This post is the second in a series discussing Open Banking, its implementations, and its implications.  Part 1 is here.

APIs or “Application Programming Interfaces” are everywhere in ecommerce, and they provide the building blocks in the primordial soup of innovations that may stem from open banking. 

Among other roles, APIs provide a protocol allowing one computer system to talk with another.  For example, The Weather Channel (“TWC”) has invested heavily in providing detailed meteorological information and forecasts by region.  TWC could conceivably require people to visit its website as the exclusive way to access this information.  Instead, however, TWC permits some of its information to be accessed automatically across apps, websites, and services and in ways third-party developers can predictably map (e.g., certain tagged data reflects values like “75°F” or “Partly Cloudy”).  TWC has determined such use advances the TWC business plan.  Conversely, the developers of apps, websites, and services have determined using the TWC API is superior to reinventing what TWC has accomplished—or not offering weather information at all. 

Without an API, a third party could create a bot to visit the TWC website and automatically “scrape” the information, but such an approach poses risks.  First, even a slight change to the TWC website could cause the bot to misunderstand which data it is supposed to scrape.  Second, such an approach raises contractual and copyright risks.  See, e.g., Ticketmaster L.L.C. v. RMG Technologies, Inc., 507 F. Supp.2d 1096 (C.D. Cal. 2007) (granting injunctive relief on grounds that defendant infringed copyright and terms of use through automated screen-scraping of Ticketmaster’s site in order to facilitate its own large-volume ticket brokerage).  Third, this conversion step fails to capture the richer, more reliable, and more on-point data TWC is willing to make available via its API. 

This post is the first in a series discussing open banking, its implementations, and its implications. 

“Open banking” is a phrase that has been coined to capture a current theme in financial sector innovation – one that some say is going to revolutionize banking.  For years, banks have given their customers increasing access to account information.  Now, with open banking, the access is opening to the point where customers can potentially obtain financial services in entirely novel ways, and the customer’s expectations of their bank may shift. 

The push to open consumers’ financial data goes back decades.  In the 1990s and 2000s, financial institutions began giving customers online access to their accounts—and instantaneous access to information previously reserved for monthly statements. Card-based transactions gradually shifted away from signed papers with carbon copy receipts to electronic devices.  With rapid access to financial information, debit cards that could immediately draw on bank accounts became more feasible.  Meanwhile, third-party vendors, such as Intuit, Microsoft, and Checkfree, were among the providers who encouraged institutions to go even further by making financial data available in a format that could be imported into their software; their work led to the promulgation of the Open Financial Exchange (“OFX”) data stream format, among others. 

In the past 10 years, the priorities in data exchange have incorporated the agenda of government proponents.  Notably, in 2016, a U.K. regulatory authority required the country’s nine largest banks to allow certain registered third-party developers to access certain customer data.  In 2018, the European Economic Area began implementing the Second Payment Services Directive (“PSD2”), including its goal to provide financial data through a central register.  In the United States, the Consumer Financial Protection Bureau has expressed its view that consumers should have timely, secure, and transparent access to their financial account information and to data sharing opportunities.  During this same time, digitization has accelerated to unprecedented levels in all facets of life and commerce, and data privacy risk awareness and regulation has emerged. 

You’re Invited – Join the Atlanta Chapter of the BayPay Forum on February 19 for a 2019 Fintech Legal and Regulatory Panel Discussion

On Tuesday, February 19, from 6-8:30 pm, the Atlanta chapter of the BayPay Forum will meet at Bryan Cave Leighton Paisner’s offices in Midtown Atlanta for a networking reception and panel discussion on the state of fintech regulation.

Start 2019 on solid footing with an engaging panel discussion reflecting on regulatory responses to faster payments, open banking/APIs, blockchain applications and ICOs, and other innovations.  Panelists will include Dick Fraher, Vice President and Counsel to the Retail Payments Office at Federal Reserve Bank of Atlanta; C. Ryan Germany, General Counsel and Assistant Commissioner of Securities & Charities, Office of Georgia Secretary of State Brad Raffensperger; Ben Robey, BSA/AML Compliance Specialist at MSB Compliance, Inc.; and Ken Achenbach, Partner at Bryan Cave Leighton Paisner.  The panel will be moderated by Barry Hester, Counsel at Bryan Cave Leighton Paisner.  Details and free registration are available here using the passcode BRYANCAVE. 

