On June 28, California Governor Jerry Brown signed AB 129, which repeals a state ban on the issuance or circulation of anything but lawful money of the United States. As described in a legislative staff analysis of the bill, the repeal is designed to ensure that forms of alternative currency such as digital currency, points, coupons, or other objects of monetary value do not violate the law when those methods are used for the purchase of goods and services or the transmission of payments in California.
On July 17, the New York DFS announced a proposal to establish a licensing regime for virtual currency businesses, the first by any state. In January, the DFS held a two-day hearing on developing a regulatory framework for virtual currency firms, and subsequently sought applications for virtual currency exchanges pending completion of the regulations. The proposed regulations define virtual currency as “any type of digital unit that is used as a medium of exchange or a form of digitally stored value or that is incorporated into payment system technology.” This would include digital units of exchange that: (i) have a centralized repository or administrator; (ii) are decentralized and have no centralized repository or administrator; or (iii) may be created or obtained by computing or manufacturing effort. It would exclude digital units that are used solely within online gaming platforms or that are used exclusively as part of a customer affinity or rewards program.
Under the proposal, the state would require companies engaged in the following activities to obtain a so-called BitLicense: (i) receiving or transmitting virtual currency on behalf of consumers; (ii) securing, storing, or maintaining custody or control of such virtual currency on the behalf of customers; (iii) performing retail conversion services; (iv) buying and selling virtual currency as a customer business (as distinct from personal use); or (v) controlling, administering, or issuing a virtual currency. To obtain a license, a business would be required to, among other things: (i) hold virtual currency of the same type and amount as any virtual currency owed or obligated to a third party; (ii) provide transaction receipts with certain required information; (iii) comply with AML rules; (iv) maintain a cyber security program; and (v) establish business continuity and disaster recovery policies. Licensed entities would be subject to DFS supervision, with examinations taking place no less than once every two calendar years. The proposal will be published in the New York State Register’s July 23, 2014 edition, which begins a 45-day public comment period.
On July 4, the European Banking Authority (EBA) released an Opinion that outlines for the EU Council, the European Commission, and the European Parliament requirements that would be needed to regulate virtual currencies. The EBA identified more than 70 risks across several categories and numerous causal drivers for those risks, including that (i) a virtual currency scheme can be created, and then its function subsequently changed, by anyone, and in the case of decentralized schemes, by anyone with a sufficient share of computational power; (ii) payer and payee can remain anonymous; (iii) virtual currency schemes do not respect jurisdictional boundaries and may therefore undermine financial sanctions and seizure of assets; and (iv) market participants lack sound corporate governance arrangements. To address those drivers, the EBA believes a regulatory framework would need to comprise, among other elements: (i) governance requirements for certain market participants; (ii) segregation of client accounts; (iii) capital requirements; and (iv) the creation of “scheme governing authorities” accountable for the integrity of a virtual currency scheme and its key components, including its protocol and transaction ledge. Given that the creation of such a regulatory framework will take time, the EBA recommends that European national prudential regulators take action in the immediate term to discourage financial institutions from buying, holding or selling virtual currencies while no regulatory regime is in place. In addition, the EBA recommends that EU legislators consider declaring market participants at the direct interface between conventional and virtual currencies, such as virtual currency exchanges, to become “obliged entities” under the EU Anti Money Laundering Directive and thus subject to its anti-money laundering and counter terrorist financing requirements. The EBA report follows a recent reportby the inter-governmental Financial Action Task Force (FATF) that provides an overview of virtual currency terms, markets, risks, and law enforcement actions announced to date.
On July 3, the CFPB published a report on its study of the use of remittance histories in credit scoring, which found that (i) remittance histories have little predictive value for credit scoring purposes, and (ii) remittance histories are unlikely to improve the credit scores of consumers who send remittance transfers. The report follows a 2011 CFPB report on remittance transfers, which was required by the Dodd-Frank Act and assessed, among other things, the feasibility of and impediments to using remittance data in credit scoring. At that time, the CFPB identified a number of potential impediments to incorporating remittance history into credit scoring, and noted the need for further research to better address the potential impact of remittance information on consumer credit scoring. Read more…
On June 27, the GAO released a May 2014 report regarding virtual currency. The leaders of the Senate Homeland Security and Governmental Affairs Committee asked the GAO to examine potential policy issues related to virtual currencies and the status of federal agency collaboration in this area. The report summarizes virtual currency policy developments to date, and provides an overview of various interagency working groups and the ways each has so far addressed virtual currencies. The GAO concludes that consumer protection issues have largely not been addressed by the working groups, and recommends that the CFPB identify and join existing interagency working groups to ensure that consumer protection issues are considered as those groups develop virtual currency policies. In response to the report, the CFPB stated that it has been doing its own work on virtual currency, and has collaborated informally, but agreed that it should participate formally in interagency working groups.
