Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On April 17, Kathy Kraninger, Director of the CFPB, spoke before the Bipartisan Policy Center where she reiterated the Bureau’s focus on prevention of harm and announced a symposium that will explore the meaning of “abusive acts or practices” under Section 1031 of the Dodd-Frank Act. In her remarks, Kraninger touched on the four “tools” the Bureau has at its disposal to execute its mission: education, rulemaking, supervision, and enforcement.
- Education. The Bureau wants to help consumers protect their own interests and choose the right products and service to help themselves. Specifically, the Bureau is focusing on ensuring that American consumers learn to save to be able to absorb a financial shock.
- Rulemaking. The Bureau will comply with Congressional mandates to promulgate rules or address specific issues through rulemaking, but when the Bureau has discretion, it will focus on “preventing consumer harm by maximizing informed consumer choice, and prohibiting acts or practices which undermine the ability of consumers to choose the products and services that are best for them.” In the coming weeks, the Bureau will release its proposed rules to implement the FDCPA, which will include (i) bright line limits on the number of calls consumers can receive from debt collectors on a weekly basis; (ii) clarity on how collectors may communicate through new technology such as, email and text messages; and (iii) requiring more information at the outset of collection to help consumers better identify debts and understand payment and dispute options. Kraninger stated, “the CFPB must acknowledge that the costs imposed on regulated entities absolutely affect access to, and the availability of, credit to consumers.”
- Supervision. This tool is the “heart of the agency,” according to Kraninger, as it helps to prevent violations of laws and regulations from happening in the first place. The Bureau will keep in mind that it is not the only regulator examining most entities and will focus on coordination and collaboration with the other regulators so as not to impose unmanageable burdens in examinations.
- Enforcement. The Bureau will continue to enforce against bad actors that do not comply with the law, as enforcement is “an essential tool that Congress gave the Bureau.” The Bureau will have a “purposeful enforcement regime” to foster compliance and help prevent consumer wrongs. Kraninger is “committed to ensuring that enforcement investigations proceed carefully and purposefully to ensure a fair and thorough evaluation of the facts and law… [and ensuring they] move as expeditiously as possible to resolve enforcement matters, whether through public action or a determination that a particular investigation should be closed.”
Kraninger also touched on how the Bureau plans to measure success going forward. Kraninger noted that in the past, the Bureau touted its outgoing statistics as a measurement, such as amount of consumer redress and number of complaints handled. However, according to Kraninger, if the Bureau succeeds in fostering a goal of prevention of harm, certain outputs like meritorious complaints would actually be lower. Therefore, the Bureau’s success should be based on how it uses all of its tools. Lastly, Kraninger announced a symposia series that would convene to discuss consumer protections in “today’s dynamic financial services marketplace.” The first will explore the meaning of “abusive acts or practices” under Section 1031 of the Dodd-Frank Act, specifically, to address issues with the “reasonableness” standard. There are no additional details on the date for the symposium but Kraninger noted that this would be the next step in exploring future rulemaking on the issue. The series will also have future events discussing behavioral law and economics, small business loan data collection, disparate impact and the Equal Credit Opportunity Act, cost-benefit analysis, and consumer authorized financial data sharing.
Additionally, on April 9, acting Deputy Director, Brian Johnson, spoke at the George Mason University Law & Economics Center's Ninth Annual Financial Services Symposium. In his prepared remarks, Johnson emphasized that regulatory rules should be “as simple as possible” when dealing with complex markets as they are easier for a greater portion of actors to understand and adapt to and also promote compliance, “which has the ancillary benefit of making it easier for consumers (not to mention regulators) to distinguish between good and bad actors.” Johnson argued that regulators should not try and dictate specific outcomes in rulemaking. Instead, Johnson stated that “financial regulators should recognize that complex market systems are not a means to accomplish their specific goals” and should “narrowly-tailor rules to address a discrete market failure.” Johnson also touched on the Bureau’s new Office of Innovation, noting that the Bureau’s proposed No Action Letter Program and Product Sandbox will offer firms “the opportunity to expand credit while still preserving important consumer protections,” while assisting the Bureau in learning about new technologies and potential consumer risks. As for the Bureau’s cost-benefit analysis, Johnson said that this activity will not be limited to future actions, but will also be used for “periodic retrospective analysis” because financial markets are “constantly changing, requiring constant reappraisal and verification of the rules that govern the system.”
CFPB and Federal Reserve update HMDA examination procedures; CFPB updates ECOA baseline review procedures
On April 1, the CFPB and the Federal Reserve Board (Federal Reserve) issued revisions to the HMDA examination procedures covering data collected since January 1, 2018, under the HMDA amendments issued by the Bureau in October 2015 and August 2017, as well as section 104(a) of the Economic Growth, Regulatory Relief, and Consumer Protection Act (implemented and clarified by the 2018 HMDA Rule, which was covered by InfoBytes in August 2018 here.) According to the Federal Reserve’s CA 19-5, the HMDA examination updates include, (i) Narrative, Examination Objectives, and Examination Procedure sections that were developed by the Task Force on Consumer Compliance of the FFIEC; (ii) Review of Compliance Management System, Examination Conclusions and Wrap-Up, and Examination Checklist sections that were developed in consultation with the FDIC and the OCC; and (iii) sampling, verification, and resubmission procedures. With regard to HMDA data collected prior to January 1, 2018, institutions will continue to be examined according to the interagency HMDA examination procedures “transmitted with CA 09-10 and the HMDA sampling and resubmission procedures transmitted with CA 04-4.”