Participants will take away product and service design implications and a better understanding of the consumer protection, safety and soundness, jurisdictional, other policy issues at play.  Discussion will address, among other issues:

Exercising “exceptive” relief authority, FinCEN has extended permanent relief from the beneficial ownership requirements of its new Customer Due Diligence (CDD) rule to existing autorenewing CDs and safe deposit boxes, as well as existing autorenewing commercial lines of credit and credit cards that do not require underwriting review and approval.  FinCEN reasoned that these products pose such a low risk for money laundering and terrorist financing activity that the benefits of requiring the collection of this information does not outweigh the impacts of compliance on financial institutions and their customers.  Specifically, institutions need not treat rollovers or renewals of such products as “new accounts” requiring the collection of the beneficial ownership elements of the CDD rule, whether or not the initial accounts were established prior to the rule’s May 11, 2018 effective date.

FinCEN previously issued temporary relief to autorenewing CDs and loan products established prior to May 11, 2018, and in a second release extended this relief through September 9, 2018.  The new release both extends this treatment indefinitely and expands it to include certain safe deposit box rentals, such that the exception applies now to any of the following occurring on or after May 11, 2018:

• A rollover of a CD, defined as a deposit account that has a specified maturity date, prior to which funds cannot be withdrawn without the imposition of a penalty, and which does not permit the customer to add funds;
• A renewal, modification, or extension of a loan (e.g., setting a later payoff date) that does not require underwriting review and approval;
• A renewal, modification, or extension of a commercial line of credit or credit card account (e.g., setting a later payoff date) that does not require underwriting review and approval; and
• A renewal of a safe deposit box rental (e.g., upon the automatic deduction of the rental fee as agreed-upon between a bank and its customer).

FinCEN is careful in this September 7, 2018, release to explain that it does not relieve institutions of the obligation to collect and verify the identity of beneficial owners of legal entity customers where the initial account opening of such accounts occurs on or after May 11, 2018.  It does mean, however, that institutions need not collect beneficial ownership information for certain older accounts of the types described above (those opened prior to May 11, 2018) solely because they are rolled over or renewed.

On July 31, 2018, the OCC announced that it had finalized parameters for its new limited-purpose financial technology national bank charter and is ready to begin taking applications.  This release follows several years of formal deliberation on the topic and coincided with the release of a 222-page U.S. Treasury report on innovation.  Industry reactions have been wide-ranging – will this level the playing field or usher in a FinTech “apocalypse“?

Highlights of the OCC notice include:

• Designation of the charter type as a national bank.  Like its other special-purpose charters, including the non-depository trust company or the credit card bank, the FinTech charter will be a “national association” in the National Bank Act sense of the term.  As the saying goes, membership will have its privileges (and burdens):  capital requirements, examinations, and federal preemption of certain state laws.
• Eligibility for qualified applicants that plan to conduct activities “within the business of banking.”  Pursuant to existing OCC regulations, a limited-purpose national bank not engaging in fiduciary activities “must conduct at least one of the following three core banking functions:  receiving deposits; paying checks; or lending money.”  In its FinTech charter announcement, the OCC notes that it “views the National Bank Act as sufficiently adaptable to permit national banks to engage in traditional activities like paying checks and lending money in new ways.  For example, facilitating payments electronically may be considered the modern equivalent of paying checks.”
• A requirement for a commitment to “financial inclusion.”  We will see how this element is administered.  In theory it provides a non-depository parallel to the Community Reinvestment Act (“CRA”).
• Publication and comment period.  Just as for other types of national banks, applications will feature newspaper publication requirements and will be generally subject to public review and comment.

The OCC stated that its decision to open the door for this new form of national bank “is consistent with bi-partisan government efforts at federal and state levels to promote economic opportunity and support innovation that can improve financial services to consumers, businesses, and communities.”  Comptroller Otting added:

Providing a path for fintech companies to become national banks can make the federal banking system stronger by promoting economic growth and opportunity, modernization and innovation, and competition.  It also provides consumers greater choice, can promote financial inclusion, and creates a more level playing field for financial services competition.

Treasury’s report is consistent with these themes, noting, “A forward-looking approach to federal charters could be effective in reducing regulatory fragmentation and growing markets by supporting beneficial business models” and that the OCC should proceed with “thoughtful consideration” of FinTech charter applications.  Treasury also calls out specifically the need for updating regulations that relate to data aggregation, for addressing those which have become “outdated” in light of technological advances (e.g., in the mortgage lending and servicing space, according to Treasury), and for a regulatory approach that enables “responsible experimentation” in the financial sector.

