chevron-down Created with Sketch Beta.

The Business Lawyer

Winter 2021-2022 | Volume 77, Issue 1

Developments in the Laws Affecting Electronic Payments and Financial Services

Stephen Middlebrook, Sarah Jane Hughes, Thomas Burke Kierner, and Peter Maskow

Summary

  • In this year’s survey, we discuss rulemakings, enforcement actions, and other litigation that has significantly impacted the law governing payments and financial services.
  • In Parts II and III, the regulation of FinTech entities is explored. Parts IV and V address virtual currency applications. Parts VI and VII cover updates from the CFPB. Part VIII identifies an FTC warning on the use of AI.
  • Finally, in Part IX, we provide our thoughts on what business lawyers may expect to see in the next year or two.
Developments in the Laws Affecting Electronic Payments and Financial Services
iStock.com/GoodLifeStudio

Jump to:

I. Introduction

The past year proved to be a busy period for the regulation of electronic payments and financial services. In this year’s survey, we discuss rulemakings, enforcement actions, and other litigation that has significantly impacted the law governing payments and financial services. Part II addresses the ongoing fight between federal and state authorities over which should properly regulate FinTech entities and describes some new steps the Office of the Comptroller of the Currency (“OCC”) has taken to assert its authority in this area. Part III details an enforcement action that California regulators took against a FinTech company they determined had misrepresented its relationship with its banking partner. Efforts by both federal and state regulators to assert their authority over virtual currency, including a relatively new form of virtual currency called a stablecoin, are discussed in Part IV. The decision of a federal judge upholding the application of the District of Columbia’s money transmission statute to a virtual currency business is addressed in Part V. Part VI covers much-needed guidance from the Consumer Financial Protection Bureau regarding Earned Wage Access products while Part VII discusses the Bureau’s loss of a court challenge to part of its regulations governing prepaid accounts. In Part VIII, we address a warning from the Federal Trade Commission (“FTC”) to businesses employing artificial intelligence that the use of algorithms that discriminate based on race or other protected classes is a violation of federal law. Section IX provides our thoughts on what business lawyers may expect to see in the next year or two.

II. A Busy Year for the Regulators, FinTechs, Assignees of Loans, and Digital Assets Entities

In 2020 the OCC finalized two rules that deftly would have provided FinTechs with many benefits of Special Purpose National Bank Charters (“SPNBCs”) without corresponding charter obligations. These rules were the Permissible Interest on Loans that Are Sold, Assigned, or Otherwise Transferred Rule (“Valid-When-Made Rule”) and an ill-fated National Banks and Federal Savings Associations as Lenders Rule (“True Lender Rule”). The OCC also continued defending its SPNBC plans against the challenge brought by the New York State Department of Financial Services (“DFS”). This Part describes these developments and the FDIC’s companion Valid-When-Made Rule.

On July 31, 2018, the OCC announced its plans to take applications for SPNBCs from FinTechs. DFS challenged the OCC’s plans on September 14, 2018, arguing that the OCC lacked authority to charter entities that did not take deposits, absent express statutory authority to do so. DFS prevailed in the trial court. The OCC appealed and, as the survey year closed, the Second Circuit decided in favor of the OCC on standing and ripeness grounds and remanded the action to the district court.

The Valid-When-Made Rule clarified that assignees of bank-originated obligations may charge interest “permissible before the transfer . . . after the transfer.” The OCC cited National Bank Act authority under 12 U.S.C. § 24 to make loans, enter into contracts, and sell loans made and to transfer obligations under contracts made. The rights of assignees to enforce contract terms including interest rates was the issue in Madden v. Midland Funding, LLC, in which the buyer of consumer credit-card obligations bought from a Delaware national bank sought to collect from a New York resident. The consumer argued that the purchaser was entitled not to the interest rate allowed by the agreement but to a lower rate provided for under New York’s usury law. The Valid-When-Made Rule constituted a regulatory work-around—or rejection— of the Second Circuit’s position that assignees were not covered by the preemption of state usury ceilings that national banks and federal thrifts that originated the loans enjoy under federal laws.