Additionally, in April, the CFPB also released updated ECOA baseline review procedures. The procedures consist of five modules: (i) Fair Lending Supervisory History; (ii) Fair Lending Compliance Management System (CMS); (iii) Fair Lending Risks Related to Origination; (iv) Fair Lending Risks Related to Servicing; and (v) Fair Lending Risks Related to Models. According to the Bureau, all exams will cover the Fair Lending CMS module and additional modules will be assigned depending on the scope of examination.
On April 2, the FDIC issued Financial Institution Letter FIL-19-2019 (Technology Service Provider Contracts), which describes examiner observations about gaps in financial institutions’ contracts with technology service providers (TSPs) that may require financial institutions to take additional steps to manage business continuity and incident response. Although not specifically referenced in FIL-19-2019, this latest FDIC guidance echoes themes set forth in the FDIC’s Office of Inspector General (OIG) Audit Report released in 2017 (covered in Infobytes here). Specifically, examiners noted contractual deficiencies in recent reports of examination, including failing to: (i) adequately define rights and responsibilities regarding business continuity and incident response, or provide sufficient detail to allow financial institutions to manage those processes and risks; (ii) consistently require TSPs to maintain a business continuity plan, establish data recovery standards, and commit to contractual remedies if the TSP missed a data recovery standard; (iii) sufficiently detail the TSP’s security incident responsibilities such as notifying the financial institution, regulators, or law enforcement; and (iv) clearly define key terms used in contractual provisions relating to business continuity and incident response.
FIL-19-2019 further stresses that supervised institutions are required to comply with the Interagency Guidelines Establishing Information Security Standards promulgated pursuant to the GLBA, which among other things sets forth expectations for managing TSP relationships through contractual terms and ongoing monitoring. The FDIC references prior guidance establishing regulatory expectations, including: (i) Guidance for Managing Third-Party Risk (FIL-44-2008, issued June 6, 2008); and (ii) the Business Continuity Booklet set forth in the FFIEC IT Examination Handbook, which was updated in February 2015 to include a new appendix specific to managing service provider risks (Appendix J: Strengthening the Resilience of Outsourced Technology Services). FIL-19-2019 also contains a reminder to depository institutions that the Bank Service Company Act requires depository institutions to provide written notice to their respective federal banking agency of contracts or relationships with TSPs that provide certain services, including check and deposit sorting and posting, computation and posting of interest, preparation and mailing of checks or statements, and other clerical, bookkeeping, accounting, statistical, or similar functions such as data processing, Internet banking, or mobile banking services.
On March 26, the OCC released Bulletin 2019-16, which announces that the FFIEC Task Force on Consumer Compliance developed new interagency examination procedures to reflect the amendments to Regulations Z and E under the CFPB’s Prepaid Accounts Rule (covered by InfoBytes here), which go into effect on April 1. Specifically, the examination procedures reflect (i) Regulation E requirements covering disclosures, limited liability and error resolution, periodic statement, and posting of account agreements; and (ii) Regulation Z requirements covering overdraft credit features with prepaid accounts.
In March, the CFPB updated its examination procedures for short-term, small-dollar lending (payday lending) in its Supervision and Examinations Manual. The procedures are comprised of modules and each examination will cover one more module. Prior to using the procedures, examiners will complete a risk assessment and examination scope memorandum, which will assist in determining which of the five modules the exam will cover: (i) marketing; (ii) application and origination; (iii) payment processing and sustained use; (iv) collections, accounts in default, and consumer reporting; and (v) service provider relationships. The examinations will review for potential violations of TILA, EFTA, FDCPA, FCRA, ECOA, UDAAP, and Gramm-Leach-Bliley Act (GLBA), all of which apply to payday lending.
On March 15, the OCC announced an update to the Recovery Planning booklet of the Comptroller’s Handbook. Among other things, the revised booklet explains the purpose of effective recovery planning and provides guidance for OCC examiners to use when assessing the “appropriateness and adequacy of [a] covered bank’s recovery planning process and the integration of that process into the covered bank’s overall risk governance framework.” The updates reflect revisions made to the agency’s rule on enforceable guidelines, published December 27, 2018, which increased the average total consolidated assets threshold from $50 billion to $250 billion for covered insured national banks, federal savings associations, and federal branches that are required to comply, unless determined otherwise. Additionally, a bank must now comply with the guidelines within 12 months after it first becomes subject to the guidelines.
