RegFi Episode 59: Don’t Sleep on the States: Financial Regulatory, Compliance & Enforcement Trends
25 min listen
RegFi co-hosts Jerry Buckley and Sherry Safchuk welcome fellow Orrick partner Katy Ryan to discuss the state financial regulatory landscape. Katy provides an overview of how federal agencies and states interact in our dual-regulatory system, benefits and limitations of the Nationwide Multistate Licensing System (NMLS), and the importance of maintaining constructive relationships with state regulators. The conversation also covers state regulatory and enforcement trends, including increasing coordination among state regulators and attorneys general and the potential for states to play a more active role in areas such as consumer protection, BSA/AML and data privacy.
- CFPB Pause: Where to From Here?
- The Post-Election Outlook for State Financial Regulation
- Orrick Financial & Fintech Advisory
- RegFiPodcast.com
-
Jerry Buckley:
Hello, this is Jerry Buckley, and I am here with RegFi co-host Sherry Safchuk. Our guest today is our partner, Katy Ryan. Katy co-leads the Financial & Fintech Advisory practice at Orrick. We’ve asked her to join us to take a deep dive into what’s happening in financial regulation at the state level.
There’s a lot of media focus right now on what might happen with respect to federal regulation of consumer finance. But it’s important to understand that a large part of our financial services industry is licensed and overseen at the state financial services regulator level. Just one example: the process of launching a fintech startup often begins with getting licenses in all the states where the company wants to operate. Often that’s 50 states.
Katy, to get our listeners oriented, could you set the stage by walking us through what is involved in launching a state-licensed financial services company? And maybe it would be good to begin by describing briefly where financial services regulators fit in the overall state regulatory regime and how licenses to engage in financial services differ from licenses issued by the secretary of state to engage in business in the state.Katy Ryan: Yeah, thanks for having me, Jerry. I’m a longtime listener, first time interviewee, so I’m really excited to be here. Before we dive into kind of the state regulatory regime, and I think you just touched on it a bit, I think it’s important just to remind folks that we have and continue to have a dual-regulatory system. We’re a federalist society. For financial institutions, that means both federal and state laws that are shaping the operations. And I think that’s extremely important right now, just given the current administration and changes.
And as we talk through, there’s kind of an undercurrent that we hear that the states are stepping up or somehow indicating that state authority is somehow new, but it’s not. It’s been there. I think it’s just now it’s different because the focus is a little different. If we were on webinar Zoom, which we’re not, this is what I would normally bring up, kind of this slide that essentially shows like a huge spider web of the different state financial regulators and institutions and banking divisions, the attorney generals, secretaries of state, securities divisions, and the other agencies that all kind of come together that make up the state financial regulatory regime.
It’s really sprawling. It’s complicated. And to your question of how do we differentiate between financial services divisions to secretaries of state? I mean, secretary of state could actually be the regulator in one sense. But more likely, we’re talking about getting an ability to do business in the state, which we refer to more generically as a foreign qualification. And that can be actually just a component of the broader license that you need.
So, you can see that there’s a lot of different components in how they all tie together. Secretary of state and foreign qualifications can really be tied more to taxation and assessments, having access to the state courts, versus those broader authorities that we’ll talk about that a fintech may be trying to obtain in order to actually be able to move money, be a payments company, to make loans, or to otherwise conduct the specific activity that they may be looking to embark on.
So as we think about kind of those first steps or even launching, I think about them more as a new product, expanding existing businesses that may require state licenses. I actually think the first step is learning how to navigate such a complex space. And it really does take having an internal or external resource that’s familiar with the state landscape to even understand, “What licenses do I even need to apply for? Do I have the right structure?” You know, there’s generally a huge conversation of, “Do I want to form a new company? Use an existing company? How do I even get licensed? What are the components?” Many folks have never even heard of what a surety bond is.
And the planning and the upfront work that goes into understanding not only, “What license do I need? How do I get licensed?” But then, the ultimate portion of, “How do I then, once I’m licensed, operate in a compliant manner with respect to the new state regulations that I’m going to need to comply with?”Jerry: Katy, you referenced that there’s a lot going on. Sometimes the CEOs of big companies are surprised that they are roped into this process too and their fingerprints. Could you just go over a little bit of that just to give people a feel for what might be involved? Katy: Yeah, happy to. People are very surprised about the amount of information that may be necessary from what we generically call control persons, which normally are going to include CEOs, individuals who are making day-to-day decisions around the operations of a company. But it can also include direct and indirect owners of the chain. So, individuals that may not be as involved in day-to-day management but ultimately either have control through voting stock or other rights, those individuals are often going to go through a vetting process, which unfortunately still varies largely state by state.
