On Wednesday, July 22, 2020, Acting Comptroller of the Currency Brian Brooks reaffirmed his interest in being seen as an agent of modernization in a letter clarifying the authority of national banks and federal savings associations to provide cryptocurrency services for customers.

The letter from the Office of the Comptroller of the Currency (“OCC”) discusses the increasing acceptance of cryptocurrency, and especially Bitcoin, as a method of payment and form of investment. It acknowledges a correlating growing demand for “safe places, such as banks, to hold unique cryptographic keys associated with cryptocurrencies on behalf of customers and to provide related custody services.” Three reasons – a safe way to hold cryptocurrency keys; a secure storage service; and custodian services for assets managed by investment advisors – are cited in the letter as driving the demand for cryptocurrency custody services.

The safekeeping services are described as a modernization of special deposit and safe deposit boxes, falling within “longstanding authorities to engage in safekeeping and custody activities.” Thus, “the authority to provide safekeeping services extends to digital activities and, specifically, that national banks may escrow encryption keys used in connection with digital certificates because a key escrow service is a functional equivalent to physical safekeeping.”

On July 20, 2020, the Office of the Comptroller of the Currency (“OCC”) issued a notice of proposed rulemaking that would determine the “true lender” of a national bank or federal savings association loan in the context of a partnership between a bank and a third party.  The proposed rule states that a bank is a true lender of a loan “if, as of the date of origination, it is named as the lender in the loan agreement or funds the loan” and would apply to all national banks and federal savings associations.  Most recently, the OCC addressed the related “valid when made” doctrine and held that interest rates established on bank-originated loans remain valid even after the loan is transferred to a non-bank partner.  This final rule, however, did not address the true lender question, and this week’s proposed rule does just that.     

The OCC proposed this rule in response to the “increasing uncertainty” surrounding the legal principles that apply to the loans made in the course of bank and third party relationships.  Courts are not unified in their analysis and have looked to both “the form of the transaction” and a battery of fact-intensive tests to determine the true lender of a loan.  While federal rulemaking addresses many relationships between banks and third parties such as making payments and taking deposits, there is not much guidance on these relationships as it relates to lending.  See e.g., 12 CFR 5.20(e).  Per the OCC’s proposed rule, this uncertainty “may discourage banks and third parties from entering into relationships, limit competition, and chill the innovation that results from these partnerships.”  Taken together, these unintended consequences would restrict consumer access to affordable and available credit. 

The Office of the Comptroller of the Currency’s (“OCC”) attention to modernizing regulation to better accommodate innovative products and industries is continuing full steam ahead since our recent post about a potential payments charter. In the weeks since we posted that article, Brian Brooks has become the acting Comptroller of the Currency, so it should come as no surprise that his goals are garnering some attention.

On Thursday, June 6, the OCC issued a notice of proposed rulemaking seeking public comment to update its rules for national bank and federal savings association activities and operations and an advance notice of proposed rulemaking seeking comment on rules on national banks’ and federal savings associations’ (banks) digital activities. These releases confirm that the agency is “reviewing its regulations on bank digital activities to ensure that its regulations continue to evolve with developments in the industry.”

As part of a substantial modification of the regulatory system, the OCC seeks comment on additional flexibility for banks with respect to permissible derivatives activities, tax equity finance transactions, corporate governance, anti-takeover provisions, capital stock issuances and repurchases, and participation in financial literacy programs.

In addition, the OCC seeks comment on a significant number of banking issues related to digital technology and innovation. The OCC asks whether current legal standards are sufficient flexible, whether they create undue hurdles, and whether there are other areas they should cover. Their requests for comments also touch on current questions, namely whether the pandemic has brought any concerns to light and what issues are unique to smaller institutions – which performed well with the rollout of the SBA’s Paycheck Protection Program, but may encounter hard times to come.

Brian Brooks, Chief Operating Officer of the Office of the Comptroller of the Currency (“OCC”) said on Monday that he believes the OCC should investigate the viability and utility of a non-depository payments charter: “One of the things I think we have to ask ourselves as an agency is, if it makes sense to have a non-depository lending charter, which was the original fintech concept, would it also make sense to have a non-depository payments charter?”

In his talk, given as part of the Consensus: Distributed virtual conference, Brooks focused on cross-border concerns that are particularly salient to crypto companies. He notes that we may have come to a point where the traditional state-federal divisions of licensing and oversight authority are less relevant, particularly in the crypto space. Brooks says there is an argument that “crypto looks a lot like banking for the twenty-first century,” in which case a single national license may provide modern update to the current patchwork of laws, which is burdensome and time-consuming for both payments companies and state regulators.

