In early August an Assurance of Discontinuance (the “AOD”) was entered into by all parties in the actions brought by the Colorado Attorney General and the Colorado Uniform Consumer Credit Code Commissioner against Avant of Colorado, LLC and Marlette Funding, LLC.[1] While the AOD resolved the specific underlying issues and allegations raised in the matter, the AOD importantly establishes a conclusive “safe harbor” framework to apply when determining who is the “true lender” in a partnership between a bank and a non-bank lender/fintech in Colorado.

Though not law or formal regulation, the AOD creates a safe harbor for other banks and FinTechs operating FinTech partnerships in Colorado. The settlement comes on the heels of a June 9, 2020 Colorado District Court Order that had determined that Marlette was the “true lender” of the loans and disregarded federal rate preemption. The Court similarly rejected the concept of “valid when made” finding that assignees of loans are not allowed to collect the same interest rate as the original lender. The Defendants in the original case filed a parallel case in federal court, however the federal courts abstained from weighing in on the matter until the state concluded its investigation. In parallel, the State of Colorado brought in numerous trustees and trusts containing the loans. In its opinion, the Colorado courts have expressly denied any application of the “valid when made” doctrine and chose to ignore (then) pending FDIC and OCC[2] rulemaking in support of the “valid when made” concept. This decision and the settlement are part of an overall, ongoing fight between state regulators and federal banking regulators over bank-FinTech partnerships.[3]

This settlement is likely another step in the ongoing battle between federal banking regulators seeking the expansion of banking partnerships and the role of banks in modern, technology-driven financial services and the state financial regulators fighting to maintain powers over non-bank entities that were previously subject to a fragmented, disjointed state regulatory regimes. Both banks and FinTechs will likely continue their efforts to find workable, nationwide lending and payment platforms that avoid 50 statutes, 50 regulatory regimes, dozens of annual exams, and the inability to unify and market product offerings 21st century consumers that seek financial products online or through mobile devices. If anything, the current COVID-19 pandemic has reinforced the need for modernization and unification in lending and payments in a digital economy—an ongoing problem faced by state-licensed lenders and payment providers (setting aside the extreme compliance costs of operating a multi-state lending or payments platform).

If you are a party to a bank partnership serving consumers within the state of Colorado and wish to fall within the safe harbor, it is imperative that you review your program for compliance with these elements. The AOD breaks down the mandatory requirements for safe harbor into five sections: (1) Oversight Structure (2) Disclosures and Funding (3) Licensure (4) Limitations on Consumer Terms and (5) Structural Requirements.

1. Oversight Structure

• Loans must be subject to oversight by bank’s prudential regulators.
• The bank must provide its regulators with access to examine, review, and audit the FinTech.
• The bank maintains approval authority over all loan origination services provided by the FinTech.
• The bank maintains approval authority over all marketing content related to the loans.
• The FinTech must retain all bank marketing approvals for a reasonable period of time (but at least as long as required by the bank’s applicable regulators).
• The bank maintains approval authority over all content displayed on websites.
• The bank maintains control of all terms of credit either: (i) through a written credit policy or (ii) other approval mechanisms. This includes:
  • The bank has the absolute right to approve, deny, or modify the credit policy.
  • Changes to the credit policy must only be effective once approved.
  • All credit decisions must comply with the policy unless subject to bank-communicated exception.
  • All exception approvals must be maintained by the FinTech for a reasonable period of time.
  • The bank oversees any credit models (except third-party models like FICO).
• The bank may change marketing or credit approvals at any time.
• The bank may require the FinTech to revise or implement new policies or procedures at any time.
• The bank approves the FinTech’s third-party risk management and oversight programs.
• The FinTech must retain these approvals for a reasonable period of time.
• The FinTech must maintain a Compliance Management System (CMS) approved by the bank.
• The bank (or the bank’s third-party agent) conducts an annual compliance audit of the FinTech.
• The FinTech must maintain a complaint management system that:
  • Provides reporting to the bank of complaints.
  • Institutes a process for the FinTech and Bank to respond to complaints as directed by the bank.
• The FinTech discloses to the bank compliance gaps and the bank approves and oversees corrective action, as appropriate.

2. Disclosures and Funding

• The loan must identify the bank as the lender.
• Website content and consumer disclosures must identify the bank as the lender.
• The bank must fund loans from its account. Funds may not be provided to the bank by the FinTech for the purpose of funding loans.
• The bank may require the FinTech to maintain a deposit account at the bank to secure the FinTech’s obligations (subject to the restrictions on security interests, below).

3. Licensure

• If the program: (i) offers supervised loans in Colorado and (ii) the FinTech takes assignment of the loans and undertakes direct collection of the loans, the FinTech must obtain a license from the Colorado Credit Administrator.
• A FinTech subject to this licensure must submit an annual compliance report as part of its Supervised Lender Annual Report containing:
  • A list of every loan originated under the authorization;
  • A statement of compliance and explanation of compliance with this determination.
• The bank must cease originations if it is notified that the FinTech has not provide this compliance report to the Administrator.
• The Administrator cannot refuse to renew a supervised lender license based on participation in these safe harbors.

4. Limitation on Consumer Terms

• Specified Loans may not have an APR greater than 36%.
• Under the Programs, a “Specified Loan” is a loan: (i) to a Colorado resident, (ii) through a Program between a bank and FinTech, and (iii) with an APR that exceeds the Supervised Loan Rate in Colorado (generally 21%, although some increase for smaller-balance loans). Thus, these restrictions will generally apply to loans between 21% and 36% APR.[4]
• The loans must contain Colorado choice of law provisions except that the loans may reference that federal law will apply where it preempts Colorado law or where it would regulate “interest” in terms contemplated by the federal statutes addressing rate exportation.

5. Structural Requirements

The program must comply with at least one of the following requirements: