Alston & Bird Consumer Finance Blog


California DFPI Digital Asset Lending Regulatory Year in Review

A&B ABstract:

In December of 2022 California released an interagency progress report (“Report”) analyzing the current regulatory status of Web3, Crypto Assets, and Blockchain. The report was prepared pursuant to Executive Order N-9-22 (the “Order”) issued by California Governor Gavin Newsome on May 4, 2022, which declared California’s intent to regulate blockchain, including crypto assets and related financial technologies, and directed California state agencies, including the Governor’s Office of Business and Economic Development (“GO-Biz”), the Government Operations Agency, the Business, Consumer Service and Housing Agency, and the Department of Financial Protection and Innovation (“DFPI”) to collect feedback from various stakeholders to understand the risks and explore opportunities for the state. The Order, among other directives, advises these California agencies, led by DFPI, in consultation with GO-Biz, to create a regulatory framework for crypto assets in coordination with federal and state authorities, with the goals of ensuring equity, regulatory clarity, consumer protection, innovation, and job growth. Although these new technologies present some novel questions, for entities engaging in lending backed by digital assets, the DFPI has made clear that the California Financing Law and similar regulatory burdens apply.

Current Registration Requirements

The Report follows earlier requests for public comment, including from the DFPI, which published a request for public comment (the “Request”) stating an intent to develop a comprehensive state regulatory framework for the offering of digital asset related financial products and services in California. Within the previous request for comment, the DFPI states that it possesses the authority to develop comprehensive regulations under the California Consumer Financial Protection Law (CCFPL), which authorizes the DFPI to “prescribe rules regarding registration requirements applicable to a covered person engaged in the business of offering or providing a consumer financial product or service.” Accordingly, the DFPI has put forth that it currently has the authority to require licensing and regulation of crypto asset-related financial products. In the Order issued by Governor Newsom “crypto assets” is defined as “a digital asset, which may be a medium of exchange, for which generation or ownership records are supported through a blockchain technology.” Given this backdrop, we can expect the DFPI to issue regulations without further legislative input.

Public Feedback

Responses to the request for comment and other opportunities to provide public input resulted in several key suggestions for regulation, including the following:

  • Provide regulatory clarity—including by basing regulations on specific types of activities, products, and services (rather than specific entities).
  • Harmonize with federal guidelines—including by modeling key terms and requirements on those used by federal regulators.
  • Avoid over-regulation—including by minimizing compliance costs.

CCFPL Regulation and Supervision

The Report states that DFPI has issued licenses to 10 crypto asset related companies that engage in lending activities under California financial licensing laws. Some make consumer loans that are secured by crypto assets, while others make commercial loans to crypto asset-related companies. In addition to licensing and other compliance activity, the Report further notes that enforcement actions were also underway. The highlighted enforcement actions within the report related to companies allegedly operating crypto deposit accounts that qualified as unregistered securities as well as investment schemes. The Report did not highlight any enforcement actions related to loans secured by crypto assets or other licensing violations.

However, on November 18, 2022 and November 22, 2022, the DFPI suspended California Financing Law licenses for two entities in connection with their crypto asset platforms. In both instances, the entities paused activity on their platforms. The investigation of one entity remains ongoing while the other entered into an agreement to pause collection of repayments and interest on loans belonging to California residents while its CFL License is suspended or as further agreed to between the DFPI and the entity.


While many aspects of Web3, Crypto Assets, and Blockchain regulation remain unclear, it is clear that those engaging in lending activities collateralized or otherwise related to such assets are regulated under the CCFPL and other California law, and must abide by the same strictures as any other lender.

CFPB Continues Scrutiny of Algorithmic Technology

On May 26, 2022 the Consumer Financial Protection Bureau released a Consumer Financial Protection Circular stating that creditors utilizing algorithmic tools in credit making decisions must provide “statements of specific reasons to applicants against whom adverse action is taken” pursuant to ECOA and Regulation B. The CFPB previously stated that circulars are policy statements meant to “provide guidance to other agencies with consumer financial protection responsibilities on how the CFPB intends to enforce federal consumer financial law.” The circular at issue posits that some complex algorithms amount to an uninterpretable “black-box,” that makes it difficult—if not impossible—to accurately identify the specific reasons for denying credit or taking other adverse actions. The CFPB concluded that “[a] creditor cannot justify noncompliance with ECOA and Regulation B’s requirements based on the mere fact that the technology it employs to evaluate applications is too complicated or opaque to understand.”

