Bryan Cave Leighton Paisner Banking Blog

Main Content

Open Banking: What are Open APIs?

April 11, 2019

Authored by:

Categories

Open Banking: What are Open APIs?

April 11, 2019

Authored by: John Bush and Barry Hester

This post is the second in a series discussing Open Banking, its implementations, and its implications.  Part 1 is here.

APIs or “Application Programming Interfaces” are everywhere in ecommerce, and they provide the building blocks in the primordial soup of innovations that may stem from open banking. 

Among other roles, APIs provide a protocol allowing one computer system to talk with another.  For example, The Weather Channel (“TWC”) has invested heavily in providing detailed meteorological information and forecasts by region.  TWC could conceivably require people to visit its website as the exclusive way to access this information.  Instead, however, TWC permits some of its information to be accessed automatically across apps, websites, and services and in ways third-party developers can predictably map (e.g., certain tagged data reflects values like “75°F” or “Partly Cloudy”).  TWC has determined such use advances the TWC business plan.  Conversely, the developers of apps, websites, and services have determined using the TWC API is superior to reinventing what TWC has accomplished—or not offering weather information at all. 

Without an API, a third party could create a bot to visit the TWC website and automatically “scrape” the information, but such an approach poses risks.  First, even a slight change to the TWC website could cause the bot to misunderstand which data it is supposed to scrape.  Second, such an approach raises contractual and copyright risks.  See, e.g., Ticketmaster L.L.C. v. RMG Technologies, Inc., 507 F. Supp.2d 1096 (C.D. Cal. 2007) (granting injunctive relief on grounds that defendant infringed copyright and terms of use through automated screen-scraping of Ticketmaster’s site in order to facilitate its own large-volume ticket brokerage).  Third, this conversion step fails to capture the richer, more reliable, and more on-point data TWC is willing to make available via its API. 

Read More

What is Open Banking, and What are its Implications?

April 4, 2019

Authored by:

Categories

This post is the first in a series discussing open banking, its implementations, and its implications. 

“Open banking” is a phrase that has been coined to capture a current theme in financial sector innovation – one that some say is going to revolutionize banking.  For years, banks have given their customers increasing access to account information.  Now, with open banking, the access is opening to the point where customers can potentially obtain financial services in entirely novel ways, and the customer’s expectations of their bank may shift. 

Image by mohamed Hassan from Pixabay

The push to open consumers’ financial data goes back decades.  In the 1990s and 2000s, financial institutions began giving customers online access to their accounts—and instantaneous access to information previously reserved for monthly statements. Card-based transactions gradually shifted away from signed papers with carbon copy receipts to electronic devices.  With rapid access to financial information, debit cards that could immediately draw on bank accounts became more feasible.  Meanwhile, third-party vendors, such as Intuit, Microsoft, and Checkfree, were among the providers who encouraged institutions to go even further by making financial data available in a format that could be imported into their software; their work led to the promulgation of the Open Financial Exchange (“OFX”) data stream format, among others. 

In the past 10 years, the priorities in data exchange have incorporated the agenda of government proponents.  Notably, in 2016, a U.K. regulatory authority required the country’s nine largest banks to allow certain registered third-party developers to access certain customer data.  In 2018, the European Economic Area began implementing the Second Payment Services Directive (“PSD2”), including its goal to provide financial data through a central register.  In the United States, the Consumer Financial Protection Bureau has expressed its view that consumers should have timely, secure, and transparent access to their financial account information and to data sharing opportunities.  During this same time, digitization has accelerated to unprecedented levels in all facets of life and commerce, and data privacy risk awareness and regulation has emerged. 

Read More

FinCEN Grants Permanent Relief for Autorenewals

September 13, 2018

Authored by:

Categories

Exercising “exceptive” relief authority, FinCEN has extended permanent relief from the beneficial ownership requirements of its new Customer Due Diligence (CDD) rule to existing autorenewing CDs and safe deposit boxes, as well as existing autorenewing commercial lines of credit and credit cards that do not require underwriting review and approval.  FinCEN reasoned that these products pose such a low risk for money laundering and terrorist financing activity that the benefits of requiring the collection of this information does not outweigh the impacts of compliance on financial institutions and their customers.  Specifically, institutions need not treat rollovers or renewals of such products as “new accounts” requiring the collection of the beneficial ownership elements of the CDD rule, whether or not the initial accounts were established prior to the rule’s May 11, 2018 effective date.

