Weekly Fintech Focus

  • President Biden issues an executive order on competition with implications on open banking, UDAAP enforcement, and pricing disclosures.
  • Federal banking regulators seeking to standardize guidance on third-party risk management, seek public comment.
  • FFIEC updates and expands the Operations Booklet of its IT Examination Handbook to address technology risk management expectations for cloud computing and other evolving technologies.
  • FinCEN issues a list of AML priorities as well as considers engaging in a no-action letter process.
  • Colorado becomes the latest state to repeal its ban on credit card surcharges.
  • President Biden signs Congressional Review Act resolution rescinding OCC’s True Lender Rule—now what?

President Biden Issues an Executive Order on Competition with Implications for Financial Institutions

On July 9, 2021, President Biden issued an Executive Order on Promoting Competition in the American Economy. The Executive Order establishes a “whole-of-government” effort to promote competition in the American economy and includes over 70 initiatives by more than a dozen federal agencies to address competition issues identified in the Executive Order. A few of these issues will directly affect fintech and payment related activities, including open banking initiatives, anticompetitive aspects of Consumer Financial Protection Bureau’s (CFPB) authority to prevent unfair, deceptive, or abusive acts and practices (UDAAPs), and fee disclosures.

The most important initiative for the financial industry is likely an initiative to make it easier and cheaper to switch banks by requiring banks to allow customers to take their financial transaction data with them to a competitor. The Executive Order directs the CFPB to commence or continue rulemaking activities under section 1033 of the Dodd-Frank Act to facilitate the portability of consumer financial transaction data to enable consumers to more easily switch financial institutions and use innovative financial products.

The Executive Order also directs the CFPB to enforce the prohibition on UDAAPs to ensure that actors engaged in unlawful activities do not obtain an unfair advantage over competitors who follow the law. To date, the CFPB has not used its UDAAP authority to directly address competition, particularly a scenario where a financial institution is getting ahead of its competition by engaging in illegal acts.

A more minor development, but likely impactful to consumers is an initiative to make it easier for people to get refunds from airlines and to comparison shop for flights by requiring clear upfront disclosure of add-on fees. The Executive Order directs the Department of Transportation to ensure consumers are not exposed or subject to advertising, marketing, pricing, and charging of ancillary fees that may constitute an unfair or deceptive practice or an unfair method of competition. Any changes ordered by the agency would result in changes to checkout flows for airlines and travel companies. Separate from the Executive Order, we anticipate additional action from other regulators like the Federal Trade Commission that could address pricing disclosures and limits on practices like drip pricing.

Banking Agencies Proposing to Jointly Update Third-Party Risk Management Guidance, Seek Input on Bank-Fintech Partnerships

On July 13, 2021, the Federal Reserve Board (FRB), Office of the Comptroller of the Currency (OCC), and Federal Deposit Insurance Corporation (FDIC) proposed interagency guidance that would update and standardize the agencies’ respective supervisory guidance on managing risks associated with third-party relationships, including relationships with fintechs.

The FRB, OCC, and FDIC each have issued prior guidance for their respective supervised banking organizations: the FRB’s 2013 guidance, the OCC’s 2013 guidance and 2020 FAQs, and the FDIC’s 2008 guidance. Each agency’s guidance reflects the same general principles and expectations, but there are minor variations between them. Perhaps more importantly for fintechs, only the OCC has issued additional clarifications (in the form of the FAQs) to provide clarity on how the guidance applies to emerging technologies and bank-fintech partnerships.

The proposed guidance is substantially similar to the OCC’s existing guidance and would effectively bring the expectations for FDIC- and FRB-supervised institutions into alignment with existing expectations for OCC-supervised institutions.

The agencies seek comment on (1) the guidance itself, and (2) the extent to which the concepts discussed in the OCC’s FAQs should be incorporated into the guidance. Although not directly requested by the regulators, commenters may also consider the impact of any changes related to the recent Executive Order related to open banking discussed above as it applies to bank’s obligations as covered by the third-party risk management guidance, including the connection of fintechs to bank APIs. The proposed guidance likely will be published in the Federal Register in the coming days with comments due 60 days after publication.

FFIEC Issues IT Risk Management Guidance for Evolving Technology

The Federal Financial Institutions Examination Council (FFIEC) has replaced the existing “Operations” Booklet in its Information Technology Examination Handbook with a new “Architecture, Infrastructure, and Operations” (AIO) Booklet. The IT Handbook serves as regulatory guidance for financial institutions (and indirectly, their nonbank partners and service providers) on regulatory expectations for IT-related safety and soundness, consumer financial protection, and compliance with applicable laws and regulations.

One of the most notable additions to the new AIO Booklet is enhanced discussion of expectations for “evolving technologies,” including cloud computing, zero-trust architecture, artificial intelligence and machine learning, and the Internet of Things. The Booklet emphasizes the importance of strong third-party risk management practices and should be read in conjunction with the banking agencies’ third-party risk management guidance, discussed below.