This most recent circular follows a proposal from the CFPB related to review of AI used in automated valuation models (“AVMs”). As we noted in our previous post on that topic, the CFPB stated that certain algorithmic systems could potentially run afoul of ECOA and implementing regulations (“Regulation B”). In that prior outline of proposals with respect to data input, the CFPB acknowledged that certain machine learning algorithms may often be too “opaque” for auditing. The CFPB further theorized that algorithmic models “can replicate historical patterns of discrimination or introduce new forms of discrimination because of the way a model is designed, implemented, and used.”

Pursuant to Regulation B, a statement of reasons for adverse action taken “must be specific and indicate the principal reason(s) for the adverse action. Statements that the adverse action was based on the creditor’s internal standards or policies or that the applicant, joint applicant, or similar party failed to achieve a qualifying score on the creditor’s credit scoring system are insufficient.” In the circular, the CFPB reiterated that, in utilizing model disclosure forms, “if the reasons listed on the forms are not the factors actually used, a creditor will not satisfy the notice requirement by simply checking the closest identifiable factor listed.” In another related advisory opinion, the CFPB earlier this month also asserted that the provisions of ECOA and Reg B applies not just to applicants for credit, but also to those who have already received credit. This position echoes the Bureau’s previous amicus brief on the same topic filed in John Fralish v. Bank of Am., N.A., nos. 21-2846(L), 21-2999 (7th Cir.). As a result, the CFPB asserts that ECOA requires lenders to provide “adverse action notices” to borrowers with existing credit. For example, the CFPB asserts that ECOA prohibits lenders from lowering the credit limit of certain borrowers’ accounts or subjecting certain borrowers to more aggressive collections practices on a prohibited basis, such as race.

The CFPB’s most recent circular signals a less favorable view of AI technology as compared to previous statements from the Bureau. In a blog post from July of 2020, the CFPB highlighted the benefits to consumers of using AI or machine learning in credit underwriting, noting that it “has the potential to expand credit access by enabling lenders to evaluate the creditworthiness of some of the millions of consumers who are unscorable using traditional underwriting techniques.” The CFPB also acknowledged that uncertainty concerning the existing regulatory framework may slow the adoption of such technology. At the time, the CFPB indicated that ECOA maintained a level of “flexibility” and opined that “a creditor need not describe how or why a disclosed factor adversely affected an application … or, for credit scoring systems, how the factor relates to creditworthiness.” In that prior post, the CFPB concluded that “a creditor may disclose a reason for a denial even if the relationship of that disclosed factor to predicting creditworthiness may be unclear to the applicant. This flexibility may be useful to creditors when issuing adverse action notices based on AI models where the variables and key reasons are known, but which may rely upon non-intuitive relationships.” That post also highlighted the Bureau’s No-Action Letter Policy and Compliance Assistance Sandbox Policy as tools to help provide a safe-harbor for AI development. However, in a recent statement, the CFPB criticized those programs as ineffective and it appears those programs are no longer a priority for the Bureau. So too, that prior blog post now includes a disclaimer that it “conveys an incomplete description of the adverse action notice requirements of ECOA and Regulation B, which apply equally to all credit decisions, regardless of the technology used to make them. ECOA and Regulation B do not permit creditors to use technology for which they cannot provide accurate reasons for adverse actions.” The disclaimer directs readers to the CFPB’s recent circular as providing more information. This latest update makes clear that the CFPB will closely scrutinize the underpinnings of systems utilizing such technology and require detailed explanations for their conclusions.

Update Regarding the CFPB’s Buy Now, Pay Later Orders

In a prior post, we reported that the language used in orders recently issued by the CFPB to leading Buy Now, Pay Later (“BNPL”) providers suggested that the CFPB intends to use the information it collects to build enforcement cases rather than monitor market developments. We also reported that if this is the case, it is a departure from historic precedent and can be considered an end-run around the procedural safeguards established by Congress in Section 1052 of the Dodd-Frank Act to ensure that due process is afforded to financial institutions that become the target of CFPB enforcement investigations.

The CFPB’s intentions were apparently confirmed in a January 5 article in Axios about the BNPL orders, which quotes the CFPB’s small dollar, marketplace and installment lending program manager as saying:

It is certainly possible that we could as a result of the data collection take enforcement action.