FinCEN previously issued temporary relief to autorenewing CDs and loan products established prior to May 11, 2018, and in a second release extended this relief through September 9, 2018.  The new release both extends this treatment indefinitely and expands it to include certain safe deposit box rentals, such that the exception applies now to any of the following occurring on or after May 11, 2018:

  • A rollover of a CD, defined as a deposit account that has a specified maturity date, prior to which funds cannot be withdrawn without the imposition of a penalty, and which does not permit the customer to add funds;
  • A renewal, modification, or extension of a loan (e.g., setting a later payoff date) that does not require underwriting review and approval;
  • A renewal, modification, or extension of a commercial line of credit or credit card account (e.g., setting a later payoff date) that does not require underwriting review and approval; and
  • A renewal of a safe deposit box rental (e.g., upon the automatic deduction of the rental fee as agreed-upon between a bank and its customer).

FinCEN is careful in this September 7, 2018, release to explain that it does not relieve institutions of the obligation to collect and verify the identity of beneficial owners of legal entity customers where the initial account opening of such accounts occurs on or after May 11, 2018.  It does mean, however, that institutions need not collect beneficial ownership information for certain older accounts of the types described above (those opened prior to May 11, 2018) solely because they are rolled over or renewed.

Read More

OCC Provides a Path for FinTech Charters

August 24, 2018

Categories

On July 31, 2018, the OCC announced that it had finalized parameters for its new limited-purpose financial technology national bank charter and is ready to begin taking applications.  This release follows several years of formal deliberation on the topic and coincided with the release of a 222-page U.S. Treasury report on innovation.  Industry reactions have been wide-ranging – will this level the playing field or usher in a FinTech “apocalypse“?

Highlights of the OCC notice include:

  • Designation of the charter type as a national bank.  Like its other special-purpose charters, including the non-depository trust company or the credit card bank, the FinTech charter will be a “national association” in the National Bank Act sense of the term.  As the saying goes, membership will have its privileges (and burdens):  capital requirements, examinations, and federal preemption of certain state laws.
  • Eligibility for qualified applicants that plan to conduct activities “within the business of banking.”  Pursuant to existing OCC regulations, a limited-purpose national bank not engaging in fiduciary activities “must conduct at least one of the following three core banking functions:  receiving deposits; paying checks; or lending money.”  In its FinTech charter announcement, the OCC notes that it “views the National Bank Act as sufficiently adaptable to permit national banks to engage in traditional activities like paying checks and lending money in new ways.  For example, facilitating payments electronically may be considered the modern equivalent of paying checks.”
  • A requirement for a commitment to “financial inclusion.”  We will see how this element is administered.  In theory it provides a non-depository parallel to the Community Reinvestment Act (“CRA”).
  • Publication and comment period.  Just as for other types of national banks, applications will feature newspaper publication requirements and will be generally subject to public review and comment.

The OCC stated that its decision to open the door for this new form of national bank “is consistent with bi-partisan government efforts at federal and state levels to promote economic opportunity and support innovation that can improve financial services to consumers, businesses, and communities.”  Comptroller Otting added:

Providing a path for fintech companies to become national banks can make the federal banking system stronger by promoting economic growth and opportunity, modernization and innovation, and competition.  It also provides consumers greater choice, can promote financial inclusion, and creates a more level playing field for financial services competition.

Treasury’s report is consistent with these themes, noting, “A forward-looking approach to federal charters could be effective in reducing regulatory fragmentation and growing markets by supporting beneficial business models” and that the OCC should proceed with “thoughtful consideration” of FinTech charter applications.  Treasury also calls out specifically the need for updating regulations that relate to data aggregation, for addressing those which have become “outdated” in light of technological advances (e.g., in the mortgage lending and servicing space, according to Treasury), and for a regulatory approach that enables “responsible experimentation” in the financial sector.

