FinTech Law TL;DR (March 21)
CFPB's Unfairness - OppFi Suit - Worker Finances
Hi folks 👋
A few intro updates:
Second, I had a great chat with a friend who’s raising funds for a venture in the bill pay space, and I’m excited about what they’re building + initial traction. If you’re interested in connecting with them, reach out (firstname.lastname@example.org).
Third, a correction: in the last edition I mentioned that several states have Earned Wage Access (EWA) laws. That’s incorrect; they’re just proposed bills. No states have passed EWA laws yet. S/o to Ben LaRocco from Earnin for helpfully pointing that out.
Unfairness Is Fair Game
Those of us who work in tech tend to use the phrase “scope creep” in a negative way. It’s something to be avoided. Focus on the task at hand; don’t get distracted by shiny “what ifs.”
The CFPB, on the other hand, seems to really be leaning into the idea of scope creep.
One of the CFPB’s key tools is the authority to go after “unfair, deceptive, or abusive acts and practices,” or UDAAPs. I like to think of UDAAPs as the catch-all “don’t be a bad actor” for consumer financial services. And the “unfair” piece of that got pretty interesting last week.
The CFPB announced changes to the UDAAP part of its supervision manual. Agents use that manual as a sort of checklist when they examine a company. What changed: the CFPB wants any kind of discrimination to count as an “unfair” UDAAP violation.
Let’s break down what this means:
Discrimination based on characteristics such as race and religion is bad. The US has some laws prohibiting consumer finance discrimination. At the federal level, the two big ones are: (1) the Fair Housing Act (discrimination in homebuying) and (2) the Equal Credit Opportunity Act (discrimination in the extension of credit).
However, these anti-discrimination laws are limited in scope and don’t cover everywhere that discrimination can happen. So the CFPB wants to plug the gaps. Think: identity verification, customer support, credit reporting, fraud flags.
“Unfairness” normally covers things like refusing to release a lien after a mortgage is paid off (see footnote for the legalese ↗️1) But it hasn’t been used for discrimination. Until now.
If you work in compliance, I’d recommend digging into what changed in the manual (Ballard Spahr has a really good summary). As an example, companies will be required to show they assessed discriminatory risks and outcomes, including documenting how different customer demographics are impacted by fees and decision-making algorithms.
Some fintechs will be in for a reckoning. Two examples to get you thinking:
What do your ads look like? Where do you show them? If your ads are all white dudes, you may want to rethink how self-aware you are. Or if you’re a lender that targets Facebook groups that are disproportionately one race, or gender, or any other attribute that’s protected, you’ve got a problem.
What about fraud? If your fraud rates happen to disprortionately flag and reject people of a certain nationality, for example, that’s a problem. See also, the NYT report on instances where “fraud” is likely being used as a reason to deny insurance claims for Black real estate owners.
The big picture:
Current US discrimination laws have gaps. And “law in the books” (what a law says) is very different from “law in action” (how it’s enforced). All of that means our anti-discrimination laws have a long way to go, so giving the CFPB broad authority to treat discrimination as “unfair” may be a good step in the right direction.
My biggest concern: regulators are known for killing good, responsible innovation in the name of consumer protection. “When you’re a hammer, everything’s a nail,” as the saying goes. So I’m curious to see how wisely the CFPB uses this new power.
The CFPB has aggressively been pushing its jurisdiction under director Rohit Chopra (see this Manatt update for more). Someone’s going to challenge this new scope. PayPal, for example, has torpedoed the CFPB’s rules on Prepaid Cards for years in court on the grounds the CFPB exceeded their authority. Something similar will probably happen here, and I’m not convinced the new scope will hold up.
OppFi sued CA’s financial regulator, filing a complaint for declaratory and injunctive relief. Which is legalese for “OppFi is asking a court to say its regulatory model is OK and the regulator should back off.”
CA has a law limiting interest to 36% for $2.5K-10K consumer loans, and OppFi charges more than that. We talked a few weeks ago about the true lender regulatory approach to attacking bank partnerships:
[B]ased on factors like program oversight and who holds the economics of the loan, who is the real lender? If it’s the bank, then the loan can preempt state interest rate caps. If it’s the bank partner, then it can’t.
CA’s financial regulator told OppFi it violated the CA interest rate cap because OppFi was the true lender and charged more than 36%. So the company is preemptively suing with the hopes that a court will say their model is fine.
A CA District Court recently rejected CA’s attempt to invalidate the FDIC’s valid-when-made rule. I’m not placing bets on how OppFi’s suit comes out, though. Fintech lenders should be watching closely; a win for OppFi would be huge. 🍿
They both involve companies that processed payments or accounts for businesses, and consistently disregarded signs of fraud.
