Fintech Legal Report – September 2021 | Perkins Coie

Weekly Fintech Focus

• Federal banking agencies publish a guide for community banks on dealing with financial technology companies.
• The CFPB publishes its long-awaited rule proposal on small business credit data.

Federal banking agencies release guide for community banks on exercising due diligence on fintech companies

On August 27, 2021, the Federal Banking Agencies (Federal Reserve, FDIC, and OCC) released “Conducting Due Diligence on FinTech Companies: A Guide for Community Banks” (the Guide). The Guide is intended to serve as a resource for bank management when performing due diligence on potential relationships with FinTech companies. Although the Guide covers community banks, the content can be useful for banks of all sizes and for other types of third party relationships.

The Guide builds on existing federal bank branch oversight guidelines on third-party risk management and is consistent with the agencies’ July 19 proposal to harmonize their existing branch-specific guidelines into a single document applicable to all organizations. banks supervised by the federal government.

The guide highlights six key fintech relationship due diligence topics and discusses relevant considerations, potential sources of information, and illustrative examples. The top six due diligence topics are:

1. Business experience and qualifications – A bank can take into account the business experience of fintech, such as its operational history, customer references and complaints, and any legal or regulatory action against the fintech company. The strategic plans of a fintech are also important for sustaining the service that the fintech provides to the bank. Finally, the experience of fintech managers and administrators is relevant to understanding the expertise of fintech in a given field.
2. Financial condition – The financial position of a fintech can be found in its financial statements, annual reports and public market data. Information about the competitive environment for fintech could also inform a bank about the viability of fintech.
3. Legal and regulatory compliance – A bank can examine the organizational documents and regulatory documents of the fintech, as well as seek legal actions against the fintech company. The policies and procedures of a fintech can also provide insight into a company’s compliance posture.
4. Risk management and controls – Information about a fintech’s risk management and controls can be found in places such as its policies and procedures, self-assessments and audit reports. Parties could also define risk and performance expectations in light of the criticality of functions provided by fintech to the bank.
5. Information security – A bank can review the fintech’s incident management and response policies and assessments, and ask the fintech to complete the information security control assessments. Depending on the service provided, different information security processes and protections will need to be in place.
6. Operational resilience – A bank can assess a fintech’s business continuity plans, incident response plans, disaster recovery plans and related tests to assess the resilience of the fintech. Banks can also determine where fintech data will reside, nationally or internationally.

While the Guide is tailored for fintechs, it does not set new expectations or requirements specific to fintechs. Rather, the Guide reinforces the fact that banks can approach relationships with FinTech companies the same way they would any other relationship with third parties.

CFPB publishes long-awaited draft rule on small business credit data

On September 1, 2021, the Consumer Financial Protection Bureau (CFPB) released a Notice of Proposed Regulatory Proposal (NPRM) designed to help small businesses access credit by increasing transparency in the lending market. Under Section 1071 of the Dodd-Frank Act, which amended the Equal Credit Opportunity Act, the proposed rule would require financial institutions to collect and report to CFPB certain data regarding claims. credit from women, minorities and small businesses. The CFPB proposes to define a “small business” as a business with a gross annual turnover of $ 5 million or less for the previous fiscal year.

According to the press release issued by the CFPB, the purpose of this rule is to better understand the challenges small businesses face when trying to access finance and ways to improve lending practices. Based on the information provided in the NPRM summary, if the proposed rule is finalized, it would effectively create the first comprehensive and qualitative database of small business credit applications in the United States with the aim of placing more emphasis on the small business segments. markets which have traditionally faced significant obstacles in terms of securing financing.

The proposed rule would apply to the following “covered financial institutions” that engage in small business loans: (i) deposit-taking institutions, (ii) online lenders, (iii) platform lenders, (iv) ) community development finance institutions, (v) lenders involved in equipment and vehicle finance, (vi) trade finance companies, (vii) government lending entities and (viii) non-profit lenders lucrative and non-custodial. In addition, the CFPB proposes to define “covered credit transactions” to include loans, lines of credit, credit cards and cash advances to merchants. However, trade credit, utility credit, securities credit and ancillary credit do not fall within the definition proposed under the proposed rule.

Covered financial institutions would be required to collect and report data from information provided by the applicant for small business credit, including, but not limited to, the type of credit (which includes product information from credit, types of guarantees and loan term); the purpose of the loan; the amount requested; the location of the applicant’s business; the gross annual income of the applicant’s previous full financial year; the number of employees; the duration of the applicant’s activity; and the number of primary owners. Covered financial institutions will also need to collect and report additional information such as whether the applicant is a minority-owned and / or female-owned business and the self-reported ethnicity, race and gender of the applicant’s primary owners. .

The CFPB invited comments on questions covering a number of topics such as (i) how to define a small business for the purposes of this data collection; (ii) how best to collect price information for transparency of the cost of credit to small businesses; and (iii) how to balance the benefits of public disclosure with the risk to privacy interests. Additionally, CFPB has launched a new portal designed to encourage small business entrepreneurs to share their stories about credit applications to help CFPB better understand the challenges small businesses face in this area.

Importantly, the proposed rule does not provide any size-based exemption for covered financial institutions, which have started to arouse objection from community banks due to the regulatory burden it would impose. This is of particular concern given the impact the COVID-19 pandemic has had on small businesses and the increased need for small business loans. Small financial institutions will be interested in the burden this proposed rule could place on operations related to the rule’s data collection obligations and how this may affect its ability to lend to small businesses. The privacy and protection of personal data that will be made public in this database is another issue of which the CFPB is aware and which will likely cause public concern during the NPRM’s comment period. At the same time, many stakeholders are happy that the CFPB is taking action to implement this rule and see it as an important effort to help tackle the systemic discrimination of some small businesses and other unfair lending practices. .

If the proposed rule is finalized in its current form, covered financial institutions will have 18 months after the publication of the final rule to comply. The public comment period is 90 days from publication in the Federal Register, and the CFPB does not currently foresee an extension of the deadline.

[View source.]