Fintech Law TL;DR (June 4)
CFPB Antitrust Focus -- Black Box Underwriting -- Regulatory Roundups
Hi all 👋
We’ve rolled out a bunch of exciting content at Lithic the past few weeks…like an explainer on fintech AML requirements and one on chargebacks.
But the coolest is our Lithic Legal Library, a free and open library of best practices policies, agreements, and other legal docs that a company needs when they’re working with cards. Think: Y Combinator’s SAFE agreement, but for cards. Read about the launch here.
Also, Substack tells me your email is going to clip this, so click here to read in browser.
CFPB Gets Competitive
The CFPB announced a re-org that renames its Office of Innovation to the Office of Competition and Innovation. The office was created in 2018 to promote innovation, and the new name comes with a new (obvious) focus: antitrust and competition. The Bureau wants to create markets where “consumers have choices, the best products win, and large incumbents cannot stifle competition.”
CFPB Director Rohit Chopra has already been pushing antitrust issues (e.g., the Bureau’s letters last year to big tech companies about their consumer payment plans). But this re-org makes antitrust issues much more explicit and primary.
The new office will focus on initiatives like:
Reducing barriers to switching accounts and financial services providers;
Identifying structural market problems that hinder innovation;
Studying how big tech wields power over smaller players; and
Using Section 1033 of Dodd-Frank (aka, the US’s open banking law) to make sure innovators can access digital data stored by “big banks.”
BUT. Tucked in the news, the CFPB killed two programs that could have benefitted fintechs: no action letters (NALs) and the sandbox. Under both programs, you could go talk with the CFPB and get guidance on or relief from regulatory requirements on a one-off basis. Upstart, for example, received a NAL from the CFPB for their underwriting program that considered an applicants’ education.
The Bureau says they ended the programs because they were “ineffective” and some participants publicly and misleadingly claimed they Bureau had conferred benefits on them (think: “our product was approved by the CFPB!”).1
Instead, the Bureau is encouraging fintech startups to file petitions for new rules when they want clarity. Which can take several years. So, uh…not useful? To be fair, I’ve generally heard the NAL and sandbox programs weren’t all that usable for fintechs; you’d run the risk of rejection and putting yourself on the Bureau’s radar instead of asking for forgiveness after you’ve shown compelling demand for a societally beneficial product. I also recall the CEO of Upstart saying the NAL process wasn’t scalable for other companies at a Congressional hearing last year. So not a huge loss.
TL;DR: Overall, it’s hard to say what this means for fintech startups, but my guess is it’ll be good. The US’s open banking rules are long overdue and will make it easier to pull customers away from incumbents or leverage data incumbents have. And big companies that stifle fintech startups are more likely to be big tech than big banks IMO (though both tend to be slow-movers), so the Bureau’s focus on big tech will likely be beneficial.
Underwriting & Black Boxes
Last edition we talked about how the Equal Credit Opportunity Act (ECOA) is one of the main fair lending laws that is meant to fight redlining and other forms of disrimination in lending. And a key requirement under ECOA is that creditors have to send adverse action notices (AAN) whenever they make an adverse decision (e.g., credit denial or lowering a credit line).
ECOA’s regs say you have to state the main reasons an adverse decision was made, and you can’t, for example, just say an application was rejected because it “didn’t meet our standards or policies” or “didn’t get a good enough score under our proprietary internal scoring system.” You have to provide some level of specifics.
Fintech lenders can struggle with this requirement. There are good reasons you shouldn’t provide that info. Namely, fraud! If a fraudster gets a letter that spells out how you rejected their credit application because you detected the picture in their driver’s license scan was edited, they’ll know exactly what they need to fix to rip your face off! So there are good reasons to not give away too much info in your AANs.
The CFPB recently released a circular confirming that creditors must explain the reasons they took an adverse action, and calls out black box underwriting algorithms. The release makes it clear that lenders can’t say “we don’t know why they were rejected, our black box is opaque to us!” Saying it’s too hard to figure out won’t fix your non-compliance.
This isn’t all that surprising; if you talked to a good fintech lawyer they would have told you this before the CFPB release. Regardless, there’s an interesting tradeoff here. There are likely some machine learning / AI underwriting algorithms out there that (1) would be discriminatory, but there are also likely others that (2) would be more inclusive.
To the extent both of those buckets cannot be sufficiently described under ECOA, this policy says “we, as a society, are OK killing off bucket 2 benefits to avoid bucket 1 problems.” And maybe that makes sense; if you’re playing with machine learning underwriting, it’s probably easier to make an unintentionally discriminatory model than an inclusive one, given how pervasive discrimination can be (see, e.g., FICO numbers).
Regardless, it’s worth calling out that this is the tradeoff our current policy makes. A lot of Pollyannaish founders think machine learning + alternative data will save the day without realizing our current laws make it, in most instances, practically infeasible.
TL;DR: credit fintechs may want to confirm they’re sending adverse action notices with sufficient descriptions.
Elsewhere:
The FDIC approved a final rule requiring anyone who uses the FDIC’s name or logo, or representing that cash is FDIC-insured, to identify the relevant insured bank. The head of the OCC issued a statement that specifically called out the “growth of nonbank crypto firms and fintechs” as a driver for the new rule.
