Digital innovations are transforming all aspects of society, with big data processing enabling the development of astonishing new digital tools. With each new technical product comes both benefits and risks that are unproven, and often unknown, at the time of launch. The Innovation Policy announced by the CFPB demonstrates that it is prepared to assist the financial service industry as it, too, uses technology to improve its consumers lives.
Unregulated Technology Comes With Threats
The technology industry as it currently exists is only about 20 years old, but its expanse is already global, with digital access available to billions of people. Over time, though, significant damage has been caused to millions of users because of the swift, unwieldy and unregulated growth of big data and its connectivity processes. In 2015, the Ponemon Institute and Symantec Corp released a study that revealed that the cause of 47 percent of data breaches is a criminal or malicious attack. The remaining 53 percent of these breaches are caused by less intentional but still damaging human activity.
Two relevant events provide excellent examples:
- In July 2015, more than 21.5 million people were adversely affected when data breaches occurred in the files of the U.S. Office of Personnel Management. Included in those files: Social Security numbers, fingerprints, health and financial histories, and more. The extent of the damages immediately suffered is still not known, and a full revelation of related losses may never be known.
- In 2014, theft from a vendor account resulted in a breach of the databanks of Home Depot®. The thieves stole 56 million consumer credit card accounts, costing the home improvement company at least $80 million before insurance coverage kicked in.
CFPB Anticipated Potential Threats
The financial services sector is not immune from the technological tidal wave of innovation and the undiscovered threats that may lurk within it. In 2012, as the Bureau of Consumer Financial Protection (hereafter “Bureau”) was developing its policies, it proposed a process whereby financial services providers could “test” the feasibility and functionality of newly designed financial products without automatically voiding their compliance with industry regulations.
Based on the premise that the public needs “accurate and effective disclosures” to make sound financial decisions, the Bureau proposed that a provision be created to allow “safe harbor” during the real-world testing of those products. Upon proper registration of the new, proposed product, the Bureau (and its implementation arm, the CFPB) would either exempt the originating entity from otherwise applicable regulations or “deem” the entity to be in compliance with those rules for a specified period. During that period, the entity could test the risks and benefits of the new financial tool while the Bureau determined where the product would fit within existing regulatory guidelines, if and when it was proven safe.
The Bureau has specifically stated that its intent is to encourage banks, credit unions and other financial services providers to develop new financial management tools for the benefit of their customers. By following the proposed processes, the purchasing public could access the product’s potential benefits during the period when potentially harmful bugs were worked out, and a home for the product was found within the regulatory scheme.
The Final Policy
On February 18, the CFPB publicized the final policy. It stated that the CFPB will issue a “no-action letter” (NAL) related to “innovative financial products or services that promise substantial consumer benefit where there is substantial uncertainty about whether or how specific provision of certain statutes implemented or regulations issued would be applied.” The NAL will include a statement that the CFPB has no intention to initiate enforcement actions against the entity requesting the NAL in relation to the products that are the subject of the letter. The CFPB will post both the request and the NAL on its website.
There are five sections to the policy:
- Information included in the request
- Possible staff responses to requests
- Factors the staff may consider when evaluating the request
- The limitations and general contents of the NAL
- Data regarding the entities who are making the request
For industry participants, Section A provides guidelines. Along with submitting entity information, the NAL request must clearly demonstrate
- How the product functions
- Its terms
- The manner of its public presentation
- Any consumer disclosures associated with it
As well, the request should also state:
- A presentation timetable
- The product’s benefit to the public
- An explanation of potential risks it poses
- Why the product requires an NAL to be issued (this section seeks statutory, regulatory, legal and policy standards that would identify the product as non-compliant)
- A list of safeguards that will accompany the product during the testing phase
- Additional data regarding the status of the product and the processes the requester will follow to prove its safety and benefits to the public
NAL’s Issued in Exceptional Instances Only
The CFPB doesn’t anticipate reviewing more than three NAL request per year, and the policy states that they will not be “routinely available.” Instead, NAL’s will be issued in exceptional circumstances, after a demonstration that the proposed product is worthy of the regulatory relief.
Technology has easily surpassed the industrial capacity to regulate it, as disastrous financial losses caused by its misuse demonstrate. However, potential benefits may outweigh the risk of loss when thoughtfully considered. The CFPB seeks to provide consumers with the fastest possible access to innovative financial solutions while mitigating or avoiding the risk of loss they may cause. The new policy appears to provide the framework to accomplish that goal.