FinCEN Issues AML Priorities and Considers No-Action Letters

The Financial Crimes Enforcement Network (FinCEN) recently announced two documents it was required to produce under the Anti-Money Laundering Act of 2020 (AML Act). First, FinCEN issued its first list of priorities for anti-money laundering and countering the financing of terrorism (the Priorities). The federal banking regulators also issued an interagency statement clarifying the applicability of the Priorities would apply to banks, and FinCEN issued a parallel statement on the Priorities’ applicability to non-bank financial institutions. The Priorities are intended to identify significant AML/CFT threats to U.S. bank and non-bank entities. Second, FinCEN issued a report explaining that FinCEN may undertake a rulemaking to develop a no-action letter process, but that such a process would be a challenge for the agency.

The Priorities are broad, and include the following:

  • Corruption
  • Cybercrime
  • Domestic and international terrorist financing
  • Fraud
  • Transnational criminal organizations
  • Drug trafficking organizations
  • Human trafficking and human smuggling
  • Proliferation financing

FinCEN explains that these Priorities can be read along with other reports, including the Treasury’s 2020 Illicit Finance Strategy document and the 2018 National Risk Assessment to help financial institutions assess and respond to risks. Due to their breadth, FinCEN’s Priorities are not clear guidance for specific actions by covered institutions, but the Priorities do at least list the areas that FinCEN will be focusing on in its exams and potential future rulemakings. Financial institutions can take this time to reassess their AML/CFT programs to ensure they address these Priorities where relevant and to ensure their suspicious activity reporting system is tailored to alert them to these activities. We anticipate future guidance related to these Priorities, which will likely provide more details on each.

FinCEN’s report on developing a no-action letter process notes that a FinCEN no-action letter process could be feasible, but that there are numerous hurdles to such a process and given FinCEN’s resource and enforcement limitations, it would likely do so in consultation with other agencies. After its consultation period, FinCEN raised numerous concerns about a no-action process ranging from the limited FinCEN staffing, to FinCEN’s actions affecting financial institutions that are regulated by many other regulators. If FinCEN does engage in a no-action letter process, the agency cautions that such a process will likely be long, ranging from 90 to 120 days for easier no-action requests to several months or over a year for more complex requests, particularly given the potential for disagreement between regulators. The upcoming rulemaking process will provide an opportunity for stakeholders to comment on how the no-action letter process can be developed to best benefit the industry.

Colorado Repeals Ban on Credit Card Surcharges

Earlier this month, Colorado Governor Jared Polis signed into law a repeal of his state’s prohibition on credit card surcharges by merchants. The law repeals the prohibition surcharges and also limits the maximum surcharge amount per transaction to (i) 2% of the total cost to the buyer for the sales or lease transaction, or (ii) the merchant discount fee. Merchants will be required to display a surcharge notice on the merchant’s premises or prior to the customer’s completion of a sale or lease transaction when conducting the transaction online. Surcharges will still be prohibited on cash payments, payments by check, debit card payments or payments made for the redemption of a gift card. Prohibitions on surcharges are nearly eradicated in the United States after existing in close to a third of states just a few years ago.

OCC’s True Lender Rule Rescinded—Now What?

On June 30, 2021, President Biden signed a congressional resolution invalidating the OCC’s True Lender Rule under the Congressional Review Act.

The OCC issued the True Lender Rule in October 2020 to provide guidance for determining which party in bank lending partnerships between a national bank or federal savings association and a non-bank lender (such as a fintech marketplace lender) was the “true lender,” which determines which laws (in particular, which usury laws) apply to the loans. The rule was criticized by consumer protection advocates who argued that the rule permitted so-called “rent-a-charter” partnership arrangements with national banks and federal savings associations to circumvent state consumer protection laws.

Now that the OCC’s True Lender Rule has been invalidated, the law governing when a national bank or federal savings association is acting as a “true lender” has reverted back to the court-created standards, applied on a case-by-case basis, that governed true lender questions before the True Lender Rule was finalized last October. As a result, banks, fintech firms, and nonbank lenders and servicers operating under a bank partnership model, particularly any that began engaging in new activities or jurisdictions in reliance on the True Lender Rule, should re-familiarize themselves with applicable court-created standards and any state law requirements that could now apply again.

It is not yet clear whether the OCC intends to issue a replacement rule, or if it does, what standards that rule would impose. Rules invalidated under the Congressional Review Act may not be replaced with a “substantially similar” rule without an act of Congress, which could present a hurdle for the OCC. Acting Comptroller of the Currency Michael Hsu indicated in a statement that the OCC “will consider policy options, consistent with the Congressional Review Act, that protect consumers while expanding financial inclusion.”