Financial technology, or fintech, is poised to be the center of U.S. regulation in 2017. Industry experts estimate that between July 2015 and January 2016, more than $5.5 billion was invested in the fintech sector. As fintech continues to gain traction in both the United States and abroad, European countries are already addressing regulatory hurdles to ensure that fintech innovation can thrive.
Over the past year, following a series of regulatory enforcement actions against fintech companies, lawmakers have introduced measures to ease the regulatory burden on fintech companies. Given these recent legislative and regulatory developments, the future of the regulatory landscape is unclear. However, there is no question that there is significant potential for positive substantive reform.
WHAT MAKES FINTECH DIFFERENT?
Traditional banks and capital companies are witnessing an emergence of marketplace lenders, peer-to-peer lending, mobile payments/wallets, equity crowdfunding and currency transfers. These developments are changing the way individuals and businesses within the financial community interact.
Under the existing web of state and federal regulatory regimes in the United States, however, fintech companies — which are sometimes more akin to software and technology companies — may need to operate in the highly regulated world of consumer finance.
As a result, fintech has gained the attention of regulators, who are becoming increasingly aware that reform is needed. Fintech companies are often uniquely positioned in the financial services market, and they have evolving business models that use the latest technological innovation.
Policymakers are attempting to develop a regulatory framework for fintech that encourages growth and innovation while balancing a corresponding need to address systemic risk, protect the marketplace and safeguard consumers.
Current and future regulations need to be clear and transparent in their applicability, scope and interpretation so that fintech firms can appropriately navigate the industry’s fluctuating environment.
Furthermore, the regulatory scheme must be dynamic and adaptable to handle the innovation coming from FinTech and the fast pace at which technologies move and evolve.
The natural progression of technological advances in fintech requires a more focused look at how state and federal governments will protect consumers, ensure marketplace fairness, and protect the financial sector from cybersecurity attacks.
Complicating matters is the lure to use “big data” — that is, to analyze large sets of data to reveal patterns, trends and associations — within the fintech model. Developments in data collection and analysis raise new concerns about data privacy and security as well as the collection of data across international borders.
Likewise, fintech companies, along with traditional companies, are subject to threats that arise out of the use of technology, like social engineering. Social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
This new cybersecurity threat allows hackers and other bad actors to use social media to gather and use information to manipulate individuals within a company to divulge small pieces of information that can be utilized to breach a system or obtain personal data.
THE REGULATORY TREND
In the meantime, the current regulatory environment in the United States could serve to stifle technological advances and cause the United States to fall behind in this important area of innovation.
In the last year, fintech has been the direct subject of enforcement actions that may have deterred further investment in this area. The Consumer Financial Protection Bureau has been one of the most active agencies in engaging the fintech industry.
In large part, this is because many of the financial innovations that have come out of the fintech revolution do not fit neatly within the realm of banking or financial services but are certainly consumer products or services.
On Sept. 27, 2016, the CFPB ordered online lender Flurish Inc. to pay $1.83 million in refunds and a civil penalty of $1.8 million for failing to deliver the promised benefits of its products. Flurish Inc. dba LendUp, CFPB No. 2016-CFPB-0023, 2016 WL 6646132 (Sept. 27, 2016).
Flurish, a San Francisco-based company doing business as LendUp, offers small-dollar loans through its website to consumers in certain states. In its consent order, the CFPB alleged that LendUp did not give consumers the opportunity to build credit and provide access to cheaper loans, as it claimed it would. LendUp did not admit to any wrongdoing.
Just a few months earlier, news headlines touted an opportunity for innovative, tech-savvy startups to fill a void in the payday lending space amid increasing regulatory enforcement against legacy brick-and-mortar payday lenders.
But the CFPB’s order against LendUp made it clear that despite the physical differences between brick-and-mortar lending operations and fintech alternatives, both are equally subject to the regulatory framework and consumer financial laws that govern the industry as a whole.
Specifically, the CFPB alleged that LendUp:
- Misled consumers about graduating to lower-priced loans: LendUp advertised all of its loan products nationwide, but certain lower-priced loans and other benefits were not available outside of California.
- Hid the true cost of credit: LendUp’s advertisements on Facebook and other internet search results allowed consumers to view various loan amounts and repayment terms but did not disclose the annual percentage rate.
- Reversed pricing without consumer knowledge: For a particular loan product, borrowers could select an earlier repayment date in exchange for a discount on the origination fee. LendUp did not tell customers that if they later extended the repayment date or defaulted on the loan, it would void the discount.
- Understated the annual percentage rate: LendUp allowed consumers to obtain their loan proceeds more quickly in exchange for a fee, a portion of which was retained by LendUp. LendUp did not always include these retained fees in their annual percentage rate disclosures to consumers.
- Failed to report credit information: LendUp began making loans in 2012 and advertised its loans as credit-building opportunities, but it did not furnish any information to credit- reporting companies until February 2014. It also failed to develop any written policies and procedures about credit reporting until April 2015.
In a press release following the announcement of the settlement agreement, LendUp stated that the issues identified by the CFPB mostly dated back to the company’s early days when it was a seed-stage startup with limited resources and as few as five employees.
This recent action appears to be the continuation of a trend of enforcement actions directed at fintech companies, which started with an enforcement action against Dwolla Inc. in March 2016. Dwolla Inc., CFPB No. 2016-CFPB-0007, 2016 WL 4523122 (Mar. 2, 2016).
Dwolla operates an online payment platform that facilitates the transfer of funds between consumers and merchants. The CFPB alleged that Dwolla misrepresented the depth of its data security measures and the safety and security of transactions performed using its platform.
