What to Expect When Your Expecting…. To Develop a Mobile Payments Solution with a Financial Institution

Karen Ross, dwt.com

Transcript (38 pages)

Page 1

What to Expect When Your Expecting….

To Develop a Mobile Payments Solution with a Financial Institution

Karen Ross

Page 2

Overview

Mobile Payments Ecosystem

Regulatory Oversight

• OCC – Third Party Relationship Risk Management Guidance

• CFPB – Enforcement Policy

CFPB’s Project Catalyst

• Pros and Cons

Page 3

MOBILE PAYMENTS ECOSYSTEM

Page 4

Mobile Payments Ecosystem

Page 5

High Profile Players – who is doing the engaging?

Staged digital wallet using NFC-HCE

Online wallet with off-line capabilities

Pass-through NFC digital wallet

E-commerce digital wallet

In-app Payments

Retailer mobile wallet group

Page 6

High Profile Players

Apple’s Pay NFC debit/credit wallet app

Facebook’s two-step mobile checkout for digital content

Sprint’s Touch wallet

Amex’s Serve platform (repurposed as a wallet)

Burger King wallet (with Firethorn)

Starbucks prepaid card/wallet app

Page 7

Mobile Payments Deployments

Near-field communication (NFC)

Cloud-based

Hybrid

Closed-loop

POS

Remote (mobile app or browser)

“In app”

Page 8

Running the Maze

Business of banking / Deposit-Taking

Truth in Lending Act / Reg Z

Regulation B

Bank Secrecy Act

OFAC

Reg D

Truth in Savings Act

Regulation II

Gramm-Leach-Bliley Act

Fair Credit Reporting Act

Data breach/security

FDIC Deposit Insurance

E-SIGN Act

Unfair, Deceptive or Abusive Acts and Practices Laws

State Money Transmitter Laws

State Privacy and Security Statutes

Card brand rules

Gift card

Anti-Money Laundering Compliance

TISA/Reg DD

Reg CC

Escheat

Durbin Amendment

Identity-Theft Red Flags

Check 21

Truth in Billing

Electronic Fund Transfer Act / Regulation E

Regulation DD

Page 9

OCC: THIRD PARTY RISK MANAGEMENT GUIDANCE

What to Expect …

Page 10

Risk Management Life Cycle

Page 11

Planning

Assess the deal

– Complexity

– Compare potential financial benefits to costs needed to control risks

– Nature of service provider’s interactions with bank’s customers, including access to customer information, complaints, etc.

– Applicability of certain laws, including BSA/AML, privacy, and information security

Identify inherent risks of outsourced activity

Assess impact on strategic goals, objectives, and risk appetite

When critical activities are involved, present deal to board and obtain board approval

Page 12

Bank due diligence of service providers

Strategies and goals – ensure third party’s strategies and goals do not conflict with the bank’s

Legal and regulatory compliance – ensure third party:

– Is properly licensed;

– Has the expertise, processes and controls to enable the bank to remain compliant

Financial condition – review audited financial statements

Business experience and reputation – assess work history, including customer complaints or litigation, time in business, changes in activities or business model

Fee structure and incentives – avoid burdensome upfront fees or inappropriate risk taking

Page 13

Bank due diligence of service providers

Qualifications, backgrounds, and reputations of company principals – including thorough background checks on senior management, employees, and subcontractors with access to critical systems or confidential information

Risk management – third party’s risk management policies, processes, and internal controls, including processes for escalating, remediating, and holding management accountable

Information security – assess experience in identifying, assessing, and mitigating known and emerging threats and vulnerabilities

Management of information systems – understand business process and technology used, including change management processes

Resilience – ability to respond to service disruptions, including disaster recovery and business continuity plans

Page 14

Bank due diligence of service providers

Incident reporting and management programs – ensure there are documented processes and accountability for identifying, reporting, investigating and escalating incidents

Physical security – to ensure safety and security of facilities, employees, and technology

HR management – program to train and hold employees accountable for compliance with internal procedures

Page 15

Bank due diligence of service providers

Reliance on subcontractors – volume and types of activities subcontracted, and ability to assess, monitor, and mitigate subcontractor risks

Insurance coverage – fidelity bond coverage for dishonest acts and negligence and hazard insurance for fire, loss of data, and protection of documents

Conflicting contracts with others – assess potential liability transferred to bank based on agreements to indemnify others

Page 16

Bank contracts with third parties should generally specify the following:

Nature and scope of the arrangement – frequency, content, and format of the service provided, including ancillary services, the location of performance, and terms of use of the bank’s information, facilities, systems, etc.

Performance measures or benchmarks – namely conformance with regulatory standards through incentives for desirable outcomes and penalties for poor performance

Page 17

Bank contracts with third parties should generally specify the following:

Responsibilities for providing, receiving and retaining information – types of reports needed (performance, control audits, financial statements, BSA/AML, OFAC, etc.) and when needed;

Address failure to adhere and ability to exit

Notice of financial difficulty, data breaches, compliance lapses, enforcement actions, etc.

Notice to the bank before service provider makes relevant changes, including strategic business changes

Page 18

Bank contracts with third parties should generally specify the following:

Right to audit and require remediation – bank needs the right to audit, monitor performance, and require remediation in certain circumstances

Responsibility for compliance with applicable laws – identify specific laws that service provider must comply with and grant bank compliance auditing rights

Cost and compensation – describe all compensation for services, avoiding burdensome upfront fees or inappropriate incentives that encourage excessive risk

Ownership and licensing

Confidentiality and integrity

Business resumption and contingency plans

Indemnification

Insurance

Page 19

Bank contracts with third parties should generally specify the following:

Dispute resolution

Limits on liability

Default and termination

Customer complaints – specify who is responsible for handling complaints, though bank must receive a copy of every complaint even if third party is handling the complaint

Subcontracting

Foreign-based third parties

OCC supervision – stipulate that performance of activities by external parties is subject to OCC oversight

Page 20

Ongoing Monitoring

Level of monitoring and oversight depends on level of risk and complexity of relationship

Ongoing review of third parties should include:

– Business strategy issues, including reputation and litigation

– Compliance requirements

– Financial condition, including insurance coverage

– Personnel and retention of knowledge

– Risk management, as evidenced by audit reports

– Ability to respond to threats, vulnerability, disruptions, etc.

Page 21

Termination

Expiration; seek an alternative; bring the activity in house

Breach

Bank needs to plan for eventual termination, including:

– Resources needed to transition activities away from service provider

– Risks with data retention and destruction

– Handling of joint IP developed during relationship

– Reputation risk if termination is the result of the third party’s failure to meet expectations

Page 22

Risks Associated with Third Party Relationships

– Operational risk

• Concentrations – when a single third party is relied on for multiple activities, or when third parties are located in the same geographic area

– Compliance risk

• When products or services are not properly reviewed for compliance with laws, regulations, or the bank’s policies and procedures

• When third party manages a product in a manner that is unfair, deceptive, or abusive

• When third party does not adequately monitor for BSA/AML or OFAC issues

Page 23

Risks Associated with Third Party Relationships

– Reputation risk

• From poor service, security lapses, inappropriate sales recommendations, or violations of consumer law resulting in litigation, loss of business or negative perceptions

– Strategic risk

• From incompatibility with bank’s strategic objectives or inadequate return on investment

• From failing to perform adequate due diligence or having inadequate risk management infrastructure

– Credit risk

• From the issuance of low-quality receivables and loans

• From poor account management, customer service, or collection activities

Page 24

Link to OCC’s Guidance

http://occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html

Page 25

CFPB: ENFORCEMENT POLICY

What to Expect…

Page 26

CFPB’s Enforcement Powers

Transferred laws:

- TILA, ECOA, FDCPA, Privacy in GLBA, RESPA, and others

12 U.S.C. 5481(12) “enumerated consumer laws”

New authority:

- Power to prohibit unfair, deceptive, and abusive acts and practices

Dodd-Frank Act § 1031 (codified at 12 U.S.C. §§ 5531(a); 5536(a)(1))

Page 27

Who Is Setting UDAAP Precedent?

