Alston & Bird Consumer Finance Blog

Banking Regulatory Agencies

Financial Services Advisory | The (Bay) State of the Model Money Transmission Modernization Act

By ,

Executive Summary
7 Minute Read

Massachusetts has joined the growing list of states that have at least partially adopted the Model Money Transmission Modernization Act. Our Financial Services Group examines the model act, how the Bay State has adopted it, and the implications for money transmitters.

  • The Massachusetts act applies to any entity that transfers money within the United States
  • The act only applies to consumer transactions, a major difference from the national model
  • Requirements of the act take effect January 1, 2026

________________________________________________

Massachusetts is the first state of 2025 to sign its version of the Model Money Transmission Modernization Act into law. The model act is a set of nationwide standards for the supervision and regulation of money transmitters created by state and industry experts and approved by the Conference of State Bank Supervisors (CSBS) in 2021. Since then, 25 states have enacted legislation to adopt, in whole or in part, a version of the model act.

Both the governor and state commissioner of banks emphasized the need to protect consumers and pointed to the widespread use of peer-to-peer payment applications as an important reason for adopting the new law. While regulation of businesses offering peer-to-peer payment services may have been a goal, the new law is far more comprehensive than the current framework, which addresses cross-border money transmissions and the sale of checks or money orders.

Scope of the New Massachusetts Act

Historically, Massachusetts has only required entities engaging in the business of selling, issuing, or registering checks or engaging in foreign money transmission activities, such as facilitating cross-border transactions, to obtain licenses. The new law repeals the prior law and replaces it with a statutory framework influenced by the model act. The new law applies to any entity that provides transfers of money between individuals or entities within the United States if it does not otherwise qualify for an exemption.

Specifically, the new law regulates the following activities as “money transmission”: (1) the sale or issuance of payment instruments to a person in Massachusetts; (2) the sale or issuance of stored value to a person in Massachusetts; or (3) the receipt of money for transmission from a person in Massachusetts.

In addition to expanding the scope, the new law incorporates key provisions from the model act, including express exemptions for operators of payment systems providing processing, clearing, or settlement services and for entities acting as agents of payees in accordance with statutory requirements.

Comparison to Model Act

While closely modeled on the model act, the new law does differ from the model act in a few notable ways.

Expressly for consumer purposes only

The definition of “money transmission” in the new law refers to the provision of such services to individuals and corporate entities. At the same time, the definition is expressly limited to “transactions engaged in by a person for personal, family or household purposes.” This addition limits the scope of the new law to consumer purposes. In contrast, the model act does not specify the purpose of the transactions, implying that it applies to both consumer and commercial transactions.

Silent on payroll processing services

The new law did not adopt the model act’s explicit inclusion of “payroll processing services” in its definition of money transmission. However, it did not expressly exempt payroll services, as is the case in other states, such as California.

The Division of Banks has posted select opinions interpreting the current law, including one as recently as November 2024, providing guidance on the licensing requirements for payroll and employee benefit services. The division concluded the services provided by the payroll service provider were not licensable under the state’s laws on cross-border money transmissions because none of the services involved the “transfer of money to foreign countries,” although certain other check services were licensable under the state’s laws on the sale of checks or money orders.

In reaching this conclusion, the deputy commissioner of banks and general counsel cautioned that “legislation has been filed that would overhaul the licensing and regulation of money transmission and would include domestic money transmission within the licensure requirement.”

Although Massachusetts may interpret payroll processing services as falling under the category of commercial services exempted by the limitations on money transmission set forth in the new law, recent guidance has focused on the presence of foreign transmission activity as the determining factor in resolving the question of whether licensure is required.

Does not adopt virtual currency provisions

The new law did not adopt the virtual currency provisions of the model act. Opinions posted on the division’s website clarify that entities involved in virtual currency transactions, such as exchanges or kiosks, may not require a foreign transmittal agency license if their activities do not involve transmitting funds to foreign countries.

The division often concluded that these entities’ activities did not involve transmitting funds to foreign countries, which was the primary driver for requiring such a license. The division’s conclusions are based on the specific facts presented in each case, and different facts may lead to different outcomes. As Massachusetts begins regulating domestic transactions, it remains unclear whether the new law will be interpreted to apply to virtual currency transactions.

Impact on Current Licensees

Licenses obtained under the current law will remain in effect, but renewals for the year 2026 and after will need to be filed in accordance with the new law.

Existing licensees will need to comply with the requirements in the new law, including maintaining a surety bond, permissible investments, and meeting the tangible net worth requirements.

Effective Date

New laws take effect in Massachusetts 90 days after the governor signs the law, unless the new law is an emergency law or pertains to certain matters excluded under the Massachusetts Constitution, making the effective date of the new law April 1, 2025. The new law states that the majority of its requirements will take effect January 1, 2026. Persons engaged in money transmission in Massachusetts that are required under the new law to obtain licensure must file an application for licensure by June 1, 2026 and may continue their activities while their application is pending until the application has been approved, withdrawn, or denied.

Model Act Adoption Landscape

Many states have adopted the model act either wholly or in part since the CSBS approved the model act in 2021. These states include:

  • Arizona
  • Arkansas
  • California
  • Connecticut
  • Georgia
  • Hawaii
  • Illinois
  • Indiana
  • Iowa
  • Kansas
  • Maine
  • Maryland
  • Massachusetts
  • Minnesota
  • Missouri
  • Nevada
  • New Hampshire
  • North Dakota
  • South Carolina
  • South Dakota
  • Tennessee
  • Texas
  • Vermont
  • West Virginia
  • Wisconsin

States’ Partial Adoptions of the Model Act

The model act regulates money transmission by establishing licensing, financial security, and reporting requirements and includes exemptions for certain entity types. While the goal of the model act was harmonization in the money transmission industry, states have not uniformly adopted the model act, with some choosing to adopt only certain provisions and others choosing to exempt activities the model act defines as licensable.

