On July 31, 2018, the U.S. Department of the Treasury (“Treasury”) released a report on “Nonbank Financials, Fintech, and Innovation,” its fourth and final report on the U.S. financial system pursuant to Executive Order 13772 (the “Report”). At over 200 pages long, with 80 separate recommendations, the Report addresses products and services ranging from payments and marketplace lending to debt collection and wealth management. While many of Treasury’s recommendations would have a positive impact on creating a national and state regulatory environment to foster innovation in financial services, the Report is ambitious, and implementing many of its recommendations will be a massive effort in legislation, policy-making and regulatory oversight.
The Report outlines four broad areas of focus: (1) adapting regulatory approaches to the aggregation, sharing, and use of consumer financial data; (2) aligning the regulatory framework to combat unnecessary fragmentation, and addressing new business models enabled by new financial technologies; (3) updating activity-specific regulations across a range of products and services offered by nonbank financial institutions; and (4) promoting agile regulation and responsible experimentation.
Here are some highlights of the Report’s recommendations:
Federal Fintech Charter: The Report sets forth several recommendations to update the U.S. regulatory framework to better enable innovation in financial services. Most notably, Treasury recommends that the Office of the Comptroller of the Currency (“OCC”) move forward with its proposed special purpose national bank charter (the “Fintech Charter”). Originally announced in December 2016, the Fintech Charter had stalled, due in part to the transition from the Obama to Trump administrations and the resulting change of OCC leadership, as well as lawsuits by the Conference of State Bank Supervisors (“CSBS”) and the New York State Department of Financial Services (“NYDFS”) attempting to block the charter. (Both lawsuits were dismissed as unripe because the OCC had not yet decided whether to grant charters. But similar lawsuits almost certainly will be brought if the OCC actually begins granting Fintech Charters).
The Report recommends that the OCC continue to develop its Fintech Charter, which Treasury describes as an additional means to both reduce regulatory fragmentation and support beneficial business models. The Report lays out specific suggested criteria for Fintech Charter applicants—for example, that applicants not be permitted to accept FDIC-insured deposits, to reduce risks to taxpayers. Remarkably, just hours after the release of the Report, Comptroller of the Currency Joseph M. Otting separately announced that the OCC will begin accepting applications for Fintech Charters from fintech companies that are engaged in the business of banking, but do not take deposits. Also in line with Treasury’s recommendation in the Report, the OCC announced that the Fintech Charter does not require deposit insurance from the FDIC.
Harmonizing State Regulation: For several years running, nonbank fintech firms have raised concerns about the lack of regulatory harmonization across U.S. state-based regulatory regimes, particularly on money transmission and lending activities. An online or mobile fintech startup could potentially reach customers in all 50 states upon launch, and with that national, multi-state reach comes significant regulatory and licensing requirements and costs if the fintech startups’ activities were to require state level licensing (and also some costs to determine whether licensing is even required or not).
The Report does not recommend complete preemption of state laws and regulations, but instead that state regulators “strive to achieve greater harmonization.” Treasury suggests states consider drafting model laws that can be uniformly adopted, and also applauds states’ current efforts to streamline licensing requirements and coordinate examinations. For example, Treasury specifically supports Vision 2020, an effort by CSBS to improve state regulation through harmonizing the multi-state supervisory processes and redesigning the Nationwide Multistate Licensing System (“NMLS”). Treasury also cautions, though, that such efforts must be “much more accelerated” and recommends that if states are unable to achieve meaningful harmonization within three years, the U.S. Congress should step in to “encourage greater uniformity in rules governing lending and money transmission to be adopted, supervised, and enforced by state regulators.”
Regulatory Sandbox: The fragmented nature of the U.S. financial regulatory system (federal and state) requires fintech firms to engage with several, even dozens of, regulators, which causes significant burdens in terms of time, money, and startup capital. Fragmentation also raises the likelihood of inconsistency, or even direct conflict among regulator interpretations and positions.
The Report recommends that federal and state regulators establish a unified regulatory sandbox to coordinate and expedite regulatory relief and permit meaningful experimentation for innovative products, services, and processes. The Report states that Treasury will work with federal and state financial regulators to design it. The Report further states that if regulators cannot or will not coordinate a single regulator solution, then Treasury recommends that Congress should consider legislation to provide for a single regulatory sandbox, including preemption of state laws if necessary.
Payments: Innovation and disruption by nonbank fintech firms has been increasingly visible in the payments space. New technologies and companies have heightened consumer expectations for the speed and convenience of payments in online and mobile commerce. But significant barriers to entry and innovation exist in payments. For money transmitters—generally nonbank firms that transfer funds or value between individuals—regulation is highly fragmented. Money transmitter licensing is governed by state law and for any fintech firm with a nationwide footprint, either a license or determination of exemption from licensing is necessary in every state prior to launch. Despite the fragmented regulatory framework and layered nature of the legacy payment systems (check, credit/debit card, ACH and wire), payments has been an area of increasing innovation and competition.
