InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
GAO encourages increased collaboration in fintech regulation
In March, the Government Accountability Office ("GAO") issued a report addressing aspects of the fintech marketplace, including the benefits and risks for consumers; current regulatory oversight and challenges; and recommendations for federal action. The report notes that fintech products – such as payments, lending, wealth management, and distributed ledger technologies, among others – generally produce benefits to consumers in the form of lower costs and easier access. Nonetheless, fintech innovation comes with associated risks as certain products may not be covered by existing consumer protection laws, and the extent to which fintech providers are subject to federal and state oversight varies. According to the GAO, fintech providers note that complying with the “fragmented” federal and state requirements is “costly and time consuming.” The report emphasizes the need for regulators to increase collaboration to address key concerns in the fintech market, such as financial account aggregation. The GAO also highlights the efforts other jurisdictions have taken to increase fintech innovation and recommends U.S. federal agencies consider successful foreign regulatory approaches, such as “regulatory sandboxes,” which allow fintech companies to offer products on a limited scale with certain regulatory relief.
Of note, Arizona recently became the first U.S. state to introduce a “regulatory sandbox” for fintech products marketed and sold to Arizona consumers. See InfoBytes summary here.
NYDFS issues cybersecurity compliance certificate reminder
On March 5, the New York Department of Financial Services (NYDFS) published FAQs for regulated entities that have not yet filed cybersecurity certifications of compliance (Certification of Compliance) required under 23 NYCRR 500. The deadline to file was February 15 and notices recently were sent to regulated entities. Among other things, the FAQs state that a separate Certification of Compliance must be filed for each license an entity holds, and that entities who have failed to submit a Certification of Compliance must do so “as soon as possible.” Entities that received a reminder to certify their compliance but filed for an exemption under Section 500.19 are still required to file the Certificate of Compliance to “confirm that they are in compliance with those provisions of the regulation that apply.”
Find continuing InfoBytes coverage on NYDFS’s cybersecurity regulation here.
9th Circuit denies bank’s challenge to FDIC bank secrecy order
On March 12, the U.S. Court of Appeals for the 9th Circuit upheld a 2016 FDIC cease and desist order against a California bank arising out of alleged deficiencies in compliance management relating to the Bank Secrecy Act (BSA) and anti-money laundering laws. According to the opinion, FDIC examinations dating back to 2010 identified areas for BSA compliance improvement. While the bank made adjustments in response to the original findings, a 2012 FDIC examination found the bank’s BSA compliance program still was deficient, including because it did not “establish and maintain procedures designed to ensure adequate internal controls, independent testing, administration, and training”—known as the “four pillars”—and because the bank had not filed a necessary suspicious activity report. The bank argued that the BSA compliance standards were too vague, accused FDIC examiners of bias during the examination in a manner that violated its due process rights, and alleged that the decision was not supported by substantial evidence.
The three-judge panel ruled that (i) there was no bias in the FDIC’s decision to assess a penalty against the bank because there was substantial evidence to support an administrative law judge’s findings that the bank’s failure to maintain adequate controls violated BSA regulations; and (ii) because the BSA and FDIC’s implementing regulations are “economic in nature and threaten no constitutionally protected rights,” vagueness is not an overriding concern. While the “four pillars” of BSA compliance are open to interpretation, the panel noted, the FDIC provides banks with a manual written by the Federal Financial Institutions Examination Council that sets forth a uniform compliance standard. Furthermore, FDIC Financial Institution Letter 17-2010 clarifies that the manual contains the FDIC’s BSA compliance supervisory expectations. “A BSA Officer at the Bank bearing the requisite ‘specialized knowledge’ would understand that compliance with the FFIEC Manual ensures compliance with the BSA. . . . The BSA and its implementing regulations are not unconstitutionally vague,” the panel stated. Therefore, the 9th Circuit held that the manual was entitled to Chevron deference and denied the bank’s petition for review.
