Overlap Between the GDPR and PSD2

The Payment Services Directive (PSD2), which took effect on January 13, 2018, puts an obligation on banks to give Third Party Providers (TPPs) access to a customer’s payment account data, provided the customer expressly consents to such disclosure. The new legislation is intended to improve competition and innovation in the EU market for payment services. The General Data Protection Regulation (GDPR), which is due to take effect from May 25, 2018, enhances individuals’ rights when it comes to protecting their personal data. The interaction between PSD2, aimed at increasing the seamless sharing of data, and the GDPR, aimed at regulating such sharing, raises complicated compliance concerns.

For example, where banks refrain from providing TPPs access to customer payment data for fear of breaching the privacy rights of their customers under the GDPR, competition authorities may consider this a breach of competition law. This concern is already becoming a reality for banks – on October 3, 2017, the European Commission carried out dawn raids on banking associations in Poland and the Netherlands following complaints from fintech rivals that the associations were not providing them with what they considered legitimate access to customer payment data.

Senate Passes Dodd-Frank Reform Bill

The Senate on Wednesday passed a bill sponsored by Sen. Mike Crapo that would roll back some of the regulations put in place by the Dodd-Frank Act following the 2008 financial crisis.  The Economic Growth, Regulatory Relief and Consumer Protection Act, which was passed in a 67-31 bipartisan vote, would provide notable regulatory relief to regional banks by raising the threshold by which bank holding companies are presumptively subject to enhanced prudential standards under Dodd-Frank from $50 billion to $250 billion in total consolidated assets.  The bill also includes provisions to lessen the regulatory burden on community banks, such as tailoring mortgage regulations and creating an exemption to the Volcker Rule for small banks, and would add some new consumer protection measures, including an expansion of access to free credit freezes following a data breach.  The legislation will now move to the House, where Rep. Jeb Hensarling, chairman of the House Financial Services Committee, has indicated a desire to add around 30 measures to the Senate bill, and resolve any differences with the Senate bill through negotiations in the reconciliation process.

CFPB RFI on Regulations Adopted Since its Establishment in 2011, and on New Regulations

The Consumer Financial Protection Bureau (the Bureau) announced today the eighth in a series of at least twelve broad Requests for Information (RFIs) seeking public comment on a range of Bureau activities and practices. Today’s RFI, on rulemaking by the Bureau, seeks comments and information on whether the Bureau should:

  • amend any rules that the Bureau has issued since its creation; or
  • issue new rules under its statutory rulemaking authorities.

The RFI is focused on the substance of Bureau rules, and not the Bureau’s rulemaking process — which is the subject of a separate RFI. Moreover, it is limited to rules adopted, or to be adopted, by the Bureau since its creation in 2011. Another RFI, to be issued in the coming weeks, will seek comment on rules issued by other agencies and inherited by the Bureau in 2011, when the Bureau assumed responsibility for the enforcement of enumerated consumer laws previously administered by other Federal banking agencies.

FinCEN Extends Regulations to Initial Coin Offerings

On March 6, 2018, the Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) released its response to Senator Ron Wyden’s (D-OR) request for information relating to FinCEN’s oversight and enforcement of virtual currency activities.  In the letter, FinCEN outlined its intent to regulate certain operators of initial coin offerings (“ICOs”) as money transmitters subject to Bank Secrecy Act (“BSA”) requirements.

Considering FinCEN’s regulatory approach to virtual currencies since 2011, it comes as no surprise that it has decided to apply the BSA and anti-money laundering/combating the financing of terrorism (“AML/CFT”) regulatory compliance framework to ICOs.  FinCEN amended the BSA’s definition of money service businesses (“MSBs”) in 2011 to accommodate virtual currency exchangers and administrators.  In 2013, the agency issued interpretive guidance clarifying that virtual currency exchangers and administrators are considered money transmitters that are required to comply with the BSA and its implementing regulations.[1]  In 2014, FinCEN specified that harvesters of virtual currency that engage in activity constituting acceptance and transmission of currency are considered money transmitters and, therefore, must comply with the BSA.

FinCEN’s treatment of ICOs, however, can depend on the “facts and circumstances of each case” and is open to some interpretation.  The agency stated that “[t]he application of AML/CFT obligations to participants in ICOs will depend on the nature of the financial activity involved in any particular ICO.”

