Fintech Law TL;DR (Feb 17)
New Podcasts -- Regulatory Round Up
Hi all š
Been a minute! Hope your 2023 has been relatively spy balloon-free so far.
This edition is going to be less of a deep-dive, and more of a high-level round-up of key fintech regulatory developments since the last time we talked.
ICYMI, we released two new podcasts since we last spoke. One covers the TL;DR of sanctions with John Smith from MoFo.
The second episode is a primer on lending capital markets with a former colleague of mine, Robin Poore from Bluevine. If youāve never thought much about how deeply the economics and terms of a lenderās capital source affect the entire businessā¦you really oughta give it a listen. And while weāre here, Bluevine is looking for a Sr Product Counsel in case you know any fintech product lawyers looking!
Fintech (Non-Crypto) Round Up
Lending
In the mortgage space, the CFPB issued an opinion clarifying that mortgage comparison platforms canāt receive fees for steering mortgages customers (e.g., labeling a lender as āfeaturedā).Ā
New York finalized their business loan disclosure regulations. Commercial lenders will have to start providing a one-pager of key loan terms to NY borrowers in six months, following a similar requirement in CA.Ā
Afterpay stopped offering its BNPL in New Mexico after the stateās 36% interest rate law went into effect. Ā Also, per Fintech Business Weekly, Chime has been obtaining the types of licenses needed for consumer lending. š¤
Lastly, Grovetta Gardineer from the OCC1 gave a speech on the agencyās fair lending-related work, saying lenders should devote technical and compliance expertise in their risk management process to address discrimination issues that can happen when using AI, ML, and similar techniques.Ā Itās worth a read if youāre using any of those tools.
Zelle
Zelleās bank owners are considering making new rules that would reimburse victims of fraud, likely an attempt to address recent public scrutiny and continued regulatory pressure. Small banks claim that footing the bill for scams would make Zelle too expensive for them.Ā
Also, the banks behind Zelle are planning to launch a digital wallet.Ā
Fintech Registries
The CFPB released proposals for two public non-bank registries. Under the first proposal, nonbanks (aka, fintechs) would have to report any violations of any consumer finance laws to a public registry.Ā
Under the second proposal, nonbanks would have to register with the CFPB if their terms and conditions included certain (pretty standard and ubiquitous) clauses. This second proposal mostly applies to providers of payday loans, student loans, and mortgages, as well as larger providers of auto loans, consumer reports, debt collection, and international remittances.Ā
Clearly, the CFPB wants to expand its visibility into fintech (beyond their existing complaint database). If these proposals are realized, I suspect thereāll be a lot of fintechs that are required to register but donāt know that (and I imagine many early stage companies will probably just not register even if they know). And that, of course, would give the Bureau a hook to come knocking whenever they wanted.
Storm Clouds Might Be Coming
Treasury released a report on the benefits and challenges of cloud technology in financial services, calling for increased visibility, staffing, and cybersecurity engagement from cloud providers.Ā
Itās notable because federal regulators havenāt done a ton in the cloud space yet outside of a Fed examination of AWS in 2019. Cloud service providers should generally be covered under banksā third party risk management obligations, but I wouldnāt be surprised if we see cloud-specific guidance over the next few years.Ā
Investigations
The Fed is investigating Goldman Sachās consumer business with a focus on the monitoring and controls in place for their consumer lending Marcus product (which might help explain why Goldman is shutting it down). Their 10-Q also revealed the CFPB is investigating their credit card practices.
In Visaās most recent 10-Q, the company disclosed that they received an investigative demand from the DOJ āfocusing on U.S. debit and competition with other payment methods and networks.ā The filing also disclosed a putative CA class action against Visa and Mastercard alleging āa conspiracy to fix interchange fees.ā
PayPal also disclosed an FTC investigative demand regarding ācommercial customers that submit charges on behalf of other merchants or sellers, and related activities.ā If you have an idea what this might be about, let me know!
Cards, Cards, Cards
The CFPB issued a proposal to (1) lower acceptable credit card late fees from $35 to $8, (2) remove an automatic inflation adjustment to that fee limit, and (3) ban late fees above 25% of a required credit card payment. Theyāre also considering requiring a 15-day grace period where consumers canāt be assessed late fees.Ā
Thereās a lot to unpack on this proposalā¦but lucky for you, weāve got a Fintech Layer Cake podcast episode coming out soon that dives into it. So go follow us (Spotify, Apple) if you want to catch it!
The FTC released a proposed order with Mastercard based on the networkās tokenization practices. When a card is added to a digital wallet, a token is created as a proxy for that card, to be used when that card is spent. [FN: See @fintechgtmās tokenization post for more detail on tokenization.]Ā
Iām glossing over a lot of nuance here, but the general idea of the FTC order is that Mastercard allegedly held card tokens in a vault that competing card networks couldnāt access, so merchants couldnāt route those transactions over another unaffiliated card network (which the Durbin Amendment says they should be able to do).Ā
Lastly, the CFPB released a summary of responses to letters the Bureau sent big banks last May, inquiring why the banks (allegedly) deliberately suppressed reporting credit card repayments to the credit bureaus. āThe responses suggested companies withheld information in an attempt to make it harder for competitors to offer their more profitable and less risky customers better rates, products, or services.ā
Ensuring Accurate FDIC Claims
The FDIC issued proposed updated rules targeting the misrepresentation of productsā FDIC insurance claims. The proposed rules would require greater clarity around which products are and arenāt insured, and clarify the type of behavior that counts as misrepresentation (e.g., using FDIC terms or images to imply an uninsured product is insured = bad idea (not legal advice, just common sense!).
