NAFCU letter to OCC on “Exploring Special Purpose National Bank Charters for Fintech Companies”
WASHINGTON, DC (January 13, 2017) — Thomas J. Curry
Comptroller of the Currency
Office of the Comptroller of the Currency
400 7th Street, S.W.
Washington, D.C. 20219
Re: Exploring Special Purpose National Bank Charters for Fintech Companies
On behalf of the National Association of Federally-Insured Credit Unions (NAFCU), the only national trade association focusing exclusively on federal issues affecting the nation’s federally-insured credit unions, I would like to share with you NAFCU’s thoughts on the recent fintech chartering proposal published by the Office of the Comptroller of the Currency (OCC), entitled “Exploring Special Purpose National Bank Charters for Fintech Companies.”
NAFCU represents over 800 of the nation’s federally-insured credit unions, all of which strive to provide their members with the products and services they need to achieve their individual financial goals. As member-owned, not-for-profit cooperatives operated by volunteer boards, credit unions offer the best means of obtaining credit as a result of their unique structure. Credit unions have traditionally leveraged close community relationships to deliver their own brand of personalized underwriting, and have for many years extended cooperative and provident credit to needy consumers through signature loans and other arrangements. These same methods, packaged within proprietary and automated systems, now arrive on a national scale in the form of “fintech,” a term that the OCC has yet to concretely define. Credit unions are familiar with the success of fintechs because they employ many of the same strategies with great success on a local scale. However, NAFCU and our members are also concerned that fintech companies may seek to take advantage of their special status to avoid compliance with important consumer protection and safety and soundness regulations. Accordingly, NAFCU supports the OCC’s proposal to more closely regulate fintech companies.
General Comments
NAFCU supports the OCC’s initiative to offer fintech companies the opportunity to obtain a special purpose bank charter. Innovation in financial services and technology contributes to the growth of the entire financial sector. However, NAFCU believes that fintech companies require a minimum level of regulation and supervision to ensure fair competition and consumer protection. Although individual business models may vary among what the OCC has broadly termed “fintech companies,” maintenance of minimum capital and liquidity levels is essential to protect the safety and soundness of the entire financial community. NAFCU agrees that baseline capital and liquidity requirements should apply to all chartered fintechs.
NAFCU also believes that chartered fintech companies should be held to the same consumer protection laws as chartered banks and credit unions, and that the OCC should only deviate from such uniformity in extraordinary circumstances. In addition, the OCC should develop notice and comment procedures for soliciting public input on proposed fintech charters that seek to modify a company’s obligations under any consumer financial protection regulation. Likewise, any decision by the OCC to tailor supervisory standards based on a fintech company’s business model should be made available for public inspection.
If fintech companies can demonstrate that a particular business model can operate successfully with streamlined or alternative supervisory standards, then other financial regulators, as well as the public, should be able to access OCC records supporting such a determination. Such a process of adoption and streamlining will be facilitated if other regulators are permitted to review the OCC’s decision making documents that discuss how supervisory standards might be tailored to a fintech applicant’s circumstances, complexity and business model.
Fintech companies must be held to the same consumer protection standards as other financial institutions.
While NAFCU firmly believes that the regulatory climate for credit unions has grown oppressive since the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act), we have long supported the intent and protections captured in consumer lending laws, such as the Truth in Lending Act (TILA). Online lenders, however, are not always subject to important consumer protection laws. As such, they often benefit from more nimble operations and lower compliance overhead since they are not burdened by the same disclosure practices and underwriting standards of credit union or bank lenders. In the past, NAFCU and our members have urged Treasury and other financial regulators to promulgate rules that require online market lenders to meet regulatory requirements such as the protections of TILA, underwriting standards for loans, and applicable state usury laws. The OCC’s creation of a special purpose charter, while not a total solution, represents a step in the right direction.
NAFCU appreciates the OCC’s attention to a rapidly growing industry that has so far capitalized on a very favorable regulatory environment. The fintech market consists largely of peer-to-peer lenders, aggregators, hedge funds, and other non-bank entities that have benefited from the limited reach of consumer protection laws. While the current environment has promoted rapid growth of fintech companies, NAFCU and our members are concerned that consumers may be on the receiving end of a bad bargain. It remains unclear whether unregulated online lenders are providing full disclosure about the terms and fees of loans they originate, or whether novel forms of underwriting operate with sensitivity to fair lending laws. In addition, there are some online lenders that originate loans across the country but choose to underwrite the loans in a state that does not have a usury cap. NAFCU urges the OCC to carefully study and identify the practices that online lenders are engaging in to circumvent consumer protection laws and underwriting standards before they are granted a charter.
