LendUp, an online startup based in San Francisco, launched in late 2012 with a whole new model for a financial business. Pitching itself as something between a short-term lender and a credit-improvement service for people with bad or no credit history, it offered small-dollar loans on the promise that borrowers could improve their credit scores by paying them back on time and taking online financial education courses. Compliant borrowers would get progressively better terms on their loans, and eventually become eligible for LendUp to send their credit information and payment history to credit agencies.
At least, that’s how it was supposed to work. On Tuesday, the Consumer Financial Protection Bureau leveled a $3.63 million fine against LendUp’s parent company, Flurish, arguing that, among other infractions, LendUp collected data as borrowers repaid their loans but never delivered that information to agencies until February, 2014. California’s Department of Business Oversight fined the company an additional $2.68 million in a separate but concurrent settlement.
The CFPB’s enforcement action was its first against a new breed of lenders, known as financial technology lending startups, that are eager to blow up the stodgy old banking business, forging quick and easy connections with customers, and in the process re-imagining what the financial sector could look like. Consumers are flocking to lenders that promise quick mortgages over an iPhone; banks, intrigued, are looking at technology themselves, and in some cases partnering with the new firms to help them find clients.
As LendUp suggests, this fast-growing industry offers some intriguing new promises—and also poses totally new risks. Mingling credit improvement with small lending is a novel idea that really could work, and provides a service that under-served borrowers don’t get from either their local banks or predatory “payday lenders.” But it also opens the door for new kinds of trouble that you wouldn’t encounter at a bank. (LendUp bills itself as an alternative to payday lending, although its APRs can approach those of traditional payday lenders.) The company, which received a new round of $150 million in venture funding in January, says the CFPB complaint was based on problems from its early days in 2012 and 2013. “In those days we didn't have a fully built out compliance department,” the company said in an apologetic statement. “We should have.”
Online lending is just one corner of a whole new world of tech-driven financial businesses often lumped together under the shorthand term “fintech.” And as fintech grows, transforming lending, payments, and even money management, it's raising a huge question for Washington: how the nation's banking laws, which reach back decades or more, can keep up with a business changing so fast that even people who use it haven’t yet heard its name. “Most of the consumer protection fair credit laws were written in the 1970s, in the age of punch-card computers—and trying to apply them into a world of iPhone and wearable technology and Big Data is very challenging,” said Aaron Klein, a fellow at the Brookings Institution who previously worked in the Treasury Department. “There are serious gaps forming in how our consumer protection laws work.”
The total value of loans financed through online fintech lending range from $20 billion to nearly $40 billion in 2015, up from just a few billion dollars in 2013 and could hit $90 billion by 2020, according to one recent estimate. That would be a 300 percent increase in just five years. On the upside, experts think it has huge potential to make lending quicker and more open, making more money available to more people who need it. Lenders also say they’ll better be able to reach historically underserved borrowers—the type of customers who'd ordinarily turn to high-interest payday lenders. On the downside, consumer advocates and regulators are already warning that the unusual new structures of fintech companies could enable them to skirt the important rules that prevent discriminatory and unfair lending. They worry that algorithms could invisibly “redline” homeowners in the wrong neighborhoods; that small businesses could be hurt; and personal data restricted.
Complicating the problem, the regulators minding this store work in an alphabet soup of at least 10 federal agencies, along with another 50-plus state and territorial regulators and industry self-regulatory bodies. In an era when a man in Maine can quickly receive a $1,000 loan from a website like Lending Club through its bank affiliate in Utah, just determining who has jurisdiction over a transaction is challenging. It’s harder still for the thousands of fintech startups themselves, many of which are small and inexperienced in regulatory compliance and are looking for clarity. “It takes a lot of effort and resources to ensure compliance with a system that does provide that kind of a patchwork approach,” said Daniel Gorfine, associate general counsel at OnDeck, an online small-business lender.
For now, both sides are still in "learn-and-grow" mode: fintech itself, though expanding fast, remains just a small component of the overall lending industry. In 2015, the two largest online peer-to-peer lenders together originated just over $10 billion in consumer credit, compared with the $3.5 trillion consumer lending market. Regulators, for their part, are moving slowly and deliberately, asking questions and seeking input from interested parties before creating new rules. Even the most skeptical of consumer advocates remains optimistic that fintech will extend credit to historically underserved communities, ultimately helping minorities and boosting the economy. But those benefits will never develop without the proper safeguards in place. The question is how to structure them without suffocating a young industry in the process.