The temporary exception that FinCEN extended to autorenewing CDs and loans established prior to the May 11, 2018 compliance effective date of its beneficial ownership requirements was scheduled to expire on August 9, 2018.  On August 8, FinCEN published a short release in which it announced the extension of this relief through September 8, 2018.  FinCEN noted that it was providing this extension in order to further consider the issues raised by the application of these aspects of its Customer Due Diligence (CDD) rules to such products.

As a reminder, this exception only applies to CDs and loans that (i) automatically rollover or renew and (ii) were established prior to May 11, 2018.  Such accounts or loans established subsequent to this date (and older accounts that are renewed on new or modified terms) are fully subject to the CDD rules, and all accounts are subject to its general due diligence and monitoring requirements.  In particular, institutions should continue to collect or update beneficial ownership information as other “risk events” warrant for particular customers–including those whose autorenewing CDs or loans or other accounts were established prior to May 11, 2018.  FinCEN has given as an example of such risk or “trigger” events an unexplained spike in cross-border wire transfers.  Moreover, as we noted previously, OFAC’s strict liability framework continues to apply to any U.S. person that does business with a sanctioned party, so institutions that do not collect beneficial ownership information may be exposed to this type of risk.

In a unique administrative ruling under delegated “exceptive” authority, on May 16, 2018 FinCEN issued relief from its new beneficial ownership requirements through at least August 9, 2018, for “certain financial products and services that automatically rollover or renew (i.e., certificate of deposit (CD) or loan accounts) and were established before the Beneficial Ownership Rule’s Applicability Date, May 11, 2018.”

FinCEN acknowledged in its notice that “some covered institutions have not treated such rollovers or renewals as new accounts and have established automatic processes to continue the banking relationship with the customer.”

The exception is effective retroactively from May 11, 2018 and expires on August 9, 2018.  FinCEN added that it was considering whether additional relief may be appropriate for such products and services established prior to May 11, 2018 and expected to rollover or renew thereafter.

We will explore how we got here, but first, some practical considerations:

• Institutions that have already set into motion new systems, procedures, and communications to collect this info on renewable loans and CDs established prior to May 11 will need to decide whether to discontinue these measures, or alternatively to conclude there is now greater flexibility for handling customers that do not adhere to them – e.g., by failing to submit a completed ownership certification form.  The prevailing view among our clients seems to be the latter.
• Institutions that were still rushing to implement such measures will need to decide whether to put these plans on hold or to continue to develop them as to loans and CDs established prior to May 11, 2018.  The preference within the industry in this regard appears to be a function of how far along these plans are into production, and the extent to which they constitute separate solutions specific to these existing account types.
• Any discussions with examiners and auditors about any changes to implementation plans in light of this release should be direct and documented.  We would encourage institutions to think broadly and generously about the purpose of these rules and the BSA generally, and what risks to the bank (such as sanctions exposure or fraud) might be mitigated by the spirit if not the letter of FinCEN’s new rules.  OFAC’s strict liability framework for doing business with sanctioned parties is unaffected by the relief afforded by FinCEN’s May 16 notice.
• Institutions should consider ways to continue socializing their views to FinCEN, through trade associations or otherwise, as this interim relief appears directly responsive to industry feedback such as that provided in an April 27 hearing held by the House Financial Services Committee (e.g., “. . . there is no reason to believe that an auto-renewal is evidence that a change in beneficial ownership might have occurred. The FAQ 12 guidance is further complicated by the fact that these products include contractual provisions requiring the financial institution to auto renew them without interruption.”)

Let’s revisit how this unfolded as a regulatory matter.

The supplemental FAQs issued by FinCEN on April 3, 2018 provided certain interpretations of its own final rules, originally published on May 11, 2016, including that it believed a bank established a “new account” each time an autorenewing loan or CD renewed (see FAQ 12).  FinCEN opined at that time on ways a bank could comply with the Beneficial Ownership certification requirements implicated by the opening of a “new account” for a legal entity customer in such cases, namely by (1) providing the required information and certification on FinCEN’s new form or its equivalent once and (2) agreeing at that time to notify the bank of any change in such information going forward.  FinCEN’s view then was that a customer’s agreement to notify a bank of any changes in its beneficial ownership information can be considered a “certification” of this information for purposes of subsequent rollovers of renewable products.

Just in time for the effective date of FinCEN’s Customer Due Diligence (CDD) and Beneficial Ownership Rules, on May 11, 2018 the Federal Financial Institutions Examination Council (FFIEC) published updates to its Bank Secrecy Act/Anti-Money Laundering Examination Manual.  The FFIEC is an interagency body comprised of representatives of the U.S. Federal Reserve Board, the FDIC, OCC, CFPB, NCUA, and state banking regulators.  The agencies’ changes (1) replace existing CDD sections of the manual and (2) add new Beneficial Ownership overview and exam procedures sections, in each case corresponding to the new CDD and Beneficial Ownership requirements.