One exemption that has seen inconsistent adoption is that of payroll processing services, with some states expressly exempting payroll processors, other states choosing to be silent on whether payroll processing services constitute money transmission, and a third approach, such as that taken in Iowa, where the state adopted an “agent of the payor” exemption that applies to payroll processing.

Additionally, the model act provides an option for states to impose uniform licensing and disclosure requirements on virtual currency business activity. Only a few states, including Maine and Minnesota, have opted to include the model act’s virtual currency provisions. Other states are continuing to regulate virtual currency activity either through new licensing regimes or through regulatory interpretations of their money transmission laws.

Despite improved alignment between the states, companies engaging or seeking to engage in money transmission activities must continue managing compliance individually for each state.

2025 Adoptions of the Model Act

Massachusetts is the latest state to regulate domestic money transmission. Nearly half the states that have adopted at least part of the model act did so in 2024. We anticipate momentum in adoption of the model act will continue this year. Some states, including Alaska, Idaho, and Virginia, have pending legislation to address whether the state will also adopt a form of the model act later in the year.

We further note that while states are continuing to consider adopting the model act, Kansas, South Carolina, and Wisconsin each have new money transmission laws based on the model act that went into effect January 1, 2025.

Originally published January 22, 2025.

You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.

If you have any questions, or would like additional information, please contact one of the attorneys on our Financial Services team.

Financial Services Advisory: CFPB Finalizes Open Banking Rule on Consumer Financial Data Rights

By , ,

Executive Summary
8 Minute Read

Our Financial Services Group unpacks the Consumer Financial Protection Bureau’s final rule on consumer financial data rights under Section 1033 of the Dodd–Frank Act.

  • The rule requires “data providers” to provide consumers and authorized third parties, upon request, with access to certain consumer financial data
  • “Data providers” include Regulation E banks and credit unions, Regulation Z card issuers, payment facilitators, and digital-wallet providers
  • Compliance deadlines are staggered based on institution size, with an exclusion for financial institutions with less than $850 million in assets

_______________________________________________________________

On October 22, 2024, the Consumer Financial Protection Bureau (CFPB) finalized its rule on personal financial data rights under Section 1033 of the Dodd–Frank Wall Street Reform and Consumer Protection Act. Known as the “open banking rule,” it permits consumers to access, control, and share their financial data with authorized third parties. The rule creates a significant shift in control over consumer data in the United States, and it is intended to provide consumers with greater control over financial data, foster competition, and stimulate innovation across the financial services industry. The rule applies broadly to banks, credit unions, and nonbank financial institutions, all of which must make consumer financial data available upon authorized request.

Key Provisions

The rule requires a “data provider” to make available, without charge, “covered data” about consumer financial products and services to consumers and certain “authorized third parties,” in electronic form, upon request by the consumer. The rule requires the provision of such data in standardized, machine-readable formats to promote consistency between financial institutions and third parties. The CFPB will name standard-setting bodies to develop consensus standards to assess compliance with the rule.

Who is a “data provider”?

The CFPB has said its definition of “data provider” will continue to evolve, but it has prioritized financial institutions and card issuers. The rule defines a “data provider” as:

  • A financial institution – that is, a bank or credit union – as defined in Regulation E, 12 CFR 1005.2(i), excluding those with less than $850 million in assets.
  • A card issuer as defined in Regulation Z, 12 CFR 1026.2(a)(7), including buy now/pay later providers.
  • Any other person that “controls or possesses information concerning a covered consumer financial product or service that the consumer obtained” from that person, including providers offering payment facilitation products and services such as digital-wallet providers.

What is “covered data”?

The rule defines “covered data” as essential consumer financial information, including:

  • At least 24 months of transaction information in the control or possession of the data provider.
  • Account balance information.
  • Information to initiate payment to or from a Regulation E account directly or indirectly held by the data provider, including an account and routing number that can be used to initiate an Automated Clearing House transaction.
  • Terms and conditions, or agreements evidencing the terms of the legal obligation between a data provider and a consumer for a covered consumer financial product or service, including pricing information such as APRs and other pricing terms.
  • Upcoming bill payment information.
  • Basic information needed for account verification, limited to name, address, email address, and phone number associated with the covered consumer financial product or service.

Data providers will not have to provide confidential commercial information, including proprietary algorithms that might be used to derive credit or risk scores and information that is used solely for the purpose of fraud detection, money laundering, or other unlawful behavior.

Who is an “authorized third party”?

Fintech apps and data aggregators that offer services to consumers using their data are included as third parties. Authorized sharing with these entities must be based on informed consent that is to be renewed annually.

  • A “third party” means any person that is not the consumer about whom the covered data pertains or the data provider that controls or possesses the consumer’s covered data.
  • To access a consumer’s data, the third party must (1) provide the consumer with an authorization disclosure containing key terms of the data access; (2) provide a statement to the consumer in the authorization disclosure certifying that the third party agrees to obligations set forth in the final rule; and (3) obtain the consumer’s express informed consent to access covered data on behalf of the consumer by obtaining an authorization disclosure that is signed by the consumer electronically or in writing.
  • Third parties are limited in the collection, use, and retention of covered data to what is “reasonably necessary” to provide a product or service to a customer. Use of the data for targeted advertising, cross-selling of other products or services, or the sale of covered data are prohibited.

