House Financial Services Committee questions financial agency representatives on technological implementations
On December 5, the U.S. House Financial Services Subcommittee on Digital Assets, Financial Technology and Inclusion held a hearing on “Fostering Financial Innovation: How Agencies Can Leverage Technology to Shape the Future of Financial Services.” The Committee invited representatives to testify from the SEC, OCC, FDIC, CFPB, NCUA, and the Federal Reserve. The representatives fielded an array of questions focused on artificial intelligence, cryptocurrencies, and central bank digital currencies (CBDCs), and broadly focused on the need to balance technological innovation within the financial sector with managing risk.
On cryptocurrencies, congressional representatives posed questions on the nature of criminal activity among other risks. The discussion addressed bank risks related to crypto assets—while banks do not hold crypto assets, the representative from the Federal Reserve noted how banks may face liquidity risks when holding deposits from crypto-related companies. On CBDCs, the Committee asked for an update on the U.S. CBDC; the Federal Reserve representative mentioned the Fed’s current research on CBDC technologies but noted that the agency is still “a long way off from thinking about the implementation of anything related to a CBDC.”
On the topic of artificial intelligence, agency representatives discussed how banks are using the technology for fraud monitoring and customer service. The discussion addressed how artificial intelligence technology can create deepfakes using generative models to mimic an individual’s appearance or voice, and thus help scammers bypass traditional security checks. In response, some countries have implemented a secure digital ID that biometrically syncs to one’s smartphone, and the NCUA noted that it is currently evaluating this technology.
On December 7, the CFPB announced a consent order against a Virginia-based bank, alleging it engaged in deceptive acts and practices and failed to comply with Regulation E. According to the CFPB, the bank did not comply with Regulation E because it did not provide appropriate written disclosures before enrolling customers in its overdraft service and imposing overdraft fees. The CFPB alleged that under the bank’s procedures, branch employees would provide oral disclosures and obtain oral consent but did not provide customers with the required written consent form under Regulation E until the end of the account-opening process. According to the CFPB, while the bank changed its practices partway through the period covered by the consent order, the disclosures it provided were still inadequate. The bank allegedly “requested that new customers orally specify their enrollment decision before providing them with adequate written notice describing the [opt-in] service,” which thereby allegedly breached the Electronic Fund Transfer Act.
The CFPB also alleged the bank committed deceptive actions or practices when marketing opt-in overdraft services to consumers via telephone. Specifically, the CFPB alleged that the bank did not provide its customer service representatives with a script, which resulted in representatives failing to clearly differentiate between transactions covered by the bank’s standard versus its opt-in overdraft protection service. The CFPB asserted that these statements qualified as “representations and omissions of key information were likely to mislead consumers,” and that as a result, the Bank did not comply with the CFPA and Regulation E.
The consent order imposes a $1.2 million civil money penalty and requires the bank to refund at least $5 million to affected consumers. The consent order also requires the bank to obtain a new overdraft enrollment decision from affected consumers before charging overdraft fees. Moreover, the bank must also create and implement a comprehensive compliance plan to ensure its overdraft program complies with all applicable laws. Finally, the consent order requires the bank to monitor compliance, maintain records, and inform the CFPB of any changes or developments that could impact its compliance responsibilities in the consent order.
On December 7, the Attorney General for the State of New York, Letitia James, led a group of 20 attorneys general in submitting letters to the OCC and the CFPB urging the agencies to ensure that national banks cooperate with investigations by state attorneys general into violations of state laws. The letters state that in the beginning of the 2000s, banks began to claim immunity from state oversight. The attorneys general argue that this position was furthered by a 2002 OCC advisory letter directing states to refer potential violations of state law to the OCC, and a 2004 rule which expanded the test for when national banks were exempted from state laws. The attorneys general allege that states have been limited “in their ability to address a wide range of unfair and deceptive practices that affect their citizens, including bait-and-switch practices and the failure to clearly and conspicuously disclose rate changes, late fees and overdraft fees.” As a result, the attorneys general ask the OCC to “issue supervisory guidance… advising that it is unsafe and unsound, and that it creates a material risk of unfair or abusive acts or practices, for any [b]ank to refuse to cooperate with State AG information requests that seek to further enforcement of applicable state laws.”
