This article originally was published in The Business Lawyer, Vol. 74, Winter 2018-2019

By Steve Middlebrook, Sarah Jane Hughes & Tom Kierner


This survey reports on developments in the law relating to electronic payments.

Part II addresses legal challenges to federal and state regulation of e-payments products. Part III discusses the amendment (again) of federal rules regulating prepaid accounts and a state court decision regarding New York’s payroll card regulation, which decision has resulted in chaos. Part IV discusses federal and state authorities’ articulation of ethical standards for lawyers working in the cryptocurrency space. Part V addresses regulatory enforcement actions that allege unfair and deceptive practices against financial technology (“FinTech”) companies. Part VI discusses enforcement actions by the Securities and Exchange Commission (“SEC”) concerning two Initial Coin Offerings (“ICOs”). Finally, Part VII addresses litigation against cryptocurrency intermediaries, which demonstrates the need for uniform legislation defining their obligations.





Although the Office of the Comptroller of the Currency (“OCC”) did not issue any non-depository, FinTech bank charters (“FinTech charters”) since our last survey [1] , the prospect of FinTech charters remains alive—with a report on chartering apparently in progress as of May 2018. [2]

Since last year’s survey, two challenges to the OCC’s FinTech-charter plans have been dismissed. The challenge brought by the New York State Department of Financial Services (“DFS”) was dismissed on December 12, 2017, for lack of standing and ripeness. [3] The challenge brought by the Conference of State Bank Supervisors was dismissed on April 30, 2018, also on standing and ripeness grounds. [4] Neither dismissal was with prejudice, so we expect that the plaintiffs will refile when the OCC issues a charter.


The DFS continues to grant BitLicenses to virtual-currency businesses based on its June 2015 regulation. [5] Among the most recent recipients of a BitLicense is Genesis Global Trading, whose application was granted in May 2018. [6] Critics of DFS’s pace of granting BitLicenses continue to charge that the BitLicense regulator favors better-funded applicants over start-ups. [7] As of May 25, 2018, only five businesses have received a BitLicense: Circle, Ripple, Coinbase, BitFlyer, and Genesis Global Trading. [8]

On December 27, 2017, the New York Supreme Court granted a motion to dismiss a lawsuit brought by Theo Chino that had challenged New York’s authority to regulate virtual currencies. [9] No other challenge to the BitLicense or to any other state regulation of virtual-currency businesses was pending during the survey year.


The Consumer Financial Protection Bureau [10] (“CFPB”) issued prepaid accounts regulations in 2016 [11] , amended the regulations in 2017 [12] , and modified them again in 2018. [13] Among the most recent changes, CFPB amended the regulations to provide that the error resolution and limited liability requirements of Regulation E do not apply to prepaid accounts that have not successfully completed the financial institution’s customer identification and verification processes. [14] In addition, for accounts where the consumer’s identity is later verified, the issuer does not have to provide error resolution or limited liability protections for transactions that occurred prior to identity verification. [15] These changes will prevent fraudsters from obtaining cards on which the underlying funds have already been spent and then claiming the spending transactions were unauthorized.

Last year’s survey discussed the invalidation of the New York Department of Labor’s (“DOL”) regulation of payroll cards by the state’s Industrial Board of Appeals (“IBA”). [16] Subsequently, the DOL appealed the ruling, and a state court “annulled” the IBA’s decision. [17] The court noted that the IBA’s decision was based upon a finding that the DOL had exceeded its authority and intruded into the regulation of banking and that the IBA had urged DOL to consult with the DFS. [18] Relying on documents not included in the administrative record before the IBA, the court found that the DOL had consulted with the DFS and that the financial services regulator did not object to the payroll card rules. [19]


In early 2018, the Chairman of the SEC and the Chairman of the Commodity Futures Trading Commission put the world on notice that their agencies were closely monitoring cryptocurrency and, in particular, were concerned by the role some participants, including lawyers, were playing in the developing market. “[W]e are disturbed by many examples of form being elevated over substance, with form-based arguments depriving investors of mandatory protections.” [20]

SEC Chairman Clayton spoke more specifically about the ICOs that some virtual currency companies use to raise capital from investors:

[M]ost disturbing to me, there are ICOs where the lawyers involved appear to be, on the one hand, assisting promoters in structuring offerings of products that have many of the key features of a securities offering, but call it an “ICO,” which sounds pretty close to an “IPO.” On the other hand, those lawyers claim the products are not securities, and the promoters proceed without compliance with the securities laws, which deprives investors of the substantive and procedural investor protection requirements of our securities laws. [21]

Lawyers advising cryptocurrency clients, especially regarding securities and commodities issues, should heed the agencies’ warning and be sure their advice is substantive and appropriate.

