LATEST REGULATORY DEVELOPMENTS IMPACTING
THE FINANCIAL SERVICES INDUSTRY
FINRA has announced that it is conducting a targeted examination of broker-dealer practices related to retail communications about “crypto asset” products and services. As part of this sweep, FINRA is asking broker-dealers for all retail communications that were distributed or made available by a broker-dealer or its affiliates on behalf of the broker-dealer that refer or relate to crypto assets or services involving crypto transactions or the holding of cryptocurrency during the period of July 1, 2022, to September 30, 2022.
The Financial Crimes Enforcement Network (FinCEN) of the US Department of the Treasury issued a final rule on September 29, 2022, implementing the bipartisan Corporate Transparency Act’s beneficial ownership information reporting provisions. What’s noteworthy is that FinCEN used this as an opportunity to expand the definition of beneficial ownership to include any individual who exercises substantial control over the reporting company.
New cryptocurrency legislation awaits California Governor Gavin Newsom’s signature after passing the California Assembly on August 30, 2022. If signed into law, California’s Digital Financial Assets Law would create sweeping requirements that, among other things, would mandate that digital asset exchanges and crypto companies obtain licenses to operate within the State of California, but not until January 2025, as described in more detail below. Many observers have compared the new California legislation to New York State’s BitLicense regulation, which was adopted in 2015.
As of August 11, 2022, approval is now required by the UK Financial Conduct Authority (FCA) before acquiring direct or indirect control of an FCA-registered cryptoasset business. Failure to attain such approval is a criminal offense. This is due to the UK Money Laundering Regulations (MLRs) having been updated to apply the change in control regime under Part 12 of the Financial Services and Markets Act 2000 (FSMA), as modified by Schedule 6B of the updated MLRs, to FCA-registered cryptoasset exchange providers and custodian wallet providers.
Driven by an increase in online and mobile app shopping during the COVID-19 pandemic, the “buy now, pay later” (BNPL) market has experienced exponential growth. BNPL is a type of short-term financing that allows consumers to make purchases and pay off the balances in typically interest-free, small-dollar installments.
More than six years after it was decided, the practical consequences of the US Court of Appeals for the Second Circuit’s Madden v. Midland Funding, LLC decision continue to diminish. The decision—which held that, under some circumstances, a loan originated by a bank became subject to state usury laws once transferred to a non-bank—implicitly rejected the long-standing doctrine of “valid when made” and once threatened to upend the lending industry. It has been repeatedly narrowed and rarely expanded.
On January 5, the Consumer Financial Protection Bureau (CFPB or Bureau) issued a report detailing consumer complaint deficiencies by the national credit reporting agencies (NCRAs). Specifically, the CFPB found that, in 2021, the NCRAs together reported relief in response to less than 2% of covered complaints, down from nearly 25% of covered complaints in 2019. The CFPB noted three fact patterns believed to lead to inaccurate consumer credit reporting and thus potentially the denial of credit or offer of credit on less favorable terms.
The three federal banking agencies (i.e., the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency—collectively, the Agencies) published a final rule (the Rule) on November 23, 2021, requiring “banking organizations” to notify their primary federal regulator within 36 hours in the event of certain types of computer-security incidents. The Rule separately requires “bank service providers” to notify banking organization customers as soon as possible in the event of any incident that has or is reasonably likely to materially affect those customers for four or more hours.
As highlighted previously, three federal banking agencies (the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency) recently issued proposed risk management guidance regarding third-party relationships (Proposed Guidance). Among other things, the Proposed Guidance specifies that banking organizations should adopt third-party risk management processes that are commensurate with the identified level of risk and complexity from the third-party relationships, and with the organizational structure of each banking organization.
The proposed guidance also identifies principles that are applicable to each stage of the third-party risk management life cycle, including: (1) developing a plan that outlines the banking organization’s strategy, identifies the inherent risks of the activity with the third party, and details how the banking organization will identify, assess, select, and oversee the third party; (2) performing proper due diligence in selecting a third party; (3) negotiating written contracts that articulate the rights and responsibilities of all parties; (4) having the board of directors and management oversee the banking organization’s risk management processes, maintaining documentation and reporting for oversight accountability, and engaging in independent reviews; (5) conducting ongoing monitoring of the third party’s activities and performance; and (6) developing contingency plans for terminating the relationship in an effective manner. The proposed guidance provides extensive details on all the above identified principles.