Skip to Main Content
Our Commitment to Diversity

Certain Compliance Risks in Marketplace/Peer-to-Peer/Online Lending

Date: 9 February 2016
FinTech Alert
By: Anthony R.G. Nolan, Joseph A. Valenti, Christopher H. Bell

The tragic terrorist shootings in San Bernardino on December 2, 2015 shed light on serious risks associated with online marketplace lending.  The attackers obtained $28,500 from an online marketplace lender under a pretext, but then allegedly used the funds to reimburse their arms dealer.[1]  This apparent link between the money lent and the mass murders led public officials to re-examine the risks associated with this new and increasingly popular method of lending.

Online marketplace lending represents a chance for investors to realize greater returns and for borrowers to refinance expensive debt and pay less interest, as technology and peer-to-peer matching/evaluation greatly reduces the overhead of the business model.  Given both the widespread interest in and the potential for the misuse of such online lending platforms, federal and state lawmakers and regulators are increasing scrutiny of the industry. 

What is Marketplace Lending?
The U.S. Treasury Department defines “Marketplace Lending” as “the segment of the financial services industry that uses investment capital and data-driven online platforms to lend to small businesses and consumers[.]”[2]  These internet-based platforms reduce costs by eliminating many operational expenses associated with traditional bank loans to consumers, such as the cost of maintaining and staffing physical branches.  Cost reduction, in turn, makes relatively minor loans to small businesses and individuals economically feasible for all parties involved.

The role of the marketplace lender is to provide an efficient platform to link an applicant seeking a loan with a party (or parties) willing to fund it.  After the loan applicant submits an application, the platform obtains a credit report on the applicant and other data in a proprietary model to assign a risk grade to the proposed loan and set an interest rate corresponding to the assigned risk grade.  Under the original practice of marketplace lending—sometimes distinguished by the term “peer-to-peer” lending—these loans would then be funded by a series of smaller investors who find the risk/return ratio effective.  The platform makes a profit by charging a fee on the loan, as well as origination and servicing fees. 

More recently, some online marketplace lenders (particularly the larger platforms) have partnered with banks and institutional investors to fund the loans they offer.  A hedge or private-equity fund, for example, might fund loans made through an online platform or purchase loans that have been bundled and securitized.  Securitizing these loans into a larger package allows for larger institutional players, such as pension funds and insurance companies, to enter the fast-growing field of online lending on a scale that makes it worth their efforts.[3]  It was for this reason that the San Bernardino terrorists’ loan, though issued by the online marketplace lender Prosper, was actually funded by a global bank.[4]

Rapid Growth of Online Marketplace Lending Industry
Marketplace lending’s share of the U.S. and global lending market is increasing quickly.  The United States reported $5 billion in new small- and medium-sized entity lending issued on marketplace platforms in 2014, while a volume of $12 billion is projected for 2015.[5]  Globally, marketplace lending accounted for $60 billion to $70 billion in outstanding loan volumes in 2014.  Marketplace lending’s share of total bank lending on a global scale is still less than 1%.  Yet, growth rates are high and are expected to increase in the future.  Thus, hundreds of billions of dollars could soon be moving through these online marketplace platforms.

Increased Regulatory Focus
Until recently, discussions of marketplace lending by regulators and lawmakers focused on understanding and assisting the industry, rather than addressing the compliance risks it poses.  For example, on May 13, 2015, the U.S. House Committee on Small Business held the first-ever hearing on Marketplace Lending, titled “Bridging the Small Business Capital Gap:  Peer-to-Peer Lending.”[6]  While at least one lawmaker expressed concerns about increased investor risks underscored by the higher default rates on peer-to-peer loans, lawmakers generally focused on how they could promote and expand the new and growing industry.[7] 

On July 16, 2015, the U.S. Treasury sought public comment via a Request For Information in an effort to better understand the impact of online marketplace lending on small businesses, consumers, and the broader economy.[8]  The comment period closed September 30, 2015.[9]  Since that time, the Treasury has made no definitive statement on what actions, if any, it may take in regard to the fledgling industry.  On October 29, 2015, a Treasury official stated it was “too soon to tell” if alternative underwriting methods used by marketplace lenders are better at assessing creditworthiness than traditional models.[10]

In recent months, public agencies appear to be focusing much more acutely on the risks posed by this emerging and relatively unregulated financial services sector.  In particular, on November 6, 2015, the FDIC issued a Financial Institution Letter (FIL492015) cautioning banks about the risks of purchasing loans and participating in shared credit facilities originated by “alternative” lenders and imposing additional requirements on banks purchasing interests in such loans that have been originated by non-bank, peer-to-peer, or marketplace lenders.[11]  The FDIC followed up on this letter with an article dedicated to marketplace lending risks for banks in its most recent edition of “Supervisory Insights.”[12]  Both documents build on a letter issued in 2008 (FIL442008) that provided guidance for managing third-party risk, including up-front due diligence and the overseeing of third-party activities.[13]  These FDIC documents, discussed further below, may serve as a useful guide in helping banks understand the challenges in meeting their compliance obligations when they partner with marketplace lenders. 

