CFPB Issues Innovation Policies
The Consumer Financial Protection Bureau (CFPB) was established by the Dodd-Frank Act (Dodd-Frank) for the primary purpose of implementing and enforcing federal consumer financial law. However, the Dodd-Frank Act also authorises the CFPB to use its powers to accomplish other objectives. One of those objectives is to ensure that markets for consumer financial products and services operate transparently to facilitate access and innovation. Recently, the CFPB reminded the industry of its commitment to innovation when it updated two previously issued policy statements, and established a third, to reduce regulatory uncertainty associated with innovative products and services. The specific changes, which were announced on September 10, 2019, include modifications to the CFPB’s No-Action Letter (NAL) Policy and Trial Disclosure Programme (TDP) Policy, and issuance of the new Compliance Assistance Sandbox (CAS) Policy. A summary of these policies and relevant revisions is provided below.
- No-Action Letter (NAL) Policy: The CFPB issued its initial NAL policy (2016 NAL Policy) on February 18, 2016 to promote financial innovation in cases where new products or services promising substantial consumer benefit also carried significant regulatory uncertainty. Under the policy, successful applicants for NALs would be advised that the Bureau staff had no present intention to recommend initiation of an enforcement or supervisory action against the requester regarding the specific products and requirements addressed in the NAL. During the three-year period in which the 2016 NAL Policy was in effect, the staff issued only one NAL. The underutilisation of NALs prompted a re-evaluation of the initial policy and the issuance of a new NAL policy (2019 NAL Policy), which streamlines the application and review process and amends substantive provisions to encourage use of the NAL Policy. The substantive amendments include making the NALs binding on the Bureau, not simply on Bureau staff, and expressly providing that the NAL recipient may reasonably rely on its protections. The Bureau also released its first NAL under the 2019 NAL Policy to the Department of Housing and Urban Development (HUD) on behalf of more than 1,600 housing counseling agencies (HCAs) that participate in HUD’s housing counseling programme. The NAL states the CFPB will not take supervisory or enforcement action under RESPA against HUD-certified HCAs that have entered into certain fee-for-service arrangements with lenders for pre-purchase housing counseling services. Although counseling services are not necessarily considered innovative, issuance of the first NAL reflects the CFPB’s willingness to grant applications under the new policy.
- Compliance Assistance Sandbox (CAS) Policy: The newly issued CAS Policy provides a mechanism for companies to test a financial product or service in an environment of regulatory uncertainty. The CAS Policy provides greater protection to financial institutions as the approval states that, subject to compliance with specified terms and conditions, the described product or service complies with the identified federal consumer financial law. By contrast, the NAL only provides that the Bureau will not bring an enforcement action related to the approved product or service. Although the CAS Policy provides greater protection, it is only available to limit liability under the Truth in Lending Act, the Electronic Fund Transfer Act, and the Equal Credit Opportunity Act as only these enumerated consumer laws contain statutory safe harbour provisions.
- Trial Disclosure Programme (TDP) Policy: The CFPB’s TDP Policy encourages innovation in the design and delivery of regulatory disclosures under CFPB jurisdiction. The Bureau issued the original version of the policy in September 2013 (2013 TDP Policy). Under the 2013 TDP Policy, if the Bureau approved a specific trial, it would deem the company’s disclosure to comply with, or be exempt from, applicable federal disclosure requirements. Although the 2013 TDP Policy was in effect for approximately six years, the Bureau did not approve any trial disclosure programmes under this policy. To encourage use of the Trial Disclosure Programme, the CFPB issued an amended TDP Policy (2019 TDP Policy), which streamlines the application and review process, sets a 60-day timeline to provide a decision on applications, and establishes an expected two-year time frame for the testing of disclosures.
Financial services companies that are developing innovative products and services should explore the pros and cons associated with the aforementioned policies and consider partnering with regulatory agencies as part of their overall development strategy for new products and services. Legal counsel should partake in these discussions to ensure each policy’s benefits and risks, as well as how they apply to the institution’s specific circumstances, are well understood. While the recent modifications to the CFPB’s innovation policies were viewed favourably by financial institution commenters, it remains to be seen whether they will be sufficient to encourage broader acceptance by the industry.
