Brian Brooks, Chief Operating Officer of the Office of the Comptroller of the Currency (“OCC”) said on Monday that he believes the OCC should investigate the viability and utility of a non-depository payments charter: “One of the things I think we have to ask ourselves as an agency is, if it makes sense to have a non-depository lending charter, which was the original fintech concept, would it also make sense to have a non-depository payments charter?”

In his talk, given as part of the Consensus: Distributed virtual conference, Brooks focused on cross-border concerns that are particularly salient to crypto companies. He notes that we may have come to a point where the traditional state-federal divisions of licensing and oversight authority are less relevant, particularly in the crypto space. Brooks says there is an argument that “crypto looks a lot like banking for the twenty-first century,” in which case a single national license may provide modern update to the current patchwork of laws, which is burdensome and time-consuming for both payments companies and state regulators.

Brooks said “one of [his] missions at the OCC . . . is to investigate the extent to which over time it makes sense to think of crypto companies like banks and to think of charter types that might be appropriate for crypto companies.” While Brooks’ comments focused on crypto in mentioning a payments charter, he noted Stripe and PayPal as non-blockchain payments companies, which would presumably also be covered by such a payments charter.

Amid criticism from virtually every possible constituency, on March 15, 2017, the Office of the Comptroller of the Currency (OCC) released a draft supplement  to its chartering licensing manual related to special purpose national banks leveraging financial technology, or fintech banks. As we indicated in our fintech webinar discussing the proposal last December, the OCC is proposing to apply many conventional requirements for new banks to the fintech charter. While the OCC’s approach is familiar to those of us well versed on the formation of new banks, there are a few interesting items of note to take away from the draft supplement.

• More bank than technology firm. Potential applicants for a fintech charter should approach the project with the mindset that they are applying to become a bank using technology as a delivery channel, as opposed to becoming a technology company with banking powers. While the difference might seem like semantics, the outcome should lead potential applicants to have a risk management focus and to include directors, executives, and advisors who have experience in banking and other highly regulated industries. In order to best position a proposal for approval, both the application and the leadership team will need to speak the OCC’s language.
• Threading the needle will not be easy. Either explicitly or implicitly in the draft supplement, the OCC requires that applicants for fintech bank charters have a satisfactory financial inclusion plan, avoid products that have “predatory, unfair, or deceptive features,” have adequate profitability, and, of course, be safe and sound. Each bank in the country strives to meet those goals, yet many of them find themselves under pressure from various constituencies to improve their performance in one or more of those areas. For potential fintech banks, can you fulfill a mission of financial inclusion while offering risk-based pricing that is consistent with safety and soundness principles without having consumer groups deem your practices as unfair? On the other hand, can you offer financial inclusion in a manner that consumer groups appreciate while achieving appropriate profitability and risk management? We think the answer to both questions can be yes, but a careful approach will be required to convince the OCC that it should be comfortable accepting the proposed bank’s approach.

In a recent American Banker BankThink article, Partner Dan Wheeler explores the possibility that the OCC could rise in stature, while the other banking regulatory agencies fall out of favor.  By largely staying out of Congress’ scrutiny and taking a lead on fintech regulation, Dan argues that the OCC is well positioned to obtain greater chartering and regulatory responsibility under a Trump administration.

Some regulatory agencies, such as the Consumer Financial Protection Bureau and Federal Reserve Board, appear ripe for more congressional criticism and even curbs to their authority under the incoming Trump administration. But one may be in relatively good position to have its authority expanded: the Office of the Comptroller of the Currency.

The OCC has stayed under the radar and avoided the political backlash aimed at other regulators while also emerging as a new leader in the fast-growing area of fintech regulation. The OCC’s focus on innovation and its largely pristine image among lawmakers could lead to greater chartering authority and — if the CFPB continues to lose favor — more responsibility to oversee consumer rules.

Continue Reading Dan’s position, OCC Could Gain Power as Other Agencies Fall Out of Favor, on AmericanBanker.com.

Both Banks and Their Vendors Must Pay Attention

Introduction

First there was the bulletin about third-party vendors issued by the Consumer Financial Protection Bureau (CFPB) in April 2012. Then it was the FFIEC’s guidance on IT service providers in October 2012.  Next came the FDIC’s September 2013 Financial Institution Letter about payment-processing relationships with high-risk merchants.  Then there was the news on October 30, 2013 about the OCC’s guidance on third-party relationships, followed shortly by the Federal Reserve Board’s guidance on managing outsourcing risks in December 2013.

Let’s face it. There has always been guidance and concern about banks and their relationships with third-party service providers. But in recent years it has become quite obvious that the bar has been raised on how banks relate to their third-party processors, program managers, and other service providers. These changes have occurred over time, by a matter of degrees. But it is increasingly plain that we are seeing a significant sea change in how regulators approach the relationships between banks and their third-party vendors. Examiners are digging deeper — especially into the content of bank contracts — and the scope of review is extending to more and more vendors.

In recent months, public commentary from some of the regulators has revealed even more clearly how this recent guidance will impact banks and their vendors. In this article we will describe the regulatory developments and provide some practical guidance as to what this will mean — not only for banks, but for their processors and other service providers.  (A print-friendly version is also available.)

