Is It OK for FinTechs To Use Regulatory Arbitrage To Avoid Consolidated Supervision?

Recent developments have re-energized the conversation about whether technology companies should be permitted to engage in banking in the United States and, if so, whether they should enjoy a light-touch regulatory framework or instead be subject to the same legal and supervisory framework as ordinary banks, particularly with respect to consolidated supervision.

The developments revolve around three kinds of special “bank” charters: (1) state-chartered industrial loan companies (ILCs), for which the FDIC earlier this year resumed approving deposit insurance applications after a 13-year hiatus; (2) national bank charters for companies that provide payments (but not deposit-taking) services, a new idea recently announced by the Office of the Comptroller of the Currency’s Acting Comptroller; and (3) special purpose depository institution charters issued by select states to cryptocurrency and other FinTech firms.

These three types of special charters share one core feature – an opportunity for tech companies to engage in regulatory arbitrage to avoid federal consolidated supervision at the parent company level. We think consolidated supervision of organizations engaged in the business of banking makes good sense, as bad things tend to happen without it.

In this post, we will describe how consolidated federal supervision of banking organizations works in the United States (along with the benefits of such supervision), how the three types of special entities identified above avoid it and why we should be concerned about it.

Consolidated Supervision of Banking Organizations

Consolidated oversight of banking organizations has been a core feature of U.S. banking supervision since the Bank Holding Company Act (“BHC Act”) was enacted in 1956. As the country continued to grow during the early 20th century, so too did the nation’s banking system; what was once a largely state-based system began to take on a national footprint. This growth raised concerns about the potential development of financial-industrial monopolies and consolidation of commercial bank credit in a concentrated number of banking institutions. To address these concerns, Congress enacted the BHC Act,[1] laying the groundwork for consolidated supervision by requiring companies that control banks to register as bank holding companies (BHCs) with the Federal Reserve. The Fed would then be responsible for regulation and supervision of these firms, a framework still in place today. To promote a healthy and fair banking system, the BHC Act also effectively prohibited BHCs from controlling companies engaged in commercial activities. This separation of banking and commerce also remains in place today.

Congress has reaffirmed the need for consolidated supervision many times over the last several decades, most recently through passage of the Dodd-Frank Act in 2010, which included the model of BHC regulation as a core element of systemic risk regulation.[2] Each time, Congress was motivated by similar and reoccurring threats to the financial system and consumer protections, and the benefits of consolidated supervision were clear. These include the prevention of large conglomerates which straddle banking and commerce, fair access to credit for all corporations and the prevention of operational, reputational or financial risks that could harm a single large firm. Through consolidated supervision, regulators can ensure that financial distress in one part of an organization does not metastasize throughout the entire firm, with the ability to isolate operational, managerial or capital and liquidity risks within a BHC and address these concerns with a targeted approach. Moreover, consolidated supervision allows for the establishment and enforcement of capital requirements, which importantly means that a BHC can serve as a source of financial strength for any of its subsidiaries should they fall into troubled condition. Consolidated supervision also ensures strict enforcement of consumer financial and data protection laws on an enterprise-wide basis.

Special Entities That Avoid Consolidated Supervision

The BHC Act provides that the parent companies of entities defined as “banks” are subject to consolidated supervision in the United States. A bank is defined as (1) an insured bank or (2) an institution organized in the United States or its territories that both accepts demand deposits and makes commercial loans.[3] Every major bank operating in the United States, as well as the almost 5,000 community banks, falls under this definition. There are a few notable types of banks that aren’t covered (credit card banks, limited purpose trust companies, credit unions, certain types of savings banks), either for sound policy reasons or simply due to a favored political status. ILCs, for example, enjoy a specific exemption just for themselves, codified into the law with to the enactment of the Competitive Equality in Banking Act (“CEBA”) in 1987 and largely a result of the fact that a powerful Utah senator chaired the Senate Banking Committee at the time and was acting to protect Utah’s ILCs. Utah is by far the dominant state of choice for ILCs.[4]

ILCs, companies that receive the proposed OCC payments charter and SPDIs are not banks under the BHC Act. As noted above, ILCs are specifically exempt from the definition, while companies with the proposed OCC payments charter and the state SPDIs are neither insured banks nor do they both accept demand deposits and make commercial loans. As a result, companies that own these special entities are not deemed to be BHCs and therefore avoid consolidated supervision. More detail on each is below.

