
InfoBytes Blog

Financial Services Law Insights and Observations


  • CFTC subcommittee issues report on responsible AI use

    Fintech

    On May 2, a CFTC subcommittee on Emerging and Evolving Technologies issued a report on the responsible use of artificial intelligence (AI) by exchanges, clearinghouses, futures commission merchants, brokers, and data repositories, among others, interested in using AI in financial markets. The report examined AI use cases in financial services, reviewed the risks of AI for CFTC-registered entities, and set out five recommendations for the CFTC: (1) the CFTC should host a public roundtable discussion with industry leaders; (2) the CFTC should define and adopt an AI risk management framework to assess consumer harms and benefits of AI use by CFTC-registered entities; (3) the CFTC should create an inventory of existing AI regulations and identify gaps where staff guidance or rulemaking would be needed; (4) the CFTC should establish a process to align its policies with other federal agencies; and (5) the CFTC should increase staff participation in domestic and international dialogues around AI.

    Fintech Artificial Intelligence Department of Treasury Governance Anti-Money Laundering

  • GAO calls for the FDIC to address outstanding recommendations

    On April 30, GAO sent a letter to the FDIC on its outstanding recommendations, emphasizing the importance of two priority recommendations, which pertained to blockchain technology and fintech. Regarding blockchain technology, the letter stressed the need for the FDIC and other financial regulators to establish a formal mechanism to identify and address blockchain-related risks. Despite the regulator's coordination, the response to crypto-asset risks had been criticized as untimely. With respect to fintech, this recommendation would have the FDIC and relevant agencies clarify the appropriate use of alternative data in loan underwriting for banks that partner with fintech lenders. The letter also called for the FDIC's attention to additional high-risk areas, including IT management, human capital, federal real property, cybersecurity, and the personnel security clearance process.

    Bank Regulatory Federal Issues GAO FDIC Bank Supervision Congress Fintech Blockchain

  • CFPB finalizes rule to change its supervision designation procedures for nonbanks

    Agency Rule-Making & Guidance

    On April 16, the CFPB issued a procedural rule to change how the Bureau will designate nonbanks for supervision. Under the CFPA, the CFPB was authorized to supervise a nonbank covered person if the Bureau had reasonable cause to determine that the nonbank covered person was engaged in financial services-related conduct that posed a risk to consumers. In 2013, the CFPB issued a rule providing procedures to govern supervisory designation proceedings under this authority; in 2022, the CFPB published a final rule amending the procedural rule to allow it to publicize its resolution of any contested designation proceeding (covered by InfoBytes here). In late February 2024, the CFPB transitioned to a new organizational structure for its supervision and enforcement work, and this rule will reflect the technical changes of the new structure in the context of supervisory designation proceedings.

    According to the Bureau, there were small differences between two separate provisions under the 2013 rule that allowed nonbanks to consent to the CFPB’s exercise of supervisory authority. The new procedural rule will combine these provisions and clarify a few points of distinction from the two original provisions, including (i) a consent agreement does not constitute an admission; and (ii) supervision durations following consent agreements can be negotiated on a case-by-case basis, instead of applying a default duration of two years.

    Regarding the Supervision Director’s notice of reasonable cause, the rule will expand the possible methods of delivery to include other methods that are “reasonably calculated to give notice.” Additionally, the rule states that the initiating official may withdraw a notice, and that they may file a written reply to the notice recipient’s response, neither of which was contemplated under the previous rule. The Bureau said these changes could allow for more transparency in the decision-making process.

    Concerning a supplemental oral response, the Bureau noted under the previous rule, a respondent nonbank entity presented supplemental oral responses to the Associate Director for Supervision, Enforcement, and Lending. In light of the elimination of the Associate Director position pursuant to a recent reorganization that split the Division of Supervision, Enforcement, and Fair Lending into a Division of Enforcement and a Division of Supervision, the rule provided that the Director of the Bureau will assume the Associate Director’s adjudicative roles and supervision-related functions. Therefore, the Director will be responsible for issuing a decision and order subjecting an entity to the Bureau’s supervision or terminating a proceeding.

    The rule further stipulated that (i) an additional time limit for mail and delivery services is no longer warranted, since email would be “generally instantaneous”; (ii) there will be a 13,000-word limit for the proceeding filings; and (iii) any changes to time or word limits can be decided between the initiating official and the respondent with a notice to the Director and will be subject to change by the Director.

    Regarding the confidentiality of proceedings, the rule maintained a process for the CFPB to decide whether to publicly release final decisions and orders, including orders entered as a result of a respondent failing to file a response and therefore defaulting. The Bureau did note, however, that consent agreements entered into between the initiating official and the respondent will not be subject to public release under the rule.

    The rule also established an issue exhaustion requirement, requiring respondents to raise arguments they have in their written response to the Bureau to avoid waiving the argument in future proceedings. The Bureau will invite public comments which must be submitted 30 days after publication in the Federal Register, although the rule will be exempt from the notice-and-comment rulemaking requirements under the APA as a rule of agency organization, procedure, or practice. The rule will be effective upon publication to the Federal Register, and it will apply to proceedings pending on the effective date, unless the Director determined that it will be “not practicable.”