Pending BSA/AML Legislation May Provide Relief and Improve Transparency
Two important pieces of proposed legislation making their way through Congress attempt to address on-going concerns with the U.S. anti-money laundering (AML) landscape. The Secure and Fair Enforcement Banking Act of 2019 (SAFE Banking Act) focuses on the legal cannabis industry and attempts to resolve financial institutions’ concerns over providing banking services to businesses whose product is illegal at the federal level. The SAFE Banking Act was passed by the House of Representatives earlier this year and currently awaits action by the Senate Committee on Banking, Housing, and Urban Affairs. Meanwhile, the aptly titled Improving Laundering Laws and Increasing Comprehensive Information Tracking of Criminal Activity in Shell Holdings Act (ILLICIT CASH Act), recently introduced in the Senate, focuses on improving U.S. corporate transparency by targeting business structures commonly used to disguise beneficial ownership. Both pieces of pending legislation are discussed below.
SAFE Banking Act
In recent years, the legalisation of cannabis in some states has presented legal dilemmas for financial institutions. With cannabis still criminalised at the federal level and Obama-era leniency a thing of the past, federally insured banks have been prevented from providing services to legitimate cannabis-related businesses. Lacking bank access, the businesses rely heavily on cash for operations, which, in turn, creates higher business expenses and public safety issues.
The SAFE Banking Act of 2019 seeks to provide legal clarity and safe harbour to financial institutions and other entities so they can serve legitimate cannabis-related businesses in states where such activity is legal. As currently written, the bill provides various protections to depository institutions and associated service providers, including protections from regulatory enforcement and limitations on liability. The protections from regulatory enforcement generally prohibit federal regulators from taking certain actions against depository institutions solely because they provide financial services to a legitimate cannabis-related business or service provider. Actions federal regulators are prohibited from taking on this basis include:
- Terminating or limiting an institution’s federal deposit insurance.
- Prohibiting, penalising, or otherwise discouraging a depository institution from providing financial services to or for a cannabis-related business or service provider.
- Recommending or encouraging a depository institution not to offer or to downgrade the services offered to a legitimate cannabis-related business or service provider.
- Taking adverse corrective or supervisory action on loans made to legitimate cannabis-related businesses or service providers.
The SAFE Banking Act also states that a depository institution or associated service provider, including their officers, directors, and employees, may not be held liable pursuant to any federal law or regulation, solely for providing financial services to a cannabis-related business or servicer provider within a state in which cannabis activity has been legalised. The above protections also extend to the investment of any income derived from providing such a financial service. Insurers are afforded similar protections under the bill.
In addition to the protections offered to depository institutions and insurers, the bill also provides protections to other entities that do business with cannabis-related businesses or service providers by declaring that the proceeds from a transaction involving activities of a cannabis-related business or service provider shall not be considered proceeds from an unlawful activity solely because of their source. While this protection is targeted to ancillary businesses, it will also benefit financial institutions due to existing BSA requirements on reporting suspicious activity that may be associated with criminal activity.
ILLICIT Cash Act
While the SAFE Banking Act provides a measure of BSA/AML relief to financial institutions, the ILLICIT Cash Act serves to generally strengthen BSA/AML enforcement within the United States, with a primary focus on corporate transparency. The most significant provision of the ILLICIT CASH Act would establish beneficial ownership reporting requirements which target legal entities commonly known as “shell” companies.
Shell companies present challenges to AML efforts due to the layer of secrecy they afford their beneficial owners. The proposed legislation attempts to address this concern by requiring that certain companies file beneficial ownership information with FinCEN at the time of formation. The requirement will also apply to existing companies which will have two years from the bill’s enactment to comply. Changes to a company’s beneficial ownership information require that an update be filed within 90 days. Under the bill, financial institution’s may, as part of its customer due diligence programme, obtain this beneficial ownership information from FinCEN with consent of the customer involved. Similar legislation, the Corporate Transparency Act, passed the House of Representatives on October 22, 2019, and is headed to the Senate for consideration.