  1. ILCs

ILCs are essentially banks by a different name. An ILC can do everything an ordinary bank can do, except many ILCs are not permitted to offer demand deposits (i.e., checking accounts).[5] ILC charters confer numerous privileges, including FDIC insurance for deposits (which grants ILCs access to cheap and stable funding) and access to the Federal Reserve’s payments system and discount window. When CEBA was enacted, most ILCs were small, locally owned institutions that had only limited deposit-taking and lending capabilities under state law. By the end of 1987, the average ILC asset size was less than $45 million and Utah had only 11 total ILCs chartered, with a moratorium on any new charters.[6] Further, interstate banking restrictions and technological limitations made it difficult for institutions grandfathered under CEBA to operate a retail bank regionally or nationally and they were not permitted to call themselves a “bank”.[7]

In the mid-2000s, Walmart and Home Depot submitted deposit insurance and charter applications for ILCs. At the time, these companies were among the largest retailers in the United States, and so the applications garnered significant attention as they took the sleepy ILC charter and expanded it to new proportions, raising concerns about novel and unchecked risks and violating the U.S. policy of separating banking and commerce.[8] Walmart and Home Depot would go on to withdraw their applications, which was supported at the time by a broad coalition of lawmakers, community groups and labor unions, as well as then-FDIC Chairman Sheila Bair, who called the Walmart withdrawal a “wise choice.”[9] Subsequently, in 2006, the FDIC announced a moratorium on granting deposit insurance applications for ILCs, which was extended in 2007 for certain companies.[10] In 2010, Congress imposed a three-year statutory moratorium in the Dodd-Frank Act.[11]

Notwithstanding this history, Jelena McWilliams, the current chairman of the FDIC, indicated as early as during her Senate confirmation hearing in 2018 her view that the FDIC had a statutory responsibility to accept and review ILC applications.[12] In March of this year, the FDIC approved deposit insurance applications for two ILC applicants.[13] To its credit, the agency swiftly followed with a Notice of Proposed Rulemaking (“NPR”) to codify the standards and commitments it would apply to ILCs and their parent companies.[14] Under the NPR, the FDIC purportedly would exercise supervisory oversight over the parent companies via contractual agreements.

While the NPR is a good first step, it does not go far enough in its supervision of parent companies as it does not offer the level of protection that would be applicable if the ILC parents were subject to consolidated supervision under the BHC Act. The proposal would still allow for large national, or international, commercial firms to acquire and integrate ILCs into their business models, without needing to limit their engagement in commercial activities. The proposal does not establish sufficiently stringent safeguards in order to mitigate risks from ILC parent companies and lacks the cornerstones of Federal Reserve supervision of reporting, examinations and affiliate transaction restrictions. Further, under the NPR parent companies of ILCs would not be subject to capital and liquidity standards and would not have to comply with consumer privacy and data protection requirements applicable to banks under federal law.

One particularly concerning ILC deposit insurance application is that filed by Rakuten, known as the Japanese Amazon.[15] (While Rakuten has withdrawn its application, its CEO has indicated intent to refile.[16]) If the FDIC approves Rakuten’s application, it will set a precedent for every other Big Tech company (Amazon, Facebook, Google, etc.) to enter banking through an ILC charter without consolidated supervision. Perhaps even more concerning is that Rakuten is a foreign-owned firm. Following the collapse of the Bank of Credit and Commerce International (“BCCI”) in 1991, Congress amended the BHC Act to require foreign-owned banks to demonstrate that they are subject to consolidated comprehensive supervision in their home country before they can acquire control of a U.S. bank or open a U.S. banking branch or agency office.[17] As a non-financial firm, Rakuten is not subject to any kind of comprehensive or consolidated supervision in its home country of Japan. By acquiring an ILC instead of an ordinary bank in the U.S., Rakuten will be able to side-step the important “comprehensive consolidated supervision” considerations written into law by Congress for other foreign entities that want to conduct banking operations in the U.S. This kind of regulatory arbitrage opportunity is available to any foreign-owned commercial companies that seek to charter or acquire an ILC.

  1. OCC special purpose national bank charters for payments companies

Recently, the Acting Comptroller of the Currency Brian Brooks has expressed an intention for the OCC to issue special purpose national bank charters to payments companies.[18] Traditionally, the OCC has only granted federal bank charters to institutions that accept deposits and subsequently are eligible for deposit insurance from the FDIC.[19] The special purpose charters being proposed by the OCC would allow for non-depository institutions, in this case primarily payments companies, to be granted a national bank charter, without the requirement for deposit insurance. The intent as stated by the Acting Comptroller is for these institutions to be granted access to the Federal Reserve’s accounts and payments system. A Fed account and payments system access is the holy grail for these payment tech firms; without it, all the OCC is offering them is a federal money transmitter license that preempts them from having to comply with a patchwork of state money transmitter licensing laws.

