Melissa Baal Guidorizzi

Partner

Washington, D.C.

Read full biography at www.orrick.com

Drawing on nearly two decades in enforcement at the Consumer Financial Protection Bureau (CFPB) and in-house at a global diversified financial services corporation, Melissa Baal Guidorizzi advises traditional financial institutions and emerging financial technology (fintech) companies on consumer financial services compliance, regulatory investigations and enforcement actions and litigation.

During Melissa's tenure at the CFPB's Office of Enforcement, she developed supervision and enforcement priorities, identifying subjects for examinations and investigations. She also shaped federal consumer financial laws that impact cryptocurrency markets, new payment technologies, and established financial institutions, including the Electronic Fund Transfer Act (EFTA), the Truth in Lending Act (TILA), Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) and the Fair Credit Reporting Act.

Melissa also spent nearly a decade in-house at a large multinational financial institution, where she was responsible for implementing regulatory compliance initiatives, defending enforcement actions and managing regulatory examinations.

Posts by: Melissa Baal Guidorizzi

CFPB Makes an Entrance: Crypto Products Targeted

Melissa Baal Guidorizzi, Daniel Forester and Taylor Sullivan

Ending doubts regarding its interest in the space, the Consumer Financial Protection Bureau (CFPB) has for the first time publicly acknowledged its investigation of a crypto company — and it’s likely a sign of things to come.

The agency hinted at increased enforcement in a summary of consumer crypto complaints in November 2022. The CFPB acknowledged an investigation for the first time that same month, when it published a decision in the case.

Crypto companies with direct-to-consumer products should take note — and consider steps to mitigate risk.

What Happened?

The CFPB sent a Civil Investigative Demand (CID) for testimony in December 2021 to Nexo, a cryptocurrency platform that offers an earned-interest product and lets customers make deposits.

The CID focused on whether Nexo made “false or misleading representations to consumers” about its safeguards used to protect crypto assets. The CFPB also stated that the investigation included potential violations of the Electronic Funds Transfer Act, confirming its view that the law applies to crypto assets.

Nexo filed a petition to set aside or modify the CID. It argued that the SEC views interest-bearing crypto accounts as securities that are subject to SEC regulation and exempt from CFPB jurisdiction.

CFPB Director Rohit Chopra denied the petition. He noted that Nexo had been unwilling to fully concede that its product was a security subject to SEC regulation and that “it [was] too early to tell whether Nexo … was required to be registered with the SEC,” and exempt from the CFPB’s jurisdiction.

Since then, Nexo announced it had made “the regrettable but necessary decision” to phase out its products and services in the U.S. after “inconsistent and changing positions among state and federal regulators.”

What does this mean?

Though this is the first publicly identified CFPB crypto investigation, there are likely more on its docket.

This matter also reveals that CFPB crypto investigations have been ongoing since at least the fourth quarter of 2021. Less than two weeks before issuing the Nexo decision, the CFPB issued a Crypto-asset Complaint Bulletin. The CFPB typically uses these bulletins to notify a market of its plans to address certain types of consumer harm. Three top crypto complaint themes likely to trigger CFPB interest include:

Fraud: 40% of consumer complaints in the bulletin were a result of having been victimized by fraudulent activity or scams in the crypto ecosystem.
Access to Funds: Many consumers reported struggling to access their funds due to issues with crypto platforms and the freezing of funds before filing for bankruptcy protection.
Poor Customer Service: A major issue cited in the complaint bulletin was the inherent lack of customer service provided to consumers in the crypto market. Consumers described company customer service as non-responsive or non-existent. The CFPB launched an initiative to improve customer service this year with Director Chopra’s stated goal “to ensure the legally enshrined right to obtain basic customer service.”

Looking Forward

We expect increased enforcement action aimed at addressing the themes in the Crypto-asset Complaint Bulletin. Crypto companies that have not affirmatively subjected themselves to SEC or CFTC authority may be more vulnerable to CFPB scrutiny. In an environment of increased regulatory risk, we recommend that crypto companies review their products and services from a consumer/end user perspective and pay attention to customer complaints.

Contact Melissa Baal Guidorizzi and Daniel Forester if you have any questions regarding recent regulatory trends and best practices for building compliance programs if your company is subject to the CFPB’s enforcement and examination powers.

European Crypto Regulation on the Verge of Enactment

Daniel Jones, Melissa Baal Guidorizzi, Daniel Forester and Guy Stevenson

The EU’s Markets in Crypto-Assets (MiCA) regulations are now all but final and may take effect this year. MiCA will provide new regulatory frameworks, including licensing and disclosure obligations, for participants in the cryptocurrency ecosystem, including token issuers, financial intermediaries (exchanges, brokers, etc.) and custodians.

What Happened

The Economic and Monetary Affairs Committee of the European Parliament gave its approval to MiCA on October 10, 2022, the latest step in a process that has lasted more than two years.

What’s Next

This paves the way for the larger European Parliament plenary to approve the regulations, a step that often is merely procedural. Once the plenary approves MiCA, it will become effective and mark the beginning of 18 months in which firms must become compliant, with the regulations coming into full effect in the second or third quarter of 2024.

While the text of MiCA helps provide regulatory certainty for crypto-asset businesses and consumers in the EU, additional practical guidelines for implementation will also be drafted to further elaborate MiCA.

MiCA’s Goals

MiCA’s main objective is to provide a level of regulatory and economic harmonization to crypto-asset businesses and consumers across Europe. Guiding principles of MiCA include:

Providing legal certainty through clear definitions of crypto assets and activities in relation to those crypto assets that are in scope;
Providing for consumer protection and market integrity alongside financial stability of crypto-asset businesses; and
Encouraging innovation and fair competition in the European crypto-assets markets and avoiding regulatory arbitrage between member states.