The FDIC promulgated its own Valid-When-Made Rule on July 22, 2020. The FDIC relied on section 27 of the FDI Act to allow state banks (the OCC rule applies to national banks) to export interest at rates permissible in the state where the bank is located. Seven states challenged the rule on August 20, 2020. The action was pending as this survey year ended.

The OCC’s later-repealed True Lender Rule could have resolved legal uncertainty about which entity—the chartered depository institution or its non-bank partners—originated loans and, consequently, whether federal or state interest-rate laws govern these loans. The Rule provided that the lender is the bank that either (1) is named in the loan agreement as the lender or (2) funded the loan. The Rule also provided that “[i]f, as of the date of origination, one bank is named as the lender in the loan agreement for a loan and another bank funds that loan, the bank that is named as the lender in the loan agreement makes the loan.” The party that is the lender on this basis is responsible for compliance with federal laws for the loans.

On May 11, 2021, the Senate passed a resolution to repeal the True Lender Rule under the Congressional Review Act, which also enjoins subsequent promulgation of the same or a similar rule unless specifically authorized by a law enacted after the disapproval. After this survey year closed, the House passed the resolution and the President signed it. Thus, the opportunity that the Rule would have provided to FinTechs is dead.

This survey year also produced the first sanctions imposed by the Treasury Department’s Office of Foreign Assets Control (“OFAC”) against digital asset firms. The first of these actions involved BitGo, a provider of technology that enables digital currency transactions. The 183 “apparent violations”—all between March 10, 2015, and December 11, 2019—involved digital currency transactions by persons in Crimea, Cuba, Iran, Sudan, and Syria for which BitGo allegedly had “reason to know” of the users’ locations. BitGo settled the claims for $98,830. On February 8, 2021, OFAC announced that a second similar action, against BitPay, Inc., was settled for $507,375.

In a February 2021 regulatory filing with the Securities and Exchange Commission, Coinbase disclosed that certain of its transactions were “under review” by OFAC. The two settlements and the regulatory filing make clear that sanctions compliance for digital assets entities is a growing part of OFAC’s work.

III. California Settles Claims Against FinTech Company for Misrepresenting Banking Services

FinTech providers were also under scrutiny at the state level. In March 2021, the California Department of Financial Protection and Innovation (“DFPI”) entered into a settlement agreement with Chime regarding Chime’s use of the words “bank” and “banking” in marketing the company’s products. Chime is a FinTech that works with bank partners to offer consumer bank accounts online. It manages the programs on behalf, and with the oversight, of the bank partners. But Chime is not a bank, and according to the DFPI Chime was not clear enough about this fact. Its principal website domain was chimebank.com, and its marketing efforts contained language that, according to the DFPI, could lead consumers to think they were banking with Chime.

Chime escaped without financial penalty, but was required to make significant changes to its marketing efforts. Chime agreed to cease using its domain “chimebank.com,” beef up its internal marketing compliance program, and clearly disclose that it is not a bank and that banking services are being provided by Chime’s bank partners. Much has been written over the last few years about the rise of so-called “neobanks” and their disruption of the traditional consumer financial services market. However, these companies, like Chime, are often not banks at all. The Chime settlement agreement with DFPI is a good reminder that FinTech companies, in their quest to create a cohesive brand strategy, should be careful not to misrepresent their role.

IV. Regulatory Guidance and Challenges Related to Virtual Currency and the Adoption of Stablecoins for Payment Activity

A. OCC Issues Interpretive Letter Permitting the Use and Creation of Stablecoins by Banks, But for How Long?

In January 2021, the OCC issued an interpretive letter allowing banks to use Independent Node Verification Networks (“INVNs”) and stablecoins for payment activities. An INVN is “a shared electronic database where copies of the same information are stored on multiple computers.” Stablecoins are assets “designed to maintain a stable value relative to an identified fiat currency.” The letter expanded upon prior statements permitting banks to facilitate cryptocurrency and fiat currency exchange transactions, and encouraging them to hold “reserves” for stablecoins on at least a one-to-one basis.