Examples: egregious return rates, companies that had already been subject to FTC actions, ignoring alarms raised by their bank partner, and employees advising on how best to hide credit laundering.
One release includes a $2.3M fine, and both involve bans from the types of payment processing that got them in trouble.
The CFPB published a blog post announcing a new initiative focused on rural America, including emphases on:
Rural Banking Deserts: which often lead to higher fees and interest from non-bank alternatives, loss of local knowledge of how rural communities operate, and racial disparities in credit and banking access.
Discriminatory and Predatory Agricultural Credit: including historical discrimination against Black farmers.
Manufactured Housing: where PE firms buy properties and force evictions.
It seems like the CFPB is mainly on an info-gathering mission at this stage, since it asked folks to share their experiences and submit complaints.
The CFPB released a blog highlighting issues US workers face, noting that larger businesses dominate many markets in a way that undermines worker influence. It shows that the CFPB actually uses the info the public shares with it; the release and examples are a result of the CFPB’s recent invitation to workers and unions to share their experiences.
The agency saw two big themes:
Employer-driven debt, often facilitated by required training or equipment. One example cites a large healthcare provider that requires nurses to complete a company-run training program and, if they fail to work full time, they’ll owe $10K.
Second, privacy concerns, often involving (1) the collection and use of worker info beyond a reasonable scope or (2) selling worker info to FIs, insurers, and other employers. The blog post cites an employer who used a tool to track worker hours, but workers weren’t made aware the tool tracked them outside of working hours, too.
Equifax, Experian, and Transunion are planning to remove medical debt from consumer reports this summer, per WSJ.
Per Protocol, the FTC recently released the third settlement order in recent years that includes a newer, bold strategy: requiring companies to destroy algorithms when underlying data was acquired via unscrupulous means.
Affirm halted a planned bond sale after its largest investor backed out due to general market volatility, per Bloomberg.
A US PIRG report suggests BNPL regulations could come soon after the CFPB closes its public inquiry on March 25, per American Banker.
The SEC released 500+ pages of proposed rules that would require public companies to disclose info about the climate and greenhouse gas effects of their businesses.
The CFPB has made recent procedural rule changes that make it easier for the agency to litigate, and make it harder for defendants to appeal, per American Banker. The changes will likely let the agency move a lot faster.
The OCC issued a final rule providing criteria for when national banks or savings associations may qualify for SAR exemptions.
NY’s financial regulator fined Moneygram $8.25M for failing to sufficiently supervise agents in NYC that processed suspicious transactions to China that violated the BSA.
FinCEN announced $140M of penalties against USAA Federal Savings Bank for willful violations of the Bank Secrecy Act. The fines were driven by the bank failing to make sure its compliance program grew with its customer base, resulting in unreported suspicious transactions.
Having touched debt collections and the regulatory spiderweb that entangles it, I’ve always been super interested in what TrueAccord is building. Not Boring’s recent write up on them is worth a read if you’re not familiar.
Anyone who works in payments should read Ayo’s Children of Durbin post. It ain’t short, but it’s worth it.
Treasury released crypto-specific guidance on the Russia sanctions.
The Dept of Labor urged 401(k) providers to use extreme care before adding crypto as a 401(k) option.
DOJ has created a new task force to prosecute people and institutions hiding Russian assets from sanctions, including crypto exchanges.
Sen. Warren introduced an overly broad crypto sanctions bill, per Coindesk.
Members of Congress sent a letter to SEC Chair Gary Gensler asking about the Commission’s use of its Enforcement Division investigations to go on fishing expeditions of crypto companies.
David Ikenna tweeted a great thread on the status of payments for cannabis and crypto:
Brett Harrison @Brett_FTXUS1/ Cannabis and digital assets
Sui Generis (Fun Finds)
Hi. I’m Reggie. I’m a FinTech product lawyer at Lithic
Sponsoring the newsletter
Early stage fintech looking to raise
Just want to say hey!
Lithic’s hiring if you want to come work with me! And if you’re curious about using Lithic to issue cards to send $, spend $, sponsor your own card program, or anything else, get in touch (email@example.com).
Any views expressed are my own (well, sort of? I mean, they’re based on laws and regulations, so they’re not really “mine”?). Nothing here is legal or financial advice.
For the curious, the UDAAP definition of “unfair,” it means: (1) the act/practice likely causes substantial harm to a consumer, (2) the harm couldn’t be reasonably avoided by the consumer, and (3) the harm isn’t outweighed by benefits to consumers to competition.