B. Arizona and Maryland Officials Issued Guidance on EWA
The Attorney General of Arizona issued an opinion letter on December 16, 2022, which concluded that an EWA product that is non-recourse is not a loan and does not trigger the state’s Consumer Lenders Act. An EWA product is non-recourse if the provider does not engage in debt collection activities with regard to any unpaid balance, does not sell such balance to a third party, and does not report nonpayment to a consumer reporting agency. In Arizona, EWA programs generally would not involve lending.
Officials in Maryland, however, generally reached the opposite conclusion. The Commissioner of Financial Regulation issued guidance concluding that an EWA product provided directly by an employer to its employee does not trigger the Maryland Commercial Loan Act because the Act does not cover a loan between an employer and employee. To determine whether an EWA payment is provided directly by the employer or by a third-party service provider, the guidance asks three questions: (1) Who bears the risk?; (2) What level of contact does the third party have with the consumer?; and (3) Who benefits from any fees or tips? Under these criteria, most EWA programs would be deemed lending.
C. California Issued Proposed Regulations for EWA Providers
On March 7, 2023, the California Department of Financial Protection and Innovation (“DFPI”) issued proposed regulations requiring registration of certain types of service providers, including providers of “income-based advances.” The proposed regulations would require providers of income-based advances to register with the DFPI, and to file detailed annual reports. An entity registered as a provider of income-based advances under the proposed regulation would not need to register as a lender.
III. FinTech Practice of Soliciting Tips in Lieu of Assessing Fees Is in Regulators’ Crosshairs
In May 2023, regulators in three jurisdictions finalized enforcement actions against a marketplace lender over that entity’s practice of soliciting tips from consumers rather than assessing fees. California, Connecticut, and the District of Columbia each took action against SoLo Funds, Inc. (“SoLo”) for unfair and deceptive practices and other violations under state law. SoLo operated a marketplace lending platform through which individuals could request short-term, small-dollar loans and other participants could agree to fund those loans. SoLo advertised that their platform allowed the potential borrower to request a loan of up to $500 at 0 percent APR, assessed no finance charges, and required the loan be repaid within fifteen days. The potential borrower also had to indicate what percentage of the loan it would pay the lender as a “tip” and what percentage of the loan it would pay to SoLo as a “donation” to support the platform. The DFPI concluded that SoLo was acting as a broker of consumer loans without a license and that the lender “tips” and SoLo “donations” were finance charges that exceeded the permissible interest rates under state law. SoLo entered into a consent order under which it agreed to cease violating California lending laws, refund “donations” it had collected from consumers, and pay a $50,000 civil money penalty.
Connecticut issued a temporary cease and desist order to SoLo on May 4, 2022. The regulator asserted that SoLo was engaged in consumer lending without a license and, since June 2018, had facilitated over 1,600 loans to over 275 borrowers in Connecticut with the most common principal loan amount being $100, the average lender “tip” being $21, and the average “donation” to SoLo being $10. Connecticut claimed SoLo was engaged in unfair, deceptive, and abusive acts in violation of federal law because it provided false and misleading information to consumers. More specifically, the regulator asserted that, because the tips and donations constituted finance charges, the APR could be as high as 4,280 percent and not the 0 percent advertised by SoLo. In May 2023, SoLo entered into a consent order in which it agreed to cease activities in the state until it obtained an appropriate license and became compliant with state law. The company agreed to refund all tips, donations, and other fees paid by Connecticut consumers to SoLo or to third-party lenders through the marketplace and pay a civil money penalty of $100,000. In addition, the Connecticut legislature modified state law to make it clear that finance charges used to calculate APR include amounts voluntarily paid by the consumer.
SoLo resolved similar allegations of wrongdoing in the District of Columbia by entering into a third consent order related to its practice of soliciting “tips,” rather than assessing fees. SoLo agreed to pay $30,000 in restitution to consumers and fines to the District. SoLo also agreed to modify the mobile app not to supply a default tip amount and to block lenders from being able to see the amount of an offered tip prior to committing to fund a loan, thus ensuring that a consumer’s decision not to offer a tip or donation would have no impact on loan approval.