Stakeholder Perspectives and Compliance Considerations

Reactions to the final rule have been split. Consumer advocates have voiced support for the rule and the empowerment of consumers to control how and where their data can be used, as well as the ability to switch banks more easily. Just hours after the final rule was released, however, the Bank Policy Institute, the Kentucky Bankers Association, and Forcht Bank, a community bank in Kentucky, filed a joint lawsuit in the Eastern District of Kentucky requesting injunctive relief. The plaintiffs allege that the CFPB overstepped its statutory authority (in that Section 1033 relates to a consumer’s right to access their own information and does not speak to access by authorized third parties) and will expose banks to unreasonable liability risk. Forcing banks to share customers’ sensitive financial information while handcuffing banks from managing the risks of doing so, they allege, will increase fraud and the misuse of customer data.

Some of this concern stems from the allocation of responsibility for data security and accountability in the rule. It allows that data providers can deny access to data, but only if the denial is (1) directly related to a specific risk of which the data provider is aware, such as a failure of a third party to maintain adequate data security; and (2) applied in a consistent and nondiscriminatory manner. Data providers must keep a record of when a consumer or third-party request is refused. In the event of a security breach, data providers must notify affected consumers and the CFPB promptly. Notably, the rule requires data providers to verify that third parties uphold data privacy and security standards, but it places limited regulatory obligations on third parties themselves, leaving accountability for data security largely with the data providers. Data providers argue that the rule essentially forces them to subsidize third-party access to consumer data without sharing the cost burden.

During the rule comment period, a range on commentators raised concerns about potential overlaps and compliance complexities with other existing consumer financial laws, and the CFPB has attempted to address those issues in the final rule. Many comments focused on the need for clarity on how the rule interacts with laws such as the Electronic Fund Transfer Act (EFTA), Fair Credit Reporting Act (FCRA), and Gramm–Leach–Bliley Act (GLBA).

  • In comments before the final rule, data providers requested that the CFPB extend the Regulation E error resolution requirements to third parties such as data aggregators. The CFPB reasoned, however, that consumers should address these concerns with their primary financial institution, in line with statutory error resolution rights under the EFTA. Furthermore, data providers and third parties that are Regulation E financial institutions will continue to have error resolution obligations in the event of data breaches.
  • During the comment period to the final rule, there was concern that it would expand FCRA compliance. In the final rule, the CFPB clarified that data providers sharing information at the consumer’s request “does not cause data aggregators to incur legal liability under the FCRA that they would not otherwise assume through their ordinary operations” and would not “alter the types of data, parties, or permissible purposes covered by the FCRA.”
  • Some commentors asked how the rule’s data limitations align with GLBA permissions. The CFPB states Section 1033’s data sharing requirements coexist with GLBA but do not override or replace its mandates, maintaining distinct protections under each law.

Compliance Tiers and Timeline

The rule provides compliance deadlines that are staggered based on institution size:

  • First Tier: Depository institution data providers that hold at least $250 billion in total assets and nondepository institution data providers that generated at least $10 billion in total receipts in either calendar year 2023 or calendar year 2024 must comply by April 1, 2026.
  • Second Tier: Depository institution data providers that hold at least $10 billion in total assets but less than $250 billion in total assets and nondepository institution data providers that generated less than $10 billion in total receipts in both calendar year 2023 and calendar year 2024 must comply by April 1, 2027.
  • Third Tier: Depository institution data providers that hold at least $3 billion in total assets but less than $10 billion in total assets must comply by April 1, 2028.
  • Fourth Tier: Depository institution data providers that hold at least $1.5 billion in total assets but less than $3 billion in total assets must comply by April 1, 2029.
  • Fifth Tier: Depository institution data providers that hold less than $1.5 billion in total assets but more than $850 million in total assets must comply by April 1, 2030.

Conclusion: Prioritizing Readiness

The CFPB’s Section 1033 rule represents a transformative shift in the U.S. financial regulatory landscape, centering consumer control over data rights and driving the industry to an open banking model. Fintech advocates view it as an essential step towards consumer empowerment, while banks and credit unions warn of risks to data security and have liability concerns. Even as the CFPB begins assessing applications for standard-setting bodies, legal and compliance teams from institutions and fintech companies alike should begin to look ahead, with a focus on data security, potential contractual updates with third parties, and regulatory alignment.

Originally published November 22, 2024.

You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.

If you have any questions, or would like additional information, please contact one of the attorneys on our Financial Services Team.

Financial Services Advisory: The UK Introduces a New Reimbursement and Compliance Monitoring Regime for Authorised Push Payment Scams

By ,

Our UK Financial Services Group examine the UK’s new mandatory reimbursement rules that will require payment service providers (PSPs) to reimburse victims of scam transactions.

  • The new rules will apply to all PSPs that participate in CHAPS and the Faster Payments Scheme and that operate ‘relevant accounts’
  • Consumers still have a responsibility to exercise caution before claiming a reimbursement, but PSPs will now have to be more vigilant when processing authorised push payments
  • Under the new requirements, PSPs could be required to reimburse consumers up to £85,000 per scam claim, consistent with the Financial Services Compensation Scheme reimbursement limit

___________________________________________________________________________

Payment service providers that participate in the Faster Payment Scheme in the UK and make payments on behalf of consumers from UK accounts will soon be subject to the Faster Payments Scheme Reimbursement Rules. The rules will require (subject to certain exceptions) payment services providers that send or receive funds on behalf of consumers to reimburse consumers when the payment was authorised by the consumer as a result of a scam.

The rules come into force on 7 October 2024, so payment service providers that participate in the Faster Payment Scheme must ensure that they are prepared. In addition to registering with the Faster Payments Operator, in-scope payment service providers must ensure that they have the relevant procedures and practices in place to monitor for scam transactions through the Faster Payments Scheme to avoid having to reimburse victims for scam transactions.

