Weekly Fintech Focus

• Bank and credit union industry groups come out against the Fintech Charter, while Comptroller Brooks pushes forward.
• The CFPB plans on issuing a proposed rule to address consumer-authorized access to financial records and data aggregation.
• The CFPB issues an RFI in an effort to expand access to credit and prevent discrimination.
• FinCEN issues an advisory alerting financial institutions to patterns of COVID-19-related cybercrime.
• Three states sue the OCC over its recent valid-when-made rule.
• New York is on the verge of becoming the second state to require TILA-like disclosures for commercial financing.

Bank and Credit Union Industry Groups Are Against the Fintech Charter

Several bank and credit union industry groups warned the Office of the Comptroller of the Currency (OCC) in a letter that they would take action against the agency if it tries to create a special-purpose national bank charter that would make it significantly easier for payments-focused fintechs to deploy products nationwide, amongst other things (known as the “Fintech Charter”). The OCC has been exploring the Fintech Charter since 2016 (for prior coverage see here).

In their letter, the industry groups stated that they had “serious concerns” about the Fintech Charter and that such charters may introduce risk that may undermine the role that national banks play in the economy. The letter notes several possibilities, including regulatory arbitrage and ambiguity, centered on how fintechs would be supervised.

However, Brian Brooks, acting Comptroller of the Currency, suggested in a recent interview with one of the members of the banking industry group that the OCC could first introduce a national version of a state money transmission license designed to give fintech payment companies a federal preemption option, presumably to avoid the 50-state approach currently in effect. Brooks also introduced the idea that nonbanks could have access to the Federal Reserve’s payments systems and stated that payments services should remain under the supervisory umbrella of an agency like the OCC.

In support of his statements, Comptroller Brooks said, “[t]he OCC is the only agency that provides comprehensive nationwide supervision of institutions. There’s no other organization that does that in the banking system and given that payments is [sic] one of the core banking functions, we don’t want it to leave the supervisory field of vision. We want to be able to continue to ensure the safety and soundness of the system without letting the core activities bleed into the shadow banking system, where it has now gone.”

Notwithstanding, Comptroller Brooks also hypothesized that state-level regulators may be well-positioned to focus on other activities, like lending, as he views lending as “something that can be done on a state-by-state basis” as “local credit unions, small banks and others [gather] the deposits inside of one state [and] only lend to customers in one state; but when it comes to payments, payments really are inherently borderless.”

The industry groups made clear that they were not in favor of the OCC’s approach in pursuing the Fintech Charter.

CFPB Plans Proposed Rule on Consumer-Authorized Access to Financial Records

On July 24, 2020, the Consumer Financial Protection Bureau (CFPB) announced that later this year it will issue an advanced notice of proposed rulemaking (ANPR) about consumer-authorized access to financial records. This announcement follows a symposium the CFPB held on this topic in February of this year, which we discussed here. In the ANPR, the CFPB will seek input on numerous aspects of relationships between consumers, financial institutions, and third-party data aggregators, and how the CFPB can ensure a consumer’s access to his/her own financial data as required by Section 1033 of the Dodd-Frank Act.

The CFPB’s announcement states that the ANPR will:

• Solicit stakeholder input on ways that the CFPB might effectively and efficiently implement the financial access rights described in Section 1033 of the Dodd-Frank Act. Different market participants have helped authorized data access become more secure, effective, and subject to consumer control. The CFPB expects these trends to continue, but also sees indications that some emerging market practices may not reflect the access rights described in Section 1033.
• Seek information regarding the possible scope of data that might be made subject to protected access as well as information that might bear on other terms of access, such as those relating to security, privacy, effective consumer control over access and accessed data, and accountability for data errors and unauthorized access.
• Inquire into whether—and if so, how—issues of regulatory uncertainty with respect to Section 1033 and its interaction with other statutes within the CFPB’s jurisdiction, such as the Fair Credit Reporting Act, may be impacting this market to the potential detriment of consumers; and seek information that may help resolve such uncertainty.

CFPB Issues RFI in an Effort to Expand Access to Credit and Prevent Discrimination

The CFPB issued a request for information (RFI) seeking public input on how best to create a regulatory environment that expands access to credit and ensures that all consumers and communities are protected from discrimination. The CFPB intends to use information provided to prevent unlawful discrimination and foster innovation while simultaneously addressing regulatory compliance.

The CFPB specifically requested comments and information so that it can identify opportunities to prevent credit discrimination; encourage responsible innovation; promote fair, equitable, and nondiscriminatory access to credit; address potential regulatory uncertainty; and develop viable solutions to regulatory compliance challenges under the Equal Credit Opportunity Act (ECOA) and Regulation B.

