Regardless of whether its recommendations are achievable in whole or in part or merely aspirational, the US Department of Treasury's ("Treasury") report issued on July 30, 2018—A Financial System That Creates Economic Opportunities: Nonbank Financials, Fintech and Innovation ("Report")—is an ambitious, well-thought-out, comprehensive compendium of proposals to foster innovation in our financial system. Treasury deserves kudos for organizing and analyzing a disparate set of potential reforms to help synchronize old laws with new ways to conduct business. The question is whether this laudable blue-print for reform can serve as the impetus for real change given our current state of affairs.
The Report is the fourth report issued by Treasury in response to President Trump's February 2017 Executive Order No. 13772 ("Executive Order") setting forth certain core principles for the US financial system. The three prior reports generally identified laws, treaties, regulations and other government policies that promote or inhibit federal regulation of the US financial system and included recommended changes consistent with the core principles set forth in the Executive Order.1 While some of the recommendations require action by federal regulators, others require changes to federal or state laws and most require public funds.
This fourth report explores the regulatory landscape for nonbank financial companies with traditional "brick and mortar" footprints not covered in other reports as well as newer business models employed by technologybased firms ("fintech"). As part of the Report, Treasury explores the implications of digitalization and its impact on access to clients and their data. The Report includes limited treatment of blockchain and distributed ledger technologies as these technologies are being explored separately in an interagency effort led by a working group of the Financial Stability Oversight Council ("FSOC"). Treasury's preparation of the Report included discussions with entities focused on data aggregation, nonbank credit lending and servicing, payments networks, financial technology, and innovation. It also consulted with trade groups, financial services firms, federal and state regulators, consumer and other advocacy groups, academics, experts, investors, investment strategists and others with relevant knowledge, and it reviewed a wide range of data, research and other published material from both public and private sector sources.
Nobody should expect every one of the Report's recommendations to be implemented efficiently and immediately, if at all. Some recommendations can be implemented through regulatory fiat, others can be implemented by regulators but only through a formal rulemaking process, and still other recommendations will require congressional action. Some of the recommendations are concrete, and others simply outline principles to inform policymakers. Some in theory could be implemented right away, and others are longer-term in nature. Some recommendations surely at some point will be enacted, and others may never see the light of day. To fully implement all of the recommendations in the Report, federal agencies will need to crisply coordinate their initiatives in a strategic way, states will need to realize that a patchwork of inconsistent "solutions" to the same problems is counter-productive, and Congress will need to seize the initiative to legislate in order to promote rather than to prohibit. Nevertheless, the immense barriers to implementation should not diminish the importance and usefulness of the Report.
This Legal Update provides a high-level summary of the Treasury recommendations set forth in the Report, along with a brief analysis of the key areas and some thoughts regarding the prospects for successful implementation of the pertinent recommendations. Some of the key areas covered in this Legal Update include data aggregation, challenges presented by the state and federal regulatory frameworks, marketplace lending, mortgage lending, short term lending, small-dollar lending, payments, regulatory sandboxes and international approaches and considerations.
DIGITALIZATION, DATA AND TECHNOLOGY
TELEPHONE CONSUMER PROTECTION ACT ("TCPA")
The Report explains that the TCPA has constrained the ability of financial services providers to use digital communication channels despite consumers' increasing reliance on text messaging and email communications through mobile devices. The financial services industry likely will welcome the Report's recommendations with respect to easing such constraints.
