Should the States or Federal Government Regulate Fintech?

From lending to payment processing, the core functions of banks are increasingly performed by financial technology (fintech) firms. But U.S. law has struggled to accommodate the rise of fintech. To catch up to the market, state and federal officials have undertaken a diverse array of regulatory initiatives. Numerous regulators have relied on the prevailing paradigm of the past century, seeking to extend its already stretched logic into the realm of fintech and exacerbating its many shortcomings in the process. But several regulatory initiatives of the past decade have broken with prior thinking and charted a different path, one that redefines the realm of federal and state government, and promises a legal regime suited to the technological realities of twenty-first century finance.

This emergent paradigm—which I call the New Fintech Federalism in a recent paper forthcoming in the Yale Journal of Law and Technology—constitutes a radical reversal of the prior division of authority between state and federal actors. Through both cooperative and unilateral initiatives, the states are increasingly adopting an entity-based approach rooted in interstate reciprocity that inures the benefits of jurisdictional competition and reduces the costs of redundant mandates. Meanwhile, by focusing on financial activities, the federal government is pursuing a consumer protection framework less prone to arbitrage and a view of prudential risk suited to the fragmentation of fintech.

The Traditional Paradigm and Its Flawed Extensions to Fintech

Activity-Based State Law

            Under longstanding tenets of U.S. financial federalism, the states possess primary legal authority over non-banks like fintech firms. Each state has enacted a different combination of laws regulating a variety of statutorily defined financial activities, including issuing loans (from consumer and payday loans to automobile debt and mortgages), servicing debts, and transmitting money. These statutes require non-banks to acquire a license from the state financial regulator before offering specified services within the state. Because licensing statutes apply only to firms that perform specific financial functions, they embody an activities-based as opposed to entity-based regime.

            In addition to licensing requirements, state laws impose a variety of consumer protection obligations on non-banks. The foremost of these protections are usury limits, which cap the interest rates that lenders can charge. Today, every state has a usury statute, but they vary considerably in their terms.

Finally, states regulate the safety-and-soundness of licensed non-banks. Most significantly, firms typically must post surety bonds with the regulator of each state in which they operate.

The activities-based framework that dominates state regulation of non-banks is no longer viable in the fintech era. Even in isolation, each state’s statutes inflict significant compliance costs on fintech firms—requiring them to determine which of the overlapping licensing laws they fall under, parse exemption-riddled consumer protection codes, and expend scarce capital on surety bonds. Because fintech firms operate online and therefore are inherently cross-jurisdictional, these already severe compliance costs are multiplied many times over as each jurisdiction’s rules are idiosyncratic. While large incumbent firms might possess the resources to satisfy the diverging mandates of state financial regulators, fintech startups are poorly positioned to shoulder this burden given their limited capital. These state laws harm not only fintech firms but also consumers, who are deprived of the benefits of vigorous competition in the financial sector, and the United States as a whole, which suffers from a less innovative and globally competitive economy.

But in recent years, states have intentionally extended the traditional state law framework to fintech firms. The most prominent attempt to repurpose the longstanding levers of state non-bank financial regulation for fintech companies is New York’s BitLicense program. In 2015, the New York Department of Financial Services promulgated a regulation providing: “No Person shall, without a license obtained from the superintendent . . . engage in any Virtual Currency Business Activity.” Accordingly, any fintech firm that receives, stores, or trades cryptocurrencies and does business in New York must comply with the BitLicense regime. Despite the initiative’s sleek branding, the substantive requirements of the BitLicense program are instantly recognizable as a continuation of the traditional activities-based approach: BitLicensees must secure a license, comply with consumer protection rules, and post hefty surety bonds.

Extending the pervasive activities-based approach to fintech firms is undesirable. Although the various aims of state statutes—such as oversight, consumer protection, and safety and soundness—are worthwhile, the territorial application of divergent state laws has produced onerous compliance costs.

