InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Fed officially launches FedNow instant payment service
On July 20, the Federal Reserve Board launched its FedNow service for instant payments. Banks and credit unions of any size can sign up and use the tool to instantly transfer money for their customers at any time of day on any day of the year, the Fed said. As previously covered by InfoBytes, the Fed began formally certifying participants to use the service in April. Early adopters completed a customer testing and certification program in preparation for sending live transactions through the system. In addition to these early adopting banks and credit unions (and the Treasury Department’s Bureau of Fiscal Service), 16 service providers are also ready to support payment processing for participants. Once fully available, “instant payments will provide substantial benefits for consumers and businesses, such as when rapid access to funds is useful, or when just-in-time payments help manage cash flows in bank accounts,” the Fed explained. The Fed expects that customers of FedNow participants will eventually be able to use a financial institution’s mobile app, website, and other interfaces to send instant payments quickly and securely. As an interbank payment system, FedNow will operate alongside other Fed payment services, including Fedwire and FedACH.
CFPB finds issues in servicemember use of payment apps
On June 20, the CFPB released its Office of Servicemember Affairs Annual Report, highlighting financial threats associated with military families’ use of digital payment apps. The report analyzed complaints submitted by military families, veterans, and servicemembers (totaling 66,400 complaints in 2022 alone, a 55 percent increase from 2021). Notably, servicemembers’ complaints exceeded the percentage filed by all consumers for topics including debt collection, credit cards, mortgages, and more.
Top complaints are linked to: (i) fraud and scams when using digital payment apps; (ii) identity theft and unauthorized account access; and (iii) failure of digital payment app providers to provide timely solutions to servicemember complaints. The Bureau explained that servicemembers can be exposed to greater risks of fraud and scams when using a digital payment app—“[o]ften during a permanent change of duty station, servicemembers face the need to secure housing, a new automobile, or daycare during a short window, which often requires them to conduct more online transactions using digital payment apps.” The Bureau also found that servicemembers are prime targets for identity theft, noting that servicemembers complained that digital payment service providers give insufficient support in response to their complaints.
To address the emerging risks, the Bureau recommended that digital payment app providers invest in privacy and security technology for their apps to combat fraudulent activity. The Bureau also suggested providers improve their responsiveness, especially in the case of military families who may be on a tight timeline during a permanent change of station or deployment. The Bureau also recommended that providers implement tailored policies on fraud losses and automatic fraud detection in recognition of the unique circumstances military families face.
CFPB releases regulatory agenda
The Office of Information and Regulatory Affairs recently released the CFPB’s spring 2023 regulatory agenda. Key rulemaking initiatives that the agency expects to initiate or continue include:
- Overdraft fees. The Bureau is considering whether to engage in pre-rulemaking activity in November to amend Regulation Z with respect to special rules for determining whether overdraft fees are considered finance charges.
- FCRA rulemaking. The Bureau is considering whether to engage in pre-rulemaking activity in November to amend Regulation V, which implements the FCRA. In January, the Bureau issued its annual report covering information gathered by the Bureau regarding certain consumer complaints on the three largest nationwide consumer reporting agencies (CRAs). CFPB Director Rohit Chopra noted that the Bureau “will be exploring new rules to ensure that [the CRAs] are following the law, rather than cutting corners to fuel their profit model.” (Covered by InfoBytes here.)
- Insufficient funds fees. The Bureau is considering whether to engage in pre-rulemaking activity in November regarding non-sufficient fund (NSF) fees. The Bureau commented that while NSF fees have been a significant source of fee revenue for depository institutions, recently some institutions have voluntarily stopped charging such fees.
- Amendments to FIRREA concerning automated valuation models. On June 1, the Bureau issued a joint notice of proposed rulemaking (NPRM) with the Federal Reserve Board, OCC, FDIC, NCUA, and FHFA to develop regulations to implement quality control standards mandated by the Dodd-Frank Act concerning automated valuation models used by mortgage originators and secondary market issuers. (Covered by InfoBytes here.) Previously, the Bureau released a Small Business Regulatory Enforcement Fairness Act (SBREFA) outline and report in February and May 2022 respectively. (Covered by InfoBytes here.)
