Photo of Mark Furletti

Mark helps clients navigate regulatory risks posed by state and federal laws aimed at protecting consumers and small business, particularly in connection with credit, deposit, and payments products. He is a trusted advisor, providing practical legal counsel and advice to providers of financial services across numerous industries.

Yesterday, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency (collectively, the agencies) issued a joint statement highlighting potential risks associated with banks’ arrangements with third parties to deliver bank deposit products and services. While the information is not new, it clearly memorializes the issues that have been at the forefront of recent enforcement actions involving banks operating under a Banking-as-a-Service (BaaS) model.

On March 29, the Federal Crimes Enforcement Network (FinCEN), in collaboration with other federal agencies, issued a Notice and Request for Information and Comment (Notice and Request) seeking public comment on its proposal to amend the Customer Identification Program (CIP) Rule requirement for banks to collect a taxpayer identification number, among other information, from a U.S. customer prior to opening an account. Usually, for a U.S. customer this requires banks to collect a full Social Security number (SSN). The amendment comes in response to pressure from fintechs, specifically providers of buy-now, pay-later products that rely on bank partners, for an accommodation from the CIP Rule.

We are pleased to share our annual review of regulatory and legal developments in the consumer financial services industry. With active federal and state legislatures, consumer financial services providers faced a challenging 2023. Courts across the country issued rulings that will have immediate and lasting impacts on the industry. Our team of more than 140 professionals has prepared this concise, yet thorough analysis of the most important issues and trends throughout our industry. We not only examined what happened in 2023, but also what to expect — and how to prepare — for the months ahead.

On January 2, New York Governor Kathy Hochul unveiled her 2024 consumer protection agenda, which includes plans to regulate the “buy now, pay later” (BNPL) industry. Specifically, Governor Hochul plans to propose legislation to require BNPL providers to be licensed in the state and to authorize the New York State Department of Financial Services to propose and issue regulations for the industry. According to Governor Hochul, “New Yorkers are increasingly turning to [BNPL] loans as a low-cost alternative to traditional credit products to pay for everyday and big-ticket purchases. This legislation and regulations will establish strong industry protections around disclosure requirements, dispute resolution and credit reporting standards, late fee limits, consumer data privacy, and guidelines to curtail dark patterns and debt accumulation and overextension.”

On October 13, California Governor Gavin Newsom signed into law Senate Bill 666, which amends the California Financing Law to prohibit a covered entity from charging certain fees in connection with a commercial financing transaction with a small business. Under the law, a small business is defined as an independently owned and operated business, with its principal office located in California, its officers domiciled in California, and, together with affiliates, 100 or fewer employees and average annual gross receipts of $15 million or less over the previous three years. “Covered entities” do not include depository institutions.

Earlier this month, the California Department of Financial Regulation and Innovation (CA DFPI) announced a new rule expanding the definition of unfair, deceptive and abusive acts and practices (UDAAP) to commercial financing. Specifically, the rule makes it unlawful “for a covered provider to engage or have engaged in any unfair, deceptive, or abusive act or practice in connection with the offering or provision of commercial financing or another financial product or service to a covered entity.” The new rule also includes annual reporting requirements (described below) for any covered provider who makes more than one commercial financing transaction to covered entities in a 12-month period or who makes five or more commercial financing transactions to covered entities in a 12-month period that are “incidental” to the business of the covered provider. Importantly, this rule does not apply to banks, credit unions, federal savings and loan associations, current licensees of the CA DFPI or licensees of other California agencies “to the extent that licensee or employee is acting under the authority of” the license.

As discussed here, on April 26, the Texas Bankers Association, the American Bankers Association (ABA), and Rio Bank, McAllen, Texas (Rio Bank) filed a complaint in the U.S. District Court for the Southern District of Texas challenging the Consumer Financial Protection Bureau’s (CFPB or Bureau) final rule under § 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Final Rule). As discussed here, § 1071 amended the Equal Credit Opportunity Act (ECOA) to impose significant data collection and reporting requirements on small business creditors. The plaintiffs’ complaint relied heavily on the Fifth Circuit’s decision in Community Financial Services Association (CFSA) v CFPB, finding the CFPB’s funding structure unconstitutional and, therefore, rules promulgated by the Bureau invalid. The CFPB’s appeal of the Fifth Circuit’s decision is currently pending before the U.S. Supreme Court (discussed here).