The Report recommends that regulators mitigate the risk of liability for calling a reassigned number—a telephone number formerly belonging to a consenting consumer that is subsequently given to another person— by creating a database of reassigned numbers and a broader safe harbor for calls to reassigned numbers so that a caller who had consent from a previous subscriber has a sufficient opportunity to learn that the number has been reassigned. The Report also suggests that updated TCPA regulations should provide clarity on what types of technology constitute an "automatic telephone dialing system" for TCPA purposes given the TCPA's restrictions on the use of autodialers.2 Finally, the Report notes the importance to the industry of clear guidance on reasonable methods for consumers to revoke consent under the TCPA, including through congressional action if necessary. The Report's TCPA recommendations align with the Federal Communications Commission's ("FCC") rulemaking agenda. In March 2018 the FCC sought comment on how to address the reassigned numbers issue.3
FAIR DEBT COLLECTION PRACTICES ACT ("FDCPA")
Treasury recommends that the Bureau of Consumer Financial Protection ("Bureau") promulgate regulations under the FDCPA to codify that reasonable digital communications, especially when they reflect a consumer's preferred method, are appropriate for use in debt collection. Consumers increasingly prefer to communicate with their financial services providers digitally, such as through text messages and email, but the potential litigation risk from inadvertently disclosing information regarding debts to an unauthorized third party discourages debt collectors from digital communications with consumers. The Federal Trade Commission ("FTC") had noted in 2009 that it was unaware of information demonstrating that unauthorized third parties were more likely to have access to debt collection messages conveyed through digital means than through letters and phone calls and that it did not believe in imposing restrictions on debt collectors' use of email and instant messages in the absence of such data.4 Industry stakeholders have argued in favor of an automatic "opt-in" that is deemed to constitute consent in the event that a consumer provides an email address or other digital communications method in connection with his or her financial services agreement. The industry is likely to favor such "opt-in" consent method because it could be implemented through consumer contracts.
CONSUMER ACCESS PROTECTIONS
The Report discusses how data aggregators and fintechs should be able to access a consumer's financial information only with informed consumer consent following receipt of adequate disclosures. To achieve that goal, the Report recommends that the Bureau work with the private sector to develop best practices and consumers be given adequate means to revoke prior authorization. If implemented in a thoughtful manner, these principles-based protections should give consumers a meaningful opportunity to control use of and access to their financial information.
DATA SHARING BARRIERS
The Report discusses how data aggregation in general, and APIs5 in particular, face operational and regulatory barriers. The Report recommends that the private sector develop a solution to allow financial services companies and data aggregators to establish data sharing agreements that use secure and efficient methods of data access and banking regulators revise their third-party guidance to remove ambiguity related to regulatory authority over fintechs' use of APIs. These recommendations, while generally appearing to be noncontroversial, seem unlikely to be achieved in the near-term because it will be difficult to build consensus among market participants and a variety of resourceconstrained regulators.
DATA SECURITY AND BREACH NOTICE
The Report recommends that Congress enact a federal data security and breach notification law. The current fragmented regulatory regime results in gaps in data security requirements and duplicative costs for institutions that service consumers located in multiple states with inconsistent breach notification laws. While proposals similar to the Report's recommendation have previously failed, in part because of state opposition to federal preemption of the existing state breach notification laws, the frequent occurrence of major, nationwide data breaches may mean that the situation is at a tipping point where such a federal law becomes a reality.
DIGITAL LEGAL IDENTITY
To combat the difficulties of identity proofing that have increased with the growth of customers' preferences for online or mobile financial transactions and with the disaggregation of financial services, the Report recommends that public and private sector stakeholders work together to develop trustworthy digital legal identity services and products in the financial services sector that are portable across governmental agencies and unrelated financial institutions. In particular, the Report highlights existing initiatives by the Office of Management and Budget and under the REAL ID Act of 2005 as potential foundations for a digital legal identity framework. However, we expect that the viability of a digital legal identity will be driven more by congressional willingness to fund the public portion of the public-private initiatives and an interest on the part of regulators in providing legal certainty to those relying on such initiatives than willingness by the private sector to act independently.
CLOUD TECHNOLOGY AND FINANCIAL SERVICES
The Report recommends that regulators modernize requirements and guidance to better provide for appropriate adoption of new technologies such as cloud computing, including formally recognizing independent US audit and security standards that sufficiently meet regulatory expectations and set clear and appropriately tailored chain outsourcing expectations.
The Report recommends that regulators establish a cloud and financial services working group to develop cloud policies that reflect the interests of key industry stakeholders, including providers, users and others impacted by cloud services. Financial regulators should seek to promote the use of cloud technology within the existing US regulatory framework to help financial services companies reduce the risks of noncompliance and compliance costs associated with meeting multiple and sometimes conflicting regulations. The Report also recommends that regulators be wary of imposing requirements that data must be stored within a particular jurisdiction (e.g., data localization) and should instead seek other supervisory or appropriate technological solutions to potential data security, privacy, availability and access issues.
