Fintech Law TL;DR (Sept 20)
Blue Ridge -- Hsu Speech -- Money2020
Hi all 👋
I’ll be at Money2020 next month. If you’ll be around and want to meet up (email me at fintechtldr@gmail.com or reach out via Twitter).
We released new Fintech Layer Cake episodes on what the CFPB is and does and an insider view of the CFPB with two great attorneys from Manatt’s financial services group who both worked at the Bureau. Also, we apparently missed a great fintech pun with the podcast…
If your email clips this, click here to read it in browser.
The OCC’s Lookin’ at Fintech
Back in July, we talked about how fintechs were apparently dealing with regulators' scrutiny of their bank partners. I didn’t talk about it too much, since there weren’t many useful takeaways. But we now have more visibility into what at least one regulator worries about when it comes to fintech-bank partnerships.
First, the acting head of the OCC gave a speech that reveals how the Office is thinking about fintech. Second, the OCC entered into an agreement with a fintech bank sponsor, requiring the bank to tighten up how it works with fintechs.
Implications
You can read more detail on the two below, but let’s do the fun stuff up front. Some things fintech operators shouldn’t be surprised by over the coming year:
Bank partners raising their standards, making it harder for fintechs to find good bank sponsors.
Banks scrutinizing fintech partners more, and maybe even terminating higher-risk ones with compliance issues.
Fintechs facing increased on-going compliance costs due to bank partners asking for more.
Banks passing their own increased compliance costs onto fintech partners.
Hsu Speech
Let’s dig into a speech from Michael Hsu, the Acting Comptroller of the OCC (the primary national bank regulator). There’s been a lot of FUD chatter around his speech…
But Hsu acknowledges what fintechs offer by acknowledging fintech has lots of positives! He says fintechs can offer banks expertise, economies of scale, speed to market, and access to innovative tech the banks otherwise wouldn’t have.
However, Hsu is worried about safety and soundness risks that fintechs may create for the banking system. He cites, for example, IT issues (think: a fintech’s infosec, or having redundant IT systems in case of tech failure).
The most interesting bit, IMO, is a series of questions Hsu says banks and fintechs should be able to answer. There’s a whole paragraph of them, but you can put them in key themes:
How will the bank and fintech handle things breaking? Think: tech failing or the fintech going bankrupt.
Who’s responsible for customers? Think: owning customer complaints and disputes.
How can the partnership damage the faith and stability of the banking system?
That last bucket is interesting, and includes an opaque question from Hsu: “How are bank and fintech business models changing and how are incompatibilities reconciled?”
What I think this question is getting at is asking (1) whether the things that drive a bank and fintech have changed as the partnership model has grown, and (2) whether the fintech and bank know that and mitigate it. Are there lurking, misaligned incentives that could drive a bank to, for example, ignore a fintech’s compliance problems, or that drive a fintech to cut compliance corners?
Fintech folks should ask themselves if they can answer the above questions (all the ones from Hsu’s speech, really). And if not, they might be worth chatting with your bank partner about.
I’m not too worked up about this speech. Whether the fintech-bank partnership model threatens financial stability comes down to how programs are run in practice. I’d wager there are plenty of fintechs out there who run their compliance programs better than some banks.
Blue Ridge Agreement
The second bit of OCC news is that Blue Ridge Bank signed an agreement with the OCC. Blue Ridge partners with various fintechs, and the agreement lays out corrective measures the bank has to make to its fintech partner compliance practices.
While it’s not certain, the agreement may have stemmed from a potential Blue Ridge merger with another bank, which was called off earlier this year. My general impression of the agreement is Blue Ridge’s fintech programs seem to have grown faster than the bank’s compliance capabilities.
At a high level, the Blue Ridge agreement lays out a few buckets of requirements:
The bank needs a “non-objection” from the OCC before they sign up any new fintech partnerships or new products with existing fintechs (practically, this is like getting the OCC’s pre-approval, except non-objection let’s the OCC say they never ‘approved’ a particular fintech).
The bank needs to bolster its third-party risk management program, covering things like:
On-going monitoring of fintech programs
Having a contingency plan in place in case a fintech fails
Having a CPA assess their fintech program accounting
IT risks
They need to bolster their BSA program, customer due diligence, and suspicious activity reporting program.
Adequate compliance staffing and resources
Some have suggested that at least one of Blue Ridge’s fintech partners contributed to the scrutiny. If true, it’s a good reminder that fintechs should be wise about which banks they partner with, since a compliant fintech may have to deal with the compliance fallout that a bank’s less-compliant fintechs could trigger.
It’s also a good reminder that banks (and fintechs!) that mess up can face higher regulatory and compliance standards than those that don’t. Investing in and getting compliance right up front can be worth its weight in gold in the long run.
