October 28, 2016

There Is No On-Ramp – Lessons for FinTech from the CFPB

"But we're just a software company!"

Many FinTech firms have a similar reaction upon learning of the compliance obligations applicable to the financial services solution they are developing. Unfortunately, when those services are used by individuals for personal, family, or household purposes, such companies have crossed the threshold from software and tech to the highly regulated world of consumer finance. And although multiple federal regulators have discussed developing "safe spaces" for financial innovation, there is no on-ramp, beta testing, or grace period permitted for compliance with consumer financial protection laws. As demonstrated in recent enforcement actions, the CFPB not only expects full compliance on day one, but is also specifically targeting statements by FinTech companies about products, services, or features that may be more aspirational than accurate.

This article discusses two recent CFPB enforcement actions, against LendUp and Dwolla, and how those actions illustrate the conflict between FinTech companies' need to attract users through speed to market and aggressive product narratives and the need to develop appropriate compliance procedures.


On September 27, 2016, the CFPB announced a consent order against online lender Flurish, Inc., which was doing business as LendUp, for multiple violations of federal consumer financial protection laws. LendUp, a FinTech company working to disrupt the payday and short-term loan industry, was required to refund more than 50,000 customers approximately $1.83 million and pay a civil penalty of $1.8 million. Among other allegations, the CFPB claimed that LendUp failed to make required disclosures about the APR on its loans and additional fees associated with certain repayment methods. For the purposes of this discussion, however, we will focus on the CFPB's allegations that LendUp failed to deliver on the more innovative aspects of its service.

LendUp's business model revolves around the "LendUp Ladder," which is advertised as a way to reward its customers for paying off their loans on time by offering them access to improved credit terms. LendUp offers four loan classes: Silver, Gold, Platinum, and Prime. At each step up the LendUp Ladder, the company offers improved loan terms, including lower interest rates and larger loan amounts. Customers are initially offered access to Silver or Gold loans, but after building points through successful repayments and financial responsibility courses offered by LendUp, customers are able to "climb" the LendUp Ladder. At Platinum and Prime status, LendUp offers the option of longer-term installment loans instead of payday loans, and offers to help customers build credit by reporting repayment to a consumer reporting agency. According to news articles, LendUp's CEO has stated that LendUp aimed to "change the [payday loan] system from the inside" and "provide an actionable path for customers to access more money at lower cost."

According to the CFPB, however, from the time LendUp was founded in 2012 until 2015, Platinum or Prime loans were not available to customers outside of California. The CFPB stated that by advertising loans and other benefits that were not actually available to all customers, LendUp engaged in deceptive practices in violation of the Consumer Financial Protection Act.

Nonbank FinTech companies that are lenders are typically required to obtain one or more licenses from the financial regulatory agency in each state where borrowers reside. Many online lenders trip over these requirements by lending to borrowers in states where they have not obtained a license to make loans. LendUp appears to have avoided this problem by deliberately taking a state-by-state approach to rolling out its product. Based on public records and statements by the company, LendUp did not expand its services outside of California until late 2013, around the same time that it began obtaining additional lending licenses. Indeed, the CFPB did not allege that LendUp violated federal laws by attempting to collect on loans it was not authorized to make, as it did in its recent case against CashCall.

Thus, LendUp's problem was not that it made loans it was not authorized to make, but that it advertised loans and features that it did not provide.


Dwolla, Inc. is an online payments platform that allows consumers to transfer funds from their Dwolla account to the Dwolla account of another consumer or merchant. In its first enforcement action related to data security issues, the CFPB announced a consent order with Dwolla on February 27, 2016, related to statements Dwolla made about the security of consumer information on its platform. Dwolla was required to pay a $100,000 civil monetary penalty. We also discussed the Dwolla enforcement action here.

According to the CFPB, during the period from January 2011 to March 2014, Dwolla made various representations to consumers about the safety and security of transactions on its platform. Dwolla stated that its data security practices "exceed industry standards" and set "a new precedent for the industry for safety and security." The company claimed that it encrypted all information received from consumers, complied with standards promulgated by the Payment Card Industry Security Standards Council (PCI-DSS), and maintained consumer information "in a bank-level hosting and security environment."

Notwithstanding these representations, the CFPB alleged that Dwolla had not adopted and implemented appropriate written data security policies and procedures, did not encrypt sensitive consumer information in all instances, and was not PCI-DSS compliant. Despite these findings, the CFPB did not allege that Dwolla violated any particular data security-related laws, such as Title V of the Gramm-Leach-Bliley Act, and did not identify any consumer harm that resulted from Dwolla's data security practices. Rather, the CFPB stated that by misrepresenting the level of security it maintained, Dwolla had engaged in deceptive acts and practices in violation of the Consumer Financial Protection Act.

Whatever the reality of Dwolla's security practices at the time, Dwolla's mistake was in touting its service in overly aggressive terms that attracted regulatory attention. As Dwolla noted in a statement following the consent order, "at the time, we may not have chosen the best language and comparisons to describe some of our capabilities."



As participants in the software and technology industry have noted, an exclusive focus on speed and innovation at the expense of legal and regulatory compliance is not an effective long-term strategy, and with the CFPB penalizing companies for activities stretching back to the day they opened their doors, it's an ineffective short-term strategy as well.


  • Marketing: FinTech companies must resist the urge to describe their services in an aspirational manner. Online advertising, traditional marketing materials, and public statements and blog posts cannot describe products, features, or services that have not been built out as if they already exist. As discussed above, deceptive statements, such as advertising products available in only a few states on a nationwide basis or describing services in an overly aggrandizing or misleading way, can form the basis for a CFPB enforcement action even where there is no consumer harm.
  • Licensing: Start-up companies seldom have the funds or time to obtain the licenses necessary for an immediate nationwide rollout. Determining the appropriate state-by-state approach, based on factors such as market size, licensing exemptions, and cost and timeline to obtain licenses, is an important aspect of developing a FinTech business.
  • Website Functionality: Where specific services or terms are available on a state-by-state basis, as is almost always the case with nonbank companies, the website must require a potential customer to identify his or her state of residence early in the process in order to accurately disclose the services and terms available in that state.

Venable understands that comprehensive compliance is difficult and expensive, especially for early-stage companies. As LendUp noted following the announcement of its consent order, many of the issues the CFPB cited date back to LendUp's early days, when it had limited resources, as few as five employees, and a limited compliance department.

FinTech companies need an informed, risk-based approach that focuses on the issues most likely to attract regulatory attention, including statements to avoid. For information on these issues, please contact Venable's CFPB Task Force.