The OCC drew on precedent authorizing a national bank to offer an electronically stored value (“ESV”) system, characterizing ESV as the electronic equivalent of paper payment systems and likening ESV’s functionality to services already provided by banks. The OCC observed that the distinction between stablecoins and cards with ESV used to facilitate cashless payments is merely “technological in nature.” The letter also noted stablecoins’ efficiency in the retention, transfer, transmission, and exchange of fiat currency value and their particular usefulness in cross-border transfers.

The OCC found that banks possess the requisite expertise to facilitate exchange, settle transactions, and manage their position as a financial intermediary. These factors, coupled with the demand for banks to use INVNs and stablecoins, led the OCC to conclude that banks may “validate, store, and record payments transactions by serving as a node on an INVN,” and to approve the use of INVNs and stablecoins for permissible payment activities. Finally, the letter permits banks to “buy, sell, and issue stablecoin to facilitate payments.”

The OCC acknowledged risks concomitant with stablecoins, including difficulty in verifying parties to a transaction and the need to safeguard reserve assets, maintained on a one-to-one ratio, to ensure satisfaction of liquidity needs and to cover potential losses. Moreover, it cautioned that cryptocurrency payment activities increase risks associated with Bank Secrecy Act and anti-money laundering compliance, and that stablecoin issuance requires conformity with applicable securities regulations.

Acting Comptroller Michael Hsu has asked OCC staff to review the agency’s cryptocurrency actions. Hsu expressed concern that the OCC’s cryptocurrency positions lacked “full coordination with all stakeholders” and were not part of a broader regulatory strategy.

B. New York Resolves Regulatory Action Against Stablecoin Issuer and Cryptocurrency Exchange

Demonstrating that concerns about stablecoin reserves are well-founded, the New York Attorney General (“NYAG”) investigated a cryptocurrency exchange platform, Bitfinex, and the issuer of the stablecoin Tether. The NYAG found that Tether’s disclosures about the reserves claimed to back the stablecoin were misleading. Specifically, the NYAG found that Tether included in its “reserves” money lent to Bitfinex, failed to announce changes made to its reserve disclosures (despite the disclosures’ referencing “other assets and receivables from loans” as a component of reserves), and failed to disclose Bitfinex’s capital liquidity issues resulting from its loss of control of approximately $850 million. While neither Bitfinex nor Tether admitted the findings, they agreed to pay the State of New York a penalty of $18.5 million, to publish the categories of assets backing its reserves for two years, and to discontinue future activities with New York residents and businesses.

C. FinCEN Issues Notice of Proposed Rulemaking to Track Cryptocurrency Transactions

To enhance the ability of law enforcement agencies to track the flow of money in convertible virtual currency (“CVC”) or digital assets with legal tender status (“LTDA”), the Financial Crimes Enforcement Network (“FinCEN”) issued a proposed rulemaking pursuant to the Bank Secrecy Act. Specifically, the proposed rule would require reporting, record keeping, and verification in connection with transactions greater than $3,000 involving either un-hosted wallets or wallets that are “otherwise covered.” The proposed rule would require banks and money services businesses to report transactions to FinCEN within fifteen days of their occurrence, and to keep records related to their customer, their customer’s CVC or LTDA transactions, and the counterparties to such transactions. FinCEN’s second notice of the proposed rulemaking identified additional authority under the Anti-Money Laundering Act and supplemented information on the reporting.

V. Bitcoin Is “Money” for Purposes of Money Transmission Laws in the District of Columbia

In 2019, Larry Dean Harmon was charged in federal court in the District of Columbia with engaging in money transmission without a license in violation of the D.C. Money Transmitters Act (“MTA”) and with money laundering and operating an unlicensed money transmitting business in violation of 18 U.S.C. §§ 1956 and 1960. The allegations against Harmon related to the operation of a Bitcoin “tumbler”—a service that for a fee would transmit Bitcoin through a series of transactions in an effort to mask the (illegal) origins of the virtual currency. Harmon moved to dismiss the two counts related to money transmission on the grounds that Bitcoin is not money for purposes of the MTA and, thus, his tumbler service was not engaged in money transmission. Although the MTA does not define the term “money,” the court held that the word is commonly understood to mean “a medium of exchange, method of payment, or store of value” and that Bitcoin fell within that definition. Defendant noted that the D.C. Department of Insurance, Securities and Banking (“DISB”), which has authority to enforce the MTA, had indicated on its webpage that virtual currencies were unregulated and consumers should be aware of the increased risks they pose. The court was not persuaded by the DISB webpage, which it viewed as a consumer alert and not an official interpretation of the law, and denied the motion to dismiss.