    Agency Rule-Making & Guidance Federal Issues CFPB Consumer Finance Nonbank Fintech Nonbank Supervision

  • Nacha’s new rules intend to reduce business fraud that uses credit-push payments

    Fintech

    On March 18, Nacha announced rule amendments intended to reduce the incidence of frauds that leverage credit-push payments, such as vendor impersonation and business email compromise (BEC). While, importantly, the rules will not shift liability for ACH payments as between the parties, they will establish obligations on originating financial institutions (ODFIs) and receiving depository financial institutions (RDFIs) to monitor the sending and receipt of payments for potential fraud, and they will empower the same to flag potentially fraudulent payments for action. Specifically, the rule amendments will allow “the originating financial institution (ODFI) to request the return of the payment for any reason, the RDFI to delay funds availability (within the limits of Regulation CC) to examine the payment more closely, and the RDFI to return a suspicious transaction on its own initiative without waiting for a request or a customer claim.” 

    As part of the amendment announcement, NACHA cited the FBI’s Internet Crime Complaint Center’s 2023 annual report, noting that BEC, vendor impersonation, and payroll impersonation are examples of fraudulent activities “that result in payments being ‘pushed’ from a payer’s account to the account of a fraudster,” and that there were 21,489 BEC complaints totaling $2.9 billion in reported losses in 2023, making BEC the second-costliest cybercrime category.

    The first set of rule amendments, effective October 1, will, among other things, allow an RDFI to use return code R17 for potential fraud, including for “false pretenses,” and an ODFI to request a return from an RDFI for any reason, including fraud. The first set of amendments also provided RDFIs “with an additional exemption from the funds availability requirements to include credit entries that the RDFI suspects are originated under false pretenses,” subject to Regulation CC. Finally, the RDFI will be required to promptly return any unauthorized consumer debit by the 6th banking day after it reviewed a consumer’s signed Written Statement of Unauthorized Debit.

    The first set of rule amendments will be followed by subsequent (phase 1 and phase 2) amendments. The phase 1 amendments, effective March 20, 2026, will, among other things, require ODFIs, and non-consumer originators, third-party providers, and third-party senders with an annual ACH origination volume of six million or more to implement or enhance appropriate risk-based processes and procedures to identify fraudulent transfers. Under phase 1, NACHA will also require RDFIs with ACH receipt volumes of 10 million or more to establish risk-based processes and procedures to identify fraudulent activity. The second phase, effective June 19, 2026, will require fraud risk monitoring for the remaining non-consumer originators, third-party providers, and third-party senders.

    Fintech NACHA ACH Fraud

  • CFPB, federal and state agencies to enhance tech capabilities

    Federal Issues

    On March 26, the CFPB announced, as part of a coordinated statement with other federal and state agencies, its intent to enhance its technological capabilities. As part of this initiative, the CFPB will be hiring more technologists to help enforce laws and find remedies for consumers, workers, small businesses, etc. These technologists will join interdisciplinary teams within the CFPB to monitor and address potential violations of consumer rights within the evolving tech landscape, particularly considering the growing attention to generative artificial intelligence (AI). The CFPB's technologists will be tasked with identifying new technological developments, recognizing potential risks, enforcing laws, and developing effective remedies. CFPB Director Rohit Chopra emphasized the essential role of technology in the Bureau’s efforts to regulate data misuse, AI issues, and big tech involvement in financial services. Chopra and Chief Technologist Erie Meyer remarked that the CFPB has integrated technologists into its core functions, with these experts now actively involved in supervisory examinations, enforcement actions, and other regulatory proceedings. They also noted that the CFPB has researched how emerging technologies, such as generative AI and near-field communication, are used in consumer finance. To foster a competitive and “law-abiding” marketplace, Chopra and Meyer also noted that the CFPB will continue to issue policy guidance to assist firms with understanding legal obligations.

    Federal Issues CFPB FCC FTC Fintech Consumer Protection

  • Department of Energy discontinues crypto mining survey following a settlement agreement

    Fintech

    On March 1, a cryptocurrency company (plaintiff) and the U.S. Department of Energy submitted a settlement agreement to the U.S. District Court for the Western District of Texas to discontinue an emergency crypto mining survey once approved by the Office of Management and Budget.

    According to the settlement agreement, the Department of Energy initiated an emergency three-year collection of a Cryptocurrency Mining Facilities Survey in January, which the plaintiff claimed did not comply with various statutory and regulatory requirements for the emergency collection of information. Following the court’s approval of the plaintiff’s temporary restraining order, which protected plaintiffs from completing the survey issued by the Department of Energy and protected any information they may have already submitted, the Department of Energy discontinued its emergency collection, and said it will proceed through notice-and-comment procedures for approval of any collection of information covering such data. As a result of the discontinuation of the emergency collection request, no entity or person is required to respond to the survey.

    As part of the settlement agreement, the Department of Energy will destroy any information it had already received from survey responses. In addition to a $2,199.45 payment for the plaintiffs’ litigation expenses, the Department of Energy also agreed to publish a new Federal Register notice of a proposed collection of information and withdraw its original notice. 

