BankBryanCave.com

Main Content

To Deposit or Not to Deposit: a Question for Fintech Charters

December 7, 2016

Categories

The fintech industry has justifiably greeted the OCC’s announcement of a national fintech charter with optimism. But one area where we have seen significant confusion is the possibility of the fintech charter being granted without deposit insurance, and the implications thereof.

Background.  On December 2, 2016, OCC Comptroller Thomas Curry announced that the OCC is planning to take applications from fintech companies wishing to obtain a special purpose national bank charter.  These banks would be national banks with the same privileges and obligations as traditional full-service national banks, but with specialized business plans and that may or may not choose to have deposit taking authority.

In his remarks, Comptroller Curry expressed his excitement about the great potential to expand financial inclusion and reach unbanked and underserved populations.  At the same time, clearly recognizing that there are some industry players that are worried about new sources of competition from fintech banks, or that these new banks might otherwise have unfair advantages, Curry took great pains to seek to alleviate those concerns in his remarks and in the OCC’s white paper on the proposal.

Curry acknowledged that it will be difficult for the agency to determine the requirements to charter a fintech bank because of the “diversity of approach” among fintech companies. He noted that, for example, a payments model would be different than a marketplace lending one. However, he said that the OCC is a “firm believer in tailored innovation” and has the existing framework to evaluate these issues in the chartering process.  Consistent with existing OCC regulation, the white paper states that a special purpose bank that conducts activities other than fiduciary activities must conduct at least one of the following three core banking functions: receiving deposits, paying checks, or lending money.

Read More

The CFPB Proposes Ambitious Payday Lending Regulations

June 6, 2016

Authored by:

Categories

On June 2, 2016, the CFPB released its long-awaited proposed regulations for payday loans, vehicle title and certain high-cost installment loans.  Comments on the proposed rules must be received on or before September 14, 2016.

While most payday lenders would need to make significant changes to their products and practices under the proposed rules, the final rules could well be delayed though legal challenges in court.  The scope of the proposal is extraordinary, even requiring a new credit reporting system, that would need to be built, to facilitate the ability-to-repay requirements of the proposal.  The CFPB is relying on its authority under the Dodd-Frank UDAAP provisions to issue the rules, which is admittedly very broad, but even that might not be enough to support this ambitious proposal.

Nevertheless, because we cannot predict how courts would ultimately rule on the CFPB’s authority, it’s important to understand the proposed rules, prepare comments, and consider what business model changes might be needed.   This article therefore summarizes the key provisions of the proposal.

Read More

New Regs Will Change How Colleges Offer Bank Accounts to Students

December 31, 2015

Authored by:

Categories

On October 30, 2015, the Department of Education issued regulations to impose requirements on the marketing and terms of deposit and prepaid accounts offered to students at educational institutions that participate in Federal student aid programs. According to the DOE, the regulations are intended to ensure that students have convenient access to their title IV, Higher Education Act program funds, do not incur unreasonable and uncommon account fees on their title IV funds, and are not led to believe that they must open a particular financial account to receive Federal student aid. Most of these new rules take effect on July 1, 2016.

On December 16, the CFPB published a Safe Student Account Toolkit “to help colleges evaluate whether to co-sponsor a prepaid or checking account with a financial institution.” The Toolkit includes a Scorecard that can be used by schools when selecting a third-party vendor for student accounts and an Administrator Handbook designed to help school administrators gather relevant information to review, compare and evaluate accounts offered by different financial institutions.

The CFPB’s Toolkit provides guidance on the new DOE regulations, but with a focus on those provisions that are designed to protect students. The CFPB can bring and has brought enforcement actions against colleges under federal consumer protection laws. Their issuing of the Toolkit should be understood as a warning that they also will be enforcing the consumer protection portions of the DOE rules, though perhaps under their unfair, deceptive and abusive practices statute.

Read More

CFPB Guidance On Recurring Electronic Debits

November 30, 2015

Authored by:

Categories

On November 23, 2015, the CFPB issued a Bulletin alerting companies that they must obtain proper authorization from consumers before automatically debiting their accounts. The Bulletin relates to the Electronic Fund Transfer Act requirements for “preauthorized electronic fund transfers,” which are EFTs scheduled in advance to recur at substantially regular intervals. The preauthorized EFTs in the CFPB’s spotlight are those that debit a consumer’s account.

