Ex-N.Y. regulator Maria Vullo on fintech fight, Facebook's crypto plan
What are the best ways to regulate fintechs, manage tensions in the dual banking system, or respond to Facebook’s Libra? Few people have had a better vantage point on those issues than Maria Vullo.
In her three years as superintendent of the New York State Department of Financial Services, which ended in February, Vullo licensed cryptocurrency companies to work in the state, wrote a cybersecurity law for financial services and was involved in anti-money-laundering enforcement actions.
She also filed a complaint that seeks to invalidate the Office of the Comptroller of the Currency's new fintech charter; a federal judged ruled in May that the department's lawsuit could proceed after it had encountered some initial hurdles, saying that granting OCC charters to nonbanks may be "an exercise of authority that exceeds what Congress may have contemplated" in the National Bank Act.
Before becoming New York’s top bank cop, she was a compliance attorney at Paul, Weiss, Rifkind, Wharton & Garrison for 20 years.
Last week, Vullo joined the board of Emigrant Bank, a New York-chartered bank that was founded by Irish immigrants in the 1800s and has $6 billion in assets. She is serving as regulator in residence for the Fintech Innovation Lab, a fintech accelerator run by the Partnership Fund for New York City and Accenture, with participation from scores of New York banks..
And she recently formed an independent advisory firm, Vullo Advisory Services, which advises banks, fintechs and insurance companies about data privacy, cybersecurity, cryptocurrency and other compliance matters.
In a recent interview, Vullo shared some of her views on the need to enforce strong regulation while encouraging fintech innovation.
How do you feel about the current regulatory environment for fintech? Obviously there's tension between state and national regulators.
MARIA VULLO: The tension between federal and state regulators in the banking world has been the case since the beginning of the dual banking system. That's not new. I was opposed to the OCC's fintech charter [on the grounds that it violated] the preeminence of the state regulatory system for nondepository companies. We can be innovative and have innovation thrive. But the state system has always been where innovation thrives and where oversight of nondepository companies best resides. The field of cryptocurrency is another area where there's innovation.
Why do you feel states are so much better qualified for this kind of oversight?
Because states have always been the laboratories of innovation and the places that are most focused on consumer protection within the state's own borders. That has just been traditionally the case in our country. No matter what the overarching political environment, the states protect consumers. The federal government has never [been the primary regulator of] nondepository companies. They regulate banks. And we have a dual banking system where you have some very large national banks regulated at the federal level, and you have the community banking system mostly regulated at the state level. But in the nondepository area, meaning money transmitters, licensed lenders, the sort of nonbanks that are performing certain types of financial services functions, they have always been regulated by the state and not the federal government.
And so not only are the states the best place for that, but the law doesn't permit the federal government to do it unless Congress chooses to pass a new law. The National Bank Act does not give the federal government authority over that space. It just gives it the authority over banks, and banks take deposits.
Does that outlook apply to Facebook and its Libra project?
That's a whole separate question because Facebook is a different kind of company. I'm watching this very closely. I think the attention that a number of different federal and state regulators and Congress are placing on it is appropriate. It’s also appropriate to look at the question of all of this private data that any company has and how they're utilizing that data and whether they are utilizing that data for the benefit of the consumer. The fact that a company is a technology company doesn't excuse it from the application of law.
What is your gravest concern about Facebook Libra? The idea of a network of nonbanks building apps for moving money around using a quasi-dollar-based cryptocurrency?
That raises a number of concerns. Our banking system has very strong and important protections. The banks have strong transaction-monitoring programs and systems to prevent illicit transactions and money laundering. Our banking institutions are very well versed in all of those laws and regulations. So concern No. 1 is that a new player in that area really needs to have that kind of knowledge and demonstrate the ability to be compliant and to protect from illicit transactions, money laundering and the like.
Another real concern that anything like that presents is, we have had in this country a real separation between commerce and banking. Commercial enterprises are not supposed to also be a bank. When consumers are engaging in commercial transactions with the same entity providing a banking type payment system, you're creating not only inappropriate and unfair competition for our banks, but also creating a risk to the consumer of having all that in the same place. We have laws and the Federal Reserve has been very strong on this historically. When a payment system, using U.S. dollars or digital assets, is connected to consumer data and consumer commercialization, that's when you have some real concerns.
