On July 9, the CFPB issued a set of guiding principles aimed to help private industry better protect consumers as new, faster electronic payment systems continue to emerge. “While American consumers benefit from and make use of these payment systems, there remain opportunities to improve efficiency, reduce transaction costs for consumers, and reduce credit and fraud risks,” the CFPB’s announcements stated. Accordingly, the principles advocate for more secure, transparent, accessible, and affordable networks for consumers, and recommend proposals concerning funds availability, fraud and error resolution, and privacy concerns. The Bureau’s announcement comes as the Federal Reserve is currently engaged in an initiative to improve the U.S. payment systems network.
On July 21, the Federal Reserve Board of Governors announced the members of the Faster Payments and Secure Payments Task Force as described in the Strategies for Improving the U.S. Payment System white paper released earlier this year. The committees will advise the Federal Reserve task force chair on meeting agendas, and help prioritize various task force activities, among other payments initiatives. The members include various interest groups representing industry, tech, and government, among others. More information about the task forces and the Fed’s payments improvement initiatives can be found at fedpaymentsimprovement.org.
Just returning from a blockchain workshop in London, where I worked with a number of incredible people to consider solutions to some of the pressing regulatory issues impacting the blockchain technology. While considering these issues I wondered if Bitcoin had gained popularity solely as a protocol and not as a currency, would it have evolved faster and more readily. The almost instantaneous (compared to current standards) transfer of value across the globe would be just one component of the potential possibilities for the technology as recognized by the mainstream public. A secure ledger of property ownership, notarization, recordation of wills and trusts, claims for corporate names and intellectual property – all would be pursued at a much faster, or perhaps more public, pace. Currently, progressive financial institutions have announced their active experiments with the technology, while others quietly research the potential use cases.
The opportunities for developing a cryptographic, distributed, public ledger are endless, rendering predictions for the future, even 5 years from now, difficult. What is clear is that the way we conduct financial transactions will be forever altered – for the better. Payments and payment systems will be more efficient, secure, faster, and less expensive for all in the ecosystem and will also lead to financial inclusion. Government regulation – while antithetical to the original thesis of the Bitcoin protocol – is a necessary component of the “algorithm” as the protection of the public from acts of terrorism and other crimes is in everyone’s interest. So let’s work with it, think creatively about it, and help prepare the protocol, governments and the public for the next 5 years.
Financial Action Task Force Issues Guidance Urging Risk-Based Approach to Virtual Currencies and Services
On June 29, the Financial Action Task Force (FATF) issued a report, Guidance for a Risk-Based Approach to Virtual Currencies,part of a staged approach focusing on the points of intersection that provide gateways to the regulated financial system, in particular, convertible virtual currency exchangers. The Guidance explains the application of the risk-based approach to AML/CFT measures in the virtual currency context, identify the entities involved in virtual currency payment products and services (VCPPS), and clarify the application of the relevant FATF Recommendations to convertible virtual currency exchangers. The guidance provides, among other things, recommendations and encourages member nations to adopt regulations and guidelines similar to those applicable to traditional financial institutions to reduce risk exposure to the banking system.
On June 25, Federal Reserve Governor Jerome Powell delivered remarks at a payments conference hosted by the Federal Reserve Bank of Kansas to discuss improvements to the U.S. payments system. Specifically, Powell advised that payment system participants must work together to improve the payment system, stating “[A]t a minimum, banks, merchants, and other institutions that process or store sensitive financial information need to keep their hardware and software current to the latest industry standards.” He noted that the Federal Reserve has established two task forces regarding the U.S. payment system, one geared towards faster payments and the other geared towards payment security. Powell cited the use of EMV chip cards and tokenization technology as examples of effective payment security measures. In addition, Powell discussed the importance of proactive efforts to implement preventative measures to prepare for potential cyber-attacks or data breaches.
On June 8, Net 1 UEPS Technologies, Inc., a South Africa-based mobile payments company incorporated in Florida, announced that the SEC had closed a FCPA investigation arising out of a contract with the South African Social Security Agency. The SEC and the DOJ opened parallel investigations in November 2012, and the DOJ investigation remains ongoing. Net 1 has asserted that the investigation was instigated by one of the losing bidders on the contract.
OCC Comptroller Discusses Emerging Payment Systems Technology and Cybersecurity, FFIEC Set to Release Cybersecurity Assessment Tool
On June 3, in prepared remarks delivered at the BITS Emerging Payments Forum, OCC Comptroller Thomas Curry advised that as financial institutions continue to develop payment systems, banks need better preparation for potential cyber-risks. Curry warned that “[c]yber criminals will also probe emerging payment systems for vulnerabilities that they can exploit to engage in money laundering[.]” In addition, Curry advocated for more regulatory oversight of digital currencies and non-bank mobile payment providers, such as ApplePay and Google Wallet. Addressing cybersecurity concerns, Curry called for increased information-sharing to promote best practices and strengthen cybersecurity readiness among the banking industry. In particular, he urged financial institutions – of all sizes – to participate in the Financial Services Information Sharing and Analysis Center, or FS-ISAC, a non-profit founded by the banking industry to facilitate the sharing and dissemination of cybersecurity threat information. Moreover, Curry confirmed that the FFIEC will soon be releasing a Cybersecurity Assessment Tool for financial institutions to use when evaluating their cybersecurity risks and risk management capabilities, observing that the tool will be particularly helpful to community banks as cybersecurity threats continue to increase.
