Surrogate Regulators: The Vendor Management / Fintech Connection
If you build it, they will regulate it—but should they?
That’s a question financial institutions should be asking as agencies like the Consumer Finance Protection Board (CFPB) and Office of the Comptroller of the Currency (OCC) jockey to regulate Fintech firms.
On its surface, it may seem like the obvious answer is yes—that regulators should work to ensure Fintech companies follow the same laws, rules and regulations as their traditional counterparts to protect consumers and ensure the integrity of the financial system.
Yet Fintech is a broad term. On the one hand, it includes a huge swath of nonbank payment and technology providers that often compete directly with banks and credit unions while piggybacking on existing payments networks—everything from Square and Lending Club to Venmo and PayPal.
On the other side are the third-party vendors and partners that enable regulated financial institutions to compete. This includes everyone from mobile banking and digital wallet providers to core vendors. It’s a huge umbrella.
Some might say that every one of these vendors needs to be regulated, but I’d argue that many of them already are—particularly those that provide products and services to regulated banks—thanks to existing vendor management regulations.
Banks and credit unions are ultimately responsible for the actions and activities of their third-party providers. Financial institutions are required to ensure vendors are meeting regulatory requirements. That includes:
- risk assessments
- policies and procedures
- IT security
- data confidentiality
- financial stability
- disaster recovery
Financial institutions conduct considerable vendor due diligence, carefully monitoring third-party vendors and collecting a long list of documentation including Statement on Standards for Attestation Engagements 16 (SSAE 16s), disaster recovery plans and tests, incident response plans and tests, financials, summary findings and evaluations. They work to ensure vendors are meeting specific, measurable performance standards. Through the examination of banks and credit unions, regulators are essentially examining these third-party Fintech companies.
But what about nonbank competitors? The CFPB is on the job. While the CFPB has examination authority over financial institutions with $10 billion or more in assets, it’s also tasked with policing financial transactions conducted in the shadows of the system. It’s clear the agency has included Fintech companies in this mandate—taking full advantage of its enforcement authority using the Consumer Financial Protection Act’s unfair and deceptive practices provisions.
Just this October the agency ordered online lender Flurish, Inc. (doing business as LendUp) to refund customers $1.83 million and pay a $1.8 million civil penalty for not giving customers the promised opportunity to build credit and access cheaper loans—violating the Truth in Lending Act and Reg Z, among others. Earlier this year the agency hit online payment system Dwolla with a $100,000 penalty for “deceiving consumers about its data security practices and the safety of its online payment system.”
The CFPB is also reaching out to Fintech firms that are unclear about how specific regulations apply to their products and services as part of Project Catalyst, an effort to “promote consumer-friendly innovation” and monitor emerging trends. Part of the program allows companies to apply for a “no-action letter” to reduce regulatory uncertainty. Applicants explain their specific regulatory concerns and how their innovation will help consumers. If all seems well under the specific regulation inquired about, the CFPB will provide a letter stating “staff isn’t planning to recommend initiation of supervisory or enforcement action.”
With financial institutions providing a de facto exam of Fintech vendors and the CFPB tackling other innovators, there’s already a good balance between financial institutions, regulators and Fintech firms.
That’s why I question the necessity of adding another regulator to the mix. The OCC’s Office of Innovation is expected to begin operating next year, but its approach is ironically not very innovative—using the same slow methodology and comment approach it’s used for years compared to the more forward-thinking CFPB. It began by announcing plans to develop a framework for evaluating new and innovative products and services in August 2015 and finally released them this October. There’s also been talk of a “future fintech charter” issued by the OCC, American Banker reports.
Will adding another level of regulation to Fintech companies improve the outcome for customers or banks? Unlikely. In fact, it might even put banks out of business. Think about it: If the OCC directly regulates Fintech distributors, what’s to stop them from offering their products and services directly to consumers and small businesses—cutting banks and credit unions out of the loop?
Perhaps the OCC’s attention would be better directed at its existing responsibilities, including overseeing too-big-to-fail institutions like Wells Fargo—which for years fraudulently opened close to two million customer accounts under the regulator’s watch.
With the CFPB on the job and the increased scrutiny financial institutions have placed on third-party vendors, it seems unnecessary—and maybe even a fatal mistake—for the OCC to join the fray. Others have already taken on the task.