In the final installment of the four-part "Payments Year in Review" series, hosts Keith Barnett and Carlin McCrory discuss significant enforcement actions and regulatory trends. The discussion begins with the increased scrutiny from the Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC) on bank and nonbank partnerships, emphasizing sound risk management and compliance. Key themes include third-party risk management, board governance, Bank Secrecy Act/Anti-Money Laundering compliance, and liquidity risk. The episode also addresses the proposed FDIC deposit insurance record-keeping rule.
The discussion then shifts to Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB) enforcement actions, highlighting more than 50 actions in 2024, many involving payment elements. The CFPB primarily targeted Regulation E violations and overdraft fees, while the FTC focused on telemarketing sales rules, chargeback rates, and returns. It is anticipated that regulatory enforcement will be lighter in 2025 due to the administration change.
Payments Pros – The Payments Law Podcast
2024 Payments Year in Review: CFPB and FTC Regulatory Trends – Part Four
Hosts: Keith Barnett and Carlin McCrory
Aired: February 20, 2025
Keith Barnett:
Welcome to another episode of Payments Pros, a Troutman Pepper Locke Podcast, focusing on the highly regulated and ever-evolving payment processing industry. This podcast features insights from members of our FinTech and payments practice, as well as guest commentary from business leaders and regulatory experts in the payments industry. My name is Keith Barnett, and I’m one of the hosts of the podcast.
Before we jump into today's episode, let me remind you to visit and subscribe to our blog, TroutmanFinancialServices.com. And don't forget to check out our other podcasts on troutman.com/podcasts. We have episodes that focus on trends that drive enforcement activity, digital assets, consumer financial services, and more. Make sure to subscribe to hear the latest episodes.
Today, I'm joined here with co-host, Carlin McCrory, for the final part of our review of the 2024 payments landscape, as well as our predictions for what we may expect in 2025. Carlin, thank you for joining me today. Let's just jump right into this, and discuss the enforcement actions that we saw in 2024.
Carlin McCrory:
Thanks, Keith. Today, I'm predominantly going to talk about enforcement from the FDIC and OCC, broadly speaking. To set the stage for my portion of the conversation today, regulatory scrutiny of bank and non-bank partnerships has grown significantly over the past 18 months. The scrutiny follows a number of pronouncements in the preceding years emphasizing the need for banks that enter into these FinTech partnerships to ensure that they conduct their program safely, soundly, and in compliance with applicable law.
Going back to June of 2023, guidance said that the use of third parties can offer banking organizations significant benefits, such as quicker and more efficient access to technologies, human capital, delivery channels, product services, and markets. But the federal bank agencies also cautioned that the use of third parties does not remove the need for sound risk management. So, this guidance sets the stage for what the bank regulatory agencies are looking for. And the guidance states that business relationships with third parties engaged in lending, payment, or deposit activities for the benefit of the bank, or through the bank, should be evaluated by banks using both the third-party risk management guidance and the various risk management processes and rules that apply to traditional lending, payments, and deposit relationships.
Ultimately, the focus is on managing these risks associated with third parties. And the regulatory scrutiny that is meaningful to us has been focused on these banking-as-a-service partnerships. The regulators have made it clear that the use of third parties doesn't in any way diminish or remove a bank's responsibility to perform all of the activities in a safe and sound manner, and in compliance with applicable law, including those related to consumer protection, so UDAP, and security of customer information.
Ultimately, to the extent that a bank uses a third party, the bank can't outsource its responsibility for compliance. As we all know, the bank is ultimately responsible for the activities of any third-party partner. Banks have to engage in this rigorous oversight of these third-party relationships that support, and I quote, "Critical activities," which those words are used in that June 2023 guidance. These critical activities are activities that cause significant risk, have significant customer impact, or have a significant impact on the organization's finances or operations.
What are some important factors to consider when structuring third-party risk management processes? These would be things like oversight and accountability, periodic independent reviews, effective documentation and reporting. The guidance also emphasizes the importance of due diligence, which should be conducted in business experience and qualifications, financial condition, legal and regulatory compliance, risk management and control processes, information security, and operational resilience. So, most of the public enforcement actions, except for a few of the most recent, are based on BSA/AML issues, or failure to comply with specific consumer protection laws.
