The Business Lawyer

Winter 2024-2025 | Volume 80, Issue 1

The Falcon Cannot Hear the Falconer: Developments in the Laws Affecting Electronic Payments and Financial Services

Stephen Middlebrook, Sarah Jane Hughes, and Tom Kierner

Summary

  • Regulators conducted numerous enforcement actions targeting banks and their failure to supervise the activities of their third-party business partners.
  • Some of these enforcement actions are discussed in Part II. In Part III, enforcement actions taken by state and federal regulators against fintechs related to unfair, deceptive, and abusive acts and practices (“UDAAP”) are reviewed.
  • In Part IV, new guidance from the Consumer Financial Protection Bureau (“CFPB”) on international remittance payments is examined, and in Part V the article discusses Buy Now, Pay Later products.
  • In Part VI, we address the amendments by the Federal Deposit Insurance Corporation (“FDIC”). Part VII examines New York’s first enforcement action under its new Exempt Income Protection Act. Finally, in Part VIII, the article addresses legal developments related to Earned Wage Access products,

I. Introduction

The overarching theme in this year’s survey is the unacceptable distance between some depository financial institutions and the third-party fintech partners for which banks are obligated to provide management and oversight. Over the past year, regulators have demonstrated their concern that “the falcon cannot hear the falconer,” by conducting numerous enforcement actions targeting banks and their failure to supervise the activities of their third-party business partners. We discuss certain of these enforcement actions in Part II. In Part III, we review enforcement actions taken by state and federal regulators against fintechs related to unfair, deceptive, and abusive acts and practices (“UDAAP”), including soliciting tips in lieu of fees, not handling consumer complaints properly, not refunding balances on closed accounts promptly, and using dark patterns and negative options to trick consumers. We examine new guidance from the Consumer Financial Protection Bureau (“CFPB”) on international remittance payments in Part IV and on Buy Now, Pay Later products in Part V. In Part VI, we address the amendments by the Federal Deposit Insurance Corporation (“FDIC”) to its rules regarding advertisements about deposit insurance. In Part VII, we discuss New York’s first enforcement action under its new Exempt Income Protection Act. In Part VIII, we address legal developments related to Earned Wage Access products, including new statutes in three states and new guidance in two other jurisdictions. Part IX provides a brief conclusion.

II. Regulators Continue to Scrutinize Banks’ Third-Party Relationships

In last year’s Cyberspace Law Survey, we wrote about joint guidance issued by the Federal Reserve, the FDIC, and the Office of the Comptroller of the Currency (“OCC”) to banks on managing risks associated with third-party relationships and enforcement actions against banks that failed to manage those risks. We noted that, although their joint guidance was a step toward promoting consistency among financial regulators, smaller community banks might find the guidance lacking the clarity and tools necessary to manage third-party risks effectively. Since then, the same agencies have published a guide for community banks in an attempt to address that need. The guide strikes many of the same notes as the prior year’s joint guidance, reinforcing the point that “[e]ngaging a third party does not diminish or remove a bank’s responsibility to operate in a safe and sound manner and to comply with applicable legal and regulatory requirements, including consumer protection laws and regulations, just as if the bank were to perform the service or activity itself.” The guide also includes an appendix of previously published tools to help community banks with various third-party relationships they may have, including those with fintech companies, cloud service providers, and other technology service providers.

Regulators have given no indication that they are losing focus in this area. The past year has been marked by a high number of enforcement actions against financial institutions related to their failures to manage effectively risks associated with their third-party relationships. In November 2023, the FDIC entered into a consent order with First Fed Bank, in connection with the bank’s fintech partner, Quin Ventures. The FDIC determined that the bank engaged in unsafe or unsound banking practices; UDAAP; and violations of the Truth in Lending Act, the Real Estate Settlement Procedures Act, the Electronic Fund Transfers Act, and the section of the FDI Act that prohibits making false or misleading representations about FDIC deposit insurance coverage.

The consent order with First Fed Bank offers only sparse details regarding the alleged UDAAP. The violations concerned “making implied claims that credit products with non-optional debt cancellation features were unemployment insurance, approving consumers who did not qualify for the debt cancellation feature, and misrepresenting the fees and benefits for those products.” The consent order imposed routine remedial obligations on the bank—correcting its violations of law, improving board and senior management oversight, and strengthening its compliance programs. Most notably, the bank must obtain a written non-objection before executing a binding commitment or agreement with a new third party through which it would offer a bank product or offering a new bank product through an existing third party. The non-objection request must include the agreement governing the relationship or the proposed bank product, document and assess the risks associated with the new third party or product, and appropriately detail the procedures, processes, and other actions the bank will take to ensure compliance with consumer protection laws.

