Consumer Financial Services Law

Curry Defends OCC's Fintech Charter, New York's DFS Sues

By Craig D. Miller, Partner, Financial Services

Stepping down as the leader of the Office of the Comptroller of the Currency (OCC), Thomas J. Curry highlighted the efforts of the agency to encourage financial innovation, particularly the agency's decision to grant fintech charters, as another lawsuit was filed challenging those charters.

What happened

With his five-year term as comptroller of the OCC ending May 5, Curry spoke at the Fintech and the Future of Finance Conference at Northwestern University about financial innovation. Calling it "an exciting time to be in banking," Curry hailed the ways in which fintech has changed how consumers relate to financial service providers and take charge of their finances.

"For me, one of the most exciting parts of this wave of innovation is the potential for technology to expand access to the unbanked and underserved, in the same way that the Internet helped democratize information," Curry told attendees. "Data from the [Federal Deposit Insurance Corporation] and others show that minorities and other traditionally underserved populations may embrace fintech at even higher rates than the general population."

Innovation is also changing the back end of banking, payments processing and even regulation, he noted, describing his approach as one of "responsible innovation" that fits within a company's business plan, with risks understood and managed and consumers treated fairly.

The OCC has engaged in multiple efforts to support responsible innovation both within banks and among fintech companies, Curry explained, which has resulted in "a debate about the appropriate way to license a fintech company and supervise its activities on a national scale."

He walked through the agency's publications and requests for comment culminating in the March publication of draft licensing standards for fintech charters.

"At the heart of the issue is the fundamental nature of the business of banking—the business of banking is dynamic and I would urge caution to anyone who wants to define banking as a static state," Curry said. "Such a view risks choking off growth and innovation. The federal banking system has served as a common source of strength for communities across the country and for the broader national economy for more than 150 years because it was allowed to adapt to meet the evolving need of consumers, business and communities."

The OCC's efforts are a result of a shift in regulatory perspective, he added. "Early on in this process, we recognized that our regulatory instinct has been to say no and to be too risk averse," he acknowledged. "Over the last two years, we've worked very hard to take a more open approach, while still maintaining appropriate caution to prevent reckless and bad behavior."

Curry's advocacy did little to quell concerns, as a few days later the New York Department of Financial Services (DFS) filed a suit challenging the OCC's decision to grant special-purpose bank charters "to a boundless class of undefined financial technology companies."

The federal court complaint—which largely tracks the allegations in a similar suit filed by the Conference of State Bank Supervisors (CSBS) last month but is more robust in scope—did not hold back in its criticism of the OCC's plans.

"The Fintech Charter Decision is lawless, ill-conceived, and destabilizing of financial markets that are properly and most effectively regulated by New York State," the DFS argued. "It also puts New York financial consumers—and often the most vulnerable ones—at great risk of exploitation by federally chartered entities improperly insulated from New York law. The OCC's reckless folly should be stopped."

Numerous risks result from the OCC's decision, including "weakening regulatory controls on usury, payday loans, and other predatory lending practices" and "creating competitive advantages for large, well-capitalized 'fintech' firms, which can overwhelm smaller market players and thereby stunt rather than foster innovation in financial products and services," the DFS alleged.

The OCC's action is "legally indefensible" because it "grossly exceeds" the agency's statutory authority in violation of a fundamental premise of federal banking law, the complaint stated, and that the "business of banking" necessarily includes deposit taking. Noting that the agency has attempted to exceed the bounds of its statutory authority before, only to be struck down by the courts, the DFS said the OCC self-regulated its power to establish fintech charters in a 2003 regulation that created a new category of nationally chartered institutions described as "special purpose" banks.

"If validated by the courts, this agency sleight of hand, practiced on the barest of administrative records, plus a 'whitepaper' and a manual … would upend almost one and a half centuries of established federal banking law and displace a nation of 50 state financial regulators that annually supervise hundreds of billions of dollars in non-bank transactions," according to the complaint. "There is absolutely no evidence that Congress ever intended, much less expressly authorized, any such seismic shift in the allocation of established regulatory responsibility. For over 150 years, there has been dual authority, split between the federal and state governments, but the business of non-depository, non-bank institutions has been entirely regulated by states."

