Financial Services Law

New Guidance From FFIEC on Mobile Financial Services

Examiners will be paying more attention to mobile financial services (MFS) using new guidance recently issued by the Federal Financial Institutions Examination Council (FFIEC).

What happened

In FIL-31-2016, the FFIEC announced the addition of a new appendix to the Retail Payment Systems booklet of the FFIEC Information Technology Handbook. Intended to assist examiners in evaluating the risks associated with MFS, Appendix E applies to all Federal Deposit Insurance Corporation (FDIC)-supervised institutions.

"The mobile channel provides an opportunity for financial institutions of all sizes to increase customer access to financial services and decrease costs," according to the guidance. But "MFS can pose elevated risks related to device security, authentication, data security, application security, data transmission security, compliance, and third-party management."

Emphasizing "an enterprise-wide risk management approach for effectively managing and mitigating the risks associated with mobile financial services," the guidance discusses four forms of MFS: short message service (SMS) and text messaging, mobile-enabled websites and browsers, mobile applications, and wireless payment technologies.

The first step in using MFS: identifying the risks associated with the type of services being offered and incorporating those risks into the financial institution's existing risk management process. "The complexity and depth of the MFS risk identification varies depending on the functionality provided through the mobile channel and the type of data in transit and at rest," the FFIEC said.

Strategic, operational, compliance, and reputation risks are all relevant, and management should consider risks not just at the institution but also those associated with the use of mobile devices where the customer implements and manages the security settings. Risks associated with the specific devices involved should also be assessed.

The guidance suggests that management should identify the risks associated with the decision to offer MFS and determine what types of services best fit with the vision, goals, and risk appetite of the institution. Unique operational risks are posed by MFS, ranging from transaction initiation to authentication and authorization, as well as the MFS technology itself. Malware and viruses are a real threat, for example, and basic device access controls such as PIN numbers may be insufficient to protect data.

The Appendix highlighted service-specific risks, such as the fact most SMS messages are unencrypted and vulnerable to spoofing, while the portability of mobile devices can lead to them being lost or stolen, resulting in unauthorized payments or fraudulent purchases.

While compliance risks presented by MFS include consumer laws, regulations, and supervisory guidance that may apply to a particular financial product or payment method, MFS are often developed and driven by entities outside the traditional financial services sector, the FFIEC pointed out. "These entities may be unfamiliar with regulatory requirements and supervisory expectations that apply to regulated financial institutions and their services providers," the guidance said. "Management should understand how the institution's risk profile changes when it uses any third party, but particularly a third-party service provider that is unfamiliar with the regulation and supervision of the financial services sector, to design applications."

Reputational risk is particularly relevant in the context of privacy and data security, the FFIEC said. Management should identify and consider how providing MFS may create reputation risk for the institution.

Once risks have been identified, financial institutions need to measure potential risks across all applicable risk categories, with the results prioritized to determine which controls may be appropriate for the services provided by the institution. Then the process of risk mitigation can begin.

"When offering MFS, management should mitigate identified risks by implementing effective controls across the institution," the FFIEC wrote. "Depending on the type of MFS offered, institutions may find that the effective management of risks involves interaction with application developers, mobile network operators, device manufacturers, specialized security firms, and other nonfinancial third-party service providers. Additionally, financial institution management should provide security awareness materials to the institution's customers, which may include prudent security practices for the device (e.g., use of mobile anti-malware, PIN protection) so that customers understand their roles in securing the device and the need for such security."

A "layered approach" to operational risk mitigation will best serve institutions, the guidance suggested, implementing security techniques at the server and database level along with transaction monitoring and geolocation techniques to identify anomalous MFS transactions, topped by customer education. Controls should be in place at enrollment, authentication and authorization, application development and distribution, application security, contracts, customer awareness, and logging and monitoring, the FFIEC said.

Technology risks require a close look from financial institutions, and several controls should be considered to mitigate risks, depending on the type of services, ranging from compensating controls for SMS technology (such as redacting customer account numbers) to requirements for developers of mobile-enabled websites to conduct security testing performed at all post-design phases for mobile apps.

As for compliance risk management, the compliance officer should take appropriate steps, including determining whether applicable disclosure requirements are fully accessible on the mobile device and ongoing monitoring for any legal and regulatory changes with regard to MFS.

Monitoring and reporting systems should be put in place by the institution's management, the FFIEC said, with limits on the level of acceptable risk exposure that the board and management are willing to assume and specific objectives and performance criteria—with qualitative benchmarks to evaluate the success of the product or service—identified.