But what it does encompass are fingerprints that will be vetted, some amount of a personal biographical background. So, you know, where you’ve lived, regulatory history, employment history, as well as in certain states, and this is usually the one that really gives people pause, personal financial statements. So depending on the jurisdictions and depending on the license that you’re applying for, there can be pretty specific and burdensome requirements on some of the more important individuals within a company.Jerry: I think that comes as a surprise often, doesn't it? Katy: It comes as a surprise, but I try to provide it with a smile. Jerry: That's great. Sherry, come on in and join us. Sherry Safchuk: Katy, thanks so much for joining us. You outlined the efforts that go into product creation and determining what licenses are needed to engage in the business desired. In my experience, that’s like a great chunk of time.
And so, while securing a license is the first interaction a company will have with a state regulator, could you outline for our listeners kind of what is the ongoing interactions that licensees have with their state regulators? What does that relationship look like?Katy: Yeah, and actually, I’m happy to. And if I could take one step back, instead of it being like the first interaction, sometimes getting the license, often it’s actually just talking about, “Do I need the license?” We spend a lot of time, and I think companies spend a lot of time in interactions with the state to say, “I see that there’s this exemption,” or “Does this really mean what we think it means?”
Because I think, Sherry, as you know, there’s such gray in a lot of these laws that we do spend a fair amount of time there. And I guess I want to raise that because there’s often an expectation that we should be able to get very clear answers from the states. And like, that’s just not going to happen everywhere. Some states are really very willing to engage with informal conversations. Some are not. Some want to see, you know, a formal request. Some of them, even if they have the formal request, will not kind of engage. So I’d just like to point out that as we’re thinking about how we get licensed, that’s kind of the step.
And then you’re absolutely right. You enter into the interactions around getting licensed, right? Because they said, “No, really, you do!” And once you have the license, there is an ongoing discussion, right? You’re going to be entering into at that phase the relationship with your regulator. And it’s extremely important for the relationship to really be between the company and to the states, because the more the states are obviously viewing this as a relationship, and being close to those who are making the decisions ultimately is just helpful to build trust.
Those conversations can be through just normal maintenance. So examinations, there will be ongoing examination schedules. If you’re licensed in a lot of different states, you can expect to have kind of a rolling basis. But you’re also going to be having conversations when you have changes at the company, right? If you have different reporting obligations that are coming up. You know, Jerry mentioned the CEOs getting licensed. If you have changes in control persons or if you have other things that are happening within the company, that’s generally another place where you’re interacting with your regulator.
And then there are places that you’re going to interact with them that aren’t as much fun, where you may start to look for kind of outside counsel or other assistance where you’re, maybe through the course of your compliance and review, you’ve identified that you have something that is either: was an issue that you have fixed, was an issue that’s systemic, or where you have some requirement where you need to report to your regulators.
Breaches are an excellent example. I know you deal on those quite often where you have existing requirements of having to tell the state that something’s happened. And ensuring that, you know, you’ve built up that good communication with your regulator in order to know, one, you have the obligation and how to actually go about reporting them.
So, it’s an ongoing relationship throughout the lifecycle of these state-licensed clients, and it really can kind of depend on where they are within the business for what those communications can look like.Jerry: You know, if I could intervene just a second, Katy. What you’ve described just brings to mind that occasionally we encounter people who didn’t realize they needed a license. And they’ve been operating for a while, and all of a sudden they realize that, “Uh-oh, I probably should find out whether I need a license!” Could you just describe that situation and what has to be done with that kind of a situation? Katy: Yeah. Ultimately, what happens is, you’re exactly right, that I either needed a license and it’s come to my attention. Look, we generally talk about transparency, like transparency with the state. And certainly if you’re expecting or wanting to get licensed, largely what you’ll find from states, even if you end up with some type of consent order because you have a violation, an unlicensed activity violation, is the ultimate goal is to get the company licensed in order to continue operating. There’s really not a huge press to shut down operations unless it’s particularly egregious.
So often it will be either engaging directly or getting counsel to help kind of navigate and to put together a strategy, which can also be very state-specific. Some states, and I think we’ll talk about this a little later, some states are just more aggressive than others. And having counsel or having someone to help you understand what your risks are going to be going into that conversation, I think, is generally the first step for anyone who’s sort of identified, “Oh, I think I have unlicensed activity.” Or, “I took a strategic risk to operate this way, understanding that I may need to get licensed.” And needing to talk through how to best approach that on a go forward basis.Jerry: Thank you. Sherry: Katy, you just returned from Georgia, where there is a meeting of all state financial regulators who participate in what is called the Nationwide Multistate Licensing System and Registry. Mouthful, I know. Or NMLS.