Regulators are increasing scrutiny of payments companies, per American Banker.
Senator Durbin is pushing to increase credit card transparency, potentially expanding debit card requirements (e.g., merchant choice of where to route transactions, and rate caps) to credit cards, per American Banker.
The CFPB sent letters to the CEOs of the largest US credit card companies (e.g. JPM, Citi, BofA) asking them to explain their practice of suppressing actual payment amount information to consumer reporting agencies.
House Democrats sent letters to Equifax, Experian, and TransUnion asking how they handled complaints about credit report errors during the pandemic, per WSJ.
CA lawmakers asked the FDIC to crack down on bank partnerships that help bank partners preempt state interest rate caps, per American Banker.
The Fed finalized FedNow fund transfer rules.
BNY Mellon agreed to pay $1.5M over SEC charges that several of its funds misrepresented that their investments underwent ESG reviews, per WSJ.
CA’s financial regulator announced proposed consumer complaint response requirements that would, among other requirements, mandate live customer phone service and quarterly complaint reporting to CA for many companies offering consumer financial services in CA.
Per Reuters, Brokerage TradeZero settled SEC charges over falsely telling customers they didn’t restrict purchases of meme stocks in 2021. The brokerage paused trading for 10 minutes in AMC, GME, and KOSS at the direction of its clearing broker, but later told the public it hadn’t paused purchases.
The SEC released two ESG-related proposals. The first requires investment funds with ESG-focused names to invest at least 80% of their assets consistently with their name. The second requires ESG funds to make detailed disclosures about their strategies.
The FDIC releases its 2022 Risk Review report, covering the top risks banks face this year.
A federal court shut down a credit repair pyramid scheme that falsely promoted what its credit repair product could do.
And two for the legal 🦅s:
A three-judge 5th Circuit panel decided the SEC’s use of administrative hearings in a securities fraud case was unconstitutional, mainly because (1) the claims were civil in nature (so the defendant was entitled to a jury trial) and (2) Congress can’t delegate authority to the SEC. Matt Levine has a fantastic write-up on the ruling if you want more.
In the CFPB’s suit against CashCall, the 9th Circuit rejected CashCall’s constitutional challenge to the CFPB, affirmed the company’s and CEO’s liability, and opened the door for restitution damages. See Ballard Spahr’s write up if you want more details.
Elsewhere (crypto):
The OpenSea product manager who was publicly accused of insider trading last September was arrested and charged by the DOJ with wire fraud and money laundering tied to his insider trading arrangement.
The main national regulator for credit unions sent a letter to credit unions outlining how they should approach adding crypto products and technology.
The FDIC is apparently pulling back from working with other regulators on crypto matters, per Politico, suggesting it may diverge from the others’ guidance.
The CFTC sued Gemini over allegedly false or misleading claims it made to the CFTC about its futures product.
CA sent a cease and desist order to Voyager over its crypto yield accounts (similar to the BlockFi Interest Account).
California’s financial regulator asked for public input on how it should think about crypto regulatory guidance. Questions range from how to make CA the “most desirable home state” for crypto companies, to combatting crypto scams and requiring crypto companies to register.
The head of NY’s financial regulator says the agency will triple the size of its crypto unit by EOY and is working to update its crypto guidance, per CoinDesk.
A FinCEN associate director of enforcement and compliance told the crypto industry to proactively blacklist problematic wallets before the government does.
The CFTC charged two people with running a $44M crypto ponzi scheme.
Arthur Hayes, the former CEO of BitMEX, was sentenced to two years of probation after pleading guilty to willfully failing to implement AML programs at the exchange, per CoinDesk.
Coinbase filed a motion to dismiss in a class action lawsuit over whether 79 of its offered tokens were unregistered securities, per WSJ. The outcome could shape the US’s crypto securities framework.
The FTC released a report finding that consumers reported losing over $1B to crypto fraud scams from Jan ‘21 to March ‘22.
The Fed released its 2021 US household well-being report; 12% of US adults reported using crypto in the prior year, while only 2% said they used it to make a payment or purchase, and 1% said they used it to send money to friends or family.
Sui Generis (Fun Finds)
On this week’s episode of “everything is fintech:” You Eat a Credit Card’s Worth of Plastic Every Week.
One of the business law profs from my alma mater is apparently teaching a class on Elon Musk law:
Hi. I’m Reggie. I’m a fintech product lawyer at Lithic
Reach out (email or Twitter) if you’re interested in any of the following:
Sponsoring the newsletter
Early stage fintech looking to raise
Collaborating
Just want to say hey!
If you want to use a card issuer that makes it simple for companies of all sizes to issue cards INSANELY fast, come talk to Lithic. Lithic’s hiring if you want to come work with me!
Are you a fintech company looking to fill roles? If you want your open roles highlighted in two editions (currently) read by 2K+ folks, check out the FinTech Law TL;DR Pallet. It’s a targeted fintech audience of primarily legal, compliance, product, and operations folks.
Any views expressed are my own (well, sort of? I mean, they’re based on laws and regulations, so they’re not really “mine”?). Nothing here is legal or financial advice.
The release says nothing about existing NALs being rescinded, so presumably they’re still good.