On money transmission, the Report recommends that states work to harmonize money transmitter requirements for licensing and supervisory examinations. In addition, Treasury encourages the Federal Reserve to move quickly to facilitate a faster retail payments system, perhaps by developing a real-time settlement service, that would allow for more efficient and widespread access to innovative payment capabilities. Such a system should take into account the ability of smaller financial institutions, such as community banks and credit unions, to access innovative technologies and payment services.
Consumer Access to Financial Data: Vast amounts of currently available financial and transaction data can be readily aggregated and analyzed through data mining, artificial intelligence (“AI”) and machine learning. Applications that draw on this data make it possible for consumers to view banking and other financial account information (often held at different financial institutions) on a single platform, compare financial and investment products, and even make payments or execute transactions. That said, significant questions remain about how these data aggregation-focused fintechs operate and how they should be regulated.
In the U.S., most data aggregation fintechs still access consumer financial data through “screen-scraping.” There has been no regulatory requirement or industry consensus to migrate to data sharing via application programming interfaces (“APIs”), despite APIs generally being viewed as providing more secure access to data. This issue also raises questions of security and liability for failing to keep customer data secure as required under the federal Gramm-Leach-Bliley Act (“GLBA”) and state privacy/data security laws (such as the NYDFS cybersecurity regulations). FIs have expressed concerns that they may bear the burden of any losses arising from a breach or compromise of consumer information at the data aggregator or a downstream fintech application. Data aggregators and consumer fintech application creators counter that FI API access could restrict types of data the data aggregators are able to access.
The Report does not recommend that fintechs and FIs move to APIs for consumer data sharing. Rather, the Report recommends that the banking regulators remove ambiguity stemming from the third-party guidance that discourages banks from moving to more secure methods of data access such as APIs, and that “Treasury believes that the U.S. market would be best served by a solution developed by the private sector” and that such a private solution “should address data sharing, security, and liability.” But Treasury’s position does not acknowledge the current regulatory requirements that place security obligations and liability on the FIs, with little incentive for nonbank fintechs to take on security and liability obligations absent a specific regulatory requirement. Here, the Report falls short of the clarity that both FI and nonbank industry participants have sought
Data Breach Notice
The Report highlights that the U.S. does not have a national law establishing security standards for nonbanks regarding sensitive personal information, uniform standards for data breach notifications, or providing a mechanism to resolve data breach disputes. The Report notes that in the absence of a federal law, states have been aggressive in developing their own data security and breach notification laws. Each state law may apply to any company located in that state or that does business with residents of that state. In practice, this means that in the event of a data breach companies could be subject to the data breach notification laws of 50 states as well as of the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands, establishing in effect a “most restrictive alternative” scheme.
State laws for data breach notification often include specific provisions regarding the number of affected individuals that will trigger notification requirements, the timing of notification, and form of notification, among other requirements. Unsurprisingly, state data breach notification laws are far from uniform. Indeed, they vary in a number of significant ways, including with respect to the most fundamental aspect: the scope of data covered under the definition of “personal information.” Other inconsistencies among states’ breach notification laws can make compliance difficult for firms and foster disparate treatment for consumers. The lack of uniformity and efficiency affects both non-banks and financial institutions.
The Report contains a specific recommendation that Congress enact a federal data security and breach notification law to protect consumer financial data and notify consumers of a breach in a timely manner. According to Treasury, such a law should be based on the following principles:
- Protect consumer financial data
- Ensure technology-neutral and scalable standards based on the size of an entity and type of activity in which the entity engages
- Recognize existing federal data security requirements for financial institutions (such as GLBA)
- Employ uniform national standards that preempt state laws
Overall, the Report posits that, for U.S. fintechs to remain competitive on the global market, it is critical that U.S. regulators evolve and not to allow fragmentation in the U.S. financial regulatory system to impede innovation. But many of the Report’s recommendations face significant practical obstacles. Many require action by Congress, which is always a challenge. Other Report recommendations hinge on adoption of uniform state legislation—for example, that states draft and adopt a model law for money transmission licensing and regulation. Yet such a model law already exists—the Uniform Law Commission published the Uniform Money Services Act in 2000—and to date it has only been enacted in 12 states. Finally, other recommendations require a coordinated effort by different, and often competing, stakeholders. For example, the creation of one regulatory sandbox requires more than 50 different regulatory agencies to cooperate and cede their own jurisdiction to one (yet to be determined) regulator.
But at least a few agencies have shown a willingness to cooperate. The OCC is moving forward with accepting Fintech Charter applications. The CFPB announced in July 2018 that it was creating a new Office of Innovation, to focus on policies for facilitating innovation, engaging with entrepreneurs and regulators, and reviewing outdated or unnecessary regulations.
The Report establishes a comprehensive framework for a large-scale industry, legislator and regulator conversation on how best to adjust the U.S. financial services regulatory regime to the fast-moving and potentially revolutionary changes currently underway in financial technology, and how best to position the U.S. as a fintech-forward nation. If you have questions regarding the Report, or regarding bank or nonbank fintech products and services, please contact a member of Dykema’s Fintech, Payments and Digital Commerce Group or Financial Services Regulatory and Compliance Group.
To sign up for e-mail updates from the NextGen Financial Services Report, click here.