Again, for the benefit of our listeners, could you describe the NMLS, why it was set up, how it functions? And what were the major issues that you heard state regulators discussing?Katy: Yeah. So, going back just a little bit, what is the NMLS? I mean, we love our acronyms here, so I won’t go back to define that one again. But essentially, NMLS is closely tied to Secure and Fair Enforcement for Mortgage Licensing Act, affectionately known as the SAFE Act. It was part of Housing and Economic Recovery Act back in 2008. And really what it aimed to do was regulation around mortgage industry. So trying to protect consumers and ensure financial stability, and a lot of that was being focused on getting mortgage licensing and mortgage loan originators really into kind of a central repository.
So CSBS, the Conference of State Bank Supervisors, were pivotal within the development of NMLS. So they’re the organization that represents the state regulators of the financial institutions, and they essentially helped to work with the states, work with industry to create this system that has essentially become kind of a universal, as universal as we can be, system where you can apply for, have your licenses otherwise regulated, and all of your information essentially in one place.
That went live in 2008 and since then has expanded exponentially to also cover consumer finance licensing, money transmission, debt collection, and a whole array of other licenses as regulators became more comfortable with it. I give that background because many folks focus in on and talk about the NMLS and CSBS.
I think it’s important to remember NMLS is a system and CSBS is not a regulator. They are a trade group, and they ultimately share responsibility for ensuring that the NMLS is compliant, but it still goes back to all of the states, right? It is incumbent upon the states to ensure that their correct information is there, and it’s incumbent upon them to ensure that the system is functioning in a way that meets their requirements.
So, what’s important to remember from the NMLS conference last week and going through this is that NMLS has been kind of functioning since 2008. And one of the big topics is really around innovation of NMLS, really needing to get to kind of NMLS 2.0, working with the states around how we actually transform the system, working with industry around system enhancements and how we utilize the system.
One of the issues that also came up, not necessarily just through regulators but also through industry, is around the confidentiality of the information that may be stored within that system and how the states view treatment — and confidential treatment — of information that may be shared. So that was one issue that was really raised.
Otherwise, things that you would expect. There were a lot of panels on AI, other emerging issues. But not surprisingly, given recent events and certainly recent events with respect to what I think we refer to as sort of the CFPB pause, a lot of discussion around how the states were viewing that and what the states were expecting to do more broadly from an examination enforcement perspective and whether it was changing kind of mindset for any of the regulators that were in attendance.Jerry: Did you have a sense that it was changing the mindset? Or is it too early to tell? Katy: It’s too early to tell in one respect, because I think there was a wait-and-see sort of feel around what does it actually mean for the CFPB. I don’t think states were really willing to sort of start saying, “Oh, well, we’re going to take over CFPB cases.” Or kind of really making statements along those lines. They felt like they were more of in a wait-and-see anyway.
But on a separate note, states have been preparing even since the first Trump administration until now. They’re better prepared than they were in the first Trump administration in terms of examination, enforcement, supervision. And there is a real atmosphere of, “States have been here.” So going back to my first statement, the states have been here, and the states are, from their perspective, responsible for consumer protection. And there’s a real emphasis on kind of continuation and coordination amongst the states to be really continuing to assert themselves within that space.Jerry: As we all know, the Dodd-Frank Act does give states the ability to enforce the laws that are under the jurisdiction of the CFPB. And of course, it’d be interesting to think about in light of this discussion about, “Well, what if there is a void? Will the states be stepping in?”
What is the relationship between the state financial regulator, who licenses and oversees the companies that are under their jurisdiction, and the attorneys general, who have legal enforcement authority? How did it work when there wasn’t as much enthusiasm at the federal level for enforcing the law, maybe I’d say?Katy: I would say it’s complicated and it depends. So historically, there’s a couple of different ways that I’ve seen interaction between the divisions of financial institutions and the AGs. In some instances, they don’t actually work very well together. They may be regulating over similar areas. So, the attorney general may have oversight over UDAP. The division of banks may also have something similar, but they don’t really talk, and therefore they may be pursuing different strategies.
There are other states where they’re very aligned. And in fact, the attorney general’s office may be where the enforcement attorneys sit for a particular financial services division. So that if we’re moving from examination and supervision into enforcement, there’s extreme coordination because they’re then essentially bringing in attorneys general and the AGs to actually do those enforcement actions.
