InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
NYDFS commits to mitigating virtual currency risks
On May 20, NYDFS Superintendent Adrienne A. Harris emphasized the role regulation plays in protecting consumers from cybercriminals in the virtual currency marketplace. According to Harris, NYDFS is committed to mitigating risks in this space by guarding against sanctions evasion and illicit activity and making sure corporate infrastructure and consumer data are well protected from bad actors. Harris stressed that NYDFS “will continue to improve upon [its] regulation and supervision; engage with key stakeholders on important trends and issues; collaborate with state, federal and international regulators; and strive to be a forward-looking, innovative regulator, including through [its] VOLT initiative,” which supports the department’s efforts to increase transparency and enhance supervision related to virtual currency.
OCC discusses use of AI
On May 13, OCC Deputy Comptroller for Operational Risk Policy Kevin Greenfield testified before the House Financial Services Committee Task Force on Artificial Intelligence (AI) discussing banks' use of AI and innovation in technology services. Among other things, Greenfield addressed the OCC’s approach to innovation and supervisory expectations, as well as the agency’s ongoing efforts to update its technological framework to support its bank supervision mandate. According to Greenfield’s written testimony, the OCC “recognizes the paramount importance of protecting sensitive data and consumer privacy, particularly given the use of consumer data and expanded data sets in some AI applications.” He noted that many banks use AI technologies and are investing in AI research and applications to automate, augment, or replicate human analysis and decision-making tasks. Therefore, the agency “is continuing to update supervisory guidance, examination programs and examiner skills to respond to AI’s growing use.” Greenfield also pointed out that the agency follows a risk-based supervision model focused on safe, sound, and fair banking practices, as well as compliance with laws and regulations, including fair lending and other consumer protection requirements. This risk-based approach includes developing supervisory strategies based upon an individual bank’s risk profile and examiners’ review of new, modified, or expanded products and services. Greenfield further noted that “the OCC is focused on educating examiners on a wide range of AI uses and risks including risks associates with third parties, information security and resilience, compliance, BSA, credit underwriting, and fair lending and data governance, as part of training courses and other educational resources.” According to Greenfield’s oral statement, “banks need effective risk management and controls for model validation and explainability, data management, privacy, and security regardless of whether a bank develops AI tools internally or purchases through a third party.”
CFPB delivers 2021 fair lending report to Congress
On May 6, the CFPB issued its annual fair lending report to Congress, which outlines the Bureau’s efforts in 2021 to fulfill its fair lending mandate. Much of the Bureau’s work in 2021 focused on addressing racial injustice and long-term economic consequences of the Covid-19 pandemic. According to the report, the Bureau continued to prioritize promoting fair, equitable, and nondiscriminatory access to credit, with a particular focus on fair lending supervision efforts in areas related to “mortgage origination and pricing, small business lending, student loan origination work, policies and procedures regarding geographic and other exclusions in underwriting, and [] the use of artificial intelligence (AI) and machine learning models.” Fair Lending Director Patrice Alexander Ficklin said that while she is “encouraged by the possibility of utilizing vehicles like special purpose credit programs to expand access to credit,” she remains “skeptical of claims that advanced algorithms are the cure-all for bias in credit underwriting and pricing.” The report addressed enforcement and supervision work, highlighting four fair lending-related enforcement actions taken last year related to (i) illegal redlining practices; (ii) failure to provide accurate denial reasons on adverse-action notices; (iii) UDAAP violations related to the treatment of “gate money” for incarcerated individuals; and (iv) fees and payments associated with immigration bonds. The report also discussed initiatives concerning small business lending and data collection rulemaking, automated valuation models rulemaking, and a final rule amending certain provisions in Regulation X related to Covid-19 protections offered by mortgage servicers. Additionally, the report discussed an interpretive rule concerning ECOA’s prohibition on sex discrimination, stakeholder engagement on matters concerning fair lending compliance and policy decisions, HMDA reporting, and interagency engagement and reporting, among other topics. The report noted that going forward, the Bureau intends to sharpen its focus on digital redlining and algorithmic bias to identify emerging risks as more tech companies influence the financial services marketplace. According to CFPB Director Rohit Chopra, “[w]hile technology holds great promise, it can also reinforce historical biases that have excluded too many Americans from opportunities.”