The guidance also included a work program with a separate set of seven objectives intended to assist examiners in determining the state of risk and controls at an institution (or third party) providing MFS. Tracking the guidance in the Appendix, objectives include "Management effectively responds to issues raised or problems related to MFS," "Financial institution management appropriately and effectively measures risks associated with MFS and determines the likelihood and impact of those risks," and "Financial institution management maintains effective oversight of MFS activities. Management maintains appropriate reporting for various levels of management to support that oversight."

To read Appendix E, click here.

Why it matters

For financial institutions considering MFS—or already making use of mobile financial services—the Appendix is a "must read," offering insight into how examiners will evaluate an institution with regard to its mobile services. The FFIEC emphasized an enterprise-wide risk management approach, with the guidance offering many of the relevant risks to consider while noting that the list of risks and controls was not exhaustive.


One-Two Punch for Transparency: Beneficial Owners Outed

In an apparent effort to create the impression of a strong U.S. policy response in the wake of the Panama Papers, the U.S. Department of the Treasury (Treasury) announced three initiatives to promote greater transparency and reduce the use of shell companies to conduct illegal financial transactions. The first was the release of the Financial Crimes Enforcement Network's (FinCEN) final beneficial ownership rules. Simultaneously, Treasury submitted to the United States Congress a new legislative proposal to require corporations to provide certain information on beneficial ownership at the time of corporate formations. Treasury also proposed a new regulation to require certain foreign-owned single-member limited liability companies to obtain tax identification numbers. Other than the new beneficial ownership rule, the prospects for other legal changes in the near term are questionable. The proposed legislation is not dissimilar to other proposals previously submitted to Congress to create greater transparency in corporation formations, and such proposals have historically been controversial. The proposed Treasury regulation is only the first step of the rulemaking and may not become final for months or years, if at all.

What happened

The FinCEN announcement of its final beneficial ownership rule, coming on the eve of the departure of FinCEN Director Jennifer Shasky-Calvery, caps a more than four-year effort to impose regulations requiring banks and other financial institutions to conduct certain customer due diligence (CDD) on beneficial owners of legal entities. Intended to clarify and strengthen existing CDD requirements, the final rule applies to banks, brokers or dealers in securities, mutual funds, futures commission merchants, and introducing brokers in commodities. These covered entities must now collect certain identifying information on the "beneficial owner" of accounts—the natural person who owns and controls the legal entity—and verify such information.

"The CDD Final Rule advances the BSA by making available to law enforcement valuable information needed to disrupt illicit finance networks," Treasury said in a statement about the final rule. "This will in turn increase financial transparency and augment the ability of financial institutions and law enforcement to identify the assets and accounts of criminals and national security threats. This will also facilitate compliance with sanctions programs and other measures that cut off financial flows to these actors."

The FinCEN rule is deceptively simple. It defines "legal entity customers" to include corporations, limited liability companies (LLCs), general partnerships, and other entities that are created by filing a public document or formed under the laws of a foreign jurisdiction. Excluded from the definition are a number of different types of financial institutions, as well as investment advisers, certain entities registered with the Securities and Exchange Commission, insurance companies, and foreign governmental entities that are engaged only in noncommercial, governmental activities.

Treasury set forth three "core elements" of CDD: identifying and verifying the identity of the beneficial owners of companies opening accounts; understanding the nature and purpose of customer relationships to develop customer risk profiles; and conducting ongoing monitoring to identify and report suspicious transactions, and, on a risk basis, to maintain and update customer information. Every financial institution should include explicit requirements for these elements in its Bank Secrecy Act and anti-money laundering (BSA/AML) program, Treasury said, which will enable clarity and consistency across sectors.

Under a new requirement in the final rule, covered entities must identify and verify the identity of the beneficial owners of all legal entity customers at the time a new account is opened (even where an existing customer opens a new account).

The financial institution should identify each person or individual who owns 25 percent or more of the equity interests in the legal entity customer and at least one individual who exercises "significant managerial control" over the customer. The two-part process may identify the same individual, and if no individual owns 25 percent or more of the equity interests, then a beneficial owner may be identified solely under the control prong. Financial institutions have a choice about how to comply with the identification rule by using a standard certification form provided by Treasury or "by any other means that satisfy" the substantive requirements of the obligation. The final rule published in the Federal Register includes the certification form.

