chevron-down Created with Sketch Beta.

The Business Lawyer

Spring 2024 | Volume 79, Issue 2

FinTech Regulation: True Lender Legislation, DIDMCA Opt-Out, and Enhanced Federal Scrutiny

Robert Weston Savoie and Rachael Aspery

FinTech Regulation: True Lender Legislation, DIDMCA Opt-Out, and Enhanced Federal Scrutiny

Jump to:


The financial technology (“FinTech”) industry has continued to see increased scrutiny through federal agency focus, state legislation, and litigation.

State legislation codifying so called “true lender” tests into state law continues to spread into new jurisdictions.

There is also particular emphasis by the federal banking agencies on ensuring depository institution compliance with existing regulatory compliance obligations.

Finally, the Federal Deposit Insurance Corporation (“FDIC”) entered into a consent order with Cross River Bank, which is illustrative that the FDIC will review and regulate banks engaged in FinTech programs.


The financial technology (“FinTech”) industry has continued to see increased scrutiny through federal agency focus, state legislation, and litigation. As detailed in last year’s Annual Survey, this scrutiny reflects the maturing nature of the FinTech industry. Colorado passed landmark legislation seeking to opt out of the federal law granting interest rate exportation authority to state-chartered depository institutions, creating a challenge to state-bank lending through an opt-out mechanism that has not been utilized in decades. State legislation codifying so called “true lender” tests into state law continues to spread into new jurisdictions, with two new jurisdictions adopting such tests in the past year. Additionally, high-profile true lender litigation in California has the potential to create case law that will impact FinTech-bank programs operating with respect to California residents.

There is also particular emphasis by the federal banking agencies on ensuring depository institution compliance with existing regulatory compliance obligations. Finally, the Federal Deposit Insurance Corporation (“FDIC”) entered into a consent order with Cross River Bank, which is illustrative that the FDIC will review and regulate banks engaged in FinTech programs just like banks that do not conduct such programs, along with an awareness of the need to focus on individual credit products offered by the originating banks.

Colorado Opts Out of DIDMCA

In June 2023, Colorado adopted legislation opting Colorado out of sections 521 through 523 of the Depository Institutions Deregulation and Monetary Control Act of 1980 (“DIDMCA”), a forty-four-year-old federal law that empowers state banks, insured state and federal savings associations, and state credit unions to charge the interest allowed by the state where they are located, regardless of where the borrower is located and regardless of conflicting state law, or “export” their home state interest rate. When the law was enacted in 1980s, only Iowa and Puerto Rico opted out of DIDMCA and have maintained their opt-out declining to permit interest rate exportation. Since Colorado has opted out of DIDMCA, the result is that out-of-state banks and credit unions are required to follow Colorado’s interest rate and fee restrictions on consumer loans to Colorado residents if the loans are deemed to be made in Colorado. The opt-out goes into effect on July 1, 2024, and applies to consumer credit transactions made or renewed on or after that date.

There is some question about whether the legislation would actually have that impact on out-of-state banks because the opt-out would only apply to loans made in Colorado. Federal interpretations of DIDMCA sections 521 through 523 establish that where a loan is made is based on the parties’ contractual choice-of-law and the location where certain non-ministerial lending functions are performed, such as where the credit decision is made, where the decision to grant credit is communicated from, and from where the funds are disbursed. Under these federal interpretations, out-of-state banks can establish controls to assure that interstate loans are made in the state where the bank is located rather than in the borrower’s state. However, because an effective opt-out establishes that DIDMCA sections 521 through 523 do not apply to “loans made in” the opt-out state, the question would arise whether these federal law interpretations apply for purposes of determining whether a loan was made in an opt-out state, like Colorado. If federal interpretations do not apply, Colorado courts could determine that, even though interstate loans would be deemed made in the state where the bank is located under the federal interpretations, such loans were made in the opt-out state and, therefore, Colorado’s usury laws apply. Prior to the opt-out, Colorado had filed litigation challenging loan charges assessed by out-of-state depository institutions, particularly in the context of a bank partnership program.

