Weekly Fintech Focus
- CA DBO cracks down on point-of-sale financing. Companies that offer deferred payment options at point-of-sale could be lenders in California.
- The White House issues the world’s first binding guidance on regulating AI. Agencies should take a light-touch approach and consider how regulations promote the growth of AI.
- State money transmission laws are in flux. Rhode Island just combined its laws governing electronic money transfers and sale of checks into one regime.
- The FTC brought an action against a fuel card company for hidden fees.
- The FTC announced that its recent data security orders will inform how it issues orders going forward, including more specific requirements for companies implementing safeguards to correct problems, more accountability for third-party assessors, and C-Suite compliance attestations for the company’s data security programs.
California Denies a License to a Fintech Point-of-Sale Financing Company
On December 30, 2019, the California Department of Business Oversight (DBO) announced through a Statement of Issues that it was denying a license under the California Financing Law (CFL) to Sezzle Inc., a fintech company that offered interest free, installment financing to consumers through a point-of-sale integration into the merchant’s online purchasing process (the “Sezzle Order”). At the same time, the DBO announced a separate order against an unnamed company that also offers point-of-sale deferred payment financing, stating that the company’s point-of-sale product is a loan product subject to licensure in California (the “Unnamed Company Order”).
Point-of-sale financing options are proliferating in the U.S. and around the world. In general, these companies allow a consumer to buy-now-pay-later through a payment plan entered at the point of sale that involves no more than four installments. The companies do not charge interest, but will charge late fees and some other fees. Sezzle, like many other point-of-sale deferred payment companies, views its product as outside of state consumer lending laws by structuring its services as a purchase of a credit sale contract from the merchant. The exemption for this practice is limited under California law, raising the issue of whether the proposed structure is a true credit sale or rather evades the California Finance Law.
The DBO’s Sezzle order denied the company’s lender license application because the company had been conducting unlicensed lending activity in the state. The order analyzes what constitutes a loan and whether the company acted as a lender under California law. In its analysis, the DBO reviews common law to derive principles under which a company may be subject to California’s lending laws through the structure of the program and the involvement of the company. In short, the DBO determined that the company’s deep involvement in the consumer’s purchase of goods and establishing an extension of credit means that the company has been lending to consumers in California without a license instead of purchasing credit sale contracts from merchants. Additionally, the DBO stated that in some transactions, the effective APR could be up to 600% despite the user agreement stating that consumers would be charged no interest and no fees if payments are made on time.
In both the Sezzle Order and the Unnamed Company Order, the DBO presented numerous arguments for why the transactions at issue are loans and not credit sales. First, the orders stated that the intent of the parties helps determine whether a transaction is a loan. Although the products are not presented to customers explicitly as loans, the fact that a customer is making a purchase and paying later fits with the common law understanding of what constitutes a loan. Note, however, that the Sezzle User Agreement refers to the transaction as extending credit to the consumer and that the transaction provides the consumer with the right to defer payment. Second, the DBO argued that the contract between the point-of-sale financing company and the merchant existed prior to the customer initiating the purchase, which indicates that the transaction is a loan. In the Sezzle Order, the DBO notes that Sezzle’s involvement with its merchants “goes well beyond any non-lending relationship yet permitted by California courts.” Third, the DBO argued that assuming the contract at the point of sale indicates that the transaction is a loan. Finally, the DBO argued that the point-of-sale financing company creating the forms and conducting the underwriting could mean that the transaction is a loan.
There are numerous forms of point-of-sale installment financing, so the Sezzle Order and the Unnamed Company Order cannot be applied uniformly to all models. However, both orders rely on similar factors for their conclusion that the point-of-sale financing conducted by the companies is lending. Prior to offering a point-of-sale installment financing business in California, companies should seek counsel to evaluate the company’s business model in light of the DBO’s recent action.
White House Releases Draft Memo on Regulation for Artificial Intelligence
On January 7, 2020, the Acting Director of the Office of Management and Budget, Russell T. Vought released a draft memorandum to the heads of Executive Departments and Agencies providing guidance on how to regulate the development and use of artificial intelligence (AI) applications by regulated entities (the “AI Principles”). The White House is calling the AI Principles the first binding guidance on AI issued in the world. The AI Principles are open for public comment for 60 days from publication.
The AI Principles result from the American AI Initiative announced in an Executive Order in early 2019 and are, according to U.S. officials, the first set of binding principles on AI issued by any governing body in the world. The AI Principles apply to how the government regulates AI as developed by the private sector and do not apply necessarily to the government’s own development and deployment of AI applications. Although the AI Principles do not directly apply to independent agencies (such as financial regulators like the CFTC, CFPB, Federal Reserve, NCUA, FTC, and SEC), all government agencies are expected to utilize the AI Principles when regulating AI applications developed and deployed by regulated entities. Further insights into the AI Principles can be gleaned from Acting Director Vought’s op-ed, published in Bloomberg.