On March 6, the Federal Financial Institutions Examinations Council (FFIEC) announced it adopted a Policy Statement on the Report of Examination, which documents the findings and conclusions of an examination conducted by a FFIEC member agency. The Policy Statement is a principles-based approach for completing the report of examination (ROE) in order to promote consistency among the FFIEC members while allowing flexibility for individual supervisors to document exam assessments of financial institutions of different sizes, risk profiles, and other conditions. The policy provides a short outline that instructs all ROEs to, among other things: (i) include identifying information; (ii) convey that the ROEs contain confidential supervisory information; (iii) present conclusions and issues in order of importance; and (iv) document the institution’s risk profile and discuss the institution’s risk management practices. The new policy statement rescinds an interagency policy statement from 1993.
On March 5, U.S. Senate Democrats issued a letter urging CFPB Director, Kathy Kraninger, to resume reviews for compliance with the Military Lending Act (MLA) during routine lender examinations. The Senators argue that the existing statutory authorities for the Bureau “are more than sufficient to justify including MLA compliance in routine examinations,” in an apparent response to Kraninger’s January request to Congress to grant the Bureau “clear authority” to conduct the examinations. (Covered by InfoBytes here.) The Senators cite to Section 1024(b)(1)(C) of the Dodd-Frank Act, which states that the Bureau “shall require reports and conduct examinations on a periodic basis . . . for purposes of . . . detecting and assessing risks to consumers and to markets for consumer financial products and services,” and asserts that charging servicemembers and their families more than 36 percent in violation of the MLA is “clearly a risk” to consumers. Concluding that the CFPB has all the authority it needs to include the MLA in routine examinations, the Senators request the Bureau provide a full justification of the leadership’s decision to not review for compliance with the MLA by March 8.
In February, the CFPB released an updated version of the Supervision and Examination Manual, which includes changes to the examination and targeted reviews section of the manual. The Bureau noted that the purpose of a risk-focused review is to direct Bureau resources toward the areas with higher risk. The updated manual section covers the review process from start to finish, beginning with the pre-review planning and concluding with the transmission of the final report or letter. The February updates also include the release of new examination report and supervisory letter templates.
On February 22, the FDIC issued FIL-9-2019, which announces revisions to interagency examination procedures for evaluating compliance with the CFPB’s Prepaid Accounts Rule. The Rule was originally finalized in October 2016 and expands coverage under Regulation E to provide consumers, among other things, additional federal protections on prepaid financial products, person-to-person payment products, and other electronic accounts with the ability to store funds. (Covered by InfoBytes here.) In January 2018, the CFPB finalized updates to the Rule and delayed the effective date until April 1, 2019. (Covered by InfoBytes here.) The FIL contains a link to the interagency procedures listed in the FDIC Compliance Examination Manual and confirms that after April 1 the examination staff will begin supervising institutions for compliance with the rule.
- Buckley Webcast: Maintaining privilege in cross-border internal investigations
- Moorari K. Shah to discuss "State regulatory and disclosures" at the Equipment Leasing and Finance Association Legal Forum
- Daniel P. Stipano to discuss "The state of the BSA 2019: What’s working, what’s not, and how to improve it" at the West Coast Anti Money-Laundering Forum
- Buckley Webcast: The future of the Community Reinvestment Act
- Hank Asbill to discuss "Creative character evidence in criminal and civil trials" at the Litigation Counsel of America Spring Conference & Celebration of Fellows
- Buckley Webcast: Amendments to the CFPB's proposed debt collection
- Brandy A. Hood to discuss "Flood NFIP in the age of extreme weather events" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Michelle L. Rogers to discuss "UDAAP compliance" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Benjamin K. Olson to discuss "LO compensation" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Kathryn L. Ryan to discuss "Major state law developments" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Jonice Gray Tucker to discuss "Leveraging big data responsibly" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Kathryn L. Ryan to discuss "State examination/enforcement trends" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- APPROVED Webcast: State and SAFE Act licensing requirements for banks
- John C. Redding to discuss "TCPA compliance in the era of mobile" at the Auto Finance Risk Summit
- Buckley Webcast: The next consumer litigation frontier? Assessing the consumer privacy litigation and enforcement landscape in 2019 and beyond
- Buckley Webcast: Data breach litigation and biometric legislation
- Buckley Webcast: Trends in e-discovery technology and case law
- Hank Asbill to discuss "Pay no attention to the man behind the curtain: Addressing prosecutions driven by hidden actors" at the National Association of Criminal Defense Lawyers West Coast White Collar Conference
- Daniel P. Stipano to discuss "Keep off the grass: Mitigating the risks of banking marijuana-related businesses" at the ACAMS AML Risk Management Conference
- Daniel P. Stipano to discuss "Mid-year policy update" at the ACAMS AML Risk Management Conference
- Benjamin W. Hutten to discuss "Requirements for banking inherently high-risk relationships" at the Georgia Bankers Association BSA Experience Program
- Douglas F. Gansler to discuss "Role of state AGs in consumer protection" at a George Mason University Law & Economics Center symposium