The DFS cited two examples of concrete harm to New York's financial market stability and consumer protection controls. State-licensed money transmitters using technologically innovative operating platforms could qualify for an OCC charter and "escape" New York's regulatory requirements, stripping "customers of non-depository money transmitters of critical financial protections otherwise guaranteed by New York law," the DFS told the court. "This result is especially troubling when you consider that a disproportionate number of consumers who use money transmitters are often the most economically vulnerable."

Second, the OCC's charter decision "effectively negates New York's strict interest-rate caps and anti-usury laws," the regulator alleged. "This perverse regulatory outcome … could realistically lead in New York to the proliferation of prohibited payday lending by out-of-state OCC-chartered entities seeking to import their usurious trade into the state to exploit financially vulnerable consumers."

The DFS asked for a declaration that the OCC exceeded its statutory authority under the National Bank Act and that the fintech charters are null and void.

To read Comptroller Curry's prepared remarks, click here.

To read the complaint in Vullo v. OCC, click here.

Why it matters

Although former comptroller Curry clearly hoped that financial innovation—including the fintech charters—would be his legacy at the OCC, the DFS's complaint, following on the heels of the CSBS lawsuit, as well as other pushback, leaves that legacy uncertain. Also unclear: how the new Acting Comptroller Keith Noreika will handle the issue. He has yet to take a position on the fintech charters, leaving the industry in a holding pattern to wait and see if the OCC will move forward. At the very least, states are flexing their regulatory muscles against the national agency in an effort to assert control over these critical issues. We expect to see more efforts by states to challenge the OCC's efforts to consolidate power over financial services businesses, including renewed emphasis on rolling out the previously announced statewide integrated licensing and supervisory system.

back to top

President's Executive Order on Cybersecurity: Impact on Banks Unclear

By Richard E. Gottlieb, Partner, Financial Services

President Donald Trump has signed an executive order addressing cybersecurity. But for financial institutions, is the executive order much ado about nothing? Not exactly.

What happened

On May 11, President Trump issued an Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.

President Trump's executive order demands agency-specific cyber reports within 90 days of the order and requires adoption of digital defense standards, the Framework for Improving Critical Infrastructure Cybersecurity, developed by the National Institute of Standards and Technology (NIST). The order further contains three core priorities: (1) protection of federal networks; (2) updating of antiquated systems; and (3) cooperation among federal agencies. Of relevance to financial institutions, the order likewise reinforces earlier initiatives of the Obama administration to enhance the nation's critical infrastructure, including for banks, that are at the "greatest risk of attacks." To protect critical infrastructure, the secretary of Homeland Security will provide a report to President Trump on the vulnerability of electric utility grids as well as financial, healthcare and telecommunications systems. The government will also work to combat botnets.

As for protecting the public online, the order requires the government to establish policies with an emphasis on cyber deterrence and to hire additional cybersecurity experts to help defend the country from hackers.

Other than the sweeping reviews required by the order, President Trump's cyber order is, in many ways, derivative of President Obama's Cybersecurity National Action Plan (CNAP), issued in February 2016. Under that plan, the Obama administration created a Commission on Enhancing National Cybersecurity, established a federal chief information security officer and focused attention on enhancements to the nation's critical infrastructure. Likewise, the Obama administration released a cybersecurity research and development strategic plan, and developed efforts to "deter, discourage and disrupt" malicious activities, including by state actors.

The Trump executive order is similar in a number of ways in that it largely endorses the Obama administration's approach. For example, it largely builds on CNAP by pushing many of its core initiatives, such as focusing on enhancements to the country's so-called "critical infrastructure." For banks and other financial institutions, the executive order offers little new. And by way of contrast, there is far more attention being directed to New York's new and exceedingly more detailed cybersecurity regulations.

Just days before the order, the American Bankers Association (ABA) urged legislators to establish national data protection standards for companies that handle consumers' payment data, a topic omitted from the President's order. While the financial services industry is motivated to provide such protections—in part by requirements such as those found in the Gramm-Leach-Bliley Act (GLBA), and likewise because of New York's tough new cyber standards—the ABA letter noted that just 0.2 percent of records exposed in data breaches were attributable to the financial sector, according to data from the Identity Theft Resource Center.

