INSIGHTS & TRENDS:
The Future of Regulation in the Digital Economy
Margo H.K. Tank, Partner, Head of Digital Commerce & Payments Group; BuckleySandler LLP
As legal advisors to providers in the digital world, we are always thinking about regulation – whether it is coming, when it is coming, and what it will mean for our clients. The “old way” of making rules in response to existing providers may be faltering in an era of customer-driven preferences. If so, a sea change in the regulatory function may be looming.
GAO URGES CFPB PARTICIPATION IN VIRTUAL CURRENCY WORKING GROUPS
On June 27, the GAO released a May 2014 report regarding virtual currency. The leaders of the Senate Homeland Security and Governmental Affairs Committee asked the GAO to examine potential policy issues related to virtual currencies and the status of federal agency collaboration in this area. The report summarizes virtual currency policy developments to date, and provides an overview of various interagency working groups and the ways each has so far addressed virtual currencies. The GAO concludes that consumer protection issues have largely not been addressed by the working groups, and recommends that the CFPB identify and join existing interagency working groups to ensure that consumer protection issues are considered as those groups develop virtual currency policies. In response to the report, the CFPB stated that it has been doing its own work on virtual currency, and has collaborated informally, but agreed that it should participate formally in interagency working groups.
TRADE GROUP WHITE PAPER ASSESSES VIRTUAL CURRENCY LANDSCAPE
On June 23, the ICBA and The Clearing House published a white paper on virtual currency that (i) defines virtual currency and describes the current regulatory environment; (ii) describes key players in the Bitcoin system; (iii) discusses the application of certain functional and prudential payment system regulations that may be applied to the Bitcoin system and other convertible decentralized virtual currencies; and (iv) evaluates potential regulation of virtual currency, virtual currency investment programs, and exchanges. The paper concludes, among other things, that: (i) credentials used to transact in Bitcoin are functionally similar to prepaid cards and arguably fall within the definition of such cards provided in Regulations E and II; and (ii) the CFPB may determine that cross-border transactions in Bitcoin fall within the scope of the CFPB’s Remittance Transfer Rule, which would require entities facilitating such transfers to comply with the rule’s disclosure, reversibility, and error-resolution requirements. The paper discusses potential safety and soundness oversight for entities in the Bitcoin system. It also suggests that existing regulations intended to protect consumers and market participants in the event of the failure of a securities or commodities exchange may be inapplicable to Bitcoin exchanges, and that alternative means of protecting investors and accountholders—such as disclosure requirements and coordinated state-level registration of exchanges—should be explored.
KANSAS BANK COMMISSIONER ISSUES VIRTUAL CURRENCY GUIDANCE
On June 6, the Office of the State Bank Commissioner of Kansas (OSBC) issued guidance on the regulatory treatment of virtual currencies under the Kansas Money Transmitter Act (KMTA). The guidance focuses on money transmission activities involving decentralized cryptocurrencies, such as Bitcoin. The guidance states that cryptocurrencies in their current form are not covered by the KMTA because they do not fall within the definition of “money”—no cryptocurrency is currently authorized or adopted by any governmental entity as part of its currency—or “monetary value”—there is no recognized standard of value or set value for a single unit of a cryptocurrency. The guidance explains that since the KMTA does not apply to transmission of decentralized cryptocurrencies, an entity engaged solely in the transmission of such currency is not required to obtain a money transmitter license. The guidance adds that, if transmission of virtual currency includes the involvement of sovereign currency in a transaction, it may be considered money transmission depending on how the transaction is organized. The guidance provides several examples of common types of transactions involving cryptocurrency and whether the KMTA applies to each, and outlines for cryptocurrency businesses that conduct money transmission, and entities engaged in money transmission, actions necessary to comply with state law, including licensing.
CFPB BEGINS COLLECTING INPUT ON MOBILE FINANCIAL SERVICES
On June 11, the CFPB released a request for information (RFI) about how consumers are using mobile financial services (MFS) to access products and services, manage finances, and achieve financial goals, with a focus on “economically vulnerable” consumers. The request does not cover point of sale payments, except with respect to mobile payment products targeted to underserved consumers. The request states that the information will be used to inform the CFPB’s “consumer education and empowerment strategies.” On June 12, the CFPB hosted a field hearing on MFS, which included presentations from consumer advocates and emerging mobile services providers regarding the future potential of MFS to reach the underserved.