The alleged misrepresentations included fairly typical assurances on Dwolla’s website regarding its data protection measures, including that
- Transactions on the website were safe and secure.
- Dwolla’s website empowered “anyone with an internet connection to safely send money to friends or businesses.”
- Dwolla’s data security practices “exceeded industry standards.”
Dwolla encrypted information “utilizing the same standards required by the federal government.”
- All consumer information was “securely encrypted and stored.”
- The company was “PCI-compliant,” meaning it complied with the Payment Card Industry Data Security Standard.
Although Dwolla did not suffer any reported cyberattacks (e.g., a data breach), the CFPB fined the company because it found that these representations were false.
Dwolla did not encrypt all of its customers’ sensitive information, was not PCI-compliant and failed to “adopt and implement data-security policies and procedures reasonable and appropriate for the organization,” according to the CFPB’s consent order.
Although the CFPB never alleged that consumer data breaches had occurred, the agency found that Dwolla’s representations regarding data encrypting and storage were inaccurate.
The CFPB based the enforcement action on a number of deficiencies that directly contradicted Dwolla’s representations regarding its data security measures. These included a failure to:
- Implement appropriate data security policies and procedures until at least September 2012
- (nearly three years after its inception in 2009).
- Implement a written data security plan until at least October 2013.
- Conduct adequate risk assessments.
- Use encryption technology to properly safeguard consumer information.
- Provide adequate or mandatory employee training on data security.
- Practice secure software development for consumer facing applications.
To be sure, irrespective of Dwolla’s security practices at the time or actual risk to consumers, the CFPB sent a clear message to fintech companies that their internal risk management programs must be consistent with representations made to consumers.
Significantly, in both the LendUp and Dwolla actions, the CFPB expressed a reluctance to grant startup companies any grace period for timely developing compliant policies and procedures — even where those companies are seeking to develop products that could one day benefit millions of underbanked consumers.
Over the last year, regulators have assessed significant penalties on relatively new fintech companies, leaving many industry stakeholders wondering if fintech companies will be able to thrive in the existing regulatory environment.
ATTEMPTS TO ESTABLISH A FEDERAL REGULATORY FRAMEWORK
In an attempt to establish a more favorable federal regulatory framework, Congress has responded with several bills to help fintech thrive here at home.
First, on Sept. 12, 2016, the U.S. House of Representatives passed a nonbinding resolution, House Resolution 835, that calls on the government to establish a national policy for technology to promote consumer access to financial tools and online commerce.
The resolution specifically expresses a legislative desire to:
- Develop a national policy to encourage the development of tools for consumers to learn to protect their assets in a way that maximizes the promise customized, connected devices hold to empower consumers, foster economic growth, and create new commerce and markets.
- Prioritize accelerating the development of alternative technologies that support transparency, security and authentication in a way that recognizes their benefits, allows for future innovation, and responsibly protects consumers’ personal information.
- Recognize that technology experts can play an important role in the development of consumer-facing technology applications for manufacturing, automobiles, telecommunications, tourism, healthcare, energy and general commerce.
- Support further innovation and economic growth, and ensure cybersecurity and the protection of consumer privacy.
The resolution’s focus on prioritizing acceleration of the “development of alternative technologies that support transparency, security and authentication” is indicative of significant national support for the further development of emerging fintech systems, such as blockchain technology, while underscoring the need for a national policy and legislative framework under which this technology can operate.
Similarly, late last year, Republican U.S. Rep. Patrick McHenry of North Carolina introduced H.R. 6118, which would establish a federal regulatory framework to allow fintech the flexibility to move innovative products and services to market without unnecessary regulatory delay.
The bill was introduced as part of the Innovation Initiative that McHenry jointly launched with fellow Republican and House Majority Leader Kevin McCarthy of California. In a statement on the Innovation Initiative’s website, McHenry and McCarthy said:
New technology is driving change all around us. Our goal is to advance policy solutions that will foster more private-sector innovation and job growth, by empowering entrepreneurs to pursue their dreams. We must also bring this innovation into government — too many well-intentioned programs are failing because of an out-of- date infrastructure. By modernizing how these institutions operate, we will create a more efficient, effective and accountable government for all citizens.
While the CFPB, Federal Trade Commission and Office of the Comptroller of the Currency have continued to focus their efforts on clarifying existing standards, this newly proposed legislation serves to create a clear and transparent mechanism for fintech companies to get regulatory approval to fast-track innovations.
H.R. 6118 asks 12 federal regulatory agencies to work together to foster innovation through creation of Financial Services Innovation Offices within each agency.
Under the proposed legislation, fintech companies can apply for an “enforceable compliance agreement” with the FSIOs. If accepted, these agreements would allow the introduction of a product or service under an alternative compliance plan that would waive or modify out-of-date or unduly burdensome regulation.
This proposed legislation could address one of the key challenges faced by tech-savvy lenders by allowing them to expeditiously bring innovative financial products to market while ensuring that their practices comply with the applicable regulatory framework.
Surely, there is a significant potential for wholesale reform of the regulatory oversight of the fintech industry in the coming year. To encourage fintech innovation, regulators will need to revamp the harsh regulatory regimes that currently govern fintech companies.
The goal is to strike a workable balance between protecting consumers and the financial system on the one hand and promoting innovation on the other.
Notwithstanding the potential for regulatory reform, fintech companies will be forced to implement significant compliance programs to avoid misleading or harming consumers or allowing the financial system to be utilized for illicit purposes.
Republished with permission. This article first appeared in Westlaw Journal Bank & Lender Liability on May 18, 2017.