The plaintiff ’s bar actively monitors solicitations by FinTech companies of voluntary payments from consumers and has filed several class action lawsuits alleging that the acceptance of tips in lieu of fees is an unfair practice under state law. These class action lawsuits may explain why the EWA legislation discussed above includes provisions that specifically allow providers to solicit and accept tips.
IV. CFPB Continued Its Focus on AI
In our survey two years ago, we covered a blog post in which the Federal Trade Commission (“FTC”) warned that the use of AI may produce troubling outcomes including unlawful discrimination and reminded the industry that, even though the technology may be new, consumer protection laws still apply. In 2023, the CFPB reiterated these concerns and its commitment to protect individuals’ rights in a joint statement on discrimination and bias in “automated systems,” which was jointly issued with the FTC, the Department of Justice, and the Equal Employment Opportunity Commission. Those agencies emphasized that unlawful discrimination may result from datasets that are unrepresentative or incorporate historical bias, but also that the automated systems may “correlate data with protected classes, which can lead to discriminatory outcomes.” The agencies also expressed concern that many automated systems are “black boxes”—a term that refers to the inherent opacity in certain machine learning models, particularly deep neural networks, that make it challenging, if not impossible, to determine how the systems arrive at their decisions—which makes it difficult to determine if the systems are fair. And finally, the agencies suggested that discrimination may arise from system developers not always understanding or accounting for the context in which their systems may be used.
The CFPB also published an Issue Spotlight to draw attention to the risks associated with the increased reliance on chatbots by financial institutions. The CFPB distinguished between rule-based chatbots, which follow a specific flowchart-like structure to generate predetermined responses, and more sophisticated AI language model chatbots that leverage machine learning and natural language processing to dynamically generate responses. Regardless of the type of chatbot, though, the CFPB noted that there are risks associated with the deployment of—and especially the over-reliance on—chatbots. The CFPB warned that companies that rely on poorly designed chatbots risk eroding customer trust, causing consumer harm, and violating the law. While the CFPB did not explicitly offer recommendations to the industry, business lawyers may note that the CFPB seems particularly concerned with systems that deprive convenient access to live, human agents, who the agency appears to believe are better at resolving complex problems and providing accurate information and meaningful customer assistance. In addition to providing easy-to-access “off-ramps” to access human agents, financial institutions would be well advised to design and test their chatbots with regulatory hot button issues in mind, including ensuring that the chatbot accurately identifies when a customer is attempting to trigger the financial institution’s legal obligations (e.g., dispute resolution obligations under Regulation E or Regulation Z).
As a crack-down on a faulty algorithm, the CFPB entered into a consent order with Hello Digit, LLC (“Digit”) to settle claims that Digit engaged in deceptive acts and practices in connection with its automated savings tool. Digit offers an application that uses a proprietary algorithm that analyzes its customers’ checking accounts and automatically transfers what it represented as the “perfect amount” to save. Digit then would automatically transfer that amount from the customer’s checking account to an interest-bearing “for the benefit of ” account at a third-party partner bank. Digit represented to consumers that, in the unlikely event that the transfer resulted in an overdraft fee, Digit would reimburse the customer and that it did not retain any of the interest earned from the money held on deposit at its partner banks. In reality, though, Digit’s algorithm could not identify the “perfect amount” to transfer and it did retain a portion of the interest earned on the deposits at its partner banks.
Digit estimated that “approximately 1–2% of Digit users experience[d] overdrafts as a result of using the service.” The CFPB alleged that Digit’s practice of reimbursing overdraft fees was not as robust as it promised. Of the more than 70,000 requests it received to reimburse overdraft fees, Digit declined more than 7,200 such requests. Reasons that Digit declined to reimburse affected customers included an internal policy to only provide two reimbursements per customer and an eligibility requirement that customers continue to have their checking account connected to the service. The CFPB also alleged that, despite Digit’s representations to the contrary, it “retained significant net interest income from consumer funds.”