State Legislatures Continue to Adopt True Lender Legislation

State legislatures in Connecticut and Minnesota enacted state consumer credit laws that are designed to regulate FinTech companies that operate through partnerships with traditional depository institutions. These laws are modeled on the consumer credit laws enacted in Illinois, Maine, and New Mexico. As discussed in the previous Annual Survey, these laws are generally structured to exempt depository institutions themselves, but regulate non-bank entities with whom they partner by treating the non-banks as if they are the lenders in credit transactions. This leads to the moniker “true lender” in describing the legislation. FinTech businesses often operate through partnerships with traditional depository institutions, which makes this legislation, focusing on such partnerships and limiting the interest rates of consumer credit products facilitated through them, particularly impactful for FinTech companies.

Connecticut True Lender Legislation

The Connecticut legislature enacted true lender legislation applicable to loans subject to the Connecticut Small Loan Act (“SLA”), codified a predominant economic interest test in the SLA, and expanded the license requirement to capture brokering and facilitating activities of small loans. The Connecticut legislation, effective October 1, 2023, treats non-lenders as if they are the lender if they hold, acquire, or maintain, directly or indirectly, the predominant economic interest in the loans, conduct pre-origination activity, and hold a right or requirement of first refusal to purchase the loan or a receivable to the loan, or if the totality of the circumstances indicate that they are the true lender.

Connecticut also raised the small loan limit from $15,000 to $50,000, thereby increasing the loan amount subject to licensure under the SLA, limited the annual percentage rate (“APR”) on loans of $5,000 to $50,000 to 25 percent, and redefined APR as an all-in APR calculated similar to the federal Military Lending Act (“MLA”), but in a manner that includes any fee or charge not separately excluded under Connecticut law (“CT-MAPR”). If a small loan is less than $5,000, the maximum interest rate cannot exceed the lesser of 36 percent CT-MAPR, or the maximum permitted by the MLA. For loans over $50,000, the SLA would not apply, and the civil usury limit would remain a maximum APR of 12 percent.

Minnesota True Lender Legislation

The Minnesota legislature adopted similar requirements, effective January 1, 2024, for small dollar “consumer small loans” and “consumer short-term loans,” as defined, in conjunction with capping the APR on these loans at a 50 percent all-in APR. The all-in APR includes all interest, finance charges, and fees, and must be determined in accordance with either the actuarial method or the United States Rule method. If the all-in APR exceeds 36 percent on a consumer small loan or consumer short-term loan, a lender is required to engage in an ability-to-pay analysis that must be based on the calculation of the borrower’s debt-to-income ratio for the loan period, supported by documents evidencing the borrower’s net income, major financial obligations, and basic living expenses.

Federal Banking Agencies Issue Guidance on Risks Associated with Third-Party Relationships

In acknowledging the growing number of third-party relationships in the financial space and to ensure consistency in guidance, the FDIC, the Board of the Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency issued a joint guidance (“Interagency Guidance”) in June 2023 designed to help banking organizations manage risks associated with third-party relationships, including relationships with FinTechs. While recognizing that such relationships provide great benefits to financial institutions and to consumers, the agencies emphasized that the risks associated with third-party relationships must be managed by sound risk management practice of the bank at all stages in the life cycle of the relationship.

The agencies acknowledged that not all relationships present the same level of risk and require the same oversight, and that third-party relationships must be right-sized for the institution. As a result, the bank may need to prescribe certain compliance or operational requirements on the FinTech or other third party to mitigate the bank’s risk of noncompliance with applicable laws. The Interagency Guidance reaffirms that the use of third-party relationships does not absolve a banking organization of its obligation to operate in a safe and sound manner and comply with all applicable laws and regulations.

The Interagency Guidance did not directly address true lender issues or bank partnership programs, continuing a pattern of not addressing state true lender arguments. Nevertheless, the Interagency Guidance suggests that the agencies are not opposed to bank partner programs in principle. FinTechs and other businesses engaged in third-party relationships with financial institutions should be aware of the agencies’ emphasis on risk management programs, the role that third parties play, and the compliance obligations that banks have as they pursue bank partnership programs.