California governor orders state to create blockchain regulatory framework
On May 4, the California governor issued an executive order calling on the state to create a transparent and consistent framework for companies operating in blockchain, cryptocurrency, and related financial technologies. This framework, the governor stated, should harmonize federal and California laws and balance innovation with consumer protection. The executive order outlined several priorities, including:
- The framework should include input from a range of stakeholders for potential blockchain applications and ventures;
- The Department of Financial Protection and Innovation (DFPI) should engage in a public process, including with federal agencies, to “develop a comprehensive regulatory approach to crypto assets harmonized with the direction of federal regulations and guidance” and should “exercise its authority under the California Consumer Financial Protection Law (CCFPL) to develop guidance and, as appropriate, regulatory clarity and supervision of private entities offering crypto asset-related financial products and services” in the state;
- DFPI should publish consumer protection principles that include model disclosures, error resolution, and other criteria, and “seek input from stakeholders and licensees in order to publish guidance for California state-chartered banks and credit unions”;
- DFPI should engage in actions to protect consumers, including initiating enforcement actions to enforce the CCFPL, enhancing its review of consumer complaints related to crypto asset-related financial products and services and working with companies to remedy such complaints, and publishing consumer education materials;
- GovOps should issue a request for innovative ideas to explore opportunities for deploying blockchain technologies that address public-serving and emerging needs; and
- Members of the Governor's Council for Postsecondary Education should “identify opportunities to create a research and workforce environment to power innovation in blockchain technology, including crypto assets” to “expose students to emerging opportunities.”
The governor emphasized that while blockchain technology over the past decade “has laid the foundation for a new generation of innovation, spurring a rise in entrepreneurialism in sectors including financial technology,” among others, its impact “is both uncertain and profound” and carries risks and legal implications.
OCC hosts virtual innovation hours
On May 4, the OCC announced it will host virtual Innovation Office Hours on June 14 through 15 to promote responsible innovation in the federal banking system. As previously covered by InfoBytes, the OCC established the Office of Innovation in 2017 to implement certain aspects of the OCC’s responsible innovation framework, including, among other things: (i) creating an outreach and technical assistance program; (ii) conducting awareness and training activities for OCC staff, such as implementing an internal web page that provides OCC staff a ‘one-stop-shop’ to access information on industry trends and innovative products, services, and processes; and (iii) encouraging coordination and facilitation among the regulatory community and industry stakeholders. According to the OCC’s recent announcement, parties should request a virtual office hours session by May 20 and should provide information on their interested topic(s). The OCC will determine specific meeting times and arrangements after it receives and accepts the request.
Special Alert: Federal court says state bank, fintech partner must face Maryland’s allegation of unlicensed lending before state ALJ
A federal court late last month told a state-chartered bank and its fintech partner that they must return to a state administrative law proceeding to fight a Maryland enforcement action alleging that their failure to obtain a license to lend and collect on loans violated state law — potentially rendering the terms of certain loans unenforceable.
The Missouri-chartered bank and its partners attempted to remove an action brought by the Office of the Maryland Commissioner of Financial Regulation to the U.S. District Court for the District of Maryland, but the district court determined that removal was not proper and that Maryland’s Office of Administrative Hearings was the appropriate venue.
