
InfoBytes Blog

Financial Services Law Insights and Observations



  • Utah amends consumer lending requirements

    State Issues

    On March 24, the Utah governor signed HB 319, which modifies provisions related to consumer lending in the state, including registration, reporting, and operational requirements for deferred deposit lenders. Among other things, the provisions require deferred deposit lenders to provide borrowers at least 30 days’ notice of default before initiating a civil action, allowing a borrower the opportunity to remedy the default. HB 319 also requires deferred deposit lenders seeking to renew a registration to report, for the immediately preceding calendar year, the total number of loans extended, the total dollar amount loaned, the number of borrowers who were extended loans, and the percentage of loans that were not repaid based on the terms of the loan, among other items. HB 319 further allows third party debt collection agencies to charge a “convenience fee” when debtors use a credit or debit card for the transaction of business, provided the convenience fee amount is disclosed prior to being charged and the debtor is given an alternative payment method that does not carry a fee. The amendments take effect 60 days following adjournment of the legislature.

    State Issues State Legislation Consumer Finance Consumer Lending Deferred Deposit Lenders Third-Party Debt Collection

  • OCC updates FAQs on third-party risk management

    Agency Rule-Making & Guidance

    On March 5, the OCC released Bulletin 2020-10, which provides answers to frequently asked questions (FAQs) concerning its existing guidance on management of third-party relationships, including relationships with fintech firms and data aggregators. This bulletin, issued to supplement Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” rescinds (but incorporates the substance of) OCC Bulletin 2017-21 (covered by InfoBytes here). Key topics addressed in the new FAQs include:

    • clarifying the definition of “third-party relationships” and “business arrangements”;
    • outlining expectations for banks that have third-party relationships with cloud computing providers or data aggregators;
    • addressing a bank’s reliance on and use of third party-provided reports, certificates of compliance, and independent audits;
    • discussing risk management when a third party—such as a less established fintech firm, start-up, or other small business—has limited ability to provide the same level of financial information or other due diligence-related information as a more established third party;
    • suggesting approaches for due diligence and ongoing monitoring in instances where the bank has limited negotiating power;
    • addressing ways banks can offer products or services to underbanked/underserved populations through fintech third-party relationships;
    • discussing considerations for banks when entering into a marketplace lending arrangement with a nonbank entity; and
    • outlining measures to address risk management when obtaining alternative data from a third party that may be used by or on behalf of a bank.

    The bulletin also reiterates that banks are expected “to practice effective risk management regardless of whether the bank performs an activity internally or through a third party,” and that a “bank’s use of third parties does not diminish the bank’s responsibility to perform the activity in a safe and sound manner and in compliance with applicable laws and regulations.”

    Agency Rule-Making & Guidance OCC Third-Party Risk Management Fintech

  • Fed governor discusses modernizing payment systems for community banks

    Federal Issues

    On February 27, Federal Reserve (Fed) Governor Michelle W. Bowman spoke before the Banking Outlook Conference held at the Federal Reserve Bank of Atlanta on ways the Fed can increase transparency and modernize payment services for community banks. Bowman stated that the Fed is “uniquely positioned as a provider of payment services and as a supervisor of banks to ensure that our nation’s evolving financial system works for community banks.” Bowman discussed how the Fed can achieve this objective by, among other things, (i) adopting an additional same-day automated clearinghouse (ACH) window, which “will allow banks and their customers, particularly those located outside the eastern time zone, to use same-day ACH services during a greater portion of the business day”; (ii) implementing FedNow, which would, as previously covered by InfoBytes, “facilitate end-to-end faster payment services, increase competition, and ensure equitable and ubiquitous access to banks of all sizes nationwide”; and (iii) encouraging partnerships between community banks and fintech firms to “leverage the latest technology to provide customer-first, community-focused financial services and provide customers with efficiencies, such as easy-to-use online applications or rapid loan decisionmaking.” Bowman highlighted the Fed’s fintech innovation office hours, as well as the Fed’s recently launched fintech innovation webpage (covered by InfoBytes here), and emphasized the Fed’s desire to hear directly from banks and fintech companies on innovation challenges.

    With respect to third-party service providers, Bowman proposed several important initiatives for the Fed to help community banks effectively manage their third-party relationships and access innovative new technology. These include providing clear, consistent due diligence guidance on third-party relationships to provide uniform standards that are aligned with guidance issued by the OCC and other banking agencies. Bowman also suggested increasing the transparency of its third-party supervisory program by releasing information that may be useful about key service providers to community banks, and tailoring regulatory burdens for community banks with assets under $1 billion.

    Federal Issues Federal Reserve Community Banks Third-Party Vendor Management Fintech ACH OCC

  • FDIC guide encourages fintech/bank partnerships

    Agency Rule-Making & Guidance

    On February 24, the FDIC’s technology lab, FDiTech, announced the release of a new guide intended to assist fintech companies and other third parties with bank partnerships. Conducting Business with Banks: A Guide for Fintechs and Third Parties identifies several areas for third parties to consider when exploring potential partnerships with banks relevant to navigating regulatory requirements and due diligence processes. These include being able to: (i) “[u]nderstand the framework of laws and regulations” applicable to banks, such as those “related to consumer protection, privacy and data security, . . . the Bank Secrecy Act[,] and federal anti-money laundering laws”; (ii) “[m]aintain a well-managed and financially strong business”; (iii) respond to requests for information from potential partners that demonstrate “product integrity, risk management mitigation, and consumer protection”; and (iv) demonstrate the ability to ensure ongoing compliance with applicable laws and regulations and that appropriate monitoring systems have been implemented. In addition, the guide also outlines special considerations for modelers, and emphasizes that banks will expect to understand a third party’s use of models and algorithms or other automated decision-making systems.

    As previously covered by InfoBytes, FDiTech was established in 2019 to encourage innovation within the banking industry, support collaboration for piloting new products and services, eliminate regulatory uncertainty, and manage risks.

    Agency Rule-Making & Guidance FDIC Fintech Third-Party Risk Management

  • Fed governor identifies community banks' fintech challenges


    On February 10, Federal Reserve (Fed) Governor Michelle W. Bowman spoke before the Conference for Community Bankers on the interaction between innovation and regulation for community banks. In discussing her “vision for creating pathways to responsible community bank innovation,” Bowman identified particular challenges facing smaller banks when identifying and integrating new technologies and offered suggestions for ways the Fed can assist these banks in managing relationships with third-party service providers. Acknowledging that responsible innovation requires community banks to identify goals and pinpoint products and services to implement their strategies, Bowman recognized that compliance costs can create an outsized and undue burden on smaller banks and stated that federal regulations should be tailored to bank size, risk, and complexity. Among other things, Bowman stated that the Fed could align its third-party service provider guidance with the OCC and other banking agencies to provide uniform standards to banks. “It is incredibly inefficient to have banks and their potential fintech partners and other vendors try to navigate unnecessary differences and inconsistencies in guidance across agencies,” Bowman noted. Regulators and supervisors have a role in easing the burden for community banks, she added, noting that third-party guidance should allow banks to conduct shared due diligence on potential partners and pool resources to avoid duplicating work. In addition, Bowman commented that the Fed could help banks make this choice by publishing a list of service providers subject to regulatory supervision and increasing transparency around “who and what” the Fed evaluates. Bowman further stated that any guidance should also explain what due diligence looks like for potential fintech partners, since standards applied to other third parties may not be universally applicable. 
    Giving community banks a better vision of what success in due diligence looks like, Bowman stated, will require releasing more information on its necessary elements.

    Bowman also highlighted the Fed’s upcoming fintech innovation office hours, as well as the Fed’s recently launched fintech website section (both covered by InfoBytes here), which are designed to help provide access to Fed staff, highlight supervisory observations regarding fintech, provide a hub of information for interested stakeholders on innovation-related matters, and deliver practical tips for banks and other companies interested in engaging in fintech activity.

    Fintech Federal Reserve Third-Party Community Banks Vendor Management

  • District Court: Michigan privacy law covers out-of-state residents


    On January 16, the U.S. District Court for the Eastern District of Michigan denied a publishing company’s motion to dismiss putative class allegations that it disclosed subscribers’ personal information to third parties, ruling that the subscribers did not need to live in Michigan in order to bring claims under the state’s Personal Privacy Protection Act (PPPA). According to the plaintiff, the company allegedly disclosed magazine subscribers’ personal reading information (PRI) to data aggregators that would then supplement it with additional information (including age, gender, income, and employer names) in order to create detailed customer profiles. The company then allowed “almost any organization to rent a customer list containing numerous categories of detailed customer information,” the plaintiff alleged. The company argued, however, that the plaintiff, who resides in Virginia, lacked standing to bring claims under the PPPA because the law protects only Michigan residents. The company also contended that the plaintiff failed to demonstrate concrete injury suffered as a result of the company’s alleged disclosure of PRI to third parties without consent.

    The court disagreed with both arguments, stating that the company’s argument “rests solely on the fact that a non-Michigan resident has never brought suit under the PPPA,” which is “unpersuasive and contravened by the language of the statute and case law.” The PPPA does not impose a residency requirement in order for customers to qualify for protections under the statute, the court stated, noting that “[i]f the Michigan legislature intended to limit the statute to Michigan residents, it could have done so explicitly.” Among other things, the court also concluded that the plaintiff satisfied the injury-in-fact element for Article III standing because “the alleged economic harm caused by the disclosure of PRI provides support to conclude [the plaintiff] suffered a concrete injury.”

    Courts Class Action State Issues Privacy/Cyber Risk & Data Security Third-Party

  • OCC highlights key risks affecting the federal banking system in semiannual risk report

    Federal Issues

    On December 9, the OCC released its Semiannual Risk Perspective for Fall 2019, identifying and reiterating key risk areas that pose a threat to the safety and soundness of national banks and federal savings associations, including credit, operational, and interest rate risks. While the OCC commented that “bank financial performance is sound,” it also advised that “[b]anks should prepare for a cyclical change while credit performance is strong,” emphasizing that “[c]redit risk has accumulated in many portfolios.” The OCC also highlighted that competition with nonbank mortgage and commercial lending could pose a risk as well.

