Laws, Regulations, and Supervisory Guidance
Table 1 lists certain federal laws and implementing regulations for financial services and products that may be relevant to fintech firms and their depository institution partners. This is not an exhaustive list, and the applicability of an individual law depends on the particular circumstances.1 State laws and regulations, including usury limits, may also apply. Table 2 highlights Federal Reserve supervisory guidance that is potentially applicable to fintech firms and depository institutions that partner with fintech firms.
Table 1. Examples of Federal Financial Laws That May Apply to Fintech Firms and Fintech-Related Activities
| LAW OR REGULATION | HIGH-LEVEL DESCRIPTION |
| --- | --- |
| Credit | |
| Equal Credit Opportunity Act (Regulation B) | |
| Truth in Lending Act (Regulation Z) | |
| Fair Credit Reporting Act (FCRA) (Regulation V) | |
| Fair Debt Collection Practices Act | |
| Servicemembers Civil Relief Act | |
| Military Lending Act | |
| Section 85 of the National Bank Act; Section 521 of the Depository Institutions Deregulation and Monetary Control Act of 1980 | |
| Privacy and Data Security | |
| Gramm–Leach–Bliley Act or Financial Services Modernization Act (Regulation P) | |
| Federal Trade Commission (FTC) Safeguards Rule (under the Gramm–Leach–Bliley Act) | |
| Bank Secrecy Act | |
| Bank Secrecy Act | |
| Other | |
| Section 5 of the FTC Act | |
| §§1031 & 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (codified as 12 U.S.C. §5531 and §5536) | |
| Electronic Fund Transfer Act (Regulation E) | |
| Electronic Signatures in Global and National Commerce Act/Uniform Electronic Transactions Act | |
| Section 1867(c) of the Bank Service Company Act | |
| Investment Advisers Act of 1940 | |
Table 2. Federal Reserve Supervisory Guidance That May Be Relevant to Fintech Firms and Their Depository Institution Partners
| GUIDANCE LETTER | HIGH-LEVEL DESCRIPTION |
| --- | --- |
| Working with Third Parties2 | |
| Supervision and Regulation (SR) 13–19/Consumer Affairs (CA) 13–21: Guidance on Managing Outsourcing Risk | |
| SR 07–19: Confidentiality Provisions in Third-Party Agreements | |
| Credit | |
| SR 15–2/CA 15–1: Guidance on Private Student Loans with Graduated Repayment Terms at Origination | |
| SR 10–2: Interagency Statement on Meeting the Needs of Creditworthy Small Business Borrowers | |
| SR 08–7/CA 08–10: Interagency Examination Procedures for the Identity Theft Red Flags and Other Regulations under the FCRA | |
| Technology | |
| SR 16–14: FFIEC Information Technology Examination Handbook — Information Security Booklet | |
| SR 12–14: Revised Guidance on Supervision of Technology Service Providers | |
| SR 05–19: Interagency Guidance on Authentication in an Internet Banking Environment | |
| SR 01–15: Standards for Safeguarding Customer Information | |
| SR 00–17: Guidance on the Risk Management of Outsourced Technology Services | |
| Bank Secrecy Act | |
| SR 10–11: Interagency Examination Procedures for Reviewing Compliance with the Unlawful Internet Gambling Enforcement Act of 2006 | |
| SR 05–8: Interagency Interpretive Guidance on the Provision of Banking Services to Money Services Businesses Operating in the United States | |
| SR 05–7: Account Relationships with Money Services Businesses | |
| Other | |
| SR 11–7: Guidance on Model Risk Management | |
Endnotes
1 The descriptions provided in both tables should not be interpreted as comprehensive statements of the laws, regulations, or policies that may apply. Rather, these tables are intended to give a broad overview of the applicable requirements.
2 See also Consumer Financial Protection Bureau, Bulletin 2012-03, “Service Providers” (April 13, 2012); Federal Deposit Insurance Corporation (FDIC), FIL-44-2008, “Guidance for Managing Third-Party Risk” (June 6, 2008); FDIC, FIL-50-2016, “FDIC Seeking Comment on Proposed Guidance for Third-Party Lending” (July 29, 2016); National Credit Union Administration, Supervisory Letter No. 07-01: “Evaluating Third Party Relationships” (October 2007); and Office of the Comptroller of the Currency, Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance” (October 30, 2013).