FinCEN also stated that it will coordinate enforcement of AML/CFT obligations on ICOs with the Securities and Exchange Commission (“SEC”) and the Commodity Futures Trading Commission (“CFTC”).  As a general matter, those that deal in securities and participate in an ICO would implicate SEC authority, while those that broker commodities would fall under CFTC authority.

[1] As money transmitters, virtual currency exchangers and administrators are required to, among other things, register with FinCEN as an MSB, develop a written AML compliance program, file suspicious activity and currency transaction reports, and adhere to know-your-customer (“KYC”) requirements in accordance with the BSA.

Is Cryptocurrency a Viable Solution for the Unbanked in Africa?

When bitcoin entered the public’s eye for the first time in 2013, it was touted as one of the greatest inventions for the unbanked in Africa. The World Bank estimates that of the 2 billion people without access to the modern financial system, a third live in Sub-Saharan Africa. In recent months, bitcoin and cryptocurrency as a whole have received much attention. Further, the underlying blockchain technology has gained mainstream acceptance. While the potential of such technology seems to be limitless, the question remains whether cryptocurrency is a viable solution for the unbanked in Sub-Saharan Africa.

On its face, Bitcoin appeared to be the front runner and ideal candidate for cross-border transactions, especially remittance payments.  However, the volatile nature of the cost associated with such transactions, as well as the lack of a robust cryptocurrency ecosystem, has limited the effectiveness of Bitcoin on the African continent.

For many, the cost to send money into Africa through banks and wire services can be a challenge, with transaction fees usually in the range of at least 10 percent. Intra-African money transfer is even more expensive and the cost can rise to as high as 17 percent. Although Bitcoin was initially cheaper with the average transaction fee being only a few cents, in recent months, the transaction fee has proven to be extremely volatile. In December 2017, the average transaction fee climbed to as high as 50 USD, while in March 2018, it dropped to about 2 USD. Because the transaction fee within the bitcoin network does not depend on the amount of bitcoins being sent, for smaller transactions, the cost of transaction would be prohibitively high.

An additional problem lies in the cost of exchanging Bitcoin into local currency, and the lack of an ecosystem to support such exchanges. Because merchants do not universally accept Bitcoin as a means of payment, recipients of cryptocurrency must deal with the issue of converting into local currency. With low demand for bitcoin in sub-Saharan Africa, the ecosystem to support cryptocurrency is currently not robust enough to make the exchange market liquid.

New cryptocurrency platforms also face strong competition from existing fintech companies such as M-Pesa, the ubiquitous mobile money in Kenya. M-Pesa is supported by Safaricom, the biggest telecommunication company in the Kenyan market with more than 70 percent of the market share. In 2015, Safaricom stopped its business with other Bitcoin payment processing companies, further limiting the ability of new cryptocurrency companies to break into the Kenyan market. Moreover, Kenya’s high court has held that Safaricom is not legally required to conduct business with such companies, giving the telecommunications company a semi-monopoly and adding further obstacles to the advancement of cryptocurrency technologies in Kenya.

The history of BitPesa, one of the oldest and best-funded blockchain companies in Africa, is illustrative of the difficulty in offering bitcoin remittance service in Africa, but also the potential the underlying technology has to solve banking issues on the continent. BitPesa initially aimed to provide a consumer level cross-border remittance service. However, when faced with the challenges highlighted above, BitPesa pivoted to provide a business-to-business (B2B) payment service instead. Currently, BitPesa is best used by entrepreneurs in Africa who utilize it as a foreign exchange and B2B cross-border payment system for large transactions. BitPesa has been gaining traction in recent times with over 6,000 customers across the continent, demonstrating that the future of cryptocurrency on the continent of Africa may be going in an upward trajectory.

As cryptocurrency and blockchain technology mature, and transaction costs are reduced, using cryptocurrency as a means of remittance may become a reality for many in Sub-Saharan Africa. Further, cryptocurrency and blockchain technology are gaining acceptance among African millennials who desire to not only use the technology but find ways to learn and innovate upon it. With the demand for cryptocurrency on the rise universally, and a growing base of millennials understanding the underpinnings of the technology, it is foreseeable that in the near future, cryptocurrency could very well be a solution for the unbanked in Sub-Saharan Africa.