- Section 1033 rulemaking. Section 1033 of Dodd-Frank provides that covered entities, such as banks, must make available to consumers, upon request, transaction data and other information concerning consumer financial products or services that the consumer obtains from the covered entity. Over the past several years, the Bureau has engaged in a series of rulemaking steps to prescribe standards for this requirement, including the release of a 71-page outline of proposals and alternatives in advance of convening a panel under the SBREFA and the issuance of a final report examining the impact of the Bureau’s proposals to address consumers’ personal financial data rights. (Covered by InfoBytes here.) Proposed rulemaking may be issued in October.
- Property Assessed Clean Energy (PACE) financing. The Bureau issued an NPRM last month to extend TILA’s ability-to-repay requirements to PACE transactions. (Covered by InfoBytes here.) The proposed effective date is at least one year after the final rule is published in the Federal Register (“but no earlier than the October 1 which follows by at least six months Federal Register publication”), with the possibility of a further extension to ensure compliance with a TILA timing requirement.
- Supervision of Larger Participants in Consumer Payment Markets. The Bureau is considering whether to engage in pre-rulemaking activity next month to define larger participants in consumer payment markets and further the scope of the agency’s nonbank supervision program.
- Nonbank registration. The Bureau announced its intention to identify repeat financial law offenders by establishing a database of enforcement actions taken against certain nonbank covered entities. (Covered by InfoBytes here.) The Bureau anticipates issuing a final rule later this year.
- Terms and conditions registry for supervised nonbanks. At the beginning of the year, the Bureau issued an NPRM that would create a public registry of terms and conditions used in non-negotiable, “take it or leave it” nonbank form contracts that “claim to waive or limit consumer rights and protections.” Under the proposal, supervised nonbank companies would be required to report annually to the Bureau on their use of standard-form contract terms that “seek to waive consumer rights or other legal protections or limit the ability of consumers to enforce or exercise their rights” and would appear in a publicly accessible registry. (Covered by InfoBytes here.) The Bureau anticipates issuing a final rule later this year.
- Credit card penalty fees. The Bureau issued an NPRM in February to solicit public feedback on proposed changes to credit card late fees and late payments and card issuers’ revenue and expenses. (Covered by InfoBytes here.) Under the CARD Act rules inherited by the Bureau from the Fed, credit card late fees must be “reasonable and proportional” to the costs incurred by the issuer as a result of a late payment. A final rule may be issued later this year.
- LIBOR transition. In April, the Bureau issued an interim final rule, amending Regulation Z, which implements TILA, to update various provisions related to the LIBOR transition. Effective May 15, the interim final rule further addresses LIBOR’s sunset on June 30, by incorporating references to the SOFR-based replacement—the Fed-selected benchmark replacement for the 12-month LIBOR index—into Regulation Z. (Covered by InfoBytes here.)
CFPB general counsel highlights risks in payments industry
On May 9, CFPB General Counsel and Senior Advisor to the Director, Seth Frotman, discussed the evolution of the payments system and its significant impact on consumer financial protection. Speaking before the Innovative Payments Association, Frotman commented that over the past few years, growth in the use of noncash payments (i.e. ACG, cards, and checks) accelerated faster from 2018 to 2021 than in any previous period, with the value of noncash payments since 2018 increasing nearly 10 percent per year, approaching almost $130 trillion in 2021. The value of ACH transfers and the number of card payments also increased tremendously, Frotman noted, pointing to a rapid decline in ATM cash withdrawals and the use of checks. He observed that the use of peer-to-peer (P2P) payment platforms and digital wallets is also growing quickly, with more traditional financial institutions redoubling their efforts to expand product offerings to capture market shares in this space. Additionally, several large tech firms, drawing on their significant customer bases and brand recognition, are looking to integrate payment services into their operating systems, with some offering payment products used by consumers daily, Frotman said.
