The financial technology (“FinTech”) industry has faced an increase in regulatory scrutiny at the federal level and a significant increase in proposed and enacted state legislation regulating bank partner programs. The federal prudential regulatory agencies have examined depository institutions involved in FinTech programs and conveyed significant compliance expectations regarding the programs. State legislatures have continued to consider and adopt laws restricting or regulating FinTech-bank programs. For companies offering earned wage access or payroll advance products, a wave of new legislation imposes licensing and substantive compliance obligations while the Consumer Financial Protection Bureau (“CFPB”) has proposed a new interpretive rule that would reclassify those products as credit subject to the federal Truth in Lending Act.
In July 2024, the Federal Deposit Insurance Corporation (“FDIC”), the Board of the Governors of the Federal Reserve System (“FRB”), and the Office of the Comptroller of the Currency (“OCC”) (“Agencies”) issued a joint statement that identifies potential risks associated with bank and FinTech relationships (“Joint Statement”). The Joint Statement was accompanied with a request for information to identify the benefits, risks, and risk management practices associated with such relationships.
The issues identified in the Joint Statement are not new and largely do not vary from the Interagency Guidance published by the Agencies in June 2023, which was designed to help banking organizations manage risks associated with third-party relationships, including relationships with FinTechs, emphasizing that the risks associated with third-party relationships must be managed by the banks’ sound risk management practices at all stages in the life cycle of the relationship. Since the Interagency Guidance was issued, as discussed below, the Agencies have been bringing actions relating to bank and FinTech partnerships where the bank provides banking services for a non-depository or FinTech partner. The Agencies do not expressly address true lender issues or bank partnership programs, but continue to comment that they support responsible innovation, including banks pursuing third-party arrangements in a safe and sound manner compliant with applicable law. Still, the Agencies’ actions against banks signal that third-party risk management is of the utmost importance and that the Agencies will not shy away from identifying insufficient or third-party programs in “troubled” conditions and prescribing corrective action.
During the past year, the FDIC entered into several consent orders with state-chartered depository institutions relating to safety and soundness concerns, compliance with applicable laws, and third-party oversight and risk management. In January 2024, the FDIC entered into a consent order with Lineage Bank that required it to overhaul its third-party risk management program and FinTech programs due to perceived unsafe or unsound banking practices and limited its ability to grow its partnership program. Lineage Bank’s board was ordered to assume full responsibility for the bank’s policies and procedures and supervision of its programs, it was required to enhance its audit functions to assess the effectiveness of its higher risk programs, and it was ordered to take a more detailed view of its third-party risk management of payment processing and deposit products. The FDIC also imposed reporting requirements and oversight expectations for the bank’s board of directors for a broad range of products and services that the bank offered to its partners, and it required the bank to submit a detailed contingency plan to the FDIC addressing how it would handle a sudden termination of a program relationship.
In February 2024, the FDIC and the Ohio Division of Financial Institutions issued a consent order with Sutton Bank that required it to take action to implement a revised anti-money laundering and countering the financing of terrorism (“AML/CFT”) policy commensurate with its risk profile and to ensure compliance with the Bank Secrecy Act (“BSA”). Sutton Bank was required to develop policies and procedures to ensure that the appropriate oversight of third-party relationships is being conducted, including both initial diligence and through ongoing review. The bank was also required to designate at least one BSA officer who would report to its board of directors and identify program managers responsible for carrying out the AML/CTF program. Within sixty days of the order, Sutton Bank was required to plan for a customer identification program (“CIP”), including a lookback at prepaid card customers since July 1, 2020, to ensure that it knows the true identity of its customers.
Shortly after the Sutton Bank consent order, the FDIC entered into a consent order with Piermont Bank based on similar perceived inadequacies in its AML/CTF program, risk profile, third-party relationships, and CIP. The FDIC also alleged violations of Regulation E and Regulation DD, and it identified alleged deficiencies with Sutton Bank’s compliance management system. Among other things, the FDIC required that Sutton Bank review the documents, records, and data pertaining to its third-party relationships and perform a transaction-by-transaction review of prepaid card customers beginning from July 1, 2020, to ensure that all required CIP information was obtained and that Sutton Bank formed a reasonable belief that it knows the true identity of the customer. Staffing, policies, procedures, controls, testing, board oversight and experience, and ongoing monitoring of FinTech programs were also addressed in the consent order.