On June 23, the ICBA and The Clearing House published a white paper on virtual currency that (i) defines virtual currency and describes the current regulatory environment; (ii) describes key players in the Bitcoin system; (iii) discusses the application of certain functional and prudential payment system regulations that may be applied to the Bitcoin system and other convertible decentralized virtual currencies; and (iv) evaluates potential regulation of virtual currency, virtual currency investment programs, and exchanges. The paper concludes, among other things, that: (i) credentials used to transact in Bitcoin are functionally similar to prepaid cards and arguably fall within the definition of such cards provided in Regulations E and II; and (ii) the CFPB may determine that cross-border transactions in Bitcoin fall within the scope of the CFPB’s Remittance Transfer Rule, which would require entities facilitating such transfers to comply with the rule’s disclosure, reversibility, and error-resolution requirements. The paper discusses potential safety and soundness oversight for entities in the Bitcoin system. It also suggests that existing regulations intended to protect consumers and market participants in the event of the failure of a securities or commodities exchange may be inapplicable to Bitcoin exchanges, and that alternative means of protecting investors and accountholders—such as disclosure requirements and coordinated state-level registration of exchanges—should be explored.
On June 5, the FDIC and a Delaware bank entered a consent order that prohibits the bank from entering into any new relationships with third-party prepaid card processors or prepaid card program managers until the FDIC approves a written report from the bank that details the steps taken by the bank to (i) implement new BSA compliance policies and procedures; (ii) improve staff training; (iii) implement controls sufficient to mitigate BSA and safety and soundness risk associated with prepaid card, credit card merchant acquiring, and ACH activities; and (iv) perform a BSA risk assessment. The order similarly restricts the bank’s activities related to credit card merchant acquiring and ACH merchant payment processing. The order does not prohibit the bank from issuing prepaid cards through existing distribution channels under existing contracts with third-parties, but does restrict certain activities related to existing credit card and ACH processing activities. In addition, the bank must (i) retain and designate BSA and OFAC officers; (ii) conduct a suspicious activity reporting look-back review; and (iii) submit periodic progress reports. Finally, the order requires increased board supervision of the bank’s BSA compliance program and mandates the creation of a board-level BSA committee.
Eighth Circuit Holds Bank That Complied With Reasonable Security Procedures Not Responsible For Loss Of Funds From Fraudulent Payment
On June 11, the U.S. Court of Appeals for the Eighth Circuit held that under the Uniform Commercial Code a bank that complied with commercially reasonable security measures was not responsible for a customer’s loss resulting from a fraudulent payment. Choice Escrow & Land Title, LLC v. BancorpSouth Bank, No. 13-1879, 2014 WL 2598764 (8th Cir. Jun. 11, 2014). The customer sued the bank claiming that a $440,000 wire transfer from its account through the bank’s internet wire transfer system was fraudulently initiated by a third-party. The court explained that Article 4A of the Uniform Commercial Code permits a bank to take steps to protect itself from liability by implementing commercially reasonable security procedures, and if the bank complies with these procedures in good faith and in accordance with the customer’s instructions, the customer bears the risk of loss from a fraudulent payment order. The parties agreed that the bank complied with its security procedures in accepting the payment order that resulted in the loss for the customer, but disputed whether (i) the bank’s security procedures were commercially reasonable, (ii) the bank accepted the payment order in good faith, and (iii) the bank accepted the payment order in compliance with the customer’s written instructions. The court concluded that the bank’s security procedures, which included password protection, daily transfer limits, device authentication, and dual control, were commercially reasonable because the bank followed 2005 FFIEC guidelines and further enhanced its security to address threats not considered by that potentially outdated guidance. Moreover, the court held that the customer assumed the risk of failure of security procedures by declining some of those procedures. The court also held that in promptly executing a payment order that had cleared its commercially reasonable security procedures, and absent any independent reason to suspect the payment was fraudulent, the bank acted in good faith in processing the payment. Finally, the court determined that an inquiry from the customer as to whether it would be possible for the bank to stop foreign wire transfers did not constitute an instruction to the bank, and therefore the bank did not violate any written instruction from the customer. Based on these holdings, the court concluded that, under the UCC, the loss of funds from the customer’s account fall on the customer and not the bank.
On June 6, the Kansas Office of State Bank Commissioner (OSBC) issued guidance on the regulatory treatment of virtual currencies under the Kansas Money Transmitter Act (KMTA). The guidance focuses on money transmission activities involving decentralized cryptocurrencies, such as Bitcoin. The guidance states that cryptocurrencies in their current form are not covered by the KMTA because they do not fall within the definition of “money”—no cryptocurrency is currently authorized or adopted by any governmental entity as part of its currency—or “monetary value”—there is no recognized standard of value or set value for a single unit of a cryptocurrency. The guidance explains that since the KMTA does not apply to transmission of decentralized cryptocurrencies, an entity engaged solely in the transmission of such currency is not required to obtain a money transmitter license. The guidance adds that, if transmission of virtual currency includes the involvement of sovereign currency in a transaction, it may be considered money transmission depending on how the transaction is organized. The guidance provides several examples of common types of transactions involving cryptocurrency and whether the KMTA applies to each, and outlines for cryptocurrency businesses that conduct money transmission, and entities engaged in money transmission, actions necessary to comply with state law, including licensing.
