Technology companies are attempting to offer banking products and services without being subject to the same oversight as banks. Most recently, Facebook announced it was launching a digital currency and money transfer business without addressing basic consumer protections, privacy concerns or law enforcement requirements. In addition to “fintech” charters, Bigtech companies are also pursuing access to the banking system through a historical quirk in the banking laws known as the “ILC loophole.”
ILCs are state-chartered institutions that can engage in the full range of banking activities, like taking deposits and making loans. But unlike banks, they are generally not subject to the federal Bank Holding Company Act, which means their parent company is not subject to any federal supervision, regulations or standards. For this reason, there has historically been considerable opposition to the charter, and that is why Congress has often decided to place limits on ILCs. Consumer groups like the National Consumer Law Center and the Consumer Federation of America have also traditionally opposed the ILC charter due to concerns about risk to the Deposit Insurance Fund. Bigtech company ownership of an ILC introduces a new concern: that consumer data, including sensitive personal financial information, will be inadequately safeguarded and used in inappropriate and unauthorized ways.
BPI is concerned about Bigtech firms’ attempt to exploit loopholes to gain access to consumers’ financial data, in addition to the personal data that they already control. Additionally, BPI is concerned that a lack of regulatory oversight could pose systemic risks.
Consumer privacy & data security at risk
Bigtech firms owning ILCs raise serious concerns about the use, privacy, and security of customer information. The unprecedented scale of customer information—central to the economic relationship between a Bigtech firm and its ILC—will have significant implications for consumers currently protected under federal banking law. And this reliance could lead to discriminatory pricing and provisioning of both banking services and consumer products based on data flowing between the ILC and non-financial affiliates. For information-based commercial firms that rely upon data to grow their businesses, this reliance could also impair an arm’s length relationship between a commercially-owned ILC and its parent firm, creating conflicts of interest. Banks have a strong and lengthy record of abiding by a robust and strict consumer data protection law, the Gramm-Leach-Bliley Act. Conversely, commercial firms with data-driven business models have often fallen short in prioritizing privacy best practices.
Systemic risk also a concern
Large non-financial corporations would also pose challenges to state regulators’ ability to supervise a sprawling commercial parent firm, which could undermine the safety and soundness of the financial system, especially given ILCs’ access to the Fed’s payment system. Bank holding companies, supervised by the Federal Reserve Board, are subject to a panoply of regulations and robust oversight. ILCs are not, and therefore:
- not subject to prohibitions on conducting nonfinancial activities that can expose the financial system to risk
- not subject to Federal Reserve regulation (capital, liquidity, stress testing, etc.) for the parent company or affiliates
- not subject to on- and off-site examinations or enforcement
Recognizing that many financial institutions already operate through an ILC, the most effective policy would be to re-impose the (expired) regulatory moratorium on new ILC charter issuance that was included in Dodd-Frank. As a matter of fairness, Congress should ensure that any restrictions on Bigtech firms owning ILCs do not undermine the ability of existing ILCs to continue to operate their business.