The OCC entered into a consent order with Blue Ridge Bank in January 2024 after identifying that it was in a “troubled condition” due to its continued failure to establish a reasonably designed BSA/AML program, and noting perceived deficiencies in independent testing, insufficient staffing, and control failures tied to its third-party risk management program. The OCC required Blue Ridge Bank to establish an action plan to remediate all BSA/AML issues identified, and to enhance and improve its third-party risk management program for FinTechs. Consistent with prior regulatory actions, Blue Ridge Bank is prohibited from establishing new FinTech partnerships or expanding upon existing FinTech relationships without the OCC’s permission. Blue Ridge Bank is also required to develop a strategic capital plan that covers a three-year timeframe and maintain its capital at a level no less than required by the consent order and that also exceeds well-capitalized standards.
The FRB and the Arkansas State Bank Department issued a consent order against Evolve Bankcorp and Evolve Bank & Trust (collectively, “Evolve”). The FRB stated that one of Evolve’s partners was engaged in unsafe and unsound banking practices because it failed to have an effective risk management program and framework, and it also filed for bankruptcy. Evolve was required by the FRB to address its ongoing compliance concerns independent of the bankruptcy proceedings pending for the partner. The consent cease-and-desist order required Evolve’s board to draft a plan to strengthen board oversight of the bank’s management and operations, to ensure its compliance with BSA/AML requirements and Office of Foreign Assets Control regulations, and to enhance its third-party risk management program. The order included policy and procedure enhancements, staffing and training requirements, identifying and reporting risk exposure with respect to its FinTech partners, enhancing its credit and inherent risk ratings, and establishing measures to ensure Evolve’s board provides approval of expanding existing FinTech partnerships or onboarding new FinTech partnerships.
State legislatures have continued to propose and enact state consumer credit laws designed to regulate FinTech companies that operate through partnerships with traditional depository institutions. As discussed in prior surveys, these laws are generally structured to exempt depository institutions themselves but regulate non-bank entities with whom they partner by treating the non-banks as if they are the lenders in credit transactions. This has led to the moniker “true lender” being applied to describe the legislation. True lender legislation was proposed in the District of Columbia, Alaska, Florida, Maryland, Missouri, Nevada, and Washington during the period covered by this survey, while only the Washington bill has been enacted as of this writing.
The recent wave of proposed legislation was largely modeled on earlier consumer credit legislation in Illinois, Maine, New Mexico, Connecticut, and Minnesota. As discussed in the prior survey, these laws generally exempt depository institutions themselves, but are structured to regulate non-bank entities with whom they partner by treating the non-banks as if they are the “true lenders” in consumer credit transactions. Hallmarks of true lender legislation are tests to treat the non-lenders as if they are the lender if they directly or indirectly hold, acquire, or maintain the predominant economic interest in the loans, and in some cases when they conduct pre-origination activity and also hold a right or requirement of first refusal to purchase the loan or a receivable to the loan, or if the totality of the circumstances indicate they are the true lender.
Effective June 6, 2024, Washington amended its Consumer Loan Act (“CLA”) to enact true lender language, including the predominant economic interest standard, the prohibition applicable to bank agents and servicers, and a totality of the circumstances test. The amendments to the CLA also extended its licensing requirement to apply to each “loan” made by a licensee, or persons subject to the CLA, to a resident of or a person physically located in Washington. The amendments to the CLA further provide that if a loan exceeds the permitted interest rate of 25 percent per annum, a person is a lender making a loan subject to the CLA, notwithstanding the fact that the person purports to act as an agent, service provider, or in another capacity for another person that is exempt, if, among other things: the person holds, acquires, or maintains, directly or indirectly, the predominant economic interest in the loan; or the totality of the circumstances indicate that the person is the lender, and the transaction is structured to evade the CLA requirements.
States are continuing to propose legislation to opt out of sections 521 through 523 of the Depository Institutions Deregulation and Monetary Control Act of 1980 (“DIDMCA”), which allow states to decline to permit interest rate exportation that the DIDMCA would otherwise allow, albeit with less frequency. For many years, only Iowa and Puerto Rico continued to opt out of DIDMCA. As detailed in the previous Annual Survey, Colorado adopted legislation opting out of sections 521 through 523 of DIDMCA, which applies to consumer credit transactions made or renewed on or after that date.
