Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On May 13, OCC Deputy Comptroller for Operational Risk Policy Kevin Greenfield testified before the House Financial Services Committee Task Force on Artificial Intelligence (AI) discussing banks' use of AI and innovation in technology services. Among other things, Greenfield addressed the OCC’s approach to innovation and supervisory expectations, as well as the agency’s ongoing efforts to update its technological framework to support its bank supervision mandate. According to Greenfield’s written testimony, the OCC “recognizes the paramount importance of protecting sensitive data and consumer privacy, particularly given the use of consumer data and expanded data sets in some AI applications.” He noted that many banks use AI technologies and are investing in AI research and applications to automate, augment, or replicate human analysis and decision-making tasks. Therefore, the agency “is continuing to update supervisory guidance, examination programs and examiner skills to respond to AI’s growing use.” Greenfield also pointed out that the agency follows a risk-based supervision model focused on safe, sound, and fair banking practices, as well as compliance with laws and regulations, including fair lending and other consumer protection requirements. This risk-based approach includes developing supervisory strategies based upon an individual bank’s risk profile and examiners’ review of new, modified, or expanded products and services. Greenfield further noted that “the OCC is focused on educating examiners on a wide range of AI uses and risks including risks associates with third parties, information security and resilience, compliance, BSA, credit underwriting, and fair lending and data governance, as part of training courses and other educational resources.” According to Greenfield’s oral statement, “banks need effective risk management and controls for model validation and explainability, data management, privacy, and security regardless of whether a bank develops AI tools internally or purchases through a third party.”
On May 6, the CFPB issued its annual fair lending report to Congress, which outlines the Bureau’s efforts in 2021 to fulfill its fair lending mandate. Much of the Bureau’s work in 2021 focused on addressing racial injustice and long-term economic consequences of the Covid-19 pandemic. According to the report, the Bureau continued to prioritize promoting fair, equitable, and nondiscriminatory access to credit, with a particular focus on fair lending supervision efforts in areas related to “mortgage origination and pricing, small business lending, student loan origination work, policies and procedures regarding geographic and other exclusions in underwriting, and  the use of artificial intelligence (AI) and machine learning models.” Fair Lending Director Patrice Alexander Ficklin said that while she is “encouraged by the possibility of utilizing vehicles like special purpose credit programs to expand access to credit,” she remains “skeptical of claims that advanced algorithms are the cure-all for bias in credit underwriting and pricing.” The report addressed enforcement and supervision work, highlighting four fair lending-related enforcement actions taken last year related to (i) illegal redlining practices; (ii) failure to provide accurate denial reasons on adverse-action notices; (iii) UDAAP violations related to the treatment of “gate money” for incarcerated individuals; and (iv) fees and payments associated with immigration bonds. The report also discussed initiatives concerning small business lending and data collection rulemaking, automated valuation models rulemaking, and a final rule amending certain provisions in Regulation X related to Covid-19 protections offered by mortgage servicers. Additionally, the report discussed an interpretive rule concerning ECOA’s prohibition on sex discrimination, stakeholder engagement on matters concerning fair lending compliance and policy decisions, HMDA reporting, and interagency engagement and reporting, among other topics. The report noted that going forward, the Bureau intends to sharpen its focus on digital redlining and algorithmic bias to identify emerging risks as more tech companies influence the financial services marketplace. According to CFPB Director Rohit Chopra, “[w]hile technology holds great promise, it can also reinforce historical biases that have excluded too many Americans from opportunities.”
On May 4, the California governor issued an executive order calling on the state to create a transparent and consistent framework for companies operating in blockchain, cryptocurrency, and related financial technologies. This framework, the governor stated, should harmonize federal and California laws and balance innovation with consumer protection. The executive order outlined several priorities, including:
- The framework should include input from a range of stakeholders for potential blockchain applications and ventures;
- The Department of Financial Protection and Innovation (DFPI) should engage in a public process, including with federal agencies, to “develop a comprehensive regulatory approach to crypto assets harmonized with the direction of federal regulations and guidance” and should “exercise its authority under the California Consumer Financial Protection Law (CCFPL) to develop guidance and, as appropriate, regulatory clarity and supervision of private entities offering crypto asset-related financial products and services” in the state;
- DFPI should publish consumer protection principles that include model disclosures, error resolution, and other criteria, and “seek input from stakeholders and licensees in order to publish guidance for California state-chartered banks and credit unions”;
- DFPI should engage in actions to protect consumers, including initiating enforcement actions to enforce the CCFPL, enhancing its review of consumer complaints related to crypto asset-related financial products and services and working with companies to remedy such complaints, and publishing consumer education materials;
- GovOps should issue a request for innovative ideas to explore opportunities for deploying blockchain technologies that address public-serving and emerging needs; and
- Members of the Governor's Council for Postsecondary Education should “identify opportunities to create a research and workforce environment to power innovation in blockchain technology, including crypto assets” to “expose students to emerging opportunities.”
The governor emphasized that while blockchain technology over the past decade “has laid the foundation for a new generation of innovation, spurring a rise in entrepreneurialism in sectors including financial technology,” among others, its impact “is both uncertain and profound” and carries risks and legal implications.
On May 4, the OCC announced it will host virtual Innovation Office Hours on June 14 through 15 to promote responsible innovation in the federal banking system. As previously covered by InfoBytes, the OCC established the Office of Innovation in 2017 to implement certain aspects of the OCC’s responsible innovation framework, including, among other things: (i) creating an outreach and technical assistance program; (ii) conducting awareness and training activities for OCC staff, such as implementing an internal web page that provides OCC staff a ‘one-stop-shop’ to access information on industry trends and innovative products, services, and processes; and (iii) encouraging coordination and facilitation among the regulatory community and industry stakeholders. According to the OCC’s recent announcement, parties should request a virtual office hours session by May 20 and should provide information on their interested topic(s). The OCC will determine specific meeting times and arrangements after it receives and accepts the request.
Special Alert: Federal court says state bank, fintech partner must face Maryland’s allegation of unlicensed lending before state ALJ
A federal court late last month told a state-chartered bank and its fintech partner that they must return to a state administrative law proceeding to fight a Maryland enforcement action alleging that their failure to obtain a license to lend and collect on loans violated state law — potentially rendering the terms of certain loans unenforceable.
The Missouri-chartered bank and its partners attempted to remove an action brought by the Office of the Maryland Commissioner of Financial Regulation to the U.S. District Court for the District of Maryland, but the district court determined that removal was not proper and that Maryland’s Office of Administrative Hearings was the appropriate venue.
OCFR initially filed charges in January 2021 in Maryland’s Office of Administrative Hearings against the bank and its partner asserting the bank made installment and consumer loans and extended open-ended or revolving credit in the state without being licensed or qualifying for an exception to licensure. As a result, OCFR said they “‘may not receive or retain any principal, interest, or other compensation with respect to any loan that is unenforceable under this subsection.’” It said that not only are the bank’s loans to all Maryland consumers possibly unenforceable, but also that the bank, or its agents or assigns, could in the alternative be “prohibited from collecting the principal amount of those loans from any of these consumers or from collecting any other money related to those loans.”
The OCFR’s charge letter also said the fintech company that provided services to the bank violated the Maryland Credit Services Business Act by providing advice and/or assistance to consumers in the state “with regard to obtaining an extension of credit for the consumer when accepting and/or processing credit applications on behalf of the Bank without a credit services business license.” Additionally, the OCFR alleged violations of the Maryland Collection Agency Licensing Act related to whether the fintech company engaged in unlicensed collection activities, thus subjecting it to the imposition of fines, restitutions, and other non-monetary remedial action.
The defendants filed a notice of removal to federal court last year while the enforcement action was still pending before the OAH; OCFR moved to remand the case back to the agency.
In granting the OCFR’s motion to remand, the court concluded that the OCFR persuasively argued that the defendants have not properly removed this case from the OAH for several reasons, including that the OAH does not function as a state court. “Pursuant to 28 U.S.C. § 1441, a defendant may remove to federal court ‘any civil action brought in a State court of which the district courts of the United States have original jurisdiction.’” However, the court determined that, while defendants correctly observed that the OAH possesses certain “court-like” attributes, its limitations clearly showed that it does not function as a state court.
In reaching this conclusion, the court considered several undisputed facts, including that the OCFR is a unit of the Maryland Department of Labor “responsible for, among other things, issuing licenses to entities wishing to issue loans to consumers in Maryland and investigating violations of Maryland’s consumer loan laws.” The court also said that, while OCFR has authority under Maryland law to investigate potential violations of law or regulation and has the ability to issue cease and desist orders, revoke an individual’s license, or issue fines, it cannot enforce its own subpoenas or orders — and that its decisions are not final and may be appealed to a state circuit court.
The defendants had argued that the case involved a federal question as a result of the complete preemption of state usury laws by Section 27 of the FDI Act. The court said licensure, not state usury law claims, was the issue at hand.
During a status conference held last month to discuss OCFR’s motion to remand, defendants requested an opportunity to file a motion certifying the case for appeal. The court will hold in abeyance its remand order pending resolution of that motion. Parties’ briefings are due by the end of May.
If you have any questions regarding the ruling or its ramifications, please contact a Buckley attorney with whom you have worked in the past.
On April 27, acting Comptroller of the Currency Michael J. Hsu issued a statement regarding stablecoin standards after appearing before the Artificial Intelligence and the Economy: Charting a Path for Responsible and Inclusive AI symposium hosted by the U.S. Department of Commerce, National Institute of Standards and Technology, FinRegLab, and the Stanford Institute for Human-Centered Artificial Intelligence. According to Hsu, the internet has “technical foundations” that “provide for an open, royalty-free network.” He further noted that “[t]hose foundations did not emerge on their own. They were developed by standard setting bodies like IETF (Internet Engineering Task Force) and W3C (World Wide Web Consortium), which had representatives with differing perspectives, a shared public interest ethos, and a strong leader committed to the vision of an open and inclusive internet.” Hsu further stated that stablecoins do not have “shared standards and are not interoperable.” However, to make stablecoins “open and inclusive,” Hsu said that he believed that “a standard setting initiative similar to that undertaken by IETF and W3C needs to be established, with representatives not just from crypto/Web3 firms, but also from academia and government.” As previously covered by InfoBytes, Hsu discussed stablecoin policy considerations earlier this month in remarks before the Institute of International Economic Law at Georgetown University Law Center, calling for the establishment of an “intentional architecture” for stablecoins developed through principles of “[s]tability, interoperability and separability,” as well as “core values” of “privacy, security, and preventing illicit finance.”
NYDFS encourages virtual currency licensees to use blockchain analytics tools for sanctions and AML compliance
On April 28, NYDFS announced new guidance on virtual currency entities that are establishing the use of blockchain analytics tools. NYDFS explained that virtual currency activities can involve, among other things, different sources, destinations, and types of funds flows than are found in more traditional, fiat-currency contexts. Such characteristics of virtual currencies can create compliance challenges, but also can present new possibilities for new technology-driven control measures. In the guidance, NYDFS outlined expectations for New York State-regulated virtual currency companies, including: (i) establishing control measures that may leverage blockchain analytics; (ii) augmenting due diligence controls; (iii) conducting transaction monitoring of on-chain activity; and (iv) conducting sanctions screening of on-chain activity. NYDFS also emphasized "the importance of risk-based policies, processes, and procedures to identify transaction activity involving virtual currency addresses or other identifying information associated with sanctioned individuals and entities listed on the SDN List, or located in sanctioned jurisdictions."
As previously covered by InfoBytes, NYDFS issued a framework outlining industry best practices for state-regulated property/casualty insurers writing cyber insurance, which provided guidance for effectively managing cyber insurance risk. The framework is the first guidance released by a U.S. regulator on cyberinsurance. NYDFS noted it has “engaged with external stakeholders to inform this new guidance and continues to conduct significant outreach to state, federal and international regulators; industry; and other experts in the field to ensure New York maintains a robust regulatory regime and remains a destination for virtual currency companies to operate.”
On April 21, the UK’s Financial Conduct Authority (FCA) secured a £2,000,000 account forfeiture consent order against a fintech startup that purportedly offers due diligence and underwriting services. The FCA noted that the funds were supposedly an investment received from a software firm, but observed that the fintech company moved the money repeatedly to different bank accounts in several countries in transactions with no legitimate business purpose. The funds, which the FCA had already frozen in October and December 2020, were allegedly “the proceeds of illegal activity connected to criminal proceedings in the United States of America concerning an alleged conspiracy to commit wire fraud against banks, credit card companies and other financial service providers in the USA.” While the FCA is not alleging that the fintech company was involved in the conspiracy, it flagged concerns in response to the company’s application to become a regulated firm. The company has since withdrawn its application to be regulated by the FCA.
Recently, the California Department of Financial Protection and Innovation (DFPI) released a new opinion letter covering aspects of the California Money Transmission Act (MTA) related to the purchase and sale of virtual currency. The redacted opinion letter examines whether a Company that offers customers the opportunities to deposit fiat currency to a Company account and then draw down that balance to purchase virtual currency from the company requires MTA licensure. The Company explained that virtual currency is purchased from a third party and is transferred to the customer’s Company-issued virtual currency wallet where it can then be stored, transferred to an external wallet, or sold for fiat currency. When a customer later wants to sell the purchased virtual currency for fiat currency, the transaction occurs in a similar fashion. The Company stated that “virtual currency sales to customers are from the Company’s own inventory,” and that for purposes of the opinion, DFPI “assumes these sales occur independently of the Company’s own transactions with third parties.”
DFPI concluded that because the Company’s activities are limited to directly purchasing and selling cryptocurrency to customers, it does not require an MTA license because it does “not involve the sale or issuance of stored value or receiving money for transmission.” Specifically, DFPI stated that because the “customer’s fiat currency balance in the Company account does not meet the definition of stored value” and because “funds in that account can only be used for virtual currency purchases from the Company or transferred out to the customer’s external bank account,” the closed loop stored value “does not constitute issuance of stored value that is regulated under the MTA.” DFPI reminded the Company that its determination is limited to the presented facts and that any change could lead to different conclusions.
On April 25, the CFPB announced it was invoking a “dormant authority” under the Dodd-Frank Act to conduct supervisory examinations of fintech firms and other nonbank financial services providers based upon a determination of risk. “This authority gives us critical agility to move as quickly as the market, allowing us to conduct examinations of financial companies posing risks to consumers and stop harm before it spreads,” CFPB Director Rohit Chopra explained. The Bureau has direct supervisory authority over banks and credit unions with more than $10 billion in assets, certain nonbanks regardless of size that offer or provide consumer financial products or services, and the service providers for such entities. With this announcement, the Bureau now plans to use a provision under Section 1024 of Dodd-Frank that allows it to examine nonbank financial entities, upon notice and an opportunity to respond, if it has “reasonable cause” to determine that consumer harm is possible.
In tandem with the announcement, the Bureau also issued a request for public comment on an updated version of a procedural rule that implements its statutory authority to supervise nonbanks “whose activities the CFPB has reasonable cause to determine pose risks to consumers,” including potentially unfair, deceptive, or abusive acts or practices. The statute requires that the Bureau “base such reasonable cause determinations on complaints collected by the CFPB, or on information from other sources,” which the Bureau stated may include “judicial opinions and administrative decisions, . . . whistleblower complaints, state partners, federal partners, or news reports.” “Given the rapid growth of consumer offerings by nonbanks, the CFPB is now utilizing a dormant authority to hold nonbanks to the same standards that banks are held to,” Chopra stated.
Among other things, the new rule establishes a disclosure mechanism intended to increase transparency of the Bureau’s risk-determination process. Specifically, the new rule will exempt final decisions and orders by the CFPB director from being considered confidential supervisory information, allowing the Bureau to publish the decisions on their website. Subject companies will be given an opportunity seven days after a final decision is issued to provide input on what information, if any, should be publicly released. According to the Bureau, there “is a public interest in transparency when it comes to these potentially significant rulings by the Director as head of the agency. Also, if a decision or order is publicly released, it would be available as a precedent in future proceedings.”
The procedural rule is effective upon publication in the Federal Register and has a 30-day comment period.
- Kathryn L. Ryan to discuss "State licensing and NMLS challenges" at MBA’s Legal Issues and Regulatory Compliance Conference
- Jonice Gray Tucker to discuss “Fair lending and equal opportunity laws” at the MBA Legal Issues and Regulatory Compliance Conference
- Jeffrey P. Naimon to discuss “Contemplating the boundaries of UDAAP” at the MBA Legal Issues and Regulatory Compliance Conference
- Steven vonBerg to speak at closing “super session“ on compliance topics at MBA Legal Issues and Regulatory Compliance Conference
- Buckley Webcast: Fifth Circuit muddles CFPB’s plans to use in-house judges in enforcement proceedings
- Jeffrey P. Naimon to discuss “Understanding the ESG impact on compliance” at the ABA’s Regulatory Compliance Conference