Effective November 20, 2023, the Illinois Department of Financial and Professional Regulation adopted provisions regarding the Illinois Collection Agency Act. According to the Notice of Adopted Repealer, Public Act 102-975 has transferred the oversight of collection agencies from the Division of Professional Regulation to the Division of Financial Institutions. With the Division of Financial Institutions planning to introduce new regulations to align them to the agency’s standards, the Department proposes to repeal the existing regulations from the Division of Professional Regulation.
On December 5, the Court of Justice of the European Union (CJEU) issued a judgment clarifying the conditions under which a General Data Protection Regulation (GDPR) fine can be imposed on data controllers. The judgment is in response to two cases involving GDPR fines: (i) a German case in which a real estate company was fined for allegedly storing personal data for tenants for longer than necessary, and (ii) a Lithuanian case in which a government health center was fined in connection to the creation of an app that registered and tracked people exposed to Covid-19.
In the judgment, the CJEU clarified that a data controller can only face an administrative fine under the GDPR for intentional or negligent violations—that is, violations for which a data controller was aware or should have been aware of “the infringing nature of its conduct,” regardless of their knowledge of the specific violation. The judgment also held that for a legal person, it is not necessary for the violation to be committed by its “management body,” nor does that body need to have knowledge of the specific violation. Instead, the legal person is accountable for violations committed by its representatives, directors, or managers, and those acting on their behalf within the business scope. Additionally, imposing an administrative fine on a legal entity as a data controller does not require prior identification of a specific person responsible for the violation.
The judgment also addressed administrative fines for operations involving multiple entities. The CJEU noted that a controller may have a fine imposed upon it for actions undertaken by its processor. The court also clarified that a joint controller relationship arises from the two or more entities participating in determining the purpose and means for processing, and “does not require that there be a formal arrangement between the entities in question.”
To calculate the amount of an administrative fine under the GDPR, the supervisory authority must consider the notion of an “undertaking” under competition law. The maximum fine must be based on the percentage of the total worldwide annual turnover of the particular undertaking in the preceding business year.
On December 6, the OCC posted Bulletin 2023-37 to provide banks with guidance on Buy Now, Pay Later (BNPL) loans. The OCC defined BNPL as point-of-sale or “pay-in-4” installment loan products. The OCC noted that, if BNPL products are used responsibly, they “can provide consumers with a low-cost, short-term, small-dollar financing alternative to manage cash flow.”
The OCC emphasized that banks should offer BNPL loans in accordance with standards for safety and soundness, treat customers fairly, provide fair access to financial services, and act in compliance with applicable laws and regulations. In the bulletin, the OCC highlighted the risks to banks associated with offering BNPL lending, including credit, compliance, operational, strategic, and reputational risks. In particular, the bulletin underscored the risks that borrowers may not fully understand their BNPL repayment obligations, the challenges of underwriting BNPL applicants who have limited or no credit history, the lack of standardized disclosure language, and the risks of merchant disputes, among other risks.
The OCC recommended banks consider risk management practices, such as maintaining “underwriting, repayment terms, pricing, and safeguards that minimize adverse customer outcomes” tailored to the unique characteristics and risks of BNPL loans. The bulletin also advised banks to pay close attention to “the delivery method, timing, and appropriateness of marketing, advertising, and consumer disclosures,” in particular to ensure that all such documents clearly disclose the borrower’s obligations and any fees that may apply.