Read More

FinCEN Extends Temporary Beneficial Ownership Rule Relief for Older Autorenewing Products

August 9, 2018

Authored by:

Categories

The temporary exception that FinCEN extended to autorenewing CDs and loans established prior to the May 11, 2018 compliance effective date of its beneficial ownership requirements was scheduled to expire on August 9, 2018.  On August 8, FinCEN published a short release in which it announced the extension of this relief through September 8, 2018.  FinCEN noted that it was providing this extension in order to further consider the issues raised by the application of these aspects of its Customer Due Diligence (CDD) rules to such products.

As a reminder, this exception only applies to CDs and loans that (i) automatically rollover or renew and (ii) were established prior to May 11, 2018.  Such accounts or loans established subsequent to this date (and older accounts that are renewed on new or modified terms) are fully subject to the CDD rules, and all accounts are subject to its general due diligence and monitoring requirements.  In particular, institutions should continue to collect or update beneficial ownership information as other “risk events” warrant for particular customers–including those whose autorenewing CDs or loans or other accounts were established prior to May 11, 2018.  FinCEN has given as an example of such risk or “trigger” events an unexplained spike in cross-border wire transfers.  Moreover, as we noted previously, OFAC’s strict liability framework continues to apply to any U.S. person that does business with a sanctioned party, so institutions that do not collect beneficial ownership information may be exposed to this type of risk.

Read More

FinCEN’s Temporary Relief for Autorenewable CDs and Loans

May 30, 2018

Authored by:

Categories

In a unique administrative ruling under delegated “exceptive” authority, on May 16, 2018 FinCEN issued relief from its new beneficial ownership requirements through at least August 9, 2018, for “certain financial products and services that automatically rollover or renew (i.e., certificate of deposit (CD) or loan accounts) and were established before the Beneficial Ownership Rule’s Applicability Date, May 11, 2018.”

FinCEN acknowledged in its notice that “some covered institutions have not treated such rollovers or renewals as new accounts and have established automatic processes to continue the banking relationship with the customer.”

The exception is effective retroactively from May 11, 2018 and expires on August 9, 2018.  FinCEN added that it was considering whether additional relief may be appropriate for such products and services established prior to May 11, 2018 and expected to rollover or renew thereafter.

We will explore how we got here, but first, some practical considerations:

  • Institutions that have already set into motion new systems, procedures, and communications to collect this info on renewable loans and CDs established prior to May 11 will need to decide whether to discontinue these measures, or alternatively to conclude there is now greater flexibility for handling customers that do not adhere to them – e.g., by failing to submit a completed ownership certification form.  The prevailing view among our clients seems to be the latter.
  • Institutions that were still rushing to implement such measures will need to decide whether to put these plans on hold or to continue to develop them as to loans and CDs established prior to May 11, 2018.  The preference within the industry in this regard appears to be a function of how far along these plans are into production, and the extent to which they constitute separate solutions specific to these existing account types.
  • Any discussions with examiners and auditors about any changes to implementation plans in light of this release should be direct and documented.  We would encourage institutions to think broadly and generously about the purpose of these rules and the BSA generally, and what risks to the bank (such as sanctions exposure or fraud) might be mitigated by the spirit if not the letter of FinCEN’s new rules.  OFAC’s strict liability framework for doing business with sanctioned parties is unaffected by the relief afforded by FinCEN’s May 16 notice.
  • Institutions should consider ways to continue socializing their views to FinCEN, through trade associations or otherwise, as this interim relief appears directly responsive to industry feedback such as that provided in an April 27 hearing held by the House Financial Services Committee (e.g., “. . . there is no reason to believe that an auto-renewal is evidence that a change in beneficial ownership might have occurred. The FAQ 12 guidance is further complicated by the fact that these products include contractual provisions requiring the financial institution to auto renew them without interruption.”)

Let’s revisit how this unfolded as a regulatory matter.

