Technology and Innovation in Financial Services

Transcription

1 Technology and Innovation in Financial Services David Beam Partner Marcus Christian Partner Ori Lev Partner Jeffrey Taft Partner

2 Overview of the Panel Innovation, Technology and Bank Regulation Regulatory Challenges for a Payments Startup Convergence of Finance and Technology Cybersecurity Risks and Mitigants 2

3 INNOVATION, TECHNOLOGY AND BANK REGULATION 3

4 OCC Innovation Initiative In August 2015, OCC announced an initiative to improve the OCC s ability to identify and understand trends and innovations in the financial services industry. In March 2016, OCC issued a whitepaper entitled Supporting Responsible Innovation in the Federal Banking System: An OCC Perspective. Comments on the whitepaper were due May 31, OCC will host a forum on responsible innovation on June 23, 2016, to discuss comments received on the whitepaper and lead discussions regarding financial services innovation. 4

5 OCC Innovation Initiative OCC defines responsible innovation as use of new or improved financial products, services, and processes to meet the evolving needs of consumers, businesses, and communities in a manner that is consistent with sound risk management and is aligned with the bank s overall business strategy. Recognizes the importance of new ideas, products, and operational approaches in the rapidly changing environment. Emphasizes effective risk management and corporate governance. Innovation must be consistent with safety and soundness, compliant with applicable laws and regulations, and protective of consumers rights. 5

6 Guiding Principles for OCC s Approach to Responsible Innovation Responsible innovation principles call for the OCC to: Support responsible innovation Foster an internal culture receptive to responsible innovation Leverage agency experience and expertise Encourage responsible innovation that provides fair access to financial services and fair treatment of consumers Further safe and sound operations through effective risk management Encourage banks of all sizes to integrate responsible innovation into their strategic planning Promote ongoing dialogue through formal outreach Collaborate with other regulators 6

7 OCC Innovation Initiative What is expected from the OCC Innovation Initiative? OCC and federal banking regulators are likely to take a caution approach to innovation but want to be inclusive. Could OCC create special or limited purpose charter aimed at companies using technology to deliver financial products and services and what would be required? Credit card banks and trust companies are examples of limited purpose entities and number of Internet banks chartered in 1999/2000 Would benefits of an OCC charter outweigh the compliance costs and regulatory expectations associated with being a bank OCC has publicly noted interest in national bank charter by technology companies but de novo banking charters have been vey limited 7

8 Marketplace Lending - Regulation Federal Trade Commission FinTech Forum on Marketplace Lending (June 9, 2016) State of marketplace lending and implications for consumers How best to protect consumers as the market evolves Treasury Department Report Opportunities and Challenges in Online Marketplace Lending (May 10, 2016) Enhancing oversight of small business lenders Facilitating interagency coordination on marketplace lending regulatory issues across a range of federal and state agencies FDIC guidance to banks involved in marketplace lending (Supervisory Insights Winter 2015) 8

9 Examples of recent Bank Partnerships with Technology Companies JPMorgan and OnDeck OnDeck providing its technology to JPMorgan Process will be entirely digital, with approval and funding generally received within one day Citi Community Capital and Lending Club Lending to a fund that purchases LMI loans Community Reinvestment Act focus Wells Fargo Startup Accelerator Program Focused on startups that create solutions for financial institutions and enterprise customers 9

10 State Regulation and Innovation NYSDFS BitLicense In June 2015, NYDFS published its final BitLicense rules. In September 2015, NYDFS approved the first BitLicense application (Circle Internet Financial). This week, NYSDFS granted license to XRP II, LLC, an affiliate of Ripple Labs, Inc. NYSDFS Trust Company Approvals In May 2015, NYDFS granted the first charter under the New York Banking Law (NYBL) to virtual currency company itbit Trust Company, LLC a commercial Bitcoin exchange. In October 2015, NYDFS granted a charter under the NYBL to Gemini Trust Company, LLC (Gemini) a Bitcoin exchange. 10

11 State Regulation and Innovation Delaware Blockchain Initiative In April 2016, Governor Jack Markell announced today the establishment of the Delaware Blockchain Initiative Designed to encourage expanded use and development of distributed ledger and smart contract technologies by Delaware-incorporated businesses Considering creation of a new type of corporate shares, dubbed "distributed ledger shares State Licensing for Money Service Businesses 11