FOR ANYONE WHO'S been frustrated by the sclerotic banking system, fintech has the potential to be a godsend. People who aren't wealthy often lose valuable money and time on simple transactions like cashing checks; people of means have different headaches with payments and money management. Fintech promises to cut through all of that in different ways, revolutionizing how Americans interact with money and make their financial decisions. It has already made huge strides among the tech-savvy young, who use payment apps to transfer money among friends, and may live their lives without ever visiting a physical bank, or signing a check.
The fintech firms that have emerged in the past few years are basically stripping out the different function of big banks and offering them faster and more easily. The popular money site Mint.com offers users a simple tool to manage their money and set budgets. Payment companies like Venmo allow users to immediately transfer money between accounts instead of waiting days for checks to clear. For investors, so-called robo-advisors like Betterment are now competing with traditional financial advisers, while Digit allows its users to automatically save for retirement.
As they expand and proliferate, fintech companies are hitting a regulatory system built to supervise whole banks, not just their parts—and one that is already notorious for being complex and fragmented. Bank-holding companies are regulated by the Federal Reserve, but banks themselves are regulated by the Office of the Comptroller of the Currency, or the Federal Deposit Insurance Corporation, or—in some cases—the Fed itself. Credit unions are yet another matter, and the Securities and Exchange Commission, the Federal Housing Finance Agency, the Federal Trade Commission and state regulators all have roles as well. And, since 2011, there's also the CFPB, the agency created to police the entire system on consumers' behalf. (Though the CFPB now sets all rules relating to consumer protection, enforcement is dispersed among numerous agencies.)
The explosion of new ideas plus a tangle of supervisors has left both sides uneasy, and observers are already foreseeing trouble. “The World Bank has a statistic out that by 2025, every adult in the world will have a bank account in their mobile phone,” said Jo Ann Barefoot, a senior fellow at Harvard University who studies fintech and was the deputy comptroller of the currency from 1978 to 1982. “That's a lot of change. The regulatory system is just not prepared for that even in the U.S., not prepared to guide that in a healthy direction and prevent disastrous problems at the same time.”
What are the hot spots? As fintech grows, a handful of areas of concern have emerged—holes where new firms can easily slip through existing safety nets. Three areas in particular have stood out: lending discrimination against consumers; disclosure requirements for small businesses, which tend to be vulnerable and in need of cash; and the sharing of consumer data – which fuels whole swaths of the industry, but is proving hard to manage well.
Discrimination
As Americans began buying billions of dollars worth of goods on credit in the 1950s and 1960s, driving a new and faster consumer economy, Congress realized lending was fraught with discrimination: mortgage lenders would often discount a wife’s earnings by 50 percent or more, for instance. In 1974, it passed the Equal Credit Opportunity Act, which prohibits lenders from discriminating against borrowers on the basis of race, gender and other specified characteristics. In 1977, lawmakers passed the Community Reinvestment Act in response to rampant "redlining" against African-American families by mortgage lenders—the systematic denial of mortgages to certain geographic areas based on ethnicity. The CRA imposes an affirmative obligation on banks to meet the credit needs of the communities in which they operate.
While the Equal Credit Opportunity Act applies to all lenders, including those solely in the digital space, the CRA is more limited: it applies only to FDIC-insured banks, and looks at lending geographically, neighborhood by neighborhood. Online lenders, which aren’t insured by the FDIC, aren’t covered. They often use computer algorithms to make decisions, lessening the chance for biased case-by-case decisions—but raising the prospect, according to consumer advocates, of a “black box” problem in which de facto redlining occurs without any human intervention. “Just because we think it’s a computer making the decisions, doesn’t mean that there isn’t hidden bias,” said Jennifer Tescher, president of the Center for Financial Services and Innovation. “Because somewhere along the line a human had to write the code.”
Online lenders, for their part, dismiss these fears about data-driven discrimination, and stress that what they are doing isn’t exactly new: Lenders have long used models and different data sources to assess credit risk. Consumer advocates often cite the use of social media data in underwriting decisions as a cause for concern, such as using a person’s Facebook friends in a credit decision. But people at fintech companies say that consumer advocates have this wrong; that data, they said, are generally not used in the underwriting process, but instead are used for identity verification.