As part of the order, Digit agreed to cease making misrepresentations about its automated savings tool, the conditions under which it will reimburse overdraft fees, and whether it will retain or benefit from interest accrued from customer deposits. Digit also agreed to provide customer redress of no less than $68,145 and notably a civil money penalty of $2.7 million. Business lawyers are reminded that their clients should be wary of promising that their automated decision-making products are capable of “perfection.”
V. Fake Accounts Generated Real Fines for Banks that Caused Harms to Consumers
Since 2020, enforcement actions by federal regulators point to continuing problems that major banks have had opening accounts for consumers. In 2020, Wells Fargo agreed to pay a $3 billion fine for opening accounts that its customers did not request. Federal regulators settled actions against U.S. Bank in 2022 and against Bank of America in 2023 regarding similar account-management issues—sending serious warnings of what-not-to-do in managing consumers’ banking or credit card accounts, key among them not misappropriating credit reports or other customers’ data to open fictitious accounts or accounts without consumers’ permission.
VI. MoneyGram: Which State May Escheat Unclaimed Prepaid Funds?
Disputes over abandoned property arise infrequently but when they do, they are significant. In 2023, the Supreme Court decided Delaware v. Pennsylvania, which involved prepaid financial products. MoneyGram had been applying the longstanding, common-law practices articulated in Texas v. New Jersey, directing escheat of abandoned property to the State of the creditor’s last known address, or, if the provider did not retain records of the creditor’s address, to the State in which the company holding the funds was incorporated. In Delaware v. Pennsylvania, the Court determined that the prepaid instruments were sufficiently similar to “money orders” to be governed by the Disposition of Abandoned Money Orders and Traveler’s Checks Act, permitting escheat to the State “in which [the] instrument was purchased.”
VII. Regulators Signaled Increased Scrutiny of Banks’ Third-Party Relationships
The Federal Reserve, the Federal Deposit Insurance Corporation (“FDIC”), and the Office of the Comptroller of the Currency jointly issued guidance on managing risks associated with third-party relationships, rescinding and replacing prior guidance that each agency had issued separately. The guidance identified five stages in the life cycle of a third-party relationship and discussed factors that are relevant to each stage that a banking organization may consider, depending on the third-party relationship’s degree of risk and complexity. The joint guidance is a step toward promoting consistency among financial regulators on an important topic, but some banking organizations—particularly smaller community banks—may find the guidance lacks “the necessary clarity or supplemental tools to facilitate” effective third-party risk management.
The Federal Reserve also noted, in its Supervision and Regulation Report issued in May 2023, that it was closely monitoring supervised institutions that engaged in “complex third-party relationships with fintech companies to deliver banking products.” The Federal Reserve flagged third-party risk management as a supervisory priority for large financial institutions, and it flagged operational risk as a supervisory priority for community banking organizations and regional banking organizations.
Cross River Bank, a New Jersey state-chartered bank that is a Bank-as-a-Service (“BaaS”) provider to various FinTech companies, entered into a consent order with the FDIC resolving claims that the bank engaged in unsafe or unsound practices related to fair lending compliance. At the heart of the consent order were concerns regarding lax third-party oversight that were apparently flagged by the FDIC in a 2021 Report of Examination.
Without specifying the details that gave rise to the enforcement action, the consent order requires the bank to develop internal controls and policies and procedures designed to ensure fair lending compliance of its third-party partners. The bank also must submit for review, and receive written non-objection from the FDIC, before offering a new credit product or onboarding a new third-party partner through which it would offer a credit product. The bank is required as well to engage independent third parties acceptable to the FDIC to assess whether the bank’s information systems are sufficient for it to perform its oversight obligations and evaluate the fair lending compliance of its third-party partners.
