Fintech Legal Report – September 2021 | Coie Perkins

Weekly Fintech focus

  • Federal banking agencies release guide for community banks on conducting due diligence on fintech companies.
  • The CFPB releases its long-awaited proposed small business credit data rule.

Federal Banking Agencies Release Guide for Community Banks on Conducting Fintech Business Due Diligence

On August 27, 2021, the Federal Banking Agencies (Federal Reserve, FDIC and OCC) released “Doing Due Diligence on FinTech Companies: A Guide for Community Banks” (the guide). The guide is intended to serve as a resource for bank management when performing due diligence on potential relationships with fintech companies. It can be useful for banks of any size and for other types of third-party relationships.

The guide draws on existing federal banking agency supervisory guidelines on third-party risk management and is consistent with the agencies’ July 19 proposal to harmonize their existing agency-specific guidance into a single document applicable to all federally supervised banking organizations.

The guide highlights six key due diligence topics for fintech relationships and discusses relevant considerations, potential sources of information and illustrative examples. The six main due diligence topics are:

  1. Business experience and qualifications – A bank may consider a fintech’s business experience, such as its operating history, customer referrals and complaints, and any legal or regulatory action against the fintech. A fintech’s strategic plans are also important to sustain the service that the fintech provides to the bank. Finally, the experience of the fintech’s executives and directors is relevant to understanding the fintech’s expertise in a given area.
  2. Financial condition – A fintech’s financial condition can be found in its financial statements, annual reports, and public market data. Information about the fintech’s competitive environment could also inform a bank about the viability of the fintech.
  3. Legal and regulatory compliance – A bank can review the fintech’s organizational documents and regulatory filings, as well as conduct a search for legal actions against the fintech. A fintech’s policies and procedures can also provide insight into the company’s compliance posture.
  4. Risk management and controls – Information about a fintech’s risk management and controls can be found in places such as its policies and procedures, self-assessments, and audit reports. The parties could also outline risk and performance expectations given the criticality of the functions provided by the fintech to the bank.
  5. Information security – A bank can review the fintech’s incident management and response policies and assessments and ask the fintech to perform information security control assessments. Depending on the service provided, different information security processes and protections will need to be in place.
  6. Operational resilience – A bank can assess a fintech’s business continuity plans, incident response plans, disaster recovery plans, and associated testing to assess the resiliency of the fintech. Banks can also determine where fintech data will reside, domestically or internationally.

While the guide is tailored to fintechs, it does not establish new fintech-specific expectations or requirements. Rather, the guide emphasizes that banks can approach relationships with fintech companies the same way they would any other relationship with a third party.

CFPB Releases Long-Awaited Proposed Small Business Credit Data Rule

On September 1, 2021, the Consumer Financial Protection Bureau (CFPB) issued a notice of proposed rulemaking (NPRM) designed to help small businesses access credit by increasing transparency in the lending market. Under Section 1071 of the Dodd-Frank Act, which amended the Equal Credit Opportunity Act, the proposed rule would require financial institutions to collect and report to the CFPB certain data regarding applications for credit for women-owned, minority-owned and small businesses. The CFPB proposes to define a “small business” as a business with gross annual revenue of $5 million or less for its preceding fiscal year.

According to the press release issued by the CFPB, the purpose of this rule is to better understand the challenges faced by small businesses when trying to access finance and ways to improve lending practices. Based on the information provided in the NPRM summary, if the proposed rule is finalized, it would effectively create the first comprehensive and qualitative database of small business credit applications in the United States, with the goal of increasing the focus on the segments of the small business market that have traditionally encountered significant obstacles in obtaining financing.

The proposed rule would apply to the following “covered financial institutions” that engage in small business lending: (i) deposit-taking institutions, (ii) online lenders, (iii) platform lenders, (iv) community development financial institutions, (v) lenders involved in financing equipment and vehicles, (vi) commercial finance companies, (vii) government lending entities and (viii) non-custodial lenders to non-profit. In addition, the CFPB proposes to define “covered credit transactions” to include loans, lines of credit, credit cards and merchant cash advances. However, trade credit, utility credit, securities credit and collateral credit are not covered by the proposed definition under the proposed rule.

Covered financial institutions would be required to collect and report data from information provided by the small business credit applicant, including but not limited to type of credit (which includes credit, types of guarantees and duration of the loan); the purpose of the credit; the amount requested; the applicant’s place of business; the applicant’s gross annual income for the previous full financial year; the number of employees; the duration of the applicant’s activity; and the number of primary owners. Covered financial institutions will also need to collect and report additional information such as whether the applicant is a minority-owned business and/or a women-owned business and the self-reported ethnicity, race and gender of the applicant’s primary owners.

The CFPB sought comments on questions covering a number of issues such as (i) how to define a small business for the purposes of this data collection; (ii) how best to collect price information for small business credit cost transparency; and (iii) how to balance the benefits of public disclosure against the risk to privacy. Additionally, the CFPB has launched a new portal designed to encourage small business entrepreneurs to share their stories about applying for credit to help better inform the CFPB about the challenges small businesses face in this area.

Importantly, the proposed rule does not provide any size-based exemption for covered financial institutions, which has begun to raise objections from community banks due to the regulatory burden it would impose. This is of particular concern given the impact the COVID-19 pandemic has had on small businesses and the increased need for small business loans. Small financial institutions will be interested in the burden this proposed rule could place on operations related to the rule’s data collection obligations and how that may affect their ability to lend to small businesses. The confidentiality and protection of personal data that will be made public in this database is another issue of which the CFPB is aware and which will likely raise public concerns during the NPRM comment period. At the same time, many stakeholders are pleased that the CFPB is taking steps to implement this rule and view it as an important effort to help address systemic discrimination against some small businesses and other unfair lending practices.

If the proposed rule is finalized in its current form, affected financial institutions will have 18 months after the publication of the final rule to comply. The public comment period is 90 days from publication in the Federal Register, and the CFPB does not anticipate any extension of the deadline at this time.

Darcy J. Skinner