    Specific areas of concern that the OCC described include: elevation of operational risk as advances in technology and innovation in core banking systems result in a changing and increasingly complex operating environment; increased use of third-party service providers that contribute to continued threats of fraud; need for prudent credit risk management practices that include “identifying borrowers that are most vulnerable to reduced cash flows from slower than anticipated economic growth”; “volatility in market rates [leading] to increasing levels of interest rate risk”; LIBOR’s anticipated cessation and whether banks have started to determine the potential impact of cessation and develop risk management strategies; and strategic risks facing banks as non-depository financial institutions (NDFI) use evolving technology and expand data analysis abilities (the OCC commented that NDFIs “are strong competitors to bank lending models”). The OCC also noted that there is increased interest from banks in sharing utilities with NDFIs to implement Bank Secrecy Act/anti-money laundering compliance programs and sanctions processes and controls.

    Federal Issues OCC Agency Rule-Making & Guidance Risk Management Bank Regulatory Third-Party LIBOR Fintech Bank Secrecy Act Bank Compliance

  • District Court denies request to enforce modified CID, says CFPB can issue third-party CID


    On October 18, the U.S. District Court for the District of Columbia denied defendants’ request to enforce a modified Civil Investigative Demand (CID) and prevent the CFPB from obtaining personal information about the defendants’ clients via CIDs to third parties. In August 2017, the CFPB issued a CID to the defendants requesting various documents and information. The defendants challenged the scope of the original CID and, following mediation, the parties stipulated to a modified CID that no longer sought personal information of the defendants’ clients who obtained products or services related to immigration bonds. The CFPB subsequently issued third party CIDs and requested the personal information of the defendants’ clients from certain other parties. In March 2019, the defendants moved to enforce the modified CID, claiming that the CFPB “reneged on its stipulation and [acted] in bad faith” by seeking this personal information from third parties. The court, however, denied the defendants’ request to enforce the modified CID, ruling that “the modified CID makes no mention of CIDs issued to other parties,” and that the parties’ stipulation did not “preclude the CFPB from acquiring any type of information from third parties.” The court also explained that it was unclear whether the defendants had standing to contest the CFPB’s CID to a third party, noting that the defendants failed to state how they would suffer an injury if the pertinent information was disclosed by a third party.

    Courts CFPB CIDs Third-Party

  • CFPB report finds one in four consumers have debts in collection

    Federal Issues

    On July 18, the CFPB released a report providing an overview of third-party debt collection tradelines from 2004 to 2018, which the Bureau segmented into two parts: debt buyer tradelines and non-buyer debt collections tradelines. The CFPB’s report, “Market Snapshot: Third-Party Debt Collections Tradeline Reporting,” is based on a nationally representative sample of approximately 5 million credit records from one of the three major credit bureaus. According to the report, as of the second quarter of 2018, more than one in four consumers in the sample have at least one debt in collection by third-party debt collectors. Additionally, fewer than 900 unique furnishers of third-party collections tradelines nationwide reported unpaid debts for consumers in the sample, according to the Bureau—a decrease from the 2,294 collectors reported back in 2004. The report also notes that in the second quarter of 2018, the top four debt buyers account for 90 percent of all debt buyer tradelines for consumers in the sample, while the top four non-buyers, by comparison, accounted for just 13 percent of reported tradelines. Furthermore, in the second quarter of 2018, 3 out of 4 of all reported tradelines in the sample from non-buyers were for non-financial debt, such as medical, telecommunications, or utilities debt. Buyers, in contrast, were more likely to report unpaid financial, retail, or banking debts.

    Federal Issues CFPB Third-Party Debt Collection Consumer Finance

  • Oregon enacts new vendor data breach notification requirements

    State Issues

    On May 24, the Oregon Governor signed SB 684, which amends the state’s data breach notification provisions related to third-party vendors. Among other provisions, the amendments require vendors that are contracted to maintain or access personal information on behalf of a covered entity to (i) notify the covered entity “as soon as is practicable but not later than 10 days” after discovering a security breach or believing a breach has occurred; and (ii) notify the state Attorney General if a security breach involves personal information of more than 250 consumers, or an undetermined amount of consumers, provided that the covered entity has not already done so. SB 684 also updates the definition of personal information to include usernames in combination with other authentication factors used to access a consumer’s account, and establishes that a covered entity or vendor may “affirmatively defend” against allegations it has not adequately safeguarded personal information by showing that it maintained reasonable security measures for protecting personal information in compliance with HIPAA or the Gramm-Leach-Bliley Act, as applicable. The amendments take effect January 1, 2020.

    State Issues State Legislation Data Breach Privacy/Cyber Risk & Data Security Third-Party
