♫"Summertime and the living is easy"♫ or at least we hope it is for our growing readership. Our Explainer Things team is spicing up your consumer finance news with pop culture – Dua Lipa, The Big Lebowski, The Police, and The Karate Kid. Plus, we give you substantive analysis about why the news we cover matters for you and yours – who says we can't be useful AND entertaining? An interesting piece of news not quite big enough to merit its own blurb: The CFPB's funding structure continues to produce litigation before the Supreme Court. The Supreme Court already agreed to review the Fifth Circuit's 2022 decision holding the CFPB's funding structure unconstitutional. The Second Circuit expressly disagreed with the Fifth Circuit in March and the losing party in that case petitioned the Supreme Court this month for certiorari review, too. That move won't really impact the merits of the case, but it confirms that the stakes of this issue are extremely high.
We're also following the new legislation on earned wage access in Nevada, and expect to have more on that in next month's edition.You can continue to expect blurbs relevant to payments, crypto, fintech, cards, and more, with our quick analysis (aka Akerman's Take) on why that news matters to you.
- CFPB to Big Tech Payments: I’ll Be Watching You
- New Guidance for Bank/Fintech Partnerships: This is Banking, Not Nam…There are Rules
- Crypto Update: “Fighting Always Last Answer to Problem” – a Lesson the SEC Should Have Learned from Mr. Miyagi
- TCPA: New Rules? Ask Dua Lipa or the FCC
- It’s 10:00 pm. Do You Know if the Money in Your Fintech App Is Insured?
CFPB to Big Tech Payments: I'll Be Watching You
The twice-yearly rulemaking agenda for federal agencies was published this month and the CFPB's list of rulemakings included a new one: supervision of larger participants in the consumer payments markets. If adopted, the rule would allow the agency to supervise non-bank payments providers such as Venmo, CashApp, and potentially Apple and Google. But the CFPB could be casting a much wider net to include other emerging fintech products. The CFPB's rulemaking agenda lists July of this year as the target date for the proposal, but gives very few details about the scope of the rulemaking. Being "supervised" by the CFPB means the agency conducts routine exams of a company's compliance with laws and regulations by interviewing company employees and reviewing company documents. The CFPB has the authority to supervise non-banks if they are "larger participants" of markets for consumer financial products or services and the CFPB defines the market in a rulemaking. It currently supervises non-bank larger participants in five other markets: credit reporting, debt collection, student loan servicing, international money transfers, and auto financing. If this new rule is adopted, it would add payments providers to that list.
The CFPB just won't let up on "big tech" payments providers. In just the past year, there have been document requests, reports, and consumer advisories (oh my!) announcing potential consumer harm in the payments market. The agency is now moving past the bully pulpit and planning to exert some real power over the payments apps through supervision. Did someone at the CFPB have a bad breakup with a payments app and listen to "Every Breath You Take" one too many times? The agency is watching over that market like a jealous ex-lover. Even Sting would be impressed by the creepiness.
It will be interesting to see how the CFPB defines the "consumer payments" market and, as a result, which companies will end up subject to regular exams. Rulemakings to define "larger participants" in a market typically move quickly, so expect a rule proposed this July to be finalized in 2024 – meaning the agency could begin examinations as early as next year.
New Guidance for Bank/Fintech Partnerships: This is Banking, Not Nam…There are Rules
The Fed, FDIC, and OCC finalized risk management guidance for banks when creating and evaluating relationships with fintechs and other third parties. The new interagency guidance supersedes existing guidance on third-party relationships by each agency separately and is intended to bring uniformity and consistency to the fast-growing bank partnership landscape. According to the regulators, partner relationships present significant benefits for banks but may also reduce a bank's direct control over activities and introduce new risks.
This guidance lays out six stages in the "life cycle" of a bank relationship: Planning, Due Diligence & Third-Party Selection, Contract Negotiation, Ongoing Monitoring, and Termination. It then lays out key principles for banks to consider at each stage. For example, during the Ongoing Monitoring Phase, the guidance recommends that banks perform regular periodic control assessments and ongoing monitoring of partners to confirm the quality of controls. Further, banks should continually track and analyze external threats to partners by monitoring the internet for cyber threats and public and private sources of reputational, sanctions, and financial information.
To paraphrase Walter from The Big Lebowski, the rules for bank/fintech partnerships are starting to look more like bowling, and less like 'Nam. With this guidance, there are finally some clear rules for how banks and fintechs should work together. The prudential regulators have made no secret of their skepticism of bank partnerships with fintech companies (aka "banking as a service" or "BaaS"). But the skepticism has mostly come in the form of public statements or one-off enforcement actions, like the FDIC consent agreement with Cross River Bank last month. We know how much companies love regulation by enforcement.
While this guidance is high-level and does not provide specifics for any particular relationship, it does provide a more concrete roadmap for banks and fintechs to follow to manage risk. If you're a fintech in a relationship with a bank, expect changes to your regular compliance checks as banks start adopting this guidance. And if you're a fintech looking for a bank partner, this guidance should help you prepare for the kinds of questions banks will ask you. We expect these vetting processes to get increasingly complex, time-consuming, and burdensome.
Crypto Update: "Fighting Always Last Answer to Problem" – a Lesson the SEC Should Have Learned from Mr. Miyagi
June was an exciting time for crypto. It started on Friday, June 2, with the release by two U.S. House committees of a discussion draft bill titled the Digital Assets Market Structure (DAMS). DAMS would provide the first comprehensive statutory framework for digital assets. Then, that following Monday, the SEC sued Binance, and then sued Coinbase on Tuesday. That same Tuesday, the House Committee on Agriculture met to discuss the DAMS bill as part of its "The Future of Digital Assets: Providing Clarity for Digital Asset Spot Markets" panel event. All this in the first week of the month!