Entity-Based Federal Law

The federal approach to financial regulation has traditionally been rooted in entity-based designations. This strategy is most evident in the federal government’s use of preemption, which occurs when federal law overrides contrary state law commands. Congress relied on preemption to create a national market and avoid the morass of differing state laws when it enacted the National Bank Act, a statute that created the Office of the Comptroller of the Currency (OCC) and empowered the new agency to charter national banks. 

As creatures of federal law, national banks are immune from a variety of state laws, most importantly usury restrictions. In the landmark case of Marquette National Bank v. First of Omaha Service Corp. (1978), the Supreme Court unanimously decided that national banks could “export” the usury laws of the state in which they were organized, even when extending loans to debtors in other states. As a result, banks reorganized en masse to states like South Dakota, Utah, and Delaware with minimal usury restrictions.

But this entity-based federal preemption strategy placed fintech firms, which still must comply with usury caps, at a competitive disadvantage. Accordingly, many fintech firms have entered into “rent-a-bank” partnerships with banks, under which the fintech firm underwrites and markets the loan but the bank technically originates it, before quickly selling the loan back to the fintech lender. The result is regulatory arbitrage, since the fintech firms act as the lender in substance but get the formal benefits of bank preemption without the correlative burdens of bank regulation. Rent-a-bank arrangements are troubling because they undermine state consumer financial protection laws and allow banks to push predatory lending activities beyond the limits of the OCC’s oversight.

Rather than address these problems, the OCC attempted to extend entity-based preemption further still through its controversial fintech chartering program. To be eligible, fintech firms had to lend money or process payments. Chartered fintech firms would qualify as banks under the National Bank Act, so they could export interest rates and preempt state licensing laws. Although many commentators decried the OCC’s fintech charter as “unprecedented,” an appreciation of the dominant federal paradigm reveals that this initiative is in fact woefully traditional. The initiative will exacerbate regulatory arbitrage, since chartered fintech firms can engage in rent-seeking by selling their exportation privileges to non-chartered firms, just as banks currently do. As a result, companies even farther from the heartland of strict bank regulation could exploit the benefits of aggressive preemption.

Federal law’s problematic preoccupation with entities instead of activities also defines systemic risk regulation. Following the collapse of large non-banks like AIG and Lehman Brothers, Congress responded by creating a new federal systemic risk regulator: the Financial Stability Oversight Council (FSOC). To police systemic fragility, Congress empowered the FSOC to designate large non-banks as systemically important financial institutions (SIFIs) and subject them to bank-like regulation by the Federal Reserve. But this binary approach to systemic risk overlooks the macroeconomic risks from small, densely interconnected fintech firms. Because fintech firms often specialize in one step in the lending process, they have replaced single banks with a multiplicity of mutually reliant firms. A failure at one of these firms, for example due to a cybersecurity breach, could therefore propagate shocks throughout the fintech ecosystem, threatening the stability of the economy as a whole.

The New Fintech Federalism

   In the past decade, several state and federal initiatives have rejected this longstanding approach in a manner that reduces costs of the prior paradigm. This New Fintech Federalism reverses the core responsibilities of the state and federal governments: states embrace an entity-based regime to structure fintech governance, and the federal government regulates activities in the externality-heavy areas of consumer protection and prudential risk.

Entity-Based, Reciprocal State Law

     Rather than focusing exclusively on intrastate financial activities, state officials have moved towards a framework of reciprocal recognition that allows fintech firms authorized to operate in one state to seamlessly offer services in other jurisdictions. By regulating at the level of mutually acknowledged firms, state initiatives are entity-based in a manner analogous to chartering.

     The first major act of coordination in non-bank regulation was the creation of the Nationwide Mortgage Licensing System (NMLS), a regulatory technology platform that allows examiners to share their findings, thereby reducing information costs and service fees. By 2008, regulators in every state adopted the NMLS. The NMLS was so successful that CSBS renamed it the National Multistate Licensing System and expanded it to money transmitters, consumer lenders, and debt collectors.