The supplemental FAQs issued by FinCEN on April 3, 2018 provided certain interpretations of its own final rules, originally published on May 11, 2016, including that it believed a bank established a “new account” each time an autorenewing loan or CD renewed (see FAQ 12).  FinCEN opined at that time on ways a bank could comply with the Beneficial Ownership certification requirements implicated by the opening of a “new account” for a legal entity customer in such cases, namely by (1) providing the required information and certification on FinCEN’s new form or its equivalent once and (2) agreeing at that time to notify the bank of any change in such information going forward.  FinCEN’s view then was that a customer’s agreement to notify a bank of any changes in its beneficial ownership information can be considered a “certification” of this information for purposes of subsequent rollovers of renewable products.

Read More

Regulators Update BSA/AML Exam Manual Sections

May 15, 2018

Authored by:

Categories

Just in time for the effective date of FinCEN’s Customer Due Diligence (CDD) and Beneficial Ownership Rules, on May 11, 2018 the Federal Financial Institutions Examination Council (FFIEC) published updates to its Bank Secrecy Act/Anti-Money Laundering Examination ManualThe FFIEC is an interagency body comprised of representatives of the U.S. Federal Reserve Board, the FDIC, OCC, CFPB, NCUA, and state banking regulators.  The agencies’ changes (1) replace existing CDD sections of the manual and (2) add new Beneficial Ownership overview and exam procedures sections, in each case corresponding to the new CDD and Beneficial Ownership requirements.

The publication of this new content was announced through separate press releases by the FDIC, OCC, and NCUA.  The OCC’s release (OCC Bulletin 2018-12) makes the technical point that the new CDD content replaces pages 56-59 of the FFIEC manual, last updated in 2014, and the FDIC’s release (FIL-26-2018) adds that the new sections will be incorporated into the manual in its next update.  The FFIEC’s examination manual is used by the bank regulators in conducting supervisory BSA/AML exams and features step-by-step review procedures to be used by examiners, consistent with the FFIEC’s statutory purpose of establishing uniform forms and regulatory examination processes.

One doesn’t generally expect new substantive guidance or interpretation to emerge from the FFIEC examination procedures, but a review of this new content emphasizes the following:

(1) BSA/AML exams including scope periods on or after May 11, 2018 will feature scrutiny of new accounts opened on or after that date.  At this point, the CDD and Beneficial Ownership rules are live and in full effect, and institutions will be expected to adhere to them.  For example, the revised examiner’s guide specifies:  “3. On the basis of a risk assessment, prior examination reports, and a review of the bank’s audit findings, select a sample of new accounts opened for legal entity customers since May 11, 2018 to review for compliance with the Beneficial Ownership Rule.”  The transition and implementation period for this rule is officially over.

Read More

GDPR Considerations for Community Banks

May 9, 2018

Categories

The May 25, 2018, compliance effective date of the EU’s General Data Protection Regulation (GDPR) is just weeks away, and many U.S.-based companies have at least by now taken stock of their EU customer base and operations, and developed a baseline set of compliance plans.  For many, that might only entail a data inventory and controls that would ensure that changes to the company’s business plan, advertising strategies, and physical footprint would be assessed for GDPR compliance in advance, just as with any other area of compliance.  However, for companies whose business relies upon the gathering and use of consumer data, the GDPR implementation process has been onerous.

In particular, as recent American Banker coverage has described, this compliance effort is hitting financial institutions of all sizes hard.  While the exact nature and magnitude of enforcement exposure is still unclear, U.S. banks should take a broad view of their overseas business – including where U.S. customers temporarily work or travel – in order to stay ahead of GDPR compliance issues.

For U.S.-based small businesses, including community banks, the conventional wisdom has focused on whether the institution solicits or services EU customers.  Unfortunately this approach may cause banks or other businesses to underestimate their potential exposure.

For purposes of the GDPR, compliance obligations for companies without a physical presence in the EU are generally only implicated if the company (1) offers goods and services in the EU or (2) monitors the behavior of EU customers (referred to affectionately as “data subjects” in the regulation).

Of particular concern for community banks is whether tourists, foreign work assignments, or overseas service members could cause the bank to become subject to GDPR obligations.

