WASHINGTON — New York State Department of Financial Services Superintendent Maria T. Vullo has lost no time imposing her vision for the financial services industry since she took the helm of Wall Street’s top state cop last summer.

In a wide-ranging interview with American Banker, Vullo discussed the department's newly enacted cybersecurity requirements, a proposal to banish “bad actors” from the state’s financial industry, and the Office of the Comptroller of the Currency’s fintech charter initiative, which has drawn strong condemnation from many state regulators.

“You can't just try to get something passed that's not appropriate for consumers or for the industry as a whole by using this fintech term, which is really an effort to suggest that you're ahead of the game on innovation,” said Vullo. “I think that's just a label.”

The New York agency is widely regarded as a leader among states when it comes to developing strong financial regulation. And Vullo said her federal counterparts too might want to take a leaf out of her book.

Maria T. Vullo, superintendent of the New York State Department of Financial Services
"You can't just try to get something passed that's not appropriate for consumers or for the industry as a whole by using this fintech term," said Maria T. Vullo, superintendent of the New York State Department of Financial Services.

“The federal regulators at issue should adopt our cyber reg,” she said. “And then we'll be very, very consistent.”

Following is an edited transcript of the Q&A.

What are your main concerns with the OCC fintech charter?

First and foremost, from a state regulator’s perspective, and particularly in New York, we already regulate money transmitters and other licensed financial services. Any proposed charter which has as a concept the preemption of what I do for New Yorkers and New York consumers is going to be met with significant resistance.

Second, the usury requirements that could be evaded by an OCC charter are of extreme concern to me. In New York, we have our statutes that protect consumers from very, very high interest rates and we ban payday loans.

To the extent this charter would seek to permit applicants who might gain such a charter to then seek to loan to New Yorkers in violation of New York's rates, with some federal preemption idea, we would definitely fight that.

Third, I have significant concerns about the potential for the OCC to charter nondepository institutions under the current statutory authority that exists for the OCC to charter banks, and that's the National Bank Act.

I think there are very, very significant questions about the OCC's ability to do this without congressional authorization. And to do it without even regulations that would be subject to a comment period.

How do you plan to fight it?

We are in constant consultation with other state banking supervisors across the country, through our association, the Conference of State Bank Supervisors, which also opposes this charter. As to what the appropriate steps would be if they actually go forward, we hope that given the comments that they've received, that they will think twice about the proposal.

We have some concerns also about the impact that something like this would have on our local community and regional banks, and their competitive advantage or disadvantage, as the case may be with this.

We have concerns about money laundering and terrorist financing controls for institutions that might be subject to the charter. We have concerns about "too big to fail" issues with some so-called national charter that would be light on regulation and preempt the states.

I am not in any way adverse to what exists in the United States which is a dual banking world. But a proposal that preempts state authority is not actually dual banking particularly when the states that have in this area been at the forefront of on-the-ground consumer protections, for these types of companies.

The other thing that I'll say is it's unclear what exactly fintech means in the context of a bank charter.

There are companies in all different industries that use financial technology. But the OCC is a bank regulator. The National Bank Act gives the OCC its authority.

You can't just try to get something passed that's not appropriate for consumers or for the industry as a whole by using this fintech term, which is really an effort to suggest that you're ahead of the game on innovation. I think that's just a label.

Certainly on the nondepository level, the consumer protection and compliance requirements, the states really are better positioned. I don't think that the OCC has demonstrated a history of being ahead of the game on these types of issues.

What history are you referring to?

They don't have a history of actually regulating nondepository institutions, money transmitters, online entities, small institutions that arise, startup companies. That's a very local and a state-based function.

They have not had the best record on compliance. The 2008 financial crisis was caused by a number of institutions that were regulated by the OCC. The Wells Fargo scenario was troubling on consumer protection, as well.

[Fintech is] something that the states have been on the ground with and certainly on compliance have been on top of. And I just don't think that the OCC has the experience. It's not a criticism, it's just a fact that they haven't done it before.

What can states do to make the licensing system simpler?

We've been doing this for some time through the CSBS.

We have collaboration and coordination with other state banking supervisors such that … [for] an institution that has its charter from one state, and then seeks to, for example in the bricks-and-mortar world, open a branch in another state.

There is a process for doing that that's collaborative among the state regulators such that there is one state that is the lead wherever the domiciliary state would be and the other states basically look to the lead state to do, for example, the main application process as well as the examination of the entity in terms of safety and soundness.

And the other states then have their own independent autonomy of course, but that coordination happens as well.

Would you consider pursuing additional initiatives?

We're always working to try to improve processes and ensure the … promotion of business opportunities, and certainly innovative ones. There are many things that we can do and we're certainly open to suggestions.

I think it's really important that whenever this question is asked, to step back and say, “OK, what companies are we talking about?”

[There are] great, innovative companies that want to do great work, and have easy access and comply with consumer protection laws and [don’t] take advantage of consumers.