The publication of this new content was announced through separate press releases by the FDIC, OCC, and NCUA.  The OCC’s release (OCC Bulletin 2018-12) makes the technical point that the new CDD content replaces pages 56-59 of the FFIEC manual, last updated in 2014, and the FDIC’s release (FIL-26-2018) adds that the new sections will be incorporated into the manual in its next update.  The FFIEC’s examination manual is used by the bank regulators in conducting supervisory BSA/AML exams and features step-by-step review procedures to be used by examiners, consistent with the FFIEC’s statutory purpose of establishing uniform forms and regulatory examination processes.

One doesn’t generally expect new substantive guidance or interpretation to emerge from the FFIEC examination procedures, but a review of this new content emphasizes the following:

(1) BSA/AML exams including scope periods on or after May 11, 2018 will feature scrutiny of new accounts opened on or after that date.  At this point, the CDD and Beneficial Ownership rules are live and in full effect, and institutions will be expected to adhere to them.  For example, the revised examiner’s guide specifies:  “3. On the basis of a risk assessment, prior examination reports, and a review of the bank’s audit findings, select a sample of new accounts opened for legal entity customers since May 11, 2018 to review for compliance with the Beneficial Ownership Rule.”  The transition and implementation period for this rule is officially over.

The May 25, 2018, compliance effective date of the EU’s General Data Protection Regulation (GDPR) is just weeks away, and many U.S.-based companies have at least by now taken stock of their EU customer base and operations, and developed a baseline set of compliance plans.  For many, that might only entail a data inventory and controls that would ensure that changes to the company’s business plan, advertising strategies, and physical footprint would be assessed for GDPR compliance in advance, just as with any other area of compliance.  However, for companies whose business relies upon the gathering and use of consumer data, the GDPR implementation process has been onerous.

In particular, as recent American Banker coverage has described, this compliance effort is hitting financial institutions of all sizes hard.  While the exact nature and magnitude of enforcement exposure is still unclear, U.S. banks should take a broad view of their overseas business – including where U.S. customers temporarily work or travel – in order to stay ahead of GDPR compliance issues.

For U.S.-based small businesses, including community banks, the conventional wisdom has focused on whether the institution solicits or services EU customers.  Unfortunately this approach may cause banks or other businesses to underestimate their potential exposure.

For purposes of the GDPR, compliance obligations for companies without a physical presence in the EU are generally only implicated if the company (1) offers goods and services in the EU or (2) monitors the behavior of EU customers (referred to affectionately as “data subjects” in the regulation).

Of particular concern for community banks is whether tourists, foreign work assignments, or overseas service members could cause the bank to become subject to GDPR obligations.

Jonathan and I discuss two major deals for our us: the formation of Bryan Cave Leighton Paisner (BCLP) and the return or Barry Hester in this latest episode of The Bank Account.

Bryan Cave Leighton Paisner LLP is the result of the mergers of historically U.S.-based Bryan Cave LLP and historically U.K.-based Berwin Leighton Paisner LLP.  As a truly global firm with over 1,600 lawyers operating literally around the clock, we believe Bryan Cave Leighton Paisner is well positioned to serve clients around the globe.  Our blog is still available at BankBryanCave.com, but is also now available at BankBCLP.com.  We’ll figure out over time what our branding looks like.

Barry Hester re-joins our financial institutions practice after serving for many years as an assistant general counsel for EverBank and TIAA FSB.  In this episode of The Bank Account, we talk with Barry about his experience with the “good guy” and “bad guy” banking compliance laws.  The “good guy” laws include the Servicemembers Civil Relief Act and the Military Lending Act, while the “bad guy” laws include the Bank Secrecy Act and Anti-Money Laundering laws.  As noted in the podcast, Barry has already been busy contributing good content for our blog, with a post last week about FinCEN’s new FAQ on the Customer Due Diligence rules.

As discussed previously, we are sponsoring two teams, one of lawyers and one of bankers, for the Atlanta Ragnar Trail Run on April 13th and 14th.  Sixteen of us will be taking turns running five mile legs at the Georgia International Horse Park over a 24-hour (or so) period.  Team BSA (or Bankers Speed Ahead) will generally consist of our friendly bankers, while Team AML (or Awkwardly Moving Lawyers) will consist of our compatriots from the firm.  I expect our next podcast will relay some interesting stories from the trails.