Pay No Attention to the Circus: For Fintech Industry, Focus on States
Amidst a number of crises, many of which have been self-inflicted, the President’s policy agenda has stalled. Faced with a new, difficult political reality, a stymied Congress has been unable to enact significant legislation thus far this year, and the prospects for improvement seem dim, despite several critical deadlines for Congressional action looming next month. More than seven months into the Trump administration, hundreds of high-level federal government jobs sit unfilled, significantly impairing the ability of key federal agencies to set and drive towards their policy objectives for the next four years.
Though the vast majority of the political media coverage is focused on what’s happening (or, to be more precise, not happening) in Washington, the truth is that the federal government, led by a chaotic new administration and paralyzed by a polarized Congress, has not, and likely will not, be the source of significant policy changes for many facets of the American economy for the foreseeable future. Instead, in state capitols across the country, governors, state legislatures, and state agencies are busy issuing guidance and rules, enacting new laws, and shaping the landscape of industries doing business within their borders. Though the immediate implications of these actions are limited to the geographical boundaries of the states in which they take place, past experience suggests that key state activities often set precedent adopted by other states and, in some cases, by the federal government. For fintech, the states will be an important source of activity amid Washington gridlock.
Beginning this week, a wide swath of financial services companies doing business in New York are required to comply with new cybersecurity rules issued by the New York Department of Financial Services (NYDFS), which regulates state-chartered financial companies doing business in the state. For these entities, the new rules establish minimum requirements for cybersecurity programs and policies, data encryption, multi-factor authentication, incident reporting, and third-party risk management. Thus, even fintech companies not directly regulated by NYDFS must be aware of, and to some degree compliant with, the new rules, as any state-chartered financial services company in New York with which they have a business arrangement may be required to extend several of these new requirements to their fintech partners, under the rule’s third-party risk management requirements. Did you miss the announcement of New York’s new cybersecurity requirements for financial services companies? NYDFS first proposed the new cybersecurity rules last fall, while most of the country was focused on the presidential election.
In May, the banking supervisors of the six states that comprise New England (Massachusetts, Vermont, New Hampshire, Rhode Island, Maine, and Connecticut) let slip publicly that they are mulling the creation of a regional compact that would allow fintech companies to test new products in a safe, controlled regulatory environment; in other words, a New England regulatory sandbox. Under the “New England Regulatory Fintech Sandbox”, any fintech chartered in one of the six New England states could be granted access to a lighter touch regulatory environment in the other five to test its products and liaise with those states’ banking supervisors in a dialogue to better understand and shape the regulatory expectations for innovative, technology-fueled solutions that may not fit squarely within existing state laws or regulations. The New England compact could launch as early as this year.
The Conference of State Bank Supervisors (CSBS), the national organization of bank regulators from across the country, earlier this year announced “Vision 2020” – an effort intended to deliver in the next three years a comprehensive, streamlined multi-state supervisory and regulatory framework for fintech firms that would enable state-chartered companies to more easily do business across state lines. To design and implement this vision, the state banking supervisors will focus their efforts on harmonizing state supervisory requirements for fintech companies, making supervision more efficient, and making it easier for state-chartered banks to provide services to non-banks. To realize this vision of better aligned, state-driven fintech regulation, ultimately, state banking regulators across the country will need to promulgate rules or guidance to implement CSBS’ policy recommendations.
All of this activity – plus a desire to maintain oversight and supervision over fintech firms doing business in their states – drove the decision by several state banking supervisors to legally challenge the authority of the Office of the Comptroller of the Currency (OCC), a federal agency, to issue special-purpose charters to certain fintech companies, which would exempt those companies from compliance with state law and instead move them to a federal compliance structure. The Obama-era OCC, which first proposed the fintech charter, fiercely defended it. Thus far, the Trump administration has defended the notion of granting special-purpose charters to fintech firms somewhat less vocally than its predecessor, but with one very important caveat: The OCC is one of the many federal agencies referenced earlier that are still operating without a permanent head. Accordingly, the alignment between the Obama-era OCC and today’s OCC, which is helmed by an interim Comptroller of the Currency, Keith Noreika, could be broken once Joseph Otting, President Trump’s nominee to permanently fill the position, receives Senate confirmation.
Thus, for fintech firms, the intense focus on Washington, which is rife with change, uncertainty, vacancies and gridlock, belies the notion that no significant policy changes are in the offing; they’re simply taking place at the state level, out of the political spotlight.