Authorised push payment (APP) scams happen when a person uses a fraudulent or dishonest course of conduct to manipulate, deceive, or persuade someone into sending money to an account outside their control.

With the aim of identifying and reducing the number of APP scams, the Financial Services and Markets Act 2023 (FSMA 2023) placed a statutory obligation on the UK Payment Systems Regulator (PSR) to introduce a Reimbursement Requirement for APP scam payments made over the Faster Payments Scheme (FPS) given that the PSR has oversight over payment systems in the UK (as opposed to payment services which are regulated by the Financial Conduct Authority).

The PSR decided to implement a policy that requires APP scam victims to be reimbursed by payment service providers (PSPs) because they provide services that enable the transfer of funds using the FPS. This is known as the FPS Reimbursement Requirement. The PSR decided to implement this policy by requiring the Faster Payments Operator to put the FPS Reimbursement Requirement into the Faster Payments Scheme rules. The resulting rules are known as the FPS Reimbursement Rules and will come into effect on 7 October 2024.

Application
The new FPS Reimbursement Requirement will apply to all PSPs that directly or indirectly participate in the Faster Payments Scheme and that operate ‘relevant accounts’, which are accounts that are held in the UK and can send or receive payments using the FPS, but they do not include accounts provided by credit unions, municipal banks, and national savings banks.
The FPS Reimbursement Requirements only apply to FPS APP scam payments, which are fraudulent or dishonest acts or courses of conduct to manipulate, deceive, or persuade a consumer into transferring funds from the consumer’s relevant account to a relevant account not controlled by the consumer, if:

  • The transfer is executed through the FPS.
  • The recipient is not who the consumer intended to pay.
  • The payment is not for the purpose the consumer intended.

A consumer who has made one or more FPS APP scam payments is defined as a ‘victim’. Note that for these purposes, consumer includes micro-enterprises and charities.

FPS Reimbursement Requirement
The FPS Reimbursement Requirement requires a ‘sending PSP’ (the PSP that operates the account from which the FPS APP scam payment was made) to reimburse the victim of an FPS APP scam payment, subject to certain exceptions.

Reimbursable FPS APP Scam
An FPS APP scam is only reimbursable if the sending PSP determines that:

  • The Consumer Standard of Caution Exception does not apply or the victim was a vulnerable consumer when the APP scam payment was authorised.
  • The victim is not party to the fraud.
  • The victim is not claiming fraudulently or dishonestly.
  • The victim is not claiming for an amount which is the subject of a private civil dispute.
  • The victim is not claiming for an amount which the victim paid for an unlawful purpose.

Exceptions to the Reimbursement Requirement
PSPs are not required to reimburse an FPS APP scam payment when the Consumer Standard of Caution applies. The Consumer Standard of Caution Exception applies when a sending PSP can demonstrate that a consumer who has made an FPS APP scam claim has, as a result of gross negligence, not complied with one or more of the following standards (the Consumer Standard of Caution):

  • The consumer should have regard to any intervention made by their sending PSP or a competent national authority (CNA).
  • The consumer should, upon learning or suspecting that they have fallen victim to an APP scam, report the FPS APP scam claim promptly to their sending PSP.
  • The consumer should respond to any reasonable and proportionate requests for information made by their sending PSP.
  • The consumer should, after making an FPS APP scam claim, consent to the sending PSP reporting to the police on the consumer’s behalf or request they directly report the details of an APP scam to a CNA.

Note that the Consumer Standard of Caution Exception does not apply if the victim was a vulnerable consumer when they made at least one of the FPS APP scam payments in the FPS APP scam claim and this had a material impact on their ability to protect themselves from the scam.

Guidance on what is a ‘vulnerable customer’ is set out in the Financial Conduct Authority ‘Guidance for firms on the fair treatment of vulnerable customers’, which states that all customers are at risk of becoming vulnerable and this risk is increased by characteristics of vulnerability related to four key drivers:

  • Health – health conditions or illnesses that affect the ability to carry out day-to-day tasks.
  • Life events – life events such as bereavement, job loss, or relationship breakdown.
  • Resilience – low ability to withstand financial or emotional shocks.
  • Capability – low knowledge of financial matters, low confidence in managing money (financial capability), or low capability in other relevant areas such as literacy or digital skills.

The guidance also provides specific examples.

In its consultation paper, the PSR describes ‘gross negligence’ as a ‘very high bar which will critically depend on the individual circumstances of each case’. It interprets gross negligence to be ‘a higher standard than the standard of negligence under common law’, with the consumer having to have shown a ‘very significant degree of carelessness’.

Time Limits to Claim Reimbursement
PSPs are not required to reimburse FPS APP scam payments reported more than 13 months after the date of the final FPS APP scam payment of the claim (consistent with the timeframes for reimbursement for unauthorised payments under the Payment Services Regulations 2017) or FPS APP scam payments that occurred before 7 October 2024.

Maximum Amount of Reimbursement
PSPs are not required to reimburse APP scam victims above the maximum level of reimbursement, even if the consumer was assessed as vulnerable. The PSR had previously set the maximum level at £415,000 in line with the Financial Ombudsman maximum reimbursement limit. However, after a brief consultation, the PSR recently decided to lower this amount to £85,000 per FPS APP scam claim, in line with the maximum level of reimbursement set under the Financial Services Compensation Scheme.

Assessment of FPS APP Scams
Once a sending PSP receives a reported FPS APP scam, the sending PSP must notify the receiving PSP (the PSP providing the relevant account into which APP scam payments are received) within two hours of the claim being reported. The receiving PSP then has the opportunity to respond to the sending PSP with any information it believes to be relevant to the FPS APP scam claim, up to a maximum of three business days after the notification from the sending PSP of the claim being raised.