In December 2015, the commissioner of the California Department of Business Oversight (“DBO”) launched a public inquiry into marketplace lending, asking 14 online lending firms to provide five years of data about their businesses.[14]  Even though this inquiry was announced shortly after the San Bernardino terrorist attack, that timing was apparently a coincidence, as the inquiry had been planned well in advance of that dastardly event.  According to the DBO’s announcement, the two primary objectives of the inquiry are to assess the industry’s size in California (and how many consumers and businesses it touches) and to understand better the various loan and investor funding programs used by marketplace lenders.  The ultimate objective is to tailor the state’s licensing and regulatory regime to the new market.[15]

While U.S. regulators continue to take stock of the new landscape, other countries have moved ahead with regulations specifically tailored to the marketplace lending industry.  The United Kingdom’s Financial Conduct Authority implemented new regulations for the peer-to-peer lending industry in April 2014.  To date, well over 100 peer-to-peer lending companies have sought full authorization to operate under this new regime.[16]  More recently, on December 28, 2015, China’s banking regulator released draft rules for peer-to-peer lending platforms in a bid to promote their development as a solution to small-business financing difficulties.[17]  In Europe, the European Commission’s Capital Markets Union Action Plan has begun a dialogue about FinTech regulation that will impact this market.[18]  This issue may come in tighter focus when the European Commission publishes its expected Report on Crowdfunding later this year. 

The Existing Regulatory Regime in the United States
While currently there is no comprehensive regulation of online marketplace lending in the United States, lenders are subject to various federal and state laws and regulations.  They include federal and state consumer-protection statutes and regulations, lender and broker licensing and usury laws,[19] data-privacy laws, and securities regulation.[20] 

In light of the San Bernardino attacks, some regulatory schemes that relate specifically to counter-terrorism and national security concerns are of particular relevance.  Notably, marketplace lending is subject to anti-money-laundering (“AML”) laws and regulations.  These laws apply to the financial institutions that partner with marketplace lenders, and possibly to the online platforms themselves. 

The Bank Secrecy Act (“BSA”) requires “financial institutions” to file Suspicious Activity Reports (“SARs”) for “suspicious” activity appearing to (1) be designed to avoid BSA reporting requirements (i.e., structuring), (2) launder money, (3) facilitate criminal activity, (4) violate federal law, or (5) serve no lawful purpose. 

The USA PATRIOT Act strengthened the BSA by requiring financial institutions to establish AML programs (including policies, procedures, and controls) to prevent money laundering.  It also requires institutions to verify a borrower’s identity and to determine whether a borrower is on relevant sanctions lists of known or suspected terrorists, terrorist organizations, or other sanctioned entities issued by federal agencies such as the Office of Foreign Assets Control (“OFAC”).

Non-bank online lending platforms may not be directly subject to these obligations, but depending on their structure and services offered, a particular platform may be subject to regulation as a money-services business, a money transfer system, an investment company, an investment advisor, or a securities broker-dealer.  In addition, they may be subject to a discretionary designation by the Secretary of the Treasury because of the type of activities in which they engage or the usefulness of their potential SARs and related reports.[21]  Indeed, unless a platform is making the loan with its own funds, these platforms are generally obligated by agreement to assist the originating bank in fulfilling its AML and counter-terrorist-financing obligations.