There are 10 AI Principles that direct how government agencies should approach regulation of AI applications. The AI Principles direct that regulators take a light touch to regulation and that any regulation or other action by an agency should promote AI innovation, engage with industry and the public on AI development, limit regulatory overreach and encourage flexible regulatory frameworks, and promote trustworthy technology that meets principles of fairness, non-discrimination, and privacy as established in U.S. law.
In summary, the 10 AI Principles require that agencies do the following:
- Public Trust in AI – Address issues of public trust in AI through promoting reliable, robust, and trustworthy AI applications.
- Public Participation – Provide opportunities for the public to participate at all stages of the rulemaking process.
- Scientific Integrity and Information Quality – All regulatory and non-regulatory agency approaches to AI should be consistent with and informed by principles of scientific integrity.
- Risk Assessment and Management – All regulatory and non-regulatory agency approaches to risk assessment and risk management should be consistent across agencies and technologies. Risk assessment and management will differ depending on the AI application, but agencies should conduct these tasks under the direction of Executive Order 12866, “Regulatory Planning and Review.”
- Benefits and Costs – Agencies should consider all societal costs, benefits, and distributional effects before regulating AI applications. Such considerations should include comparing the costs and benefits of employing AI compared to using existing systems.
- Flexibility – When developing regulatory and non-regulatory agency approaches, agencies should pursue performance-based and flexible approaches that are adaptable to changing technologies. These actions should also not disadvantage U.S. companies compared to international regulation of AI.
- Fairness and Non-Discrimination – AI applications have the capacity to both decrease and increase discriminatory effects. Agencies should consider issues of fairness and non-discrimination with respect to outcomes and decisions produced by AI applications.
- Disclosure and Transparency – Agencies should be transparent throughout the rulemaking process. What constitutes appropriate disclosure and transparency is context-specific and agencies should consider the sufficiency of existing or evolving legal, policy, and regulatory environments before regulating.
- Safety and Security – Agencies should promote the development of AI systems that are safe and secure throughout the full lifecycle of an AI application.
- Interagency Coordination – Agencies should coordinate to share experiences with AI applications to ensure consistency and predictability.
Rhode Island Updates Money Transmission Licensing Law
Rhode Island’s new regulation combining existing laws that regulate electronic money transmission and the sale of checks into one regime took effect on January 1, 2020. In short, the regulation introduces the new concept of “currency transmission” activity. While this concept still regulates the sale or issuance of payment instruments and stored value, and receiving money or monetary value for transmission (including the holding of funds incidental to transmission), it only regulates these activities to the extent that such services are provided “primarily for personal, family, or household purposes.”
Moreover, the new regulation introduces the concept of virtual currency and expressly includes maintaining control of virtual currency or transactions in virtual currency on behalf of others as being part of regulated currency transmission activity.
FTC Alleges Fuel Card Company Charged Millions in Hidden Fees
The Federal Trade Commission (FTC) alleged that FleetCor charged its business customers hundreds of millions of dollars in hidden fees after making false promises about helping customer save money on fuel costs. The FTC’s complaint alleges that FleetCor told potential customers that they would save money, be protected from unauthorized charges, and have no set-up, transaction or membership fees.
As alleged, the complaint identifies obfuscated fees totaling at least hundreds of millions of dollars that were often charged on a per-transaction basis or that were required for membership. Moreover, the FTC alleges that FleetCor did not post customer payments when received, which led to even more fees, including late fees and high credit risk fees.
The complaint charges FleetCor and its CEO with violating the FTC Act’s prohibition on unfair and deceptive acts and practices.
Improvements to FTC Data Security Orders
The Director of the FTC’s Bureau of Consumer Protection, Andrew Smith, announced that the FTC has implemented substantial improvements to its data security orders as evidenced by several orders in 2019. Specifically, the data security orders are now more specific, increase third-party assessor accountability, and elevate data security considerations to the company’s executive officers and board of directors.
FTC orders still require companies to implement a comprehensive, process-based data security program, and will include more specific directions related to safeguards that must be implemented to address alleged problems. Additionally, the increase in third-party assessor accountability resulted in the FTC requiring assessors to specifically identify evidence that supports the assessor’s conclusions, including independent sampling, employee interviews and document review. Such documents related to the assessment must be retained and cannot be protected from disclosure to the FTC based on certain privileges. Lastly, senior officers must now provide annual certifications of compliance to the FTC and companies must present their written information security program to the company’s board of directors.