Fintech companies should be subject to heightened cybersecurity standards.
In a joint advance notice of proposed rulemaking (ANPR) issued in October 2016, the OCC outlined “Enhanced Cyber Risk Management Standards” that would ensure minimum levels of resiliency for financial entities and their partners. See Office of the Comptroller of the Currency, Enhanced Cyber Risk Management Standards, 81 Fed. Reg. 74315 (Oct. 26, 2016). These standards are designed to ensure, among other things, the safety of sensitive consumer information in a highly interconnected financial system. With respect to who will ultimately be subject to these enhanced standards, the OCC noted that “covered entities” may encompass third parties that operate as part of “sector-critical systems.” Id. at 74319. The OCC has stated that providers of financial technology services to participants in the financial sector are “vital to the financial sector.” Id. at 74316.
NAFCU believes that fintech companies stand to play a vital role in the financial sector and their cybersecurity standards should reflect the increased risk of handling and processing large volumes of financial data online. If fintech companies are to be entrusted with aggregating millions of consumer records and information—both financial and non-financial in some instances—then they should be held to the same high standards as banks and credit unions of similar size and complexity.
Of course, not all fintech companies may wish to obtain a special purpose charter. As states like New York begin to develop their own cybersecurity standards, fintech companies may find it expedient to adopt a patchwork of state-developed frameworks and policies, undermining the success of the NIST Cybersecurity Framework and the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT). In order to ensure that all financial sector entities are held accountable to the same baseline cybersecurity requirements, the OCC should reserve chartering for fintechs that can demonstrate high levels of cybersecurity maturity based on the domains identified in the CAT. NAFCU believes that such a requirement will ensure greater sector harmonization of the cybersecurity standards developed by the FFIEC.
Enhanced cybersecurity standards for chartered fintech companies would also offset the risk associated with a potential Consumer Financial Protection Bureau (CFPB) rulemaking on access to consumer financial records. See Consumer Financial Protection Bureau, Request for Information Regarding Consumer Access to Financial Records, 81 Fed. Reg. 83806, 83809 (Nov. 2016). In its request for information, the CFPB states that it is “concerned…that some market participants may decide to restrict consumer permissioned access to data in ways that undermine consumer interests identified in section 1033 [of the Dodd-Frank Act].” See id. The CFPB appears to endorse a data regime where consumers can freely share transaction histories and other records with financial aggregators on a mostly unrestricted basis—consistent with section 1033 of Dodd-Frank. Although the CFPB acknowledges security problems associated with its consumer-centric view of data ownership, fintech companies should be held to standards that ensure that the transfer of consumer records among aggregators and other companies is accomplished safely and without risk of theft or loss.
Conclusion
NAFCU recognizes that the OCC’s decision to offer fintech companies a special purpose national bank charter is only the first step towards developing a fair playing field for all financial sector participants. As the OCC begins to identify requirements for prospective charter applicants, it should ensure that online lenders, aggregators and other non-bank entities that seek the benefits of a charter are generally held to the same consumer protection and data standards as banks and credit unions.
NAFCU believes that while there is merit to a flexible regulatory regime for companies offering innovative services and products, flexibility must be tempered with concern for overall sector stability. Fintech companies may unlock unprecedented growth but may also represent unprecedented risks. The OCC should ensure that innovation is both responsible and fair, and should take steps to ensure that the safety of the financial system is the work of all sector participants. NAFCU appreciates the chance to submit comments regarding the OCC’s proposed fintech charter. Should you have any questions or concerns, please do not hesitate to contact me at amorris@nafcu.org or (703) 842-2266.
Sincerely,
Andrew Morris
Regulatory Affairs Counsel
About NAFCU
The National Association of Federally-Insured Credit Unions is the only national trade association focusing exclusively on federal issues affecting the nation’s federally-insured credit unions. NAFCU membership is direct and provides credit unions with the best in federal advocacy, education and compliance assistance. For more information on NAFCU, go to www.nafcu.org or @NAFCU on Twitter.