The FDIC sent cease and desist letters to four fintechs (including 3 crypto companies) demanding they correct misleading FDIC insurance statements.Ā
The CFPB entered a proposed settlement with My Loan Doctor and its founder after the company allegedly misled consumers into depositing funds into what consumers were led to believe were FDIC-insured bank accounts, when the ādepositsā were actually put in the founder's hedge fund. Hot tip: donāt do that (not legal advice, just common sense!).
Oh also, on the topic of the FDIC, Martin Gruenberg was finally nominated and sworn in as chair of the FDIC board.Ā
FSOC
The Financial Stability Oversight Council (FSOC) plans to revise how it determines whether nonbanks are systemically important. TBD what it looks like, but this could open the door to the FSOC directly overseeing and regulating larger fintechs. See Bank Reg Blog for a deeper dive.Ā
Donāt Lie to Credit Bureaus
Returning to our theme of ānot legal advice, just common sense,ā donāt lie to the credit bureaus! The FTC approved a proposed court order that includes lifetime bans and $18M in fines for founders of a company that allegedly provided false info to credit reporting agencies to ārepairā consumersā credit, among other allegations.Ā
Also, as part of a CFPB report on the state of the bigger credit reporting agencies, CFPB Director Rohit Chopra said the Bureau āwill be exploring new rules to ensure that they are following the law.ā
FTC drama
Internal dissatisfaction with FTC Chair Lina Khan is spilling into the public. An FTC Commissioner wrote a WSJ op-ed announcing her resignation and claiming Khan is running roughshod over due process and the rule of law.
While weāre talking about the FTC, the agency also launched a new Office of Technology focused on keeping pace with new digital technologies. This follows the OCCās creation of an āOffice of Financial Technologyā late last year.Ā
Remittances
The CFPB is considering updating cross-border remittance rules, with an eye towards modified fee, exchange rate, and tax disclosure requirements.Ā
Frankly, Iām Not That Shocked
JPMorgan is suing the founder of student loan company Frank, which the bank acquired last year, over claims the CEO falsified user data.Ā
Crypto Round-Up
Turning Up the Heat on Celsius
Celsiusās bankruptcy examiner released its excellently-investigated report, covering the gaps between what the company and its former CEO claimed to do vs. what they actually did. Also, NYās financial regulator sued Celsiusās former CEO for fraud.Ā
Release the Kraken Fines!
Ā
Kraken agreed to pay nearly $370K to settle claims it violated sanctions laws by not blocking IP addresses from Iran. The exchange also agreed to pay $30M and end its staking program to settle SEC claims that its staking-as-a-service product was an unregistered securities offering. Surprise: crypto trade groups and companies arenāt happy about it (see, e.g., Coinbaseās blog arguing that staking services arenāt securities).Ā
Unstable Coins, Amirite?
NYās financial regulator ordered Paxos to stop issuing Binanceās stablecoin. Some folks see this as a sign the NY regulator might believe Binanceās stablecoin is a security, but it could also stem from AML issues Binance has had.Ā
Crypto Banking Updates
NYās financial regulator released a letter outlining what NY-regulated banks need to do to engage in crypto activities. The letter mostly tracks existing guidance [FN: See previous guidance from the OCC, Fed, and FDIC.] but adds a few new hurdles (e.g., providing policies, legal memos, and control frameworks).Ā
The Fed denied Custodia Bankās Fed membership application, generally saying the institutionās focus on crypto activities was āinconsistent with safe and sound banking practicesā and that it had an āinsufficientā risk management framework. Given Custodia wasnāt afraid to sue the Fed last year, donāt expect Custodia to accept the denial without a fight.Ā
Coinbase Settlement
Coinbase agreed to pay a $50M penalty to settle claims with NYās financial regulator that the exchange let customers open accounts with insufficient AML checks, monitoring, and reporting. As part of the settlement, the exchange will invest $50M in their compliance program.Ā
Pro-tip: if youāre trying to increase your Compliance budget, I donāt recommend this approach.
Regulators See Crypto Risks (See Also, Water Is Wet)
Federal bank regulators issued a statement identifying key banking risks of crypto. The risks arenāt new (e.g., volatility, stablecoin runs, contagion), but the statement takes a starkly disapproving tone, saying crypto services are āhighly likely to be inconsistent with safe and sound banking practices.ā
SEC Pressure via Public Markets
The SEC sent a letter to public companies notifying that any significant exposure to crypto should be publicly disclosed. The SEC has also been scrutinizing crypto firms like Circle (which scrapped its SPAC), eToro, and Galaxy and withholding the agencyās approval needed to go public.
Thank U, Nexo
Nexo, which offered high-yield crypto lending products, agreed to pay $45M to settle SEC and state securities cases that its earn products were unregistered securities. The lender also stopped offering its products in the US.Ā
Sui Generis (Fun Finds)
Should your company have a ChatGPT policy? Probably.Ā
Bank Reg Blog published an interest post on the rates of de novo banks becoming profitable:
Hi. Iām Reggie. Iām a fintech product lawyer at Lithic.
Reach out (email or Twitter) if youāre interested in sponsoring the newsletter, want to connect with good + practical fintech counsel, want to collaborate, or just want to say hey!
Any views expressed are my own (well, sort of? I mean, theyāre based on laws and regulations, so theyāre not really āmineā?). Nothing here is legal or financial advice. If you need me to tell you not to get legal advice from Substack, you probably shouldnāt be on the internet?
Specifically, Gardineer is Senior Deputy Comptroller for Bank Supervision Policy.