OCFR initially filed charges in January 2021 in Maryland’s Office of Administrative Hearings against the bank and its partner asserting the bank made installment and consumer loans and extended open-ended or revolving credit in the state without being licensed or qualifying for an exception to licensure. As a result, OCFR said they “‘may not receive or retain any principal, interest, or other compensation with respect to any loan that is unenforceable under this subsection.’” It said that not only are the bank’s loans to all Maryland consumers possibly unenforceable, but also that the bank, or its agents or assigns, could in the alternative be “prohibited from collecting the principal amount of those loans from any of these consumers or from collecting any other money related to those loans.”
The OCFR’s charge letter also said the fintech company that provided services to the bank violated the Maryland Credit Services Business Act by providing advice and/or assistance to consumers in the state “with regard to obtaining an extension of credit for the consumer when accepting and/or processing credit applications on behalf of the Bank without a credit services business license.” Additionally, the OCFR alleged violations of the Maryland Collection Agency Licensing Act related to whether the fintech company engaged in unlicensed collection activities, thus subjecting it to the imposition of fines, restitutions, and other non-monetary remedial action.
The defendants filed a notice of removal to federal court last year while the enforcement action was still pending before the OAH; OCFR moved to remand the case back to the agency.
In granting the OCFR’s motion to remand, the court concluded that the OCFR persuasively argued that the defendants have not properly removed this case from the OAH for several reasons, including that the OAH does not function as a state court. “Pursuant to 28 U.S.C. § 1441, a defendant may remove to federal court ‘any civil action brought in a State court of which the district courts of the United States have original jurisdiction.’” However, the court determined that, while defendants correctly observed that the OAH possesses certain “court-like” attributes, its limitations clearly showed that it does not function as a state court.
In reaching this conclusion, the court considered several undisputed facts, including that the OCFR is a unit of the Maryland Department of Labor “responsible for, among other things, issuing licenses to entities wishing to issue loans to consumers in Maryland and investigating violations of Maryland’s consumer loan laws.” The court also said that, while OCFR has authority under Maryland law to investigate potential violations of law or regulation and has the ability to issue cease and desist orders, revoke an individual’s license, or issue fines, it cannot enforce its own subpoenas or orders — and that its decisions are not final and may be appealed to a state circuit court.
The defendants had argued that the case involved a federal question as a result of the complete preemption of state usury laws by Section 27 of the FDI Act. The court said licensure, not state usury law claims, was the issue at hand.
During a status conference held last month to discuss OCFR’s motion to remand, defendants requested an opportunity to file a motion certifying the case for appeal. The court will hold in abeyance its remand order pending resolution of that motion. Parties’ briefings are due by the end of May.
If you have any questions regarding the ruling or its ramifications, please contact a Buckley attorney with whom you have worked in the past.
Hsu discusses stablecoin standards
On April 27, acting Comptroller of the Currency Michael J. Hsu issued a statement regarding stablecoin standards after appearing before the Artificial Intelligence and the Economy: Charting a Path for Responsible and Inclusive AI symposium hosted by the U.S. Department of Commerce, National Institute of Standards and Technology, FinRegLab, and the Stanford Institute for Human-Centered Artificial Intelligence. According to Hsu, the internet has “technical foundations” that “provide for an open, royalty-free network.” He further noted that “[t]hose foundations did not emerge on their own. They were developed by standard setting bodies like IETF (Internet Engineering Task Force) and W3C (World Wide Web Consortium), which had representatives with differing perspectives, a shared public interest ethos, and a strong leader committed to the vision of an open and inclusive internet.” Hsu further stated that stablecoins do not have “shared standards and are not interoperable.” However, to make stablecoins “open and inclusive,” Hsu said that he believed that “a standard setting initiative similar to that undertaken by IETF and W3C needs to be established, with representatives not just from crypto/Web3 firms, but also from academia and government.” As previously covered by InfoBytes, Hsu discussed stablecoin policy considerations earlier this month in remarks before the Institute of International Economic Law at Georgetown University Law Center, calling for the establishment of an “intentional architecture” for stablecoins developed through principles of “[s]tability, interoperability and separability,” as well as “core values” of “privacy, security, and preventing illicit finance.”