Consumer advocates believe there is an easy but politically challenging fix to these issues: Reform the Community Reinvestment Act so it applies to online lenders. In a speech in September, Thomas Curry, head of the Office of the Comptroller of the Currency, a key banking regulator, broached the idea. It delighted financial reformers; later this year, the OCC is expected to release its proposal for a special charter that allows fintech companies to operate nationally, without the need to partner with a bank or seek charters in every state, and the industry and advocates are both holding their breaths to see what it might include. As POLITICO’s Colin Wilhelm explains, the lobbying war is on for what types of rules will apply to fintechs under this new charter, and consumer advocates are pushing for that charter to include these strong anti-discrimination statutes. “That could be a game-changer,” said Klein of the Brookings Institution.
Small-business lending
Traditionally, small businesses have fallen through the cracks of the financial system: Banks don’t like lending them money, since small commercial loans are just as costly to issue as big ones, but much less lucrative. So for capital, they fall back either on a personal credit card or a home equity line of credit. They may also turn to friends or family, or use their own savings.
Enter online lenders: Through automated underwriting and improved credit models, a new breed of tech-driven small-business lenders has emerged since the financial crisis offering small-dollar loans to small businesses. This development excited nearly everyone I spoke with. But almost everyone also agreed that a real gap exists in borrower protections if the borrower is a small business. Karen Mills, the former administrator of the Small Business Administration, and Brayden McCarthy, a former SBA staffer under Mills, pointed out in a much-discussed 2014 paper that many consumer protections don’t apply to small businesses. That includes the Truth in Lending Act, a 1968 law which requires creditors to disclose certain features of consumer credit.
The online small-business lending industry is clearly pocked with problems: A recent Federal Reserve survey found that online small-business lenders had a dismal satisfaction score, far below customers’ satisfaction with large banks, credit unions and small banks. Loan brokers are also increasingly becoming a problem in the small-business lending industry, McCarthy said; these middlemen find new borrowers, who often pay exorbitant fees, and may steer them to loans that are better for the broker than the cash-strapped small business. “We see them as a significant problem,” said Gina Harman, the head of Accion U.S. Network, a nonprofit focusing on improving financial inclusion that has worked with brokers.
Imposing new regulations on the brokerage industry will require an act of Congress. The same goes with extending the Truth in Lending Act to cover small-business lenders. But the CFPB has signaled it wants to improve our understanding of small business lending through Section 1071 of Dodd-Frank, under which the agency can require small-business lenders to collect loan data on women-owned and minority-owned businesses. The CFPB has yet to begin its formal rule-making process on that, but listed it in the spring as part of its upcoming agenda and already lenders are worried that the CFPB will not only collect the data but also use it for enforcement purposes. (When I mentioned that fear to McCarthy, he looked perplexed and said, “Well, I mean, that's the point of the data.”)
In May, the Treasury Department largely sided with consumer advocates when it proposed in a white paper to regulate small-business loans like consumer loans—treating the borrowers, who are often just single-person businesses, more like vulnerable individual consumers than sophisticated corporate clients. That possibility frightens lenders, who believe that small businesses are far more capable of understanding loan terms than individual consumers. Small-business lenders are also collaborating on private-sector efforts to improve transparency through a Small Business Borrowers’ Bill of Rights and other “disclosure boxes,” which allow consumers to easily compare loan products across online lenders.
In the coming years, the battle over the regulation of small-business lending will shift to Congress, where it’s unclear how things will shake out. McCarthy, now the vice president for strategy at Fundera, an online credit marketplace for small businesses, and Mills are set to release a new paper in early October which will contain policy recommendations for regulating online small-business lenders. Both are optimistic about the possibility for technology to pry open the once-forgotten market of small-business lending and deliver fast-turnaround loans with real transparency. Or, as Mills put it, “small-business utopia.”
Consumer data
One of the great potential benefits of fintech also carries its biggest risks: sharing data. Already, money-management tools like Mint are household names and help millions better track their finances. Others like Digit help consumers automatically save money. The accounting website Xero helps small businesses better manage their books. But all of these new products depend on having access to their customers’ financial data. “I can’t stress enough how important it is for not only Xero but for the industry as a whole,” said Ryan Himmel, who joined Xero earlier this year to establish relationships with financial institutions. But right now, the process for consumers and small businesses to share their data with third parties can be cumbersome and even insecure.
