Weekly Fintech Focus
- The FFIEC updates its guidance on pandemic planning in response to COVID-19, and many other financial regulators issue similar guidance.
- The California DBO issues a proposed rule to clarify its broad agent of the payee exemption.
- The UK launches a consultation on auditing AI systems for compliance and fairness.
FFIEC Updates Guidance on Pandemic Planning in Response to COVID-19
On March 6, 2020, the Federal Financial Institutions Examination Council (FFIEC) issued an updated interagency statement on pandemic planning, advising financial institutions that business continuity plans should address the threat of a pandemic outbreak and how such an outbreak would impact delivery of critical financial services. The updated interagency statement contains only slight modifications to the guidance that the FFIEC already provides in its examination manual and that was previously issued in 2006 (avian flu) and 2007.
The FFIEC reminds financial institutions that pandemic planning presents unique challenges to a financial institution because of the unknown scale and duration of the pandemic event. Disasters like earthquakes or events such as terrorist attacks are more localized and have shorter durations, but a pandemic can occur in multiple waves, lasting months at a time, and estimates for the human effects vary by orders of magnitude. Accordingly, a pandemic plan for a financial institution should be flexible and evolving to address ongoing business impacts and take into account changing risk assessments. A financial institution must also take into consideration the effects on its third-party service providers, especially those that provide critical services to the financial institution.
To address the unique challenges posed by a pandemic, the financial institution’s business continuity plan should provide for:
- A preventive program to reduce the likelihood that an institution’s operations will be significantly affected by a pandemic event.
- A documented strategy that provides for scaling the institution’s pandemic efforts, so they are consistent with the effects of a particular stage of pandemic outbreak.
- A comprehensive framework of facilities, systems, or procedures that provide the organization the capability to continue its critical operations in the event that large numbers of the institution’s staff are unavailable for prolonged periods.
- A testing program to ensure that the institution’s pandemic planning practices and capabilities are effective and will allow critical operations to continue.
- An oversight program to ensure ongoing review and updates to the pandemic plan.
Financial institutions covered by the FFIEC guidance will also be asking their service providers, such as cloud service providers and payment processors, how the providers are planning for and addressing the threats of a pandemic. Currently, financial institutions are adapting questions that the institutions receive or may receive from regulators into questionnaires for their service providers. Third-party service providers should look at financial institution guidance, including that from the FFIEC, to anticipate these questions and to engage in management-level discussions about how to ensure that critical services are provided in light of the threats and challenges posed by a pandemic.
In addition to the FFIEC guidance, numerous financial regulators and other parties have provided guidance over the years related to pandemic planning or specifically for the threats posed by COVID-19. For more detail (much of which is directly in line with FFIEC guidance), please see the following links:
- Federal Reserve
- OCC – Major Disasters and Natural Disasters and Emergencies
- FFIEC – Business Continuity Management
The European Union has also issued guidance to financial institutions on business continuity and pandemic planning. For more detail, please see the following links:
- European Central Bank
- European Banking Authority – COVID-19 Guidance; Guidelines on Outsourcing Arrangements; Guidelines on Internal Governance
Perkins Coie is working with many clients on business continuity and pandemic planning from many perspectives, and some of our current guidance from an employment law perspective is available here, here, and here.
California Issues Proposed Rule to Modify its Agent of the Payee Exemption
California’s Department of Business Oversight (DBO) recently released a draft rulemaking to clarify the scope of the state’s agent of the payee exemption under the California Money Transmission Act, with comments due April 20, 2020. The proposed rule clarifies certain definitions and establishes that the agent of the payee exemption does not apply to stored value transactions.
Currently, the California agent of the payee exemption exempts from money transmitter licensing requirements transactions in which an agent is appointed by a payee to receive funds on behalf of the payee. For the exemption to apply, there must be a written agreement between the agent and the payee that establishes that a payor’s payment to the agent for goods or services satisfies the payor’s obligation to the payee.