    Fintech Department of Energy Cryptocurrency Digital Assets Settlement Courts Bitcoin

  • U.S. Attorney General taps professor to lead new technology-focused roles

    Fintech

    On February 22, the U.S. Attorney General, Merrick B. Garland, announced that he tapped Jonathan Mayer to head the DOJ’s first Chief Science and Technology Advisor and Chief Artificial Intelligence (AI) Officer roles. The roles are housed in the DOJ’s Office of Legal Policy, which is developing a team of technical and policy experts in technology-related areas important to the Department’s responsibilities. These topics include cybersecurity and AI, with the aim to advise leadership and collaborate with other components across the Department and with federal partners on cutting-edge technological issues. As the first Chief Science and Technology Advisor, Mayer will contribute technical expertise on cybersecurity, AI, and emergent technology matters.

    The Chief AI Officer role was created pursuant to a presidential executive order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. In this role, Mayer will work on intra-departmental and cross-agency efforts on AI and adjacent issues, and he will also lead the Justice Department’s newly established Emerging Technology Board, which coordinates and governs AI and other emerging technologies across the Department.

    Mayer has a PhD in computer science from Stanford University and a J.D. from Stanford Law School. Mayer is an assistant professor at Princeton University’s Department of Computer Science and School of Public and International Affairs, where his research is focused on the intersection of technology, policy, and law with an emphasis on criminal procedure, national security, and consumer protection.

    Fintech Department of Justice Artificial Intelligence

  • Financial Stability Board’s letter addresses financial topics for upcoming G20 meeting

    Fintech

    On February 20, the Financial Stability Board (FSB) released a letter from its Chair, Klaas Knot, to the G20 Finance Ministers and Central Bank Governors ahead of the February 28-29 G20 meeting, setting up the agenda for maintaining global financial stability. The FSB is an organization made up of senior financial officials from G20 countries as well as international financial organizations including the International Monetary Fund, the World Bank, and the European Central Bank. The letter addressed financial system vulnerabilities, including the takeaways from the March 2023 banking crisis, nonbank financial intermediation (NBFI), digitalization of finance, climate change effects, and cross-border payment efficiency.

    On the first topic, the letter highlighted lessons wrought by the March 2023 banking crisis; the FSB advocated the need for public-sector backstop funding mechanisms, and more analytical work on interest rate and liquidity risk to explore vulnerabilities. On NBFI, the letter noted a structural vulnerability in asset management as the “potential mismatch between the liquidity of fund investments and daily redemption of fund units in open-ended funds[.]” On digital innovation, the letter urges the G20 to closely monitor any risks to financial stability, including crypto, tokens, and artificial intelligence. On climate change, the FSB plans to further analyze climate-related financial risks to financial stability. Last, on cross-border payments, the G20 Cross-border Payments Roadmap goal is to make cross-border payments “faster, cheaper, and more transparent and inclusive” while keeping their integrity and maintaining the “safety of the system.” The letter noted that FSB has collaborated with AML experts in both the public and private sectors to “increase the efficiency of payments systems and further enhance their integrity and safety.”

     

    Fintech Financial Stability Board G20 Of Interest to Non-US Persons Cross Border Activities Climate-Related Financial Risks

  • FDIC orders bank to plan termination of relationships with “significant” fintech partners

    Recently, the FDIC released a consent order against a Tennessee bank as part of its release of January Enforcement Decisions and Orders. The FDIC stated that within sixty days of the effective date of the consent order, the bank must “submit a general contingency plan to the Regional Director… [on] how the [b]ank will administer an effective and orderly termination with significant third-party FinTech partners,” as part of its Third-Party Risk Management program for the bank. The Program must assess and manage the risks posed by all fintech firms associated with the bank. It will include policies related to due diligence and risk assessment criteria that are appropriate to the products and services provided by the fintech partner. The bank must also engage an independent firm for completion of a comprehensive Banking-as-a-Service Risk Assessment Report.

    The bank further consented, without admitting or denying any charges of unsafe or unsound banking practices, to board supervision of the bank’s management and approval of the bank’s policies and objectives, qualified management, the Regional Director’s prior consent for new or expanded lines of business that would result in an annual 10 percent growth in total assets or liabilities, and a comprehensive strategic plan.

     

    Bank Regulatory FDIC Consent Order Fintech Risk Management Enforcement

  • States endorse the CFPB’s rule to regulate fintechs

    Federal Issues

    Recently, 19 state attorneys general submitted a comment letter supporting the CFPB’s proposed rule that would expand the CFPB’s supervisory authority to regulate nonbank fintech firms that offer digital payment services. They emphasized the importance of regulating nonbank financial institutions, including popular digital payment applications. The proposed rule aims to protect consumers from fraud, unregulated investment risks, and data privacy concerns. It addresses issues such as the lack of FDIC insurance for funds stored in digital payment applications, customer service problems, and potential risks associated with investment activities. The state attorneys general commend the CFPB for exercising its authority to improve the regulation of consumer financial products and urge prompt publication and implementation of the final rule.

    Fintech State Attorney General Comment Letter CFPB