Brooks said “one of [his] missions at the OCC . . . is to investigate the extent to which over time it makes sense to think of crypto companies like banks and to think of charter types that might be appropriate for crypto companies.” While Brooks’ comments focused on crypto in mentioning a payments charter, he noted Stripe and PayPal as non-blockchain payments companies, which would presumably also be covered by such a payments charter.

Amid criticism from virtually every possible constituency, on March 15, 2017, the Office of the Comptroller of the Currency (OCC) released a draft supplement  to its chartering licensing manual related to special purpose national banks leveraging financial technology, or fintech banks. As we indicated in our fintech webinar discussing the proposal last December, the OCC is proposing to apply many conventional requirements for new banks to the fintech charter. While the OCC’s approach is familiar to those of us well versed on the formation of new banks, there are a few interesting items of note to take away from the draft supplement.

• More bank than technology firm. Potential applicants for a fintech charter should approach the project with the mindset that they are applying to become a bank using technology as a delivery channel, as opposed to becoming a technology company with banking powers. While the difference might seem like semantics, the outcome should lead potential applicants to have a risk management focus and to include directors, executives, and advisors who have experience in banking and other highly regulated industries. In order to best position a proposal for approval, both the application and the leadership team will need to speak the OCC’s language.
• Threading the needle will not be easy. Either explicitly or implicitly in the draft supplement, the OCC requires that applicants for fintech bank charters have a satisfactory financial inclusion plan, avoid products that have “predatory, unfair, or deceptive features,” have adequate profitability, and, of course, be safe and sound. Each bank in the country strives to meet those goals, yet many of them find themselves under pressure from various constituencies to improve their performance in one or more of those areas. For potential fintech banks, can you fulfill a mission of financial inclusion while offering risk-based pricing that is consistent with safety and soundness principles without having consumer groups deem your practices as unfair? On the other hand, can you offer financial inclusion in a manner that consumer groups appreciate while achieving appropriate profitability and risk management? We think the answer to both questions can be yes, but a careful approach will be required to convince the OCC that it should be comfortable accepting the proposed bank’s approach.

In a recent American Banker BankThink article, Partner Dan Wheeler explores the possibility that the OCC could rise in stature, while the other banking regulatory agencies fall out of favor.  By largely staying out of Congress’ scrutiny and taking a lead on fintech regulation, Dan argues that the OCC is well positioned to obtain greater chartering and regulatory responsibility under a Trump administration.

Some regulatory agencies, such as the Consumer Financial Protection Bureau and Federal Reserve Board, appear ripe for more congressional criticism and even curbs to their authority under the incoming Trump administration. But one may be in relatively good position to have its authority expanded: the Office of the Comptroller of the Currency.

The OCC has stayed under the radar and avoided the political backlash aimed at other regulators while also emerging as a new leader in the fast-growing area of fintech regulation. The OCC’s focus on innovation and its largely pristine image among lawmakers could lead to greater chartering authority and — if the CFPB continues to lose favor — more responsibility to oversee consumer rules.

Continue Reading Dan’s position, OCC Could Gain Power as Other Agencies Fall Out of Favor, on AmericanBanker.com.

Both Banks and Their Vendors Must Pay Attention

Introduction

First there was the bulletin about third-party vendors issued by the Consumer Financial Protection Bureau (CFPB) in April 2012. Then it was the FFIEC’s guidance on IT service providers in October 2012.  Next came the FDIC’s September 2013 Financial Institution Letter about payment-processing relationships with high-risk merchants.  Then there was the news on October 30, 2013 about the OCC’s guidance on third-party relationships, followed shortly by the Federal Reserve Board’s guidance on managing outsourcing risks in December 2013.

Let’s face it. There has always been guidance and concern about banks and their relationships with third-party service providers. But in recent years it has become quite obvious that the bar has been raised on how banks relate to their third-party processors, program managers, and other service providers. These changes have occurred over time, by a matter of degrees. But it is increasingly plain that we are seeing a significant sea change in how regulators approach the relationships between banks and their third-party vendors. Examiners are digging deeper — especially into the content of bank contracts — and the scope of review is extending to more and more vendors.

In recent months, public commentary from some of the regulators has revealed even more clearly how this recent guidance will impact banks and their vendors. In this article we will describe the regulatory developments and provide some practical guidance as to what this will mean — not only for banks, but for their processors and other service providers.  (A print-friendly version is also available.)

Recent Regulatory Developments

Banks and other financial institutions have always been expected to choose their vendors carefully and to monitor the performance of those vendors. Most institutions have done a reasonably good job in this regard. However, recent regulatory publications and the focus of recent regulatory examinations and enforcement actions indicate that the standards and expectations are now much higher.

