Financial Services Law

Curry Defends OCC's Fintech Charter, New York's DFS Sues

By Craig D. Miller, Partner, Financial Services

Stepping down as the leader of the Office of the Comptroller of the Currency (OCC), Thomas J. Curry highlighted the efforts of the agency to encourage financial innovation, particularly the agency's decision to grant fintech charters, as another lawsuit was filed challenging those charters.

What happened

With his five-year term as comptroller of the OCC ending May 5, Curry spoke at the Fintech and the Future of Finance Conference at Northwestern University about financial innovation. Calling it "an exciting time to be in banking," Curry hailed the ways in which fintech has changed how consumers relate to financial service providers and take charge of their finances.

"For me, one of the most exciting parts of this wave of innovation is the potential for technology to expand access to the unbanked and underserved, in the same way that the Internet helped democratize information," Curry told attendees. "Data from the [Federal Deposit Insurance Corporation] and others show that minorities and other traditionally underserved populations may embrace fintech at even higher rates than the general population."

Innovation is also changing the back end of banking, payments processing and even regulation, he noted, describing his approach as one of "responsible innovation" that fits within a company's business plan, with risks understood and managed and consumers treated fairly.

The OCC has engaged in multiple efforts to support responsible innovation both within banks and among fintech companies, Curry explained, which has resulted in "a debate about the appropriate way to license a fintech company and supervise its activities on a national scale."

He walked through the agency's publications and requests for comment culminating in the March publication of draft licensing standards for fintech charters.

"At the heart of the issue is the fundamental nature of the business of banking—the business of banking is dynamic and I would urge caution to anyone who wants to define banking as a static state," Curry said. "Such a view risks choking off growth and innovation. The federal banking system has served as a common source of strength for communities across the country and for the broader national economy for more than 150 years because it was allowed to adapt to meet the evolving need of consumers, business and communities."

The OCC's efforts are a result of a shift in regulatory perspective, he added. "Early on in this process, we recognized that our regulatory instinct has been to say no and to be too risk averse," he acknowledged. "Over the last two years, we've worked very hard to take a more open approach, while still maintaining appropriate caution to prevent reckless and bad behavior."

Curry's advocacy did little to quell concerns, as a few days later the New York Department of Financial Services (DFS) filed a suit challenging the OCC's decision to grant special-purpose bank charters "to a boundless class of undefined financial technology companies."

The federal court complaint—which largely tracks the allegations in a similar suit filed by the Conference of State Bank Supervisors (CSBS) last month but is more robust in scope—did not hold back in its criticism of the OCC's plans.

"The Fintech Charter Decision is lawless, ill-conceived, and destabilizing of financial markets that are properly and most effectively regulated by New York State," the DFS argued. "It also puts New York financial consumers—and often the most vulnerable ones—at great risk of exploitation by federally chartered entities improperly insulated from New York law. The OCC's reckless folly should be stopped."

Numerous risks result from the OCC's decision, including "weakening regulatory controls on usury, payday loans, and other predatory lending practices" and "creating competitive advantages for large, well-capitalized 'fintech' firms, which can overwhelm smaller market players and thereby stunt rather than foster innovation in financial products and services," the DFS alleged.

The OCC's action is "legally indefensible" because it "grossly exceeds" the agency's statutory authority in violation of a fundamental premise of federal banking law, the complaint stated, and that the "business of banking" necessarily includes deposit taking. Noting that the agency has attempted to exceed the bounds of its statutory authority before, only to be struck down by the courts, the DFS said the OCC self-regulated its power to establish fintech charters in a 2003 regulation that created a new category of nationally chartered institutions described as "special purpose" banks.

"If validated by the courts, this agency sleight of hand, practiced on the barest of administrative records, plus a 'whitepaper' and a manual … would upend almost one and a half centuries of established federal banking law and displace a nation of 50 state financial regulators that annually supervise hundreds of billions of dollars in non-bank transactions," according to the complaint. "There is absolutely no evidence that Congress ever intended, much less expressly authorized, any such seismic shift in the allocation of established regulatory responsibility. For over 150 years, there has been dual authority, split between the federal and state governments, but the business of non-depository, non-bank institutions has been entirely regulated by states."