     In a further step towards interstate mutuality, officials pioneered the Money Services Business (MSB) Licensing Agreement. This multistate agreement provides that each signatory will accept other signatories’ determinations of key elements in MSBs’ licensing applications, such as the quality of their business plans, cybersecurity infrastructure, and anti-money laundering controls. Today, 29 states have joined the initiative, ranging from major markets like California and Texas to smaller states as divergent as South Dakota and Connecticut. Though each state retains final say over whether to grant an MSB license, the program eliminates the unnecessary repetition of basic investigations by each state regulator and reduces the delays fintech firms experience when applying for licenses in multiple states.

Finally, state officials recently launched a single, comprehensive MSB examination that satisfies supervision requirements in 40 states. Because the program remains in its pilot phase, CSBS offers the examination only to large payment firms. Nevertheless, 13 MSBs have enrolled in the program and a PayPal executive praised the initiative as “transformative.” By extending a single jurisdiction’s authorization across the vast majority of states, the “One Company, One Exam” program represents the closest the United States has ever come to reciprocity in non-bank financial regulation.

A handful of state officials have instead undertaken unilateral measures to achieve reciprocity in fintech regulation. This nascent strategy is most evident in the growing field of cryptocurrency law. The Louisiana Virtual Currency Businesses Act of 2020 largely resembles New York’s BitLicense program, as it requires firms engaged in specified cryptocurrency activities to procure licenses and undergo regular examinations. However, the statute also “authorize[s] reciprocity of licensure” by empowering the state’s Office of Financial Institutions to enter “arrangement[s] between the department and the appropriate licensing agency of another state which permit[s] a licensee operating under a license granted by the other state to engage in virtual currency business activity with or on behalf of a [Louisiana] resident.” Though the statute is still in its earliest days of implementation, Louisiana’s reform represents another legal innovation designed to defy the prevailing approach and create a more unified, entity-based regime for fintech firms.

   Mutual recognition among the states eases the daunting compliance burden on fintech firms, freeing up their scarce startup capital to fund product development and other growth areas. Reducing the barrier to entry posed by inconsistent state laws also bolsters competition in the U.S. financial sector, empowering new entrants to challenge incumbent banks with better products and services.

Finally, reciprocal fintech regulation creates a salutary competition among the states for superior legal regimes to attract fintech charters. As long as externality-intensive activities are policed by the federal government, states can vie for dominance in the domains in which the states are well situated to weigh the full costs and benefits of their rules—namely, governance rules chosen by fintech entrepreneurs seeking to maximize the value of their firms to attract outside capital. This competition provides fertile ground for state experimentation and generates diverse legal solutions to pressing problems.

Activity-Based Federal Law

            Federal officials have demonstrated a growing willingness to regulate financial activities directly, rather than merely the entities that traditionally performed them.

With Dodd-Frank, Congress cut at the very fabric of our financial federalism by federalizing a field long considered the heartland of state authority: consumer financial protection. The Act created the Consumer Financial Protection Bureau (CFPB), which enjoys a distinctively activities-based jurisdiction. Indeed, the CFPB’s authority extends to any entity that “engages in offering or providing a consumer financial product or service.” Businesses as disparate as pawn shops, major financial institutions, and fintech firms fall within the CFPB’s statutory scope.

The CFPB has provided a much-needed backstop against fintech firms’ regulatory arbitrage. In recent years, the CFPB has challenged fintech firms’ partnerships in court, arguing that their attempts to circumvent usury and other state consumer protections violate Dodd-Frank. Policing rent-a-bank arrangements through federal enforcement is commendable because it reduces the rents that a state can earn from cutting consumer protections and externalizing costs onto consumers across the country by enabling banks to “export” its rules nationwide.

In safety and soundness regulations, federal officials have similarly departed from their traditionally exclusive focus on banks, federalizing an area of law long dominated by states. This remarkable shift went almost entirely unnoticed because it arose in the OCC’s otherwise traditional fintech chartering initiative. When announcing the program, the OCC explained that chartered fintech firms would fall under the OCC’s prudential supervision.