Subsequently, prosecutors made the court aware of a nonpublic letter DISB had sent to a company that had inquired about the need to obtain a money transmitter license for a virtual currency project. DISB informed the company that it would not need a money transmitter license because virtual currency services do not involve the transmission of money. Based on this new information, the defendant moved for reconsideration. The court denied the motion, holding that the DISB letter was legally not entitled to deference and, even if it was, the reasoning set forth in the letter was entirely unpersuasive. In particular, the court opined that the DISB letter misinterpreted and misapplied guidance on virtual currencies issued by FinCEN. The Harmon decision signals that courts are increasingly capable of sophisticated analysis of virtual currency issues and will not always defer to litigants or administrative agencies when applying the law to virtual currency businesses.

VI. CFPB Issues Advisory Opinion and Guidance on Earned Wage Access Products

On December 10, 2020, the Consumer Financial Protection Bureau (“CFPB”) issued an advisory opinion regarding Earned Wage Access (“EWA”) products. The advisory opinion primarily addresses the question of if and when an EWA program is covered by the Truth in Lending Act (“TILA”) and Regulation Z. EWA products provide workers with access to funds that they have earned but that have not yet been paid to them. The advisory opinion concludes that EWA programs that meet certain requirements are not an “extension of credit” and not subject to TILA or Regulation Z.

The advisory opinion builds upon commentary included in regulations regarding payday lending issued in 2017. Those regulations suggested that an EWA product that allows an employee to draw accrued wages ahead of a scheduled payday recoups the advance through payroll deduction, and does not provide recourse against the employee might not be a form of lending. Relying on the 2017 regulations, the CFPB concluded that EWA programs that “provide access to the consumer’s own funds” through transactions that are “limited to the accrued cash value of employee wages” are not an extension of credit for purposes of Regulation Z.

Under CFPB’s advisory opinion, an EWA product qualifies as a Covered EWA Program which is not an extension of credit and not subject to Regulation Z if it meets all of the following criteria:

  1. The provider contracts with the employer.
  2. The advance does not exceed the amount of earned wages verified by the employer.
  3. The employee pays no fee, voluntary or otherwise, for the service. The advance must be sent to an account of the employee’s choice. If the account receiving the advance is a prepaid account offered by the provider, then certain additional fee restrictions apply to the prepaid account.
  4. The provider recovers the advance only through payroll deduction from the next paycheck. One additional deduction may be attempted if the first deduction fails for technical reasons.
  5. If the advance can’t be collected through the payroll deduction, the provider can’t otherwise collect from the employee.
  6. The provider must make certain warranties to employee, including that there will be no fees, no recourse against the employee, and no debt collection activities.
  7. The provider may not conduct a credit assessment or credit reporting.

EWA products that do not verify an employee’s earned wages with the employer, do not recoup the funds through payroll deduction, or that otherwise do not meet these criteria would still potentially be subject to Regulation Z.

CFPB also issued an approval order for an EWA program. Through this type of order, CFPB grants an entity a safe harbor from legal liability regarding a certain product or practice if it follows certain conditions prescribed in the order. The approval order describes one of the entity’s EWA programs and concludes that the EWA product at issue is not an extension of credit. The approved EWA program differs from criteria for a Covered EWA Program in some respects. The EWA program does provide a method to access the EWA payment without a fee, but it also offers other methods of accessing EWA funds that do involve a fee. In addition, while the advisory opinion allows an EWA provider to make a single additional attempt at recoupment if the first attempt fails for technical reasons, the approval order permits the provider to re-present the deduction in the two subsequent paychecks if the initial recoupment fails. CFPB does not explain why the approval order varies from the criteria set forth in the advisory opinion. We expect CFPB will issue additional approval orders or other forms of guidance regarding EWA products in the future.