The sending PSP cannot complete its assessment of the FPS APP scam claim until either the opportunity to respond has elapsed or all receiving PSPs have responded to the notification.

Payment of the Reimbursable Amount
If the sending PSP determines that the reported FPS APP scam payments are reimbursable, it must pay the reimbursable amount to the victim of the scam within five business days of the claim being raised.
Sending PSPs may pause the five-business-day reimbursement timescale by using the ‘stop the clock provision’ only when it has requested further information to assess the reported FPS APP scam claim. However, in any case, the sending PSP must complete the assessment, decide whether the FPS APP scam claim is to be reimbursed or not, and close the claim before the end of the thirty-fifth business day following the reporting of the FPS APP scam claim.

Excess
The sending PSP may apply a single claim excess to each FPS APP scam claim, up to the maximum claim excess value set by the PSR (£100). However, sending PSPs may not apply an excess if the victim was a vulnerable consumer.

Payment of the Reimbursable Contribution Amount
Once a sending PSP has paid the reimbursable amount to the victim of the FPS APP scam, then the reimbursable contribution amount shall become payable by the receiving PSP. The result is that both sending PSPs and receiving PSPs must be vigilant when processing payments through the Faster Payments Scheme.

The reimbursable contribution amount owed by the receiving PSP to the sending PSP is half the reimbursable amount and would be proportioned if there is more than one receiving PSP. The reimbursable contribution amount is payable within five business days following notice from the sending PSP.

Key Milestones
The FPS Reimbursement Rules set out certain key milestones:

  • By 20 August 2024, all in-scope PSPs must have registered with the Faster Payments Operator for the purposes of identification within the FPS reimbursement directory, reporting data, and compliance monitoring and management.
  • By 20 September 2024, all in-scope PSPs must have been onboarded to the Reimbursement Claims Management System (RCMS) Core for the purposes of accessing the FPS reimbursement directory, reporting data, and compliance monitoring and management.
  • From the proposed date of 1 May 2025, all in-scope PSPs must be onboarded to the RCMS Core + Claims and using the system to complete all actions required of them as defined by the FPS Reimbursement Rules to manage FPS APP scam claims, communicate with PSPs about FPS APP scam claims, and comply with the information collation, retention, and provision obligations.

Extension to CHAPS Payments
The Bank of England, as the operator of CHAPS, also published its draft of the CHAPS Reimbursement Rules in May 2024 and updated them in August 2024.

The intention of the new requirements is to mirror the protections set to be afforded to victims of APP scams who lose money via the FPS and to provide consistent outcomes, as well as consistent processes for firms, across both payment systems.

The PSR also published a policy statement and Specific Direction 21 on 6 September 2024. The Specific Direction requires banks and other PSPs participating in CHAPS to comply with the Bank of England’s new CHAPS Reimbursement Rules. It also confirmed that the CHAPS Reimbursement Rules will also come into force on 7 October 2024 in line with the FPS Reimbursement Requirements.

Originally published October 2, 2024.

You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.

If you have any questions, or would like additional information, please contact one of the attorneys on our Financial Services Team.

Financial Services / Antitrust Advisory: FDIC, OCC, and DOJ Update Guidance on Bank Merger Evaluations

By , , ,

Executive Summary
12 Minute Read
Last week, each of the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Department of Justice Antitrust Division (DOJ) revised how they will review bank mergers. Our Financial Services and Antitrust teams highlight what banks considering mergers should know about the changes.

  • Bank Merger Act (BMA) filers should anticipate increased scrutiny and a broader analysis from the FDIC, OCC, and DOJ
  • Competitive-effects considerations will extend beyond deposit concentrations to nontraditional sources of competition, although the FDIC stopped short of considering certain nonbank competition, such as fintechs
  • BMA filers should underscore their proposed merger’s net positive impact on the convenience and needs of the community
  • The FDIC has expanded its interpretation of the BMA to encompass transactions that would not have previously required a filing
  • The Board of Governors of the Federal Reserve System, the third primary federal banking regulator, did not release updated guidelines

______________________________________________________________________

On September 17, 2024, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Department of Justice Antitrust Division (DOJ) each adopted revised approaches to their reviews of bank mergers.

In separate releases, the FDIC and OCC updated and expanded their existing guidance, signaling more in-depth, holistic strategies in evaluating mergers involving insured depository institutions (IDIs) under the Bank Merger Act (BMA). The OCC simultaneously adopted a final rule eliminating its expedited review and streamlined application processes for certain bank merger applications. The DOJ, which plays a complementary role in the banking regulators’ analysis of anticompetitive effects, likewise updated its competitive-effects guidelines for reviewing mergers under the BMA and the Bank Holding Company Act of 1956 (BHC Act).

The FDIC’s final policy statement on bank merger transactions supersedes its existing policy statement first published in 1997 and last revised in 2008. In a coordinated effort, the OCC’s final rule and policy statement on business combinations amended its procedures for reviewing applications under the BMA and provides guidance for its review process. Meanwhile, the DOJ withdrew from its 1995 bank merger guidelines, opting instead to evaluate bank mergers using the general 2023 merger guidelines applicable to other industries, as described in a newly issued 2024 banking addendum to the 2023 merger guidelines.

The Board of Governors of the Federal Reserve System, which also evaluates merger applications under the BMA and the BHC Act, did not participate in this coordinated undertaking or otherwise publicly alter its existing precedent-based approach.