Nebraska issued an ethics advisory opinion allowing an attorney to receive digital currencies as payment for legal services if the attorney follows certain guidelines. [22] The opinion requires the attorney to convert the digital currency to U.S. dollars at market rates upon receipt in order to “mitigate the risk of volatility and possible unconscionable overpayment.” [23] An attorney also may hold Bitcoin and other digital currency in escrow or trust for a client, as long as the virtual currency is held separate from the attorney’s property and kept with commercially reasonable safeguards. [24]

The U.S. Office of Government Ethics (“OGE”) issued guidance for executive-branch employees on reporting holdings in virtual currency on their annual financial disclosure forms. [25] The OGE concluded that virtual currencies were property held for income or investment purposes and, consequently, such holdings must be included on a federal employee’s disclosure report if they meet reporting thresholds. [26] OGE also noted that some virtual currencies may be securities, and, given that transactions in securities are reportable, purchases and sales of such virtual currencies also should be reported. [27] The Committee on Ethics of the U.S. House of Representatives issued a memorandum offering similar guidance to House employees, concluding that cryptocurrencies should be treated as “other forms of securities” for purposes of congressional reporting requirements. [28] The guidance noted that the Stop Trading on Congressional Knowledge Act restricts congressional employees’ participation in an initial public offering (“IPO”) of securities. [29] Because it is “unclear” whether an ICO falls within the IPO prohibition, the Committee “strongly encouraged” employees to contact ethics staff before participating in one. [30] The memorandum also concluded that revenue derived from cryptocurrency mining activity would constitute “outside earned income,” which is subject to certain limitations and reporting requirements. [31]



In November 2017, the CFPB entered into a consent order with Conduent Business Services, LLC (“Conduent”) settling charges that software errors caused inaccurate information about more than a million consumers to be reported to credit reporting agencies (“CRAs”). [32] Conduent operates and customizes software that automates many of the processes needed to service auto loans, including the furnishing of consumer information to CRAs. [33] However, loan-servicing software defects caused Conduent’s five auto lender clients to furnish inaccurate information, including the date on which a borrower first became delinquent and whether a consumer’s car was voluntarily surrendered or involuntarily repossessed. [34] The CFPB found that Conduent failed to timely fix defects identified by its clients. [35] Furthermore, when defects were identified and fixed for one client, Conduent did not notify its other clients about known defects, causing erroneous reporting to persist for years longer than it would have otherwise. [36]

Asserting its jurisdiction over “service providers” of “covered persons,” [37] the CFPB assessed a $1.1 million civil money penalty, [38] and imposed conduct provisions to remediate harm and prevent similar issues in the future. [39] This outcome should remind attorneys of the broad jurisdiction of the CFPB and the value of robust change-management policies and procedures.


In May 2018, the Federal Trade Commission (“FTC”) finalized a settlement with PayPal, Inc. regarding its privacy, security, and disclosure practices related to its popular peer-to-peer payment service, Venmo. [40] Capping a multi-year investigation into some of the same practices that resulted in a 2016 settlement with the State of Texas, [41] the FTC complaint alleged that PayPal engaged in deceptive acts or practices in violation of the FTC Act and violated the Gramm-Leach-Bliley Act’s (“GLBA”) Privacy and Safeguards Rules. [42]

The FTC alleged that PayPal violated the FTC Act by engaging in deceptive acts in three ways. First, PayPal allegedly misrepresented a consumer’s ability to transfer money from a Venmo account to an external bank account. [43] When a Venmo user sent money, the recipient would receive a notification of the transfer: “Money credited to your Venmo balance. Transfer to your bank overnight.” [44] However, the speed of transfer was not as advertised. PayPal waited until consumers attempted to transfer funds to a bank account before reviewing the transfer they received for fraud, insufficient funds, or other problems—reviews that resulted in unexpected delays for consumers. [45] In addition, PayPal would sometimes determine there were problems with the underlying transaction and debit the user’s balance—even after PayPal had alerted the user that funds were already credited. [46]

Second, the FTC took issue with the way that PayPal administered and disclosed its privacy settings. By default, the names of the payer and the payee, the transaction date and time, and a message written by the payer were displayed publicly on the Venmo social news feed and each user’s personal page. [47] PayPal allowed users to opt out of these default settings and restrict transaction information to their “Friends” or “Participants [in the transaction] only.” [48] However, to accomplish this, users had to change their privacy settings in two different places: once to restrict their own sharing of transaction data, and once to restrict the sharing of transaction data by the other user. [49] Toggling the former setting, while failing to toggle the latter, would result in one user’s less restrictive privacy settings overriding another user’s more restrictive privacy settings—something that PayPal did not adequately disclose. [50]