As a result, Colorado took the position that state-chartered banks and credit unions were required to comply with Colorado’s interest rate limitations and fee restrictions with respect to consumer loans made to Colorado residents or renewed after that date. DIDMCA opt-outs have been proposed in the District of Columbia, Minnesota, and Rhode Island but none of them has been enacted as of this writing.
Several financial trade associations filed a complaint in federal court in Colorado in March 2024 on behalf of their members that sought declaratory judgment and preliminary and permanent injunctive relief against the Colorado Attorney General and the Administrator of the Colorado Uniform Consumer Credit Code, asserting that the legislation violated the trade associations’ constitutional rights by attempting to expand the federally granted opt-out right to loans not actually “made in” Colorado under federal law.
In an interesting turn of events, the FDIC filed an amicus curiae brief in support of Colorado’s position and asserted that loan transactions between parties in different states are made in the state where the borrower enters into the transaction. This position contradicted the FDIC’s longstanding position that loans are made in the state where the bank performs key non-ministerial functions, and claimed to distinguish its prior longstanding position in arguing that the distinction between where a bank is located under section 521 and where a loan is made under section 525 should not be conflated.
The court granted the trade associations’ motion for a preliminary injunction in June 2024. As a result, Colorado was enjoined from enforcing the rate and fee limitations “with respect to any loan made by the [trade associations’] members, to the extent the loan is not ‘made in’ Colorado and the applicable interest rate in Section 1831d(a) exceeds the rate that would otherwise be permitted.” The court found strong support in the interpretation of where a loan is “made” in the plain language of section 521 when viewing the statutory scheme holistically and when coupled with the Federal Deposit Insurance Act and Title 12 of the United States Code, containing the National Bank Act.
FinTech companies offering earned wage access (“EWA”) products, sometimes called earned wage advance products, have seen significant developments within the past year. In general, earned wage access products are focused on providing consumers access to funds that are associated with earned but unpaid wages. As discussed below, the structure of EWA products varies considerably from one product to another, including based upon whether they are third-party company offerings or payroll and employer integrated products. Five states have passed laws creating new EWA laws that regulate these products, typically clarifying that they are not considered loans under state law. At least one regulatory agency has taken the opposite tack and has sought to regulate the products as consumer loans. The CFPB has issued a proposed interpretive rule (“Proposed EWA Rule”) that is focused on EWA products that would bring them within the scope of the Truth in Lending Act (“TILA”) and would treat optional expedited funds transfer fees and voluntary tips as finance charges.
Five states have enacted EWA laws. In general, the laws have similar provisions in which they broadly define EWA as encompassing both consumer-direct programs and employer-integrated programs. While the nature of the terminology and the regulations differ regarding those types of programs, the requirement to obtain a license and adhere to the law generally applies to both types of activity.
Missouri adopted the law with the earliest effective date and provides a representative example of the adopted laws. Under current Missouri law, registration as an EWA provider is required to engage in the business of EWA services in the state. A “provider” is a person who is in the business of offering and providing EWA services to consumers. “Earned wage access services” includes providing consumer-directed wage access services, employer-integrated wage access services, or both. The law clarifies that “consumer-directed wage access services” means the business of offering or providing EWA services directly to a consumer based on the consumer's representation and the provider's reasonable determination of the consumer's earned but unpaid income. In contrast, “employer-integrated wage access services” means the business of delivering to consumers access to earned but unpaid income that is based on employment, income, and attendance data obtained directly or indirectly from an employer.
Missouri law also clarifies that EWA providers must fully disclose the fees charged for their services, including subscription fees and any fees charged to facilitate expedited delivery of the proceeds of the advances. However, the definition of a fee excludes voluntary tips, donations, or gratuities. The law also prohibits EWA providers from reporting negative payment performance on a consumer’s credit report or to a debt collector, or seeking to obtain repayment via a lawsuit, utilize collection agencies, or sell the amounts owed to third parties for collection. Finally, EWA products are not treated as a loan or other form of credit under Missouri law.
Four other states have adopted similar EWA laws. Nevada’s EWA law became effective in July, 2024. South Carolina’s law was effective November 21, 2024. The Wisconsin law took effect on September 1, 2024, and the Kansas law became effective on January 1, 2025.