In particular, the CFPB requests commenters to respond to the following categories and questions:

• Disparate Impact. Should the CFPB provide additional clarity regarding its approach to disparate impact analysis under ECOA and/or Regulation B? If so, in what way(s)?
• Limited English Proficiency. In what ways should the CFPB provide additional clarity under ECOA and/or Regulation B to further encourage creditors to provide assistance, products, and services in languages other than English to consumers with limited English proficiency?
• Special Purpose Credit Programs. In what ways should the CFPB address any potential regulatory uncertainty and facilitate the use of Special Purpose Credit Programs? Should the CFPB clarify any of the Special Purpose Credit Program provisions in Regulation B?
• Affirmative Advertising to Disadvantaged Groups. In what ways should the CFPB provide clarity under ECOA and/or Regulation B to further encourage creditors to use affirmative advertising to reach traditionally disadvantaged consumers and communities?
• Small Business Lending. In what way(s) might the CFPB support efforts to meet the credit needs of small businesses, particularly those that are minority or women owned?
• Sexual Orientation and Gender Identity Discrimination. In the Bostock v. Clayton County decision in June 2020, the U.S. Supreme Court held that the prohibition against sex discrimination in Title VII of the Civil Rights Act of 1964 encompasses sexual orientation discrimination and gender identity discrimination. Should the Supreme Court’s decision in Bostock affect how the CFPB interprets ECOA’s prohibition of discrimination on the basis of sex? If so, in what way(s)?
• Scope of Federal Preemption. What are examples of potential conflicts or intersections between state laws, state regulations, and ECOA and/or Regulation B, and should the CFPB address such potential conflicts or intersections? Should the CFPB provide further guidance to assist creditors evaluating whether state law is preempted to the extent it is inconsistent with the requirements of ECOA and/or Regulation B?
• Public Assistance Income. In what ways should the CFPB provide additional clarity under ECOA and/or Regulation B regarding when all or part of the applicant’s income derives from any public assistance program? Should the CFPB provide guidance on how to address situations where creditors seek to ascertain the continuance of public assistance benefits in underwriting decisions?
• Artificial Intelligence and Machine Learning. In what ways should the CFPB provide more regulatory clarity under ECOA and/or Regulation B to help facilitate innovation in a way that increases access to credit for consumers and communities in the context of artificial intelligence and machine learning without unlawful discrimination? In what ways should the CFPB modify requirements or guidance concerning notifications of action taken, including adverse action notices, under ECOA and/or Regulation B to better empower consumers to make more informed financial decisions and/or to provide additional clarity when credit underwriting decisions are based in part on models that use artificial intelligence and/or machine learning?
• ECOA Adverse Action Notices. In what ways should the CFPB provide additional guidance under ECOA and/or Regulation B related to when adverse action has been taken by a creditor, requiring a notification that includes a statement of specific reasons for the adverse action?

As background, the ECOA and Regulation B make it unlawful for any creditor to discriminate against any applicant, with respect to any aspect of a credit transaction on the basis of race, color, religion, national origin, sex, marital status, or age; because all or part of the applicant’s income derives from any public assistance program; or because the applicant has in good faith exercised any right under the Consumer Credit Protection Act.

Comments may be submitted through the Federal eRulemaking Portal or via email at 2020-RFI-ECOA@cfpb.gov (subject line: Docket No. CFPB-2020-0026).

FinCEN Issues Advisory on Cybercrime During COVID-19

On July 30, 2020, the Financial Crimes Enforcement Network (FinCEN) issued an advisory to alert financial institutions to potential indicators of cybercrime and cyber-enabled crime that FinCEN has observed during the COVID-19 pandemic. The red flags in the advisory should be considered indicators and be considered in the context of each customer’s historical financial activity, the facts and circumstances of the transaction, the character of the transaction in line with the financial institution’s and customer’s business practices, and whether a transaction or the customer exhibits multiple indicators at the same time.

Fintechs utilize a variety of fraud detection software and services, and they offer these to other financial institutions. Continually adapting to new and developing cyber threats is especially important as online transaction volume increases at a staggering pace during the pandemic and consumers quickly adopt online financial practices that may be new or unfamiliar to many.

