FinTech Lending Laws TL;DR
For FinTech companies with an interest in lending
Here’s your TL;DR on how innovative FinTech lenders are regulated…
Truth in Lending Act (TILA) and Reg Z
Before someone takes out credit, TILA[1] requires that you provide a disclosure that shows items like minimum interest rate, APR, possible rate changes, and potential customer liability.
TILA Applies If You…
Regularly extend consumer credit[2],
The credit is subject to a finance charge or is payable in more than 4 installments,[3] and
The credit is for consumer purposes (personal, family, or household purposes).
TILA also offers a few consumer protections, like:
Caps consumer liability for unauthorized credit transactions at $50.
You can withhold payments for a credit charge if you dispute it within 60 days of receiving the relevant statement.
You can also withhold payments if you claim a merchant didn’t perform its end of the bargain.[4]
Electronic Fund Transfer Act (EFTA) and Reg E
The EFTA applies to any financial company that’s authorized to move money for a consumer via an electronic transfer (e.g., ACH, internet, mag strip, NFC).
Key EFTA Requirements
Disclosures: Before the first transaction, you need to disclose basic info like fees, transaction limits, and the process to resolve errors.
Statements: You must send monthly statements if an electronic transfer happened that month (otherwise, you send quarterly statements).
Notice: You must give 21 days’ notice for any term changes.
Theft: If your card or device was stolen, your unauthorized payment liability is limited to $50 if you notify your financial institution (FI) within 2 days. Otherwise, you’re liable up to $500.
Non-Theft: For unauthorized charges not stemming from theft, you have no liability if you notify your FI within 60 days of the relevant statement. After that, you have unlimited liability.
Alternatives: You can’t require the use of electronic payment methods as a condition of credit (but you can provide incentives).
Fair Credit Reporting Act (FCRA)
FinTechs that use or provide reports about consumers are subject to FCRA.[6]
You can think of FCRA as regulating two areas: (1) users of consumer reports and (2) providers of consumer reports.
Let’s look at those two pieces:
Consumer Reports: reports that (1) reflect your character, reputation, personal characteristics, or mode of living (NOT just FICO!) and (2) are used for “permissible purposes” (determining credit, insurance, employment, and certain others[7]).
Consumer Reporting Agencies (CRAs): are businesses that supply consumer reports to others for compensation (e.g., Equifax).
Consumer Report User Restrictions
Can only use them for “permissible purposes” (see above).
Must provide “adverse action notices” if there is denial of credit or risk-based pricing. These include info like: the reason for the decision and the credit score used.
Can’t share them with third parties, with a few exceptions (e.g., if the report only shows transactional info).
Must have an identity theft program.
CRAs have extensive requirements like:
Ensuring reports are only shared for a permissible purpose.
Being able to share collected info with consumers.
Having a system for managing disputes.
Being able to fix incorrect info.[8]
If a FinTech builds and sells tools that gauge a consumer’s credit risk…that makes the FinTech a CRA (e.g., using someone’s phone habits to gauge their credit risk, and selling that to lenders).
Equal Credit Opportunity Act (ECOA) & Reg B
At its core, ECOA prohibits discrimination in consumer and commercial lending.
Discrimination: ECOA prohibits credit discrimination (in the form of disparate treatment or impact) based on someone being a member of a protected class.
Protected Classes: race, color, religion, national origin, sex, marital status, age, income source, sexual orientation, and gender identity.
Disparate Treatment happens when you treat someone differently because they belong to a protected class.
Disparate Impact happens when there’s a discriminatory outcome, regardless of whether it was intentional. If there’s a disparate impact, a lender must be able to show that there wasn’t a more reasonable alternative.[9]
Decision Notices: Lenders must provide notices of their decision within 30 days of receiving a completed app. They must also provide notices when they take action on an incomplete app, take adverse action on an account (e.g., close a line of credit), or if an applicant doesn’t accept a counter offer.
A few practical ECOA considerations:
Marketing materials shouldn’t exclude or discourage customers based on race, age, sexual orientation, etc.
If a FinTech lender wants to use alternative data or machine learning in its underwriting, they need to ensure the outcome doesn’t have a discriminatory disparate impact.
Consumer FinTech lenders can be liable for unfair, deceptive, or abusive acts and practices (UDAAPs). You can think of these SpaghettiOs like:
“Unfair:”[10] behavior like not implementing sufficient security practices, or refusing to release a mortgage after a customer pays it off.
“Deceptive:”[11] behavior like “no hidden fees!” when there are fees, or presenting variable interest as if it were fixed.
“Abusive:”[12] behavior like...well, there actually hasn't been that much “abusive” enforcement yet. But it would be behavior like knowing a customer doesn’t speak English, only giving them an agreement in English, and misleading them about what it says.