For more information on the current state of blockchain technology including a synopsis of the use of cryptocurrency in various countries in Africa, please visit the Global Blockchain Business Council Annual Report located here.

Advancing Blockchain Cybersecurity: Technical and Policy Considerations for the Financial Services Industry

Blockchain is a powerful innovation that is poised to bring substantial positive change to the financial services industry as well as many other industries.  Despite such promise, blockchain, like any emerging financial services technology, must be evaluated from the perspective of cybersecurity risk – both to an individual financial institution and to the broader and interconnected financial services industry – because cybersecurity is a primary concern to policymakers and financial institutions.

We co-authored a whitepaper with Microsoft and the Chamber of Digital Commerce that explores the cybersecurity benefits of blockchain technologies in the financial services industry.  The paper’s objectives are to educate policymakers and financial industry participants about how blockchains may fit within broader cybersecurity objectives, create a shared understanding of some of the cybersecurity considerations and risk inherent to blockchain, and form recommendations for policymakers and industry to facilitate blockchain innovations that address extant and emerging cybersecurity threats.



CFPB Issues Request for Information on External Engagements

On February 21, 2018, the Consumer Financial Protection Bureau (the “Bureau” or “CFPB”) issued a Request for Information (“RFI”) seeking comments and information from the public regarding the Bureau’s public and non-public external engagements, including but not limited to field hearings, town halls, roundtables, and meetings of the Advisory Board and Councils.  The Bureau intends to use the comments received to better understand how it may improve or revise its engagements to better achieve its statutory objectives.  This RFI is the fifth in a call for evidence from Acting Director Mick Mulvaney to “ensure the Bureau is fulfilling its proper and appropriate functions to best protect consumers.”

As noted above, the RFI identifies four types of public and non-public external engagements:  field hearings, town halls, roundtables, and meetings of the Advisory Board and Councils.  Field hearings focus on a specific topic and are open to the public and announced on the Bureau’s website.  While field hearings are held in geographically diverse locations throughout the United States, they are also livestreamed on the Bureau’s website.  Town halls may be public or invitation-only, and are typically organized around a specific topic or financial education.  Roundtables are invitation-only events with the Bureau to discuss particular issues with interested parties.  Finally, the Bureau has organized four formal advisory groups (the Advisory Board and three Councils) to advise the Bureau on various aspects of the consumer financial market.  Advisory group meetings are announced to the public in the Federal Register and on the Bureau’s website, and the meetings are livestreamed.  In addition, the Bureau publishes a summary of the meetings.

In the RFI, the Bureau seeks feedback on all aspects of the Bureau’s processes related to external engagements, but identifies the following as specific “areas of interest”:

  • Strategies for seeking public and private feedback from diverse external stakeholders on the Bureau’s work;
  • Structures for convening diverse external stakeholders and the public to discuss Bureau work in ways that maximize public participation and constructive input, including but not limited to structures currently used by the Bureau (field hearings, town halls, roundtables, and meetings of the advisory groups);
  • Processes for transparency in determining topics, locations, timing, frequency, participants, and other elements of public and private engagements;
  • Vehicles for soliciting public and private perspectives on the Bureau’s work from outside Washington, D.C.;
  • Strategies for promoting transparency of external engagements while protecting confidential business information and encouraging frank dialogue;
  • Strategies and channels for distributing information about external engagements to maximize public awareness and participation; and
  • New approaches, methods, or practices that would elicit constructive input on the Bureau’s work.

The Bureau began accepting comments on February 26, 2018, and the comment period is 90 days.

SEC Adopts New Guidance on Public Company Cybersecurity Disclosures and Insider Trading

On February 21, 2018, the U.S. Securities and Exchange Commission (the “Commission”) approved a statement and interpretive guidance that provides the Commission’s views on a public company’s disclosure obligations concerning cybersecurity risks and incidents (the “2018 Commission Guidance”). This guidance reinforces and expands upon previous cybersecurity disclosure guidance issued by the Division of Corporation Finance (the “Staff”) in October 2011  (the “2011 Staff Guidance”).  The 2018 Commission Guidance also focuses on two additional issues: (i) maintenance of comprehensive policies and procedures related to cybersecurity, including sufficient disclosure controls and procedures, and (ii) insider trading in the cybersecurity context.