Shifting the safety-and-soundness oversight of fintech firms to the federal level is sensible on several fronts. The OCC’s national scope gives it a high-level view of the entire U.S. financial services industry. This wider field of vision and central vantage point make the OCC an ideal nerve center for a field as evolving and uncertain as fintech prudential regulation. The OCC has also developed sophisticated tools for assessing safety and soundness that it can deploy in this new arena. By contrast, state governments have overwhelmingly resorted to the brute force tactic of bond-posting requirements. Finally, establishing prudential requirements at the federal level prevents state officials from externalizing the risks of fintech firms’ failures onto the rest of the country. Safety-and-soundness rules are rife with spillovers, since a jurisdiction can scale back these rules to attract chartering fees, knowing that it will not bear the full costs of the firm’s insolvency. Elevating prudential policy questions to the federal level ensures that national standards reflect popular priorities, rather than just the preferences of self-interested states.

Federal officials have likewise broken away from the narrowly entity-based approach of the prior paradigm in systemic risk regulation. In 2017, the Treasury Department called on the FSOC to replace the Council’s former readiness to designate SIFIs with a three-step process: (1) review macroprudential risks from financial activities; (2) propose activity-specific regulations to address those risks; and, only if those regulations prove inadequate, (3) consider designating SIFIs. The FSOC adopted the Treasury Department’s framework in formal guidance that expressly endorsed an “activities-based approach” to systemic risk.

Less preoccupied with SIFIs, the FSOC undertook a broader investigation of which activities introduced macroprudential fragility into the U.S. economy. The FSOC’s newfound interest in smaller firms enabled it to recognize the emergent risks from fintech. In 2017, the Council hosted a conference at the University of Michigan Law School on “balancing the benefits of FinTech against its potential risks.” These discussions eventually crystalized into the FSOC’s official statement that fintech’s disaggregating and disintermediating effects created the potential for cascading failures: 

Financial firms’ rapid adoption of fintech innovations in recent years may increase operational risks associated with financial institutions’ use of third-party service providers; if critical services are outsourced, operational failures or faults at a key service provider could disrupt the activities of multiple financial institutions or financial markets.

     With its widened perspective, the FSOC is now positioned to investigate the nature and severity of fintech firms’ counterparty and cybersecurity vulnerabilities. Just understanding these threats is not sufficient to restrain them, but it is necessary to do so. The FSOC’s activities-based framework therefore marks a positive development in the search for a systemic risk framework that grasps the technological realities of today’s financial sector.

Hastening the Transformation Through Legislation

            These reforms tread a path towards a financial sector that is fairer, safer, and more innovative. But Congressional intervention would shore up these achievements and protect them from faltering against an entrenched status quo. I therefore propose a bill to codify the New Fintech Federalism in four core areas of fintech law—chartering, usury caps, safety and soundness, and systemic risk.

State Chartering

To achieve jurisdictional competition for fintech charters, my bill would create a centralized digital platform, modelled off the successes of the NMLS, to track the fintech firms enrolled in a national registry. Fintech firms can only enroll in the national registry if they possess a charter from a state with a qualifying chartering program. This qualification requirement would allow Congress to limit the registry to firms that use technology to perform lending services and payment processing, rather than opening the floodgates to the entire non-banking financial sector. Fintech firms enrolled in the registry would receive nationwide reciprocity as a matter of federal law, since federal law will preempt any licensing, consumer protection, or safety and soundness laws from jurisdictions that did not grant the company’s charter. But rather than replacing these regimes entirely with federal rules, the FTMA would incorporate the chartering jurisdiction’s governance provisions and project them across the nation using federal preemption.

By inaugurating a massive federal-state partnership, my bill would produce a national market for fintech firms, easing their compliance burden from inconsistent state laws and allowing them to offer products even in smaller states. Freeing up startup capital to focus on product development would promote innovation and competition in the financial sector, ultimately benefitting consumers. Finally, the FTMA’s targeted use of federal preemption would preserve the benefits of decentralized deliberation.

