Treasury Calls for Enhanced Supervision of Fintech Partnerships
On November 16, 2022, the Department of Treasury (“Treasury”) issued a report titled “Assessing the Impact of New Entrant Non-bank Firms on Competition in Consumer Finance Markets” (“Treasury Report”), which, among other things, recommends that federal financial regulators pursue a more robust regulatory framework for non-bank financial services. Recognizing the continued importance of bank-fintech relationships to consumers’ access to competitive financial services, the Treasury Report encourages “responsible innovation” through enhanced oversight. The Treasury Report includes a set of recommendations to be applied within existing regulatory frameworks to ensure that bank-fintech partnerships continue to reasonably promote competition and innovation while protecting consumers and the safety and soundness of banks.
This Treasury Report was the result of President Biden’s July 9, 2021, Executive Order 14036, “Promoting Competition in the American Economy” (“Executive Order”). The Executive Order established the White House Competition Council and called for federal agencies to take a number of actions related to the administration’s policies on competition and anticompetitive behavior.
The Treasury Report recognizes and encourages collaboration between banks and fintechs, noting that bank-fintech relationships have the ability to increase market competition, enhance consumers’ access to financial services, and reduce prohibitive cost barriers to these services. These benefits, however, according to the Treasury Report, come with risks, particularly in new, largely untested financial services products and the limits of the existing regulatory framework. For example, the Treasury Report noted that (1) fintechs, unlike banks, are generally not subject to prudential regulation, (2) the Consumer Financial Protection Bureau’s (“CFPB”) supervisory authority varies based on the fintech’s activities and size, and (3) state supervision of fintechs is uneven, and therefore, “by offering unbundled products and services,” activities of fintechs “can largely be conducted outside the perimeter of federal prudential regulation and oversight.”
Treasury offers a number of recommendations to federal regulators. The recommendations focus on how federal banking regulators and the CFPB can balance the need for competition and the need to promote regulatory oversight of the changing landscape for risk. Importantly, the Treasury Report focuses on the “core consumer finance markets”—i.e., deposits, payments, and credit, and Treasury’s recommendations are framed within existing regulatory authorities.
While this client alert focuses on Treasury’s recommendations, the Treasury Report consists of five sections, which cover a range of topics. First, Treasury provides an overview of the current market landscape, including a description of the regulatory environment applicable to core consumer finance markets. In the second section, Treasury acknowledges and explores the changing financial services landscape, particularly as it relates to the entrance of non-bank firms. The third section of the Treasury Report reviews the opportunities and risks related to new non‑bank firms entering the market, and the benefits that they can bring to consumer finance as a whole. In section four, Treasury reviews how the entry of Big Tech firms could impact consumer finance markets. Finally, in section five, Treasury makes recommendations for how regulators can promote competition and innovation in the markets to benefit consumers.
The Treasury Report focuses on advancing two goals—(1) enabling competition in the delivery of consumer financial services that can benefit consumers while appropriately managing risks; and (2) promoting regulatory oversight across financial institutions that is commensurate to the activities and risks associated with new structures for delivering financial services to consumers.
Treasury supports the ongoing review by the DOJ and the federal banking agencies of the bank merger oversight policies given the changes in the consumer finance markets. Both DOJ and the Federal Deposit Insurance Corporation have previously requested public comment on their respective analyses of bank mergers.
In the area of responsible consumer credit underwriting, Treasury recommends that federal banking regulators: (1) use the existing supervisory framework to give clarity to insured depository institutions (“IDIs”) regarding the use of alternative data and complex algorithms in credit underwriting (particularly in light of the fair lending risks and implications to consumer privacy and data security)—i.e., credit visibility; (2) continue to engage institutions seeking to implement new underwriting approaches through pilot programs and new tools that can encourage self-testing and correction; (3) review current underwriting and fair lending guidance to discover any gaps that may exist in helping IDIs develop risk management processes for products that use new underwriting approaches; (4) clarify and supplement the MRM Supervisory Framework[1] so IDIs’ model risk management processes can guard against unsafe or unsound outcomes; and (5) coordinate with relevant federal agencies to identify and mitigate fair lending violations where alternative data in consumer credit underwriting is used.