Assuming this quote is accurate, recipients of CFPB 1022(c)(4) market monitoring orders should be well aware that any information provided to the agency may be used for enforcement purposes.

Did the CFPB follow PRA requirements in issuing its Big Tech orders?

On October 21, the CFPB issued a series of orders to “collect information on the business practices of large technology companies operating payments systems in the United States.”

The CFPB sent the orders to six companies: Amazon, Apple, Facebook, Google, PayPal, and Square. In a statement accompanying the press release announcing the orders, Director Chopra described the CFPB’s action as an “inquiry into big tech payment platforms” and stated that he had ordered “six technology platforms offering payment services” to turn over information about their products, plans and practices. Responses from the companies to the CFPB orders are due by December 15.

The CFPB issued the orders pursuant to Section 1022(c)(4) of the Consumer Financial Protection Act (CFPA), its so-called market monitoring authority. See 12 U.S.C. 5512(c). This authority permits the CFPB to collect information regarding the activities of “covered persons” (a defined term) for the purpose of monitoring markets for risks to consumers in the offering or provision of “consumer financial products or services” (another defined term). This jurisdictional limitation is important – the CFPB cannot issue these orders to any company in the country; the orders may only be sent to companies that are engaged in offering or providing financial services (or that are service providers to those companies). Hence the CFPB’s necessary and intentional focus on large technology companies operating payments systems in the United States, rather than all technology companies.

Importantly, CFPB information collections under Section 1022(c)(4) of the CFPA are not exempt from the Paperwork Reduction Act (PRA) of 1995. See 44 U.S.C. 3501 et seq. PRA requires that agencies obtain Office of Management and Budget (OMB) approval before requesting most types of information from the public. See 5 C.F.R. 1320.5(a). As part of the general PRA review process, agencies must seek two rounds of public comment regarding a proposed information collection for a combined minimum of 90 days.

In reviewing an agency’s information collection request, OMB’s Office of Information and Regulatory Affairs (OIRA) will determine among other things whether the request is necessary for the proper performance of the agency’s functions, is not duplicative of information otherwise accessible to the agency, and has practical utility. See 5 C.F.R. 1320.5(d). If OIRA approves the agency’s information collection request, OMB will issue the agency a unique control number. An agency may not conduct or sponsor and a person is not required to respond to a collection of information unless it displays a currently valid OMB control number. See 5 C.F.R. 1320.5(b).

The PRA and OMB’s implementing regulation each define “collection of information” to mean obtaining answers to identical questions posed to “ten or more persons” within a twelve-month period. See 44 U.S.C. 3502(3) and 5 C.F.R  1320.3(c). This means that PRA requirements generally do not apply to information collected from nine or fewer institutions. However, OMB regulations further specify that “[a]ny collection of information addressed to all or a substantial majority of an industry is presumed to involve ten or more persons.” See 5 CFR 1320.3(c)(4)(ii). OMB guidance provides:

“All such collections require OMB review and approval. Agencies may have evidence showing that this presumption is incorrect in a specific situation. In such a case, the agency may proceed with the collection without seeking OMB approval. Upon OMB request, however, the agency needs to provide that evidence to OMB and needs to abide by OMB’s determination as to whether the collection of information requires OMB approval.” See OIRA, “The PRA of 1995: Implementing Guidance for OMB Review of Agency Information Collection,” Draft, Ch. II.C.3 (August 16, 1999).

The CFPB did not seek public comment on its proposed information collection before issuing its October 21st orders, and does not appear to have obtained OMB approval of its proposed information collection prior to issuing its October 21 orders. The reason it did not do so appears to be because it issued orders to only six companies, which are fewer than the ten institutions necessary for mandatory application of the PRA. However, the question remains whether the six institutions (which the CFPB described as “Tech Giants” in its press release) collectively represent a “substantial majority” of the industry identified by the CFPB (i.e., “large technology companies operating payments systems in the United States”).

While it is not clear from OMB regulations or guidance what proportion of an industry would constitute a “substantial majority” for PRA purposes, it is not inconceivable that the combined size and market share of Amazon, Apple, Facebook, Google, PayPal and Square might constitute a substantial majority of the “big tech payment platforms” industry. If this is the case, OMB rules create a presumption that the CFPB’s October 21st orders are subject to the PRA. Under normal circumstances, when considering a proposed information collection, CFPB staff are expected to consult with the agency’s OIRA desk officer as appropriate and the CFPB’s PRA officer will also offer CFPB leadership an independent opinion regarding the applicability of the PRA. Additionally, the CFPB may have prepared evidence for submission to OMB to rebut the presumption that its proposed information collection is subject to the PRA. However, nothing in the CFPB’s press release, sample order, Director’s statement or November 1 request for comment address the applicability of the PRA to the information sought from the six companies.