Treasury Issues Regulatory Reform Recommendations for the Orderly Liquidation Authority

On Wednesday, February 21, the Treasury Department issued a report regarding the Orderly Liquidation Authority (“OLA”) established by Title II of the Dodd-Frank Act under which the FDIC may be appointed as receiver of a severely distressed and systemically important financial company. This report was prepared in response to the President’s April 21, 2017 memorandum directing the Secretary of the Treasury to examine the OLA to propose recommendations for reform consistent with the President’s seven “Core Principles” for financial regulatory reform set forth in an Executive Order of February 3, 2017, and to determine whether reforms to the Bankruptcy Code are appropriate.[1]

The OLA has been controversial since the Dodd-Frank Act was enacted because critics have worried that it encourages excessive risk-taking, moral hazard, and exposure to taxpayers. Treasury agrees that, as enacted, Title II “confers far too much unchecked administrative discretion, could be misused to bail out creditors, and runs the risk of weakening market discipline.”

As it currently stands, a failing systemically important financial institution may be subject to the OLA if, among other things, the FDIC, the Federal Reserve Board, and the Secretary of the Treasury have made certain findings, including that no private sector recapitalization or acquisition alternative is available and that resolution of the company under the Bankruptcy Code would have serious adverse effects on U.S. financial stability. The establishment of a specialized resolution process under the Bankruptcy Code was considered at the time Dodd-Frank was enacted, and legislative proposals to create such a bankruptcy mechanism have emerged from time to time since then, but Congress has not taken action.

A central part of the report’s recommendations is to establish a specialized bankruptcy process for financial companies, which if enacted, would be “the resolution method of first resort,” leaving the OLA as a last resort. Treasury refers to the revised bankruptcy process as “Chapter 14” bankruptcy, under which the shareholders, executives, and creditors of the financial company will ultimately bear all losses from the failure. Under this new framework, which is modeled on a “single point of entry” approach to resolution, a bridge company would be established within 48 hours after the bankruptcy court approves the transfer of assets, including the ownership interests of operating subsidiaries. Operating subsidiaries such as insured depository institutions would remain open and continue to service customers, thereby lessening the potential for depositors to run and the need for other insolvency regimes such as the Federal Deposit Insurance Act to resolve the failing institution. The existing directors and management of the failed company would be dismissed, and directors and management of the new company would be chosen by the new owners of the bridge company.

Importantly, the OLA would be modified but not eliminated. Recommended modifications in the report include elimination of ad-hoc decisions by the FDIC, provision for adjudication of claims by a bankruptcy court, repeal of the tax-exempt status of a bridge company, and greater clarity on resolution strategy. Under the Treasury’s assessment, “without assurance of OLA as an emergency tool, foreign regulators would be more likely to impose immediate new requirements on foreign affiliates of U.S. bank holding companies, raising their costs of business and harming their ability to compete internationally.”

[1] The OLA report is the fourth report from Treasury on the Administration’s Core Principles for Financial Regulation. Treasury previously issued reports on asset management and insurance, capital markets, and banks and credit unions.

FCC: Bitcoin Mining Equipment is Causing Interference to T-Mobile in Brooklyn

Yesterday, the Federal Communications Commission sent a letter to an individual in Brooklyn, New York, alleging that a device in the individual’s residence that is being used to mine Bitcoin is generating spurious radiofrequency emissions, causing interference to a portion of T-Mobile’s mobile telephone and broadband network.

The letter states that on November 30, 2017, FCC agents investigated complaints of interference by T-Mobile and determined that it was being caused by an Antminer s5 Bitcoin Miner device. The letter states that the determination was specific to this particular device, and is not meant to suggest or find that all Antminer s5 devices cause unlawful interference. As a consequence, the letter does not suggest that all Bitcoin mining devices raise regulatory concerns.

Nevertheless, the letter is an important reminder that while consumer electronics products such as the Antminer s5 do not require an FCC license to operate, they emit radiofrequency energy and therefore must operate within certain parameters to avoid causing harmful interference to other devices or networks.