Photo of Mike Nonaka

Michael Nonaka is a partner in the firm’s Financial Institutions practice group. He represents banks and other financial institutions on a wide variety of bank regulatory, enforcement, legislative and policy issues.  Mr. Nonaka also is co-chair of the firm’s Fintech Initiative and works with a number of banks, lending companies, money transmitters, payments firms, technology companies, and service providers on innovative technologies such as big data, blockchain and related technologies, bitcoin and other virtual currencies, same day payments, and online lending.

Introduction  

On August 21, 2020, the California legislature enacted the California Consumer Financial Protection Law (CCFPL), which is to take effect on January 1, 2021.[1]  The law renames the “Department of Business Oversight” (DBO) the “California Department of Financial Protection and Innovation (DFPI)” and, among other things, empowers the department to regulate the offering and provision of consumer financial products or services under California consumer financial laws.[2]  The California legislature noted that the CCFPL strengthens “consumer protections by expanding the ability of the department to improve accountability and transparency in the California financial system and promote nondiscriminatory access to responsible, affordable credit, among other purposes.”[3]  In this blog post, we examine the DFPI’s possible authority over California’s principal privacy laws.  Covington will monitor how active the DFPI is in promulgating and enforcing privacy rules as the contours of the DFPI’s authority become apparent over time.


Continue Reading Privacy Oversight and the California Department of Financial Protection and Innovation

On July 9, 2019, the federal banking agencies released a final rule to simplify aspects of the regulatory capital rules for banking organizations that are not “advanced approaches” banking organizations, i.e., those with less than $250 billion in total consolidated assets and less than $10 billion in total foreign exposure.  Initially proposed in September 2017 as part of the agencies’ ongoing efforts to meaningfully reduce regulatory burden on small and mid-sized banking organizations, the final rule is intended to simplify and clarify certain aspects of the capital rules, and in particular the capital treatment of mortgage servicing assets, certain deferred tax assets, investments in the capital instruments of unconsolidated financial institutions, and minority interests.  Importantly, the Board of Governors of the Federal Reserve System (“Board”) also used the rulemaking as an opportunity to streamline an important aspect of its regulatory framework by permitting bank holding companies, savings and loan holding companies, and state member banks of all sizes to redeem or repurchase their common stock without obtaining formal, prior regulatory approval under most circumstances.

Continue Reading Federal Reserve Rationalizes Stock Buyback Rules

On March 5, 2019 the Federal Trade Commission (“FTC”) published requests for comment on proposed amendments to two key rules under the Gramm-Leach-Bliley Act (“GLBA”).  Most significantly, the FTC is proposing to add more detailed requirements to the Safeguards Rule, which governs the information security programs financial institutions must implement to protect customer data.

In addition, the FTC is proposing to expand the definition of “financial institution” under the Safeguards Rule and the Privacy Rule to include “finders.”  Finally, the FTC is proposing to amend the Privacy Rule to make technical and conforming changes resulting from legislative amendments to GLBA in the Dodd-Frank Act and FAST Act of 2015.

Proposed Revisions to the Safeguards Rule’s Information Security Program Requirements

The Safeguards Rule establishes requirements for the information security programs of all financial institutions subject to FTC jurisdiction.  The Rule, which first went into effect in 2003, requires financial institutions to develop, implement, and maintain a comprehensive information security program.  As currently drafted, the Safeguards Rule has few prescriptive requirements, but instead generally directs financial institutions to take reasonable steps to protect customer information.

The FTC’s proposed revisions would add substantially more detail to these requirements.  Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, explained that the purpose of the proposed changes is “to better protect consumers and provide more certainty for business.”  The new requirements are primarily based on the cybersecurity regulations issued by New York Department of Financial Services (“NYSDFS”), and the insurance data security model law issued by the National Association of Insurance Commissioners.