  1. Uninsured state-chartered deposit institutions for FinTech and crypto firms

Similar to the ILC charters of Utah and Nevada, other states have recently begun creating special purpose depository institution charters to serve the needs of specific niches in the financial market. The best current example is the Special Purpose Depository Institution (“SPDI”) charter offered by the Wyoming Division of Banking. Recently, Wyoming granted the first of these charters to Kraken Financial.[20] Kraken Financial will be the newest member of the larger Kraken conglomerate, which includes Kraken’s exchange, a cryptocurrency exchange. Kraken’s new bank will “provide comprehensive deposit taking, custody and fiduciary services for digital assets”, including, “paying bills, receiving salaries in cryptocurrency to incorporation digital assets into investment and trading portfolios,…”[21]

As with the OCC’s payments charter, the holy grail for these institutions is to obtain access to a master account at the Federal Reserve and access to the Fed’s payments system.[22] We’ve previously opined about the frailties of Kraken’s business model.[23]

Lack of Consolidated Supervision in the Real World

Why does any of this matter? Why should policymakers care whether or not ILCs, OCC “payments” banks or SPDIs are subject to consolidated supervision? The short answer is that banking relies on trust and confidence, and a lack of consolidated supervision means the shortcuts, shenanigans and fraud will have a place to hide and grow, until they spill over into the regulated entity and into the light. At which point the damage will be done, the recriminations will commence and we’ll all wonder (some more genuinely than others): how did we let this obviously flawed approach take root in our banking system, where trust and confidence is known to be so critical? How could we have been so short-sighted, we’ll wonder.

We need look no further than Europe earlier this year for an example. As a direct competitor of U.S. corollaries PayPal and Square, Wirecard AG was at the forefront of the payments industry in Europe, claiming to process upwards of $140 billion worth of transactions per year on behalf of its customers. Yet, on June 18, it was revealed that nearly $2 billion that the company claimed to be holding in a pair of banks in the Philippines was missing, or perhaps never existed in the first place. The missing funds would have accounted for the entire corporation’s profits over the last decade. Wirecard quickly crumbled. Its market cap, which was once nearly $30 billion, now hovers around $75 million.[24]

Wirecard had chartered banking entities in Germany and the UK. However, it was not subject to consolidated supervision anywhere. In Germany, Wirecard AG, the top-tier company, was not a “bank” and, as Deputy President of BaFin Elisabeth Roegele noted, “[a]s a listed company, Wirecard AG is not subject to BaFin’s ongoing supervision…”,[25] which meant that BaFin was not supervising the major operations of the company, nor any of its affiliates. BaFin only had true supervisory authority over Wirecard’s main bank subsidiary, Wirecard Bank AG. This lack of holistic supervision was not simply a blind spot that Wirecard took advantage of, but rather representative of an industry-wide issue, as was made evident by a 2017 report from the European Banking Authority, which found that 31 percent of surveyed FinTech companies were not subject to any regulatory regime under EU or national law.[26]

Wirecard’s U.K. subsidiary, Wirecard Card Solutions, has an e-money license, which permits the company to handle digital cash without becoming a deposit-taking bank.[27] The entity can also issue credit cards under the Visa and Mastercard brands. In addition, FinTech startups have used Wirecard as a way to offer digital wallets, money transfers and widely accepted payment cards. In response to the events concerning Wirecard AG and in an attempt to protect consumer funds in the U.K., in June, the U.K.’s Financial Conduct Authority (“FCA”) temporarily imposed restrictions on Wirecard’s operations including a prohibition on disposition of assets and cessation of regulated activities, which caused millions of customers to lose access to their accounts.[28] The FCA later issued guidance to strengthen payment and e-money companies’ risk management and arrangements for safeguarding customer funds.[29]

It is not hard to see the parallels between Wirecard and the current debate in the U.S. financial system. It also becomes increasingly difficult to ignore the cascading and systemic effects this failure caused not only to larger financial system, but also consumers. Hundreds of thousands of individual customers and small businesses were left without access to their funds or ability to process payments for days. Many of these customers transacted with third-party affiliates dependent on Wirecard’s infrastructure and many others are still facing uncertainty related to the future of the corporation and technology which they have integrated into their own business operations.[30] Further impacts are still being uncovered across the financial system, with Commerzbank alone writing off €175 million in loans made to Wirecard, a greater loss from the scandal than from all COVID-19-related economic fallout, along with multiple other banks and institutions writing off multimillion-dollar losses for the second quarter.[31] These impacts are not just limited to Europe. With Wirecard subsidiaries operating across the world, including partnerships in the U.S., the systemic impacts on the global financial system are still being realized.