At the federal level, the FTC and CFPB have authority to enforce “unfair” and “deceptive” acts, while the CFPB can enforce those two + “abusive” acts. This is why you’ll see them discussed as UDAPs (FTC; “abusive” is left out) and UDAAPs (CFPB).
UDAAPs mainly apply to consumer lenders. But some states (e.g., California) have commercial UDAAP laws.
Debt Collection Regs
You need to consider two key things in debt collecting: (1) whether you need a license and (2) compliance with the FDCPA.
Debt Collection Licenses
Some states require licenses for debt collection, but most have exemptions if you’re collecting debt you own, or a lawyer is collecting it for you. Otherwise, you probably need a collection license.
Fair Debt Collection Practices Act (FDCPA) and Reg F
At the federal level, consumer debt collection is regulated by the FDCPA. It mainly applies to third-party collection agencies.
The FDCPA does NOT apply to (1) the lender, (2) the lender’s employees, or (3) commercial loans. However, FDCPA sets “best practices,” so collectors tend to follow it anyways.
Under the FDCPA, you:
Can’t engage in abusive, unfair, harassing practices.
Must give the debtor a certain notice.
Must stop collections if the debtor disputes the debt.
Must follow guardrails on social media, text, phone, and email comms.
And states may have similar debt collection regs.
Military Member Regs
FinTech lenders need to be mindful of two military-related lending regs: the Military Lending Act (MLA) and Servicemembers Civil Relief Act (SCRA). A few examples of their regs:
You can’t charge interest > 36%.
You have to provide specific disclosures.
You can’t charge prepayment penalties.
Active servicemembers can cap their interest at 6%.
Lending Platform TL;DR
Some FinTech lenders use platforms where they act as an intermediary between investors and customers. These lenders typically don’t sell the loans directly to investors. Instead, they issue “notes” that are tied to the customer loans.
For example, if Laura goes and gets a loan on a platform, that platform doesn’t give her loan to an investor.
Instead, the lender holds Laura’s loan, and gives the investor a “note.” This note is an IOU that says the platform will pass any payments from the borrower to the investor. The investor holds the risk of the borrower not repaying.
Lending platform notes count as “securities.”
The sale of securities must either be registered with the SEC or fall under an exemption. Registration tends to be more expensive and involved, but some platform lenders do it (e.g., LendingClub and Prosper).
Otherwise, platforms can potentially rely on an exemption:
Rule 506(c): You can only sell to accredited investors, but you can publicly advertise the offering.
Reg CF or Reg A+: More on these in a forthcoming crowdfunding TL;DR...
FinTech lending platforms can package customer loans together and sell investors an interest in that bundle of loans (vs buying a specific loan indirectly via a note).
That bundling is a “securitization,” and triggers two key obligations: (1) the bundled securities must be registered with the SEC and (2) the lending platform must own at least 5% of the bundles (so they retain some of the risk).
Investment Company Act
Any company that invests or holds securities that account for more than 40% of its total assets is an “investment company.” They must either register with the SEC (not fun, generally) or fall under an exemption (phew, much better).
Lending platforms that mainly issue notes or securitizations will likely meet the 40% securities threshold.
The SEC hasn’t claimed that lending platforms need to register as an investment company yet. If that changes, there are a few possible exemptions lending platforms may be able to rely on:
Section 3(c)(1):[15] If there are fewer than 100 holders of the securities and you don’t offer them publicly.
Section 3(c)(4): If you only make small consumer loans.
Section 3(c)(5): If you primarily make commercial loans for certain purposes.
Section 3(c)(7): If you only sell securities to individuals that have $5M or more of investments or other certain institutional buyers, and don’t offer them publicly.
An “investment adviser” is anyone who (1) is in the business of providing advice (2) about securities (3) for compensation.
Investment advisers need to register with the SEC or relevant state. This generally involves providing disclosures, and being subject to record-keeping and limits on what they can advertise.
If a FinTech lending platform charges customers for any recommendations or analysis, they would qualify as investment advisers. Most lending platforms structure fees to avoid this issue.
A “broker” is someone who connects borrowers with lenders. They run the spectrum from people who just refer leads to people that help you throughout the whole loan application.
Many states require these brokers to be licensed, post bonds, and/or file regular reports unless they satisfy an exemption.
Most typically, no license is required if a broker does not receive an advance fee (i.e., they only get paid if the applicant gets their loan).
Payday loans are short-term, high-interest loans, usually for $500 or less.
Payday lenders generally face extra scrutiny from federal and state regulators. If a FinTech lender makes small, short-term, high-interest loans, they’ll need to consider whether federal or state payday regs are triggered (e.g., they’re illegal in New York).
