Making Internet Banking Safer for the Customer

With the close of business on Jan. 3, banking regulators had a reasonably good idea of just where things stood with relation to the vaunted Year 2000 date change. But it will be another month or two, perhaps, before Y2K-related concerns will be whittled to the point where regulators can put renewed focus on the Internet, where many of banking's biggest new technology initiatives are underway. For the federal banking agencies, it's largely uncharted territory. Transactional Web sites are mushrooming, and the issues they raise haven't been standard material on examiners' crib sheets. The Internet has often been referred to as a kind of Wild West, where almost anything goes and new frontiers are broached every day. For a tightly regulated industry like banking, uncertainty and galloping change create anxiety, for both institutions and the regulators doing the policing.

The Internet also adds a new dimension to ongoing power struggles between state and federal regulators and power blocs such as the United States and the European Union.

Cyberspace renders the idea of a bank's geographic operating area meaningless, even though the laws that banks operate under address physically circumscribed areas. "It used to be that interstate banking was the Holy Grail. The next Holy Grail is Internet banking," says Mark Plotkin, a partner in the Washington, D.C., law firm of Covington & Burling. "The ultimate battleground will be international."

Domestically, the first and, so far, only agency to require depositories to include information on their Web sites in their quarterly call reports is the Office of Thrift Supervision, which started early last year. However, many observers expect this year to be one of unprecedented regulatory focus on the Internet. Once Y2K's shadow has passed, freeing technical examinations staff around February or March, their attention is expected to turn to Web transactions.

Many regulators are publicly loath to support that view, reluctant to appear less than fully vigilant or to stifle e-commerce by inducing fear. However, Cynthia Bonnette, an examination specialist with the Federal Deposit Insurance Corp. who has become the agencies' guru on Web-related matters, agrees that regulators weren't ignoring the Internet, but were tied up with Y2K. "The attention needs to fall where the priorities are," she says.

Bank Sites Boom
Regulators' increasing attention to the 'Net is a reflection of banks' own burgeoning activity. Many of the biggest banks created Internet-only divisions in 1999, while others turned mere informational sites into transactional ones. Of the 3,500 known bank and thrift Web sites in mid-December, 1,121 were transactional, up from just 460 at the end of March.

The numbers are rising quickly: There were 1,096 known transactional bank Web sites on Nov. 30, and 25 more by Dec. 16. "I hear of additional transactional sites almost every day," says Bonnette, who is credited by colleagues at other banking agencies as being the first regulator to try to get a handle on transactional banking. Now the Federal Reserve and the Office of the Comptroller of the Currency feed their data to her, and she combines it with Web searches, news releases and vendor reports to try to gauge industrywide activity.

Bonnette's numbers don't include credit unions, but a mid-1999 report by the General Accounting Office, which did, said bank, thrift and credit union transactional sites totaled 2,100. The latest figures suggest that 8.7% of community banks and thrifts (with less than $1 billion in assets) now have transactional sites, up from 3% in mid-1998.

A transactional site is universally defined as one where the customer can move money, usually transferring funds between accounts and paying bills, occasionally making purchases or applying for loans. The stakes rise with an e-commerce site. A static advertising site raised regulatory concern at the outset, with the thought that it might function as a doorway from a public network (the Internet) into the banks' internal systems.

Transactional sites heighten those security concerns because they require exchanges of information from inside and outside the bank. Also, they bring a slew of new concerns, such as authenticating parties to the transaction, ensuring continuity of service, privacy of customer information, and compliance with state and federal banking and consumer regulation.

A radio ad from E-Loan, the largest online mortgage originator, provides a sign of things to come. It ends with, "E-Loan is ... not licensed in every state. This ad should not be construed as a solicitation to offer loans in every state."

Several compliance sources who heard the ad presumed that the high-profile lender, which made an estimated $2 billion in Web-generated mortgages last year, had been reprimanded by one of its several regulators, such as the Federal Trade Commission. (The FTC could not be reached for comment on this, or other aspects of how it is enforcing compliance among nonbank financial services providers on the Web, who are widely viewed as less likely to be compliant.)

However, E-Loan president Chris Larsen said the Palo Alto, Calif.-based mortgage bank and broker was merely playing it safe. "There are about four states in which we're not licensed," he said, explaining that sometimes that's because a physical branch is required for a mortgage license. To avoid any claims of false advertising, E-Loan's national ad, which first aired last summer, had to give relatively substantial air time to the legal disclaimer.

Attorney Plotkin foresees a major clash between bank regulators at the state and federal levels over the Internet (see "Sheriffs vs. Marshals," page 47). Plotkin, a consultant to federal bank regulators on examiner training, said, "Two different federal regulators told me they are convinced that state regulators will use the fact that banks aren't observing jurisdictional niceties as an opportunity to reclaim territory they lost through interstate banking."