Many involved the engagement of an intermediary BaaS provider between the bank and the ultimate non-bank third party, or end user, end customer. Some of these are troubling because they are primarily based on the general failure of the bank to properly conduct these programs, and they weren't necessarily tied to specific BSA or specific compliance failures. The orders were broad and just stating that the programs weren't conducted adequately. There are also numerous informal enforcement actions, board resolutions, and MOUs, and other scrutiny being applied to these types of partnerships. All of these actions and the guidance should impact how a bank in this space is setting up and operating their program, and FinTechs who are looking to partner with banks, or who maybe already are partnered with banks, should take heed, and also look at these enforcement actions so they know what the regulators are looking for.
There's certainly a lot of lessons to be learned from these orders to be applied to risk management processes, as well as the contracts that banks enter into with their FinTech partners. It's critical to keep in mind that all of the orders emphasize that third-party relationships, and risk, and compliance management are corporate governance issues.
When we look at the enforcement actions from 2024, we see some general themes here out of the orders. Some broad themes are third-party risk management and oversight, which I'll get into a little more detail. General board governance in all aspects, BSA/AML. This includes not only for third-party partners, but more broadly, as it applies to the bank, just general internal controls, risk management systems, having an adequate compliance program. Some of the orders required SAR look backs to make sure that all SARs that should have been filed were filed.
Liquidity risk and capital preservation were also themes within the orders. But more specifically, as it relates to third-party risk management of these bank-FinTech partnerships, the orders look at a variety of different things and mention a variety of different things, including conducting appropriate due diligence on each partner, which should be specific to each partner as well. Strengthening board oversight of these programs, ensuring management knowledge and expertise to implement and manage these types of programs, and execute on the bank's compliance management systems.
Updating policies and procedures to contemplate third-party involvement in bank activities. Monitoring some sort of ongoing compliance with the agreements and applicable law through testing and compliance assessments. Ensure that program changes are appropriately reviewed, and access to account level information during program operation and on an ongoing basis, which I'll talk a little bit about the proposed record keeping rule in a minute. Then, ensuring that partners respond to information requests thoroughly and promptly with consequences for failures to respond promptly.
Overall, I just threw at you all a lot of different information and factors, but a lot should go into each one of these partnerships, and a lot of thought goes into the contracts as well between the partners. And a large number of partner banks are under formal enforcement by their primary federal banking regulator when you look at the banks who are working in the bank FinTech space.
Moving on to that deposit insurance record-keeping rule that I just referenced. The purpose of this rule, which currently, as I'm talking today is in proposed form. The purpose is for an FDIC-insured depository institution that has, and I quote, "Custodial deposit accounts with transactional features is required to maintain records of beneficial ownership in a specified format." So, ultimately, the goal of this rule is looking at some of these bank FinTech partnerships to make sure that the bank has direct, continuous, and unrestricted access to the records in the data format specified in the rule.
This rule stems from the Synapse failure where there were core records kept for the consumers or the ultimate customers, if you will. The FDIC wants to make sure that these banks who are in these FinTech partnerships have constant access to the balance of each customer. In addition, the rule requires that there must be continuity plans, including some backup, record keeping, and technical capabilities to ensure compliance. The proposed rule also requires implementation of appropriate internal controls to accurately determine your respective beneficial ownership interests associated with each custodial deposit account. And conduct reconciliations against the beneficial ownership interests or records no less frequently than the close of each business day.
There are also some requirements for the contractual arrangement between the FinTech and the bank. Ultimately, like I said, this is all for FDIC insurance purposes, and making sure that these banks can have access to the customer records. Because the biggest problem with Synapse is that Synapse was not a bank. When it failed, there was no FDIC insurance to cover all of these customers. Rather, the banks are all still operational, but we're trying to determine who is owed what amounts of money. So, the banks must have access to that information.
One of the things that I've heard FinTechs and banks concerned about with this rule is there is a very specific required formatting for the information within the proposed rule. There's been some pushback because we certainly have plenty of bank FinTech partners who are providing this direct, continuous, unrestricted access to information without it being in a prescribed format. Ultimately, even with the administration change, I do think we will see some form of this rule finalized, but it may have some changes due to the administration change.
The other proposed rule that I want to very briefly discuss is the proposed Brokered Deposit Rule. On July 30, 2024, the FDIC proposed substantive changes to the 2020 Brokered Deposit Rule. Brokered deposits are any deposits that are obtained, whether directly or indirectly, from or through the mediation or assistance of a deposit broker. The proposed rule seeks to undo large chunks of this 2020 rule by doing a host of different things. I think, in sum, instead of going into detail about the proposed rule, the good news here is, we are all suspecting that with the administration change that this proposed rule will die.