Cross River Bank FDIC Order

The FDIC and Cross River Bank entered into a consent order relating to allegations by the FDIC that the bank was engaged in unsafe or unsound practices relating to applicable fair lending laws and regulations. The FDIC also alleged that the bank failed to establish and maintain internal controls, information systems, and prudent credit underwriting practices, which it neither admitted nor denied.

Among its provisions, the consent order placed limitations on the ability of the bank to establish new products. The bank was required to prepare and submit a list of all credit products and an explanation of the third parties involved, i.e., the FinTech companies partnering with the bank. For any new product or partnership with a new FinTech, the consent order required that the FDIC approve, or provide “non-objection,” for any products or third-party FinTech relationships not included on the aforementioned list. The consent order also included specific requirements regarding third-party risk assessments and product assessments.

In order to ensure the bank’s compliance with fair lending laws, the consent order required that the bank’s board of directors increase its supervision and direction of management, along with its oversight and monitoring of their internal controls, information systems, credit underwriting, and internal auditing. Additionally, the board was also required to assume greater responsibility over establishing prudent credit underwriting practices, monitoring of fair lending compliance, identifying, correcting, and preventing fair lending violations to the extent possible, and enhancing the bank’s internal audit system as it relates to fair lending laws and regulations.

Furthermore, the board was required to ensure that specific corrective actions take place. These corrective actions included eliminating, correcting, and preventing the unsafe and unsound banking practices identified (although not enumerated within the consent order); establishing policies and procedures to address such practices; appropriately addressing the deficiencies and weaknesses identified in the FDIC’s 2021 examination; and fully complying with the requirements of the consent order. Finally, the consent order required multiple reviews, some through independent third parties, of information systems, fair lending compliance risk management, and fair lending resources, along with enhanced monitoring and training.

California True Lender Declaratory Judgment Action & Ensuing Litigation

As detailed in a previous Annual Survey, FinTech lending programs often encounter challenges regarding who should be viewed as the true lender in a particular program. One FinTech company, Opportunity Financial, LLC (“OppFi”), sought to resolve this question through litigation to affirmatively establish that its bank partner, FinWise Bank, was the true lender, through a complaint for declaratory and injunctive relief against the California Department of Financial Protection and Innovation (“DFPI”). In its complaint, OppFi sought to prevent the DFPI from applying California rate limitations applicable to non-depository lenders, but not to loans by depository institutions, to the loans made by OppFi’s bank partner. In seeking to avoid the DFPI’s characterization of OppFi as the true lender subject to the rate limitations applicable to non-depository lenders, OppFi’s claim relied upon California laws that limit interest rates applicable to non-depository lenders and federal interest rate preemption. In response, the DFPI filed a cross-complaint alleging violations of the California Financing Law, which governs non-depository lenders, and the California Consumer Financial Protection Law. The DFPI alleged that OppFi was engaged in predatory lending through a “rent-a-bank” partnership structured to avoid state interest rate limitations. Accordingly, the DFPI alleged that OppFi should be viewed as the true lender, and that the licensing and interest rate limitations of the California Financing Law should apply to the loans at issue.

In September 2022, the court concluded that it could not rule, as a matter of law, that FinWise was the lender of the loans at issue and preclude California scrutiny of the loans. In response, the DFPI filed a request for a preliminary injunction against OppFi, asking the court to order OppFi to cease facilitating new loans to California borrowers at rates that would exceed California’s usury limits. In its opposition to the DFPI’s motion, OppFi provided a detailed overview of its arguments, focusing on the status of FinWise Bank as the lender, exempt from the California Financing Law by California law and entitled to reply on federal interest rate exportation authority. As of this writing, the court has not ruled on the DFPI’s request for a preliminary injunction. However, the ruling is likely to have a significant impact on FinTech-bank partnerships in the future if it concludes that a FinTech would be (or could be) viewed as the true lender under California law, including the potential applicability of state licensing regimes and interest rate authority.