To ensure that banks don't play into such a plan, federal regulators are urging banks to "pull back a bit until the law is more settled," Plotkin says. "There has been a quiet campaign within the federal government to tell banks doing business over the Internet not to get sued."

Asked about this, the OCC offered no response. An OTS spokesperson scoffed, "I don't know where this guy's coming from." The OTS, more than any other agency, has pushed the envelope by granting broad, national thrift powers to 20-plus nonbanks, and by chartering a disproportionate five of the eight pure Internet banks. However, Jennifer Dickerson, OTS director of technical risk management, said she didn't think these cautionary claims really applied to the OTS.

Two recent legal actions against banks touch on the issue of state versus federal governance. The higher-profile one, in which U.S. Bancorp was sued last summer by Minnesota's attorney general for privacy abuses, spawning a national privacy task force of states' attorneys general, probably is a case of the states seizing an opportunity, says Brian Smith, policy director of America's Community Bankers.

While the case concerned telemarketing practices rather than the Internet, Smith sees Web banking compliance as but an element of the bigger compliance issue: privacy. "U.S. Bancorp brought us Pearl Harbor in privacy actions," he said, suggesting that the privacy provisions in the financial modernization bill were "bulls-eyed" at the bank, which is paying $500,000 to the state of Minnesota and $2.5 million to charities to settle its case. (U.S. Bancorp has insisted that it did not sell customer information and admitted to no wrongdoing.)

The other known action relevant to Internet banking was also settled in September. Compass Bancshares Inc., Atlanta, agreed to pay a $100,000 fine to the OTS for moving outside its designated area without approval. Compass received permission in late 1998 to operate an Internet bank in a couple of counties surrounding Atlanta. "We learned via the media that the bank had changed its name and planned to extend its reach nationwide," says an OTS spokesperson.

Plotkin says banks have made several "missteps" on the Internet, and "some money center banks have been criticized for overstepping their authority by marketing services in states where the banks don't have jurisdiction or state law doesn't allow such services." Other compliance experts also see faux pas, but nobody's naming names.

Two consumer groups contacted say they have no reports of misconduct besides privacy-related matters. Ed Mierzwinski, consumer program director of the U.S. Public Interest Research Group, believes "it's just a matter of time." Jean Ann Fox, director of consumer protection at the Consumers' Federation of America, observes that "payday loans are being offered in states that don't allow them."

The first federal-state banking forum expected to thrash out Internet governance was scheduled a few weeks ago, and the first Internet training sessions designed for state examiners start this month. Compliance experts say they are increasingly in demand for Web-banking training, and research firms, such as Meridien, say federal regulators have consulted with them lately.

There have recently been a number of regulatory and legal developments around Internet banking. Starting last August, regulators began to examine Internet banking vendors, which, by previous measures, were deemed too small to merit their attention. Recognizing that there's a burgeoning niche of small, often unprofitable and poorly capitalized vendors providing Web banking systems - with potentially material impact on banks - regulators are starting to subject them to interagency exams. So far, they have reviewed five unnamed vendors that are significant players in the community banking sector, along with 26 extremely large data processors that are traditionally reviewed, some of which have entered Web banking. In October, the OCC issued its most comprehensive discussion of Internet banking in the form of an examiner handbook.

In November, Congress passed a federal law approving the use of electronic signatures to identify parties to e-commerce transactions. (See USB, February 1999, "Conferring Certainty In Cyberspace.")

The financial modernization bill, also signed into law in November, includes privacy regulations that give banking agencies new powers to enforce better practices online and off-line, noted the FDIC's Bonnette. Its broader thrust, allowing banking, securities and insurance to combine, is expected to present far greater compliance challenges for banks. That's especially true on the Web, where areas subject to different regulations are just a hyperlink away, and there must be no confusion in the consumer's mind between insured and uninsured products.

Also last November, the Securities and Exchange Commission reported on its investigation of online trading, the fastest-growing financial service on the Web, bringing with it concerns over service disruptions and losses by consumers not entirely aware of what they were doing. Meanwhile, a Federal Reserve proposal to allow deposit and lending disclosures and consumers' statements to be presented in electronic form is out for comment. A final ruling on these key facilitators of electronic commerce is expected in March or April. The National Automated Clearing House Association also is formulating guidelines for electronically presented and paid bills. The fact that this is now one of the less-regulated services is probably a factor in the growth of e-billing, notes one compliance expert.

"The credit and deposit compliance regulations are unbelievably complicated, and there are hundreds, if not thousands, of pages of them," says Joann Barefoot, a partner in KPMG Peat Marwick. Setting aside the issue of screening investors for suitability for different investments, there's the fact that consumer disclosures must be provided within specified periods. That may be within three days of taking an application, which is a problem, since most banks take several days to respond to customer e-mails and most disclosures must still be made by mail.