In contrast to the legislation creating EWA laws, at least one state financial services regulatory agency has sought to characterize EWA products as consumer loans or to apply consumer loan law regulations. The Maryland Commissioner of Financial Regulation issued guidance on EWS products in August 2023. The guidance states that an EWA product may be a loan when it is originated by a private company, due to the liberal scope of the consumer lender licensing laws in Maryland. The Maryland guidance specifically excluded a loan between an employer and an employee from the definition of “loan” and thus the question of whether an EWA product is a “loan” appears only relevant for consumer-direct EWA products. For consumer-direct EWA products the Commissioner stated the need for a “case by case” analysis to determine whether a third-party provider is a service provider to the employer or a lender. The Commissioner will analyze the following features when conducting such an analysis: (1) the party who bears the economic risk, employer or provider; (2) what level of contact the third party has with the consumer; and (3) who benefits from any “fee” or “tip” that is paid. Finally, the Commissioner indicates that a tip or fee would likely be “interest” and thus subject to Maryland rate caps.
The Proposed EWA Rule seeks to classify EWA products as “debt” and “credit” under TILA, replacing the CFPB’s prior advisory opinion on the subject, and modifies its general discussion of what constitutes “debt” under TILA. In its prior advisory opinion, the CFPB’s general discussion of what constitutes “debt” under TILA, citing to Black’s Law Dictionary, required a fact-specific confirmation regarding certain EWA products not being subject to TILA. In contrast, the Proposed EWA Rule points to other dictionaries, such as Merriam-Webster, in furtherance of a broader definition of debt. The consequence of this treatment is that EWA products would become subject to TILA unless otherwise exempt, regardless of whether the products are non-recourse transactions. The CFPB structured the rule as an interpretive rule, a procedure that is designed to clarify existing law, but stated that it was only a proposed interpretive rule designed to replace the prior advisory opinion, and as a result the CFPB was inviting comments prior to formally issuing the Proposed EWA Rule as a final interpretive rule.
The CFPB noted that the term “debt,” which is not defined in TILA, simply means “something owed” and thus is broad enough to capture non-recourse transactions in which a party has no recourse to seek to collect any amounts. The CFPB’s statements contradict its prior statements in the 2020 advisory opinion, in which the CFPB noted that the common meaning of the term debt was one of a “liability on a claim; a specific sum of money due by agreement or otherwise.” At the time of the 2020 advisory opinion, the CFPB’s view was that because consumers had no liability or obligation to repay the amounts advanced, they could not qualify as a debt, and thus were outside of TILA. Needless to say, the CFPB now views the term “debt” to be more expansive.
The CFPB also seeks to clarify the treatment of optional expedited funds delivery charges and tips with respect to TILA. The CFPB framed its analysis by noting that a fee or charge is a finance charge under TILA where it is both incidental to the extension of credit and imposed directly or indirectly by the creditor. With respect to the first element, the CFPB noted that charges do not have to necessarily have a substantial connection to the credit in order to be incident to the credit. With respect to the second prong, the CFPB took the position that optional charges may nonetheless be viewed as imposed directly or indirectly by the creditor, stating that “a creditor can ‘impose’ a cost on a consumer—in the sense of exacting it from them—‘directly or indirectly’ even if that payment is not required for the extension of credit.”
While the CFPB’s rationale for the first prong was similar between the two types of charges, the analysis for the second prong differed. For expedited funds transfer fees, the CFPB reasoned that the marketing surrounding EWA products structured the product as a short-term liquidity solution and resulted in consumers predominantly choosing the expedited option, and that the absence of a fee for some loans did not override its presence for others. In this regard, the CFPB took the view that the consumer’s decision to pay the fee in order to receive expedited funds delivery overrode the fact that the fee was not required, and thus the fee was “imposed” even in contexts in which the consumer could have received the extension of credit without paying the fee.
The CFPB’s analysis of “tips” and similar voluntary payments was somewhat different in that the CFPB focused primarily on the fact that tips are a significant source of revenue for companies that accept them. The CFPB reasoned that because a creditor was leveraging its “authority—real or implied” to “extract” a tip, the tips were therefore “imposed” by the creditor and met the test under TILA. The CFPB did not discuss the source or authority explaining the use of the term “extract,” or its relevance to the imposition of a charge or the definitions of “impose” that were cited.