Regulation E of the EFTA provides that preauthorized EFTs from a consumer’s account must be authorized by a “writing signed or similarly authenticated by the consumer.” The authorization must be readily identifiable as such and have clear terms, and the person obtaining that authorization must provide a copy to the consumer. It’s important to keep in mind that these are two separate requirements. The Bulletin clarifies how a company can obtain the consumer’s authorization, and describes the critical elements of that authorization, but leaves unanswered certain questions about delivering a copy of the authorization to the consumer when it is obtained by telephone.

Content of the Authorization

As noted above, the consumer’s authorization must be readily identifiable as such and must have clear terms. The Bulletin states that companies sometimes provide consumers with notices of terms for preauthorized EFTs that fail to disclose “critical information.” The CFPB explains that the authorization must be clear as to the recurring nature of the transfers and the amount and timing of the payments agreed to. Of course the authorization also needs to identify the consumer and the account to be charged. Regardless of how the consumer’s authorization is obtained, which is discussed below, all of this information needs to be in the authorization and in the copy provided to the consumer.

Read More

CFPB “Guidance” on Marketing Services Agreements

October 19, 2015

Authored by:

Categories

On October 8, 2015, the CFPB announced new “Guidance About Marketing Services Agreements,” publishing a Compliance Bulletin on the subject of RESPA Compliance and Marketing Services Agreements.  The Bulletin is lacking in clear “guidance,” at least in the sense of outlining regulatory standards, but it does provide an unequivocal warning that marketing services agreements (MSAs) in the mortgage industry are much less likely to pass regulatory scrutiny than in the past.

The CFPB expresses “grave concerns” about the use of MSAs to evade the requirements of RESPA, and they note that certain mortgage industry participants have already stopped entering into MSAs given the RESPA compliance burdens.  To ensure that the industry is getting the message, they warn that careful consideration of the legal and compliance risks “would be in order” for all industry participants, especially in light of the increase in whistleblower complaints under RESPA.

Every MSA must comply with the RESPA Section 8 prohibition on the payment or receipt of any fee, kickback or other “thing of value” for the referral of mortgage loan or other “settlement services” business.  However, compensation for goods or facilities actually furnished or services actually performed is permissible under Section 8, at least so long as the compensation reflects the fair market value of the goods, facilities or services.  The industry has long attempted to rely on this exception for the payments for services actually performed as a means to avoid Section 8 violations.  This has usually worked in the past, but it’s going to be much harder to make this work in the future.

Read More

FinCEN Proposes Broad AML Obligations for Investment Advisers

August 31, 2015

Categories

As part of its continuing but slow expansion of the types of financial institutions that are subject to anti-money laundering (AML) obligations under the Bank Secrecy Act and USA PATRIOT Act, FinCEN proposed on August 25, 2015, to require certain investment advisers to establish and maintain AML programs and file suspicious activity reports (the Proposed Rules).  The Proposed Rules go further than FinCEN’s 2002 and 2003 proposals for investment advisors, which generally were limited to proposing AML program requirements only, without additional suspicious activity reporting and certain other record keeping requirements.

In explaining its rationale for the Proposed Rules, FinCEN acknowledges that advisers work with financial institutions that are already subject to BSA requirements, such as when executing trades through broker-dealers to purchase or sell client securities, or when directing custodial banks to transfer assets.  FinCEN notes, however, that these institutions may not have sufficient information to assess suspicious activity or money laundering, and that investment advisers therefore have an important role to play in safeguarding the financial system from terrorist activities and financial crime.

General Scope and Examination Authority

Under the Proposed Rules, covered investment advisers would include any persons who are registered or required to be registered with the SEC under section 203 of the Investment Advisers Act.  This would include both primary advisers and subadvisers.  However, because advisers with less than $100 million in regulatory assets under management are generally prohibited from registering with the SEC, those advisers would not be subject to the Proposed Rules.