FDIC RESTRICTS BANK’S CARD BUSINESSES PENDING BSA COMPLIANCE ENHANCEMENTS
On June 5, the FDIC and a Delaware bank entered a consent order that prohibits the bank from entering into any new relationships with third-party prepaid card processors or prepaid card program managers until the FDIC approves a written report from the bank that details the steps taken by the bank to (i) implement new BSA compliance policies and procedures; (ii) improve staff training; (iii) implement controls sufficient to mitigate BSA and safety and soundness risk associated with prepaid card, credit card merchant acquiring, and ACH activities; and (iv) perform a BSA risk assessment. The order similarly restricts the bank’s activities related to credit card merchant acquiring and ACH merchant payment processing. The order does not prohibit the bank from issuing prepaid cards through existing distribution channels under existing contracts with third-parties, but does restrict certain activities related to existing credit card and ACH processing activities. In addition, the bank must (i) retain and designate BSA and OFAC officers; (ii) conduct a suspicious activity reporting look-back review; and (iii) submit periodic progress reports. Finally, the order requires increased board supervision of the bank’s BSA compliance program and mandates the creation of a board-level BSA committee.
CFPB DIRECTOR ANNOUNCES PREPAID CARD RULE DELAY, DISCUSSES OTHER INITIATIVES
On June 10, CFPB Director Richard Cordray testified before the Senate Banking Committee in connection with the CFPB’s recently released Semiannual Report to Congress. The hearing covered a broad range of topics, including, among several others, prepaid cards, student loans, small dollar loans, and arbitration clauses. Director Cordray advised in response to an inquiry from Senator Menendez (D-NJ) that the CFPB’s prepaid card proposed rule, which the CFPB recently indicated could be released in June, likely will not come until the end of the summer. He reassured the Senator that the delay does not indicate any particular problem about the rulemaking, only that certain of the issues raised have been “hard to work through.”
VISA, PEW DEVELOP VOLUNTARY PREPAID CARD STANDARDS
On June 3, Visa announced that it teamed with Pew Charitable Trusts to develop voluntary prepaid card standards and a designation for cards that meet those standards. To qualify for the designation, which Visa believes “will signify a new level of simplicity, protection and opportunity,” a prepaid card must have the following features: (i) flat monthly fee covering all basic activities; (ii) no additional charges for declined transactions, customer service, in-network ATM withdrawal or balance inquiries, PIN or signature transactions, cash back at point of sale, or overdrafts; (iii) “consumer friendly” communication of fees—e.g. fee box and disclosures; and (iv) “quick-use guide” for using the card at the lowest cost. In addition, issuers seeking the designation must provide the following consumer protections: (i) individual FDIC/NCUA insurance; (ii) Regulation E dispute resolution rights; (iii) coverage under Visa’s zero liability policy; and (iv) access to Visa’s Prepaid Clearinghouse Service to assist with fraud prevention.
MINNESOTA APPELLATE COURT HOLDS EMAIL SIGNATURE NOT NECESSARILY EVIDENCE OF INTENT TO SIGN ATTACHMENTS
On June 2, the Minnesota Court of Appeals held that under the Uniform Electronic Transaction Act (UETA), an electronic signature in an email message does not necessarily evidence intent to electronically sign an attached document, and that whether the sender has electronically signed the attachment is dependent on certain facts and circumstances. SN4, LLC v. Anchor Bank, No. A13-1566, 2014 WL 2441343 (Minn. Ct. App., Jun. 2, 2014). A multifamily real estate purchaser sued a bank after negotiations between the parties over the sale of two properties held by the bank fell through. The purchaser claimed that the bank breached its contract by refusing to sell at a price the purchaser claims was established through a series of emails between the parties. The trial court rejected the buyers’ argument that the bank electronically subscribed to the agreement under the UETA and held that the purported agreement did not satisfy the statute of frauds because only the buyers subscribed to it. The appeals court affirmed, holding that under UETA each transaction must be examined to determine whether the parties agreed to conduct the transaction by electronic means. Here, the court held, there was no express or implied agreement between the parties that the bank would electronically sign the agreement. Further, the court held that even assuming the parties agreed to conduct the transaction electronically, the bank did not electronically sign the agreement. The court explained that “whether a sender has electronically signed an attached document depends on the circumstances, including whether the attached document itself contains the sender’s electronic signature and whether the attached document is intended to be a draft or final version.” In this case, the purported agreement the buyers sought to enforce was attached to an electronically signed email, but the signature lines in the attached agreement lacked the bank’s handwritten or electronic signature. 