The OCC’s January 2024 consent order with Blue Ridge Bank took a similar approach. Determining that Blue Ridge Bank’s Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) compliance program had deficiencies, including systemic internal control breakdowns and insufficient testing, the order requires the bank to strengthen its third-party risk management program. The bank was required to submit a strategic plan to the OCC for review and obtain a written determination of no supervisory objection. The strategic plan must cover at least three years and analyze the bank’s overall risk profile and financial health, use of third-party relationships, and detail the market segments the bank intends to promote or develop. Blue Ridge Bank is prohibited from significantly deviating from the strategic plan without going through the review process again and obtaining a new written determination of no supervisory objection.

In its May 2024 consent order with Thread Bank, the FDIC required the bank to review its Banking-as-a-Service and Lending-as-a-Service programs to confirm the adequacy of the due diligence, transaction monitoring, and Anti-Money Laundering/Countering the Funding of Terrorism (“AML/CFT”) compliance programs, and to establish an exit plan for failed fintech relationships (including third-, fourth-, and fifth-party providers) and submit its revised policies and procedures to the FDIC for review and comment.

The FDIC’s February 1, 2024, consent order with Sutton Bank related to AML/CFT issues with its fintech and prepaid products. The consent order requires the bank to implement a revised plan to prevent money laundering and terrorism financing that meets all regulatory requirements. Sutton Bank also must obtain an independent review of its AML/CFT staffing and ensure this function receives adequate funding and resources. In addition, the bank must revise its policies and procedures for identifying and reporting suspicious activity and managing its third-party risk, including completing an inventory of third-party relationships. The consent order includes specific provisions to address deficiencies in the customer identification program for prepaid card programs and requires a “lookback review” to July 1, 2020. The FDIC did not assess a civil money penalty.

Although these banks negotiated consent orders without paying civil money penalties, business lawyers may wonder whether cutting a big check would have been preferable to having regulators assert so much control over the banks’ operations and future business ventures. In the world of partnering with fintech startups, the ability to be nimble is valuable. One thing seems to be clear: If federal regulators do not think a bank is able or willing to manage its third-party relationships effectively, those regulators show little hesitation in imposing more careful oversight.

III. Regulators Target Fintechs for UDAAP Violations Related to Soliciting Tips in Lieu of Fees

A. CFPB Sues Marketplace Lender That Solicits Tips in Lieu of Assessing Fees

In last year’s survey, we wrote about enforcement actions brought by California, Connecticut, and the District of Columbia against marketplace lender SoLo Funds, Inc. (“SoLo”) for UDAAP and other violations of state law. Alleging similar facts and violations, the CFPB sued SoLo in federal court in California in May 2024. The CFPB stated that SoLo falsely advertised that consumers could obtain loans with “no interest,” “0% APR,” or “0% interest” while simultaneously inviting other consumers to serve as individual lenders to fund loan requests and earn a profit from purported “tips” paid by borrowers. Only 0.5 percent of loans funded on the platform did not pay a lender tip. SoLo also prompted borrowers to make a “donation” that went to SoLo and obscured the method by which borrowers could avoid paying the donation. Between March 2018 and December 2022, SoLo facilitated 543,021 loans, collecting $12,945,777 in lender tip fees and $6,860,642 in donations to SoLo, along with $2,467,211 in other borrower-paid fees. CFPB charged SoLo with engaging in unfair, deceptive, and abusive practices, and with violating the Fair Credit Reporting Act.

B. CFPB Fines Chime for Unfair Practices Related to Delayed Payment of Balances on Closed Accounts

On May 7, 2024, the CFPB entered into a Consent Order and Stipulation of Facts with Chime Financial, Inc. (“Chime”). Chime is a fintech company that “designed and services [consumer banking] accounts . . . for . . . two FDIC-insured . . . ‘partner banks.’” Chime had publicized a policy of automatically returning customers’ balances over $1 by check within fourteen days of the closing. The CFPB found that Chime had failed to follow this policy in “thousands of instances,” and, in many cases, Chime failed to deliver refunds within ninety days.

