Weekly Fintech Focus

  • The California DFPI begins operating January 2021 and looks to regulate new industries.
  • The OCC finalizes its rule on fair access to financial services, prohibiting large banks from denying services to whole industries.
  • Federal banking regulators publish proposed rule to impose additional notification requirements for a broader range of computer-security incidents.

California DFPI Begins Operating and Focuses on New Industries

January 2021 brings with it a newly named and newly empowered California consumer financial protection agency. Effective January 1, the California Department of Business Oversight is now the Department of Financial Protection and Innovation (DFPI). In its monthly bulletin, the DFPI states that it will “immediately” begin to “review and investigate consumer complaints against previously unregulated financial products and services, including debt collectors, credit repair and consumer credit reporting agencies, debt relief companies, rent to own contractors, private school financing, and more.” As we noted in this blog before, the new DFPI has expanded authority to oversee new industries. Its actions last year prior to the name change, including those against new industries like the buy-now-pay-later industry (discussed here and here) may give an indication of where the DFPI is heading.

The DFPI is also preparing to open an Office of Financial Technology Innovation to engage with new industries and consumer advocates to “encourage consumer friendly innovation and job creation.” The DFPI intends for this office to work proactively to create a responsible regulatory framework for emerging products and services.

OCC Finalizes Fair Access Rule

On January 14, 2021, the Office of the Comptroller of the Currency (OCC) finalized its rule to prohibit large national banks and federal savings associations (more than $100 billion in assets) from declining to service whole industries that are engaged in lawful business activities. We discussed the proposed rule here. In the final rule, the OCC states that the agency has a “broad responsibility to ensure that banks make decisions about whether to provide a person with financial services on the basis of impartial criteria that are free from prejudice or favoritism.” The OCC notes that banks should ensure impartiality by “relying on empirical data that are evaluated consistent with their established, impartial risk-management standards” because any other methods of evaluation could lead to a bank “ratify[ing] decisions that are based, in whole or in part, on prejudices or favoritism and would threaten banks’ safety and soundness.” Banks are not obligated to offer any particular financial service, operate in any particular geographic area, or provide services to any particular person. Rather, the OCC expects that banks “do their homework and be able to show their work” regarding any financial service offered to any individual customer. The rule takes effect April 1, 2021.

Banking Regulators Publish Proposed Rule On Computer-Security Incident Notifications

On January 12, 2021, the OCC, Federal Reserve, and Federal Deposit Insurance Corporation (FDIC) published a notice of proposed rulemaking that would require a covered entity to provide its primary federal regulator with prompt notification of any “computer-security incident” that is a “notification incident.” The proposed rule would also institute certain notification requirements for bank service providers. The proposed rule would expand security incident notification obligations beyond those currently required by the Gramm-Leach-Bliley Act (GLBA), which only requires notification as soon as possible of incidents involving unauthorized access to, or use of, sensitive customer information, and does not cover incidents that disrupt operations but do not compromise sensitive customer information. Comments are due April 12, 2021.

The proposed rule defines “computer-security incident” as an “occurrence that (i) results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits; or (ii) constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.” A “notification incident” is defined as “a computer-security incident that a banking organization believes in good faith could materially disrupt, degrade, or impair — the ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.” The “notification incident” definition includes language that is consistent with the “core business line” and “critical operation” definitions in the resolution-planning rule issued by the Federal Reserve and FDIC.

Under the proposed rule, a bank would be required to notify its prudential regulator no later than 36 hours after the bank has a good faith belief that a notification incident has occurred. Bank service providers are also required to notify at least two individuals at each affected bank customer immediately after the service provider experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided subject to the Bank Service Company act for four or more hours. Covered bank services include (i) check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution, as well as components that underlie these activities; and (ii) data processing, back office services, and activities related to credit extensions, as well as components that underlie these activities. Bank regulators would take enforcement action directly against the bank service provider for failure to notify rather than citing the banking organization for the service provider’s notification failure.

Certain “computer-security incidents” are excluded as they do not rise to the level of “notification incidents,” including limited distributed denial of service attacks that are promptly and successfully managed by the bank.