Addressing concerns relating to data harvesting and privacy, Frotman said the Bureau is concerned that companies, including big tech companies, are using payment data to engage in behavioral targeting or individualized marketing, while some companies are sharing detailed payments information with data brokers or third parties as a way to monetize data. These behaviors, which he said only increase as payment systems continue to grow, raise the potential for harm, including limiting competition and consumer choice and stifling innovation. Frotman added that these issues are not limited to big tech. Banks, Frotman said, are also rolling out digital wallets as a way to access payment information, and Buy Now Pay later lenders are collecting consumer data “to increase the likelihood of incremental sales and maximize the lifetime value extracted from each current, past, or potential borrower.” Frotman reminded attendees that the Bureau has several critical tools at its disposal to address concerns about how data is bought, sold, used, and protected, and warned the payments industry to comply with applicable legal requirements.
Frotman also discussed challenges facing “gig” and other non-standard workers when trying to navigate consumer financial markets, particularly with respect to the intersection between how workers are being paid and the EFTA. According to Frotman, the Bureau is concerned about whether gig workers are being improperly required to receive payments through a particular financial institution or via a particular payment product or app. Frotman instructed employers to provide payment options that do not require workers to establish an account with a particular institution to ensure they do not run afoul of the EFTA’s “compulsory use” provision. Consumers who use a personal P2P app for work transactions are also entitled to EFTA protections with respect to fraud and error resolution, Frotman added. Frotman closed his remarks by touching briefly on liquidity and stability in the P2P payment system. He warned that consumers who use P2P payment products to store funds do not have the same level of protection as consumers who use traditional banking products.
House subcommittee holds hearing on stablecoin regulation
The House Financial Services Subcommittee on Digital Assets, Financial Technology and Inclusion recently held a hearing to examine stablecoins’ role in the payment system and to discuss proposed legislation for creating a federal framework for issuing stablecoins. A subcommittee memorandum identified different types of stablecoins (the most popular being pegged to the U.S. dollar to diminish volatility) and presented an overview of the market, which currently consists of more than 200 different types of stablecoins, collectively worth more than $132 billion. The subcommittee referred to a 2021 report issued by the President’s Working Group on Financial Markets, along with the FDIC and OCC (covered by InfoBytes here), in which it was recommended that Congress pass legislation requiring stablecoins to be issued only by insured depository institutions to ensure that payment stablecoins are subject to a federal prudential regulatory framework. The subcommittee discussed draft legislation that would define a payment stablecoin issuer and establish a regulatory framework for payment stablecoin issuers, including enforcement requirements and interoperability standards.
Subcommittee Chairman, French Hill (R-AR), delivered opening remarks, in which he commented that the proposed legislation would require stablecoin issuers to comply with redemption requirements, monthly attestation and disclosures, and risk management standards. Recognizing the significant amount of work yet to be done in this space, Hill said he believes that “innovation is fostered through choice and competition,” and that “one way to do that is through multiple pathways to become a stablecoin issuer, though with appropriate protections [to] prevent regulatory arbitrage and a race to the bottom.” He cited reports that digital asset developers are leaving the U.S. for countries that currently provide a more established regulatory framework for digital assets, and warned that this will stymie innovation, jobs, and consumer/investor protection. He also criticized ”the ongoing turf war between the SEC and CFTC” with respect to digital assets, and warned that “[w]hen you have two agencies contradicting each other in court about whether one of the most utilized stablecoins in the market is a security or a commodity, what you end up with is uncertainty.”
Witness NYDFS Superintendent Adrienne A. Harris discussed the framework that is currently in place in New York and highlighted requirements for payment stablecoin issuers operating in the state. In a prepared statement, Harris said many domestic and foreign regulators call the Department’s regulatory and supervisory oversight of virtual currency the “gold standard,” in which virtual currency entities are “subject to custody and capital requirements designed to industry-specific risks necessary for sound, prudential regulation.” Harris explained that NYDFS established “additional regulations, guidance, and company-specific supervisory agreements to tailor [its] oversight” over financial products, including stablecoins, and said the Department is the first agency to provide regulatory clarity for these types of products. She highlighted guidance released last June, which established criteria for regulated entities seeking to issue USD-backed stablecoins in the state (covered by InfoBytes here), and encouraged a collaborative framework that mirrors the regulatory system for more traditional financial institutions and takes advantage of the comparative strengths offered by federal and state regulators. Federal regulators will be able to comprehensively address “macroprudential considerations” and implement foundational consumer and market protections, while states can “leverage their more immediate understanding of consumer needs” and more quickly modernize regulations in response to industry developments and innovation, Harris said.