The CFPB found Chime’s conduct “unfair” and ordered Chime to pay a civil penalty of $3.25 million, to make redress of at least $1.3 million to consumers, and to come into compliance with applicable laws. Chime’s experience should remind all business lawyers that failure to follow your own terms and conditions can be deemed an unfair and deceptive practice.

C. California DFPI Enters into Consent Order with Chime Related to Complaint Handling

The California Department of Financial Protection and Innovation (“DFPI”) entered into a consent order with Chime related to deficiencies in its handling of certain consumer complaints. The consent order is sparse on detail as to the nature of the offending behavior, but does state that “Chime’s complaint handling violated the [California Consumer Financial Protection Law] with regard to, among other things, occasional mistakes that occurred in Chime’s responsiveness to those complaints.” The order also acknowledged that, “[w]hile the number of mistakes during the Investigation Period was relatively small in comparison to the overall number of consumer complaints received, the mistakes were important to the affected consumers.” DFPI assessed a civil money penalty of $2.5 million.

D. FTC Order Concludes Intuit Inc. Engaged in Deceptive Practices by Advertising Free Tax Returns and Then Steering Consumers to Paid Products

The Federal Trade Commission (“FTC”) issued an Opinion and Final Order determining that Intuit Inc., the maker of the popular TurboTax tax filing software, engaged in deceptive advertising in violation of the FTC Act and deceived consumers when it ran ads for “free” tax products and services for which many consumers were ineligible. Intuit advertised that consumers with “simple tax returns” could file a return for free, but upon entering data for their return, many consumers were told they would need to upgrade to a paid version of the product. The opinion reviews a number of TurboTax advertisements and identifies in detail the statements that the FTC found to be deceptive and describes the modifications necessary to bring the advertisement into compliance with the law. Business lawyers who review marketing materials would be wise to review the opinion and share portions of it with their clients.

E. FTC Fines Cash Advance App Brigit $18 Million Over Its Use of “Dark Patterns” and Negative Options

In November 2023, the FTC announced a settlement with cash advance app Brigit related to deceptive claims the company made about its services and for violations of the restrictions on negative options under the Restore Online Shoppers’ Confidence Act (“ROSCA”), including related rules promulgated thereunder. Under the settlement, Brigit will pay $18 million, which will be used to make refunds to consumers.

The FTC charged Brigit with multiple violations related to false and deceptive statements made about the Brigit service. Specifically, Brigit marketed its app as allowing users to obtain cash advances of up to $250 whenever needed. The FTC cited Brigit’s claims it would deliver such cash advances to members “instantly,” “quickly,” “ASAP,” “within seconds,” “when you need it,” and “in case of emergency.” Brigit told consumers they could expect “[f]ree instant transfers” and promised “no hidden fees … or fine print,” and “[n]o … processing fees.”

The FTC also asserted Brigit made it too difficult for users to cancel monthly subscriptions, employing “dark patterns” and negative options to prevent users from discontinuing the service and avoiding the monthly fee. Brigit does not offer customer support by telephone, and users who asked about cancellation via email or chat were told to log into the app to manage their subscriptions. The app, however, did not provide a clear way to cancel. Instead, customers “were directed to leave the mobile app to visit Brigit’s website, where they had to log in again and start the process anew.” In addition, consumers had to answer a survey before they could cancel their paid plan. The complaint included quotations from internal emails in which employees stated it was part of the company’s business plan to make cancellation “frictionful.” The complaint detailed the statements and practices that the FTC deemed illegal, looking at television ads, YouTube videos, Facebook, Instagram, the Brigit website, app store, and app enrollment process. It would be well worth the time for in-house compliance officers and marketing staff to review the complaint and see what the FTC found objectionable.

F. FTC Sues Bill Pay Service Doxo Over “Dark Patterns” Used to Trick Consumers

The FTC previously expressed its concern over the use of “dark patterns” to manipulate consumers into buying products or services they do not really want. In April 2024, the FTC acted on its concerns by suing Doxo, Inc. and its founders, alleging the company used “dark patterns” and other forms of deception to trick consumers into using its bill pay platform. The FTC describes “dark patterns” as “design tricks that manipulate consumers into taking unwanted actions.” Doxo allegedly employed “dark patterns” to “dup[e] consumers into using its service by disguising itself as their billers’ official payment channel.” Doxo accomplished this by “plac[ing] ads to intercept consumers attempting to reach their billers directly and styl[ing] the headlines of ads and other weblinks—often featuring only the biller’s name, not Doxo’s—so that they appear to be the biller’s own page.” Consumers that paid their bills via Doxo unwittingly paid “junk fees” to Doxo that would have been avoided if they paid their bills directly. The FTC noted that Doxo received a large volume of complaints from both consumers and billers, but did not modify its practices.

