[email protected]

Payments is a financial service that is changing rapidly and generating significant regulatory interest. New technologies enable financial institutions to transform how retail and commercial customers make and receive payments. These innovations present sizable growth opportunities, while delivering better experiences and lowering costs. However, new payment capabilities also introduce risks that must be managed. In this case it is helpful to look at what both the CFPB and Federal Reserve are doing and how they might be related.

The CFPB Sees Problems

In September, the CFPB issued a report highlighting several concerns around new payments innovations including:

• Rapid growth of tap-to-pay usage
• Dominant mobile operating systems impose different regulations on contactless payments
• Restrictive tap-to-pay practices may reduce consumer choice and hamper innovation

The CFPB’s goal is to accelerate the shift to open banking and payments to “help people get paid faster, access more attractive rates on deposits and loans, switch more easily, avoid intrusive surveillance, and minimize the consequences of inaccurate credit reporting.”

To do so, the CFPB is working on a new proposed rule titled Personal Financial Data Rights under its Section 1033 authority of the Dodd-Frank Act. If successful, the new Section 1033 rule would govern access to and sharing of consumers’ personal financial data, which would have a massive impact on the relationship between banks, fintechs, and consumers. The proposals under consideration would require that financial firms provide consumers access to their own financial data on deposit accounts, credit cards, and other transaction accounts. Consumers would then be able to provide permissions to this data safely and securely to other financial firms.

In addition to the above report, in June, the CFPB also expressed concern that “Billions of Dollars Stored on Popular Payment Apps May Lack Federal Insurance.” Specifically:

• More than three quarters of adults in the United States have used a payment app.
• Nonbanks can earn money when users store funds on their platforms
• Funds sitting in payment app accounts often lack deposit insurance
• User agreements often lack specific information.

These issues specifically focus on the evolution of payments in point-of-sale (POS) purchases and the role that mobile device operating systems play. The popularity of contactless payments on smartphones and wearables means consumers can securely make POS payments through different apps and services. However, this innovation means that tech companies are playing a prominent role in determining consumers’ payment options. Any restrictions imposed by the dominant operating systems—Apple’s iOS operating system and Google’s Android operating system—will have a major effect on access to payments systems and could hinder the development of a truly open ecosystem.

The Federal Reserve offers a Solution

The Federal Reserve launched FedNow on July 20, 2023. FedNow is a service that provides interbank clearing and settlement enabling funds to be transferred from the account of a sender to the account of a receiver in near real-time and at any time, any day of the year. This service provides many benefits for businesses to help them manage payments effectively and efficiently.

One of the benefits FedNow provides is liquidity management transfer capability to support instant payments. The liquidity management transfer enables participants in the FedNow Service to transfer funds to one another to support liquidity needs related to payment activity. The transfer also supports participants in a private-sector instant payment service backed by a joint account at a Reserve Bank by enabling transfers between the master accounts of participants and a joint account.

Another benefit of FedNow is that it is designed to maintain uninterrupted processing with security features to support payment integrity and data security. End-of-day balances are reported on Federal Reserve accounting records for each participating depository institution on each FedNow Service business day. Access to intraday credit is provided to participants during the business day under the same terms and conditions as for other Federal Reserve services.

What this means for Your Organization

Financial services organizations who offer payment services currently need to continue to watch CFPB developments over the next several months. They will also need to prepare to make necessary changes to their policies, procedures, and compliance training to make sure they are operating under proper CFPB guidelines. In the meantime, FedNow offers many businesses many benefits for their payments services including:

• Depository institutions and their service providers who are thinking of offering payment services can build on FedNow fundamental capability to offer value-added services to their customers.
• Allow your organization to compete with institutions already offering instant payment services.
• Allows organizations to provide interbank clearing and settlement that enables funds to be transferred from the account of a sender to the account of a receiver in near real-time and at any time, any day of the year.

Earlier this year, the Federal Deposit Insurance Corporation (FDIC) issued an enforcement action against Cross River Bank, noting it had engaged in unsafe and unsound banking practices related to its compliance with Fair Lending laws and regulations by failing to establish and maintain internal controls, information systems, and prudent credit underwriting practices.