12 REGULATORY CHALLENGES FOR A PAYMENTS STARTUP 12

13 Who Needs a State Money Service Business ( MSB ) License? Anyone who receives money (and, in many states, monetary value ) for transmission Touching the funds requires a license. Anyone who issues stored value or payment instruments Anyone who exchanges currency 13

14 State Licensing of Money Services Businesses 48 States and DC require MSBs to obtain licenses South Carolina legislature just passed an MSB law; the governor is expected to sign Licensing requirement applies if you provide money services to residents of the state even if you have no physical presence there. A national platform requires a suite of 49 licenses. Out of pocket costs to obtain these licenses is ~$1 million. 14

15 Requirements for MSB Licensee Surety bonds Capitalization requirements Permissible investments to back outstandings Consumer protection requirements Examination and supervision by state regulators Recordkeeping AML programs Regular filings with state regulators Extensive personal disclosures for principals 15

16 The Banking Problem Increasingly hard for a money services business to find a bank willing to provide banking services. In 2005, FinCEN and the federal banking agencies issue guidance on providing banking services to MSBs. Guidance says that minimum due diligence of an MSB customer includes: Applying the banking organization s Customer Identification Program; Confirming FinCEN registration, if required; Confirming compliance with state or local licensing requirements, if applicable; Confirming agent status, if applicable; and Conducting a basic Bank Secrecy Act/Anti-Money Laundering risk assessment to determine the level of risk associated with the account and whether further due diligence is necessary. 16

17 The Banking Problem (Cont.) Due diligence requirements led many banks to stop offering services to MSBs; others curtailed services to less established MSBs. MSBs viewed as riskier (such as those offering digital currency services) were hit especially hard. In 2014, FinCEN issued clarifying guidance designed to alleviate some bank concerns. FinCEN, as the agency primarily responsible for administering the Bank Secrecy Act, expects banking organizations that open and maintain accounts for MSBs to apply the requirements of the Bank Secrecy Act, as they do with all accountholders, based on risk. [T]he Bank Secrecy Act does not require, and neither does FinCEN expect, banking institutions to serve as the de facto regulator of the money services business industry any more than of any other industry. Effect of FinCEN s 2014 guidance has been limited Still extremely difficult to find a bank willing to provide services to MSBs. 17

18 Application to Virtual Currencies In many states, a license is required to receive monetary value for transmission. Monetary value is typically defined as a medium of exchange, whether or not redeemable for money. Bitcoin and most general purpose digital currencies qualify. Exchanges/hosted wallets that receive and hold digital currencies, sell digital currencies, or exchange digital currencies are potentially subject to licensing. Providers of noncustodial wallets generally are not subject to licensing. 18

19 MSB Laws Don t Work With Digital Currency Service Providers MSB laws require licensees to hold permissible investments equal to outstandings. PIs generally include cash, bank deposits, and various high-quality, liquid investments. In no state do digital currencies qualify as PIs. For traditional money transmitters, the funds received from customers serve as the PIs. Ensures one-to-one match of outstandings to PIs. Can t use Bitcoins or other digital currencies as PIs, meaning that PIs to back up digital currency outstandings need to come from other sources. New York BitLicense rules address this. Other states have explicitly brought digital currencies under their laws without addressing this issue. 19

20 MSB Laws and Digital Currency Service Providers Lodestar of AML policy is transparency but many digital currency systems are anonymous by design. Verifying identity of counterparty in a digital currency transaction is difficult Most decentralized digital currency systems are anonymous by design. How do you verify that the counterparty isn t on the OFAC list? 20

21 CONVERGENCE OF FINANCE AND TECHNOLOGY 21

22 FinTech What s Happening at the CFPB Fostering Innovation? Project catalyst Trial Disclosures No Action Letters Marketplace Lending & the CFPB Dwolla Consent Order 22

23 Fostering Innovation? Project Catalyst November 2012 Initiative designed to encourage consumer-friendly innovation and entrepreneurship in markets for consumer financial products and services. Lack of concreteness Forum for communication with industry Office hours Let s collaborate Means for CFPB to gather information/data What s in it for industry? 23

24 Fostering Innovation? Project Catalyst Sharing data with CFPB BillGuard; Plastyc; Simple Data in; nothing out Research Early intervention credit counseling (BarclayCard and Clarifi) Tax Time Savings (H&R Block) Promoting Savings by Prepaid Card Users (American Express) Most recent announcement: Dec