Despite these challenges, regulators seem to be more focused on safety and soundness than on compliance. For example, they automatically present technical security experts as interviewees on the topic of Internet regulation. "Safety and soundness is still the bottom line," says OTS' Dickerson.

Last year, the OTS began requiring that banks with transactional Web sites stage attempted break-ins. That seems like a good idea, considering that a unit of IBM Corp. hired out for such work says it has yet to fail. Clifford Wilke, the OCC's director of bank technology, recalls, "One bank technology officer at a major bank thanked me for bringing out an Internet guidance handbook because he was having a hard time getting management support for necessary security upgrades."

However, agency sources are reluctant to characterize compliance as a secondary issue, noting that it can become a safety and soundness matter when it results in reputational risk or fines that impair the institution's profitability.

The FDIC's Bonnette says that, besides privacy, bank regulators' primary concerns about Internet banking are that it is often not properly planned and that banks are overly reliant on Web vendors. Shockingly, a study by the Bank Administration Institute last spring found that most of the banks analyzed had no business plans for their Web sites. More significantly, the GAO's July report suggested that banks are not properly managing the risks associated with Internet banking, and regulators have been ineffective in examining them. From its analysis of bank exams between mid-1997 and mid-1998, the GAO faulted them on: insufficient audits (36%); lack of security/operating procedures (32%); planning lapses (25%); and inadequate contract arrangements with vendors (18%). Smaller institutions (those with less than $1 billion in assets) had more problems, the GAO added.

"There's too little control of sensitive information," Bonnette says. "For example, some banks take online loan applications without encrypting the data the consumer sends, potentially exposing their personal financial information." Commenting on a multi-regulator study published last November showing that just 48% of bank sites reviewed disclosed their privacy policies, Bonnette adds, "Privacy should be improved on."

Regulators' traditional yardsticks are being applied to entities distinct in many ways from traditional banks. Internet-only banks "usually require more start-up capital because they spend so much on marketing," notes Neil Milner, president and chief executive of the Conference of State Bank Supervisors. Technical operating costs are higher because Internet banks must be able to handle an exceptionally high level of customer service queries today, and the prospect of entirely electronic transactions tomorrow.

"We're not even at 10% capacity," says Tripp Rackley, recently named president of merging Web-banking service bureau providers nFront and Digital Insight. Each has invested about $4 million in back-up centers, says Rackley, whose firm, nFront, was reviewed (satisfactorily) by federal regulators for the first time last year. By contrast, Rackley says, some banks don't even have a second telephone line supporting their transactional Internet banking.

"Internet banking falls into each one of the CAMELS [a standard measure of bank safety and soundness] components," which are all affected by virtual banks' particular composition of assets and liabilities, OTS' Dickerson says. A cyberbank is likely to have an abnormally high ratio of liabilities to assets, and to need extra capital to pay for the loans. On top of that, with its customers keenly shopping for the best rates, its deposits are considered "hot money," Dickerson says, "more like money in a brokerage account."

Cyberbanks draw depositors by paying above-market rates, notes Texas Banking Commissioner Randall James. However, he adds, "The market for consumer loans is too competitive to allow them to charge equally high rates on loans - not unless they do something illegal or get into high-risk subprime loans." As James puts it: "It's pretty hard to picture 'core deposits' in an Internet bank," though these effects are muted in the Internet banking operations of traditional banks.

Security First National Bank, the first virtual bank (chartered by the OTS in October 1995 and now owned by Royal Bank of Canada), currently pays 6% on checking, some 2% to 2.5% above market rates (see Technology, page 25). It hopes this marketing hook will create loyal customers with more accounts, but wouldn't supply information on cross-selling or its asset/liability mix. However, a spokesperson notes that the bank is rated satisfactory.

Although SFNB has customers nationwide, it issues mortgages only off-line near its home office in Atlanta. Otherwise, it would find itself in possible contravention of the Community Reinvestment Act. A bank must extend credit wherever it takes deposits, but how do you circumscribe that deposit-taking zone when it's in cyberspace? Ellen Seidman, director of the OTS, discussed that issue at length in a June 17 speech available on the agency's Web site, www.ots.treas.gov.

E-Loan is also subject to CRA. It's required to give applicants the opportunity to report their race for inclusion in the Home Mortgage Disclosure Act (HMDA) database. Moreover, it's subject to the Real Estate Settlement and Procedures Act, which Plotkin jokingly refers to as the "Full Employment for Attorneys Act." RESPA prohibits the referral fees so common in cyberspace. It makes it illegal for E-Loan to pay another site operator every time one of its customers comes to E-Loan and consummates a transaction.