The red flags to be aware of are:

• Targeting and Exploitation of Remote Platforms and Processes
  • Spelling of names in account information does not match government ID or other onboarding documentation
  • Pictures in identity documentation are blurry or low resolution, or have other aberrations
  • Images of identity or other documentation have visual irregularities that indicate digital manipulation, especially around information fields like name, address, or other personal identifiers
  • A customer’s physical description on identity documentation does not match other images of the customer
  • A customer refuses to provide or delays providing identity documentation
  • Customer logins occur from a single device or IP address across multiple seemingly unrelated accounts, often within a short period of time
  • The IP address associated with logins does not match the stated address in identify documentation
  • Customer logins occur within a pattern of high network traffic with decreased login success rates and increased password reset rates
  • A customer calls the financial institution to change account communication methods and authentication information, then quickly attempts to conduct transactions to an account that the customer has never transacted with before
• Phishing, Malware, and Extortion
  • Information technology enterprise activity related to transaction processes or information is connected to cyber indicators that have been associated with possible illicit activity. Look for evidence of malicious cyber activity in system log files, network traffic, or file information
  • Email addresses related to COVID-19 do not match the name of the sender or the corresponding domain of the company sending the message
  • Unsolicited emails related to COVID-19 from untrusted sources encourage readers to open embedded links for files or to provide personal or financial information
  • Emails from untrusted sources similar to legitimate telework vendor accounts offer remote application software, often advertised at no or reduced cost
  • Emails contain subject lines associated with phishing schemes (e.g., “Coronavirus Updates,” “2019-nCov: New confirmed cases in your City”)
  • Text messages have embedded links purporting to be from government relief programs
  • Embedded links or webpage addresses for COVID-19 resources have irregular URLs
• Business Email Compromise Schemes
  • A customer’s transaction instructions contain different language, timing, and amounts in comparison to prior transaction instructions
  • Transaction instructions, typically involving a healthcare-sector counterparty originate from an email account closely resembling a known customer’s email account
  • Emailed transaction instructions direct payment to a different account for a known beneficiary
  • Emailed transaction instructions request to move payment methods from checks to ACH transfers as a response to the pandemic

States Sue to Block OCC’s Valid-When-Made Rule

The Office of the Comptroller of the Currency (OCC) recently issued a final rule codifying its valid-when-made rule. Now, three states (CA, IL, and NY) have sued the OCC in the Northern District of California, claiming that the OCC’s rule would unlawfully and “dramatically expand preemption of state interest-rate caps” and thereby “facilitate predatory lending through sham ‘rent-a-bank’ partnerships designed to evade state law.” The complaint alleges that the OCC does not have the authority to issue this rule because the OCC’s jurisdiction is federally chartered banks, but the rule allows any entity that purchases loans from federally chartered banks to charge the same interest rate as the federally chartered bank in excess of rates permitted by state law. Additionally, the complaint alleges that the OCC failed to follow proper procedures that Congress prescribed for OCC rules that preempt state consumer protection laws, including conducting a case-by-case review of state’s laws and consulting with the CFPB.

New York Passes Law to Require Commercial Lending Disclosures

The New York State legislature recently passed a bill (S5470B) that would require additional disclosures in some commercial financing transactions. The bill now goes to the Governor’s desk for signature. The bill would require some commercial lenders and financing companies that use specified disclosure formats to disclose to borrowers information about loan amounts, pricing, and other terms. The New York Department of Financial Services (NYDFS) would draft the disclosure formats. If this bill becomes law, New York will become the second state (after California) to require specific disclosures in commercial financing transactions.

Under the law, covered “providers” would be required to comply with certain disclosure obligations when offering “commercial financing.” Covered “commercial financing” includes open-end and closed-end loans, sales-based financing, factoring transactions, and other forms of commercial financing not intended for personal, family or household purposes. While the bill is aimed at protecting small business borrowers, the bill would not be limited by the size of the business of the borrower. A “provider” is defined to include a person who solicits and presents commercial financing offers on behalf of a third party. The definition of “provider” excludes entities that serve as technology service providers so long as the technology service provider has no interest in the commercial financing extended to the borrower. The term also excludes persons who make de minimis transactions, and certain financial institutions, including state and federal chartered banks.

While the drafting of specific regulations will fall to the NYDFS, the bill would require that commercial financing companies provide the following in their disclosures:

• The total amount of the commercial financing or amount of credit available
• The finance charge
• The annual percentage rate (APR), expressed as a yearly rate, inclusive of any fees and finance charges, and calculated in accordance with the Truth in Lending Act and Regulation Z
• The total repayment amount
• The term of the financing
• The payment amounts, including the frequency of the payments or schedule of payments, as applicable
• A description of all potential fees and charges, such as late fees and returned payment fees
• Prepayment penalties
• A description of collateral requirements or security interests, if applicable