In other instances, it’s a little more hit-and-miss in terms of where an AG may be focusing their time. I think what we’re seeing, and what we’ve even seen before administration change, is that we’re seeing a more coordinated effort amongst attorneys general themselves focusing on consumer finance and other issues. There is sharing, and there are sharing agreements, not only between AGs to the financial institutions, but there are sharing agreements between the states, the CFPB, FDIC, all the different agencies. So, they’re all sharing information. And that’s something that they’ve become particularly good at over the last several years. So even if it’s not a coordinated investigation, information that is obtained within an AG investigation, you should expect as being shared back into your prudential financial services regulators at the state level.
Going forward, we’ve always known that there are a number of them that have been particularly active. I don’t think it’s any surprise to say Massachusetts, California, Washington has a particularly active, regardless of kind of administration. I do think there’s some question, and we certainly have other colleagues, Jerry, as you know, that are very deep within how AGs may be responding and starting to look in the coming year or two and whether there will be deviations between different states.
But from my perspective, the biggest thing we can expect, like I said, is the sharing of information and the expectation that the consumer focus and certainly areas like UDAP and those are either under Dodd-Frank and other areas that the states are prepared to enforce around and the AGs have been doing in various ways, before we kind of saw the CFPB giving any type of roadmap.Sherry: Katy, we’ve seen an influx of state coordination with enforcement actions. Do you anticipate this to increase? And was there anything from Georgia that was insightful? Katy: It will increase. It will increase. There are specific areas, and I think even just recent multi-state actions that have been coming out that show where states in particular have been focusing. I think you know recently with some BSA/AML, cyber, other areas that we should expect there to continue to be coordinated efforts as well as potential enforcement.
With respect to the conversations from last week, I think the way it really comes out, Sherry, is that they’re more talking about coordination in general, right? They really talk more about one company, one exam. We’re going to be doing more one company, one exam, where you have a number of regulators that are essentially banding together to do coordinated examinations, as well as that then playing out through sort of the state, multi-state examination, and enforcement construct that they’ve created where we can expect coordinated exams would lead to coordinated enforcement.
And a lot of that is around leveraging resources, right? Some states don’t have as many resources that they can devote. Some states have been, you know, frankly, in a hiring mode. You know, California has been hiring. New York is hiring, continues to hire. So that coordinated effort is just as much around the sharing information as it is sharing resources.Sherry: From a practical perspective, is it one state kind of taking the lead and doing all the work, and then the other states are joining in? Or is it more of a collaborative where several states are kind of looking at the information and they’re deciding amongst themselves on how to proceed? Katy: Depends on the multi-state, I would say. I mean, the experience is you’re going to have an examiner in charge. So you have a single point of contact, and that’s generally the state that takes the laboring oar within examinations in particular. And then you have other states that may be joining in. In terms of how they then coordinate the work and the back end, again, I think it can vary in terms of the scope and the depth of the examination they’re conducting.
What does happen once you’re into enforcement, and this can happen in a mortgage context, a money transmitter context? It is essentially a coordinated agreement amongst the states to have a smaller number of states in the room that you’re actively negotiating or working through an enforcement. And they’re the ones who are working through the decision process. They will do the not only negotiating essentially with the companies, but then on the back end, their jobs are to take the information and then coordinate amongst all of the states to see if you’re in an enforcement context, how many states would like to join in? What are the issues a state may have that could keep them from being able to join into a coordinated effort? And really kind of trying to leverage the initial group to be able to bring together a broader settlement, which ultimately can be beneficial to the licensee as well as to the state, because then you’re not dealing with one-off administrative actions with every single jurisdiction. There is a coordinated process. And that process actually is largely handled through something that was constructed through CSBS. So it’s through agreements with the states versus any type of formal process that requires it to be this coordinated effort.Jerry: Katy, we’re drawing near the end of our time. And obviously, no matter what happens, it appears that there is going to be a larger role for states with respect to regulation of financial services participants.
We really appreciate your joining us and bringing our listeners up to date on what’s happening. But do you have any last observations you’d like to share with our listeners?Katy: Yeah, I’ll keep it short and sweet. Don’t sleep on the states. I think that’s the biggest thing that we can point out. Jerry: Well, that’s great advice. And it’s so good to have you as a guest. You’ve been a leader in this area, respected by both the state regulators, whom you’ve gotten to know so well over the years through the constant interaction with them, as well as by a lot of people in the industry. So, thank you. It’s great to have an expert on this. Katy: Thank you, Jerry. I've been happy to be here. Sherry: Thank you.