On June 3, Visa announced that it teamed with Pew Charitable Trusts to develop voluntary prepaid card standards and a designation for cards that meet those standards. To qualify for the designation, which Visa believes “will signify a new level of simplicity, protection and opportunity,” a prepaid card must have the following features: (i) flat monthly fee covering all basic activities; (ii) no additional charges for declined transactions, customer service, in-network ATM withdrawal or balance inquiries, PIN or signature transactions, cash back at point of sale, or overdrafts; (iii) “consumer friendly” communication of fees—e.g. fee box and disclosures; and (iv) “quick-use guide” for using the card at the lowest cost. In addition, issuers seeking the designation must provide the following consumer protections: (i) individual FDIC/NCUA insurance; (ii) Regulation E dispute resolution rights; (iii) coverage under Visa’s zero liability policy; and (iv) access to Visa’s Prepaid Clearinghouse Service to assist with fraud prevention.
On May 29, the House Oversight Committee released a staff report on Operation Choke Point, DOJ’s investigation of banks and payment processors purportedly designed to address perceived consumer fraud by blocking fraudsters’ access to the payment systems. The report provides the following “key findings”: (i) the operation was created by DOJ to “choke out” companies it considers to be “high risk” or otherwise objectionable, despite the fact that those companies are legal businesses; (ii) the operation has forced banks to terminate relationships with a wide variety of lawful and legitimate merchants; (iii) DOJ is aware of these impacts and has dismissed them; (iv) DOJ lacks adequate legal authority for the initiative; and (v) contrary to DOJ’s public statements, Operation Choke Point is primarily focused on the payday lending industry, particularly online lenders. The findings are based on documents provided to the committee by DOJ, including internal memoranda and other documents that, among other things, “acknowledge the program’s impact on legitimate merchants” and show that DOJ “has radically and unjustifiably expanded its [FIRREA] Section 951 authority.” The committee released the nearly 1,000 pages of supporting documents, which are available in two parts, here and here.
On May 16, the Conference of State Bank Supervisors Emerging Payments Task Force held a public hearing to examine the changing payments landscape and opportunities and risks presented by current and emerging technologies. The Legacy Payment Systems panel focused on continued efforts to improve efficiency and speed while simultaneously “preserving consumer confidence and system stability.” The Retail Payments Innovations panelists described innovative electronic and mobile payment systems and suggested that further innovation would be best supported by existing regulatory framework, which offers sufficient consumer protections. Finally, the Virtual Currencies panel urged state and federal regulators to “provide clear and consistent regulatory expectations and guidance without restricting innovation.” The event was the most recent of a number held by federal and state policymakers to address the proliferation of emerging financial technologies used to move money and transfer funds, which range from enhancements of traditional ACH or credit and debit methods of payment to virtual currencies that disrupt the traditional model. The CSBS is expected to use public hearings like this one to develop a proposed regulatory framework for state agencies.
On May 19, the Senate Banking Committee’s chairman and ranking member, Senators Tim Johnson (D-SD) and Mike Crapo (R-ID), sent a letter to the leaders of the Treasury Department, the SEC, the CFTC, the OCC, the FDIC, and the Federal Reserve Board regarding recent developments in the use of virtual currencies and their interaction with the global payment system. The Senators ask the regulators a series of questions related to the role of virtual currencies in the U.S. banking system, payment system, and trading markets, and the current role of federal regulators in developing local, national, and international enforcement policies related to virtual currencies. The Senators also seek the agencies’ expectations on virtual currency firms’ BSA compliance, and ask whether an enhanced regulatory framework for virtual currencies is needed.
On May 12, the Connecticut Department of Banking issued a consumer advisory about risks associated with virtual currencies. The advisory provides background information and highlights benefits of virtual currency, but cautions that: (i) virtual currency is subject to minimal regulation and is susceptible to cyberattacks; (ii) virtual currency accounts are not backed by the FDIC; (iii) investments tied to virtual currency are volatile; (iv) investors in virtual currency reply upon “unregulated companies that may lack appropriate internal controls and may be more susceptible to fraud and theft than regulated financial institutions;” and (v) investors will have to rely upon the strength of their own computer security systems, as well as security systems provided by third parties to protect from cyberattacks.
On May 6, the U.S. House of Representatives passed by voice vote three financial services bills: (i) H.R. 2672, which would require the CFPB to allow individuals and businesses to apply to have an area designated as “rural” for purposes of exemptions to the CFPB mortgage rules; (ii) H.R. 3329, which would require the Federal Reserve Board to allow bank holding companies and savings and loan holding companies with assets of less than $1 billion to incur higher amounts of debt when acquiring other banks than are allowed for larger holding companies—the current asset ceiling for that special allowance is $500 million and applies only to bank holding companies; and (iii) H.R. 4386, which would permit FinCEN, in fulfilling its responsibility to supervise registered money services businesses (MSBs), to rely on state agency examinations of MSBs that provide international remittance transfer services and other non-bank financial institutions such as gaming establishments and jewel merchants.