On May 27, the Governor of New York State announced that the state Department of Labor published new proposed rules intended to better regulate employers who pay their employees using debit cards. The proposed regulations detail the responsibilities of employers that use debit cards to pay employees, and prohibit employers from profiting from or passing along costs to employees. In addition, the proposed rules prohibit employers from imposing fees (such as those for customer service, account maintenance, overdraft, and inactivity), and require employers to (i) obtain advance consent, which must be documented and kept on record for six years; (ii) make known to employees the local locations where their wages can be accessed for free; and (iii) provide unlimited free ATM withdrawals within a local network, including a method to withdraw the full amount of wages each pay period without penalty. The regulations will take effect following a 45-day notice and comment period.
On May 5, a virtual currency company and its subsidiary agreed to pay a $700,000 civil money penalty for violating multiple provisions of the Bank Secrecy Act (BSA), in which both companies acted as a money service business and seller of virtual currency without properly registering with FinCEN, as well as, failed to implement and maintain an adequate anti-money laundering (AML) program. Furthermore, according to a Statement of Facts and Violations, FinCEN also charged the subsidiary for not filing or untimely filing suspicious activity reports related to several financial transactions. In addition to the civil money penalty, terms of the agreement require both companies to, among other things, (i) engage in remedial steps to ensure future compliance with AML statutory obligations; and (ii) enhance their current internal measures for compliance with the BSA. In a separate DOJ announcement, both companies entered into a settlement agreement to resolve potential criminal charges with the U.S. Attorney’s Office in the Northern District of California. Under terms of the DOJ settlement, both companies agreed to forfeit a total of $450,000, which will be credited to satisfy FinCEN’s $700,000 penalty, in exchange for the government not criminally prosecuting the companies for the aforementioned conduct.
On May 7, NYDFS granted its first charter to a New York-based commercial Bitcoin exchange. In February, the company requested a charter under the NYDFS’s application process, which included a thorough review of the company’s anti-money laundering, capitalization, consumer protection, and cyber security standards. Under the New York Banking Law, the company can start its operations immediately, but is subject to continual supervision by the NYDFS. Indeed, Superintendent Lawsky noted, “regulation will ultimately be important to the long-term health and development of the virtual currency industry.”
Tennessee Enacts Legislation Requiring Payment Service Providers to Provide Adequate Disclosures to Merchants
On April 17, the Tennessee Governor Bill Haslem signed H.B. 547, which requires the disclosure of fees and other details in contracts entered into by payment service providers with merchants located within the state. The legislation requires the payment service providers to provide merchants with information detailing where the merchant can obtain access to operating rules, regulations, and bylaws under the agreement. In addition, the law requires payment service providers to disclose (i) the effective date of the agreement; (ii) terms of the agreement; (iii) any provisions relating to early termination or cancellation of the agreement; and (iv) a full schedule of all payment services fees with respect to the credit card, debit card, or other payment services under the agreement. The law also requires payment service providers to supply merchants with a monthly statement of fees, total value of transactions, and in some cases the aggregate fee percentage.
On March 23, the FTC announced – via blog post – the formation of the Office of Technology Research and Investigation (OTRI), a newly formed research office within its Bureau of Consumer Protection. The OTRI succeeds the Mobile Technology Unit and will have an enhanced mission within the FTC to investigate technology issues encompassing privacy, data security, automobiles, smart phones, smart homes, emerging payment methods, Internet of Things, and big data.
On March 23, Department of the Treasury’s OFAC announced a settlement agreement with a large money services business (MSB) for failing to implement an effective compliance program “to identify, interdict, and prevent transactions in apparent violation of the sanctions programs administered by OFAC.” According to the settlement, prior to the MSB’s 2013 “long term solution” to screen its transactions in real time against OFAC’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”), deficiencies in the company’s transaction monitoring compliance procedures allowed for the processing of hundreds of transactions with OFAC-sanctioned individuals and countries. Specifically, OFAC alleged that from October 20, 2009 to April 1, 2013, the MSB processed over 100 transactions to or from an account registered to an individual on the SDN List because its “automated interdiction filter” did not initially identify the account holder as a potential match to the SDN List, and when it did, the MSB Operations Agents dismissed alerts on six separate occasions after failing to obtain or review documentation corroborating the identity of the SDN. Under the terms of the agreement, the MSB will (i) pay over $7 million to the Department of the Treasury and (ii) within six months, provide OFAC a summary of the company’s current policies and procedures as they relate to screening transactions and/or customers” to ensure compliance with OFAC regulations.
Recently, FinCEN announced a $1 million civil money penalty against the former Chief Compliance Officer (CCO) of a large financial services company for allegedly violating the Bank Secrecy Act (BSA) and its implementing regulations. In its complaint, FinCEN alleges that the CCO, from 2003 through 2008, failed to implement and maintain an effective AML program and file timely Suspicious Activity Reports as required by the BSA. As a result, the company’s money transfer system was used to carry out fraudulent activities causing customers to incur substantial losses. In addition to the penalty, FinCEN is seeking to prohibit the former CCO from participating, directly or indirectly, in the affairs of any financial institution.
Special Alert: CSBS Issues Policy, Draft Model Regulatory Framework, and Request for Comment Regarding State Regulation of Virtual Currency
On December 16, 2014, the Conference of State Bank Supervisors (“CSBS”) issued a Policy on State Regulation of Virtual Currency (the “Policy”), Draft Model Regulatory Framework, and a request for public comment regarding the regulation of virtual currency. The Policy and Draft Model Regulatory Framework were issued through the work of the CSBS Emerging Payments Task Force (the “Task Force”). The Task Force was established to explore the nexus between state supervision and the development of payment systems and is seeking to identify where there are consistent regulatory approaches among states.
As a result of its work to date, the Policy recommends that “activities involving third party control of virtual currency, including for the purposes of transmitting, exchanging, holding, or otherwise controlling virtual currency, should be subject to state licensure and supervision.” The Policy states that state regulators have determined certain activities involving virtual currency raise concerns in three areas: consumer protection, marketplace stability, and law enforcement. Read more…