The court added that the subject email and subsequent emails indicated that neither party considered the agreement to be final.
CYBER RISK & DATA SECURITY:
EIGHTH CIRCUIT HOLDS BANK THAT COMPLIED WITH REASONABLE SECURITY PROCEDURES NOT RESPONSIBLE FOR LOSS OF FUNDS FROM FRAUDULENT PAYMENT
On June 11, the U.S. Court of Appeals for the Eighth Circuit held that under the Uniform Commercial Code (UCC) a bank that complied with commercially reasonable security measures was not responsible for a customer’s loss resulting from a fraudulent payment. Choice Escrow & Land Title, LLC v. BancorpSouth Bank, No. 13-1879, 2014 WL 2598764 (8th Cir. Jun. 11, 2014). The customer sued the bank claiming that a $440,000 wire transfer from its account through the bank’s internet wire transfer system was fraudulently initiated by a third-party. The court explained that Article 4A of the UCC permits a bank to take steps to protect itself from liability by implementing commercially reasonable security procedures, and if the bank complies with these procedures in good faith and in accordance with the customer’s instructions, the customer bears the risk of loss from a fraudulent payment order. The parties agreed that the bank complied with its security procedures in accepting the payment order that resulted in the loss for the customer, but disputed whether (i) the bank’s security procedures were commercially reasonable, (ii) the bank accepted the payment order in good faith, and (iii) the bank accepted the payment order in compliance with the customer’s written instructions. The court concluded that the bank’s security procedures, which included password protection, daily transfer limits, device authentication, and dual control, were commercially reasonable because the bank followed 2005 FFIEC guidelines and further enhanced its security to address threats not considered by that potentially outdated guidance. Moreover, the court held that the customer assumed the risk of failure of security procedures by declining some of those procedures. 
The court also held that in promptly executing a payment order that had cleared its commercially reasonable security procedures, and absent any independent reason to suspect the payment was fraudulent, the bank acted in good faith in processing the payment. Finally, the court determined that an inquiry from the customer as to whether it would be possible for the bank to stop foreign wire transfers did not constitute an instruction to the bank, and therefore the bank did not violate any written instruction from the customer. Based on these holdings, the court concluded that, under the UCC, the loss of funds from the customer’s account falls on the customer and not the bank.
OCC REPORT HIGHLIGHTS CYBERSECURITY, BSA-AML, INDIRECT AUTO UNDERWRITING CONCERNS
On June 25, the OCC published its semiannual risk report, which provides an overview of the agency’s supervisory concerns for national banks and federal savings associations, including operational and compliance risks. As in prior reports and as Comptroller Curry has done in speeches over the past year, the report highlights cyber-threats and BSA/AML risks. The OCC believes cyber-threats continue to evolve and require heightened awareness and appropriate resources to identify and mitigate the associated risks. Specifically, the OCC is concerned that cyber-criminals will transition from disruptive attacks to attacks that are intended to cause destruction and corruption. Extending another recent OCC theme, the report notes that the number, nature, and complexity of both foreign and domestic third-party relationships continue to expand, resulting in increased system and process interconnectedness and additional vulnerability to cyber-threats. The report also states that BSA/AML risks “remain prevalent given changing methods of money laundering and growth in the volume and sophistication of electronic banking fraud.” The OCC adds that “BSA programs at some banks have failed to evolve or incorporate appropriate controls into new products and services,” and again cautions that a lack of resources and expertise devoted to BSA/AML risk management can compound these concerns. Finally, the OCC expressed concern that competitive pressures in the indirect auto market are leading to an erosion of underwriting standards. The OCC’s supervisory staff plans to review retail credit underwriting practices at banks, especially for indirect auto.