VII. PayPal Succeeds in Invalidating Parts of the CFPB’s Prepaid Account Rule

The D.C. District Court sided with PayPal in its challenge to two provisions of the CFPB’s Prepaid Account Rule (“Rule”). The provisions, effective on April 1, 2019, were: (i) the highly prescriptive short-form disclosure requirement and (ii) the prohibition on linking credit features to an account for thirty days.

Under the Rule, financial institutions that offer prepaid accounts must generally provide certain pre-acquisition disclosures to consumers. One such disclosure is a tabular short form disclosure that lists the most common fees assessed in connection with the account being issued. The Rule prescribes use and location of disclaimers, pixel and font size, color, and content, among other things. According to PayPal, following the prescriptive tabular format caused confusion and led many customers to believe that PayPal had begun to assess fees for services that were performed for free.

The Rule also requires card issuers to wait thirty days after a consumer registers a prepaid account before linking certain credit features to that account. As applied to PayPal, this prohibited PayPal from allowing consumers to attach their own separate credit products that they’ve had for years to PayPal’s digital wallets for the first thirty days after they have acquired the digital wallet product. The court concluded the CFPB had exceeded its statutory authority with regard to both challenged provisions, granted PayPal’s motion for summary judgment, and vacated both provisions. The CFPB has filed an appeal, so the longer-term status of the Rule is unknown.

The court, however, did not consider PayPal’s argument that the Rule violated PayPal’s First Amendment rights, which is unfortunate. There is growing interest in the intersection of financial disclosure regulations and freedom of speech, and we have previously covered how courts apply First Amendment principles to the “the pervasive and extremely detailed disclosure requirements that regulators frequently impose on electronic financial products and services.”

VIII. FTC Issues Warning Related to the Sale and Use of Artificial Intelligence

The FTC staff announced through an April 2021 blog post that selling or using algorithms that are biased on the basis of race or other protected classes violates federal law. Citing the agency’s experience in enforcing the FTC Act, the Fair Credit Reporting Act, and the Equal Credit Opportunity Act against developers and users of artificial intelligence (“AI”), the FTC offered guidance on how to use AI in a compliant way. When developing algorithms, businesses should ensure that data that the algorithm is built on does not exclude information from particular populations. Once the algorithm is developed, it should be tested, both before initial use and periodically thereafter, to identify and avoid discriminatory outcomes. The blog post also advised businesses to consider using transparency frameworks and independent standards so biases may come to light, and cautioned against making untruthful statements about what the algorithm can do and how the data is used. New technology is never perfect, but the FTC reminds businesses that a practice is unfair if it causes more harm than good.

Financial institutions and FinTechs heavily rely on AI, such as to authenticate customer identity, detect suspicious transactions, prevent fraud, enable better and more efficient customer service, and for many other purposes. This FTC blog post is a good reminder for electronic payment companies to examine existing AI systems to evaluate their risk of noncompliance. After all, as the FTC warned, companies need to hold themselves accountable “or be ready for the FTC to do it for you.”

IX. Conclusion

As in past years, we continue to see regulators struggle to deal with new and evolving financial products. We anticipate that federal and state agencies will continue to fight over which should have primary authority over the FinTechs. Business lawyers should also expect to see additional regulations and enforcement actions in the area of virtual currency. We note that Federal Reserve Chair Jerome Powell has already announced that in the near future the Federal Reserve Board will publish a paper discussing use of new technology in payments, including the possibility of issuing a central bank digital currency. The Board has also issued proposed rules governing the use of FedNow, its new instant payment system which it expects to be available in 2023. As the regulatory framework for real-time payment networks evolves, we expect to see additional actions from CFPB and states with regard to new financial products like Earned Wage Access which are made possible by these new payment networks.

    Authors