Weekly Fintech Focus

  • The Acting Comptroller of the Currency gave a speech describing his vision for supervising crypto and fintech firms in similar ways to banks.
  • The FTC issued enforcement policy guidance related to subscriptions and negative option marketing to tighten compliance.
  • The FTC issued a final rule amending the GLBA Safeguards Rule to cover “finders” and to significantly increase certain security requirements for financial institutions.

Bank Regulator Outlines Vision for Bank-Like Supervisory Regime for Crypto and Fintech Firms

On November 3, 2021, Acting Comptroller of the Currency Michael J. Hsu discussed clarifying and modernizing the bank regulatory perimeter in a speech titled “Leveling Up Banking and Finance” at the American Fintech Council’s Fintech Policy Summit 2021.

The speech addressed risks posed by “synthetic banking providers” or “SBPs,” referring to fintech and cryptocurrency firms that offer bank-like services but operate outside the regulatory regime applied to traditional banks.

The speech defined two specific problems that “pose significant medium- to long-term risks to consumers, businesses, and financial stability.”

  • First, for fintechs, the speech highlighted potential risks created by the “rebundling” of traditional banking services such as taking deposits, making loans, and facilitating payments, through entities that are not regulated as banks.
  • Second, for crypto firms, many of which operate within a regulatory regime (such as New York’s BitLicense or the Office of the Comptroller of the Currency’s (OCC) national trust bank charter, or a U.S. Securities and Exchange Commission (SEC)-registered broker-dealer), the speech highlighted the potential risks that could build up through the involvement of unregulated affiliates that are not subject to consolidated supervision by prudential regulators. The speech called specific attention to firms with ambitions to become “universal” (i.e., offering everything from crypto custody to retail brokerage to market making to asset management to prime brokerage).

Acting Comptroller Hsu’s definition of these two problems contains a “vision for modernizing the bank regulatory perimeter,” with the intended goal of bringing these firms inside it.

The speech did not provide specifics on how this vision will be realized, but made reference to a “holistic strategy” involving chartering decisions, interpretive letters, and the soon-to-be-communicated results of the “crypto sprint” underway by the OCC, the Federal Reserve, and the Federal Deposit Insurance Corporation over the last several months.

FTC Provides Enforcement Guidance for Subscriptions and Negative Options

On October 22, 2021, the Federal Trade Commission (FTC) issued a policy statement and published a press release providing guidance on its plans for enforcement against negative option marketing. Negative option marketing is a term that refers to a broad category of transactions in which a consumer will continue to receive a product or service unless the consumer takes an affirmative action to cancel the agreement or otherwise reject the products or services that he or she is receiving under the agreement. Negative option programs often take the form of subscriptions that automatically renew or a free trial that turns into a recurring payment for goods or services. The FTC explains that its policy statement puts “companies on notice that they will face legal action if their sign-up process fails to provide clear, up-front information, obtain consumers’ informed consent, and make cancellation easy.”

In summary, the FTC provides three general guidelines for companies related to negative option marketing. In order to conduct such marketing in a compliant manner, the companies should:

  1. Provide clear and conspicuous disclosure of material terms of the offer, including costs, deadlines to stop future charges, the amount and frequency of the charges, how to cancel, and information that keeps the consumer from being deceived about the characteristics of the product or service;
  2. Obtain express informed consent from the consumer to the terms of the offer. This includes obtaining the consumer’s express informed consent of the negative option feature separately from other portions of the transaction; and
  3. Provide a simple, reasonable, and easily accessible method of cancellation. The method of cancellation should be as easy to use as the method the consumer used to buy the product or service.

In its policy statement, the FTC notes that its enforcement actions primarily rely on Section 5 of the FTC Act (15 U.S.C. § 45(a)), the Restore Online Shoppers’ Confidence Act (ROSCA) (15 U.S.C. §§ 8401-8405), and the Telemarketing Sales Rule (16 C.F.R. Part 310), as well as the Rule on the Use of Prenotification Negative Option Plans (16 C.F.R. Part 425), the Electronic Fund Transfer Act (EFTA) (15 U.S.C. §§ 1693-1693r), and the Postal Reorganization Act (i.e., the Unordered Merchandise Statute) (39 U.S.C. § 3009).

FTC Issues Final Rule Expanding the GLBA’s Safeguards Rule

The FTC recently released its final rule amending the Gramm-Leach-Bliley Act’s (GLBA) Standards for Safeguarding Customer Information (Safeguards Rule). Financial institutions covered by the updated Safeguards Rule will be required to develop far more involved security programs. The FTC is also seeking comment on whether the Safeguards Rule should be further amended to require a financial institution to report certain security events to the FTC.

The changes in the final rule include requirements applicable to the design and organization of a financial institution’s security program:

  • Requiring written risk assessments that include requirements such as the safeguards that must be designed and implemented to address identified risks and the methods to be taken to conduct employee training and oversight of service providers.
  • Requiring designation of a “Qualified Individual” for oversight and implementation of the security program, with an annual report provided by the Qualified Individual to the board.

The final rule also expands the definition of “financial institution” to include entities that are “significantly engaged in activities that are incidental to [] financial activity” as defined by the Bank Holding Company Act. This change brings into the scope of the Safeguards Rule the act of finding as discussed in 12 CFR 225.86(d)(1). A “finder” is described as a person that “bring[s] together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate.” The FTC notes that this change to the definition of “financial institution” should not be considered a significant expansion of the Safeguards Rule coverage “as it expands the definition only to include entities that are engaged in activity that is incidental to financial activity” and brings the definition under the Safeguards Rule into harmony with other agencies’ GLBA rules (e.g., CFPB, SEC).

The final rule also creates a small business exemption for those financial institutions that collect information on fewer than 5,000 consumers. These smaller financial institutions would be exempt from the requirements to create a written risk assessment, develop an incident response plan, and provide an annual report to the board.