The DOJ will apply its standard merger analysis to all transactions subject to the BMA and the BHC Act, whereas the banking regulators’ releases apply only to mergers under the BMA. The policy statement by the FDIC, the primary federal regulator for state-chartered IDIs that are not members of the Federal Reserve System, will apply only to such IDIs. Under the updated guidance, however, FDIC-regulated institutions will now need to notify the FDIC of a broader range of transactions, including acquisitions of nonbanking assets or entities that did not previously merit a filing. While not all such transactions will require a formal BMA application, the FDIC will now determine whether such transactions constitute a “merger in substance” on a case-by-case basis. The OCC’s final rule will apply only to those institutions under its supervision, i.e., national banks and federal savings associations.

The change to the DOJ’s process became effective upon its release. The FDIC’s policy statement will take effect 30 days after its publication in the Federal Register. The OCC’s final rule will become effective on January 1, 2025.

How Will the FDIC’s, OCC’s, and DOJ’s Revised Policies Impact Merger Reviews? 

In assessing an application under the BMA, federal banking regulators have long had to consider, among other things: (1) the transaction’s monopolistic or anticompetitive effects; (2) the institutions’ financial and managerial resources and future prospects; (3) the convenience and needs of the community to be served; (4) the risk to the stability of the U.S. banking or financial system; and (5) the effectiveness of combating money laundering activities. However, banking regulators have discretion in interpreting and applying the factors. In the FDIC’s policy statement and the OCC’s final rule, the regulators clarified how they intend to construe those factors going forward.

While the DOJ technically retains the ability to independently challenge bank mergers, it has rarely done so. However, banking regulators are required to consider the DOJ’s assessment of the monopolistic or anticompetitive effects. Following its review, the DOJ’s views are provided to bank regulators in a nonpublic competitive-factors report. For many years, the DOJ conducted this analysis under the 1995 bank merger guidelines. After withdrawing from those guidelines, the DOJ will now use the same standards and theories of harm it applies to other industries, as explained by a clarifying banking-specific addendum.

Monopolistic or anticompetitive effects

Under the 1995 bank merger guidelines, the DOJ and the federal banking regulators focused primarily on commercial bank deposit concentrations of the geographic markets in which the transaction parties operated and how the proposed combination would affect the same. The DOJ, FDIC, and OCC have each indicated a move to a more multifactored approach, considering additional products and sources of competition, including nontraditional sources of competition. In prior public statements discussing the need to revisit its guidance on bank merger reviews, the DOJ had cited changes in the banking system, including “the popularization of interstate banking, financial conglomeration, online and mobile banking, and the digital transformation of the economy.”

Issued in late 2023 and substantially broader and more complex than the 1995 bank merger guidelines, the DOJ’s 2023 merger guidelines provide a robust framework with which to assess proposed mergers. The DOJ’s 2024 banking addendum highlights a number of 2023 guidelines that the DOJ views as particularly relevant to IDI mergers. For example, the addendum emphasizes those guidelines that describe the DOJ’s approach to transactions involving vertical integration, a pattern or series of acquisitions by the same buyer, and deals involving multisided platforms.

The FDIC stated that it will look at all relevant geographic markets (local, regional, and national) based on where the merging entities operate, consider all relevant market participants and their total deposits, and consider the size and competitive effects of the resulting IDI. Both the FDIC and OCC clarified that this factor is considered in combination with the convenience and needs of the community. The FDIC elaborated that this balancing may be particularly relevant in rural communities, where the needs of the community may outweigh interests in increased competition. The FDIC also expanded its competition analysis to consider credit unions, thrifts, and Farm Credit System institutions, though it declined industry participants’ requests to include fintechs and other nonbank financial services companies.

The OCC did not provide further detail on how it will evaluate competition factors, citing the complexity of the competition factor review and the involvement of the DOJ in its deliberations.

Financial resources, managerial resources, and future prospects

The FDIC separately addresses the considerations relevant to the BMA’s financial-resources, managerial-resources, and future-prospects criteria. In addition to an individual review of each of the foregoing factors, the OCC also considers all three in combination, noting their relatedness. In particular, the OCC looks at these factors in the context of the economic and operating environment and in light of the size, complexity, and risk of the institutions (a sentiment echoed by the FDIC). The OCC is less likely to approve a transaction when the resulting IDI would be less than adequate in any of these three categories. Moreover, the OCC will consider whether the acquiring institution has experienced rapid growth, a factor also considered by the FDIC, or has engaged in multiple acquisitions with overlapping integration periods, and how that may impact these factors.

Financial Resources. Achieving a resulting IDI with less financial risk than that posed by the institutions individually underpins the FDIC’s financial resources considerations. The FDIC walked back its original use of “weaker” in response to comments so as not to dissuade financially sound IDIs from acquiring less-stable institutions. Unsurprisingly, both the FDIC and OCC emphasized the resulting institution’s ability to meet capital standards. Notably, the FDIC also reiterated its ability to condition approval upon entry into written agreements specifying enhanced capital requirements.

Managerial Resources. The FDIC and OCC each dedicated substantial attention to the managerial-resources factor. Both regulators will look to management’s perceived ability to integrate the IDIs and, at a structural level, the IDIs’ compliance management systems. Among other considerations, the FDIC will evaluate the proposed management’s existing responsiveness to regulatory questions, its record of managing and overseeing rapid growth, and individuals’ backgrounds and experience (including the performance and supervisory records of IDIs in which they’ve played a role). The FDIC will also specifically consider consumer compliance ratings and Community Reinvestment Act (CRA) ratings, along with the performance of parent companies and their ability to provide support. The OCC emphasized due diligence to assess the target’s weaknesses and an analysis of the acquirer’s ability to offset such weaknesses.