The DFS cited two examples of concrete harm to New York's financial market stability and consumer protection controls. State-licensed money transmitters using technologically innovative operating platforms could qualify for an OCC charter and "escape" New York's regulatory requirements, stripping "customers of non-depository money transmitters of critical financial protections otherwise guaranteed by New York law," the DFS told the court. "This result is especially troubling when you consider that a disproportionate number of consumers who use money transmitters are often the most economically vulnerable."

Second, the OCC's charter decision "effectively negates New York's strict interest-rate caps and anti-usury laws," the regulator alleged. "This perverse regulatory outcome … could realistically lead in New York to the proliferation of prohibited payday lending by out-of-state OCC-chartered entities seeking to import their usurious trade into the state to exploit financially vulnerable consumers."

The DFS asked for a declaration that the OCC exceeded its statutory authority under the National Bank Act and that the fintech charters are null and void.

To read Comptroller Curry's prepared remarks, click here.

To read the complaint in Vullo v. OCC, click here.

Why it matters

Although former comptroller Curry clearly hoped that financial innovation—including the fintech charters—would be his legacy at the OCC, the DFS's complaint, following on the heels of the CSBS lawsuit, as well as other pushback, leaves that legacy uncertain. Also unclear: how the new Acting Comptroller Keith Noreika will handle the issue. He has yet to take a position on the fintech charters, leaving the industry in a holding pattern to wait and see if the OCC will move forward. At the very least, states are flexing their regulatory muscles against the national agency in an effort to assert control over these critical issues. We expect to see more efforts by states to challenge the OCC's efforts to consolidate power over financial services businesses, including renewed emphasis on rolling out the previously announced statewide integrated licensing and supervisory system.

back to top

President's Executive Order on Cybersecurity: Impact on Banks Unclear

By Richard E. Gottlieb, Partner, Financial Services

President Donald Trump has signed an executive order addressing cybersecurity. But for financial institutions, is the executive order much ado about nothing? Not exactly.

What happened

On May 11, President Trump issued an Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.

President Trump's executive order demands agency-specific cyber reports within 90 days of the order and requires adoption of digital defense standards, the Framework for Improving Critical Infrastructure Cybersecurity, developed by the National Institute of Standards and Technology (NIST). The order further contains three core priorities: (1) protection of federal networks; (2) updating of antiquated systems; and (3) cooperation among federal agencies. Of relevance to financial institutions, the order likewise reinforces earlier initiatives of the Obama administration to enhance the nation's critical infrastructure, including for banks, that are at the "greatest risk of attacks." To protect critical infrastructure, the secretary of Homeland Security will provide a report to President Trump on the vulnerability of electric utility grids as well as financial, healthcare and telecommunications systems. The government will also work to combat botnets.

As for protecting the public online, the order requires the government to establish policies with an emphasis on cyber deterrence and to hire additional cybersecurity experts to help defend the country from hackers.

Other than the sweeping reviews required by the order, President Trump's cyber order is, in many ways, derivative of President Obama's Cybersecurity National Action Plan (CNAP), issued in February 2016. Under that plan, the Obama administration created a Commission on Enhancing National Cybersecurity, established a federal chief information security officer and focused attention on enhancements to the nation's critical infrastructure. Likewise, the Obama administration released a cybersecurity research and development strategic plan, and developed efforts to "deter, discourage and disrupt" malicious activities, including by state actors.

The Trump executive order is similar in a number of ways in that it largely endorses the Obama administration's approach. For example, it largely builds on CNAP by pushing many of its core initiatives, such as focusing on enhancements to the country's so-called "critical infrastructure." For banks and other financial institutions, the executive order offers little new. And by way of contrast, there is far more attention being directed to New York's new and exceedingly more detailed cybersecurity regulations.

Just days before the order, the American Bankers Association (ABA) urged legislators to establish national data protection standards for companies that handle consumers' payment data, a topic omitted from the President's order. While the financial services industry is motivated to provide such protections—in part by requirements such as those found in the Gramm-Leach-Bliley Act (GLBA), and likewise because of New York's tough new cyber standards—the ABA letter noted that just 0.2 percent of records exposed in data breaches were attributable to the financial sector, according to data from the Identity Theft Resource Center.

Companies that are not subject to legislative or statutory requirements, on the other hand, have a less than stellar track record at protecting such information, the ABA said, noting that 81.3 percent of records exposed in breaches this year were at businesses, including retail. With breaches increasing and affecting even more consumers each year, the time has come for other industries to pick up the slack, the ABA wrote.