One day prior to the public release of the consent order, the CEO of Cross River Bank mentioned how regulators are monitoring firms that serve fintechs amid the recent volatility in the banking sector. He also stated, “Regulatory scrutiny on banks in general is increasing and the events with [Silicon Valley Bank] will only expand those efforts with a specific focus on banks that support fintech.” In the consent order, regulators are reviewing credit products offered by both the bank and the third party fintech partners. Many people are viewing this as a sign the federal regulators are attempting to narrow the gap in how financial institutions and non-banks are regulated.

March has been a very active month in the financial services industry. In addition to new regulations becoming active, there have been several bank failures which is affecting how banks are looking at their policies and procedures.

BAI has put together an FAQ document helping explain what is going on and what banks can do to make sure they don’t run into the issues that caused the other banks to fail. Read BAI’s “FAQs – The Current Regulatory Environment and the Bank Term Funding Program – (March 2023*)” to learn more.

On April 3, 2023, the Consumer Protection Financial Bureau (CFPB) issued a policy statement to summarize how it defines and analyzes the elements of abusive acts and provides relevant examples.

There are two abusiveness prohibitions. An abusive act or practice: (1) Materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service; or (2) Takes unreasonable advantage of:

• A lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service;
• The inability of the consumer to protect the interests of the consumer in selecting or using a consumer financial product or service; or
• The reasonable reliance by the consumer on a covered person to act in the interests of the consumer.

Abusive Acts may include actions or omissions that obscure, withhold, de-emphasize, render confusing, or hide information relevant to the ability of a consumer to understand terms and conditions. It can take numerous forms, such as buried disclosures, physical or digital interference, overshadowing, using complex language, omitting material terms, and various other means of manipulating consumers’ understanding.

The second form of “abusiveness” under the CFPA prohibits entities from taking unreasonable advantage of certain circumstances. Congress determined that it is an abusive act or practice when an entity takes unreasonable advantage of three particular circumstances. The circumstances are:

• A “lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service.” This circumstance concerns gaps in understanding affecting consumer decision-making.
• The “inability of the consumer to protect the interests of the consumer in selecting or using a consumer financial product or service.” This circumstance concerns unequal bargaining power where, for example, consumers lack the practical ability to switch providers, seek more favorable terms, or make other decisions to protect their interests.
• The “reasonable reliance by the consumer on a covered person to act in the interests of the consumer.” This circumstance concerns consumer reliance on an entity, including when consumers reasonably rely on an entity to make a decision for them or advise them on how to make a decision.

The statutory text of the prohibition does not require that the consumer’s lack of understanding was reasonable to demonstrate abusive conduct. Similarly, the prohibition does not require proof that some threshold number of people lacked understanding to establish that an act or practice was abusive.

The Consumer Financial Protection Bureau (the Bureau) is currently writing regulations to implement section 1033 of the Dodd-Frank Act (DFA). The proposed rules would require a covered entity to make available transaction data and other information concerning a consumer financial product or service obtained from a covered entity to a consumer or to a third party (agent, trustee, or representative acting on behalf of a consumer), at the consumer’s request. It also requires the Bureau to develop standards for the development and use of standardized formats for information made available to consumers. It enables consumers to allow consumers to transfer data to a new company, to a new service provider without having to start over. The Bureau stated the proposal will impact “depository and non-depository financial institutions that provide consumer funds-holding accounts or that otherwise meet the Regulation E definition of financial institution, as well as depository and non-depository institutions that provide credit cards or otherwise meet the Regulation Z definition of card issuer.” There are six categories of information that must be made available to consumers:

• Periodic statement information for transactions which have settled;
• Information regarding prior transactions that have not yet settled;
• Information about prior transactions not typically shown on periodic statements or online banking portals;
• Online banking transactions that the consumer set up but has not processed;
• Account identity information; and
• Other information, including consumer reports, fees, bonuses, rewards, discounts, and information about security breaches that exposed a consumer’s identity or financial information.

Third parties who collect, use, or retain consumer information would be obligated to:

• Authorization disclosures including key terms of access, and categories of information accessed, and how to revoke it;
• Protocols for the solicitation and obtain consumers’ consent to the terms of access
• A statement of adherence to obligations regarding collection, use, and retention of the consumer’s information
• Limiting collection, use, and retention of consumer-authorized information to what is reasonably necessary to provide a product or service
• Providing consumers with a simple means to revoke authorization
• Implementing data security standards to prevent exposing consumers to data security harms

The CFPB is considering an exemption based on a threshold based on asset size or activity level.