Like the Customer Identification Program recordkeeping requirement, covered financial institutions must maintain records of the beneficial ownership information collected for five years after the end of the customer relationship and records of steps taken to verify the information for five years after verification. Regulatory expectations that the institution will conduct ongoing monitoring to identify and report suspicious transactions and—on a risk basis—maintain and update customer information are unchanged.

The new Treasury proposal focuses on the beneficial owners of foreign-owned single-member LLCs. These entities would be subject to additional reporting and recordkeeping requirements under the proposal, with the LLCs required to obtain entity identification numbers from the Internal Revenue Service (IRS) (which in turn mandates the identification of a natural person as a responsible party), file an information tax return form each year with the IRS to identify "reportable transactions," and maintain records and books in support.

In addition, Treasury sent beneficial ownership legislation to Congress for consideration. "The Administration is committed to working with Congress to pass meaningful legislation that would require companies to know and report adequate and accurate beneficial ownership information at the time of a company's creation, so that the information can be made available to law enforcement," the agency explained. "The misuse of companies to hide beneficial ownership is a significant weakness in the U.S. anti-money laundering/counter financing of terrorism regime that can only be resolved by Congressional action."

The Treasury proposal would require companies formed in the United States to file beneficial ownership information with Treasury at the time of creation or ownership transfer, with civil money penalties for the failure to comply. Technical amendments to the Geographic Targeting Order (GTO) authority would also clarify FinCEN's power to collect information under GTOs, such as those issued earlier this year addressing "all cash" real estate purchases made in Miami and New York City.

To read the final CDD rule, click here.

To read the NPRM, click here.

To read the proposed legislation, click here.

Why it matters

Furthering Treasury's goal of cracking down on money laundering, the final rule strengthens CDD requirements for financial institutions. While the rule goes into effect in July, covered entities have until May 11, 2018, to achieve compliance. The extension for implementation was one of several changes FinCEN made from the August 2014 proposed rule, including expanding the list of exemptions and making use of the standardized beneficial ownership form optional. Treasury "has long focused on countering money laundering and corruption, cracking down on tax evasion, and hindering those looking to circumvent our sanctions," Treasury Secretary Jacob J. Lew said in a statement about the final rule, NPRM, and proposed legislation. "Building on years of important work with stakeholders, the actions we are finalizing today mark a significant step forward to increase transparency and to prevent abusive conduct within the financial system."


RushCard Settles Service Disruption Suit for $20.5M

RushCard will pay a total of $20.5 million to settle a lawsuit over an incident that resulted in thousands of consumers being shut out of their prepaid card accounts last October.

What happened

According to the prepaid card company, a switch in payment processors caused the high-profile interruption in service lasting from October 12 to October 31 that triggered a Consumer Financial Protection Bureau (CFPB) investigation as well as several class action lawsuits.

Multiple suits were filed and consolidated in New York federal court. Plaintiffs claimed that during the service disruption, they were unable to access their RushCard accounts, and therefore, their funds, resulting in economic harm such as missed bill payments (with accompanying late fees) and the inability to pay for daily living expenses. Causes of action included negligence, breach of contract, breach of fiduciary duty, unjust enrichment, conversion, fraud, and violations of consumer protection statutes.

RushCard countered with multiple defenses, most notably an arbitration provision in the customer agreement that would prevent classwide resolution of the lawsuits.

To avoid protracted litigation—and its costs—the parties reached a deal.

The nationwide settlement class covers all cardholders with an open RushCard account as of October 12. Previously, the defendant provided a "fee holiday" for account holders from November 1, 2015, to February 29, 2016. During this period, cardholders were not assessed any monthly fees, transaction fees, ATM fees, or any other fees provided for in the fee schedule of the cardholder agreement in effect at the time. RushCard also provided certain cardholders with a $25 account credit.

On top of these benefits that have already been provided, the settlement provides for three tiers of relief for class members. In Tier One, class members will be reimbursed for all fees assessed by the defendant during the period of October 12 through 31 to the extent the fees were not previously reimbursed or credited. Monthly fees for October 2015 will be prorated such that class members will be reimbursed for the portion of monthly fees allocable to the service disruption. Class members do not have to file a claim or take any action to receive Tier One benefits. Including the previously issued credits, fee reimbursements are estimated to be in the neighborhood of $12.5 million.

For Tier Two relief, RushCard agreed to pay up to $100 to class members who attempted to use their RushCard or access their account during the service disruption, and who suffered a financial or other loss as a result but do not have, or do not wish to provide, documentation of their loss. The $100 payment is subject to an offset for any prior payments received to compensate for out-of-pocket expenses, other than the fee holiday. RushCard will pay up to $5 million for Tier Two claims.