Third, the FTC alleged that PayPal misled consumers about security. PayPal represented that Venmo employed “bank-grade security systems” and used “data encryption to protect [consumers] and guard against unauthorized transactions.” [51] However, until approximately March 2015, the Venmo platform failed to provide security notifications regarding changes to account settings, resulting in third-party account takeovers and unauthorized withdrawals without alerting affected users. [52]

The FTC also alleged that PayPal violated the GLBA Privacy Rule and Regulation P by failing to (1) provide customers with a clear and conspicuous initial privacy notice; (2) accurately reflect its privacy policies in such notice; and (3) deliver notice so that each customer could reasonably be expected to receive actual notice. [53]

Finally, the FTC alleged that PayPal violated the GLBA Safeguards Rule by failing to (1) have a comprehensive written information security program; (2) assess reasonably foreseeable risks to consumer information; and (3) implement basic safeguards to protect that information. [54]

The consent order did not assess a civil money penalty for any of PayPal’s alleged violations. Instead, it prohibits PayPal from making similar misrepresentations in the future and requires PayPal to undertake certain security, reporting, and compliance obligations. [55]


In March 2018, the Federal Deposit Insurance Corporation (“FDIC”) settled claims with The Bancorp Bank (“Bancorp”) related to its Excella prepaid card program. [56] The FDIC alleged Bancorp engaged in unfair and deceptive practices by improperly assessing transaction fees for certain point-of-sale, signature-based transactions. [57] The FDIC order provides scant details on what led to cardholders’ being overcharged, but Excella cardholder agreements disclose a $1 fee for signature-based (i.e., authorized without the use of a personal identification number, or PIN) transactions and a $2 fee for PIN-based transactions, [58] suggesting that PIN-less transactions were, in some instances, processed as PIN-based transactions, and cardholders were assessed the higher fee.

The FDIC also stated that it “has reason to believe that the Bank violated” the Electronic Funds Transfer Act, the Truth in Savings Act, and the Electronic Signatures in Global and National Commerce Act. [59] The settlement agreement ordered Bancorp to pay restitution of $1.3 million to affected consumers and assessed a civil money penalty of $2 million. [60]


On April 25, 2018, the FTC filed suit against Lending Club, a peer-to-peer lending company that allows borrowers to create unsecured personal loans, alleging that the company engaged in unfair and deceptive business practices in violation of the FTC Act. [61]

Lending Club advertised that it charged no hidden fees, but the FTC alleged that Lending Club charged borrowers a hidden up-front fee. [62] Lending Club first performs a front-end review of consumers’ applications to determine credit worthiness. [63] Consumers who pass this initial front-end review are presented an offer, [64] with the loan amount, monthly payment, interest rate, and annual percentage rate (“APR”). [65] Only if a consumer clicked on a small green question mark next to the term “APR” did Lending Club disclose—through a pop-up bubble—that the APR is inclusive of an up-front origination fee that is automatically deducted from the loan amount. [66] For example, if a consumer had applied for a $20,000 loan, an up-front origination loan of $1,000 may factor into the APR, and only $19,000 would be disbursed to the borrower.

The FTC alleged FTC Act violations when Lending Club told consumer applicants that the “loan is on the way.” [67] In fact, Lending Club would not disburse proceeds until and unless applications passed a more stringent back-end credit review and received sufficient investor backing. [68] The FTC also alleged that Lending Club’s process and representations resulted in borrower confusion as to the status of their loans. [69]

The FTC finally claimed that Lending Club unfairly debited borrowers’ personal bank accounts by, for example, erroneously processing monthly payments twice, resulting in borrowers’ bank accounts being overdrawn. [70] Lending Club also continued to debit borrowers’ bank accounts after the loan had already been paid off. [71]

In June 2018, Lending Club filed a motion to dismiss, arguing that its origination fee is prominently disclosed in multiple locations and that it utilizes the model Truth in Lending Act disclosure form provided by the CFPB—facts, it asserts, that should defeat the government’s first deception claim. [72] Lending Club disputes the FTC’s unfairness count by arguing that the FTC presented no evidence that unauthorized withdrawals were anything more than a rare occurrence among millions of ACH transactions it processes every year. [73]

FinTech lawyers—and their less tech-y colleagues—would be well-advised to follow this case with interest, as some of the alleged deceptive practices, including the use of pop-up bubbles and “no hidden fees” claims, are not unique to Lending Club.