Take-Away: If the PRA applies to the CFPB’s October 21st orders, there are two significant consequences. First, without an OMB-approved control number attached to the orders, the recipients are under no legal obligation to respond to the CFPB. Second, contrary to the statutory purposes of the PRA articulated by Congress, the public will have been deprived of the meaningful opportunity to provide comment regarding the proposed orders in advance of their issuance. Such comments would foreseeably focus on important considerations raised by the proposal, including for instance the utility of the information being sought and the logical nexus between demands for internal memoranda relating to potential future business plans and the CFPB’s limited authority to monitor for present risks to consumers in the current offering or provision of consumer financial products and services. Such commentary, if sought and received by the CFPB, could only help it craft its orders in a way that achieves its goals while remaining faithful to the statutory purposes of the PRA. In as much as the CFPB’s novel use of its Section 1022(c)(4) authority creates a precedent for the future, additional transparency from the CFPB regarding the application of the PRA to its October 21st orders may be warranted, and would undoubtedly be welcome before December 15.

New York Proposes Guidance for Regulated Virtual Currency Licensees

A&B ABstract

Since the New York Department of Financial Services (“NYDFS”) finalized regulations for virtual currency firms in 2015, several regulated virtual currency licensees (“Licensees”) have sought permission to issue new virtual currencies (i.e., coins) in addition to those included in their initial license applications. On December 11, 2019, NYDFS issued Proposed Guidance in response to these requests, and will accept comments until January 27, 2020.

Proposed Model Framework

The Proposed Guidance discusses a proposed model framework for a coin-listing or adoption policy (“Policy”) and a procedure for obtaining NYDFS approval of a Policy.  Specifically, the Proposed Guidance would require each Policy to address, at a minimum, the Licensee’s governance, risk, and monitoring of its coins.


The board of directors of the Licensee, or any equivalent governing body, must:

  • Approve the Policy;
  • Independently make decisions to approve or disapprove a new coin;
  • Consider and address any and all conflicts of interest in connection with any review and/or decision-making process for a new coin;
  • Maintain specific minutes for meetings during which a new coin is addressed; and
  • Keep specific records of the application of the Policy to each new coin.

The Licensee must conduct and document a full risk assessment of any new coins in a way that is entirely free of conflicts of interest. It must consider operational risks, risks associated with any technology or systems enhancements, cybersecurity risks, risks related to code defects, and legal and regulatory risks. A Licensee also must ensure that an independent audit of all associated risks is conducted.


A Licensee must maintain policies and procedures to monitor adherence to the Policy.  At a minimum, such policies and procedures must include:

  • Periodic re-evaluation of the coin;
  • Adoption, documentation, and implementation of control measures to manage risks; and
  • A process for de-listing the coin.

Proposed Procedures

A Licensee may submit its Policy to the NYDFS for formal approval.  After receiving approval, the Licensee will be able to self-certify to NYDFS that its proposed adoption or listing of new coins complies with its NYDFS-approved Policy. After self-certification, a Licensee need only provide prior written notice to the NYDFS of its intent to offer and use the new coins. A Licensee with an approved Policy would not be required to obtain the approval of the NYDFS for a new coin, unlike a Licensee that does not maintain an approved Policy.

Significantly, all Licensees, irrespective of whether they maintain a Policy approved by the NYDFS, must inform the NYDFS of all coins used or offered in connection with their business activities no later than at the time of their next quarterly filing.

Comment Deadline

Interested parties should submit their comments to by January 27, 2020, with the subject line “Proposed Coin Listing Policy Framework.” All such comments may be subject to public inspection.


NYDFS Superintendent Linda Lacewell has indicated that she wants New York to remain at the “jurisdiction of choice” for innovation, and these Proposed Guidelines are indicative of the state’s continued efforts to keep that standing. To that end, we can expect to see the NYDFS provide further regulatory clarity and efficiency for emerging financial services technologies and take steps to ensure that its regulation reflects the industry’s fast-paced, evolving market.