement, the exchange will invest $50M in their compliance program.
Pro-tip: if you’re trying to increase your Compliance budget, I don’t recommend this approach.
Regulators See Crypto Risks (See Also, Water Is Wet)
Federal bank regulators issued a statement identifying key banking risks of crypto. The risks aren’t new (e.g., volatility, stablecoin runs, contagion), but the statement takes a starkly disapproving tone, saying crypto services are “highly likely to be inconsistent with safe and sound banking practices.”
SEC Pressure via Public Markets
The SEC sent a letter to public companies notifying that any significant exposure to crypto should be publicly disclosed. The SEC has also been scrutinizing crypto firms like Circle (which scrapped its SPAC), eToro, and Galaxy and withholding the agency’s approval needed to go public.
Thank U, Nexo
Nexo, which offered high-yield crypto lending products, agreed to pay $45M to settle SEC and state securities cases that its earn products were unregistered securities. The lender also stopped offering its products in the US.
Sui Generis (Fun Finds)
Should your company have a ChatGPT policy? Probably.
Bank Reg Blog published an interest post on the rates of de novo banks becoming profitable:
Hi. I’m Reggie. I’m a fintech product lawyer at Lithic.
Reach out (email or Twitter) if you’re interested in sponsoring the newsletter, want to connect with good + practical fintech counsel, want to collaborate, or just want to say hey!
Any views expressed are my own (well, sort of? I mean, they’re based on laws and regulations, so they’re not really “mine”?). Nothing here is legal or financial advice. If you need me to tell you not to get legal advice from Substack, you probably shouldn’t be on the internet?
Specifically, Gardineer is Senior Deputy Comptroller for Bank Supervision Policy.