The DAMS bill is undoubtedly Congress' best attempt to date at workable statutory framework for digital assets. It's fairly long at 162 pages, but the release is accompanied by a short summary of the bill and a section breakdown for easier reading. The bill proposes to address security vs. commodity classification, enable an alternative trading system (ATS) for registering digital assets, create a digital commodity exchange, attempt to resolve regulatory coordination issues, and establish strategic hubs for digital assets and innovation at the SEC and the CFTC. The Binance and Coinbase lawsuits are also hefty reads (hundreds of pages). We don't fully analyze them here, except to say they allege similar violations of the Securities Exchange Act of 1934 and the Securities Act of 1933 for failure to register as an exchange / broker / clearing agency and for offering unregistered securities. Oh, and the SEC also alleges Binance engaged in fraud. Both Binance and Coinbase deny the allegations.
Who saw these developments coming? Well, everyone. After Coinbase CEO Brian Armstrong noted in January that Coinbase had met with the SEC over 30 times to discuss a path to compliance without receiving feedback from the agency, it was painfully clear – the SEC is dead set on fighting. And, for Binance, this SEC suit is no surprise given the June 2022 SEC enquiry investigation into Binance's BNB token ICO and the CFTC's lawsuit in March of this year. So, what is to be learned from these developments? Truly, isn't this just the classic bully vs. bullied tale?
Let's review in the context of the classic 80s martial-arts drama, The Karate Kid. When Daniel LaRusso (Coinbase/Binance) moves into a new and foreign environment, he quickly catches the attention of Johnny Lawrence (the SEC), the town tough guy. At first, Daniel attempts to befriend Johnny and his Cobra Kai buddies, only to discover they have no interest in newcomers and care only about maintaining authority at all costs. The SEC may do well to remember Daniel takes some hits initially, but, in the end, he defeats Johnny and Cobra Kai and the audience leaves cheering for the underdog.
We all know life has a way of imitating art. So, Chair Gensler, before you command your Johnny to "sweep the leg," you had better be sure he can defend crypto's "crane kick." You know we'll be watching and cheering from the stands!
TCPA: New Rules? Ask Dua Lipa or the FCC
On June 9, the FCC issued a Notice of Proposed Rulemaking to "clarify and strengthen consumers' rights under the TCPA to grant and revoke consent to receive robocalls and robotexts." The most significant proposed changes include:
- Codifying the FCC's 2015 decision and order holding that consumers can revoke consent to receive robocalls using any reasonable means;
- Requiring callers and texters to honor requests to revoke consent within 24 hours, instead of the 30 days allowed under the current rules;
- Codifying the FCC's earlier decision that callers can send a single post-revocation text message confirming a consumer's revocation of consent, so long as that text does not include telemarketing language; and
- Allowing callers/texters to include a request for clarification as to the scope of the consumer's revocation request, provided that if the consumer does not respond, the revocation must be treated as revocation of consent for all robocalls and robotexts.
The Proposed Rulemaking is available here.
Dua Lipa's rule number one is "Don't Pick Up the Phone," but the FCC has new rules for robocalls that permit more calling, not less. For many companies sending automated calls or texts, the majority of the proposed rules merely codify what they have already been doing. The most significant, and favorable, proposed rule is to allow callers to send a clarification text to consumers after the consumer revokes consent. One of the trickiest areas of TCPA compliance for many companies is how to handle multiple call campaigns. For example, should a consumer's revocation of consent made in response to a specific campaign be treated as campaign-specific or does it revoke consent for all communications from that company? This proposed new rule provides some much needed clarification. And, with that, we recommend taking some advice from Dua Lipa – "I got new rules, I count 'em."
It's 10:00 pm. Do You Know if the Money in Your Fintech App Is Insured?
The CFPB thinks you might not. It issued a report / Issue Spotlight and consumer advisory The CFPB thinks you might not. It issued a report / Issue Spotlight and consumer advisory regarding risks to consumers who store funds in non-bank payment apps. It determined that many of these apps do not store funds in FDIC insured accounts and it urges consumers to transfer balances to banks or credit unions that provide deposit insurance.
In its report, the CFPB makes a number of findings, including that while banks must provide detailed information on deposits, payment apps do not. The report argues that terms for these products are "confusing, murky, or even silent on exactly where consumer funds are being held or invested" and what would happen if the provider or entity holding the funds were to fail. Additionally, the report notes that while some accounts may provide FDIC pass-through insurance, whether the provider and bank have properly set up the pass-through insurance cannot be determined until after a bank failure. It also notes that some providers impose pre-conditions on receiving deposit insurance, such as engaging in certain activities with the account before it is eligible for insurance.
At the end of the report, the CFPB briefly notes that there are in fact state laws that apply to these accounts, including that licensed providers satisfy net worth, bonding, and permissible investment requirements imposed by almost every state.
Consumers should know whether their funds are FDIC insured. And that's exactly what the CFPB's prepaid rule requires. See 12 C.F.R. § 1005.18(b)(2)(xi). But CFPB never mentions its own rule in either its advisory or report. The report also mischaracterizes applicable state laws. Citing a law review article, the CFPB concludes "most MSB laws were designed with companies like Western Union or MoneyGram in mind, traditional firms that did not maintain customers’ funds for more than a few days." However, this ignores that many states have specifically revised their laws to address issues posed by stored-value products.
This report is just another in a series of actions by the CFPB focused on the purported risks posed by non-bank and fintech providers of consumer financial products and services. We obviously expect this to continue. The Issue Spotlight all but implies state licensing regimes for stored value products are insufficient by conflating risks of depositing funds with a non-bank to investing in publicly traded securities.
