Consumer Compliance Outlook: Third Issue 2016

Laws, Regulations, and Supervisory Guidance

Table 1 lists certain federal laws and implementing regulations for financial services and products that may be relevant to fintech firms and their depository institution partners. This is not an exhaustive list, and the applicability of an individual law depends on the particular circumstances.1 State laws and regulations, including usury limits, may also apply. Table 2 highlights Federal Reserve supervisory guidance that is potentially applicable to fintech firms and depository institutions that partner with fintech firms.

Table 1. Examples of Federal Financial Laws That May Apply to Fintech Firms and Fintech-Related Activities




Equal Credit Opportunity Act (Regulation B)
  • Prohibits creditors from discriminating against credit applicants on the basis of race, color, religion, national origin, sex, marital status, or age, or because all or part of the applicant’s income derives from any public assistance program, or because the applicant has in good faith exercised any right under the federal Consumer Credit Protection Act or any applicable state law
  • Covers both disparate treatment and disparate impact claims
  • Requires creditors to provide borrowers with notice of any action taken on their application for credit
Truth in Lending Act (Regulation Z)
  • Provides meaningful disclosure of credit costs and terms to promote the informed use of consumer credit. The uniformity of disclosures is intended to assist consumers in comparison shopping for credit.
  • Protects consumers against unfair credit billing and credit card practices
  • Regulates credit advertising
Fair Credit Reporting Act (FCRA) (Regulation V)
  • Requires a permissible purpose to obtain a consumer credit report
  • Requires furnishers of information to credit bureaus to implement policies and procedures concerning the accuracy and integrity of the information they furnish and to address consumer disputes about information furnished
  • Imposes disclosure requirements on creditors who take adverse action on credit applications or charge more for credit based on information in a credit report
  • Requires creditors to develop and implement an identity theft prevention program
Fair Debt Collection Practices Act
  • Provides guidelines and limitations on the conduct of third-party debt collectors in connection with the collection of consumer debts
  • Limits certain communications by debt collectors; imposes notice and debt validation requirements; and prohibits false and misleading representations, harassing or abusive conduct, and unfair practices in collecting a debt
Servicemembers Civil Relief Act
  • Allows servicemembers entering active duty to have the interest rate on debts incurred prior to service reduced to 6 percent
  • Protects active duty servicemembers from default judgments and allows them to obtain a suspension of civil proceedings if their service prevents them from appearing to defend a collection action
Military Lending Act
  • Imposes a rate cap of 36 percent on the Military Annual Percentage Rate for credit extended to active duty servicemembers and their dependents and imposes additional restrictions to protect covered borrowers
Section 85 of the National Bank Act
Section 521 of the Depository Institutions Deregulation and Monetary Control Act of 1980
  • Allows a national bank to charge the highest rate allowed for a state-chartered bank in the national bank’s home state, regardless of whether the customer is located in-state or out-of-state
  • Permits a state-chartered bank to charge the “highest” allowable rate permitted under its home state law to out-of-state customers as well as in-state customers, in the same way a national bank can

Privacy and Data Security

Gramm–Leach–Bliley Act or Financial Services Modernization Act (Regulation P)
  • Limits when a financial institution may disclose a consumer’s nonpublic personal information to nonaffiliated third parties
  • Requires financial institutions to notify their customers about their information-sharing practices and to tell consumers of their right to opt out if they do not want their information shared with certain nonaffiliated third parties
Federal Trade Commission (FTC) Safeguards Rule (under the Gramm–Leach–Bliley Act)
  • Requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. In addition to developing their own safeguards, companies covered by the rule are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.

Bank Secrecy Act

Bank Secrecy Act
  • Requires financial institutions to implement anti-money-laundering programs, apply customer identification program (CIP) rules, and report suspicious activity that meets a certain dollar threshold


Section 5 of the FTC Act
  • Prohibits unfair or deceptive acts or practices in trade or commerce
§§ 1031 and 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (codified at 12 U.S.C. §§ 5531 and 5536)
  • Prohibits unfair, deceptive, or abusive business acts or practices
Electronic Fund Transfer Act (Regulation E)
  • Provides certain consumer rights regarding the electronic transfer of funds to and from consumers’ bank accounts
  • Requires disclosure of terms and conditions of electronic transfers, limits consumer liability for unauthorized transfers, establishes procedures for recurring preauthorized transfers, and establishes error resolution procedures
Electronic Signatures in Global and National Commerce Act/Uniform Electronic Transactions Act
  • Authorizes the use of electronic records and signatures to create legally valid and enforceable agreements
  • Requires businesses to obtain consumers’ affirmative consent before using electronic records or signatures to comply with a legal requirement to provide information in writing
Section 1867(c) of the Bank Service Company Act
  • Provides federal banking agencies with the authority to regulate and examine the performance of certain services by a third-party service provider for a depository institution (or for any subsidiary or affiliate of a depository institution that is subject to examination by that agency) “to the same extent as if such services were being performed by the depository institution itself on its own premises”
  • The federal banking agencies may also have enforcement authority against a third-party service provider (considered to be an institution-affiliated party) and in other circumstances under the Federal Deposit Insurance Act.
Investment Advisers Act of 1940
  • Requires that firms or sole practitioners who are compensated for advising others about securities investments register with the U.S. Securities and Exchange Commission and conform to regulations designed to protect investors

Table 2. Federal Reserve Supervisory Guidance That May Be Relevant to Fintech Firms and Their Depository Institution Partners



Working with Third Parties2

Supervision and Regulation (SR) 13–19/Consumer Affairs (CA) 13–21: Guidance on Managing Outsourcing Risk
  • Addresses outsourced activities performed by traditional core bank processing and information technology service providers as well as operational activities such as accounting, appraisal management, internal audit, human resources, sales and marketing, loan review, asset and wealth management, procurement, and loan servicing
  • Highlights the potential risks arising from the use of service providers
  • Describes the elements of an appropriate service provider risk management program
  • Supplements existing guidance on technology service providers (TSP) issued by the Federal Financial Institutions Examination Council (FFIEC)
SR 07–19: Confidentiality Provisions in Third-Party Agreements
  • Explains that it is contrary to Federal Reserve regulation and policy for agreements to contain confidentiality provisions that (1) restrict the banking organization from providing information to Federal Reserve supervisory staff; (2) require or permit, without the prior approval of the Federal Reserve, the banking organization to disclose to a counterparty that any information will be or was provided to Federal Reserve supervisory staff; or (3) require or permit, without the prior approval of the Federal Reserve, the banking organization to inform a counterparty of a current or upcoming Federal Reserve examination or any nonpublic Federal Reserve supervisory initiative or action
  • Notes that banking organizations that have entered into agreements containing such confidentiality provisions are subject to legal risk


SR 15–2/CA 15–1: Guidance on Private Student Loans with Graduated Repayment Terms at Origination
  • Provides guidance on private student loans with graduated repayment terms at origination
SR 10–2: Interagency Statement on Meeting the Needs of Creditworthy Small Business Borrowers
  • Discusses banking agencies’ views on prudent lending practices for creditworthy small business borrowers
SR 08–7/CA 08–10: Interagency Examination Procedures for the Identity Theft Red Flags and Other Regulations under the FCRA
  • Provides examination procedures for regulations implementing the following three provisions of the FCRA, as amended by the Fair and Accurate Credit Transactions Act:
    • Duties of users regarding address discrepancies (12 CFR 222.82) (Address Discrepancy rule)
    • Duties regarding the detection, prevention, and mitigation of identity theft (12 CFR 222.90) (Identity Theft Red Flags rule)
    • Duties of card issuers regarding changes of address (12 CFR 222.91) (Card Issuer rule)


SR 16–14: FFIEC Information Technology Examination Handbook — Information Security Booklet
  • Announces the revised FFIEC information security booklet, which highlights characteristics of effective information security programs
  • Includes examination procedures for cybersecurity threats and resource requirements
  • Reviews the stages of an IT risk management program
SR 12–14: Revised Guidance on Supervision of Technology Service Providers
  • Addresses the agencies’ statutory authority to supervise third-party servicers that enter into contractual arrangements with regulated financial institutions
  • Outlines the agencies’ risk-based supervisory program
  • Emphasizes that a financial institution’s management and board of directors have the ultimate responsibility for ensuring outsourced activities are conducted in a safe and sound manner and comply with applicable laws and regulations
SR 05–19: Interagency Guidance on Authentication in an Internet Banking Environment
  • Addresses the need for risk-based assessments, customer awareness, and security measures to reliably authenticate customers accessing financial institutions’ Internet-based services
  • Emphasizes that the agencies consider single-factor authentication, if it is the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or moving funds to other parties. Supplemented by SR 06–13, which includes an FAQ to assist institutions and TSPs in conforming to the guidance, and by SR 11–9, which updates agencies’ expectations for supervised financial organizations regarding customer authentication, layered security, and other controls
SR 01–15: Standards for Safeguarding Customer Information
  • Establishes standards for financial institutions related to administrative, technical, and physical safeguards for customer records and information
SR 00–17: Guidance on the Risk Management of Outsourced Technology Services
  • Focuses on the risk management process of identifying, measuring, monitoring, and controlling the risks associated with outsourcing technology services

Bank Secrecy Act

SR 10–11: Interagency Examination Procedures for Reviewing Compliance with the Unlawful Internet Gambling Enforcement Act of 2006
  • Provides an overview of the Unlawful Internet Gambling Enforcement Act of 2006
  • Sets forth procedures for reviewing compliance by institutions with the joint rule of Treasury (31 CFR Part 132) and the Board (12 CFR Part 233)
SR 05–8: Interagency Interpretive Guidance on the Provision of Banking Services to Money Services Businesses Operating in the United States
  • Clarifies the requirements of the Bank Secrecy Act and anti-money-laundering regulations in relation to the provision of banking services to money services businesses operating in the United States
SR 05–7: Account Relationships with Money Services Businesses
  • Describes current issues in providing banking services to money services businesses and the views of the Federal Reserve, the other federal financial institutions supervisory agencies, and the Financial Crimes Enforcement Network about assessing and controlling the varying levels of risk associated with such accounts


SR 11–7: Guidance on Model Risk Management
  • Provides guidance to banking organizations and supervisors concerning model risk management, including model validation


1 The descriptions provided in both tables should not be interpreted as comprehensive statements of the laws, regulations, or policies that may apply. Rather, these tables are intended to give a broad overview of the applicable requirements.

2 See also Consumer Financial Protection Bureau, Bulletin 2012-03, “Service Providers” (April 13, 2012); Federal Deposit Insurance Corporation (FDIC), FIL-44-2008, “Guidance for Managing Third-Party Risk” (June 6, 2008); FDIC, FIL-50-2016, “FDIC Seeking Comment on Proposed Guidance for Third-Party Lending” (July 29, 2016); National Credit Union Administration, Supervisory Letter No. 07-01, “Evaluating Third Party Relationships” (October 2007); and Office of the Comptroller of the Currency, Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance” (October 30, 2013).