Post on 02-Oct-2020
dwt.com
What to Expect When You're Expecting…
To Develop a Mobile Payments Solution with a Financial Institution
Karen Ross
Overview
Mobile Payments Ecosystem
Regulatory Oversight
– OCC – Third Party Relationship Risk Management Guidance
– CFPB – Enforcement Policy
CFPB’s Project Catalyst
Pros and Cons
MOBILE PAYMENTS ECOSYSTEM
Mobile Payments Ecosystem
High Profile Players – who is doing the engaging?
Staged digital wallet using NFC-HCE
Online wallet with off-line capabilities
Pass-through NFC digital wallet
E-commerce digital wallet
In-app Payments
Retailer mobile wallet group
High Profile Players
Apple’s Pay NFC debit/credit wallet app
Facebook’s two-step mobile checkout for digital content
Sprint’s Touch wallet
Amex’s Serve platform (repurposed as a wallet)
Burger King wallet (with Firethorn)
Starbucks prepaid card/wallet app
Mobile Payments Deployments
Near-field communication (NFC)
Cloud-based
Hybrid
Closed-loop
POS
Remote (mobile app or browser)
“In app”
Running the Maze
Business of banking / Deposit-Taking
Truth in Lending Act / Reg Z
Regulation B
Bank Secrecy Act
OFAC
Reg D
Truth in Savings Act
Regulation II
Gramm-Leach-Bliley Act
Fair Credit Reporting Act
Data breach/security
FDIC Deposit Insurance
E-SIGN Act
Unfair, Deceptive or Abusive Acts and Practices Laws
State Money Transmitter Laws
State Privacy and Security Statutes
Card brand rules
Gift card
Anti-Money Laundering Compliance
OFAC
TISA/Reg DD
Reg CC
Escheat
Durbin Amendment
Identity-Theft Red Flags
Check 21
Truth in Billing
Electronic Fund Transfer Act / Regulation E
Regulation DD
OCC: THIRD PARTY RISK MANAGEMENT GUIDANCE
What to Expect …
Risk Management Life Cycle
Planning
Assess the complexity of the deal
Compare potential financial benefits to costs needed to control risks
Nature of service provider’s interactions with bank’s customers, including access to customer information, complaints, etc.
Applicability of certain laws, including BSA/AML, privacy, and information security
Identify inherent risks of outsourced activity
Assess impact on strategic goals, objectives, and risk appetite
When critical activities are involved, present deal to board and obtain board approval
Bank due diligence of service providers
Strategies and goals – ensure third party’s strategies and goals do not conflict with the bank’s
Legal and regulatory compliance – ensure third party:
– Is properly licensed;
– Has the expertise, processes and controls to enable the bank to remain compliant
Financial condition – review audited financial statements
Business experience and reputation – assess work history, including customer complaints or litigation, time in business, changes in activities or business model
Fee structure and incentives – avoid burdensome upfront fees or inappropriate risk taking
Qualifications, backgrounds, and reputations of company principals – including thorough background checks on senior management, employees, and subcontractors with access to critical systems or confidential information
Risk management – third party’s risk management policies, processes, and internal controls, including processes for escalating, remediating, and holding management accountable
Information security – assess experience in identifying, assessing, and mitigating known and emerging threats and vulnerabilities
Management of information systems – understand business process and technology used, including change management processes
Resilience – ability to respond to service disruptions, including disaster recovery and business continuity plans
Incident reporting and management programs – ensure there are documented processes and accountability for identifying, reporting, investigating and escalating incidents
Physical security – to ensure safety and security of facilities, employees, and technology
HR management – program to train and hold employees accountable for compliance with internal procedures
Reliance on subcontractors – volume and types of activities subcontracted, and ability to assess, monitor, and mitigate subcontractor risks
Insurance coverage – fidelity bond coverage for dishonest acts and negligence and hazard insurance for fire, loss of data, and protection of documents
Conflicting contracts with others – assess potential liability transferred to bank based on agreements to indemnify others
Bank contracts with third parties should generally specify the following:
Nature and scope of the arrangement – frequency, content, and format of the service provided, including ancillary services, the location of performance, and terms of use of the bank’s information, facilities, systems, etc.
Performance measures or benchmarks – namely conformance with regulatory standards through incentives for desirable outcomes and penalties for poor performance
Responsibilities for providing, receiving and retaining information – types of reports needed (performance, control audits, financial statements, BSA/AML, OFAC, etc) and when needed;
Address failure to adhere and ability to exit
Notice of financial difficulty, data breaches, compliance lapses, enforcement actions, etc.
Notice to the bank before service provider makes relevant changes, including strategic business changes
Right to audit and require remediation – bank needs the right to audit, monitor performance, and require remediation in certain circumstances
Responsibility for compliance with applicable laws – identify specific laws that service provider must comply with and grant bank compliance auditing rights
Cost and compensation – describe all compensation for services, avoiding burdensome upfront fees or inappropriate incentives that encourage excessive risk
Ownership and licensing
Confidentiality and integrity
Business resumption and contingency plans
Indemnification
Insurance
Dispute resolution
Limits on liability
Default and termination
Customer complaints – specify who is responsible for handling complaints, though bank must receive a copy of every complaint even if third party is handling the complaint
Subcontracting
Foreign-based third parties
OCC supervision – stipulate that performance of activities by external parties is subject to OCC oversight
Ongoing Monitoring
Level of monitoring and oversight depends on level of risk and complexity of relationship
Ongoing review of third parties should include:
– Business strategy issues, including reputation and litigation
– Compliance requirements
– Financial condition, including insurance coverage
– Personnel and retention of knowledge
– Risk management, as evidenced by audit reports
– Ability to respond to threats, vulnerability, disruptions, etc.
