U.S. Developments

Regulatory Updates

New Rules for Prepaid Cards, Digital Wallets, and P2P Transfer Apps Become Effective

As reported in this blog last year, the U.S. Consumer Financial Protection Bureau (“CFPB”) created a final rule implementing the Electronic Fund Transfer Act (“Regulation E”) and the Truth in Lending Act (“Regulation Z”). Originally released in October 2016, with an effective date of October 1, 2017, the final rule was delayed several times and finally became effective on April 1. The rule means that consumer protection measures, such as those for unauthorized charges and errors, that have in the past applied to products such as debit cards will now apply to prepaid cards, digital wallets (e.g., Google Wallet), and person-to-person payment applications (e.g., Venmo and PayPal). Notable exclusions from the new rule include gift cards and applications like Apple Pay that do not store any value. Many providers now covered by the law have already adjusted their product offerings and terms of service to prepare for the new rule. Frequent delays in the effective date and numerous opportunities to make changes to the final rule have resulted in these platforms being subject to an increasingly complex regulatory framework.

FDIC Notes Gaps in Contracts with Tech Service Vendors

This week, the Federal Deposit Insurance Corp. (“FDIC”) published a letter to banks highlighting gaps in technology vendor contracts discovered during examinations. The letter, which applies to all FDIC-supervised institutions, notes that some technology vendor agreements do not adequately define which party is responsible for managing risks such as business continuity and incident response. The letter also provides that when contracts do not adequately address these risks, the risks fall to the regulated financial institution. Finally, the letter reminds financial institutions that Section 7 of the Bank Service Company Act creates an obligation to notify the FDIC regional office when they enter into agreements with technology service providers to provide certain services, such as data processing and internet/mobile banking services. To that end, the FDIC has created a form that institutions can use to report these relationships.