The FTC also alleged violations of the ROSCA rules on negative options. The complaint details practices the FTC asserts are unlawful, including images from offending ads and websites, and is an instructive read for those wishing to learn more about dark patterns.

IV. CFPB Issues Guidance on Remittance Payments

The CFPB issued guidance on international remittance transfers on March 27, 2024 (“Circular 2024-02”), warning providers that falsely advertising the cost or speed of sending remittances violates the Consumer Financial Protection Act’s prohibitions on “deceptive acts or practices.” This guidance applies to traditional providers of international money transfers as well as “digital wallets” that are able to effect international money transfers. CFPB warns providers not to engage in the following practices:

  • (1) Falsely marketing “no fee” or “free” services when the provider in fact charges fees for its services, including charges for converting funds to a different currency or imposing exchange-rate spreads on consumers;
  • (2) Burying promotional conditions in fine print and failing to make clear that a promotional offer is limited in duration or temporary in scope—even if the conditions are disclosed later in the transaction; and
  • (3) Deceptively advertising how long remittance transfers will take when the transfers take much longer because remittance-transfer recipients often rely on transfers for day-to-day living expenses or time-sensitive emergencies.

In connection with the first, the CFPB cited the FTC’s guidance on use of the word “free.” The CFPB also mentioned the FTC’s pathbreaking 1953 action against Book-of-the-Month Club and the “extreme care” that should be exercised to avoid deceiving consumers about possibly getting something for nothing. Circular 2024-02 also discussed CFPB’s prior enforcement action against Chime, because the respondent advertised transfers to Nigeria as being offered “with no fees” when fees were charged.

V. CFPB Confirms Buy Now, Pay Later Providers Are Credit Card Providers

Through an interpretive rule issued in May 2024, the CFPB “confirm[ed] that Buy Now, Pay Later (‘BNPL’) lenders are credit card providers.” The new rule provides consumers with certain rights that apply to traditional credit cards, including the right to dispute charges and demand refunds from BNPL providers after returning products.

BNPL products are closed-end loans, typically payable in four or fewer installments without a finance charge. To access BNPL, a consumer creates a digital user account with a BNPL provider either through a merchant’s checkout process or through the BNPL provider’s application or website. The CFPB maintains these digital user accounts mimic conventional credit cards and, under the broad definition of “credit card” under Regulation Z, the digital account is a “credit card” and BNPL providers are “card issuers” and “creditors.”

This rule, however, does not apply all provisions of Regulation Z to BNPL providers. Because the loans are not open-end credit, provisions such as the penalty fee limits and the ability-to-repay requirements do not apply to BNPL loans. The interpretive rule is applicable as of July 30, 2024. Having issued an interpretive rule, the CFPB avoided the notice-and-comment rulemaking process applicable to substantive rules under the Administrative Procedure Act, which will likely draw a legal challenge from industry.

VI. FDIC Modernizes Rules on Deposit Insurance Coverage Statements

In December 2023, the FDIC finalized a rule to amend Part 328 of its regulations—which already broadly prohibits misusing the FDIC’s name or logo, false advertising, and knowingly making misrepresentations regarding deposit insurance—to reflect how depositors currently do business with insured depository institutions (“IDIs”), increasingly through fintech intermediaries.

The FDIC modernized some rules applicable to IDIs related to signage and customer disclosures and provides clearer guidance to IDIs and non-bank entities on the enforcement of existing bans on misrepresentations by detailing specific instances where information might be misleading. It redefines “non-deposit product” to encompass crypto-assets and requires IDIs to create and uphold written policies that ensure adherence to the new regulations. The rule extends beyond mere “advertising” to include any “statement” that could be interpreted as misleading concerning FDIC insurance.

Perhaps most relevant to fintechs, the final rule provides a non-exhaustive list of what constitutes a material omission for non-banks, including (1) failing to disclose that it is not an FDIC-insured institution and that FDIC coverage only protects against the failure of the IDI; (2) failing to disclose that non-deposit products are not insured by the FDIC when both deposit and non-deposit products are offered on a website; and (3) failing to disclose that certain conditions must be satisfied when making statements regarding pass-through insurance.