"It's time to get serious about building a security infrastructure that brings banks, payment networks and retailers together to safeguard sensitive financial data," James Ballentine, executive vice president, congressional relations and public affairs for the ABA, wrote to the members of the U.S. Senate and House of Representatives. "It's time to pass a strong, consistent national standard for fighting data breaches and give consumers the protection they deserve."

The first step toward protecting federal networks: abiding by the NIST cybersecurity framework, Homeland Security adviser Tom Bossert explained at a press conference about the order. Although the government established the framework in 2013 for private companies, it has yet to follow it. "If we don't move to shared services, we have 190 agencies all trying to develop their own defenses against advanced collection efforts," Bossert explained.

The ABA praised the executive order, which "will enhance the security of government systems and help protect our critical financial infrastructure—and ultimately bank customers—through enhanced information sharing and greater cross-industry collaboration," president and CEO of the group, Rob Nichols, said in a statement. "The financial services industry is committed to help protect our country's critical sectors and economic security. America's banks will continue to work closely with the White House, Congress and others to establish clear lines of public-private communication, while avoiding inconsistent or duplicative regulation that might undermine our efforts to protect banks and the customers they serve."

To read the ABA's letter, click here.

To read the executive order, click here.

Why it matters

The executive order reinforces the initiatives of the prior administration, and should be read in conjunction with efforts by state regulators to bring greater protections to financial networks and customer financial data.

back to top

FINRA on Social Media, Digital Communications

By David J. Gershon, Partner, Financial Services

The Financial Industry Regulatory Authority (FINRA) took on social media in new guidance that attempts to apply existing rules governing communications to online networking platforms.

What happened

Regulatory Notice 17-18 offers guidance about how existing rules and guidance apply to communications made by firms and registered representatives via social media sites or using personal devices.

SEC Rule 17a-4(b)(4) requires firms to retain records of digital communications relating to their businesses. In Regulatory Notice 17-18, FINRA explains that whether a communication is subject to the retention requirement turns "on its content and not upon the type of device or technology used to transmit the communication." Communications made via social media may also be subject to the rules regarding suitability and supervision and other content requirements. Firms are responsible for training employees about the differences between business and nonbusiness communications and the measures required to ensure that business communications are retained, retrievable and supervised.

Generally, posts by third parties, such as customers, on social media sites do not constitute communications of the firm or its associated persons, but there are key exceptions that apply to this general rule. If the firm or an associated person has paid for or been involved in the preparation of the content (which FINRA defines as "entanglement") or explicitly or implicitly endorsed or approved the content (referred to as "adoption"), then the post would be considered a firm communication.

FINRA has adopted a similar approach to links. A firm is prohibited from linking to a third-party site that the firm knows or has reason to believe contains false or misleading content. Further, a firm cannot include a link on its website if there are any red flags indicating the linked site contains false or misleading content. As with posts, a firm can be responsible for content on a linked third-party site if the firm has adopted or become entangled with the content.

To flesh out these general rules, the notice illustrates the application of existing rules to a variety of situations involving social media.

Text messaging. When customers interact with firms and associated persons using text messaging, covered entities should retain records of the communications. "As with social media, every firm that intends to communicate, or permit its associated persons to communicate, with regard to its business through a text messaging app or chat service must first ensure that it can retain records of those communications as required by" the record retention rules, FINRA cautions.

Linking to or sharing content. FINRA cautions that firms can be responsible for content (such as an article or a video) posted by an independent third party if the firm shares or links to it, the regulator adding that the responsibility can extend even further. Whether a firm has adopted the linked content of an independent third-party website through the use of a link is fact-dependent, according to FINRA, with two factors critical to the analysis. First, whether the link is ongoing (meaning the link is continuously available to investors who visit the firm's site and the linked site could be updated or changed by the third party and investors would nonetheless be able to use the link), and second, whether the firm has influence or control over the content of the third-party site.

A firm can also be responsible for links to links: If a firm shares or links to content that in turn links to other content over which the firm has influence or control, the firm would then have adopted the other content.

Native advertising. While covered entities are permitted to use native advertising (i.e., content that bears a similarity to articles, news or other content that surrounds it online), any native advertising "must prominently disclose the firm's name, reflect accurately any relationship between the firm and any other entity or individual who is also named, and reflect whether mentioned products or services are offered by the firm." The usual requirements that firms' communications be fair, balanced and not misleading also apply.