BIG DATA, MACHINE LEARNING AND ARTIFICIAL INTELLIGENCE
As the Report points out, the artificial intelligence ("AI") revolution is here. Treasury offers insight into the problems it anticipates from the use of AI in the financial services ecosystem.
The Report notes a laundry list of uses of AI in the financial services industry, including surveillance and risk management, fraud identification, AML monitoring, investment/quant trading opportunities, chat bots and certain loan underwriting tasks. Although absent from the Report, machine learning ("ML") and alternative data can be used to reach vast untapped markets of "credit invisibles" (persons without traditional FICO scores), which is a huge opportunity.
AI presents pros and cons for financial services companies and consumers. Competition fosters innovation and may lead to better consumer products and services. The Report mentions that competition may present challenges as well. What if, Treasury worries, the firms with the strongest AI win a monopoly or duopoly? Perhaps a vicious cycle develops: consumers flock to the industry leader, so the leader gets more data, which makes its AI smarter, so it pulls further into the lead; repeat. Smart machines can detect fraud, but can also be used to promote fraud, e.g., through more realistic-looking sham phishing methods. Treasury does not mention it, but you could easily envision an AI arm's race, e.g., ML that spots problematic conduct pitted against ML that conceals such conduct.
There is some debate as to whether AI and ML will elevate biases in the provision of financial services. On one hand, ML underwriting may take biased humans out of the loop. But, ML systems may learn their own biases, for example, by using proxies for protected classes (e.g., determining that purchasers of high heeled shoes should be denied credit). The Report further notes that ML is notoriously opaque. This is often unhelpful, for example, when the law requires reasons for adverse credit decisions, or where regulators are trying to predict how a portfolio management tool will react in times of stress.
Finally, big data raises privacy issues. Big data drives AI, thus generating a need for more and more data to feed the AI machine, which can lead to data vulnerabilities. On top of which, ML will be using that data in new ways that may reveal more than people anticipate. An example that Treasury does not mention occurred not long ago—smart machines reviewing purchasing patterns alerted marketers that certain women were pregnant before those women publicly disclosed their pregnancies.
The Report makes a number of recommendations that are entirely correct but often not so easy to implement. Treasury offers the following advice: First, regulators should refrain from layering "unnecessary burdens" on the use of AI and ML. The issue is that "unnecessary burdens" is not a clear standard and may be interpreted in different ways by financial services providers and regulators. Second, regulators should be clear in their guidance. This is a laudable goal. Sometimes lack of clarity is a regulatory stratagem, but not always—sometimes it reflects a complex and unclear reality. The latter is harder to solve.
Third, regulators should coordinate when it comes to developing AI and ML policy. This is an ambitious goal, especially given what Treasury wants to accomplish (i.e., address when humans should be accountable, address when humans should have primary decision making authority, ensure that the work force is ready for digital labor, ensure that AI is transparent for consumers and ensure that AI is robust against manipulation). Finally, the Report notes that the government should invest in AI. This is likely a good idea, so long as government supports, rather than displaces or tramples upon, industry.
1 US Department of the Treasury, A Financial System that Creates Economic Opportunities: Banks and Credit Unions (June 2017); US Department of the Treasury, A Financial System that Creates Economic Opportunities Capital Markets (October 2017); US Department of the Treasury, A Financial System that Creates Economic Opportunities Asset Management and Insurance (October 2017).
2 Historically, the industry has argued that the definition of "autodialer" under the TCPA was too broad because it includes equipment that merely has the capacity to make an autodialed call, rather than being limited to equipment that actually is used by an autodialer.
4 Collecting Consumer Debts: The Challenges of Change: A Federal Trade Commission Workshop Report, https://www.ftc.gov/reports/collecting-consumer-debtschallenges- change-federal-trade-commission-workshop report.
5 "Application Programming Interfaces" mean a program that links the aggregator's or fintech's systems to the financial services provider's systems, and uses predefined communication and data exchange protocols to transfer information.
Visit us at mayerbrown.com
Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.
© Copyright 2018. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.