Page 28

Cop on the Beat

CFPB’s enforcement action count (complaints and settlements):

– 2012 – 6

– 2013 – 20

– 2014 (first 6 months) - 7

UDAAP-based actions

– 16 in 2012 & 2013

• 9 were settlements

– 3 in first half of 2014

• 2 were settlements

Page 29

What’s the Big Deal?

Malleable concepts that depend on facts and circumstances

– UDAAP-based rulemakings have been limited

• Remedies to enforce credit obligations

• Telemarketing

– Know it when you see it

Page 30

What’s the Big Deal?

Body of CFPB settlements – looks and feels like common law BUT:

– Lacks checks and balances

– No judge

– Subjective interpretations with little rationale

– No admissions by parties

– New policy but no notice & comment

Page 31

PROJECT CATALYST

What to Expect…

Page 32

What is it?

An initiative at the CFPB dedicated to supporting innovators in the development of consumer-friendly financial products and services

Three elements:

– Engagements with innovators

– Participation in CFPB policy development

– Staying on top of emerging trends to keep the CFPB a “forward-looking organization”

Page 33

Pilot programs

Pitch a change to a financial regulation that would foster innovation

Collaborate with the CFPB on the development of a product or service – Three companies participating so far

• BillGuard - alerts people to questionable debit or credit card charges and helps them resolve billing disputes quickly.

– The company shares billing dispute data with the CFPB.

• Plastyc – an alternative to traditional banking

– Focus on easy deposits and access

• Simple – an alternative to traditional banking

– Explores how people can gain insight into their spending habits; gives CFPB data on what tools can encourage saving.

Page 34

Trial disclosure programs

Develop a new concept disclosure and ask the CFPB for approval to test it in a live market

Apply for a compliance waiver

– But a waiver does not protect you from class action lawsuits or enforcement actions from other regulators

Extensive information sharing with the CFPB is required

Page 35

No-action-letter (NAL) policy

NAL policy proposed in October 2014; comments due December 15, 2014; not expected to be finalized until spring / summer of 2015

Policy under which a provider may request that the CFPB review a particular product or service offering that does not necessarily comply with the law and conclude that it does not have a present intention to bring an enforcement action

– Meant for product expected to be offered – not for purely hypothetical products or well-established products

– Not for issues currently pending before the CFPB

– Not for UDAAP matters

Application

– Describe product or service, timetable for release, identification of consumer benefits and potential risks compared to other products

– Must identify specific provisions of statutes and regulations creating uncertainty, along with an explanation of why they should not apply

– Must identify applicant; cannot be anonymous

Page 36

No-action-letter (NAL) policy

Staff will review application and decide whether to issue a NAL

Limitations

– Subject to immediate modification and/or revocation

– Disclaimed as a waiver and non-binding

– Subject to retrospective enforcement in some cases

– Not binding or worthy of deference (or is it?)

NAL and supporting data to be disclosed to CFPB

Page 37

No-action-letter (NAL) policy

Issues with the NAL proposed policy

– Very narrow range of products to which this would apply

– High threshold to show that a NAL is needed

• Must show that product modifications that would alleviate regulatory issues are not feasible

• Must demonstrate that there is no better way to address the uncertainty than a NAL

– Avowed policy to grant few no-action letters: NAL policy will be used “only rarely and on the basis of exceptional circumstances.”

– NALs are revocable by the CFPB at any time

– Confidentiality terms are unlikely to provide much comfort; innovators risk free-riding problems

– Exclusion of UDAAP issues leaves significant uncertainty for product and service providers

See DWT’s assessment of the NAL policy here: http://www.paymentlawadvisor.com/2014/10/24/cfpb-proposes-no-action-letter-policy-for-innovative-products/

Page 38

Thank You!

Karen A. Ross [email protected] 202.973.4269