25 Fostering Innovation? Trial Disclosures October 2013 Legal safe harbor for testing approved trial disclosures to consumers New disclosures or delivery methods Safe harbor from federal law enforcement and private rights of action Commitment to work with state regulators Approved trial programs to be publicly identified None to date 25

26 Fostering Innovation? No Action Letters February 2016 Limited scope: substantial regulatory uncertainty, e.g., where product involves new technologies that did not exist when regulations adopted No safe harbor: No Action Letter only states that staff has no present intent to recommend enforcement or supervisory action; non-binding and revocable Substantial disclosure by applicant: disclose consumer risks, share data, NAL and request summary made public Surprise: None to date 26

27 CFPB and Marketplace Lending Complaints Larger Participant Rule coming Big Data FTC Report ECOA: disparate impact risk in use of big data FCRA: what is a consumer report? Adverse action/risk-based pricing notices Anonymized data fn 85 Reg E required use 27

28 CFPB & Marketplace Lending UDAAP Use of data (Compucredit) Sale of data (Lead Publisher; Sequoia One) Information security (Dwolla) Federalizing Usury? True Lender and Madden CashCall A Perfect Storm? 28

29 CFPB: Dwolla Online payment network Alleged misrepresentations: safe and secure ; safer than credit cards; exceeds or surpasses industry standards; sets a new precedent for the industry for safety and security ; PCI compliant Findings: Failed to: employ reasonable and appropriate measures to protect data from unauthorized access, adopt and implement reasonable and appropriate data security policies and procedures, & ensure employees properly trained Not all information encrypted; not PCI compliant 29

30 CFPB: Dwolla Claim of deceptive conduct No consumer harm; no data breach Prescriptive remedies Not limited to alleged deceptive conduct reasonable and appropriate data-security measures Risk assessments, training, customer authentication procedures, data-security audit Message: CFPB plans to be active in this space 30

31 CYBERSECURITY RISKS AND MITIGANTS 31

32 Cybercrime is Where the Money Is.... Now Organized cybercriminals around the world monetize crimes compromising the confidentiality, integrity, or availability of information and systems. Then When asked why he robbed banks, Willie Sutton supposedly answered, I rob banks because that s where the money is.

33 Cyber Threats are Evolving 33

34 34

35 Regulatory Enforcement Actions and Lawsuits 35

36 36

37 Implementing a Written Information Security Program Assessment* Regulatory obligations Contractual obligations Industry best practices Threats Likelihood Impact Existing plans and programs Systems *The specific elements of a WISP will depend upon the organization, its business and its regulators, among other factors. 37 Data maps and flows Where does data come from? How sensitive is it? Why do you gather it? Where is it stored? Who has access to it? Data analytics plans Data licenses Data lakes

38 Implementing a Written Information Security Program Selected Elements* Regular cybersecurity audits Regular risk assessments Adoption of risk management standards (such as ISO 27001) Employee training General and specific Tracking of employee training Training effectiveness assessment *The specific elements of a WISP will depend upon the organization, its business and its regulators, among other factors. 38 Disciplinary measures Encryption of sensitive data Physical security of locations, systems and records containing sensitive data Ability to preserve and produce data in litigation without inadvertent disclosure Cloud computing policy

39 Implementing an Effective Incident Response Capacity The Written Plan A written computer security incident response plan ensures that business priorities guide the response function. This plan should: Clearly state goals and objectives; Categorize incidents to which the plan applies; Establish incident severity categories and corresponding levels of deployment; Identify response team members and their respective roles; and Provide a structure that enables agile decision-making by the response team. The plan must be regularly assessed and revised as necessary to reflect new assets, business activities or technologies. 39

40 Implementing an Effective Incident Response Capacity The Team EXTERNAL SUPPORT Software and Hardware Vendors Internet Service Providers Outside Counsel EXTERNAL TEAM INTERNAL TEAM Information Technology & Security Corporate Counsel and Compliance Communications Business Management Other: Customer Care; HR; Physical Security; Investor Relations Forensics Expertise Industry Working Groups Insurance Providers Crisis Communications Specialist Law Enforcement Other Government Agencies

41 The Need for a Proactive Enterprise-Wide Approach Manage regulatory and compliance risk; Establish a written information security plan; Ensure effective cybersecurity through vendor and customer agreements; Prepare for incidents; Limit exposure to regulatory enforcement and private litigation; and Engage with appropriate industry and government stakeholders. 41

42 Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe-Brussels LLP both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC ); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.