InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB finalizes rule to change its supervision designation procedures for nonbanks
On April 16, the CFPB issued a procedural rule to change how the Bureau will designate nonbanks for supervision. Under the CFPA, the CFPB was authorized to supervise a nonbank covered person if the Bureau had reasonable cause to determine if the nonbank covered person was engaged in financial services-related conduct that posed a risk to consumers. In 2013, the CFPB issued a rule providing procedures to govern supervisory designation proceedings under this authority; in 2022, the CFPB published a final rule amending the procedural rule to allow it to publicize its resolution of any contested designation proceeding (covered by InfoBytes here). In late February 2024, the CFPB transitioned to a new organizational structure for its supervision and enforcement work, and this rule will reflect the technical changes of the new structure in the context of supervisory designation proceedings.
According to the Bureau, there were small differences between two separate provisions under the 2013 rule that allowed nonbanks to consent to the CFPB’s exercise of supervisory authority. The new procedural rule will combine these provisions and clarify a few points of distinction from the two original provisions, including (i) a consent agreement does not constitute an admission; and (ii) supervision durations following consent agreements can be negotiated on a case-by-case basis, instead of applying a default duration of two years.
Regarding the Supervision Director’s notice of reasonable cause, the rule will expand the possible methods of delivery to include other methods that are “reasonably calculated to give notice.” Additionally, the rule states that the initiating official may withdraw a notice, and that they may file a written reply to the notice recipient’s response, neither of which was not contemplated under the previous rule. The Bureau said these changes could allow for more transparency in the decision-making process.
Concerning a supplemental oral response, the Bureau noted under the previous rule, a respondent nonbank entity presented supplemental oral responses to the Associate Director for Supervision, Enforcement, and Lending. In light of the elimination of the Associate Director position pursuant to a recent reorganization that split the Division of Supervision, Enforcement, and Fair Lending into a Division of Enforcement and a Division of Supervision, the rule provided that the Director of the Bureau will assume the Associate Director’s adjudicative roles and supervision-related functions. Therefore, the Director will be responsible for issuing a decision and order subjecting an entity to the Bureau’s supervision or terminating a proceeding.
The rule further stipulated that (i) an additional time limit for mail and delivery services are no longer warranted, since email would be “generally instantaneous”; (ii) there will be a 13,000-word limit for the proceeding filings; (iii) any changes to time or word limits can be decided between the initiating official and the respondent with a notice to the Director and will be subject to change by the Director.
Regarding the confidentiality of proceedings, the rule maintained a process for the CFPB to decide whether to publicly release final decisions and orders, including orders entered as a result of respondent failing to file a response and therefore defaulting. The Bureau did note, however, consent agreements entered into between the initiating official and the respondent will not be subject to public release under the rule.
The rule also established an issue exhaustion requirement, requiring respondents to raise arguments they have in their written response to the Bureau to avoid waiving the argument in future proceedings. The Bureau will invite public comments which must be submitted 30 days after publication in the Federal Register, although the rule will be exempt from the notice-and-comment rulemaking requirements under the APA as a rule of agency organization, procedure, or practice. The rule will be effective upon publication to the Federal Register, and it will apply to proceedings pending on the effective date, unless the Director determined that it will be “not practicable.”
Nacha’s new rules intends to reduce business fraud that uses credit-push payments
On March 18, Nacha announced rule amendments intended to reduce the incidence of frauds that leverage credit-push payments, such as vendor impersonation and business email compromise (BEC). While, importantly, the rules will not shift liability for ACH payments as between the parties, they will establish obligations on originating financial institutions (ODFIs) and receiving depository financial institutions (RDFIs) to monitor the sending and receipt of payments for potential fraud, and they will empower the same to flag potentially fraudulent payments for action. Specifically, the rule amendments will allow “the originating financial institution (ODFI) to request the return of the payment for any reason, the RDFI to delay funds availability (within the limits of Regulation CC) to examine the payment more closely, and the RDFI to return a suspicious transaction on its own initiative without waiting for a request or a customer claim.”
As part of the amendment announcement, NACHA cited the FBI’s Internet Crime Complaint Center’s 2023 annual report, noting that BEC, vendor impersonation, and payroll impersonation are examples of fraudulent activities “that result in payments being ‘pushed’ from a payer’s account to the account of a fraudster,” and that there were 21,489 BEC complaints totaling $2.9 billion in reported losses in 2023, making BEC the second-costliest cybercrime category.
The first set of rule amendments are effective October 1, which, among other things, allow an RDFI to use return code R17 for potential fraud, including for “false pretenses,” and an ODFI to request a return from an RDFI for any reason, including fraud. The first set of amendments also provided RDFIs “with an additional exemption from the funds availability requirements to include credit entries that the RDFI suspects are originated under false pretenses,” subject to Regulation CC. Finally, the RDFI will be required to promptly return any unauthorized consumer debit by the 6th banking day after it reviewed a consumer’s signed Written Statement of Unauthorized Debit.
The first set of rule amendments will be followed by subsequent (phase 1 and phase 2) amendments. The phase 1 amendments, effective March 20, 2026, will, among other things, require ODFIs, and non-consumer originators, third party providers, and third party senders with an annual ACH origination volume of six million or more to implement or enhance appropriate risk-based process and procedures to identify fraudulent transfers. Under phase 1, NACHA will also require RDFIs with ACH receipt volumes of 10 million or more to establish risk-based processes and procedures to identify fraudulent activity. The second phase, effective June 19, 2026, will require fraud risk monitoring for the remaining non-consumer originators, third party providers, and third-party senders.
CFPB, federal and state agencies to enhance tech capabilities
On March 26, the CFPB announced as a part of a coordinated statement with other federal and state agencies, the intent to enhance its technological capabilities. As part of this initiative, the CFPB will be hiring more technologists to help enforce laws and find remedies for consumers, workers, small businesses, etc. These technologists will join interdisciplinary teams within the CFPB to monitor and address potential violations of consumer rights within the evolving tech landscape, particularly considering the growing attention to generative artificial intelligence (AI). The CFPB's technologists will be tasked with identifying new technological developments, recognizing potential risks, enforcing laws, and developing effective remedies. CFPB Director Rohit Chopra emphasized the essential role of technology in the Bureau’s efforts to regulate data misuse, AI issues, and big tech involvement in financial services. Chopra and Chief Technologist Erie Meyer remarked that the CFPB has integrated technologists into its core functions, with these experts now actively involved in supervisory examinations, enforcement actions, and other regulatory proceedings. They also note that the CFPB has researched how emerging technologies, such as generative AI and near-field communication, are used in consumer finance. To foster a competitive and “law-abiding” marketplace, Chopra and Meyer also note that the CFPB will continue to issue policy guidance to assist firms with understanding legal obligations.
Department of Energy discontinues crypto mining survey following a settlement agreement
On March 1, a cryptocurrency company (plaintiff) and the U.S. Department of Energy submitted a settlement agreement to the U.S. District Court for the Western District of Texas to discontinue an emergency crypto mining survey once approved by the Office of Management and Budget.
According to the settlement agreement, the Department of Energy initiated an emergency three-year collection of a Cryptocurrency Mining Facilities Survey in January, which the plaintiff claimed did not comply with various statutory and regulatory requirements for the emergency collection of information. Following the court’s approval of the plaintiff’s temporary restraining order, which protected plaintiffs from completing the survey issued by the Department of Energy and protected any information they may have already submitted, the Department of Energy discontinued its emergency collection, and said it will proceed through notice-and-comment procedures for approval of any collection of information covering such data. As a result of the discontinuation of the emergency collection request, no entity or person is required to respond to the survey.
As part of the settlement agreement, the Department of Energy will destroy any information it had already received from survey responses. In addition to a $2,199.45 payment for the plaintiffs’ litigation expenses, the Department of Energy also agreed to publish a new Federal Register notice of a proposed collection of information and withdraw its original notice.