Influencers. Firms that use "influencers" to promote their brands, products or services may become "entangled" and responsible for the resulting communication where the fact of the sponsorship is material information for consumers. Firms should "clearly identify as advertisements any communications that take the form of comments or posts by influencers and include the broker-dealer's name as well as any other information required for compliance," according to FINRA.

Testimonials and endorsements. Testimonials and endorsements are subject to a similar standard. FINRA does not consider the unsolicited opinions or comments of third parties posted on a social network to be communications by themselves. But if a firm or an associated person "likes" or shares an unsolicited comment, they have adopted it and subjected it to the communication rules, FINRA says, "including the prohibition on misleading or incomplete statements or claims, the testimonial requirements … and the supervision and record-keeping rules."

To comply with the required disclosures for a testimonial, firms may place the disclosure "in close proximity" to the testimonial or provide it through a clearly marked hyperlink accompanying the testimonial using language such as "important testimonial information," FINRA adds, provided that the testimonial is not false, misleading, exaggerated or promissory.

Certain corrections. Does a firm risk "adopting" a third party's content if it corrects information about the firm? Using a hypothetical directory of businesses that contained information about the firm (such as a misspelled name or inaccurate website address), FINRA advises that the correction of such information would not be subject to the communication rules, as they pertain to factual information.

To read Regulatory Notice 17-18, click here.

Why it matters

Regulatory Notice 17-18 should be required reading for covered entities engaging with customers on social media. FINRA emphasizes that whether a communication is subject to record-keeping requirements depends on the content and not the type of device or technology, explaining that answering the question of whether activity will be considered a communication is often fact-dependent.

back to top

Battle Continues Over Colorado Nonbank Action

By Brian S. Korn, Partner, Financial Services

The Colorado regulator facing a lawsuit from two banks seeking to work with nonbank partners filed a motion to dismiss the case, arguing that the banks lack standing to sue and that the federal preemption defense asserted does not by itself give rise to a federal question.

What happened

The dispute began when WebBank and Cross River Bank requested that a Colorado federal court enjoin enforcement actions brought by the state's administrator of the Uniform Consumer Credit Code against their nonbank lending platforms, from which market and service loans were originated by the banks.

The administrator's enforcement action argued that the nonbank partners are the "true lenders" of such loans and the banks could not validly assign their ability to export interest rates as state banks under federal law, citing Madden v. Midland Funding.

WebBank and Cross River's complaints argued that the National Bank Act preempts the administrator's actions and that the loans were legal under the "valid when made" rule, requesting a declaration to protect their federal statutory and contractual rights. The marketplace lending model embodied by the banks and their nonbank partners is not subject to the state lending laws of individual borrower's home states, the banks told the court.

Administrator Julie Ann Meade responded with a motion to dismiss the complaints, advancing four arguments for the court to toss the lawsuits.

First, she argued that the court lacks subject matter jurisdiction because the federal question arose in the context of an affirmative defense. "The well-pleaded complaint rule provides that a federal preemption defense does not, by itself, give rise to federal question jurisdiction," the defendant wrote. While an exception exists for state usury claims asserted directly against a national bank, Cross River and Web Bank are state-chartered institutions, the administrator said. This federal/state detail is likely a tough argument for Colorado, since the state cited a case involving federal law (Madden) against banks that are state-regulated and lend in Colorado under a different statute.

The second argument was that the banks also lack standing to bring suit against the administrator because the underlying enforcement action was taken against the nonbank partners—not Cross River or WebBank. Although the banks claimed to have suffered harm as a result of the administrator's enforcement action, "The alleged injuries identified by [the banks] belong to [the nonbanks] or are too attenuated to constitute standing," the defendant wrote.

For the third argument, the administrator examined the act's exportation provision. Interest exportation under the statute does not apply to state-chartered banks and does not extend to bank subsidiaries, affiliates or agents, according to the motion to dismiss, with no clear intent that Congress intended to preempt state laws that would otherwise apply to nonbanks.

The federal legislature could have provided in the act that banks' interest exportation rights preempt state laws as applied to nonbanks, but it did not, and adding support to the proposition that only banks currently have exportation rights, legislation was introduced in Congress last year to amend the act to extend such rights to nonbanks, the defendant said. As with the first argument, since the banks export their rates to other states under an alternate federal statute, the Federal Deposit Insurance Act (FDIA), it would appear that this argument will fall flat.