Fed governor outlines CBDC risks
On April 18, Federal Reserve Governor Michelle W. Bowman cautioned that the risks of creating a U.S. central bank digital currency (CBDC) may outweigh the benefits for consumers. Bowman said the Fed continues to engage in exploratory work to understand how a CBDC could potentially improve payment speeds or better financial inclusion, and noted that the agency is also trying to understand how new potential forms of money like CBDCs and other digital assets could play a larger role in the economy. In prepared remarks delivered before Georgetown University’s McDonough School of Business Psaros Center for Financial Markets and Policy, Bowman raised several policy considerations relating to privacy, interoperability and innovation, and the potential for “unintended effects” on the banking system should a CBDC be adopted. She also commented that due to the upcoming rollout of the agency’s FedNow Service in July (covered by InfoBytes here), real-time retail payments will happen without the introduction of a CBDC. With respect to privacy, Bowman cautioned that any CBDC “must ensure consumer data privacy protections embedded in today’s payment systems continue and are extended into future systems.” She added that “[i]n thinking about the implications of CBDC and privacy, we must also consider the central role that money plays in our daily lives, and the risk that a CBDC would provide not only a window into, but potentially an impediment to, the freedom Americans enjoy in choosing how money and resources are used and invested.”
NYDFS, crypto payment company reach AML/cybersecurity settlement
On March 16, NYDFS issued a consent order against a payment service provider for allegedly failing to comply with the state’s virtual currency and cybersecurity regulations. The company was licensed to engage in virtual currency business activity in the state pursuant to 23 NYCRR Part 200. Licensees under Part 200 are required to, among other things, comply with federal and state laws mandating effective controls to guard against money laundering and certain other illegal activities. A 2022 NYDFS examination revealed that, although the company made improvements to address deficiencies within its AML and cybersecurity compliance programs that were identified during a 2018 examination, the programs still required additional improvements to achieve regulatory compliance. NYDFS concluded that the company violated sections of Part 200 by allegedly failing to develop adequate internal policies and controls to maintain compliance with applicable AML laws or to develop procedures to ensure compliance with necessary risk management requirements under applicable OFAC regulations. Furthermore, the company violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to conduct periodic cybersecurity risk assessments and failing to timely appoint a designated chief information security officer responsible for overseeing, implementing, and reporting on the company’s cybersecurity program. Under the terms of the consent order, the company agreed to pay a $1 million civil monetary penalty and submit an action plan to NYDFS within 180 days detailing its remediation efforts. The company also agreed to conduct a comprehensive cybersecurity risk assessment within 150 days and to continue to strengthen its controls, policies, and procedures to prevent future violations.
Fed to launch FedNow in July
On March 15, the Federal Reserve Board announced a July launch date for its FedNow Service. (Covered by a Special Alert here.) Beginning the first week of April, the Fed will start formally certifying participants, with early adopters completing a customer testing and certification program in preparation for sending live transactions through the system. The certification process “encompasses a comprehensive testing curriculum with defined expectations for operational readiness and network experience,” the Fed explained. “We couldn’t be more excited about the forthcoming FedNow launch, which will enable every participating financial institution, the smallest to the largest and from all corners of the country, to offer a modern instant payment solution,” said Ken Montgomery, First Vice President of the Federal Reserve Bank of Boston and FedNow program executive. “With the launch drawing near, we urge financial institutions and their industry partners to move full steam ahead with preparations to join the FedNow Service,” Montgomery added.
In addition to certifying early adopters for the July launch, the Fed said it will continue to engage with financial institutions and service providers to complete the testing and certification program throughout 2023 and beyond. FedNow “will launch with a robust set of core clearing and settlement functionality and value-added features,” the agency said, explaining that “[m]ore features and enhancements will be added in future releases to continue supporting safety, resiliency and innovation in the industry as the FedNow network expands in the coming years.”