During 2017 and the first half of 2018, investors have poured over a billion dollars into ICOs despite obvious red flags suggesting some of the projects were fraudulent. [74] In early 2018, the SEC sued AriseBank, Jared Rice Sr., and Stanley Ford, [75] alleging their ICO was an illegal offering of unregistered securities. [76] The complaint also alleged that the offering materials “use many materially false statements and omissions to induce investment in the ICO,” [77] and that Arise-Bank’s claim to have FDIC insurance for its customers was false. [78] The SEC sought temporary restraining orders, asset freezes, and a receiver for AriseBank. [79]

On April 2, 2018, the SEC charged Centra Tech., Inc. and its co-founders with making a fraudulent ICO that raised more than $32 million from thousands of investors in 2017. [80] The SEC charged that the defendants falsely claimed that the coin offering, called “CTR Tokens” or “Centra Tokens,” would raise funds to build a number of financial products, and that they would offer coin holders a Visa or MasterCard debit card to facilitate conversion of cryptocurrencies into U.S. dollars or other legal tender. [81]

These two actions reveal a determination by the SEC to enforce the registration and disclosure requirements and measures of federal securities laws to deter materially deceptive or fraudulent statements made in ICOs. It is telling that of the many possible enforcement actions the SEC could have brought against ICOs, it focused its resources on two offerings that claimed business relationships with banks and payment networks operating in the traditional financial services environment. These actions suggest the SEC will not tolerate violations of key securities laws by innovators.


Although cryptocurrency users frequently rely on wallet providers and exchanges to manage their holdings, legal obligations of these intermediaries are not well defined. Complaints about exchanges and other services providers are increasing and are starting to generate litigation. [82]

Our 2017 survey covered the fight between the Internal Revenue Service and Coinbase, the largest U.S. Bitcoin exchange and wallet service, over a so-called “John Doe” subpoena seeking information on every single customer of the company who engaged in a virtual currency transaction during the years 2013–2015. [83] The court resolved the dispute by ordering Coinbase to turn over a limited amount of information about a significantly smaller group of customers. [84] The exchange must provide information on customers who annually engaged in transactions totaling at least $20,000, reducing the number of pertinent customers from millions to 14,355. [85] In addition, the information provided will be limited to name, address, date of birth, taxpayer identification number, and account activity records and statements. [86]

Coinbase suffered another legal setback related to the enforceability of its user agreement in a dispute where the exchange was sued for failure to identify and prevent fraudulent transactions. The Eleventh Circuit affirmed a district court decision [87] that Coinbase could not enforce the mandatory arbitration provisions of its agreement to stop litigation involving the failed cryptocurrency exchange Cryptsy. [88] When Cryptsy’s founder fled the country with his customers’ cash, certain users initiated a class action against the company and its founder, and the court appointed a receiver. The class and the receiver then initiated an action against Coinbase, alleging it had aided and abetted the fraud at Cryptsy and was negligent in performing certain statutorily mandated duties. [89] Thus, the district court will have to decide what, if any, responsibility a cryptocurrency exchange has to identify and stop fraud committed by its client against consumers with which the exchange has no direct relationship.

In February 2018, Ezra Sultan sued Coinbase, alleging a violation of the cybersecurity requirements under New York law. [90] Sultan alleged he gave his confidential account information to someone he thought was Coinbase’s customer service employee, but who turned out to be a hacker who used his account information to transfer cryptocurrency out of his account. [91] Sultan also alleged that the exchange processed the transfers without the “Two-Factor Authentication” code required by Coinbase policy. [92]

A March 2018 class action lawsuit alleged that Coinbase engaged in unfair business practices related to the new cryptocurrency Bitcoin Cash, which was created as a result of the hard fork of the Bitcoin blockchain, and which should have been distributed to all current holders of Bitcoin. [93] Plaintiffs contend that Coinbase wavered on whether it would support Bitcoin Cash, but then with little warning, processed some Bitcoin Cash transactions in late December 2017. [94]

Another March 2018 class action lawsuit alleged that Coinbase did not comply with California’s unclaimed property statute and that it was engaged in unfair business practices, including keeping cryptocurrency that users intended to send to third parties if the third parties never created Coinbase accounts, rather than transferring the abandoned property to the state. [95]

The lawsuits described above demonstrate that the obligations of virtual currency intermediaries are still unclear. While it does not address all of the duty issues that may apply to providers of cryptocurrency products and services discussed above, the Uniform Regulation of Virtual-Currency Businesses Act (“URVCBA”) does create a framework for regulating intermediaries engaged in holding, exchanging, or transferring virtual currencies. [96] It was approved by the Uniform Law Commission and the ABA House of Delegates as appropriate for states seeking to adopt substantive regulation of virtual-currency businesses. [97] The URVCBA requires licensure of entities engaged in virtual-currency business activity and sets out financial and operational standards, minimum security, anti-money laundering, and consumer protection requirements for such entities.


In the prior survey year, there were relatively clear steps forwards and backwards. This year’s developments affecting e-payments and e-financial services reveal the issues that regulators have with emerging products and providers’ compliance with federal and state laws without showing a clear path forward.