NYDFS encourages virtual currency licensees to use blockchain analytics tools for sanctions and AML compliance
On April 28, NYDFS announced new guidance on virtual currency entities that are establishing the use of blockchain analytics tools. NYDFS explained that virtual currency activities can involve, among other things, different sources, destinations, and types of funds flows than are found in more traditional, fiat-currency contexts. Such characteristics of virtual currencies can create compliance challenges, but also can present new possibilities for new technology-driven control measures. In the guidance, NYDFS outlined expectations for New York State-regulated virtual currency companies, including: (i) establishing control measures that may leverage blockchain analytics; (ii) augmenting due diligence controls; (iii) conducting transaction monitoring of on-chain activity; and (iv) conducting sanctions screening of on-chain activity. NYDFS also emphasized "the importance of risk-based policies, processes, and procedures to identify transaction activity involving virtual currency addresses or other identifying information associated with sanctioned individuals and entities listed on the SDN List, or located in sanctioned jurisdictions."
As previously covered by InfoBytes, NYDFS issued a framework outlining industry best practices for state-regulated property/casualty insurers writing cyber insurance, which provided guidance for effectively managing cyber insurance risk. The framework is the first guidance released by a U.S. regulator on cyberinsurance. NYDFS noted it has “engaged with external stakeholders to inform this new guidance and continues to conduct significant outreach to state, federal and international regulators; industry; and other experts in the field to ensure New York maintains a robust regulatory regime and remains a destination for virtual currency companies to operate.”
UK's FCA secures £2,000,000 account forfeiture order against fintech start up
On April 21, the UK’s Financial Conduct Authority (FCA) secured a £2,000,000 account forfeiture consent order against a fintech startup that purportedly offers due diligence and underwriting services. The FCA noted that the funds were supposedly an investment received from a software firm, but observed that the fintech company moved the money repeatedly to different bank accounts in several countries in transactions with no legitimate business purpose. The funds, which the FCA had already frozen in October and December 2020, were allegedly “the proceeds of illegal activity connected to criminal proceedings in the United States of America concerning an alleged conspiracy to commit wire fraud against banks, credit card companies and other financial service providers in the USA.” While the FCA is not alleging that the fintech company was involved in the conspiracy, it flagged concerns in response to the company’s application to become a regulated firm. The company has since withdrawn its application to be regulated by the FCA.
DFPI concludes MTA licensure not required for direct purchase and sale of cryptocurrency
Recently, the California Department of Financial Protection and Innovation (DFPI) released a new opinion letter covering aspects of the California Money Transmission Act (MTA) related to the purchase and sale of virtual currency. The redacted opinion letter examines whether a Company that offers customers the opportunities to deposit fiat currency to a Company account and then draw down that balance to purchase virtual currency from the company requires MTA licensure. The Company explained that virtual currency is purchased from a third party and is transferred to the customer’s Company-issued virtual currency wallet where it can then be stored, transferred to an external wallet, or sold for fiat currency. When a customer later wants to sell the purchased virtual currency for fiat currency, the transaction occurs in a similar fashion. The Company stated that “virtual currency sales to customers are from the Company’s own inventory,” and that for purposes of the opinion, DFPI “assumes these sales occur independently of the Company’s own transactions with third parties.”
DFPI concluded that because the Company’s activities are limited to directly purchasing and selling cryptocurrency to customers, it does not require an MTA license because it does “not involve the sale or issuance of stored value or receiving money for transmission.” Specifically, DFPI stated that because the “customer’s fiat currency balance in the Company account does not meet the definition of stored value” and because “funds in that account can only be used for virtual currency purchases from the Company or transferred out to the customer’s external bank account,” the closed loop stored value “does not constitute issuance of stored value that is regulated under the MTA.” DFPI reminded the Company that its determination is limited to the presented facts and that any change could lead to different conclusions.