Future Prospects. The FDIC and OCC will consider both internal and external factors. The FDIC will look closely at any changes being made to the resulting IDI, including to its operations, products, and services, whereas the OCC cited management’s ability to implement the resulting institution’s business plan as an important consideration. Both regulators will study the acquirer’s historical performance integrating merger targets. Both regulators will also evaluate the existing economic environment and competitive landscape.

Convenience and needs of the community

The FDIC and OCC provided additional insight into how they expect applicants to address the proposed merger’s impact on the convenience and needs of the community. Perhaps the most significant development is the FDIC’s analysis of whether an application can demonstrate that the resulting institution will better meet the convenience and needs of the community, including the filer’s commitment to doing so. While the OCC focused less on the resulting institution’s improvement in meeting the convenience and needs of the community, it notes a net positive impact is likely to satisfy this factor. Both the FDIC and OCC expect filers to provide specific examples of how the transaction will benefit the community, such as greater access to products and services, and reduced prices and fees. Both regulators emphasized consideration of the transaction’s impact on low- and moderate-income communities and will evaluate historical CRA ratings. Branch expansions, closings, and consolidations during the three years following the merger will play a role in the FDIC’s and the OCC’s analyses. The OCC also independently considers factors such as job losses and opportunities and efforts to support affordable housing initiatives.

Public input remains important because both regulators recognized the potential for public hearings and the need to consider public commentary when evaluating whether to hold a hearing. The FDIC will now presumptively require public hearings for transactions resulting in an institution with $50 billion or more in consolidated assets. Unlike the FDIC, the OCC did not adopt deal-size thresholds for presumptive hearings; instead, the OCC “will balance the public’s interest in the transaction with the value or harm of a public meeting to the decision-making process.”

Financial stability

When considering a post-merger institution’s risk to the stability of the market, the FDIC and OCC evaluate the size of the entities involved, the availability of substitute providers, the post-merger institution’s contributions to the complexity of the financial system, and the extent of cross-border activities. Both regulators will continue to analyze the institutions’ interconnectedness with the U.S. banking system. The OCC separately emphasized its consideration of the degree of difficulty of winding up the post-merger institution’s business in the event of failure or insolvency.

While the FDIC was careful to note that size alone is not dispositive, it adopted a $100 billion threshold, above which institutions will receive heightened scrutiny and can expect greater processing times. The FDIC stopped short of defining “additional scrutiny,” but noted such transactions are likely to involve additional information requests and more frequent communications with both regulators and community members. The OCC retained existing heightened standards for transactions resulting in an institution with consolidated assets of $50 billion or more and elected to not alter that threshold. The OCC also reinforced its ability to impose conditions on the approval of a merger posing financial stability risks, such as requiring asset divestitures or setting minimum capital requirements.

Combating money laundering activities

The FDIC expects that post-merger IDIs will implement effective programs to combat money laundering and the financing of terrorism. To determine this, the FDIC evaluates each institution’s general policies, procedures, and processes; anti-money laundering and counter-the-financing-of-terrorism programs; risk management programs; compliance with the Bank Secrecy Act; and remediation efforts pursuant to an outstanding corrective program. The OCC did not expand upon its policies for combating money laundering activities in its policy statement but did state that any open or pending anti-money laundering actions raised concerns for approving the merger.

How Will the OCC’s Final Rule Affect BMA Filers?

The OCC’s final rule and policy statement eliminated the streamlined application and expedited review provisions under Part 5 of Title 12 of the Code of Federal Regulations. The OCC historically accepted a “streamlined” BMA application under Section 5.33(j), which avoided open-ended prompts in favor of discrete questions. Filers eligible to file a streamlined application, along with transactions deemed a business reorganization, were subject to expedited review under Section 5.33(i), which deemed a filing approved on the fifteenth day after the applicable comment period expires (absent action to the contrary). The OCC does not expect this change to significantly alter the filing burden or timeline because, inter alia, it historically takes action on eligible filings within the 15-day expedited-review period.

The FDIC, which did not previously have a streamlined application option, has retained its unique expedited processing mechanism.

Final Thoughts and Key Takeaways

  • Though not an overhaul of its existing approach, filers should expect heightened scrutiny of proposed mergers from the FDIC, OCC, and DOJ.
  • The FDIC and OCC’s “new” considerations are consistent with our experience in seeking approval of transactions under the BMA.
  • Potential BMA filers should be cautious to infer a lack of interagency coordination from the Federal Reserve, which often prefers to rely on precedent than to issue guidance and is responsible for reviewing mergers under the BMA and BHC Act.
  • By announcing that it will apply its general 2023 merger guidelines to banking transactions, the DOJ has signaled that it intends to consider a broader range of competition theories and concerns when performing its competition review of bank deals.

Originally published September 26, 2024.

You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.

If you have any questions, or would like additional information, please contact one of the attorneys on our Financial Services Team or one of the attorneys on our Antitrust Team.

Financial Services Advisory: FDIC Proposes Rule to Establish Custodial Account Recordkeeping Requirements

By ,

Executive Summary
6 Minute Read

Our Financial Services Team studies the Federal Deposit Insurance Corporation’s plans to require insured depository institutions (IDIs) to keep specific records so that they know the actual owner of deposits placed by fintechs and BaaS providers.

  • IDIs would be required to implement internal controls over the covered accounts
  • IDIs would be permitted to contract with a third party to assist in meeting the recordkeeping requirements
  • Comments on the proposed rule are due 60 after it’s published in the Federal Register

_____________________________________________________________________________

On September 17, 2024, the Federal Deposit Insurance Corporation (FDIC) issued a notice of proposed rulemaking (NPRM), Recordkeeping for Custodial Accounts, that would establish new recordkeeping requirements for insured depository institutions (IDIs) about certain custodial accounts that are often used by financial technology companies and banking as a service (BaaS) providers to hold their customers’ deposits and facilitate transactions. The NPRM appears to be a direct response to the May 2024 collapse of Synapse Financial Technologies, a fintech provider that maintained custodial transaction accounts for end-users. Synapse, former FDIC Chair Jelena McWilliams as bankruptcy trustee for Synapse, and certain partner banks have been unable to reconcile the actual amount of funds in the custodial accounts with existing records related to those accounts, restricting end-users’ access to the funds.