[But] we are very concerned about this proposal … because of the predatory actors that exist out there.

The online lenders that are actually not serving the public in any way, because all they're doing is taking advantage of people at their vulnerable moments.

And that’s creating a debt spiral for consumers, and we saw that in mortgages, and we should not allow that to happen again in another way.

I'm not saying that it is the objective of this charter, the OCC’s objective, but this is a way for those entities to be able to further abuse and affect the lives of consumers.

As DFS superintendent, I am protecting New Yorkers. And every state regulator is there to protect the citizens of that state and that's why deference to the states on issues like this is so critical.

That's our real concern with this federal charter concept, particularly with these types of institutions, where there won't be another regulator of them.

And, of course, they're not depository, so even the FDIC won't be involved, will it? Will there be Community Reinvestment Act exams, CRA exams that our institutions have to go through, will they go through them too? Will they have anti-money-laundering and Bank Secrecy Act compliance requirements? What are they going to do about cybersecurity? All those things. This hasn't been laid out. That's the real risk.

If New York keeps getting tough on banks, by enforcing tough cybersecurity rules or banning bad actors, are you concerned that they could move on to the federal system?

There's two separate issues.

I haven't heard a single person say that we in the United States or anyplace else should not be ever-vigilant about the risks of cybersecurity. That's a given. The question is what can we do to prevent cyberattacks?

Many of our institutions have already been doing a lot of work in this area. I just think you can't have weak links because the terrorist will find the weak link. The foreign government seeking to find further information will find the weak link.

We need to be vigilant on that and with our cyber-regulation, we went through an extensive comment process, two comment periods. We made significant changes when we received those comments, because they were good suggestions.

We think that's it's a step forward to protecting our industry as well as our people from what really is one of the greatest threats that faces us today. I don't think somebody is going to leave New York because they have to have a cyber program or policy.

The banks say they already have to comply with numerous overlapping cybersecurity requirements at the state and federal level

The federal regulators at issue should adopt our cyber reg. And then we'll be very, very consistent. There isn't another one, right? So there's no overlap.

The federal banking regulators are currently working on a big-bank cybersecurity rule.

Understood, but they've been working on that for a long time.

We hear all the time that there are overlapping regulations and I'm very sensitive to that. And if there are things that I can do to work through questions about what our regulation means versus another regulator that regulates the same institution, I am very open about all those things.

But on cyber, there's no one else that's actually done it.

How about the measure to ban bad actors?

The bad actors bill is pretty straightforward. It says that if we learn of misconduct by an individual who works at an institution in the financial services industry in New York, then I should have the power to suspend them or ban them from engaging in the financial services industry in New York — with due process, administrative hearing, right to appeal in court, all those things are in the law as it is.

My authority allows me to actually revoke a license or suspend a license. This is about individuals who may be the bad actor in an institution that's been abused by that individual. The institution is in some of these scenarios, and its shareholders, the victim of a bad actor.

It's helpful to industry — they don't want someone who has been found to have lied to a regulator, for example, or have committed some misconduct or not to follow the law in some way. It’s only for those serious offenses that actually impair the institution in some way, where the person really has not demonstrated the ethics to be able to be in the industry. The proposed statute is very narrow in the provisions for disqualification.

The financial crisis and other events taught us that individuals actually can make very grave mistakes, and we need to make sure that people that are responsible can't do it again.

It shouldn't be viewed as earth-shattering that a regulator has this authority, because so many have it.

What are your thoughts on the Dodd-Frank rollback efforts?

I’m not averse to the review of existing regulations. I'm doing it here — determining which regulations fit modern times versus whatever circumstances that led to the regulation at a particular point in time in the first place.

What I think is not a good idea is to come out and say, “If you're going to do a regulation, you have to get rid of two regulations.” There's no substance to that.

Reviewing regulations is what a regulator should do and that's good. Dodd-Frank came about — and it was bipartisan — because of the financial crisis. If you were to tell me repeal Dodd-Frank, I'd be opposed to that.

Like any law, there may be tweaks, but these things are complicated. You need to really think about messages that are sent and what ramifications there could be to our markets.

What led to the financial crisis was a culture of deregulation that didn’t turn out very well, and I think Dodd-Frank's objective was to prevent that. We haven't seen anything that leads me to think that it went off the rails somewhere.

I think the Consumer Financial Protection Bureau should stay as it is. I think it's done a tremendous job for consumers and for markets. I think it's protected us. I think it's made clear that people who abuse the law and engage in deceptive or abusive practices have a watchdog there that makes sure that that doesn't happen.

And I think that the structure is intended to maintain its independence, and I think that's a good thing.

Subscribe Now

Access to authoritative analysis and perspective and our data-driven report series.

14-Day Free Trial

No credit card required. Complete access to articles, breaking news and industry data.

Lalita Clozel

Lalita Clozel covers fintech regulation, anti-money-laundering, cybersecurity and the Federal Deposit Insurance Corp. in American Banker's Washington bureau.