The application of these laws to marketplace lending is yet to be tested.  However, there exists an enforcement precedent affecting emerging online financial-services businesses that may be significant to the consumer online lending industry.  For instance, the Financial Crimes Enforcement Network (“FinCEN”) recently imposed a $700,000 civil monetary penalty (and remedial compliance obligations) against Ripple Labs Inc. (a virtual currency exchanger) in May 2015 for various violations of the BSA.[22]  In addition to failing to register its virtual currency, Ripple Labs was accused of failing to implement and maintain an adequate AML program designed to protect its products from use by money launderers or terrorist financiers.  Further, in November 2015, the Consumer Financial Protection Bureau (“CFPB”) brought an unsettled enforcement action against an online lender for engaging in deceptive consumer practices that is currently being briefed for trial before an administrative law judge.[23]  While the case is fundamentally about allegedly deceptive payday lending practices, the fact that the CFPB chose to characterize the target of the action as an “Online Lender” suggests the agency wants to be seen as active in the online credit space.  Moving forward, scrutiny of these online operators is only likely to increase.

A New Set of Risks
The outsourcing of lending to marketplace lenders and online banks presents a new set of risks to the banks that ultimately fund or purchase these loans.  First, the relative anonymity and remoteness of the online transaction (relative to a physical bank branch setting) may make it easier for criminals to secure loans.  A criminal may be able to hide his or her physical location in a high-risk geographic area, and complying with ID verification requirements may be more challenging in this context.  Second, given that the business model is dependent on minimizing costs to make small-scale (but often high-volume) loans profitable, comprehensive compliance programs may be unattractive for online/marketplace lenders seeking to maximize profits and render services to individuals typically excluded from the traditional financial system.  Indeed, at least one major online bank has previously been cited by the FDIC for “unsafe or unsound” banking practices that required restitution and remedial compliance measures.[24]  That same online bank was recently described by a former employee as “a very stripped down operation[.]”[25]

In the wake of the San Bernardino shooting, Prosper was quick to emphasize its own proactive efforts to ensure AML compliance.  In a public statement, the company noted that

“all loans originated through the Prosper platform are subject to all identity verification and screening procedures required by law, including U.S. antiterrorism and anti-money-laundering laws.  As part of our standard procedures, we also confirm that all loan funds are disbursed into a verified U.S. bank account in the borrower’s name.”[26] 

Assuming that Prosper indeed had effective AML controls, the fact that a loan to the San Bernardino attackers was made in spite of these procedures underscores the fundamental challenge of AML compliance in this online context.

While marketplace lending is a growing industry and a potential new profit center for banks, profits cannot come at the expense of appropriate compliance levels, regardless of whether banks choose to operate online platforms themselves or purchase the loans put together by others.  This theme permeated the FDIC’s recent advisory letter, which warned of “purchasing banks’ over-reliance on lead institutions,” such as non-bank third parties.  In addition to recommendations focused on the profitability of such loans (such as a profit analysis, independent credit and collateral analysis, etc.), the letter explicitly noted that “[i]nstitutions should ensure compliance with outstanding BSA/AML requirements and should consider purchased loans and participation portfolios for the institution’s BSA/AML risk assessment.”[27]  These requirements typically include an effective BSA/AML compliance program designed to detect and report on suspicious activity by learning and analyzing both the lender’s and the borrower’s identification information, source/purpose of funds, and related data; robust policies and training in support of the program; a designated officer responsible for overseeing these efforts; and independent audits to ensure their effectiveness.

Relying on the BSA/AML diligence done by business partners comes with its own risks if that third-party is not itself effectively implementing BSA/AML controls.  Under the heading “Due Diligence of Third Parties,” the FDIC letter also recommended “a review of the third party’s business reputation, experience, and compliance with federal and state laws, rules, and regulations (such as consumer protection and anti-money-laundering requirements).”  In the most recent edition of Supervisory Insights, published periodically by the FDIC, Angela M. Herrboldt, Senior Examination Specialist in the Division of Risk Management Supervision, noted that banks’ due diligence of third parties engaged in marketplace lending should include

“compliance with applicable federal laws such as lending laws, consumer protection requirements, anti-money laundering rules, and fair credit responsibilities along with adherence to any applicable state laws, licensing, or required registrations.  As with any third-party arrangement, banks should monitor marketplace activities and expect marketplace servicers to undergo independent audits and take corrective action on audit exceptions as warranted.  Failure to do so could expose a bank to substantial financial loss and an unacceptable level of risk.”[28]

Banks are well-advised to conduct this due diligence on their potential partners.  Where banks fail to conduct their own due diligence, bank regulators themselves may investigate the platforms under their existing regulatory authority.[29] 

Thus, in the words of the FDIC, banks must take ownership over the BSA/AML compliance of their marketplace lending partners and programs. 