Companies that are not subject to legislative or statutory requirements, on the other hand, have a less than stellar track record at protecting such information, the ABA said, noting that 81.3 percent of records exposed in breaches this year were at businesses, including retail. With breaches increasing and affecting even more consumers each year, the time has come for other industries to pick up the slack, the ABA wrote.

"It's time to get serious about building a security infrastructure that brings banks, payment networks and retailers together to safeguard sensitive financial data," James Ballentine, executive vice president, congressional relations and public affairs for the ABA, wrote to the members of the U.S. Senate and House of Representatives. "It's time to pass a strong, consistent national standard for fighting data breaches and give consumers the protection they deserve."

The first step toward protecting federal networks: abiding by the NIST cybersecurity framework, Homeland Security adviser Tom Bossert explained at a press conference about the order. Although the government established the framework in 2013 for private companies, it has yet to follow it. "If we don't move to shared services, we have 190 agencies all trying to develop their own defenses against advanced collection efforts," Bossert explained.

The ABA praised the executive order, which "will enhance the security of government systems and help protect our critical financial infrastructure—and ultimately bank customers—through enhanced information sharing and greater cross-industry collaboration," president and CEO of the group, Rob Nichols, said in a statement. "The financial services industry is committed to help protect our country's critical sectors and economic security. America's banks will continue to work closely with the White House, Congress and others to establish clear lines of public-private communication, while avoiding inconsistent or duplicative regulation that might undermine our efforts to protect banks and the customers they serve."

To read the ABA's letter, click here.

To read the executive order, click here.

Why it matters

The executive order reinforces the initiatives of the prior administration, and should be read in conjunction with efforts by state regulators to bring greater protections to financial networks and customer financial data.

back to top

Alleged Overcharges Cost Mortgage Lender $1.4M With California's DBO

By John W. McGuinness, Partner, Litigation

The California Department of Business Oversight (DBO) reached a $1.4 million deal with a mortgage lender after taking action based on alleged overcharges of per diem interest to California borrowers.

What happened

A Michigan-based mortgage lender overcharged "thousands" of California residents, the regulator alleged, which was discovered during regulatory examinations conducted in 2011 and 2013. California law prohibits lenders from charging interest on mortgage loans prior to the business day that immediately precedes the day the loan proceeds are disbursed.

According to the DBO, during the exams, it found that the lender violated this prohibition on so-called per diem interest. The lender agreed to work with the regulator to avoid an enforcement action and conducted a series of self-audit reports during 2015 and 2016 of the 24,755 loans funded during the period of August 2011 to May 2015.

The audits identified a number of loans in which excess per diem interest had been charged or documentation was not available to determine whether an overcharge had occurred, according to the consent order. The lender provided refunds to approximately 3,400 affected borrowers totaling $293,126.54, including payment of the required 10 percent annual interest from the date of the overcharge.

In addition to the audits that already took place, the lender agreed to conduct self-audits using the same procedures and methods for loans funded from May 1, 2015, through Feb. 28, 2017, and promised to continue the self-audit process on new loans for one year following the execution date of the consent order. Each of the audit reports provided to the DBO must include the total number of loans, the number of loans with per diem interest charged, and a determination whether excess per diem interest was charged or the documentation makes it impossible to determine whether excess per diem was charged.

On top of the refunds already paid, the lender will pay $125 for each additional loan revealed in the self-audits where either the borrower was charged per diem interest in excess of that permitted by state law or the loan lacks the required documentation to determine whether excess per diem was charged.

The lender will also pay the DBO a $1.1 million penalty.

To read the consent order, click here.

Why it matters

The DBO continues to take actions against lenders for per diem interest violations. "I'm pleased we have reached this agreement," DBO Commissioner Jan Lynn Owen said in a statement. "It compensates borrowers for the financial harm they suffered, and requires the firm to continue following improved policies and procedures designed to prevent this from happening again."

back to top



pursuant to New York DR 2-101(f)

© 2020 Manatt, Phelps & Phillips, LLP.

All rights reserved