In what may be seen as a signal to other banks that have expanded to the BaaS market, the FDIC’s message is clear and was later summarized in the Interagency Guidance mentioned above: “[T]he use of third parties does not diminish or remove banking organizations’ responsibilities to ensure that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations . . . .”
VIII. Cryptocurrency
A. Trading In or Out of the United States: CFTC Sued Binance and Its Founder
On March 27, 2023, the Commodity Futures Trading Commission (“CFTC”) sued Binance, founder Changpeng Zhao, and three related entities operating Binance’s platform for violations of the Commodity Exchange Act and CFTC regulations for running a crypto derivatives exchange for U.S. customers without being registered with the CFTC since July 2019, as well as other violations. Among other charges, the complaint asserted that Binance helped U.S. customers, including New York and Chicago-based high-frequency trading firms, evade Binance’s own compliance controls since at least October 2020. Binance allegedly profited from trading activity by U.S. customers. The CFTC charged Binance’s former chief compliance officer, Samuel Lim, with aiding and abetting the violations. In its complaint and the accompanying press release, the CFTC detailed Binance’s willful failure to register and its actions to evade U.S. commodities rules. CFTC Chair Rostin Behnam stated that “there is no location, or claimed lack of location, that will prevent the CFTC from protecting American investors.” Binance moved for dismissal. Binance argued that the CFTC focused on alleged efforts to regulate “foreign individuals and corporations that reside and operate outside the United States.” Challenges to jurisdiction in actions based on U.S. securities law are not new, whether in private actions or agency enforcement actions. The jurisdiction issue now emerges in private commodities and CFTC enforcement actions, such as that against Binance.
B. Crypto Deposits’ Ownership Depends on Providers’ Terms of Use
Many persons who deposited crypto assets with Celsius Network LLC (“Celsius”) found that what they assumed was their property was the property of Celsius and its bankruptcy estate, available to Celsius’ creditors. Chief Judge Martin Glenn’s opinion explained how Celsius became the owner of the crypto assets in “Earn accounts” through contractual “terms of use.” This result, articulated in one of several high-profile bankruptcy proceedings pending in this survey year, provides lessons for owners of crypto shopping among providers going forward. The decision signals unsecured creditor status for customers of providers of Celsius, as well as of FTX and its affiliates and subsidiaries and of BlockFi Inc. In a stipulated order involving the FTC, Celsius agreed to a permanent ban from handling consumers’ assets based on Celsius’ false promises that their deposits would be safe and always available to customers.
C. Federal Reserve Denied Custodia Bank, Inc. Membership in the Federal Reserve System
In January 2023, the Board of Governors denied the application by Custodia Bank, Inc. (“Custodia”) for membership in the Federal Reserve System, which is governed by section 9 of the Federal Reserve Act. The order detailed the Board’s “fundamental concerns” with Custodia’s application based on four factors—the managerial factor, the financial factor, the corporate-powers factor, and the convenience-and-needs-of-the-community factor. Custodia did not seek federal deposit insurance, which would have allowed it to avoid the Change in Bank Control Act and the Community Reinvestment Act; nor, as a nonbank, would Custodia have been subject to the restrictions and prudential supervision and regulations of the Bank Holding Company Act. The Board’s thorough analysis may assist Custodia, if it chooses to reapply, or any other applicant seeking membership.
IX. Conclusion
This year’s survey reinforces a recurring message from prior years: When a company employs new technology to offer existing products in a new way or to generate entirely new products, the company must comply with existing laws, even if there is not yet a statute or regulation specifically targeted to that new process or new product. Good ol’ fashioned prohibitions on unfair and deceptive acts and practices can easily be adapted to ensnare any company whose conduct is legally deficient. If we may again borrow from T.S. Eliot, this is the way the start-up ends, not with an IPO but with a consent order.