The NPRM refers to the accounts it covers as “custodial deposit accounts with transactional features,” defined as “deposit account[s]: (1) [e]stablished for the benefit of beneficial owners; (2) [i]n which the deposits of multiple beneficial owners are commingled; and (3) [t]hrough which beneficial owner(s) may authorize or direct a transfer through the account holder from the custodial deposit account to a party other than the account holder or beneficial owner.”

Specifically, for each nonexempt covered account, the proposed rule would require IDIs to maintain records in a prescribed format of account ownership, beneficial ownership, ownership right and capacity (e.g., single account, trust account, business account), current balances, and accrued interest balances. Each IDI that holds nonexempt covered accounts would be required to implement internal controls appropriate to its size and the nature, scope, and risk of its activities related to those covered accounts, including by maintaining accurate balances at the beneficial ownership level and reconciling account balances at the close of each business day.

The NPRM would permit IDIs to contract with a third party (e.g., a fintech or BaaS provider that established the covered account) to “assist the [IDI] in meeting” the recordkeeping requirements of the proposed rule. The IDI must:

  • Have direct, continuous, and unrestricted access to the records maintained by the third party, even in the event of the third party’s business interruption, insolvency, or bankruptcy.
  • Have a continuity plan and technical capabilities to ensure compliance with the NPRM, including backup recordkeeping capabilities.
  • Implement internal controls to accurately determine and daily reconcile the beneficial ownership of covered accounts.
  • Have a contractual relationship with the third party that:
    • Clearly defines roles and responsibilities for recordkeeping, including by assigning to the IDI the third party’s rights to access data held by other parties.
    • Requires the third party to implement internal controls that would be required of the IDI if the IDI were performing the outsourced function.
    • Requires a periodic, but not less than annual, validation by an independent third party to assess and verify that the third party is maintaining accurate and complete records consistent with the provisions of the proposed rule.
    • Does not relieve the IDI of its responsibilities under the proposed rule.

The proposed rule would exempt certain covered accounts from its requirements, including: (1) accounts holding only trust deposits; (2) accounts established by a government depositor; (3) accounts established by or on behalf of one or more brokers, dealers, or investment advisers; (4) interest on lawyers trust accounts; (5) accounts held in connection with an employee benefit plan or retirement plan; (6) accounts maintained in connection with a real estate transaction; (7) accounts maintained by a mortgage servicer in a custodial or other fiduciary capacity; (8) accounts that are prohibited by federal or state law to disclose the identities of the beneficial owners of the deposits; (9) accounts maintained through deposit placement or reciprocal networks for purposes other than payment transactions; (10) accounts holding security deposits for homeownership associations governed by state law; and (11) accounts holding security deposits tied to residential or commercial leasehold interests.

IDIs holding nonexempt covered accounts would be required to establish and maintain written policies and procedures to achieve compliance with the proposed rule and annually certify compliance with the proposed rule to the IDI’s FDIC regional or area office and the appropriate federal banking agency. Further, these IDIs would be required to submit a report to the IDI’s FDIC regional or area office and the appropriate federal banking agency a description of any material changes to the IDI’s information technology systems; a list of account holders that maintain nonexempt covered accounts at the IDI, the total balance of these accounts, and total number of beneficial owners of these accounts; the results of the IDI’s periodic recordkeeping compliance testing; and the results of the independent validations of records maintained by third parties.

Violations of the proposed rule would be subject to enforcement actions under Section 8 of the Federal Deposit Insurance Act and potential termination of the offending IDI’s deposit insurance.

In an accompanying press release, FDIC Chair Martin Gruenberg stated that the proposed rule “is an important step to ensure that banks know the actual owner of deposits placed in a bank by a third party such as Synapse, whether the deposit has actually been placed in the banks, and that the banks are able to provide the depositor their funds even if the third party fails” that would “strengthen the FDIC’s ability to make deposit insurance determinations” and “strengthen compliance with anti-money laundering and countering the finance of terrorism law.”

While the NPRM, if finalized as proposed, would facilitate FDIC administration of pass-through deposit insurance claims by end-users whose funds are held in custodial accounts, the main, practical impact of the rule would likely be that fintech companies and BaaS providers will need to develop recordkeeping and reporting obligations that satisfy explicit FDIC requirements – all under the close scrutiny of their IDI partners. We anticipate that IDIs that hold custodial accounts subject to a final rule as well as their fintech company and BaaS provider partners will need to implement considerable updates to technology systems, internal control practices, and their contractual arrangements to comply with these requirements.

The FDIC’s proposal follows revised rules governing FDIC deposit insurance coverage advertising and misrepresentation, a recent proposed rulemaking and request for information relating to brokered deposits, a July joint statement and request for information relating to bank–fintech arrangements, general third-party risk management guidance that federal agencies updated in 2023, and a handbook the agencies released earlier this year to assist community banks in implementing the guidance.

The FDIC is seeking comment on the NPRM.  Interested IDIs, fintech companies, and BaaS providers should review the NPRM and consider submitting comments. Comments on the NPRM are due 60 days after the proposed rule’s publication in the Federal Register.

Originally published September 24, 2024.

You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.

If you have any questions, or would like additional information, please contact one of the attorneys on our Financial Services Team.