U.S. Attorney General taps professor to lead new technology-focused roles
On February 22, the U.S. Attorney General, Merrick B. Garland, announced that he tapped Jonathan Mayer to head the DOJ’s first Chief Science and Technology Advisory and Chief Artificial Intelligence (AI) Officer roles. The roles are housed in the DOJ’s Office of Legal Policy which is developing a team of technical and policy experts in technology-related areas important to the Department’s responsibilities. These topics include cybersecurity and AI with the aim to advise leadership and collaborate with other components across the Department and with federal partners on cutting-edge technological issues. As the first Chief Science and Technology Advisor, Mayer will contribute technical expertise on cybersecurity, AI, and emergent technology matters.
The Chief AI Officer role was created pursuant to a presidential executive order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. In this role, Mayer will work on intra-departmental and cross-agency efforts on AI and adjacent issues, and he will also lead the Justice Department’s newly established Emerging Technology Board, which coordinates and governs AI and other emerging technologies across the Department.
Mayer has a PhD in computer science from Stanford University and a J.D. from Stanford Law School. Mayer is an assistant professor at Princeton University’s Department of Computer Science and School of Public and International Affairs where his research is focused on the intersection of technology, policy, and law with an emphasis in criminal procedure, national security, and consumer protection.
Financial Stability Board’s letter addresses financial topics for upcoming G20 meeting
On February 20, the Financial Stability Board (FSB) released a letter from its Chair, Klaas Knot, to the G20 Finance Ministers and Central Bank Governors ahead of the February 28-29 G20 meeting, setting up the agenda for maintaining global financial stability. The FSB is an organization made up of senior financial officials from G20 countries as well as international financial organizations including the International Monetary Fund, the World Bank, and the European Central Bank. The letter addressed financial system vulnerabilities, including the takeaways from the March 2023 banking crisis, nonbank financial intermediation (NBFI), digitalization of finance, climate change effects, and cross-border payment efficiency.
On the first topic, the letter highlighted lessons wrought by the March 2023 banking crisis; the FSB advocated the need for public-sector backstop funding mechanisms, and more analytical work on interest rate and liquidity risk to explore vulnerabilities. On NBFI, the letter noted a structural vulnerability in asset management as the “potential mismatch between the liquidity of fund investments and daily redemption of fund units in open-ended funds[.]” On digital innovation, the letter urges the G20 to closely monitor any risks to financial stability, including crypto, tokens, and artificial intelligence. On climate change, the FSB plans to further analyze climate-related financial risks to financial stability. Last, on cross-border payments, the G20 Cross-border Payments Roadmap goal is to make cross-border payments “faster, cheaper, and more transparent and inclusive” while keeping their integrity and maintaining the “safety of the system.” The letter noted that FSB has collaborated with AML experts in both the public and private sectors to “increase the efficiency of payments systems and further enhance their integrity and safety.”
FDIC orders bank to plan termination of relationships with “significant” fintech partners
Recently, the FDIC released a consent order against a Tennessee bank as part of its release of January Enforcement Decisions and Orders. The FDIC stated that within sixty days of the effective date of the consent order, the bank must “submit a general contingency plan to the Regional Director… [on] how the [b]ank will administer an effective and orderly termination with significant third-party FinTech partners,” as part of its Third-Party Risk Management program for the bank. The Program must assess and manage the risks posed by all fintech firms associated with the bank. It will include policies related to due diligence and risk assessment criteria that are appropriate to the products and services provided by the fintech partner. The bank must also engage an independent firm for completion of a comprehensive Banking-as-a-Service Risk Assessment Report.
The bank further consented, without admitting or denying any charges of unsafe or unsound banking practices, to board supervision of the bank’s management and approval of the bank’s policies and objectives, qualified management, the Regional Director’s prior consent for new or expanded lines of business that would result in an annual 10 percent growth in total assets or liabilities, and a comprehensive strategic plan.
States endorse the CFPB’s rule to regulate fintechs
Recently, 19 state attorneys general submitted a comment letter supporting the CFPB’s proposed rule that would expand the CFPB’s supervisory authority to regulate nonbank fintech firms that offer digital payment services. They emphasized the importance of regulating nonbank financial institutions, including popular digital payment applications. The proposed rule aims to protect consumers from fraud, unregulated investment risks, and data privacy concerns. It addresses issues such as the lack of FDIC insurance for funds stored in digital payment applications, customer service problems, and potential risks associated with investment activities. The state attorneys general commend the CFPB for exercising its authority to improve the regulation of consumer financial products and urge prompt publication and implementation of the final rule.