Recent Regulatory Developments

Banks and other financial institutions have always been expected to choose their vendors carefully and to monitor the performance of those vendors. Most institutions have done a reasonably good job in this regard. However, recent regulatory publications and the focus of recent regulatory examinations and enforcement actions indicate that the standards and expectations are now much higher.

The CFPB issued a bulletin on April 13, 2012 regarding the use of service providers, accompanied by a press release stating, “CFPB to Hold Financial Institutions and their Service Providers Accountable.”  This bulletin, CFPB Bulletin 2012-03 (the CFPB Bulletin), states that the CFPB “expects supervised banks and nonbanks to oversee their business relationships with service providers in a manner that ensures compliance with Federal consumer financial law.” (emphasis added).

While the issue of vendor oversight and management is not new to the financial services industry, recent enforcement actions by the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB) manifest heightened attention by federal regulators.  A bank’s board of directors is required to remain vigilant to the hazards posed by outsourcing functions to third parties, or else risk significant financial and reputational harm to its institution.

Federal regulators traditionally have looked with an understanding, yet skeptical, eye towards the issue of outsourcing. Current guidance is clear, however, as to where the responsibility lies. As summarized by the Federal Deposit Insurance Corp. (FDIC) in FIL-44-2008, “An institution’s board of directors and senior management are ultimately responsible managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.”

Meet the New Boss

Armed with its mandate by Title X of the Dodd-Frank Act to protect consumers, the CFPB entered the vendor management fray by issuing Bulletin 2012-03. Although the message contained in the bulletin was nearly identical to previously issued guidance by the OCC and FDIC, it did provide additional insight. First, the bulletin noted that Title X of Dodd-Frank provides a definition of a “service provider,” which includes “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.” (Although the legislation did not specifically define the word material, bankers should assume such subjectivity will be interpreted broadly by federal regulators.)  Secondly, and more importantly, the bulletin provided banks a non-exhaustive list of “steps to ensure that their business arrangements with service providers do not present unwarranted risks to consumers,” which include:

• Conducting thorough due diligence to verify that the service provider understands and is capable of complying with federal consumer financial law;
• Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;
• Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive act or practices;
• Establishing internal controls and on-going monitoring to determine whether the service provider is complying with federal consumer financial law; and
• Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate.

On October 30th, the OCC issued new guidance on third-party relationships and associated risk management. The Bulletin, OCC 2013-29, rescinded and replaced prior guidance on this subject (OCC Bulletin 2001-47 and OCC Advisory Letter 2000-9) but specifically retained numerous other OCC and interagency issues on third-party relationships as listed in Appendix B to the Bulletin.

The Bulletin states that the OCC expects a bank to have risk management processes that are commensurate with the level of risk and complexity of the relationship. It details the expected management of all aspects of third-party relationships and is more specific than prior guidance about the responsibility of a bank’s board of directors for overseeing the management processes. For example, the board must ensure an effective process is in place, approve the bank’s risk-based policies governing third-party management, review and approve plans for using third parties, approve contracts with third parties, review management’s ongoing monitoring of the relationships and hold accountable those employees who manage the relationships.

While the Bulletin focuses on third-party relationships that involve “critical activities,” a bank’s judgment of what is critical could be subject to second guessing, particularly if the bank experiences difficulties with consumers or the examiner otherwise believes that the bank’s risk management process is weak.

Read More on BryanCavePayments.com.

Bank regulators have been as busy as usual in 2012, but some of the more interesting regulatory and legal changes have come from non-bank regulators and the courts. And, the JOBS Act changes described below actually lifts the regulatory burden on banks a bit, a rare respite in an otherwise challenging regulatory environment.

The JOBS Act eases bank capital activities and M&A.  The Jumpstart Our Business Startups Act affects community banks in 4 key ways:

• “Going public” is easier. Banks that have less than $1 billion in gross revenue can qualify as an “emerging growth” company and take advantage of relaxed rules that allow them to “test the waters” and obtain a confidential prior review of an IPO filing by the SEC, provide reduced executive compensation disclosures and file without a SOX 404 attestation by the bank’s auditors.
• The “crowdfunding” rule (expected in early 2013) will provide banks significant flexibility in raising $1 million per year from their community without IPO-type expenses and without adding new investors to their shareholder count.
• Private offerings are easier. Rules affecting private offerings are being relaxed so that a bank will be able to use public solicitation and advertising to attract investors as long as the bank takes reasonable steps to ensure that those investors are accredited.
• Going or staying private is easier because the shareholder count triggering “going public” was raised from 500 to 2,000. And, shareholders from a bank’s “crowdfunding” offerings and from employee compensation plans are now excluded from the shareholder count. These helpful changes to shareholder count rules mean that some banks can bring in new investors or even acquire another bank without triggering the obligation to “go public,” a significant cost and compliance barrier. Also, banks with a shareholder count under 1,200 can “go private” following a 90-day waiting period.