Read More

Your Cybersecurity Expectations and Standards Have Just Gone Up

July 29, 2015

Categories

On June 30, 2015, the FFIEC released a Cybersecurity Assessment Tool and User’s Guide (“Guide”) intended “to help institutions identify their risks and assess their cybersecurity preparedness.” Financial institutions handling sensitive customer data should view this as a mixed blessing.

It is often said by technology and cybersecurity experts that the question is not whether a company will experience a security breach, but when. The important question then is how the company responds to that breach. One implication of these statements is that an institution should do the best that it can, but that no one should be punished too severely when the inevitable breach occurs. It was, after all, unavoidable.

The release of the Cybersecurity Assessment Tool arguably changes that analysis. Now there are more specific standards against which institutions may be judged. Those who fail to conduct an adequate cybersecurity risk assessment and implement appropriate controls can expect, when the inevitable security breach occurs, that plaintiffs and regulators will point to the Cybersecurity Assessment Tool as evidence that the institution failed to take appropriate steps to mitigate the risks.

Read More

FinCEN’s Beneficial Owner Proposal Conflicts with FCRA

April 2, 2015

Authored by:

Categories

On August 4, 2014, FinCEN released proposed rules that would require banks and certain other financial institutions to identify the “beneficial owners” of their business entity customers and to verify the identity of each such beneficial owner (the “Proposal”).  If the Proposal results in final rules that are substantially identical to the proposed rules, financial institutions might be unable to comply without violating the federal Fair Credit Reporting Act (“FCRA”).

Under the Proposal, “beneficial owners” would generally include at least one manager of the entity and each individual owning 25% or more of the entity.  This could mean up to five individuals if no manager also owns 25% or more of the entity.

The Proposal would require a financial institution first to identify the customer’s beneficial owners.  This should be reasonably manageable because institutions would be able to provide a certification form to its customer and require that the customer name its beneficial owners.  Financial institution’s would not be required to take independent steps to verify the status of such persons as beneficial owners.

The potential legal conflict arises under the second prong of the Proposal, under which the financial institution would be required to verify the identity of those persons whom it has been told are the customer’s beneficial owners.  The Proposal would require a financial institution to verify the identity of each beneficial owner using risk-based procedures that are “identical to the covered financial institution’s Customer Identification Program procedures required for verifying the identity of customers that are individuals.”

Whether in a deposit or loan context, banks often will obtain a single credit report or other consumer report for the combined purposes of an initial OFAC screen, to confirm the customer’s creditworthiness, and to verify the customer’s identity under the institution’s Customer Identification Program (“CIP”).  Such reports are “consumer reports” under the FCRA and therefore subject to the FCRA’s rules, including with respect to when such reports may be obtained.

Read More

Complying with the Rules When Posting Privacy Notices Online

March 16, 2015

Authored by:

Categories

On October 28, 2014, the CFPB amended the consumer privacy rules of Regulation P to allow financial institutions to post privacy notices online rather than mailing the required annual notice each year.  Some institutions are already taking advantage of this alternate delivery method.  There are conditions to this option, however, and some institutions might not be satisfying those conditions.  It is important to confirm that your institution is meeting the following conditions if you have decided to take advantage of the new rule:

  1. No Opt Outs.  The alternate delivery method can be used only if you do not share your customers’ information in any way for which the customer has the right to opt out under Regulation P or Section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (FCRA).  This provision of the FCRA is the one under which information that otherwise would be a “consumer report,” such as credit experience with third parties, may be shared with an affiliate for other than marketing purposes so long as the consumer is given an opt-out right.
  2. Satisfy the FCRA Affiliate Sharing Rules.  You must have previously satisfied the affiliate sharing rules of Section 624 of the FCRA or you do so other than by delivery of the annual Regulation P privacy notice.  This provision seems to cause some confusion.  Section 624 of the FCRA is the provision under which an affiliate of a financial institution that receives certain information (such as transaction information) may not use that information for marketing purposes unless the consumer is notified of such use and given a chance to opt out.  The Section 624 notice would only need to be given one time so long as an institution honors consumers’ opt outs indefinitely, or could be delivered other than as part of a Regulation P privacy notice.  Therefore, so long as you are not relying on the annual Regulation P privacy notice to satisfy Section 624, you satisfy this condition to the alternate method for delivery of your annual Regulation P notice.
  3. No Changes to the Notice.  The privacy notice you post online cannot have changed since consumers received the immediately previous notice, other than to eliminate categories of information that you disclose or categories of third parties to whom you disclose information.  So, for example, if you previously shared information in a way that required that you to offer the consumer an opt-out right, you could stop such sharing.  This would allow you to satisfy the no opt-out rule described above and post your modified privacy notice online.
  4. Model Notice.  You must use the model form of privacy notice included in Regulation P.
  5. Notify Consumers of the Posting.  You must notify your customers each year that your privacy notice is available online and that it will be mailed to customers who request it by telephone.  This notice can be provided on an account statement, coupon book, or any other notice or disclosure that you are required or expressly and specifically permitted to issue to the customer under any other provision of law.
  6. Post the Notice Continuously in a Public Location.  Your privacy notice must be posted continuously and in a clear and conspicuous manner on a page of your Web site that consists only of the privacy notice and that can be accessed by consumers without having to log in, provide a password or agree to any conditions.
  7. Mail Upon Request.  If any customer requests a copy of the privacy notice by telephone, you must mail it to him or her within 10 days.

This alternate method for delivery of the annual Regulation P privacy notice will be attractive to many financial institutions, but don’t forget these conditions to this method.

Read More

New CFPB Disclosure Requirements Come Up Short

February 26, 2015

Authored by:

Categories

On October 28, 2014, the Consumer Financial Protection Bureau (“CFPB”) issued a final rule amending Regulation P (the “Amendment”), which implements the consumer privacy provisions of the Gramm-Leach-Bliley Act (“GLBA”).  In most cases prior to the amendment, Regulation P required financial institutions to mail paper copies of the annual privacy disclosure, which many in the financial industry felt was overly costly and needlessly burdensome.  The new rule permits covered institutions to publish privacy notices electronically on their websites, but only after satisfying the following conditions:

  1. The financial institution does not disclose nonpublic personal information to nonaffiliated third parties other than for the exception purposes that do not allow for consumer opt-outs, such as for servicing or processing the consumer’s account;
  2. The financial institution’s information sharing practices do not trigger opt-out rights pursuant to Regulation P or Section 603 of the Fair Credit Reporting Act (“FCRA”);
  3. The requirements of the affiliate sharing provisions of FCRA Section 624, as applicable, were previously satisfied or the annual privacy notice is not the only notice provided to satisfy those requirements;
  4. The information contained in the privacy notice has not changed since the customer received the previous notice, except for changes to eliminate categories of information the institution disclosures or categories of third parties to whom the information is disclosed;
  5. The financial institution uses the model form provided in Regulation P as its annual privacy notice;
  6. The financial institution must make its customers aware that its privacy notice is available on its website, that it will mail a paper copy of the notice to customers who request it by calling a specific number, and that the notice has not changed since the prior year’s version.  The financial institution can satisfy this requirement by inserting, at least once per year, a clear and conspicuous statement on an account statement, a coupon book, or on a notice or disclosure required by any provision of law.  The statement must include a specific URL that can be used to access the website;
  7. The financial institution must continuously post the annual privacy notice in a clear and conspicuous manner on a page of its website, without requiring a login or similar steps or agreement to any conditions to access the notice; and
  8. The financial institution must mail, within ten days of a request, a paper copy of the notice to any customer who makes such request by telephone.

Importantly, if the financial institution changes its privacy practices or engages in information-sharing activities for which customers have a right to opt-out, it must use one of the permissible delivery methods that predated the rule change (paper notices or electronic with E-Sign consent).

Read More
The attorneys of Bryan Cave LLP make this site available to you only for the educational purposes of imparting general information and a general understanding of the law. This site does not offer specific legal advice. Your use of this site does not create an attorney-client relationship between you and Bryan Cave LLP or any of its attorneys. Do not use this site as a substitute for specific legal advice from a licensed attorney. Much of the information on this site is based upon preliminary discussions in the absence of definitive advice or policy statements and therefore may change as soon as more definitive advice is available. Please review our full disclaimer.