Mature fintechs are facing the challenge of updating their large catalog of existing statements to comply with this rule, and fintechs of all ages and sizes may be frustrated adapting to the new requirements, longing for the now bygone practice of having concise assurances that customer funds are protected by FDIC insurance. The final rule went into effect April 1, 2024, with a compliance deadline set for January 1, 2025.

VII. N.Y. Attorney General Enforces State’s Exempt Income Protection Act

The N.Y. Attorney General secured an Assurance of Discontinuance (“Assurance”) from Pathward, N.A., a South-Dakota–based national bank. The April 17, 2024, Assurance stems from Pathward’s violations of New York’s 2009 Exempt Income Protection Act (“EIPA”) by unlawfully freezing consumer accounts and transferring funds to debt collectors. Pathward also violated section 63(12) of the N.Y. Executive Code, as well as sections 5222 and 5232 of the N.Y. Civil Practice Code. Pathward agreed to pay $706,664.67, comprised of a penalty of $627,000 and restitution of $79,664.67.

The EIPA prohibits debt collectors from using legal process to obtain funds that qualify as government benefits, which are protected by the New York Code. The EIPA protects balances such as social security benefits, veterans’ benefits, and disability insurance, up to an amount that New York State’s Department of Financial Services resets every three years, and the account holder’s protected wages, which vary based on where the account holder works in the state. When bank balances contain “statutorily exempt payments,” legal process “is deemed void by operation of law and banks must not restrain accounts at all.” These provisions may not be waived by agreement with account holders.

Pathward’s card-holder and demand-deposit-account agreements contained waivers of this EIPA protection. The Assurance maintains that the waiver provision is deceptive in that Pathward attempts to waive liability that may not be waived under the New York Code. Pathward and its servicers deceptively informed consumers that they had “court orders,” instead of claims generated by debt collectors. Pathward agreed to various forms of relief, including changes to business practices in responding to legal process, restitution, and ongoing monitoring and compliance. This action appears to be the first enforcement of the EIPA.

VIII. Earned Wage Access

In last year’s survey we wrote about how Missouri and Nevada enacted the first state statutes and Arizona and Maryland promulgated guidance dealing with Earned Wage Access (“EWA”) products. This year, several more states have adopted rules governing EWA. In addition, on February 20, 2024, a federal bill was introduced in Congress.

A. Kansas, South Carolina, and Wisconsin Adopt EWA Statutes

In 2024, Kansas, South Carolina, and Wisconsin adopted EWA statutes. Like the measures enacted in Missouri and Nevada last year, these laws create a licensing scheme for EWA providers and establish minimal regulatory frameworks for these services. In South Carolina, EWA providers must register and post a surety bond, make certain disclosures to consumers, and are prohibited from engaging in certain debt collection activities. In return for registration and compliance, the EWA provider will not be deemed a “lender” and the EWA service will not be treated as a “loan.” Interestingly, the latter provision exempting EWA providers from lending regulations was not included in the Wisconsin enactment, leaving open the possibility that EWA services in that state could be subject to both EWA and lending rules.

B. Connecticut and Montana Officials Issue Guidance on EWA

The Connecticut Department of Banking issued guidance on EWA products following legislative amendments to the state’s consumer lending statutes. Those amendments modified the definition of “small loan” to mean “any loan or extension of credit, or the purchase of, or an advance of money on, a borrower’s future potential source of money, including, but not limited to, future pay, salary, pension income or a tax refund, if . . . the amount . . . is fifty thousand dollars or less . . . and the APR is greater than twelve per cent.” Consequently, the Department concluded that “advances of money on future wages or salary that have been earned but not yet paid, commonly referred to as ‘earned wage access’ products, are generally covered by the Small Loan Lending and Related Activities Act.” In contrast, the Montana Attorney General issued an opinion stating that an EWA product that limits advances to amounts already earned by the consumer, charges no fees or interest, and is fully non-recourse to the consumer is not a “consumer loan” or “deferred deposit loan” under state law.

IX. Conclusion

Our annual survey has a consistent theme from year to year: The use of technology in the provision of financial services is subject to the same laws and regulations that govern old-fashioned banking products. Financial institutions are responsible for oversight and control of their fintech partners. Unfair and deceptive practices, even when implemented with cutting-edge technological prowess, are still unfair and deceptive practices. New products born out of technological innovation, such as BNPL and EWA, will be subject to developing regulatory frameworks. And, while the fortunes of fintech companies may soar like falcons, it is important that they stay tethered to their banking partners on solid ground.