Most fintech companies connect to a user’s bank account to retrieve their real-time financial data. They often do so by a surprisingly crude mechanism called “screen-scraping”—literally logging into the user’s bank account and collecting the data displayed on the screen. Far preferable would be a more direct connection through an application programming interface (API) which allows for real-time data transmission. Everyone agrees screen-scraping is an insecure process for transmitting financial data. However, banks claiming security concerns have been slow to allow consumers to share their data with third parties over APIs. This has angered consumer advocates, who believe that data is rightfully owned by the consumers and that banks should have no authority to act as a gatekeeper. “We definitely think the consumer ought to be in control of their information,” said Gerron Levi, the director for policy and government affairs at the National Community Reinvestment Coalition.
However, simply requiring banks to allow consumers to share their data with any third party carries significant liabilities for the bank. If a consumer shares their data with a third party that is hacked and the hacker uses that data in a nefarious way, who is liable? That question has yet to be answered, but everyone I spoke with agreed that banks would likely be at fault. It’s not hard to see why they’d resist opening their systems via an API. “Right now, one could interpret the rules as saying that since these are all third-party providers to banks that banks have the liability all the way through the chain,” said Tescher. Banks are also nervous about sharing their customers’ confidential information.
“First and foremost, the banks’ responsibility is to their customer to keep their funds and personally identifiable information safe,” said Rob Morgan, vice president for emerging technologies at the American Bankers Association. “Any move they do towards this has to be very carefully thought out. If you think of startups, the model is move fast and break things. Frankly, that’s not what I want from my bank.”
There's one agency that does have the authority to force banks to grant consumers access to their financial information: The CFPB, which is empowered by Dodd-Frank to require banks to give consumers access to information on their use of financial products and services, including transaction, account data and usage information. Whether this means the agency can literally force banks to move to an open API system isn't clear: experts I spoke to for the story were uncertain, and the Bureau declined to comment.
If the agency does force banks' hand, the U.S. will still be behind Britain, where financial regulators are already implementing such a policy. It could have wide benefits, ensuring everyone is using the same technology and won't have to negotiate individual agreements between every two firms that want to share data. But experts also said that the U.S. financial system is far more complex than Britain’s and cautioned that a top-down regulatory approach could prove equally, if not more, damaging for the nascent industry.
“The choice that we face is who will be at the table as a standard for access to account-level information is drafted,” said Thomas Brown, a partner at the law firm Paul Hastings. “Will it be drafted in closed sessions by financial institutions for financial institutions? Or will it be developed with additional constituents at the table including developers, consumer groups and regulators?”
THOUGH MANY OF these arguments are taking place behind closed doors, there are signs that Washington is starting to pay more public attention. In March, the OCC put out an 11-page paper on responsible innovation and asked for comments; in May, the Treasury Department published its own 39-page white paper on online lending. The CFPB's Project Catalyst is earning high marks among fintech firms for engaging with the private sector and supporting innovation. The FTC, White House and OCC all held events—some public, some private—on the issue as well, inviting leading experts and innovators to talk about fintech regulation.
In Congress, Rep. Patrick McHenry has been speaking frequently about the industry. And Sens. Sherrod Brown and Jeff Merkley sent a letter in July to the top banking regulators demanding to know how they were addressing the changes in the financial industry—though the letter was chiefly a demand to know what, if anything, was going on.
Few industries welcome the government sniffing around, and indeed some fintech companies are nervous about the potential for new burdensome regulations. But they're also eager for some kind of regulatory clarity. The patchwork nature of financial regulations—a system built over decades to handle big institutional players with a wide mix of banking practices—has been a major challenge to the growth of an industry trying to move at the speed of tech.
“There is a lot of talk to what extent are we going to be regulated,” said Richard Neiman, head of government affairs at Lending Club. “I’d say the current and future regulatory landscape is a net positive for the industry.”
Everyone involved in the fintech world is genuinely excited about its possibilities. Americans can save more money and make more responsible financial decisions. Small businesses can have better access to credit, allowing them to grow and spurring more economic growth. Consumers can get loans quickly without having to go to a high-cost payday lender. The potential benefits are numerous—but they will happen only if policymakers construct the right safeguards to protect consumers and borrowers while not imposing regulations that are too costly for companies. It’s the age-old regulatory problem of finding the right balance. Given the fragmented financial regulatory system that exists right now, many doubt that it is capable of addressing these new challenges in a positive manner.
“We've been trying for decades, for like 40 or 50 years, to promote financial protection and financial inclusion through regulation,” said Barefoot, the senior fellow at Harvard. “And it hasn't worked very well. Suddenly, we have technology that can accomplish both on a scale we never could have imagined — but it will only happen if we regulate it well.”