Elsewhere (non-crypto)
The Fed plans to launch FedNow in 2023, per WSJ. Supposedly.
The CFPB’s been busy with reports. First, they released their 2021 report on mortgage activity, finding refinancings dropped and home purchase loans rose.
Second, they released their BNPL report, nine months after sending inquiries to BNPL providers. There are some fun numbers to peruse, but nothing seems groundbreaking. The Bureau highlights the rapid growth of BNPL products and the space’s shrinking profit margins. They’re also still worried about users getting sufficient disclosures, abusive use of users’ data, and the potential for debt overaccumulation.
CFPB Director Rohit Chopra said the Bureau is exploring how fraud rules might need to be updated for P2P providers like Zelle and Venmo, per AmBanker.
Last bit of CFPB news: the Bureau filed a petition to force Block (f/k/a Square) to comply with the Bureau’s investigation of Cash App’s complaint and dispute handling processes, per Bloomberg Law. The CFPB claims Block hasn’t provided all of the data and docs requested in 2020 and 2021, but Block claims they had sent clarifying questions to the Bureau and had not heard back.
Two bits of income share agreement (ISA) news: first, Better Future Forward, an income share agreement (ISA) provider, reached a final compliance plan with the CFPB, including updated ISA disclosures. The company said they’ll share the disclosure format publicly (yay for open sourcing basic legal stuff), which could be a good reference for other ISA providers. The plan follows a consent order from about a year ago. Second, CA’s financial regulator announced proposed rules that would treat ISAs similar to loans.
The FTC filed a complaint against Credit Karma over the company’s use of ads that led people to believe they were “pre approved” for credit cards. The FTC alleges that around ⅓ of “preapproved” applicants were denied after a credit check. Credit Karma disagreed with the claims but agreed to a consent order (with a $3M fine) so they can move on.
Visa, Mastercard, and Amex plan to add a new merchant category code for guns, per WSJ. Gun control advocates believe this might help banks and credit card companies track and flag suspicious gun purchases. This follows NY’s and CA’s AGs pressuring the card networks to do the same.
The DOJ released its opinion on the fiasco that led to Jelena McWilliams stepping down from the FDIC’s board, ultimately finding the Dem majority had authority to override McWilliams’ objections to slotting review of bank M&A standards on the FDIC’s agenda.
Big banks like BoA, Barclays, Citigroup, Goldman, and others are close to an agreement over employee use of messaging apps like WhatsApp, which violates regulatory requirements to keep written comms for certain amounts of time, per WSJ.
In senatorial news (it’s a word, I swear), twelve Republican Senators sent a letter to CFPB Director Chopra urging him to stop using aggressive tactics to further his agenda, and Sen. Mitt Romney urged the FDIC to not shut down the ILC bank charter option, per AmBanker.
Elsewhere (crypto)
The FDIC sent cease and desist letters to various crypto companies for making misleading statements about FDIC insurance, including FDICcrypto.com. 🤦
The SEC plans to create a new office focused on crypto companies’ public disclosures. SEC Chair Gary Gensler asserted that existing securities laws are sufficient to protect crypto investors and don’t necessarily need to be updated, but recognized it “may be appropriate to be flexible in applying existing” requirements. Gensler also testified before Congress, reiterating his belief that the vast majority of crypto tokens are securities.
In other SEC news, Grayscale disclosed SEC inquiries suggesting XLM, ZEC, and ZEN may be securities, per CoinDesk.
California passed a bill that would require any company engaged in “digital financial asset” business to get a license with the state regulator, and that stablecoins issued after Jan 1, 2028 can only be issued by banks. Some have likened it to NY’s BitLicense.
President Biden’s crypto exec order called for reports from various government groups, and they’re starting to flow in. The White House’s Office for Science and Technology released its report on bitcoin mining’s environmental and energy impacts. Treasury released three reports on a CBDC, and financial stability, AML, and other considerations. DOJ released its report on criminal implications, and the Commerce Department’s report addressed US competitiveness. Lastly, the White House released a framework for “comprehensive” crypto regulation.
The DOJ is forming the “Digital Asset Coordinators Network,” a network of federal prosecutors focused on crypto crimes.
Lastly, Coinbase employees and other Tornado Cash users are suing the OFAC over its Tornado Cash sanctions, per CoinDesk.
Sui Generis (Fun Finds)
Hi. I’m Reggie. I’m a fintech product lawyer at Lithic.
Reach out (email or Twitter) if you’re interested in any of the following:
Sponsoring the newsletter
Early stage fintech looking to raise
Collaborating
Just want to say hey!
Any views expressed are my own (well, sort of? I mean, they’re based on laws and regulations, so they’re not really “mine”?). Nothing here is legal or financial advice. Don’t get your legal advice from Substack, duh.