Fortunately, the Europeans are learning from their mistakes. In response to the Wirecard scandal, the European Union’s financial services chief announced that the European Securities and Markets Authority (“ESMA”) would conduct a review into regulation of FinTech firms to assess how supervision of these firms could be improved so that these cases could be detected.[32] Possible changes identified may involve transparency requirements for listed firms as well as accounting rules and market abuses standards. In addition to reviewing the rules, ESMA will also review supervision by regulators. In addition, the European Commission adopted a retail payments strategy in September to further develop the European payments markets.[33] Among other things, this payments strategy aims to create safe payment solutions where risks are monitored and mitigated effectively and notes that the Commission will evaluate risks from unregulated services and assess how to mitigate, including by subjecting providers to direct supervision. The Commission will also ensure proper linkages between the supervision of payment services and the oversight of payment systems, schemes and instruments.

China offers another example. On Sept. 13, the People’s Bank of China announced new regulations aimed at imposing consolidated supervision on large Chinese financial conglomerates, including FinTech behemoths Ant Financial and Tencent Holdings, which through Alipay and WeChat operate the dominant payments platforms in China. These conglomerates also provide online lending and investment products and services, and Ant operates the world’s largest prime money fund. Under the new regulations, each conglomerate’s parent company is required to register as a Financial Holding Company and will be subject to capital and risk management requirements, as well as direct supervision by the Chinese central bank.[34]

The Chinese are clearly waking up to the risks to financial stability and consumers posed by FinTech firms and are taking steps to ensure there is an appropriate supervisory framework in place to monitor and mitigate those risks. The reforms are likely to present meaningful challenges to the Chinese FinTechs. For example, as of the date of this writing, Ant Group’s $37 billion IPO was put on hold at the last minute as the company struggles to publicly disclose how it will meet its new regulatory obligations.[35]

*             *             *

In the United States, it’s clearly favorable for FinTech and Big Tech companies to seek special entity charters: doing so allows them to enjoy the benefits of owning a bank without having to contend with the full set of duties, responsibilities and accountability that go along with it. It’s good for them because it keeps costs down and profits high, and they shouldn’t necessarily be faulted for trying to exploit the regulatory arbitrage opportunities available. However, the loopholes created by these special entity charters will be bad for U.S. consumers and financial stability. Let’s not wait for our Wirecard here; let’s avoid the problem at the outset by calling out these regulatory arbitrage opportunities for what they are, and bring the special entity charters into the consolidated supervision framework.


[1] Omarova, Saule T. and Margaret E. Tahyar, “That Which We Call a Bank: Revisiting the History of Bank Holding Company Regulations in the United States” (2012). Cornell Law Faculty Publications. Paper 1012. Page 121. Retrieved from:

[2] Id. at 114.

[3] 12 U.S.C. § 1841(c)(1).

[4] See 133 Cong. Rec. S3810 (March 25, 1987). Sens. Jake Garn (R-UT) and William Proxmire (D-WI) co-sponsored the ILC exemption.

[5] Five states currently offer ILC charters, with the majority issued by Utah and Nevada. Where permitted by state law, an ILC may offer demand deposits if the ILCs assets are less than $100 million or if the ILC has not been acquired after Aug. 10, 1987.

[6] See Johnson, Christian & George S. Kaufman, “A Bank by Any Other Name.” Federal Reserve Bank of Chicago Economic Perspectives. 4Q2007. Retrieved from: Utah implemented a moratorium on new ILC charters after a number of ILCs in the state experienced significant financial difficulties, resulting in the need for $45 million of state assistance to meet depositor claims.

[7] Changes in both federal law and technology now permit an FDIC-insured ILC chartered in certain states, such as Utah, to open branches and offer its products to consumers and businesses throughout the country.

[8] At the time Walmart and Home Depot submitted their applications, there were 58 ILCs operating in seven states.

[9] Hudson, K., & Wells, R. (2007, March 17). Wal-Mart Cancels Its Bank Plan. Retrieved from: Zimmerman, A. & Paletta, D. (2008, January 24). Home Depot Has Withdrawn Application to Buy a Utah Bank. Retrieved from:

[10] See 71 Fed. Reg. 43,482 (Aug. 1, 2006) and 72 Fed. Reg. 5,290 (Feb. 5, 2007).