In Tier Three, class members who provide "reasonable documentation of substantiated losses" will be eligible for a payment of the lesser of the substantiated losses or $500 (also subject to an offset for prior payments). A total of $1.5 million will be provided by RushCard for Tier Three payments; any unclaimed amounts in either Tier Two or Tier Three funds will revert back to the defendant.

RushCard also promised to pay for the costs of claims administration, class notice, service awards of $500 for each of the 15 class representatives, as well as attorneys' fees and expenses not to exceed $1.5 million.

"The valuable benefits made available pursuant to the settlement squarely address the issues raised in the litigation and provide very significant relief to the proposed Settlement Class Members," the plaintiffs argued in their memorandum in support of the unopposed motion for preliminary approval of the settlement.

Noting that more than 400,000 individuals maintained RushCard accounts during the service disruption, the plaintiffs argued that the deal was "fair, adequate, and reasonable," asking the court to grant preliminary approval.

To read the plaintiffs' memorandum in support of the unopposed motion for preliminary approval of the settlement in Fuentes v. UniRush, click here.

Why it matters

On May 17, U.S. District Court Judge J. Paul Oetken granted preliminary approval to the $20.5 million deal, likely closing the chapter on the RushCard service disruption. However, the incident drew attention to the prepaid card industry generally and may have provided additional support for the Consumer Financial Protection Bureau (CFPB) in its efforts to enact new regulation of prepaid accounts. The Bureau released proposed regulations for the prepaid card market in November 2014, but they have yet to be finalized.


Latest Blow To Payday Lenders: Google Ban

Joining the ranks of guns, drugs, and illegal activities, payday loan advertisements are no longer allowed on Google.

What happened

"When reviewing our policies, research has shown that these loans can result in unaffordable payment and high default rates for users so we will be updating our policies globally to reflect that," Google's Global Product Policy Director David Graff blogged about the decision. "This change is designed to protect our users from deceptive or harmful financial products and will not affect companies offering loans such as Mortgages, Car Loans, Student Loans, Commercial loans, Revolving Lines of Credit (e.g. Credit Cards)."

The new policy takes effect July 13 and will apply to paid ads for loans and some related products where repayment is due within 60 days of the date of issue. In the United States, the prohibition will also include advertisements for loans with an annual percentage rate of 36 percent or higher. Links for payday lenders will still appear in Google's organic search results.

Reaction to the move was mixed. Consumer advocacy groups hailed the policy change, with Wade Henderson, president and CEO of The Leadership Conference on Civil and Human Rights, issuing a statement that Google's new stance "addresses many of the long-standing concerns shared by the entire civil rights community about predatory payday lending. These companies have long used slick advertising and aggressive marketing to trap consumers into outrageously high interest loans—often those least able to afford it."

On the other end of the spectrum, the Online Lenders Alliance released a statement calling the ban an "unprecedented abuse of power" that will only exacerbate the inability of consumers to have access to credit. "It's disappointing that a site created to help give users full access to information is making arbitrary choices on the advertisements users are allowed to see from legal businesses," the group said. The Community Financial Services Association of America agreed, releasing a statement critical of the "blanket assessment about the payday lending industry rather than discerning the good actors from the bad actors. This is unfair towards those that are legal, licensed lenders."

Other search engines—including Yahoo and Bing—still permit payday loan ads; Facebook enacted a similar prohibition last August.

Google's position brings the company in line with state and federal regulators cracking down on the payday lending industry, from the Federal Trade Commission to New York's Department of Financial Services.

The Consumer Financial Protection Bureau (CFPB) has now released a report finding that online payday loans "add a steep, hidden cost" to consumers by racking up bank fees. The Bureau also expects to publish a rule on payday lending later this spring.

To read Google's blog post announcing the ban, click here.

Why it matters

In the blog post announcing the change, Google said it plans to continue to review the effectiveness of the new policy, "but our hope is that fewer people will be exposed to misleading or harmful products." Advocacy groups have reportedly now turned their attention to other search engines with the hopes they will follow in Facebook's and Google's footsteps and adopt a similar ban.


LendingClub Hit With Class Action Over Usurious Interest

A New York resident, Ronald Bethune, accused LendingClub Corporation of violating the state's usury laws by charging him 29.97 percent interest on his loan—roughly twice the 16 percent limit under New York law and high enough to trigger criminal usury charges. Bethune alleges LendingClub did not have the right to charge an amount above the New York limit, despite using a bank from outside the state in accordance with applicable law and general practices.