Read More

FinCEN Provides Relief to CDD Obligations for Existing Customers

April 5, 2018

Authored by:

Categories

The Financial Crimes Enforcement Network (FinCEN) published long-awaited additional Frequently Asked Questions on April 3, 2018 (the “Guidance”) relating to its Customer Due Diligence (CDD) Rule, which FinCEN promulgated pursuant to the Bank Secrecy Act (the “CDD Rule”).  This comes at a time when most covered institutions are in the final stages of implementing plans to comply with the CDD Rule by its May 11, 2018 compliance applicability date.  FinCEN previously published technical amendments to the Rule on September 29, 2017 and an initial set of FAQs on July 19, 2016.  While such Guidance does not have the weight of authority of statute or regulation, it has traditionally helped to form the basis for examination and enforcement expectations.  Here we will focus on themes in the new Guidance relating to application of the rule to existing customers.

As a reminder, the CDD Rule was originally published on May 11, 2016 after years of public hearings and comment periods.  The rule sets forth CDD as a “fifth pillar” of a BSA/AML compliance program in addition to those established by the Bank Secrecy Act itself:  system of internal controls, the appointment of a responsible officer, training, and independent testing.  CDD entails upfront due diligence and ongoing monitoring, and this rule establishes the collection of Beneficial Ownership information as a required element of CDD for legal entity customers.  In releasing the CDD Rule, FinCEN emphasized that CDD is not technically a new requirement but has always been an expected part of a BSA/AML program that results in effective suspicious activity monitoring and risk mitigation.

Read More

CFPB Issues Balloon Mortgage and Other Small Creditor Ability-to-Repay Relief

On May 29, 2013, the Consumer Financial Protection Bureau (CFPB) issued a final rule amending the Ability-to-Repay (ATR) and Qualified Mortgage (QM) rules it issued on January 10, 2013.  Within this final rule are two new categories of small creditor QMs.  The first, for small creditor portfolio loans, was adopted exactly as proposed alongside the January ATR rule and permits small creditors in all markets to make portfolio loans that are QMs even though the borrower’s DTI ratio exceeds the general QM 43% cap.  As a reminder, small creditors for these purposes are those with less than $2 billion in assets at the end of the preceding calendar year that, together with their affiliates, made 500 or fewer covered first-lien mortgages during that year.

The second new QM is a welcome even if only temporary category of balloon mortgages.  Unlike the small creditor portfolio QM, this interim QM was not an express part of the so-called “concurrent proposal” issued in January.  This is simply but significantly a QM that meets all of the existing rural balloon-payment QM requirements except the controversial limitation that the creditor operate primarily in “rural” or “underserved” areas. 

As written, the new balloon QM category expires two years after the ATR rules take effect on January 10, 2014.  The CFPB characterizes this two-year window as a “transition period” useful for two purposes:  (1) it will give the CFPB time to consider whether its definitions of “rural” and “underserved” are in fact too narrow for the needs of the rural balloon-payment QM rule and (2) it will give creditors time to “facilitate small creditors’ conversion to adjustable-rate mortgage products or other alternatives to balloon-payment loans.”  The CFPB took pains to argue that Congress “made a clear policy choice” not to extend QM status to balloon mortgages outside of rural and underserved areas, and the agency reiterated its belief that adjustable-rate mortgages pose less risk to consumers than balloons:  “The Bureau believes that balloon-payment mortgages are particularly risky for consumers because the consumer must rely on the creditors’ nonbinding assurances that the loan will be refinanced before the balloon payment becomes due.  Even a creditor with the best of intentions may find itself unable to refinance a loan when a balloon payment becomes due.”  For these reasons, creditors may expect future CFPB scrutiny intended to bury, not save, balloon mortgages.   

Read More
The attorneys of Bryan Cave Leighton Paisner make this site available to you only for the educational purposes of imparting general information and a general understanding of the law. This site does not offer specific legal advice. Your use of this site does not create an attorney-client relationship between you and Bryan Cave LLP or any of its attorneys. Do not use this site as a substitute for specific legal advice from a licensed attorney. Much of the information on this site is based upon preliminary discussions in the absence of definitive advice or policy statements and therefore may change as soon as more definitive advice is available. Please review our full disclaimer.