FSOC report highlights AI, climate, banking, and fintech risks; CFPB comments
On December 14, the Financial Stability Oversight Counsel released its 2023 Annual Report on vulnerabilities in financial stability risks and recommendations to mitigate those risks. The report was cited in a statement by the Director of the CFPB, Rohit Chopra, to the Secretary of the Treasury. In his statement, Chopra said “[i]t is not enough to draft reports [on cloud infrastructure and artificial intelligence], we must also act” on plans to focus on ensuring financial stability with respect to digital technology in the upcoming year. In its report, the FSOC notes the U.S. banking system “remains resilient overall” despite several banking issues earlier this year. The FSOC’s analysis breaks down the health of the banking system for large and regional banks through review of a bank’s capital and profitability, credit quality and lending standards, and liquidity and funding. On regional banks specifically, the FSOC highlights how regional banks carry higher exposure rates to all commercial real estate loans over large banks due to the higher interest rates.
In addition, the FSOC views climate-related financial risks as a threat to U.S. financial stability, presenting both physical and transitional risks. Physical risks are acute events such as floods, droughts, wildfires, or hurricanes, which can lead to additional costs required to reduce risks, firm relocations, or can threaten access to fair credit. Transition risks include technological changes, policy shifts, or changes in consumer preference which can all force firms to take on additional costs. The FSOC notes that, as of September 2023, the U.S. experienced 24 climate disaster events featuring losses that exceed $1 billion, which is more than the past five-year annual average of 18 events (2018 to 2022). The FSOC also notes that member agencies should be engaged in monitoring how third-party service providers, like fintech firms, address risks in core processing, payment services, and cloud computing. To support this need for oversight over these partnerships, the FSOC cites a study on how 95 percent of cloud breaches occur due to human error. The FSOC highlights how fintech firms face risks such as compliance, financial, operational, and reputational risks, specifically when fintech firms are not subject to the same compliance standards as banks.
Notably, the FSOC is the first top regulator to state that the use of Artificial Intelligence (AI) technology presents an “emerging vulnerability” in the U.S. financial system. The report notes that firms may use AI for fraud detection and prevention, as well as for customer service. The FSOC notes that AI has benefits for financial instruction, including reducing costs, improving inefficiencies, identifying complex relationships, and improving performance. The FSOC states that while “AI has the potential to spur innovation and drive efficiency,” it requires “thoughtful implementation and supervision” to mitigate potential risks.
House Financial Services Committee questions financial agency representatives on technological implementations
On December 5, the U.S. House Financial Services Subcommittee on Digital Assets, Financial Technology and Inclusion held a hearing on “Fostering Financial Innovation: How Agencies Can Leverage Technology to Shape the Future of Financial Services.” The Committee invited representatives to testify from the SEC, OCC, FDIC, CFPB, NCUA, and the Federal Reserve. The representatives fielded an array of questions focused on artificial intelligence, cryptocurrencies, and central bank digital currencies (CBDCs), and broadly focused on the need to balance technological innovation within the financial sector with managing risk.
On cryptocurrencies, congressional representatives posed questions on the nature of criminal activity among other risks. The discussion addressed bank risks related to crypto assets—while banks do not hold crypto assets, the representative from the Federal Reserve noted how banks may face liquidity risks when holding deposits from crypto-related companies. On CBDCs, the Committee asked for an update on the U.S. CBDC; the Federal Reserve representative mentioned the Fed’s current research on CBDC technologies but noted that the agency is still “a long way off from thinking about the implementation of anything related to a CBDC.”
On the topic of artificial intelligence, agency representatives discussed how banks are using the technology for fraud monitoring and customer service. The discussion addressed how artificial intelligence technology can create deepfakes using generative models to mimic an individual’s appearance or voice, and thus help scammers bypass traditional security checks. In response, some countries have implemented a secure digital ID that biometrically syncs to one’s smartphone, and the NCUA noted that it is currently evaluating this technology.