On October 22, 2024, the Consumer Financial Protection Bureau (CFPB) finalized its long-awaited rule on Personal Financial Data Rights (referred to herein as the “Open Banking Rule”).

The Open Banking Rule requires banks, credit unions, and other financial service providers to make consumers’ data available, upon request, to those consumers or to third parties designated by them. The rule implements the personal financial data rights established by the Consumer Financial Protection Act of 2010 (“CFPA”). In particular, Section 1033 of the CFPA provides consumers with a right to access their account information and to authorize certain third parties to access such information on the consumer’s behalf. Subject to the newly finalized Open Banking Rule, Section 1033 requires covered banks, credit unions, financial institutions, and certain payment providers to make consumers’ financial data available to that consumer or to a third party authorized to receive such information on the consumer’s behalf.

The Open Banking Rule casts a wide net and has substantial implications not only for the data providers (defined below), but also for the third parties receiving such information on behalf of the requesting consumer. The same day the Open Banking Rule was released, a Kentucky-based bank and two trade associations filed a lawsuit in federal district court in Kentucky challenging the rule, and we expect more lawsuits to follow. These legal challenges could delay or affect implementation of the rule, and Taft will continue to monitor their status.

We’ve boiled down the basics here in an FAQ format to demystify the implications the Open Banking Rule has for the payments industry.

Q: Who does the Open Banking Rule apply to?

A: The Open Banking Rule applies to “data providers,” which are financial institutions (as defined in Regulation E), card issuers (as defined in Regulation Z), or any other person that controls or possesses information concerning a covered consumer financial product or service that the consumer obtained from that person.

Q: Which entities are considered “data providers”?

A: Data providers include depository institutions such as banks or credit unions, and nondepository institutions that issue credit cards, hold transaction accounts, issue devices to access an account, or provide other types of payment facilitation products or services.

Q: Which entities are not covered under the Open Banking Rule?

A: Data providers are exempt if they are depository institutions that hold $850 million or less in total assets, a threshold based on U.S. Small Business Administration (“SBA”) size standards.

Q: Who is an “authorized third party” under the Open Banking Rule?

A: An “authorized third party” is a third party that is authorized to receive “covered data” about “covered financial products and services” that is available in electronic form to consumers. An “authorized third party” is defined as a third party that has complied with the authorization procedures set forth in subpart D of the Open Banking Rule. To comply with subpart D and become an “authorized third party,” a third party must obtain authorization from the consumer on an annual basis. Continued use of a third party’s services does not constitute authorization. Before obtaining authorization, the third party must provide the consumer with the following “near in time” disclosures:

  • Name of the third party that will be authorized to access the covered data.
  • Name of the data provider that will be in control or possession of the covered data that will be processed by the third party.
  • The categories of covered data that will be accessed.
  • The purpose of accessing the covered data.
  • The time frame that the authorization will cover (up to one year).
  • A description of the mechanism for revoking consent.

Q: What is “covered data”?

A: “Covered data” is financial information that a financial institution (or “data provider”) must make accessible to consumers and authorized third parties upon request. Financial information includes, among other things, account balances, account terms and conditions, information necessary to initiate payments (including account and routing numbers), transaction amounts, transaction dates, payment types, rewards credits, fees and finance charges, and verification information necessary to confirm account ownership (e.g., name, address, email address, and phone number).

Q: How does the Open Banking Rule impact a person’s obligations or duties under the Gramm-Leach-Bliley Act and Regulation P?

A: Data providers are required to maintain a “developer interface,” which is the functionality through which the data provider receives requests for covered data and makes that data available to authorized third parties. Data providers must have an information security program for their developer interface that meets the requirements of the Safeguards Framework under the Gramm-Leach-Bliley Act (“GLBA”). If the data provider is not subject to the GLBA’s Safeguards Framework, it must have an information security program that meets the FTC’s Standards for Safeguarding Customer Information. Third parties must also have an information security program, meeting these same requirements, for their own systems used to collect, use, and retain covered data.

Q: How does the Open Banking Rule impact a person’s obligations or duties under the Fair Credit Reporting Act?

A: The obligations of the Open Banking Rule overlap with those of the Fair Credit Reporting Act. A third-party data aggregator or other financial service provider may be classified as a credit reporting agency if it handles covered data that could be used for credit decisions, i.e., information that the Fair Credit Reporting Act treats as “credit report” like information. This regulatory overlap will impose obligations on fintech and data aggregation companies to comply with the Fair Credit Reporting Act’s requirements for data accuracy, privacy, limitations on use of data, and data security.

Q: When are the mandatory compliance dates?

A: Compliance dates are staggered based on a data provider’s total assets or total receipts, with larger entities having a shorter timeframe for compliance. April 1, 2026 is the compliance deadline for depository institutions with at least $250 billion in total assets and for non-depository institutions that generated at least $10 billion in total receipts in either 2023 or 2024, while April 1, 2030 is the compliance deadline for depository institutions that hold less than $1.5 billion but more than $850 million in total assets.

Taft continues evaluating the Final Rule and is available to assist in analyzing the impact it may have on your new or existing operations and contractual agreements.

Fraud in the payments space is nothing new. In fact, it is fairly pervasive across the (now numerous) available payment systems. And despite the clear benefits of faster payments, the advent of faster, more easily accessible methods of payment has given rise to new opportunities for fraudsters.

From bill payment and payroll to the “behind the scenes” funds settlement mechanisms of the various payment applications we use daily, one of the primary payment systems used by consumers and businesses alike is the ACH network. The National Automated Clearing House Association (“Nacha”) establishes the rules governing the ACH network (the “Rules”). In March 2024, Nacha voted on and approved 15 amendments to the Rules, including several revisions intended to strengthen ACH network participants’ ability to detect potential fraud and to efficiently recover funds in the event that fraud does take place (collectively, the “Risk Management Topics”). Several of these Risk Management Topics go into effect on October 1, 2024, while others that may require more technical lead time have staggered effective dates over the next few years. Understanding the requirements, and the opportunities, presented by these new Risk Management Topics is critical for financial institutions and corporations alike. Below is a high-level summary of the new Risk Management Topics for your consideration.

1. Expanded Use Cases of the R17 and R06 Return Reason Codes. When a financial institution receives a debit or credit entry from another financial institution through the ACH network, the Rules permit the Receiving Depository Financial Institution (“RDFI”) to return that entry to the Originating Depository Financial Institution (“ODFI”). The RDFI must follow explicit parameters set forth in the Rules surrounding the return of these ACH entries, including that a Return Reason Code, identifying the reason for the return, be attached to the returned entry. The new revisions to the R06 and R17 Return Reason Codes provide both ODFIs and RDFIs with more discretion with respect to the return of entries they suspect to be fraudulent.

Prior to October 1, 2024, the R06 Return Reason Code was used by ODFIs to request that the RDFI return an entry that was either an “Erroneous Entry” (which is narrowly defined) or that was a credit entry initiated without the authorization of the Originator. The new revision allows ODFIs to use R06 to request a return from the RDFI for any reason.

The R17 Return Reason Code was previously used by RDFIs to return entries that: (a) the RDFI could not process; (b) contained an invalid account number and which the RDFI suspected were initiated under questionable circumstances; or (c) the RDFI or the account holder (“Receiver”) identified as an improper reversal of an entry. As revised, RDFIs can use R17 to return entries they believe were initiated under “questionable circumstances” without also requiring an error with the account number. These include entries transmitted without an Originator’s authorization and entries originated under False Pretenses (as defined below).

Financial institutions should ensure their internal procedures reflect the new use cases of R06 and R17, and corporates should be educated on their additional avenues for requesting or initiating returns through their financial institution.

Risk Management Topic: Expanded Use of ODFI Request for Return (R06)
Key Takeaways: An ODFI may now request that an RDFI return any entry for any reason at all, including suspected fraud. The RDFI still maintains sole discretion in deciding whether to honor the requested return, but now it must give the ODFI a response within 10 banking days. Importantly, the ODFI will still need to indemnify the RDFI for such requested returns.
Effective Date:
  Phase 1 – October 1, 2024: ODFIs may begin using R06.
  Phase 2 – April 1, 2025: RDFIs will need to have procedures in place to respond timely to an R06 request.

Risk Management Topic: Codifying Expanded Use (R17)
Key Takeaways: An RDFI may (but is not required to) return any entry it believes, in its sole discretion, is fraudulent. RDFIs exercising this right to return must do so within the 2 banking day time frame and must include the descriptor “QUESTIONABLE” in the return addenda.
Effective Date: October 1, 2024

2. Additional Funds Availability Exceptions. Previously, the Rules allowed an RDFI to delay funds availability of ACH credits to a Receiver if the RDFI reasonably believed the entry was an unauthorized credit entry (e.g., in the event of an account takeover of an Originator’s account). As revised, the Rules will now also allow an RDFI to delay funds availability if it reasonably believes that a credit was unlawful, suspicious, or otherwise sent under False Pretenses. The revised Rules define “False Pretenses” as “the inducement of a payment by a Person misrepresenting: (a) that Person’s identity, (b) that Person’s association with or authority to act on behalf of another Person, or (c) the ownership of an account to be credited.” This definition is intended to cover common fraud scenarios such as business email compromise, vendor impersonation, and other payee impersonations where the Originator is induced by a third party to authorize an entry. Identifying what is, and what is not, an instance of False Pretenses is nuanced: for example, while a business email compromise or vendor impersonation that induces someone to make a payment to a fraudster would constitute False Pretenses, a corporate account takeover, or a payment intentionally made to a legitimate Receiver who then uses the funds for something other than the Originator’s intended purpose, would not. RDFIs will need to review their internal policies and procedures with respect to monitoring potential unauthorized credits and credits initiated under False Pretenses.

Risk Management Topic: Additional Funds Availability Exceptions
Key Takeaways: An RDFI may, but is not required to, delay funds availability (subject to applicable law, including Regulation CC) if it suspects the credit was originated under False Pretenses, not only if it was unauthorized.
Effective Date: October 1, 2024

3. Timing of Written Statements of Unauthorized Debit (“WSUDs”) and Prompt Return of Unauthorized Debits. The existing Rules require that an RDFI receive a WSUD from a consumer on or after the Settlement Date (as defined in the Rules) of an unauthorized debit in order to return it as unauthorized. However, technological developments have created an environment in which a Receiver may become aware of a pending unauthorized debit before its actual Settlement Date. The new revisions to the Rules allow more flexibility in the timing of a consumer’s completion of a WSUD. The existing Rules were also silent as to exactly how quickly an RDFI was required to act on a WSUD it received from a consumer Receiver; they merely required that entries returned as unauthorized be transmitted to the ODFI within a certain timeframe. Now, RDFIs must return such unauthorized entries no later than the opening of business on the sixth (6th) banking day following the completion of their review of the Receiver’s signed WSUD. The revisions related to consumer WSUDs and unauthorized debits are designed to allow Receivers and RDFIs to respond more quickly to potential unauthorized debits, thus mitigating the risk of additional fraudulent transactions and helping make the affected parties whole more quickly. RDFIs will need to review their internal policies and procedures associated with the handling of WSUDs and the return of entries as unauthorized.

Risk Management Topic: Timing of WSUDs
Key Takeaways: WSUDs may be completed by a consumer Receiver on or after the date on which the entry is presented to the Receiver, even if that is prior to the debit posting to their account.
Effective Date: October 1, 2024

Risk Management Topic: Prompt Return of Unauthorized Debits
Key Takeaways: An RDFI must return a consumer Receiver’s unauthorized debit for which it has received a WSUD no later than the 6th banking day following the completion of the RDFI’s review of the completed WSUD, but in no case later than the 60th calendar day following the settlement date of the original debit.
Effective Date: October 1, 2024

4. Fraud Monitoring by Non-Consumer Originators, Third-Party Senders, Third-Party Service Providers, and ODFIs. The current Rules require non-consumer Originators to, among other things, use commercially reasonable fraudulent transaction detection systems when originating WEB debits and when originating Micro-Entries. However, there was no corresponding requirement for other SEC codes or for credits other than Micro-Entries. The revised Rules will require non-consumer Originators and ODFIs, as well as Third-Party Senders and Third-Party Service Providers (as each is defined in the Rules), to develop risk-based policies and procedures to identify fraudulent transactions more broadly. Importantly, a risk-based analysis cannot be used to conclude that no monitoring is needed on a going-forward basis. All non-consumer Originators, Third-Party Senders, Third-Party Service Providers, and ODFIs should, at a minimum, conduct risk assessments to identify, qualify, and quantify the risks they face. All impacted parties should also evaluate their current policies and procedures, update them accordingly, and continue to review them annually, updating as needed.

Risk Management Topic: Fraud Monitoring by Non-Consumer Originators, Third-Party Senders, Third-Party Service Providers, and ODFIs
Key Takeaways: Non-Consumer Originators, Third-Party Senders, Third-Party Service Providers, and ODFIs must implement fraud detection systems to detect and prevent fraud for both debits and credits in general, including:
  (a) establishing and implementing risk-based processes and procedures, relevant to the role the party plays in the authorization or transmission of entries, that are reasonably intended to identify entries suspected of being unauthorized or authorized under False Pretenses; and
  (b) reviewing such processes and procedures at least annually and making appropriate updates to address evolving risks.
Effective Date:
  Phase 1 – March 20, 2026: All ODFIs and those Third-Party Senders, Third-Party Service Providers, and non-consumer Originators whose annual origination volume in 2023 exceeded 6 million entries will need to have these processes in place.
  Phase 2 – June 19, 2026: All other Third-Party Senders, Third-Party Service Providers, and non-consumer Originators will need to be compliant with the new Rule.

5. Credit Monitoring by RDFIs. Historically, the onus has been on Originators and ODFIs to safeguard against fraudulent credit entries entering the ACH network, with RDFIs largely omitted from that responsibility. However, RDFIs are uniquely positioned to recognize when a Receiver’s account is receiving atypical credit entries (for example, relative to the account’s typical balance or the age of the account). Thus, under the revised Rules, RDFIs will now be required to establish and implement processes and procedures to help identify and mitigate fraudulent credit entries. RDFIs should update their internal policies and procedures to include this new monitoring obligation and should ensure staff are appropriately trained to perform whatever monitoring the RDFI decides to implement.

Risk Management Topic: RDFI ACH Credit Monitoring
Key Takeaways: RDFIs will need to implement processes and procedures to identify unauthorized credit entries as well as credit entries initiated under False Pretenses, and to annually review those processes and procedures and make any indicated updates. The addition of this monitoring responsibility does not modify or supersede the ODFI’s warranty that the entries it introduces to the network are authorized, nor does it reallocate liability between ODFIs and RDFIs.
Effective Date:
  Phase 1 – March 20, 2026: RDFIs whose receipt volume exceeded 10 million entries in 2023 will need to be compliant with the new Rule.
  Phase 2 – June 19, 2026: All other RDFIs will need to be compliant with the new Rule.

6. Standard Company Entry Descriptions: PAYROLL and PURCHASE. The Company Entry Description field of ACH files already exists under the Rules; it is a 10-character field used to identify batches containing certain types of entries, including reversals (“REVERSAL”) and reinitiated entries (“RETRY PYMT”). The new updates to the Rules will require non-consumer Originators, ODFIs, Third-Party Senders, and Third-Party Service Providers to also use two new Company Entry Descriptions: (a) PPD credits for the payment of wages or other similar compensation must include the Company Entry Description “PAYROLL”; and (b) e-commerce purchases, which are debits authorized by a consumer online for the online purchase of goods, must include the Company Entry Description “PURCHASE.” The goal in adding these qualifiers is to help all network participants more readily identify, and monitor, transaction types that are frequently associated with fraudulent transactions. Non-consumer Originators, ODFIs, Third-Party Senders, and Third-Party Service Providers (as applicable) will need to ensure they are categorizing their payments and using these new Company Entry Descriptions when creating their files.

Risk Management Topic: Standard Company Entry Descriptions
Key Takeaways: Certain transactions will require the use of PAYROLL and PURCHASE in the Company Entry Description field of the ACH file.
Effective Date: March 20, 2026, but Originators may begin using these codes prior to the Effective Date.

While the above Risk Management Topics may require substantial changes to the policies and procedures of the affected participants, the overarching result is expected to be a more secure network that is more readily able to stave off, combat, and ultimately remedy fraud.

Please contact us if you have any questions or concerns about how the Risk Management Topics will affect your institution.

For years, “FBO” has been one of the payments industry’s favorite buzzwords. The FBO account structure has been a common “best practice” among payments providers seeking to remove themselves from the flow of funds and thereby reduce their risk of being regulated as a money transmitter. As a foundational matter, FBO accounts are merely custodial depository accounts maintained at financial institutions and established “for the benefit of” (FBO) the intended beneficiaries of the funds in the accounts. The structures of such accounts can vary. Typically, in the payments space, these accounts are structured to be bank-owned and held for the benefit of the payments provider’s customer (often a merchant or sub-merchant), rather than for the payments provider itself, to maximize the protections afforded by removing the payments provider from the flow of funds. Under this model, the payments provider can instruct the bank to move funds in and out of the FBO account as authorized by the payments provider’s customer, without ever taking actual possession or control of the funds.

While this structure remains foundational to countless arrangements between banks and their fintech partners, the risks created by the misuse of this structure have led the Federal Deposit Insurance Corporation (FDIC) to issue a proposed rule that would impose extensive requirements on FDIC-insured depository institutions (IDIs) with respect to “custodial deposit accounts with transactional features” – FBO accounts included. This proposed rule comes amid heightened scrutiny of bank and fintech arrangements by the federal banking regulators. The requirements set forth in this proposed rule would not only impact IDIs but would also have a substantial impact on payments providers whose business models and operations rely upon the availability of these types of account structures.

The proposed rule is complex and technical. So, we’ve boiled down the basics here in an FAQ format to demystify the implications this proposed rule would have on the payments industry.

Q: What prompted the proposed rule?

A: The proposed rule was ultimately prompted by consumer confusion about whether funds placed with IDIs through arrangements with non-bank payments providers qualify for FDIC protection, and by concern about consumers’ ability to access and recover such funds. In particular, the FDIC cites the bankruptcy of Synapse Financial Technologies, Inc. (Synapse), a technology company that worked with several IDIs and numerous fintechs. The Synapse bankruptcy affected consumers’ ability to access funds placed at IDIs in FBO and custodial accounts for a number of months. In some instances, it had been advertised that the funds were FDIC insured. Following the bankruptcy, the IDIs holding customer funds had difficulty obtaining, reviewing, and reconciling Synapse’s records to determine the ownership of those funds. This caused significant harm to many customers who were unable to receive funds needed to cover daily expenses.

The Synapse bankruptcy was just one prime example provided by the FDIC. It highlighted that the use of “custodial accounts with transactional features” presents significant hurdles and corresponding delays in the FDIC’s ability to make deposit insurance determinations. In recent months, the FDIC has taken action against a number of IDIs seeking to address concerns related to bank/fintech partnerships and now seeks to address the issues it has identified consistently among all IDIs through the proposed rule.

Q: What are the FDIC’s objectives and intentions for the proposed rule?

A: The FDIC seeks to:

  • Strengthen IDI recordkeeping requirements for “custodial deposit accounts with transactional features” (which includes FBO accounts);
  • Preserve beneficial owners’ and depositors’ entitlement to the protections afforded by federal deposit insurance;
  • Promote the FDIC’s ability to promptly make deposit insurance determinations;
  • Enable the FDIC to pay deposit insurance claims “as soon as possible” in the event of a failure of an IDI holding custodial accounts with transactional features; and
  • Promote timely access to funds (even in the absence of an IDI failure).

Q: Who does the proposed rule apply to?

A: The proposed rule directly applies to all IDIs, regardless of size, that offer custodial accounts with transactional features (subject to exemptions for specific types of custodial accounts). The proposed rule would apply regardless of how many custodial accounts with transactional features are held at the IDI and regardless of how many beneficial owners’ funds are held within such accounts. The FDIC seeks comment on whether there should be a minimum threshold for applying the requirements of the proposed rule.

If made final, fintechs and other non-bank payments providers will be impacted through the operational and contractual changes in their relationships with IDI partners that the proposed rule will require.

Q: What is a “custodial deposit account” under the proposed rule?

A: A “custodial deposit account” for purposes of the proposed rule is a relationship where one party is responsible for opening a deposit account at an IDI on behalf of others who may own the funds but do not have a direct relationship with the bank.

Q: What are “custodial accounts with transactional features” under the proposed rule?

A: A deposit account that:

  • Is established for the benefit of beneficial owner(s);
  • Holds commingled deposits of multiple beneficial owners; and
  • Allows the beneficial owner(s) to authorize or direct a transfer from the account to a party other than the account holder or the beneficial owner(s) (e.g., to make a purchase or pay a bill).

If funds in the custodial account are only returned to either the beneficial owner or the account holder, and would not be transferred to third parties, the account would fall outside the scope of the types of accounts covered by the proposed rule. However, the FDIC questions whether it should apply the proposed rule’s recordkeeping requirements to all custodial deposit accounts, and not just those with “transactional features.”

Q: How does the proposed rule differentiate between a “beneficial owner” and an “account holder”?

A: A “beneficial owner” would be defined as “a person or entity that owns, under applicable law, the funds in a custodial account.” An “account holder” would be “the person or entity who opens or establishes a custodial account with transactional features with an insured depository institution.” So, in the case of a fintech or other non-bank payments provider that establishes an account at an IDI for the benefit of its customers, even if the account is titled in the name of the IDI itself for the benefit of the fintech’s customers, the fintech would be the “account holder” under the proposed rule because it contracted with the IDI to establish the account.

Q: What types of custodial deposit accounts are exempt from the rule?

A: The proposed rule exempts certain custodial deposit accounts that already have stringent recordkeeping requirements under applicable law, including custodial deposit accounts which are:

  • Only used to hold trust deposits;
  • Established by government depositors, such as accounts maintained for the payment of government benefits;
  • Established by brokers or dealers under the Securities Exchange Act of 1934, and investment advisers under the Investment Advisers Act of 1940;
  • Established by attorneys or law firms on behalf of clients, commonly known as interest on lawyers trust accounts (IOLTA accounts);
  • Used in connection with employee benefit plans and retirement plans;
  • Maintained by real estate brokers, real estate agents, title companies, and qualified intermediaries under the Internal Revenue Code;
  • Maintained by mortgage servicers in a custodial or other fiduciary capacity;
  • Protected by applicable federal or state law prohibiting the disclosure of the identities of the beneficial owners of the deposits;
  • Maintained by virtue of agreements to allocate/distribute deposits among participating IDIs in a network for purposes other than payment transactions of customers of the IDI or participating IDIs; or
  • Used to hold security deposits tied to property owners for a homeownership, condominium, or other similar housing association governed by state law, and accounts holding security deposits tied to residential or commercial leasehold interests.

The FDIC invites comments on whether there are other categories of custodial deposit accounts that should be exempt from the proposed rule.

Q: Can IDIs still contract with third parties to maintain the beneficial ownership records relating to the custodial account?

A: Yes, an IDI would still be able to contract with a third party (such as a vendor, processor, software or service provider, or similar entity), provided that enhanced requirements are satisfied. These include:

  • The IDI having direct, continuous and unrestricted access to the beneficial owner records maintained by the third party, including in the event of the business interruption, insolvency or bankruptcy of the third party;
  • The IDI having a business continuity plan in place, including backup recordkeeping for the required beneficial ownership records and technical capabilities to ensure compliance with the proposal’s requirements;
  • The IDI implementing appropriate internal controls to:
    (a) accurately determine the respective beneficial ownership interests associated with the custodial deposit account with transactional features; and
    (b) conduct reconciliations against the beneficial ownership records no less frequently than the close of business daily;

  • Annually validating the third party’s records, where such validation is performed by persons or entities independent of the third party, in order to assess and verify that the third party is maintaining accurate and complete records consistent with the proposal’s provisions;
  • The third party maintaining the records in a specific electronic file format (as must the IDI if it maintains the records itself); and
  • The IDI having a direct contractual relationship with the third party that includes risk mitigation measures.

The additional requirements are intended to promote the integrity of the records and ensure that the IDI has continued access.

Q: What actions would IDIs need to take if the proposed rule is adopted?

A: The proposed rule would require that IDIs holding custodial accounts with transactional features implement the following:

  • Recordkeeping. Maintain records relating to the account using a specific file format. The records would need to identify:
    • The beneficial owners of the custodial account;
    • The balance attributable to each beneficial owner; and
    • The ownership category in which the beneficial owner holds the deposited funds.

Records would also need to be maintained in a specific electronic file format with required fields for records of beneficial owners and their interests in the deposited funds. The specific format is described in Appendix A of the proposed rule.

  • Internal Controls. Implement and maintain internal controls to ensure that account balances are accurate. Such internal controls should be tailored to the individual IDI based on its unique circumstances, including its size and the scope of its risk appetite, but must include:
    • Maintaining accurate account balances, including the respective individual beneficial ownership interests associated with the custodial deposit account; and
    • Reconciling account balances against beneficial ownership records no less frequently than as of the close of business daily.
  • Written Policies and Procedures. Establish written policies and procedures to achieve compliance with the proposed rule’s requirements.
  • Annual Certification and Report. Annually complete and submit to the FDIC and to the IDI’s primary regulator:
    • A certification confirming the institution’s compliance with, and testing of, the proposed requirements; and
    • A report that:
      • Describes material changes to information technology systems relevant to compliance with the rule;
      • Lists account holders that maintain custodial deposit accounts with transactional features, the total balance of the custodial deposit accounts and the total number of beneficial owners;
      • Sets forth the results of the institution’s testing of its recordkeeping requirements; and
      • Provides the results of independent validation of any records maintained by third parties.
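The daily reconciliation control above is the one requirement that is mechanical enough to illustrate. The following Python sketch is an added example and is not part of the proposed rule, its Appendix A file format, or any FDIC guidance; the record field names (`owner_id`, `category`, `balance`), the sample records and the ledger balance are constructed for illustration. It reconciles the IDI's ledger balance for a custodial account against the per-beneficial-owner records a third party would supply, subtotals by ownership category, and flags the record defects that make a reconciliation unreliable (missing fields, duplicate owner/category pairs, unparseable or negative balances, sub-cent amounts) rather than silently summing past them.

```python
from collections import defaultdict
from decimal import Decimal, InvalidOperation

# Assumed field names for illustration only; the proposed rule's Appendix A
# defines the actual required fields and electronic file format.
REQUIRED_FIELDS = ("owner_id", "category", "balance")
CENT = Decimal("0.01")


def reconcile(ledger_balance, records):
    """Reconcile a custodial account's ledger balance against per-owner records.

    ledger_balance: Decimal balance of the custodial account on the IDI's books.
    records: iterable of dicts, one per beneficial owner per ownership category.

    Returns a dict with per-category subtotals, the computed total, the
    difference against the ledger, a list of findings, and a 'reconciled'
    flag that is True only when there are no findings at all.
    """
    findings = []
    subtotals = defaultdict(Decimal)
    seen = set()
    total = Decimal("0")

    for i, rec in enumerate(records):
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            findings.append(f"record {i}: missing fields {missing}")
            continue  # cannot attribute this balance to anyone; excluded from total

        key = (rec["owner_id"], rec["category"])
        if key in seen:
            findings.append(f"record {i}: duplicate owner/category {key}")
            continue  # counting it again would overstate the owner's interest
        seen.add(key)

        try:
            bal = Decimal(str(rec["balance"]))
        except InvalidOperation:
            findings.append(f"record {i}: unparseable balance {rec['balance']!r}")
            continue
        if bal != bal.quantize(CENT):
            findings.append(f"record {i}: balance {bal} is not a whole number of cents")
        if bal < 0:
            # A negative beneficial interest is a data error; it is flagged but
            # still summed so the out-of-balance amount is visible in the report.
            findings.append(f"record {i}: negative balance {bal} for {key}")

        subtotals[rec["category"]] += bal
        total += bal

    difference = total - ledger_balance
    if difference != 0:
        findings.append(f"out of balance: records total {total}, ledger {ledger_balance}, "
                        f"difference {difference}")

    return {
        "subtotals": dict(subtotals),
        "total": total,
        "ledger": ledger_balance,
        "difference": difference,
        "findings": findings,
        "reconciled": not findings,
    }


# Constructed sample data: three beneficial owners whose interests sum to the ledger.
SAMPLE_LEDGER = Decimal("2500.00")
SAMPLE_RECORDS = [
    {"owner_id": "C-1001", "category": "single", "balance": "1500.25"},
    {"owner_id": "C-1002", "category": "single", "balance": "250.00"},
    {"owner_id": "C-1003", "category": "joint", "balance": "749.75"},
]


def demo():
    """Run the close-of-business check on the constructed sample and return the report."""
    return reconcile(SAMPLE_LEDGER, SAMPLE_RECORDS)


if __name__ == "__main__":
    report = demo()
    print("reconciled" if report["reconciled"] else "NOT reconciled")
    for line in report["findings"]:
        print(" -", line)
```

In practice the ledger figure and the third party's file would be pulled independently (the IDI's core system on one side, the partner's records on the other), and a non-empty findings list would be escalated the same day rather than carried into the next reconciliation; the per-category subtotals are kept because deposit insurance coverage is assessed per ownership category, not per account.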

As a result of actions required by the proposed rule, the IDI would also need to review and update its contracts with its existing fintech partners.

Q: What happens if an IDI does not comply with the proposed rule, if adopted?

A: IDIs would be subject to examination by their primary federal regulator and enforcement actions for failures to comply that could result in cease-and-desist orders and civil money penalties. 

Q: What does the proposed rule mean for the IDIs’ non-bank partners?

A: Fintechs and other non-bank partners that contract with IDIs and assume the recordkeeping responsibilities of the IDI will need to provide the IDI with additional and continuous access to records and submit to review and verification by an outside, independent entity on an annual basis. IDIs will increase scrutiny of fintechs and other non-bank partners and make these types of accounts available to fewer, well-established fintech and non-bank partners. The costs associated with these account types will also likely increase.

Q: Would the rule apply retroactively to FBO accounts that were established before the proposed rule became effective?

A: Yes. The proposed rule would apply to custodial deposit accounts with transactional features regardless of when the account was established (before or after the proposed rule’s effective date). Thus, current agreements between IDIs and their fintech partners with respect to these types of accounts would need to be updated accordingly.

Q: What should IDIs do now in anticipation of the proposed rule becoming final?

A: IDIs can prepare by:

  • Reviewing the nature of their relationships with non-bank companies to determine whether such non-bank companies have custodial deposit accounts at the IDIs that fall under the scope of the proposed rule;
  • Analyzing the anticipated costs and benefits of accepting and maintaining custodial deposit account relationships with non-bank companies if the proposed rule is adopted;
  • Investigating the technical requirements of having data transmitted from account holders in the format required by the proposed rule;
  • Developing a recordkeeping system for maintaining required data;
  • Assessing capabilities of existing platforms or core processing systems to satisfy the requirements of the proposed rule;
  • Developing or procuring data interface systems, where necessary;
  • Submitting comments to the proposed rule, if desired, before the deadline;
  • Collecting agreements with third parties in anticipation of updating obligations and responsibilities if the proposed rule is adopted; and
  • Identifying which existing policies and procedures may be impacted.

Q: What should IDI partners do now in anticipation of the proposed rule becoming final?

A: IDI partners relying on FBO accounts at IDIs should:

  • Consider whether to submit a response to the proposed rule;
  • Identify any gaps between current operations, processes, and technical capabilities against the requirements of the proposed rule;
  • Evaluate existing internal systems, policies or procedures; and
  • Review business arrangements with other partners and fintechs.

Q: What is the future of FBO Accounts?

A: Regardless of whether this proposed rule becomes final, we can anticipate that there will be changes to FBO and custodial account models given recent events that put a magnifying glass on risks that can arise. While there will certainly be more hoops to jump through for many of the FBO account structures in use today, if the rule becomes final, the use of FBO and custodial accounts in IDI and fintech relationships will still be viable. However, we can reasonably anticipate that as the regulators increase scrutiny of these account structures (and bank-fintech arrangements, generally), IDIs will follow suit and further limit the availability of these products and increase costs to fintech partners as part of their own risk mitigation.

Q: What does this proposed rule mean for you?

A: Whether you are an IDI, fintech, or non-bank payments provider that leverages an FBO or custodial account as part of your operations, this proposed rule will have significant impact on you if made final. If you would like to understand the impact to your specific operations or if you are looking for guidance on the comment letter process, please reach out to a member of Taft’s Paytech and Payment Systems Team directly.

This week, New York’s new surcharging law went into effect, replacing the prior surcharge ban which had been attacked at the U.S. Supreme Court (as discussed here). The old law was simply a wholesale ban on credit card surcharges, although since being reinterpreted by the New York Court of Appeals in 2018, it has not been enforced categorically. The new statutory language appears to be an attempt to codify the Court of Appeals’ interpretation under which surcharge programs are permitted so long as certain disclosures are made. Even the law’s title has been changed from the harsh “Credit Card Surcharge Prohibited” to the more reasonable sounding “Credit Card Surcharge Notice Requirement.” But do not be deceived by the seemingly innocuous updates. Merchants have begun to worry about the amendments and their concerns appear to be justified, particularly in light of regulatory guidance published this week by the New York Department of State (NYDOS), Consumer Protection division. The NYDOS’s Credit Card Surcharge Guidance goes far beyond current industry standards, prohibiting surcharge practices that the card brands and other regulators sanction and deem compliant.

Under the new law effective as of February 11, 2024, any seller in any sales transaction imposing a surcharge on a customer who elects to use a credit card in lieu of payment by cash, check, or similar means shall clearly and conspicuously post the total price for using a credit card in such transaction, inclusive of surcharge. Furthermore, any such surcharge may “not exceed the amount of the surcharge charged to the business by the credit card company for such credit card use.”  That provision itself is vague as merchants are not charged “surcharges” by credit card companies for credit card use.  In any event, the law continues by stating: “The final sales price of any such sales transaction, inclusive of such surcharge, shall not amount to a price greater than the posted price for such sales transaction.”

The statute expressly states that merchants are not prohibited from offering a “two-tier pricing system,” described as “the tagging or posting of two different prices in which the credit card price, inclusive of any surcharge, is posted alongside the cash price.” The problem with this formulation—and with the NYDOS’s guidance on implementation—is that it treats dual pricing as a permitted way to do surcharging rather than how dual pricing is generally understood (including by the card brands), in the context of cash discounting.

In short, the statute conflates surcharges with the generally understood cash discount model. To be clear: although the law purports to permit surcharges in certain circumstances with the proper disclosures, New York’s surcharge law does not permit the charging of surcharges as that term is commonly understood in the payments industry. And what it does allow as a permissible “surcharge” (i.e., posting the highest credit card price and offering a discount or utilizing a dual pricing model) is not really a surcharge at all, but is what is generally recognized as permitted under the cash discount rubric, independent of any surcharge regulation.

Under Visa and Mastercard rules, if a merchant wishes to implement a traditional surcharge, among other requirements, the merchant must clearly and prominently disclose the fee with signage at the point of entry and point of sale, and list the surcharge as a separate line item on the receipt. However, these actions are now explicitly labeled as “ILLEGAL” in the flyers included with the NYDOS guidance (available here and here). Similarly, posting a sign identifying a surcharge percentage amount to be added to the cost of the good/service (a practice generally recognized as compliant by the card brands) is touted as “ILLEGAL” by NYDOS. The guidance is clear that the only way to comply with the new NY surcharge law is to list or post the HIGHER credit card price inclusive of the surcharge in dollars and cents alongside a posted discount for cash purchase. This throws into question the ability of merchants operating in New York to comply with both the card brands’ rules on surcharging and NY’s new surcharging law, and certainly creates operational challenges for merchants that have built technology and systems around traditional surcharging practices.

Another consequence of conflating surcharges and cash discounts in New York is that it potentially opens up true (and otherwise compliant) cash discount programs and dual price models (which have historically not been subject to the rules and laws governing surcharges) to being regulated as a surcharge. Contrast New York’s guidance with Visa’s position that a discounted cash or debit price that is clearly displayed next to the higher credit price does not constitute an additional fee or surcharge that is removed when the customer pays with cash or a debit card. Yet, the New York law describes the difference between two prices presented on equal footing as “inclusive of any surcharge.” An aggressive reading of the surcharge law may allow regulators to subject these two-tier pricing systems to the limitations now applicable to surcharges in New York.

The penalty for violating New York’s surcharging law can be steep and includes liability for a civil penalty of up to $500 for each violation. Significantly, the enforcement mechanisms have also changed, as the law can now be enforced concurrently by the director or commissioner of a municipal consumer affairs office, or by the town attorney, city corporation counsel, or other lawful designee of a municipality or local government. What’s more, all monies collected from such enforcement will be retained by the municipality or local government, which incentivizes local governments to police surcharge compliance (including in borderline cases or where there are questions regarding interpretation). For many merchants, business as usual could quickly lead to unwanted attention from state regulators or local and municipal governments.

Several years ago the Supreme Court’s favorable opinion regarding the merchant challenge to New York’s anti-surcharge law kicked off a series of lawsuits nationwide in which lower federal courts stepped in to invalidate similar surcharge bans in other states. This, in turn, led the attorneys general and consumer protection agencies of other states to preemptively cease enforcement of their own state surcharge bans even if the law remained on the books. Based on these events, Visa removed the majority of states (New York included) from its list of states where surcharging is prohibited. However, in light of the new surcharging law and the guidance issued this week, it seems that “surcharging,” as that practice is understood and generally implemented across the payments industry, is once again prohibited in New York. Merchants implementing surcharge and cash discount programs in New York should reevaluate their programs in light of the new law and guidance.

As a corporation that handles ACH transactions on behalf of others, you may have heard your financial institution refer to you as a “Third-Party Sender.” Common examples of Third-Party Senders include payroll processing companies, rent payment companies, and other bill pay providers. If an entity is designated as a Third-Party Sender, it is subject to certain duties under the Nacha Operating Rules (“ACH Rules”), such as the requirements to have an annual ACH Audit conducted and to enter into specific agreements with its clients (the “Originators”). Continue Reading Third-Party Senders: Are you a Money Transmitter?

On January 19, 2021, FinCEN and several federal banking regulators (the Federal Reserve, the FDIC, NCUA, and the OCC) jointly issued answers to several frequently asked questions (FAQs) regarding suspicious activity reports (SARs) and other anti-money laundering (AML) considerations for financial institutions covered by SAR rules. As used below, the term “financial institution” includes money services businesses.

Importantly, the FAQs do not alter existing BSA/AML legal or regulatory requirements, nor do they establish new supervisory expectations.  Instead, they are intended to clarify the regulatory requirements related to SARs to assist financial institutions with their compliance obligations. Continue Reading New Joint Regulatory FAQs Regarding Suspicious Activity Reporting and other AML Considerations

The commercial slowdown wrought by the global pandemic COVID-19 has left many in the payments industry wondering how the virus will affect their existing processing agreements. Depending on which side of an agreement you are on, you may be worried about breaching your contractual obligations or about the other party not being able to perform its end of the agreement. Likewise, you may be looking for a way to get out of the contract without being in breach, or, alternatively, nervous that COVID-19 will present an opportunity for the other side to legally terminate. Continue Reading Payment Processing Contracts and COVID-19

In light of the significant increase in chargebacks resulting from COVID-19, Visa, Mastercard and American Express recently issued guidance to assist acquirers, issuers, and merchants in navigating the dispute process. Below is a summary of that guidance. Visa On March 27, 2020, Visa released a bulletin titled “Managing Disputes Through COVID-19: Programs, Best Practices and FAQs to Help Clients” in which it provides guidance about managing and responding to disputes as a result of COVID-19. Continue Reading Card Brand Guidance for Managing COVID-19 Related Chargebacks

The Taft Paytech & Payment Systems team has prepared the following tips for ISOs, processors, payment facilitators, ISVs, money services businesses, and banks in light of COVID-19 developments.

  • Review Termination Rights and Implications. Contracts often include a force majeure clause that excuses nonperformance when it is caused by unforeseen events beyond the control of the parties. An evaluation of whether the current circumstances qualify as a force majeure event should be conducted. If the contract does not contain such a provision, there may be other remedies if you are unable to perform. Continue Reading Legal Impacts of COVID-19 on the Payments Industry

As of January 1, 2020, the California Consumer Privacy Act (CCPA) is now in effect. As we explained here, the CCPA imposes requirements on merchants and payment processors to protect personal information of California residents.

Enforcement of the law does not begin until July 1, 2020, which is good because the regulations interpreting the law have not even been finalized yet. The draft regulations, published this past October by California’s Attorney General, propose rules relating to consumer disclosures, processing consumer requests, and other implementation details. Final rules will be issued before the July 1, 2020 enforcement date. Continue Reading California Consumer Privacy Act (CCPA) Goes into Effect