RESPA also requires E-Loan to provide a "good faith estimate" of closing costs within three days. Ditto for mortgage rate and points information under Regulation Z (the Truth in Lending Act). There's also a disclosure on the likelihood of the loan being sold, a statement on the consumer's right to a copy of the appraisal and, in some states, one on the consumer's rights regarding how the rate is "locked in." With all that, E-Loan has become something of a compliance pioneer. For example, it provides borrowers with a personalized page on the status of their applications, as well as e-mailing and mailing them disclosures.

Ads Trigger More Disclosure
Even sites that merely advertise are subject to compliance rules, notes Alan Dombrow, a regulatory expert with Concentrex Inc., the leading supplier of compliance forms to banks that is now taking its product set to the Web. "'APR' [annual percentage rate] in a credit card ad is a triggering term under Reg Z," he notes, meaning that other fees must be disclosed. For closed-end credits, the disclosures and their timing differ, and the form of those disclosures hasn't yet been agreed on.

Richard Insley, a compliance expert and president of APR Systems Inc., Richmond, Va., frequently does training sessions for bank trade associations that point out common violations, which include failing to retain compliance evidence from Web sites. "Record retention rules vary from two to five years," he notes.

KPMG's Barefoot reckons that more mistakes are on the lending side than on the deposit side. "I frequently hear of people being refused credit cards on line who know they are highly qualified. It seems, with the volume of inquiries and the speed of decisions, mistakes are being made." And, she notes, "The Web environment makes it much easier for consumer activists and regulators to find examples of noncompliance."

Globalization will only magnify Internet-related issues. Plotkin points to what he considers a hugely significant but largely overlooked treaty that takes effect this month. TRIPS, the Trade Related Intellectual Property Rights Treaty, ratified over the course of the past several years by members of the World Trade Organization, "is a gate to U.S. banking institutions offering deposits worldwide."

Randall James tells of a small-town Texas friend being offered deposits - the last bank bastion - by an overseas bank, while CSBS' Milner tells of a community bank receiving a loan application from Russia.

James' state has resisted change, dating from Andrew Jackson's day and carrying to more recent prohibitions on credit card and home-equity lending. "Texans like to feel that they can control their own destiny, but the reality is that we do business in a global world," James says. When it comes to consumers, "The rub is that one locale has laws that are lender-friendly, while another has laws that are consumer-friendly, and people don't know what to expect."

The battle lines are drawn on several fronts. "While there may be turf issues between state commissioners and the Comptroller, there are substantial turf issues between the Comptroller and the Federal Reserve," James notes.

Then there are disagreements between the U.S. and the E.U., which is holding businesses to stricter standards on matters central to e-commerce, such as privacy and digital certificates. Says Plotkin, "Whether the U.S. will dictate standards is really important for U.S. banks looking to go overseas."

Sheriffs vs. Marshals
Back in the days of the Wild West, there was often a jurisdictional struggle between the local sheriff and the nearest federal marshal, who might be a day's ride or more away. For the sheriff, there was often confusion: When he brought a bad guy in, just whose prisoner was he?

Well, some of those jurisdictional disputes may soon be playing out with respect to the Internet. Federal banking regulators have been making their pronouncements, and so have some state authorities. Texas Banking Commissioner Randall James, for instance, is one of a couple of state commissioners who are "aggressive" on the cyber-jurisdiction front, says Covington & Burling attorney Mark Plotkin.

Indeed, James is among a number of state commissioners who have been encouraging a mobilization through the Conference of State Bank Supervisors. In advance of a CSBS symposium held in mid-December in San Antonio, James was expecting representatives of all the federal banking agencies to attend. "They'll come, and we'll beat each other up for a while and see what happens," he quipped. "We don't want to see a state charter nipped in the bud by federal legislation addressing this issue in some way we haven't thought of." James adds that there has been more than one attempt by the OCC to "slide something in that diminishes the strength of the state charter relative to the national charter."

As of the end of November, state and federal regulators hadn't even sat down to discuss governing Internet banking, James said. But "a couple of us [state commissioners] are on the front edge of dealing through CSBS to see if the states can do this, or if it's better handled at the federal level." He is one of several regulators who voice concern over banks' diminishing share of the financial services business. He attributes that to "regulations at the federal level that apply to banks and not to other businesses [entering financial services]."

Neil Milner, president of CSBS, says, "Our preliminary research indicates that a state charter can operate an Internet bank." Asked if that's not simply a claim by state regulators for broader jurisdiction, he says, "No, it just might increase state regulators' involvement as there is increased Internet activity."

As for why it's advisable to retain state-level governance in a global economy, Milner says, "Most federal legislation is restrictive and stifling. Sometimes the state law is, too, but it's easier to change." He describes the dual system of regulation as "one of the great strengths of the banking industry." To attorney Plotkin, on the other hand, it's just "terribly inefficient."