Potential Future Regulation
In December 2015, the U.S. House Financial Services Committee voted to re-establish its Task Force to Investigate Terrorism Financing, which then requested information from the U.S. Department of the Treasury about the regulation of online lenders in the wake of the San Bernardino attack.[30]  Committee Chairman Jeb Hensarling (R-TX) has announced that he plans to propose legislation addressing terrorist financing.  In addition, the ranking Democrat, Rep. Maxine Waters (D-CA), has proposed legislation instituting personal criminal liability for banking executives for violations of AML and BSA provisions.[31]

In addition, it is widely expected that the CFPB will eventually become active in this area and that the FTC may become active to the extent that small business lending falls outside the CFPB’s jurisdiction.  A report by the U.S. Government Accounting Office (“GAO”) in 2011 explored potential future approaches for regulating marketplace lending.[32]  The GAO report identified two approaches.  The first, an SEC-centered approach, would focus on protecting investors in connection with the purchase of federally regulated securities.  The second, a CFPB-centered approach, would place the CFPB in charge of regulating marketplace lending loans as “consumer financial products.”[33]  The CFPB’s supervisory and enforcement authority extends to certain banks and non-bank entities that offer or provide financial products or services, including any “larger participants” in markets for consumer financial products and services that the CFPB defines by rule.[34]  While the CFPB has so far declined to exercise its rulemaking authority in this area, the agency’s fall 2015 Rulemaking Agenda suggests that it plans to issue a proposed larger participant rule to cover “consumer installment loans” later this year.[35]  Whether the definition of “consumer installment loans” will be broad enough to cover some, or even all, marketplace loan participants remains to be seen.  Still, if the industry continues to grow, the CFPB may find it harder to resist acting in this arena.

Furthermore, there are signs that the SEC may also become more involved in marketplace lending.  On October 30, 2015, the SEC adopted final rules regarding the regulation of crowdfunding.[36]  This may signal a desire by the agency to take the lead in the regulation of these emerging online financial technologies.

In short, regulators are likely to take an increasingly hard look at the risks posed by marketplace lenders and their banking partners.  Financial institutions should carefully consider the risks these new platforms pose from a compliance perspective, particularly for BSA/AML issues.  In addition, actions by the FDIC, the U.S. Treasury, the CFPB, or any number of state agencies may change the profit equation for those entities seeking to expand into this sector in the future.  K&L Gates will continue to monitor this evolving industry.


[2] Public Input on Expanding Access to Credit Through Online Marketplace Lending, 80 Fed. Reg. 42866 (July 20, 2015).

[3] For an overview of the challenges and opportunities presented by securitization of marketplace loans, see

[5] Statistics from World Economic Forum report: The Future of FinTech: A Paradigm Shift in Small Business Finance (Oct. 2015).

[12] Angela M. Herrboldt, Marketplace Lending, 12 Supervisory Insights 12, Winter 2015.


[19] An alert on these issues is forthcoming.

[21] See 31 U.S.C. § 5312(a)(2)(Y) (defining “financial institution” as—and thus applying the BSA to—“any business or agency which engages in any activity which the Secretary of the Treasury determines, by regulation, to be an activity which is similar to, related to, or a substitute for any activity in which any business described in this paragraph [such as a commercial bank] is authorized to engage“) and 31 U.S.C. § 5312(a)(2)(Z) (defining “financial institution” as, among other things, “any other business designated by the Secretary whose cash transactions have a high degree of usefulness in criminal, tax, or regulatory matters”).

[23]  Specifically, the action pursues claims related to (1) hiding the total cost of loans, (2) requiring repayment by pre-authorized electronic funds transfers, and (3) continuing to debit borrowers' accounts after consumers canceled the authorization.

[28] Angela M. Herrboldt, Marketplace Lending, 12 Supervisory Insights 12, 16, Winter 2015.

[29] For instance, the Office of the Comptroller of the Currency has confirmed its own authority to investigate businesses that operate as service companies to banks.  “Third Party Relationships,” OCC Bulletin 2013-29 (October 30, 2013). 

[33] Id. at 36-37.

[34] 12 U.S.C. § 5514.

This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.

Return to top of page

Email Disclaimer

We welcome your email, but please understand that if you are not already a client of K&L Gates LLP, we cannot represent you until we confirm that doing so would not create a conflict of interest and is otherwise consistent with the policies of our firm. Accordingly, please do not include any confidential information until we verify that the firm is in a position to represent you and our engagement is confirmed in a letter. Prior to that time, there is no assurance that information you send us will be maintained as confidential. Thank you for your consideration.

Accept Cancel