Keith Barnett:
Thanks, Carlin. That was great. That was an interesting overview of what happened last year. For my part, I'm going to talk about the FTC and CFPB enforcement actions in 2024. I'm not going to refer to specific enforcement actions for various reasons, but chief among them in the interest of time. Instead, I'm going to talk about trends from both the FTC and the CFPB. And if you want specifics, keep in mind that we have done podcasts on specific FTC and CFPB enforcement actions. So, if you want specifics, then, you can just go back and listen to our prior podcasts.
For 2024, the CFPB and the FTC initiated over 50 enforcement actions between the two of them. Out of all of these enforcement actions, only a handful of them were actually specific to payments. But a good bit of them actually had some sort of payments element to it. So, you can get a lot out of these just few that were specific to payments and even those that were not specific to the payments or a payment processor, just by looking at the common themes.
For example, the CFPB initiated enforcement actions against both banks and FinTechs. Common theme there with the CFPB was that it was looking at potential Reg E violations. Even when a Reg E violation was not clear from the plain language of Reg E, the CFPB would shoehorn a UDAP issue if it could not find a specific Reg E violation against the bank or the FinTech. An area that the CFPB has been continuing to look at includes overdraft fees by the bank when a person had sufficient funds in the account at the time the transaction was initiated, but not at settlement. The CFPB has been hitting on that for the past several years and continues to see that as a potential UDAP violation.
On the FTC front, we did see FTC enforcement actions against FinTechs, and the FTC was focusing on the telemarketing sales rule. Now, stripping aside whether or not the FinTech's activities actually fell within the telemarketing sales rule, if you look at the theme in these enforcement actions, you'll see that the FTC was looking at two things, and those are chargeback rates and returns.
With respect to returns, the FTC used NACHA as the guideline, the NACHA rules as the guideline in particular. Even though the NACHA rules are specific industry rules and not federal or state law, you'll see that the FTC used the return rates for NACHA as kind of the guidepost. Similarly, when it comes to chargeback rates with respect to any type of card activity, interestingly here, but it's also consistent and on theme for the FTC, is that the FTC used the Visa standard when it came to whether or not it believed that chargeback rates were excessive. Like I said, if you want more specifics and specific enforcement actions, you can just go back to our prior podcast and listen to those specific enforcement actions.
But also, both the FTC and the CFPB initiated enforcement actions against non-banks and non-FinTechs for alleged violations of the rules that control their particular industries. But keep in mind that there is a payments bent to these even though the payment processor or the banks were not subject to the enforcement actions. For example, there were several enforcement actions against debt collectors for alleged unlawful collection activities. These are things that processors and banks should keep in mind because the processors and banks are processing payments for these debt collectors.
So, when you are doing that, you want to look back at some of the things that are themes in the actual enforcement actions against both the banks and FinTechs. For example, return rates if you do service a debt collector. Another theme here were cards that had Truth in Lending Act related disclosures and issues. So, even though these are not direct payments related issues, these are things related to the lenders, and what the lenders are disclosing to their customers. Once again, if these are cards, whether it be virtual, or plastic, or in these days metal, keep in mind that there are disclosure issues that are there.
So, finally, I'll close my part of this by talking about very briefly at a high level that there were two lawsuits that were filed by the CFPB in December against payments-related companies or payments-related issues against both banks and FinTechs. I'll put it that way. As of the date of this recording, there is no settlement, and it appears that the defendants are going to fight. We will see if the CFPB will keep up with the enforcement actions that it recently filed in light of the expected regime change in 2025. I personally am not expecting the CFPB to really pursue these outstanding enforcement actions hard, but we will see what happens because 2025, I expect to see lighter regulatory enforcement and more deals in the payments industry. And if you're going to have lighter regulatory enforcement, I'm pretty sure the CFPB and the FTC are going to look to see if it's really worth pursuing the enforcement actions that they initiated in 2024.
Carlin, thank you for joining me today and thank you to our audience for listening to today's episode. Don't forget to visit our blog, TroutmanFinancialServices.com and subscribe so you can get the latest updates. Please be sure to also subscribe to this podcast via Apple Podcast, Google Play, Stitcher, or whatever platform you use. We look forward to the next time.
Copyright, Troutman Pepper Locke LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper Locke. If you have any questions, please contact us at troutman.com.