Some of the specific proposed changes include:


Continue Reading FTC Proposes to Add Detailed Cybersecurity Requirements to the GLBA Safeguards Rule

On January 28, 2019, Senator Mike Crapo (R.-Id.), Chair of the Senate Committee on Banking, Housing, and Urban Affairs, published a column signaling his support for data privacy and security legislation in the 116th Congress.

In his column, Senator Crapo emphasizes what he sees as the “incredibly positive” developments associated with the development of

Innovation in financial services continues to move at a rapid pace. The significant increase in the number of fintech companies in recent years has highlighted a burgeoning market with significant economic potential, and a commercial need to create efficiencies and modernize the provision of financial products and services. Federal and state financial services regulators remain

On January 17, 2019, the Payment Card Industry Security Standards Council (the “Council”), a payment industry association, released a new framework for PCI software security – the PCI Software Security Framework – to assist companies in designing and maintaining secure software for processing payment transactions. The framework includes two standards: the PCI Secure Software

Introduction

On December 3, 2018, the Dutch Authority for Consumers & Markets (“ACM”) published a speech from its board member, Cateautje Hijmans van den Bergh, regarding potential competition law concerns in the financial technology (“FinTech”) sector.

In particular, further to the European Parliament’s study on FinTech and competition law (the “Study”) – as discussed in

The Office of the Comptroller of the Currency (“OCC”) announced yesterday that a nondepository financial technology (“fintech”) company that engages in a core banking activity, such as paying checks or lending money, can now apply for a special purpose national bank (“SPNB”) charter. This announcement followed shortly after the release of the Treasury Department’s report on nonbank financials, fintech, and innovation, which recommended that the OCC move forward with the charter.

Comptroller of the Currency Joseph M. Otting stated that allowing fintech companies to apply for special purpose national bank charters “helps provide more choices to consumers and businesses, and creates greater opportunity for companies that want to provide banking services in America.”  Comptroller Otting concluded that “companies that provide banking services in innovative ways deserve the opportunity to pursue that business on a national scale as a federally chartered, regulated bank.”

The OCC stated that its decision is consistent with broader government efforts to promote economic opportunity and supports innovation in financial services.  The OCC has made clear that fintech companies with SPNB charters will not be authorized to accept FDIC-insured deposits.  The OCC emphasized that every application by a fintech company for a SPNB charter will be evaluated on the basis of its facts and circumstances and that fintech companies that become special purpose national banks initially will be subject to heightened supervision initially, similar to any de novo bank.

A SPNB charter would be useful in providing a more uniform regulatory framework instead of the current patchwork of state licensing and rate cap regulation that applies to many fintech companies.  The charter also may enable a fintech company to gain direct access to the payment system, subject to the Federal Reserve’s willingness to grant such access.  A company that obtains a SPNB charter also may have less of a need to enter into a partnership with a bank depending on its business model.


Continue Reading The OCC Will Move Forward to Accept Applications for Special Purpose National Bank Charters for Fintech Companies

Blockchain technology has the potential to revolutionise many industries; it has been said that “blockchain will do to the financial system what the internet did to media”.  Its most famous use is its role as the architecture of the cryptocurrency Bitcoin, however it has many other potential uses in the financial sector, for instance in trading, clearing and settlement, as well as various middle- and back-office functions.  Its transformative capability also extends far beyond the financial sector, including in smart contracts and the storage of health records to name just a few.

A blockchain is a shared immutable digital ledger that records transactions / documents / information in a block which is then added to a chain of other blocks on a de-centralised network.  Blockchain technology operates through a peer network, where transactions must be verified by participants before they can be added to the chain.

Notwithstanding its tremendous capabilities, in order for the technology to unfold its full potential there needs to be careful consideration as to how the technology can comply with new European privacy legislation, namely the General Data Protection Regulation (the “GDPR”) which came into force on 25 May 2018.  This article explores some of the possible or “perceived” challenges blockchain technology faces when it comes to compliance with the GDPR.


Continue Reading The GDPR and Blockchain