"Given that state usury claims against bank subsidiaries, affiliates and agents are not preempted, such claims certainly are not preempted when asserted against third parties who purchase bank loans," the administrator argued. "Third-party purchasers act on their own behalf and have an even more remote claim to a bank's interest exportation rights than bank subsidiaries or agents."

The recent Second Circuit decision in Madden sets forth this exact proposition, the defendant said. "Thus, the language of the relevant banking statutes, supported by case law, compels the conclusion that Congress unambiguously intended to grant interest exportation rights only to banks," the administrator wrote. "Those rights do not preempt state law as applied to nonbank purchasers." Again, the state of Colorado appears to be arguing that the Madden case (a National Bank Act case) should apply to banks that claim preemption under the FDIA. This argument, if adopted, would be unprecedented and serve to extend the Madden case to the entire marketplace lending third-party bank model.

Abstention principles provided the fourth argument for the defendant. The nonbank entities removed the underlying enforcement action to federal court, but the administrator's remand motion to state court remains pending. If that motion is granted, then the federal court should—in light of the Younger v. Harris abstention doctrine—dismiss the case, the defendant said.

Alternatively, the federal district court could decline jurisdiction under the Declaratory Judgments Act. The banks filed their lawsuit after the administrator's complaint was filed against the nonbank partners and after those defendants removed the case to federal court. "[T]hus, the [banks'] complaint appears to be used for the purpose of 'procedural fencing' or 'to provide an arena for a race to res judicata,'" the motion to dismiss argued, requesting the banks' complaints be dismissed with prejudice.

To read the motion to dismiss in Cross River Bank v. Meade, click here.

To read the complaint, click here.

Why it matters

This round of motions by the state of Colorado attempts to dismiss the case on procedural, and not substantive, grounds. If successful, the state would be able to further limit the industry's activities in Colorado. If unsuccessful, the marketplace lenders and their banking partners might have claimed an important victory in defending their business model. The industry is anxiously watching.

back to top

Alleged Overcharges Cost Mortgage Lender $1.4M With California's DBO

By John W. McGuinness, Partner, Litigation

The California Department of Business Oversight (DBO) reached a $1.4 million deal with a mortgage lender after taking action based on alleged overcharges of per diem interest to California borrowers.

What happened

A Michigan-based mortgage lender overcharged "thousands" of California residents, the regulator alleged, which was discovered during regulatory examinations conducted in 2011 and 2013. California law prohibits lenders from charging interest on mortgage loans prior to the business day that immediately precedes the day the loan proceeds are disbursed.

According to the DBO, during the exams, it found that the lender violated this prohibition on so-called per diem interest. The lender agreed to work with the regulator to avoid an enforcement action and conducted a series of self-audit reports during 2015 and 2016 of the 24,755 loans funded during the period of August 2011 to May 2015.

The audits identified a number of loans in which excess per diem interest had been charged or documentation was not available to determine whether an overcharge had occurred, according to the consent order. The lender provided refunds to approximately 3,400 affected borrowers totaling $293,126.54, including payment of the required 10 percent annual interest from the date of the overcharge.

In addition to the audits that already took place, the lender agreed to conduct self-audits using the same procedures and methods for loans funded from May 1, 2015, through Feb. 28, 2017, and promised to continue the self-audit process on new loans for one year following the execution date of the consent order. Each of the audit reports provided to the DBO must include the total number of loans, the number of loans with per diem interest charged, and a determination whether excess per diem interest was charged or the documentation makes it impossible to determine whether excess per diem was charged.

On top of the refunds already paid, the lender will pay $125 for each additional loan revealed in the self-audits where either the borrower was charged per diem interest in excess of that permitted by state law or the loan lacks the required documentation to determine whether excess per diem was charged.

The lender will also pay the DBO a $1.1 million penalty.

To read the consent order, click here.

Why it matters

The DBO continues to take actions against lenders for per diem interest violations. "I'm pleased we have reached this agreement," DBO Commissioner Jan Lynn Owen said in a statement. "It compensates borrowers for the financial harm they suffered, and requires the firm to continue following improved policies and procedures designed to prevent this from happening again."

back to top