In less than three months, Silicon Valley Bank (SVB), Signature Bank, and First Republic Bank collapsed due to liquidity and interest rate risk issues. The total assets of these three institutions were $548.5 billion, surpassing the total assets of all bank failures in 2008 by almost $200 billion. Aggressive increases in the federal funds rate led to decreased values in long term bond and mortgage-backed securities and lowered the institutions’ ability to meet customer demand for cash during large simultaneous bank runs. Other institutions with large amounts of uninsured deposit balances could have similar risks.

The Federal Reserve and Federal Deposit Insurance Corporation (FDIC) released reports stating the collapses resulting from bank mismanagement of interest rate risk, and regulators acting to slow to follow up on previously noted concerns with the organization’s risk management actions. The failure of the three banks is estimated to have cost the FDIC $36 billion from its deposit insurance fund.

On May 11, 2023, The FDIC Board voted 3-2 to propose a 0.125% special assessment to banks with uninsured deposits over $5 billion to replenish the deposit insurance fund. The special assessment would apply beginning the first quarter of 2024 and would continue for a total of eight quarters. Earlier in the month, the FDIC proposed a potential reform to the deposit insurance system, offering three options to the FDIC deposit insurance limit. The options include (1) limited coverage, or maintaining status quo, with the option to change in the future, (2) unlimited coverage, offering full coverage for all depositors and all types of deposit accounts, or (3) a targeted approach, which means it would offer different deposit insurance coverage across account types. The FDIC Insurance Reform report was quoted as saying, “Business payment accounts are not currently defined in the structure of the deposit insurance system but must be identifiable for the viability of Targeted Coverage”.

Finally, interest rate risk oversight and stress testing requirements are currently in place for institutions $250 billion or larger. The Dodd-Frank Act (DFA) originally set the threshold at $50 billion and above to comply with the requirements. The threshold was raised during deregulations efforts in 2018 to only include institutions deemed to be “systemically important”. Analysis reports provided by the Federal Reserve and FDIC have suggested the failed banks could have been considered systemically important to the banking system. Regulatory changes in this area would be expected to take longer to become law.

On March 30, 2023, the Consumer Financial Protection Bureau (CFPB) issued a final rule amending Regulation B to implement Section 1071 of the Dodd-Frank Act, also known as the Small Business Data Collection Act. It applies to Banks, Credit Unions and Fin-Techs that originated at least 100 covered originations in each of the two preceding calendar years.

Data must be collected and reported on by small businesses, which are defined as a business which had $5 million or less in gross annual revenue for its preceding fiscal year. Covered credit transactions need to be reported on which includes transactions made to a small business, specifically loans, lines of credit, credit cards, merchant cash advances, and credit products used for agricultural purposes. Credit transactions that are excluded from reporting requirements are trade credit, public utilities credit, securities credit, incidental credit, transaction that are reportable under HMDA, insurance premium financing, factoring, leases, consumer designated credit that is used for business or agricultural purposes, letters of credit, and purchases of originated covered credit transactions.

A covered application which triggers data collection, reporting, and related requirements when submitted by a small business is defined as an oral or written request for a covered credit transaction that is made in accordance with procedures used by a financial institution for the type of credit requested. Application types which are excluded are reevaluation, extension, or renewal requests on existing business credit accounts, unless the request seeks additional credit amounts; inquiries and prequalification requests; solicitations, firm offers of credit, and other evaluations that the financial institution initiates, unless the financial institution invites the business to apply. Effective Dates are rolled out in the following phases:

• October 1, 2024, if it originated at least 2,500 covered originations in both 2022 and 2023
• April 1, 2025, if it originated at least 500 covered originations in both 2022 and 2023
• January 1, 2026, if it originated at least 100 covered originations in both 2024 and 2025

Specific data point requirements can be found within the CFPB data points chart.

For more information on Section 1071, click here to watch BAI’s webinar: HMDA for business, Section 1071: Small business lending data collection rule and its implications.