The CFPB issued a bulletin on April 13, 2012 regarding the use of service providers, accompanied by a press release stating, “CFPB to Hold Financial Institutions and their Service Providers Accountable.”  This bulletin, CFPB Bulletin 2012-03 (the CFPB Bulletin), states that the CFPB “expects supervised banks and nonbanks to oversee their business relationships with service providers in a manner that ensures compliance with Federal consumer financial law.” (emphasis added).

Read More

While the issue of vendor oversight and management is not new to the financial services industry, recent enforcement actions by the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB) manifest heightened attention by federal regulators.  A bank’s board of directors is required to remain vigilant to the hazards posed by outsourcing functions to third parties, or else risk significant financial and reputational harm to its institution.

Federal regulators traditionally have looked with an understanding, yet skeptical, eye towards the issue of outsourcing. Current guidance is clear, however, as to where the responsibility lies. As summarized by the Federal Deposit Insurance Corp. (FDIC) in FIL-44-2008, “An institution’s board of directors and senior management are ultimately responsible managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.”

Meet the New Boss

Armed with its mandate by Title X of the Dodd-Frank Act to protect consumers, the CFPB entered the vendor management fray by issuing Bulletin 2012-03. Although the message contained in the bulletin was nearly identical to previously issued guidance by the OCC and FDIC, it did provide additional insight. First, the bulletin noted that Title X of Dodd-Frank provides a definition of a “service provider,” which includes “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.” (Although the legislation did not specifically define the word material, bankers should assume such subjectivity will be interpreted broadly by federal regulators.)  Secondly, and more importantly, the bulletin provided banks a non-exhaustive list of “steps to ensure that their business arrangements with service providers do not present unwarranted risks to consumers,” which include:

• Conducting thorough due diligence to verify that the service provider understands and is capable of complying with federal consumer financial law;
• Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;
• Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive act or practices;
• Establishing internal controls and on-going monitoring to determine whether the service provider is complying with federal consumer financial law; and
• Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate.

On October 30th, the OCC issued new guidance on third-party relationships and associated risk management. The Bulletin, OCC 2013-29, rescinded and replaced prior guidance on this subject (OCC Bulletin 2001-47 and OCC Advisory Letter 2000-9) but specifically retained numerous other OCC and interagency issues on third-party relationships as listed in Appendix B to the Bulletin.

The Bulletin states that the OCC expects a bank to have risk management processes that are commensurate with the level of risk and complexity of the relationship. It details the expected management of all aspects of third-party relationships and is more specific than prior guidance about the responsibility of a bank’s board of directors for overseeing the management processes. For example, the board must ensure an effective process is in place, approve the bank’s risk-based policies governing third-party management, review and approve plans for using third parties, approve contracts with third parties, review management’s ongoing monitoring of the relationships and hold accountable those employees who manage the relationships.

While the Bulletin focuses on third-party relationships that involve “critical activities,” a bank’s judgment of what is critical could be subject to second guessing, particularly if the bank experiences difficulties with consumers or the examiner otherwise believes that the bank’s risk management process is weak.

Read More on BryanCavePayments.com.

Bank regulators have been as busy as usual in 2012, but some of the more interesting regulatory and legal changes have come from non-bank regulators and the courts. And, the JOBS Act changes described below actually lifts the regulatory burden on banks a bit, a rare respite in an otherwise challenging regulatory environment.

The JOBS Act eases bank capital activities and M&A.  The Jumpstart Our Business Startups Act affects community banks in 4 key ways:

• “Going public” is easier. Banks that have less than $1 billion in gross revenue can qualify as an “emerging growth” company and take advantage of relaxed rules that allow them to “test the waters” and obtain a confidential prior review of an IPO filing by the SEC, provide reduced executive compensation disclosures and file without a SOX 404 attestation by the bank’s auditors.
• The “crowdfunding” rule (expected in early 2013) will provide banks significant flexibility in raising $1 million per year from their community without IPO-type expenses and without adding new investors to their shareholder count.
• Private offerings are easier. Rules affecting private offerings are being relaxed so that a bank will be able to use public solicitation and advertising to attract investors as long as the bank takes reasonable steps to ensure that those investors are accredited.
• Going or staying private is easier because the shareholder count triggering “going public” was raised from 500 to 2,000. And, shareholders from a bank’s “crowdfunding” offerings and from employee compensation plans are now excluded from the shareholder count. These helpful changes to shareholder count rules mean that some banks can bring in new investors or even acquire another bank without triggering the obligation to “go public,” a significant cost and compliance barrier. Also, banks with a shareholder count under 1,200 can “go private” following a 90-day waiting period.