The DBO asserts that it has received numerous requests for interpretive opinions seeking guidance on how the exemption applies to different business models where multiple entities facilitate the settlement of funds for payment. It provides a few examples of this in its Initial Statement of Reasons accompanying the proposed rule. While there are numerous versions, the online marketplace model generally involves a payment processor receiving funds from a customer and transmitting them to a marketplace, and then a second payment processor receiving the funds from the marketplace and sending the funds to the merchant. The proposed rule would clarify that there can be successive agents that facilitate the settlement of funds as in the online marketplace model, and that such activity does not meet the definition of “money transmission.” Further, a “payee” can be a direct or indirect payee, meaning that a “payee” would include a commerce platform that does not have title or possession of the goods or service sold, but facilitates the purchase or transfer of the goods or services. For example, an online platform that matches consumers with a third-party service provider would be an indirect provider of a service as the commerce platform would provide a bundle of services to the consumer, including the search algorithm, purchasing infrastructure, shipping and return processing, and customer complaints, among others. Even where the third-party merchant is unseen by the consumer, the online marketplace or commerce platform can be covered by the exemption.
With these broad definitions, and in its explanation of the proposed rule, the DBO contemplates that there can be more than one agent of the payee in a purchase transaction. For example, where an online marketplace receives funds and settles to an intermediary, and then the intermediary settles to the payee, both the online marketplace and the intermediary could be exempt. Specifically, the DBO states that the agent of the payee exemption applies to each transaction for purposes of the exemption analysis. So, in an online marketplace scenario, the transaction involves a customer (payor) making a purchase from a marketplace (payee), constituting one transaction, and then a second transaction takes place between the marketplace (payor) and the merchant (payee). In each separate transaction the exemption would apply.
The proposed rule defines “goods and services” to mean any good or service, other than money transmission services, for which the payor has a payment obligation to the payee. The DBO is interpreting this term broadly so that the determining factor is whether the transaction involves a payment obligation of a payor to a payee, rather than what qualifies as a good or service. For example, the DBO makes clear that the term “services” includes charitable purposes.
The agent of the payee exemption does not apply to stored value under the proposed rule. The DBO notes that because the agent of the payee exemption in California is “self-executing,” meaning that a company does not need to apply for the exemption, there is a chance that a company could mistakenly treat stored value that is eventually used to pay for goods or services as exempt. The proposed rule makes this clarification because such a determination by a company would likely lead to the illogical result that stored value is no longer regulated activity in California. The DBO states that one way to differentiate whether activity is stored value or money received for transmission is whether a beneficiary of the funds is identified—as in the stored value context, no beneficiary is identified where there is pre-funded value available for later use.
UK Issues AI Auditing Regulatory Consultation
Recently, the United Kingdom’s Information Commissioner’s Office (ICO) launched a consultation on the draft artificial intelligence (AI) auditing framework guidance for organizations. The UK’s ICO is an independent authority set up to uphold information rights as the regulator for data protection and freedom of information under the Data Protection Act 2018 and Freedom of Information Act 2000. The ICO is sponsored by the Department for Digital, Culture, Media & Sport.
The consultation provides guidance on how to understand data protection law in relation to AI and provides recommendations for organizational and technical measures to mitigate the risks AI poses to individuals, as well as a methodology for auditing AI applications to ensure personal data is processed fairly. The guidance does not provide generic ethical or design principles for AI, but rather focuses on data protection compliance. In short, the guidance addresses (1) compliance accountability for upholding data protection principles when using AI applications; (2) lawfulness, fairness, and transparency of processing personal data in AI systems; (3) the principle of security and data minimization in AI systems; and (4) facilitating the exercise of individuals’ rights about their personal data in AI systems.
The consultation closes on April 1, 2020, and the ICO is seeking feedback from compliance-focused members of organizations such as data protection officers, risk managers, general counsels, and technology specialists such as machine learning experts, data scientists, and software developers and engineers.