Weekly Fintech Focus

  • Senators seek information about the CFPB’s agenda for fintech
  • OCC’s Acting Comptroller testifies before the Senate
  • Financial regulators updated guidance on authentication and access to services
  • FTC supports Fed’s efforts to update Regulation II to improve compliance with dual debit network availability
  • OFAC takes action against a payments company for sanctions violations
  • CFPB blogs on consumer benefits and risks of Buy-Now, Pay-Later
  • FINRA issues a report addressing cloud computing adoption by member firms
  • BIS issues a bulletin encouraging entity-based regulation of Big Tech companies

Senators Inquire about CFPB’s Fintech Agenda

On July 27, 2021, Senator Sherrod Brown, the Chairman of the U.S. Senate Committee on Banking, Housing, and Urban Affairs, sent a letter to the Consumer Financial Protection Bureau (CFPB) seeking information about what actions the CFPB is taking to protect consumers against risks posed by fintech companies. His letter cites recent issues caused by a large fintech banking provider, which reportedly faced a wave of complaints related to frozen and closed bank accounts.

Senator Brown’s letter identifies a number of issues that consumers could face when dealing with fintech banking providers, including privacy and fraud risks as well as issues around proper disclosure that the fintech company is not actually a bank. This blog recently covered a large fintech banking provider’s settlement with the California Department of Financial Protection and Innovation addressing the fintech company’s representations and disclosures related to its status as a fintech company rather than a regulated bank.

In addition to seeking insight into CFPB activities around fintech companies, Senator Brown asked for guidance identifying any regulatory gaps that Congressional action could fill.

Acting Comptroller of the Currency Testifies on Regulatory Priorities

The Acting Comptroller of the Currency recently testified before the Senate Banking Committee. His testimony shows a focus on bank risk management that takes into consideration new types of banking services, business relationships, and technology. Developments in the industry lead to OCC concerns around safety and soundness, predatory and discriminatory practices, and adapting to digitization.

The OCC has seen a fragmentation in the banking industry related to risk management as large banks are operating from a “risk on” posture while community banks play catch up and face strategic challenges to grow and compete with economies of scale. In light of this fragmentation, the OCC is concerned with what it calls “capitulation.” The Acting Comptroller described the current scenario this way: in “a dynamic economy, there is a constantly evolving set of products, practices, and clients that banks avoid, or limit exposure to, based on their risk appetite.” However, banks of different sizes and capabilities are engaging in and addressing these risks differently, with varying levels of risk assessment. Specifically, the Acting Comptroller notes banks may be setting aside their risk assessments from the pandemic and wading into activities related to cryptocurrencies, SPACs, and buy-now, pay-later (BNPL) services.

Acting Comptroller Hsu emphasized the OCC’s attention to reducing inequality, especially in light of the pandemic, which disproportionally impacted vulnerable groups. These efforts will include reviews of bank-fintech partnerships to understand how to identify and differentiate between rent-a-charter arrangements that the OCC considers harmful predatory lending and healthier partnerships that expand access to credit.

Acting Comptroller Hsu also discussed issues related to digitalization of banking and finance. In particular, he paused approvals of novel charters pending an internal review of the OCC’s licensing framework, both to better determine how fintech companies, payments platforms, and digital assets fit within the OCC’s regulatory ambit and to explore the potential for sandboxes. He intends for the banking regulators to work together to continue to develop regulations that facilitate responsible innovation and limit regulatory arbitrage.

FFIEC Updates Guidance on Authentication

On August 11, the Federal Financial Institutions Examination Council (“FFIEC”) issued updated guidance, titled Authentication and Access to Financial Institution Services and Systems, that provides financial institutions with examples of effective authentication and access risk management principles and practices for customers, employees, and third parties accessing digital banking services and information systems.

The guidance expressly acknowledges that certain authentication controls that were effective in years past no longer provide sufficient defense against evolving and increasingly sophisticated cybersecurity threats, particularly in light of the expansion of remote access, use of APIs, increased connectivity to third parties such as cloud services providers, and other developments.

The guidance includes a number of important developments, but we highlight three in particular here:

First, this guidance is relevant not just to the regulated firms themselves, but also to third-party service providers that provide the systems that are being accessed.

Second, the guidance calls out single-factor authentication as “inadequate” in many situations and indicates a strong preference for use of multi-factor authentication and other enhanced authentication controls to more effectively mitigate risks.

Third, although the guidance is generally not technology- or activity-specific, it makes specific note of the potential for increased fraud in connection with faster, more modern digital payment services that have short processing windows and/or allow customers to initiate a credit “push” of funds to another account. Financial institutions and fintechs engaged in payments activities would be well advised to take notice.

FTC Submits Comment Letter on Regulation II to Encourage Two Network Availability for CNP Debit Transactions

We previously discussed the Federal Reserve’s rulemaking to amend Regulation II (i.e., the Durbin Amendment), which is the first substantive rulemaking related to Regulation II in more than five years. The Durbin Amendment—part of the 2010 Dodd-Frank Act—is designed to provide merchants with greater choice over which network debit card transactions are routed, by requiring card issuers to enable at least two unaffiliated debit access networks. The rulemaking would also clarify that debit card issuers should enable and allow merchants to choose between two unaffiliated networks for card-not-present debit transactions. Currently, the volume of card-not-present transactions processed over networks other than Visa and Mastercard remains low — a situation that the FTC believes is inconsistent with Regulation II.

