OCC FinTech Efforts in Legal Crosshairs, While GDPR Still Lags

The battle over FinTechs and national banking charters is about to get a bit more heated.

New York state is suing the United States.  Or to put it a bit more specifically, the Conference of State Bank Supervisors sued the Office of the Comptroller of the Currency.

The suit is one alleging that the OCC does not have the authority to provide such licenses under the FinTech charter that has been proposed. A national charter would allow FinTech firms to sidestep current practices which mandate they gain regulatory approval from each state where they operate.

As reported by Bloomberg, the suit by Maria Vullo, superintendent of the Department of Financial Services, alleges the move by the OCC is “lawless” and “ill conceived” with the possibility that it will destabilize financial markets.  The banking sector, argues the suit, is more efficiently regulated at the state level.

The OCC has been accepting applications since the end of July.  The Conference had issued a legal challenge earlier this year, now since abandoned.  Some opponents of the charter contend that it would open the door to non-traditional finance companies holding deposits, according to reports.

In response, the OCC said by e-mail, “the agency is confident in its authority to grant national bank charters including special purpose national bank charters to companies that are engaged in the business of banking, meet the qualifications for becoming a national bank, and apply to conduct business as part of the federal banking system. The agency will vigorously defend that authority, but will not comment on pending or potential litigation.”

The GDPR’s Compliance Laggards

The data continues to show a lagging effect when it comes to compliance with the General Data Protection Regulation.

This time around, research from Talend, a firm that develops cloud data integration solutions, shows that 70 percent of businesses worldwide have failed to address the requests made from individuals who have asked for a copy of their personal data. As widely reported, providing that data on requests is a mandate of GDPR, which took effect in May of this year.

The research stems from personal data requests that had been made to 103 companies with presence in Europe.  As reported by, those firms operate in verticals as far flung as travel, media and tech, as well as the public sector.   The research was conducted between June and September of this year and found that just 35 percent of Europe-based firms provided the data that had been requested.

Breaking down the data a bit more, compliance rates were better for firms that were not based in Europe.  But by vertical, an eye-opening 76 percent of retail companies failed to provide the data requested, said Talend.

Of those companies that did respond, about 65 percent of them took more than 10 days to provide the requested data, and the average response time was 21 days.  Of the quickest responses, with a single day turnaround, media and tech-centered companies shone.

The Talend data, of course, follows reports seen last month that had estimated compliance rates to be a dismal 20 percent.

Separately but still in the GDPR arena, Brave, a blockchain browser developed by Mozilla co-founder Brendan Eich, has filed privacy complaints against Google in the U.K. and in Ireland, charging that the tech giant and some of its peers are sharing consumer browsing data with advertisers without consumers’ consent.  That should trigger article 62 of GDPR, said the complaint, and launch an investigation spanning the EU into such digital ad industry practices.

“Every time a person visits a website and is shown a ‘behavioral’ ad on a website, intimate personal data that describes each visitor, and what they are watching online, is broadcast to tens or hundreds of companies,” Brave wrote in a blog post. “Advertising technology companies broadcast these data widely in order to solicit potential advertisers’ bids for the attention of the specific individual visiting the website.”

Google’s own response to Brave’s charges state, “We build privacy and security into all our products from the very earliest stages and are committed to complying with the EU General Data Protection Regulation. We provide users with meaningful data transparency and controls across all the services that we provide in the EU, including for personalized advertising.”

Upon an investigation, if the EU finds against Google, there might be fines of as much as four percent of the company’s total global turnover.


Featured PYMNTS Study:

More than 63 percent of merchant service providers (MSPs) want to overhaul their core payment processing systems so they can up their value-added services (VAS) game. It’s tough, though, since many of these systems date back to the pre-digital era. In the January 2020 Optimizing Merchant Services Playbook, PYMNTS unpacks what 200 MSPs say is key to delivering the VAS agenda that is critical to their success.