FFIEC LAUNCHES CYBERSECURITY RESOURCES WEB PAGE
On June 24, the FFIEC unveiled a new web page that will serve as a central repository for current and future FFIEC-related materials on cybersecurity. Although the FFIEC did not release any new resources, the launch shows the continuing focus of banking regulators on emerging cybersecurity risks. The FFIEC noted that the launch coincided with a pilot program through which state and federal regulators will assess how community financial institutions manage cybersecurity and their preparedness to mitigate increasing cyber risks. Regulators are particularly focusing on risk management and oversight, threat intelligence and collaboration, cybersecurity controls, service provider and vendor risk management, and cyber incident management and resilience.
ANSI SEEKS PARTICIPANTS FOR TECHNICAL COMMITTEE ON SECURITY
On June 25, the American National Standards Institute (ANSI) issued a call for organizations with an interest in security to participate in an advisory committee to a new International Organization for Standardization (ISO) technical committee. The ISO is planning to restructure its security sector to consolidate the work of three existing technical committees—Societal security; Fraud countermeasures and controls; and Management system for quality of private security company operations. The new committee will begin work on January 1, 2015 and will cover standardization in the field of security including but not limited to general security management, business continuity management, resilience and emergency management, fraud countermeasures and controls, security services, and homeland security. Organizations interested in participating in the advisory committee must contact ANSI by July 4, 2014.
ENFORCEMENT & INVESTIGATIONS:
ATTORNEY GENERAL VOWS TO CONTINUE OPERATION CHOKE POINT
On June 23, the DOJ released a transcript of a message delivered by Attorney General Eric Holder in which he pledged to continue investigations of financial institutions “that knowingly facilitate consumer scams, or that willfully look the other way in processing such fraudulent transactions.” These investigations are part of the DOJ’s “Operation Choke Point,” which has faced criticism from financial institutions and their advocates on Capitol Hill, and which payday lenders recently filed suit to halt. Opponents of the operation assert that the DOJ investigations, combined with guidance from prudential regulators, are targeting lawful businesses and cutting off their access to the financial system. In his remarks, the AG promised that the DOJ will not target “businesses operating within the bounds of the law,” but vowed to continue to pursue “a range of investigations into banks that illegally enable businesses to siphon billions of dollars from consumers’ bank accounts in exchange for significant fees.” Mr. Holder stated that he expects the DOJ to resolve some of these investigations in the coming months.
HOUSE OVERSIGHT COMMITTEE CHOKE POINT INQUIRY SHIFTS TO FDIC
On June 9, Darrell Issa (R-CA), Chairman of the House Oversight Committee, and Jim Jordan (R-OH), an Oversight subcommittee chairman, sent a letter to FDIC Chairman Martin Gruenberg that seeks information regarding the FDIC’s role in Operation Choke Point and calls into question prior FDIC staff statements about the agency’s role. The letter asserts that documents obtained from the DOJ and recently released by the committee demonstrate that, contrary to testimony provided by a senior FDIC staff member, the FDIC “has been intimately involved in Operation Choke Point since its inception.” The letter also criticizes FDIC guidance that institutions monitor and address risks associated with certain “high-risk merchants,” which, according to the FDIC, includes firearms and ammunition merchants, coin dealers, and payday lenders, among numerous others. The letter seeks information to help the committee better understand the FDIC’s role in Operation Choke Point and its justification for labeling certain businesses as “high-risk.” For example, the letter seeks (i) all documents and communications between the FDIC and the DOJ since January 1, 2011; (ii) all FDIC documents since that time that refer to the FDIC’s 2012 guidance regarding payment processor relationships; and (iii) all documents referring to risks created by financial institutions’ relationships with firearms or ammunition businesses, short-term lenders, and money services businesses.