9th Circuit orders district court to reassess $7.9 million civil penalty against payments company
On January 27, the U.S. Court of Appeals for the Ninth Circuit ordered a district court to reassess its decision “under the changed legal landscape since its initial order and opinion” in an action concerning alleged misrepresentations made by a bi-weekly payments company. The Bureau filed a lawsuit against the company in 2015, alleging, among other things, that the company made misrepresentations to consumers about its bi-weekly payment program when it overstated the savings provided by the program and created the impression the company was affiliated with the consumers’ lender. In 2017, the district court granted a $7.9 million civil penalty proposed by the Bureau, as well as permanent injunctive relief, but denied restitution of almost $74 million sought by the agency. (Covered by InfoBytes here.) The company appealed the district court’s conclusion that it had engaged in deceptive practices in violation of the Consumer Financial Protection Act, while the Bureau cross-appealed the district court’s decision to deny restitution. The 9th Circuit consolidated the appeals for consideration.
During the pendency of the cross-appeals, the U.S. Supreme Court issued a decision in 2020 in Seila Law LLC v. CFPB, in which it determined that the director’s for-cause removal provision was unconstitutional but was severable from the statute establishing the Bureau (covered by a Buckley Special Alert). Following Seila, former Director Kathy Kraninger ratified several prior regulatory actions (covered by InfoBytes here), including the enforcement action brought against the company. At issue in the company’s appeal is whether the Bureau has authority to pursue its claims, including whether the agency’s funding mechanism is unconstitutional and whether its case is distinguishable from other actions and is entitled to dismissal for the Bureau director’s unconstitutional for-cause removal provision.
The appellate court declined to offer a position on these issues, and instead left them for the district court to consider. The 9th Circuit noted that since the district court’s 2017 order, “sister circuit courts have split” on the funding issue. “We vacate the district court’s order and remand, allowing it to reassess the case under the changed legal landscape since its initial order and opinion,” the appellate court wrote, directing the district court to “provide further consideration to [the company’s] argument on the constitutionality of the Bureau’s funding mechanism.” With respect to the Bureau’s appeal of the restitution denial, the 9th Circuit remanded the case to allow the district court to consider the effect CFPB v. CashCall and Liu v. SEC may have on the action (covered by InfoBytes here and here), as well as whether the agency “waived its claim to legal restitution by characterizing it only as a form of equitable relief before the district court.”
Credit union to pay $558,000 in cyber fraud case
On January 12, the U.S. District Court for the Eastern District of Virginia ruled that a credit union (defendant) is responsible for $558,000 in compensatory damages for processing a payment order that was allegedly induced through fraud by the beneficiary, but later rescinded its decision to award punitive damages. According to the initial opinion and order, in October 2018, the plaintiff received a “spoofed” email from an unknown third party claiming to be one of the plaintiff’s suppliers. The email instructed the plaintiff to change its banking remittance information for the supplier. However, unknown to the plaintiff, the new banking information contained in the email belonged to an individual who had opened a personal account with the defendant months prior. The order stated that from October to November in 2018, the plaintiff made four payments to the individual’s account held by the defendant, identifying the supplier as the beneficiary. The plaintiff sued alleging that the defendant failed to “comport with basic security standards that resulted in the unlawful diversion of funds.” According to the opinion and order, the court found that Virginia Commercial Code required the defendant to reject the deposits if it knew there was a discrepancy between the intended beneficiary and the account receiving the deposit. The court further wrote that the defendant did not have a duty to “proactively” discover a discrepancy, but found that “the evidence at trial illustrated that [the defendant] did not maintain reasonable routines for communicating significant information to the person conducting the transaction. If [the defendant] had exercised due diligence, the misdescription would have been discovered during the first [] transfer.” Additionally, the court stated the defendant did have “actual knowledge” of the fraud because “the transfers generated real-time warnings that the name of the intended beneficiary [] did not match the name of the owner of the account receiving the [deposits].” The court awarded the plaintiff $558,000 in compensatory damages and $200,000 in punitive damages. However, the court rescinded the punitive damage award stating that the plaintiff has not provided sufficient evidence to support punitive damages.