Interest Rate Limits
Many states put “usury limits” on how much interest lenders can charge. The limit may vary or apply based on factors like: consumer or commercial, loan size, or industry (home, auto).
They’re also often split into “civil” limits and “criminal” limits, where criminal interest rate limits are usually higher and carry stiffer penalties.
Usury law violations can result in penalties like fines and having to give up interest that exceeds what’s allowed in that state.
Interest Rate Reliance
Banks can rely on the interest rate laws in the state where the loan was made. This is why many state banks are based in Utah; the state has friendly interest rate caps (read: none).
But a lot of FinTechs partner with banks. So, uhh, how does that work?
Bank partners can rely on a bank’s state interest laws thanks to two legal theories:
Valid When Made theory says you can rely on a loan’s interest rate if it was valid when the loan was made. Aka, a Wisconsin FinTech lender that buys loans from a Utah bank partner can rely on Utah’s interest rate laws (and disregard Wisconsin’s) as long as the loans were OK when the bank made them.[16]
True Lender theory says you should look at who the “true lender” of the loan is to determine which interest rate laws apply. This is usually done by asking “who holds the economics and risk?” True Lender is less common, and has mainly been used to attack payday lenders.
Choice of Law
Many contracts have “choice of law” clauses. These say hey I know I’m buying this CashApp hoodie online while I’m sitting in San Francisco, but if any dispute happens, the laws of New York (not CA) will actually apply.
These clauses can add extra protection for FinTechs looking to rely on the interest rate laws of the state where a loan was originally made. Most (but not all!) states will respect choice of law clauses.
Lending industries like mortgage, student, and auto loans are subject to their own industry-specific lending regulations that could each be a book themselves.
FinTech lenders are subject to anti-money laundering and Bank Secrecy Act obligations. See the AML and BSA TL;DR for details.
Hi! I’m Reggie. I’m a FinTech lawyer at BlueVine, and any views expressed are my own (well, sort of? I mean, they’re laws and regulations, so they’re not really “mine”). These TL;DRs are not legal or financial advice, obv.
[1] Laws are implemented by regulations. In this example, TILA is the law, while Reg Z is the regulation that provides the actionable detail industry players need to know how to comply. Laws and regs are often used interchangeably (like “Reg Z” to refer to TILA). For simplicity, we’ll just use the law’s name.
[2] Specifically, companies who offered credit >25 times in the prior year.
[3] Oh how convenient, most BNPL companies don’t charge interest (aka, a finance charge) and don’t offer more than 4 installments...
[4] Oddly, this only applies if the transaction is in the same state as, or within 100 miles of, the cardholder’s mailing address.
[5] Note: TILA (credit only) gives you a blanket $50 liability cap; EFTA doesn’t. So you have more protection for credit charges than debits.
[6] Technically, the Fair and Accurate Credit Transactions Act (FACTA) amended FCRA. But we’ll just refer to them collectively as FCRA.
[7] Other purposes include: eligibility for a government license, for assessing the credit risk of an investment, other legit business needs, or government-issued travel charge cards.
[8] Though the credit agencies are notorious for making the process of fixing errors practically infeasible…
[9] To use the more complete legal jargon, a lender must show a legitimate business necessity that can’t reasonably be achieved in a way that has a less discriminatory impact on a protected class.
[10] The legal “unfair” test: (1) likely to cause substantial harm, (2) the harm can’t be reasonably avoided by the consumer, and (3) the harm is not outweighed by any benefits to consumers or competition.
[11] The legal “deceptive” test: a material statement or omission that is likely to mislead consumers who are acting reasonably under the circumstances.
[12] The legal “abusive” test: an act or practice that: (1) materially interferes with the ability of a consumer to understand a term or condition of the product or service, or (2) takes unreasonable advantage of the consumer’s (a) lack of understanding of the risks, costs, or terms, (b) inability to protect its interests in selecting or using the product/service, or (c) reasonable reliance on the company to act in the consumer’s best interest.
[13] Accredited investor = (1) someone who has $200k in annual income for at least the past 2 years (or $300k combined income if married), (2) someone who has a net worth of at least $1M, (3) entities w/ >$5M in assets, (4) entities owned by all accredited investors, (5) certain knowledgeable employees, and (6) people with certain certifications (like Series 65).
[14] Accepting non-accredited investors triggers extra disclosures.
[15] These “Sections” are in the Investment Company Act.
[16] There’s a court case, “Madden,” that doesn’t belong in a TL;DR. But the short version is: there’s now some uncertainty about the Valid When Made theory, but…it’s not a significant concern for bank partners yet.