Fed issues proposal to amend internal appeals process
On February 27, the Federal Reserve Board (Board) published proposed amendments to its guidelines on the internal appeals process for institutions that receive an adverse material supervisory determination. According to the proposal, the goal of the amendments is to improve and expedite the appeals process, which was established in 1995 and applies to any material supervisory determination, including matters related to an examination or inspection, which does not have an alternative, independent appeals process. The current guidelines allow for an institution to file a written appeal, which will be reviewed by a panel selected by the Federal Reserve Bank (Bank). The panel is made up of persons who are not employed by the Bank and have no affiliation with the material supervisory determination in question. Institutions also have further appeal rights to the Bank’s president and then a member of the Board. Proposed changes to the process include:
- reducing the number of appeal levels to two and providing a separate independent review at both appeal levels;
- establishing an accelerated process for appeals that relate to institutions becoming “critically undercapitalized” under the Prompt Corrective Action (PCA) framework as a result of the material supervisory determination, in order to ensure the review occurs within the required PCA timeframe; and
- instituting specific standards of review at both appeals stages. The first panel of review would be required to review the documentation “as if no determination had previously been made.” The final panel, made up primarily of Board staff, would review whether the initial appeals determination is “reasonable and supported by a preponderance of the evidence in the record,” and the decision of the final review panel would be made public.
The proposed amendments also contain changes to the Board’s Ombudsman policy, which, among other things would allow the Ombudsman—if requested by the institution or Federal Reserve personnel—to attend hearings or deliberations relating to the appeal as an observer. The proposal also would formalize many of the Ombudsman’s current activities, including receiving all complaints related to the Board’s supervisory process and facilitating informal resolution of institution’s concerns.
Seven state regulators agree to streamline money service licensing process for fintech companies
On February 6, the Conference of State Bank Supervisors (CSBS) announced that financial regulators from seven states have agreed to a multi-state compact that will offer a streamlined licensing process for money services businesses (MSB), including fintech firms. The seven states initially participating in the MSB licensing agreement are Georgia, Illinois, Kansas, Massachusetts, Tennessee, Texas and Washington. The CSBS expects other states to join the compact. According to the CSBS, “[i]f one state reviews key elements of state licensing for a money transmitter—IT, cybersecurity, business plan, background check, and compliance with the federal Bank Secrecy Act—then other participating states agree to accept the findings.” CSBS noted that the agreement is the first step in efforts undertaken by state regulators to create an integrated system for licensing and supervising fintech companies across all 50 states.
The announcement of the MSB licensing agreement follows a May 2017 CSBS policy statement, which established the 50-state goal, and—as previously covered by InfoBytes—is a part of previously announced “Vision 2020” initiatives designed to modernize and streamline the state regulatory system to be capable of supporting business innovation while still protecting the rights of consumers.
Review procedures need enhancing according to GAO’s Regulatory Flexibility Act compliance report
On January 30, the Government Accountability Office (GAO) released its annual report on federal financial regulators’ compliance with the Regulatory Flexibility Act (RFA). Specifically, the report assessed whether certain regulators adhered to the RFA when drafting and implementing regulations that may affect small entities. Such regulators include the Federal Reserve, Commodity Futures Trading Commission, CFPB, FDIC, OCC, and SEC (collectively, the "agencies"). Under the RFA, the agencies must either (i) certify that a rule would not have a significant economic impact on a substantial number of small entities, or (ii) perform a regulatory flexibility analysis to assess the rule’s impact on small entities and “consider alternatives that may minimize any significant economic impact of the rule.” The report disclosed issues related to certifications. Examples included (i) providing incomplete disclosures of data sources or methodologies of economic analysis and impact; (ii) failing to provide definitions for criteria used to determine a “substantial number” or a “significant economic impact”; and (iii) relying on alternative and potentially outdated definitions of small entities. Additionally, GAO noted that many regulators were unable to provide supporting documentation for their analyses. GAO presented 10 recommendations for enhancing compliance procedures, and stressed that regulators should “develop and implement specific policies and procedures for consistently complying with RFA requirements and related guidance for conducting RFA analyses.” Specific recommendations for each agency are located here.
FTC report highlights 2017 privacy and data security enforcement work
On January 18, the FTC released its annual report on the agency’s privacy and data security work performed in 2017. Among other items, the report highlights consumer-related enforcement activities in 2017, including:
- a settlement with a ride-sharing company over allegations that it violated the FTC Act by making deceptive claims about its privacy and data practices (previously covered by InfoBytes here);
- the first EU-U.S. Privacy Shield action resulting in settlements with three companies over allegations that they falsely claimed they were certified to take part in the framework (previously covered by InfoBytes here); and
- a joint settlement with the New Jersey Attorney General against a “smart” television manufacturer for claims that it secretly gathered users’ viewing data and sold it to third parties who used the data for targeted advertising (previously covered by InfoBytes here).
The report also covers the FTC’s approval of TRUSTe’s proposed modifications to its safe harbor program under the Children’s Online Privacy Protection Act of 1998 (COPPA), previously covered by Infobytes here; and the agency’s actions related to the national “Do Not Call” Registry.
OCC Recent Enforcement Actions Target BSA/AML Compliance Programs and National Flood Insurance Act Violations
On December 14, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such parties. The new enforcement actions include cease and desist orders, civil money penalty orders, removal/prohibition orders, and restitution orders. The list also includes recently terminated enforcement actions.
Cease and Desist Order. On November 9, the OCC issued a consent order (2017 Order) two days after converting a Japanese bank’s two New York branches under the supervision of the New York Department of Financial Services (NYDFS) to federally licensed branches under the supervision of the OCC. As part of the OCC’s approval process, the bank’s federal branches and New York branches agreed to the issuance of the 2017 Order, which requires adherence to “remedial provisions . . . substantively the same as those” in consent orders entered into in 2013 and 2014 with NYDFS. The previously issued consent orders addressed deficiencies related to the bank’s Bank Secrecy Act/Anti-Money Laundering (BSA/AML) sanctions compliance programs, specifically concerning the removal of key warnings to regulators on transactions with sanctioned countries.
The 2017 Order, among other things, requires the bank to: (i) submit an action plan on enhancing internal controls and updating policies and procedures to correct BSA/AML deficiencies, address provisions applicable under the Office of Foreign Assets Control’s requirements, and implement requirements outlined in the 2013 and 2014 consent orders; (ii) ensure adherence to the action plan and 2017 Order under the direction of the bank’s general manager; (iii) submit a management oversight plan designed to improve and enhance the bank’s sanctions compliance programs; and (iv) prevent the retention or future engagement of any individual identified and “barred by the 2014 Consent Order from engaging, directly or indirectly, in any duties, responsibilities, or activities at or on behalf of the [b]ank or the [b]ank’s affiliates that involve their banking business in the [U.S.].” The 2017 Order does not require the bank to pay a civil monetary penalty.
Civil Monetary Penalty. On October 10, the OCC assessed a $452,000 civil monetary penalty against a national bank lender for alleged violations of the National Flood Insurance Act and/or the Flood Disaster Protection Act. The bank agreed to pay the penalty without admitting or denying any wrongdoing.
OCC Announces Recent Enforcement Actions and Terminations
On October 19, the OCC released a list of new enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such parties. The OCC also released a list of recently terminated enforcement actions. The new enforcement actions include cease and desist orders, civil money penalty orders, personal cease and desist orders, removal/prohibition orders, and notices. The personal cease and desist orders relate to four directors of a Texas bank that were each fined $5,000 for breaches of fiduciary duty and unsafe or unsound practices. These practices allegedly included approving and ratifying loans with “concessionary and liberal terms to unqualified borrowers” in order to “finance the borrower’s purchase of stock in the [b]ank’s holding company to raise capital for the Bank.” (See civil money penalties here, here, here, and here.)
Pennsylvania Issues Reminder to Fintech Companies of Licensing Requirements
On October 6, prompted by the “evolving technological innovations that impact the financial services sector” and the rise of “technology focused companies offering financial services via new delivery mechanisms,” the Pennsylvania Department of Banking and Securities (Department) issued a reminder of the Department’s “long-standing position” that all persons offering financial services to the consumers of the Commonwealth of Pennsylvania must be licensed by the Department and comply with consumer protection requirements before conducting business with Pennsylvania consumers. “The Department regulates financial transactions based upon the transaction offered or delivered, not the method of delivery,” and as a result, fintech companies must comply with all applicable statutes and regulations.