On October 18, 2012, the OCC released stress testing guidance  for national banks and federal savings associations with $10 billion or less in total assets.  While the regulatory authorities clarified in May of this year that the Supervisory Guidance on Stress Testing for Banking Organizations with More than $10 Billion in Total Consolidated Assets would not apply to community banks, the OCC has now confirmed that the stress testing requirements in Dodd-Frank have “trickled down” to community banks, at least to those regulated by the OCC. The guidance states that appropriate stress testing should be performed at least annually.

Fortunately for community bankers, the stress testing guidance is greatly scaled back from the rules applicable to larger institutions, and the requirements are flexible in many respects. The guidance specifically states that the OCC does not specifically endorse any particular stress testing model and that banks with smaller scale and lesser complexity may be able to satisfy the requirements of the guidance by performing single spreadsheet analysis in some cases. This acknowledgement is in stark contrast to the onerous requirements applicable to larger banks, which can be read to require testing of all likely and unlikely scenarios using a wide variety of scenarios through the use of a number of different models.

On June 20, 2012,  the OCC issued an interim final rule (the “Rule”) that amends its existing regulations on legal lending limit in response to Section 610 of the Dodd Frank Act. Section 610 amended the federal lending limits statute, (12 USC § 84) to include credit exposures arising from derivative transactions and repurchase agreements, reverse repurchase agreements, securities lending transactions, and securities borrowing transactions. The Rule also takes into account differences that existed between national banks and saving associations and preserves some of the statutory exceptions that savings associations previously enjoyed. The Rule provides three different methods for calculating credit exposure, one of which will be applicable to larger banks and two that will be more attractive to regional and community banks.

The Rule is relevant to state chartered banks as well since Section 611 of Dodd Frank provides that state banks may only engage in derivative transactions if the law of the sate takes into account credit exposure to derivatives. During the past legislative session many state legislatures passed laws addressing this issue.  For example, Georgia amended its legal lending limit statute, GA Code Ann § 7-1-285 to include credit exposure under a derivative when calculating its legal lending limit to any one borrower. The Georgia statute also allows a bank to determine the actual credit exposure pursuant to a methodology acceptable to the Department of Banking and Finance and the bank’s primary federal regulator. One would expect the various state regulators to look very carefully at the three options presented by the OCC when determining the method they will approve for their respective state. The Rule lends itself very well to state regulatory application in that it is devised in a manner that will allow banks to adopt a compliance regimen that fits their size and risk management requirements, subject to an overall requirement that whichever method they choose is always subject to safety and soundness requirements.

Specifically, the Rule provides that banks can choose to measure the credit exposure of derivatives (except credit derivatives) in one of three ways:

1. through an OCC-approved internal model,
2. by use of a look-up table that fixes the attributable exposure at the execution of the transaction, or
3. by use of a look-up table that incorporates the current mark to market and a fixed add-on for each year of the transaction’s remaining life.

For credit derivatives (transactions in which banks buy or sell credit protection against loss on a third-party reference entity), the Rule provides a special process for calculating credit exposure, based on exposure to the counterparty and reference entity. With respect to securities financing transactions, institutions can choose to use either an OCC-approved internal model or fix the attributable exposure based on the type of transaction (repurchase agreement, reverse repurchase agreement, securities lending transaction, or securities borrowing transaction).

Q2 GDP Announced

On Friday, the Commerce Department released its report on the country’s gross domestic product for the second quarter showing that the GDP grew at an annual rate of 1.3 percent, after having grown at an annual rate of 0.4 percent in the first quarter — a number that itself was revised sharply down from earlier estimates of 1.9 percent.

Senate to Hold CFPB Nomination Hearing

On Thursday, the Senate Banking Committee held a hearing on the nomination of Richard Cordray to be the new Director of the Consumer Financial Protection Bureau. While the nomination can be sent to the floor, Senate Republicans have vowed to block Cordray’s nomination and any other nominees for the directorship because they insist that the agency be run by a Commission rather than a Director and have its funding determined by Congress.

Carper/Blunt Introduce Consumer Data Security Bill

On Thursday, Sens. Tom Carper (D-Dela.) and Roy Blunt (R-Mo.) introduced legislation titled “The Data Security Act of 2011” which would require entities such as financial establishments, retailers, and federal agencies to safeguard sensitive information, investigate security breaches and notify consumers when there is a substantial risk of identity theft or account fraud. These new requirements would apply to retailers who take credit card information, data brokers who compile private information and government agencies that possess nonpublic personal information.

Senate Nomination Hearings for New Bank Regulators

On Tuesday, the Senate Banking Committee held a hearing to consider the pending nominations for Martin Gruenberg to head the FDIC, Thomas Curry to be Comptroller, and Roy Woodall to be a member of the Financial Stability Oversight Council. Senator Richard Shelby, the Banking Committee’s top Republican, said after the hearing that he would support Gruenberg’s nomination but would need more to review Curry’s record before offering his support. The nominations will now be sent to the floor for full consideration by the Senate.

More Information

If you have any questions regarding any of these issues, please contact:

Matt Jessee, Policy Advisor
matt.jessee@bryancave.com
1 314 259 2463