Termination
Expiration – seek an alternative, or bring the activity in house
Breach
Bank needs to plan for eventual termination, including:
– Resources needed to transition activities away from service provider
– Risks with data retention and destruction
– Handling of joint IP developed during relationship
– Reputation risk if termination is the result of the third party’s failure to meet expectations
Risks Associated with Third Party Relationships
– Operational risk
• Concentrations – when a single third party is relied on for multiple activities, or when third parties are located in the same geographic area
– Compliance risk
• When products or services are not properly reviewed for compliance with laws, regulations, or the bank’s policies and procedures
• When third party manages a product in a manner that is unfair, deceptive, or abusive
• When third party does not adequately monitor for BSA/AML or OFAC issues
– Reputation risk
• From poor service, security lapses, inappropriate sales recommendations, or violations of consumer law resulting in litigation, loss of business or negative perceptions
– Strategic risk
• From incompatibility with bank’s strategic objectives or inadequate return on investment
• From failing to perform adequate due diligence or having inadequate risk management infrastructure
– Credit risk
• From the issuance of low-quality receivables and loans
• From poor account management, customer service, or collection activities
Link to OCC’s Guidance
http://occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html
CFPB: ENFORCEMENT POLICY
What to Expect…
CFPB’S Enforcement Powers
Transferred laws:
- TILA, ECOA, FDCPA, Privacy in GLBA, RESPA, and others
12 U.S.C. 5481(12) “enumerated consumer laws”
New authority:
- Power to prohibit unfair, deceptive, and abusive acts and practices
Dodd-Frank Act § 1031 (codified at 12 U.S.C. §§ 5531(a); 5536(a)(1))
Who Is Setting UDAAP Precedent?
Cop on the Beat
CFPB’s enforcement action count (complaints and settlements):
– 2012 – 6
– 2013 – 20
– 2014 (first 6 months) – 7
UDAAP-based actions
– 16 in 2012 & 2013
• 9 were settlements
– 3 in first half of 2014
• 2 were settlements
What’s the Big Deal?
Malleable concepts that depend on facts and circumstances
– UDAAP-based rulemakings have been limited
• Remedies to enforce credit obligations
• Telemarketing
– Know it when you see it
Body of CFPB settlements – looks and feels like common law BUT:
– Lacks checks and balances
– No judge
– Subjective interpretations with little rationale
– No admissions by parties
– New policy but no notice & comment
PROJECT CATALYST
What to Expect…
What is it?
An initiative at the CFPB dedicated to supporting innovators in the development of consumer-friendly financial products and services
Three elements:
– Engagements with innovators
– Participation in CFPB policy development
– Staying on top of emerging trends to keep the CFPB a “forward-looking organization”
Pilot programs
Pitch a change to a financial regulation that would foster innovation
Collaborate with the CFPB on the development of a product or service – Three companies participating so far
• BillGuard - alerts people to questionable debit or credit card charges and helps them resolve billing disputes quickly.
– The company shares billing dispute data with the CFPB.
• Plastyc – an alternative to traditional banking
– Focus on easy deposits and access
• Simple – an alternative to traditional banking
– Explores how people can gain insight into their spending habits; gives CFPB data on what tools can encourage saving.
Trial disclosure programs
Develop a new concept disclosure and ask the CFPB for approval to test it in a live market
Apply for a compliance waiver
– But a waiver does not protect you from class action lawsuits or enforcement actions from other regulators
Extensive information sharing with the CFPB is required
No-action-letter (NAL) policy
NAL policy proposed in October 2014; comments due December 15, 2014; not expected to be finalized until spring / summer of 2015
Policy under which an applicant requests that the CFPB review a particular product or service offering that does not necessarily comply with the law and conclude that it does not have a present intention to bring an enforcement action
– Meant for product expected to be offered – not for purely hypothetical products or well-established products
– Not for issues currently pending before the CFPB
– Not for UDAAP matters
Application
– Describe product or service, timetable for release, identification of consumer benefits and potential risks compared to other products
– Must identify specific provisions of statutes and regulations creating uncertainty, along with an explanation of why they should not apply
– Must identify applicant; cannot be anonymous
Staff will review application and decide whether to issue a NAL
Limitations
– Subject to immediate modification and/or revocation
– Disclaimed as a waiver and non-binding
– Subject to retrospective enforcement in some cases
– Not binding or worthy of deference (or is it?)
NAL and supporting data to be disclosed to CFPB
Issues with the NAL proposed policy
– Very narrow range of products to which this would apply
– High threshold to show that a NAL is needed
• Must show that product modifications that would alleviate regulatory issues are not feasible
• Must demonstrate that there is no better way to address the uncertainty than a NAL
– Avowed policy to grant few no-action letters: NAL policy will be used “only rarely and on the basis of exceptional circumstances.”
– NALs are revocable by the CFPB at any time
– Confidentiality terms are unlikely to provide much comfort; innovators risk free-riding problems
– Exclusion of UDAAP issues leaves significant uncertainty for product and service providers
See DWT’s assessment of the NAL policy here: http://www.paymentlawadvisor.com/2014/10/24/cfpb-proposes-no-action-letter-policy-for-innovative-products/