The bill, in its entirety, includes various other provisions targeted at improving the U.S. BSA/AML regulatory regime, including the following:
- Establishment of an effective feedback loop and reporting requirements allowing the flow of communication among law enforcement, regulators, and financial institutions so that financial institutions may better understand the actions taken by law enforcement as a result of SAR filings.
- More options for data sharing among financial institutions, peers, and affiliates in certain circumstances so that patterns of suspicious activity can be more easily tracked and identified.
- Mandates in support of the use of innovation to identify and control financial crime including a new regulatory track that allows for testing of innovative approaches to anti-money laundering programmes and “bulk reporting” of low-level risks to regulators and law enforcement.
- Establishment of a “tech symposium” hosted by FinCEN which gathers U.S. and international stakeholders to demonstrate and experiment with the latest technologies.
- Mandates for government studies on various topics relevant to BSA/AML enforcement.
The proposed legislation described above provides a much-needed combination of relief and enforcement and shows that Congress is aware of some of the practical concerns faced by financial institutions and law enforcement. While there is bipartisan support for both bills, it is difficult to assess the likelihood of enactment. However, financial institutions should continue to monitor developments in Washington to ensure their long-term outlook on BSA/AML compliance is well informed.
California Consumer Privacy Act Amendments: The end or just the beginning?
In September 2019, after a significant amount of effort, the California legislature agreed to several amendments to the California Consumer Privacy Act (CCPA) of 2018. The amendments are generally business friendly and provide relief and short-term exemptions from certain CCPA obligations. The CCPA, also known as California Assembly Bill 375, was introduced in early 2018 and passed into law in mid-2018. It is scheduled to take effect on January 1, 2020, with enforcement starting on July 1, 2020.
Throughout 2019, several Assembly Bill (AB) amendments were proposed in the California legislature that attempted to amend provisions of the CCPA, many of which were recently approved by California Governor Newsom. Most of the amendments are considered favourable to entities doing business in California as they provide temporary relief for certain complex CCPA obligations. For example, one amendment reduces the ambiguity of the definition of “personal information" within the existing version of the CCPA. Another amendment requires that consumers who request access to or deletion of their personal data held by the company use their account with that company to verify their identity. This amendment will simplify the verification process and reduce the often-difficult validation process associated with access and deletion requests. In addition, certain personal data exchanged between companies to fulfill customer requests will also be exempt from the CCPA until January 1, 2021. One of the more popular amendments is that, for a period of time, “a job applicant to, employee of, owner of, director of, officer of, medical staff member of, or contractor of the business” is exempt from the CCPA as long as their personal information is not processed for ancillary purposes, such as marketing to that individual. Of course, the company is required to follow other established data privacy obligations and regulations, such as the federal Gramm-Leach-Bliley Act, as the CCPA amendments do not preempt federal law.
While a number of CCPA amendments provide businesses with a measure of relief, others impose additional obligations on businesses. Those amendments, although only recently passed, will take effect on January 1, 2020, along with the original CCPA requirement. For example, Assembly Bill 1202, if signed by the governor, will require certain businesses to register as data brokers by January 1, 2020, providing a much-compressed timeframe for companies to comply.
As organisations prepare for the CCPA and other possible changes in state privacy laws, there are a few things they should consider when developing their approach to comprehensive data privacy compliance. First, each state’s approach to data privacy will differ to some degree, and a geographically diverse organisation must be able to manage the differences in an effective manner. Second, as with the CCPA, new state privacy laws and their corresponding regulations are likely to evolve until their enforcement date, requiring organisations to be agile in their implementation strategies. Third, the maturation of data privacy law is a global occurrence and companies with international reach must have policies and procedures to ensure they are aware of and prepared for privacy law changes wherever they may occur.