What happened

In June 2015, Ronald Bethune completed a loan arranged by LendingClub in the amount of $33,250 at 29.97 percent interest, payable in 60 equal monthly installments. The amount of interest paid on the principal over the five-year period was almost the same as the principal loaned to Bethune.

The defendant's business model is based on "cutting out the banks from the personal consumer loan process, and replacing them with an internet-based matching system where private investors fund private borrowers' personal loans, with [LendingClub] assuming the role of the bank to facilitate and service the loans," according to Bethune's New York federal court complaint.

According to the complaint, LendingClub marketed to and solicited consumers to submit applications for funding, created the application, and established the loan criteria. The defendant then performed the traditional bank function of performing a credit analysis on the borrower and, based on that analysis, set the interest rate and repayment terms for the borrower's promissory note.

The company then made information available to investors to find lenders who could agree to fund a portion of a loan, an entire loan, or a group of loans. Once a lender steps forward, the borrower receives the approved loan amount, with LendingClub holding onto the note as the holder and servicer.

"There is nothing that Plaintiff alleges was illegal or improper about the above-described business model of [LendingClub], with the very significant exception that a large percentage of the notes that [LendingClub] has entered into with individual consumers, including Plaintiff, carry an interest rate that violates the state law where the borrower resides," Bethune alleged.

According to Bethune, LendingClub created a "pass through" sham party known as WebBank to avoid state usury laws and remain unregulated by the government. Instead of building in "a legitimate bank" in a state without usury laws, LendingClub "elected to create the illusion that a bank (without usury rate limitations) was lending the funds to the borrowers, so as to attempt to legitimize the otherwise usurious loans," Bethune alleged. This allowed the defendant to "actively circumvent state usury laws, while avoiding a significant share of the income with a legitimate banking institution, or being forced to accept the regulatory and governmental oversight of the marketing, sale, and servicing of its loans."

According to Bethune, until recently, WebBank did not have any bank offices and was fully owned and controlled by a nonfinancial institution. In 2015, it held only $226 million in assets while purportedly funding almost $4 billion in loans for LendingClub, the plaintiff said. WebBank existed simply to act as a funding agent in the state of Utah—which has no usury limits—and then transfer the note after two days to LendingClub.

The defendant was forced to change its practices after a recent Second Circuit Court of Appeals decision in Madden v. Midland Funding, LLC, the plaintiff added, leading to an "enhanced relationship" between LendingClub and WebBank.

Bethune's suit seeks to certify a class of borrowers nationwide with a subclass of New York consumers. In addition to claims that LendingClub violated state usury laws, the complaint seeks to hold the defendant responsible under the federal Racketeer Influenced and Corrupt Organizations Act (RICO) based on the enterprise consisting of LendingClub and WebBank and the predicate acts of a scheme to charge usurious interest rates facilitated by the use of U.S. mail and wire.

Restitution—including disgorgement of all profits and unjust enrichment—as well as actual and exemplary damages and an order enjoining LendingClub from its allegedly improper conduct and practices were requested in the complaint as remedies for the class.

Key takeaways from this case:

  • This case is in substance an attack on the way marketplace lending platforms use funding banks. Nothing alleged by the plaintiff is different from the defendant's ongoing business practices.
  • The first issue in this case is whether the mandatory arbitration clause with class action waiver will be enforced by the courts. The CFPB has proposed disallowing such practice, but its action is not final in this regard and there is much debate regarding the subject.
  • Marketplace lenders legally originate loans using banks such as WebBank, which are state-chartered and FDIC-insured, which enables them to operate in other states and export the interest rate allowed by the home state. This is done through the Federal Deposit Insurance Act and the full faith and credit principle.
  • What is interesting about this case is that it attempts to broaden the CashCall v. Morrissey decision from the West Virginia Supreme Court, which held that the originating platform was essentially acting as the true lender and that the bank's role was insufficient. This is different than the Madden case, which challenges the ability of a nonbank to charge bank interest under federal preemption grounds. In contrast, Bethune challenges whether there ever was a real bank.
  • What we know about LendingClub and other marketplace lending platforms is that the role of the banks is generally quite robust in comparison to other online lending platforms and that the originating platforms are in close contact with the banks and employ the banks' policies and procedures. Moreover, loans are originated with bank funds, not platform funds. It is questionable whether this case will succeed on the merits.

To read the complaint in Bethune v. LendingClub Corp., click here.