On November 17, the Maryland Commissioner of Financial Regulation adopted edits to proposed regulations, Md. Code Regs. 09.03.14.01, .03-.18, bringing Maryland generally in alignment with the CSBS Money Transmitter Model Law, which has recently been adopted by several other states (covered by InfoBytes here, here, and here). Some provisions in the new regulation conform with the model law, while a few stand out as unique additions in Maryland.
For example, among the newly adopted regulations, amended Regulation .03 provides an exemption for persons appointed as an agent of the payee if (i) there is a written agreement between the payee and agent for payment processing, aligning with Maryland law; (ii) there is public recognition of the agent collecting payments on behalf of the payee; (iii) upon the agent’s receipt of payment, the payor’s obligation ends without risk; (iv) the agent is not serving in an escrow capacity; (v) the agent is not acting as an agent to more than one party; and (vi) the agent mandates prompt, unconditional payment without tying it to future events or performances. This agent of the payee exemption deviates from the model law’s version of the same exemption.
Additionally, amended Regulation .08 establishes corporate governance standards that require money transmitter licensees to maintain a framework that is commensurate with the size, operational complexity, and overall risk profile of the licensee. This standard also sets expectations around internal audit, external audit, and risk management functions of a licensee. While this concept is not provided for in the model money transmission law, it aligns with the CSBS model state regulatory prudential standards for nonbank mortgage servicers (covered by InfoBytes here).
The final regulation will be effective December 11, 2023.
On December 7, the OCC reported key issues facing the federal banking system in its Semiannual Risk Perspective for Fall 2023. In evaluating the overall soundness of the federal banking system, the OCC emphasized the need for banks to maintain prudent risk management practices. The key themes that the OCC underscored in the report included (i) credit risk due to high interest rates, commercial real estate lending, and inflation; (ii) market risks from rising deposit rates, liquidity contraction, and reliance on wholesale funding; (iii) operational risks from cyber threats, increased digitization, and fraud; and (iv) compliance risks from equal access to credit, fair treatment of consumers, fintech partnerships, and BSA/AML risk. The OCC noted that deposit and liquid asset trends stabilized in the latter half of 2023, and the stability was sustained through a greater dependence on wholesale funding.
The report included a special discussion of emerging risks linked to artificial intelligence (AI) in banking. The OCC noted the potential benefits of widespread AI adoption, which could reduce costs, improve products, strengthen risk management, and expand access to credit. At the same time, the OCC cautioned that AI use can create risk and banks must manage its use carefully.
The OCC recently published redacted Interpretive Letter #1181, in which the OCC granted a national bank’s application for exemption from the quantitative limits under Section 23A to allow the bank to purchase an affiliate LLC that owns the premises on which the bank’s headquarters and main office are located. According to the letter, the affiliate transaction would exceed ten percent of the bank’s capital stock and surplus and would cause the aggregate amount of the bank’s covered transactions with all affiliates to exceed 20 percent of the bank’s capital stock and surplus. Exceeding either of these thresholds would require an exemption, but the OCC believed a waiver was appropriate given the anticipated reduction in the bank’s operating costs. Moreover, the OCC reasoned that the exemption would fortify the bank’s financial standing, enhancing its ability to improve the services it provides to customers and communities. The FDIC agreed and determined that an exemption would not pose an unacceptable risk to the Deposit Insurance Fund. For these reasons, the OCC approved the exception and permitted the purchase to move forward.
On December 4, Freddie Mac announced new, standardized mortgage documents aimed at making down payment assistance (DPA) programs more accessible nationwide. According to Freddie Mac, the subordinate lien documents for DPA programs have been specific to particular housing finance agencies, which created confusion. By standardizing these documents, Freddie Mac hopes to benefit lenders by making DPA programs more efficient.
To create the standardized documents, Freddie Mac partnered with Fannie Mae and state housing finance agencies. These documents will initially be available for 19 states, and eventually for all 50 states and the District of Columbia. These changes come in tandem with Freddie Mac’s new tool, DPA One®, to aggregate and showcase down payment assistance programs on a single platform.