These are very big and difficult issues, but I think the divide between banking and commerce needs to remain. In this circumstance, you also have the concern about data privacy and the amount of data that certain social media platforms have. Having that on the same platform for the payment of transactions really does create an issue for both the privacy of the consumer's data as well as the protection of the consumer from predatory actors.
Data privacy issues are paramount right now in this country, and they should be. Consumers are starting to look at what's happening with their personal information. Obviously the Equifax settlement brought that to light.
A lot of banks also share consumers’ personal data with partners for various purposes without necessarily asking for consent. Do you anticipate some new rules coming around some of that, that might affect banks as well as the tech companies?
I don't really know. I think that's a much bigger question. Obviously Europe with [the General Data Protection Regulation] has stronger views on the use of data. If you're comparing banks to other kinds of companies like Facebook, there's a very significant difference, and that is financial institutions are regulated. So there is at least one if not more than one regulator looking at and having access to all the information on an ongoing basis.
And regulation does provide additional protections both for the economic and the financial markets as well as for the data privacy and the consumer issues.
Do you think any policy changes are needed to encourage innovation among traditional financial institutions and fintechs? If so, what might that policy change look like?
Fintech only stands for financial technology, so I don't know what policy change needs to happen. The fact that you're utilizing technology doesn't excuse anyone from the laws and regulations.
Where we do need significant action taken on a national level is cybersecurity. Cybersecurity is the biggest threat that we face as a nation. And the federal government needs to do something very strong about it. That's where maybe the fintech companies can help us with improved defenses and protections.
What would you like to see in cybersecurity — would you like to see the law that you wrote for New York banks become national law? And what do you think are the most important security protections you put in that law that need to be enforced nationwide?
The federal government could take the cybersecurity regulation that I wrote in New York and deploy it more broadly. The centerpiece of my cybersecurity regulation is the call for periodic risk assessments, and then to tailor and develop cybersecurity programs that match that risk. Those programs have to address multifactor authentication, encryption, continuous monitoring, penetration testing, ongoing training, and competent personnel, as well as incident-response requirements, so that if there is a breach, the company knows what to do because there could be business interruption.
But the point is prevention and detection of cybersecurity incidents and breaches for the safety of our economy and the protection of our consumers. We have nation-state actors that are seeking to damage the United States in many different ways. And the government should ensure that businesses are doing everything that they can to be up to date on cybersecurity protection and prevention programs.
When you think about your dual interest in innovation and appropriate oversight and regulation, what do you think about the fact that banks have mostly shied away from cryptocurrency, from even banking a company that has anything to do with cryptocurrency, like an exchange? Do you think banks are right to be so distant? Or do you think there could be prudent ways of getting more involved, for instance, in custodial services or things of that nature?
There are financial institutions that are involved. When I was superintendent of NYDFS, I promoted a strong regulatory environment for firms that engage, including exchanges that engaged in bitcoin and in other cryptocurrencies.
People who say that cryptocurrency could be utilized for illicit activity are correct. People who say that cryptocurrency could be an advancement that allows for greater transmission and globalization of payments are also correct. But you need to bring those things together and ensure that things are being done in a compliant way, in a strong regulatory environment. So we should not be jumping so fast at anything.
The word innovation is just a word. And it’s a word that can be used to mask predatory behavior. Innovation can be used in a good way, to develop and increase processes and make things more efficient and reach more people. It can also be used in a very bad way. Payday lenders who use technology are predatory. They are not innovative just because they use technology. They may use their lobbyists to advocate that they're innovative. They're not.
But if you can use technology to further educate and create greater financial health for your customers and reach more people and charge appropriate interest rates and give them education and help them with their saving, more power to you. That's how we should be thinking about it.
But you've got various people talking about this and then convincing people that somehow they're being stifled because regulators and other people are looking at what they're doing. High-interest loans that are securitized and bundled are not innovative. We saw that in the mortgage crisis.