To create a clearer and more consistently applied regulatory framework, where the fintech, and not the IDI, is providing services, Treasury recommends that the federal banking agencies finalize the proposed interagency guidance on risk management of third-party relationships (“TPRM Guidance”). The TPRM Guidance would confirm that the IDI is responsible for conducting its activities, including those conducted by a third party, in a safe and sound manner. The Treasury Report also noted that the federal banking agencies have the legal authority to “regulate and supervise IDI activities . . . conducted directly, or with or through a third-party relationship as though all aspects of the activities were performed by the IDI itself,” and as a result, “the activities performed on behalf of the IDI by a Fintech would be subject to the laws and regulations applicable to the IDI and subject to supervision and examination by the IDI’s federal regulator.”
Treasury further recommends that regulators include in the final TPRM Guidance language to help IDIs negotiate contractual provisions that align with their internal oversight and risk management policies.
Treasury also noted the “significant benefits” that could result from “enhanced coordination among the full suite of relevant federal agencies” to ensure that fintechs participating in a bank‑fintech partnership are appropriately supervised.
Treasury recommends that the federal banking regulators revise their supervisory practices with respect to the Interagency Lending Principles for Offering Responsible Small-Dollar Loans (“SD Lending Guidance”). It further recommends updating the SD Lending Guidance to cover larger loan amounts and the ways in which the SD Lending Guidance applies to bank-fintech lending relationships in order to cover more aspects of a loan program. Treasury recommends that regulators provide IDIs with sufficient guidance on how to offer small-dollar loans while maintaining compliance with applicable laws and regulations.
For non-bank lenders that do not operate through a relationship with an IDI, Treasury recommends that the CFPB monitor and investigate small-dollar installment loan product developments and review its authorities to determine if it can directly supervise larger non-bank consumer lenders. These would include buy-now-pay-later (“BNPL”) and installment loan providers. In September 2022, the CFPB issued a report on its key insights on the BNPL market and identified areas of risk of consumer harm, including, according to the CFPB, inconsistent consumer protections for BNPL borrowers and overextension of BNPL borrowers.
To facilitate continued access to shared financial data, Treasury recommends that the CFPB adopt a rule to implement Section 1033 of the Dodd-Frank Act. The final rule should clearly define the scope of financial data subject to the consumer’s access rights. Further, the TPRM Guidance should also clarify “an IDI data holder’s assessment of consumer-authorized access by third-party data aggregators and data users,” and any obligations an IDI has to protect consumer‑authorized data from fourth-party[2] misuse. Treasury also recommends that the CFPB review its authorities to consider how it can supervise data aggregators, which Treasury states can have expansive amounts of consumer data with little supervision over their information security or data practices.
Like other recent developments, the Treasury Report and its recommendations reflect expected heightened regulatory scrutiny of fintechs and bank-fintech partnerships. The CFPB has already taken a series of actions signaling its focus on fintechs, including, as noted above, the BNPL report, as well as orders directed to a number of “Big Tech” companies related to their payments business practices. In addition, in August 2022, the Office of the Comptroller of the Currency reached a settlement agreement with a supervised bank relating to the bank’s alleged failures in its supervision and oversight of a fintech in the bank’s partnership with the fintech.
The Treasury Report also suggests a primary role for the CFPB in the enhanced supervision of fintechs, as many of the Treasury Report recommendations called for either the CFPB to assess its supervisory authority over fintechs or more coordination with the CFPB.
We will continue to monitor developments relating to the recommendations made by Treasury in the Treasury Report.
Jason Nerland, a Law Clerk in our Washington, D.C. office, contributed to the writing of this alert.
[1] Treasury uses this term to collectively refer to the existing, principles-based approaches for model risk management supervision that the federal banking regulators set out in their model risk management guidance and supervisory practices.
[2] A “fourth-party” data user is one that receives, through a data aggregator, consumer-authorized data from an IDI.