Businesses engaged in activities that are within the scope of MiCA will, at a minimum, be required to register with the competent regulatory authorities and produce a detailed white paper for their business, in a form and content specified by MiCA.

MiCA will not apply in the United Kingdom or Switzerland as they are not member states of the European Union. While similar principles of regulation may apply in these two jurisdictions, separate analysis is needed to understand what crypto-asset businesses must do to achieve compliance with local regulation.

What MiCA Missed

The final text of MiCA omits treatment of Non-Fungible Tokens, Decentralised Finance, Decentralized Autonomous Organizations and Proof of Work consensus mechanisms. European regulators are expected, however, to treat fractionalized NFTs as utility tokens governed by MiCA.

How Will MiCA Impact the U.S. Market?

MiCA reflects the EU’s acknowledgement that digital assets are a persistent part of a modern financial system. Whether the EU’s steps to define and regulate digital assets will influence U.S. regulators remains to be seen.

The Biden Administration’s March 2022 Executive Order on Ensuring Responsible Development of Digital Assets remains the most comprehensive U.S. policy statement on the topic. While there are numerous proposed legislative efforts in the U.S. Congress, the U.S. has yet to produce comprehensive legislation or regulatory guidance. Instead, regulators have relied on enforcement actions and individual agency guidance to inform market participants. We expect the U.S. regulatory regime to continue, at least in the short term, to take coordinated but separate action aligned with the Executive Order’s primary objectives of protecting consumers and investors.

The Orrick fintech team takes an international approach to digital asset markets. We will continue to monitor regulatory developments in both the U.S. and Europe to support our clients and innovation in crypto.

Federal Reserve Requires Banks to Provide Notice Regarding Crypto-Asset-Related Activities

Darrell Cafasso, Daniel Forester, Melissa Baal Guidorizzi, Joseph Perkins and Brittany Roehrs

Federal Reserve Requires Banks to Provide Notice Regarding Crypto-Asset-Related Activities

The Federal Reserve Board (“FRB”) announced a significant shift requiring FRB-supervised banking organizations to disclose any current crypto-asset-related activity and to notify FRB in advance of entering into any such business activities in the future. This notification requirement may add some friction to the bank adoption of crypto-asset activities. This announcement follows the OCC’s previous direction to its supervised entities to “notify its supervisory office, in writing of its intention to engage in a range of crypto related activities.” With similar direction aimed at Federal Reserve banks that more regularly interact with crypto projects, legal and regulatory compliance diligence will be even more important.

What Happened

On August 16, 2022, FRB issued a letter to all of its supervised banking organizations requiring those institutions to notify their lead FRB supervisory point of contact if such banking organization is engaged in or intend to engage in “crypto-asset-related activities” in order to “ensure such activity is legally permissible and determine whether any filings are required under applicable federal or state laws.”
“Crypto-asset-related activities” include crypto-asset safekeeping and traditional custody services; ancillary custody services; facilitation of customer purchases and sales of crypto-assets; loans collateralized by crypto-assets; and issuance and distribution of stablecoins.
The letter also specifically referenced stablecoins as potentially posing risks to financial stability if adopted at large scale.

How Will This Affect Banking Organizations?

Supervised banking organizations must:

Ensure the Activities Are Legally Permissible
- Supervised banking organizations must assess the legality of the proposed crypto-asset-related activities under state and federal laws and determine whether any filings are required under federal banking laws, including The Bank Holding Company Act, Home Owners’ Loan Act, Federal Reserve Act, and Federal Deposit Insurance Act.
- If permissibility is not clear, supervised banking organizations are directed to consult their point of contact at the FRB prior to the commencement of such activities.
Notify the Federal Reserve
- If a supervised banking organization is already engaged in crypto-asset-related activity, it should disclose all activities to its lead supervisory point of contact promptly.
- Supervised banking organizations must notify their lead supervisory point of contact prior to engaging in crypto-asset-related activity.
Enact and Maintain Proper Controls
- FRB’s letter emphasizes the importance of supervised banking organizations enacting and maintaining adequate risk management and controls related to crypto-asset-related activities, including:
  - Having adequate systems in place to identify, measure, monitor, and control the risks associated with crypto-related activities on an ongoing basis; and
  - Ensuring that these systems cover “operational risks (for example, the risks of new, evolving technologies; the risk of hacking, fraud and theft; and the risk of third-party relationships), financial risk, legal risk, compliance risk (including, but not limited to, compliance with the Bank Secrecy Act, anti-money laundering requirements, and sanctions requirements), and any other risk necessary to ensure the activities are conducted in a manner that is consistent with safe and sound banking and in compliance with applicable law, including applicable consumer protection statutes and regulations.”
- Consider Notifying State Regulators
  - FRB encourages state member banks to also notify their state regulators prior to engaging in crypto-asset-related activity.

Why Does This Matter?

If you are a supervised banking organization that is currently involved in active crypto-asset activities, re-confirm that your activities are compliant and take another look at your service providers to ensure their compliance;
If you are a potential partner of a supervised banking organization, expect an even more robust diligence process, time to execution may be extended, and you may face increased ongoing reporting and information disclosure requirements; and
For all participants in the crypto-asset space, this is another example of the growing all-hands on deck approach to the regulation of crypto spurred by the Executive Order from earlier this year. The Executive Order’s first objective was to “protect consumer, investors, and businesses,” and we expect to see further action from the FRB and other regulators.