Federal Usury Law

Dodd-Frank refused to intervene in the most fundamental of consumer protection laws, namely usury rates. Indeed, Dodd-Frank expressly prohibited the CFPB from imposing a national interest rate cap.

My bill would extend a thirty-six percent usury cap to any loans offered to consumers in the United States, whether offered by fintech firms or other non-banks. Notably, a group of twelve Democratic Senators recently introduced a bill to federalize usury law. Implementation of the new federal interest rate limit would fall to the CFPB, which already has ample expertise in consumer finance. As a national usury law, this usury cap would preempt state usury laws.

Subjecting fintech firms to an exclusively federal consumer protection regime and imposing a usury limit of thirty-six percent on all consumer lending activities would eliminate many of the prevailing paradigm’s worst vices. For fintech firms and other non-banks alike, my bill would replace the polyphonic confusion of the current state-by-state approach to usury with a single, authoritative standard announced by the CFPB. Since every firm would be subject to a uniform usury rate, interest rate exportation would cease to exist, obviating the need for transactions-costly rent-a-bank schemes.

National Safety and Soundness

Building off the OCC’s safety-and-soundness research for its fintech chartering initiative, my bill would require enrolled fintech firms to submit to prudential oversight by the OCC. Replacing the current state-by-state regime with OCC oversight would ensure that capital reserve requirements are proportionate with fintech firms’ overall risk profiles. Additionally, fintech firms that currently flout state statutes by falling through the cracks of various jurisdictions would no longer have any excuse to avoid prudential regulation. My bill would therefore empower the OCC to reduce the risk of fintech firm failures and avoid the inefficiencies of the currently decentralized approach.

Systemic Risk Controls for Fintech

Retreating from its entity-based designation authority, the FSOC has taken up its second statutory power—to issue nonbinding recommendations to other federal regulators on how to curb systemic risk. Because the Council’s recommendation power is purely precatory, it must rely on a primary regulator to enact its proposed reforms. However, there is no federal regulator directly responsible for policing fintech firms’ systemically risky activities. Thus, while the FSOC is currently in the information-gathering stage, without legal reform it will inevitably remain there, leaving macroprudential regulation for fintech in a holding pattern.

To fill this gap in U.S. financial regulation, my bill would grant the FSOC’s Office of Financial Research (OFR) rulemaking, supervisory, and enforcement authority over enrolled fintech firms to prevent them from subverting stability. Since expert understanding of the systemic risk implications of fintech remains embryonic, the FSOC would likely stay its course for the time being, continuing to monitor and investigate the issue before intervening directly. But once the OFR has a working framework for fintech’s systemic risks, it should proceed with stress tests. Though the first stress tests of enrolled fintech firms would likely be irregular and qualitative, in time the OFR could deploy quantitatively rigorous and enforcement-backed oversight techniques.

The FTMA would enable the FSOC’s OFR to police systemically risky fintech activities, rather than merely study them. If Congress waits until the macroprudential threat of fintech suffuses the U.S. financial system before they craft a legislative response, the opportunity for preparedness will have already passed.


     New challenges require new solutions. As the ascendency of fintech has transformed the U.S. financials sector, the costs of the current legal landscape for entrepreneurs, consumers, and the economy have become abundantly clear. But through several policy initiatives, state and federal officials have pioneered a new division of authority between these two levels of government that comports with the interjurisdictional nature of fintech. This New Fintech Federalism promotes interstate competition for governance rules, while federalizing issues that produce externalities. 

By passing my proposed bill, Congress would show global leadership in the realm of financial regulation, elevating the best initiatives around the country into a national policy bold enough to resolve the fintech industry’s most glaring issues.

Benjamin T. Seymour is a law clerk at Covington & Burling LLP and recent graduate of Yale Law School.

This post is adapted from his paper, “The New FinTech Federalism,” forthcoming in the Yale Journal of Law and Technology and available on SSRN.

Leave a Reply

Leave a Reply

Your email address will not be published. Required fields are marked *