This week, the FTC submitted a comment letter to the Federal Reserve for this rulemaking. The FTC is responsible for enforcing Regulation II with respect to certain entities, such as the debit card networks. The FTC’s comment letter endorses the Federal Reserve’s proposed clarifications related to card-not-present transactions and suggests additional modifications to strengthen the rule. The FTC recommends that the Federal Reserve (i) ensure that debit card networks do not create incentives for issuers to evade Regulation II’s mandate that two unaffiliated networks be available for each type of debit transaction; and (ii) prohibit debit card networks from paying incentives to an issuer based on how debit transactions are routed by merchants that use that issuer’s debit cards.

OFAC Takes Action Against Payments Company

A money transmitter and prepaid access provider reached a $1.4 million settlement with the Office of Foreign Assets Control (OFAC) for alleged violations of OFAC-administered sanctions programs by processing payments for parties in certain jurisdictions and regions subject to sanctions and payments on behalf of sanctioned persons on OFAC’s List of Specially Designated Nationals and Blocked Persons (SDN List). The alleged violations, which OFAC characterized as “non-egregious,” related to commercial transactions processed by the company on behalf of its corporate customers and card-issuing financial institutions and resulted from multiple sanctions compliance control breakdowns.

The enforcement action marks the latest in a series of recent OFAC actions that emphasized specific controls for effective screening for sanctioned locations. OFAC specifically cited the company’s failure to use IP address geolocation data to identify users in sanctioned jurisdictions, echoing similar findings in several recent OFAC enforcement actions against fintechs, payments companies, and online service providers. The action also emphasized the importance of performing algorithm testing to be sure filters flag close matches to SDN List entries, screening for Business Identifier Codes (BICs) especially when OFAC includes them in SDN List entries, and holding flagged payments until they have been reviewed even during backlog periods.

BNPL on the CFPB’s Radar

An early July CFPB blog post on the benefits and risks of buy-now, pay-later (BNPL) products has received attention from industry participants looking for indications of the CFPB’s views on one of the fastest-growing segments in lending. Citing a December 2020 survey that found that 42% of American consumers have used BNPL at least once, the blog post (titled “Should you buy now and pay later?”) provided a high-level overview of BNPL products and highlighted benefits and risks for the increasingly popular payment option. The post did not directly criticize BNPL or provide guidance for industry participants that offer BNPL products, but did note that “BNPL products don’t have the same protections as other types of credit.”

FINRA Cloud Computing

The Financial Industry Regulatory Authority’s (FINRA) Office of Financial Innovation recently issued a report based on its review of the implications of cloud computing on the securities industry. FINRA recommends that member firms pay close attention to cybersecurity issues related to cloud adoption through allocation of responsibilities in contracts between member firms and cloud service providers. FINRA also reminds its members that outsourcing activities to third parties such as cloud service providers does not relieve the member of its responsibility to comply with all securities laws and regulations and FINRA rules associated with the outsourced activity. FINRA notes that it will penalize the member for failing to address regulatory violations committed by the member’s third-party vendors.

BIS and Big Tech Beyond Activity-Based Regulation

The August 2, 2021, BIS Bulletin article focused on “big tech” firms entering the financial services sector and the various policy challenges that their entry and growth in the space has created globally. Certain challenges such as mitigation of financial risks and consumer protection have traditionally been within the scope of central banks and financial regulators. However, the article notes that there are emerging challenges surrounding the concentration of market power, data privacy issues, and data governance that arise in the context of big tech which currently appear to fall outside the scope of central banks’ and certain financial regulators’ oversight authority.

Of particular interest, the article outlines a proposal to expand the scope of the current “activity-based regulatory” framework, which requires financial services providers to hold licenses for specific business lines (e.g., money transmitter licenses), to include a complementary framework that develops specific “entity-based” rules. Given that big tech poses a unique set of challenges within the financial services industry, the article notes that certain existing licensing requirements will fall short of addressing the challenges posed by such dominant platforms.

In response, the European Union, China, and the United States have begun developing an entity-based approach for big tech companies, but efforts have been rather limited outside of the competition domain. China has taken more concrete steps, though, specifically with regard to revising the regulation of financial holding companies (FHCs) to require companies holding two or more types of financial institutions that satisfy a given size threshold to apply for an FHC license. In the United States, however, big tech has mainly been the focus of proposals to reduce data concentration and anti-competitive practices, and the article recommends that central banks follow up such initiatives by conducting studies on the potential systemic impact of big tech operations and possible spillover effects to the financial sector. This is especially key for big tech companies offering systemically important payment services on a large scale, since the current “systemically important financial institution” designation is often limited to traditional financial institutions (e.g., banks and insurers).

As the nature of the public policy challenges for the financial sector continues to expand due to rapid digital innovation, evidenced by big tech’s movement into payment systems, the article encourages financial regulators and central banks to urgently invest resources to better understand and monitor such developments in order to be better prepared to take future action as needed.