[11] Section 603 of Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, § 603, 124 Stat. 1376, 1597 (2010).

[12] Clozel, L. (2018, January 23). Trump’s FDIC Nominee Promises Relief for Small Banks. Retrieved from:

[13] On March 17, the FDIC approved applications by Square Financial Services, Inc., a U.S. based fintech payments company, and Nelnet Bank, a U.S. student loan provider. See FDIC, Approval Order for Deposit Insurance of Square Financial Services, Inc., Salt Lake City, Utah (March 17, 2020) and FDIC, Approval Order of Deposit Insurance of Nelnet Bank, Salt Lake City, Utah (March 17, 2020).

[14] 85 Fed. Reg. 17,771 (March 31, 2020). The FDIC’s NPR would not apply to parent companies of ILCs that are otherwise subject to consolidated supervision by the Federal Reserve.

[15] Hrushka, A. (2020, August 26). Rakuten to continue ILC charter pursuit, subsidiary CEO says. Retrieved from:

[16] Rakuten first filed in July 2019 and again in March 2020. This pattern of filing, withdrawing and refiling has ultimately been successful for other ILC applicants, such as Square and Nelnet.

[17] 12 U.S.C. § 1842(c)(3)(B) and 12 U.S.C. § 3105(d)(2)(A).

[18] Sparks, E & Kern, S. (American Bankers Association). (2020, June 25). OCC’s Brooks Plans to Unveil ‘Payments Charter 1.0’ This Fall [Audio podcast] Retrieved from:

[19] In 2003, the OCC adopted a rule providing that a special purpose bank had to provide at least one of the following three core banking functions: receiving deposits; paying checks; or lending money. In other words, it could choose not to receive deposits – something that all prior national banks had done and was generally understood as a requirement. However, the OCC never approved a special purpose charter under its 2003 rule. See 68 Fed. Reg. 70,122 (Dec. 17, 2003).

[20] See Announcement by KrakenFX “Kraken Wins Bank Charter Approval (Sept. 16, 2020) (“Kraken Announcement”). Retrieved from:

[21] Id. It is our understanding that Kraken Financial takes the position that it is eligible to accept insured deposits; however, it has not applied for nor received approval from the FDIC to do so.

[22] Note that the Federal Reserve has yet to publicly opine on these charters and still maintains decision making authority as to whether or not to allow such charters access to Federal Reserve accounts and systems.

[23] BPI Staff, Beware the Kraken, Oct. 21, 2020. Retrieved from:

[24] DAX. (2020, October 10). Wirecard AG. Bloomberg. Retrieved from:

[25] Federal Financial Supervisory Authority. (June, 6, 2020) “Blind Reckless? No!”. Retrieved from:

[26] European Banking Agency. (2017) Discussion Paper on the EBA’s approach to financial technology (FinTech) (EBA/DP/2017/02).

[27] Laurent, L. (2020, July 3). Your Wirecard E-Cash Was Safe Until It Wasn’t. Retrieved from:

[28] Financial Conduct Authority. (2020, June 26). Wirecard can resume regulated activity. Retrieved from:

[29] Financial Conduct Authority. (2020, July 9). Coronavirus and safeguarding customers’ funds: guidance for payment and e-money firms. Retrieved from:

[30] Megaw, N. (2020, June 29). UK consumers dragged in Wirecard’s collapse. Retrieved from:

[31] Storbeck, O. (2020, August 5). Commerzbank takes greater loan loss from Wirecard than Covid-19 debt. Retrieved from:

[32] Jones, Huw. (2020, July 24). Wirecard scandal brings overhaul of EU fintech rules into sharper focus. Retrieved from:

[33] European Commission (2020, September 24). Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on a Retail Payments Strategy for the EU. Retrieved from:

[34] Xie, S. (September 13, 2020) China’s New Financial Rules to Cover Jack Ma’s Ant Group. Retrieved from: In adopting the new regulations, the Chinese central bank said that “FHCs tend to be large in size, with diverse and connected businesses across different institutions, markets, industries and regions, and thus are related to the country’s financial security and public interests which call for the regulation of their market access.”

[35] FT Reporters. (Nov. 4, 2020). Beijing says it halted $37bn Ant IPO to protect market stability. Retrieved from: Chinese regulators halted Ant Group’s IPO in an effort to “better maintain the stability of the capital markets and to protect investors’ interests” and will force Ant to, among other things, increase their capital levels in its micro-lending units.” Bloomberg News. (Nov. 3, 2020). China Tells Ant It Can’t Go Public Until Capital Shortfall Fixed. Retrieved from: