InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Trade groups sue Colorado Attorney General to block enforcement of law limiting out-of-state bank charges on consumer credit
On March 25, three trade groups filed a lawsuit in the U.S. District Court for the District of Colorado, against the Colorado Attorney General and the Administrator of the Colorado Uniform Consumer Credit Code to prevent enforcement of Section 3 of House Bill 23-1229, which was signed into law last year to limit out-of-state bank charges on consumer credit (the “Act”). As previously covered by InfoBytes, the Act amended the state’s Uniform Consumer Credit Code to opt out of the Depository Institutions Deregulation and Monetary Control Act (DIDMCA) provision that allowed state-chartered banks to charge the interest allowed by the state where they are located, regardless of the location of the borrower and regardless of conflicting out-of-state law. The Act would go into effect on July 1.
According to the complaint, the Act “far exceed[s]” the authority Congress granted Colorado under DIDMCA and would be deemed “invalid on its face.” Plaintiffs alleged that Colorado ignored the federal definition of where a loan was deemed to be “made,” imposing “its state interest-rate caps on any ‘consumer credit transaction[] in’ Colorado,” including “any loan to a Colorado consumer by any state-chartered bank that advertises on the internet in Colorado.” Plaintiffs further alleged that the Act’s opt out “is preempted by DIDMCA and violates the Supremacy Clause of the U.S. Constitution by attempting to expand the federally granted opt-out right to loans not actually ‘made in’ Colorado under federal law,” and “violates the Commerce Clause because it will impede the flow of interstate commerce and subject state-chartered banks to inconsistent obligations across different states.” The Plaintiffs also alleged that Colorado’s stated goal of combatting “predatory, payday-style lending” will not be accomplished through the opt out, as plaintiffs’ members are not payday lenders and offer “a wide variety of useful, familiar, everyday credit products” that “are provided at a range of rate and fee options, which sometimes—to account for credit risk—are above Colorado’s rate and fee caps, but within the rate caps allowed by DIDMCA.” Furthermore, plaintiffs warn that the Act “will prevent Plaintiffs’ members from offering these mainstream products to many Colorado consumers,” while “national banks will still offer these very same loan products to Colorado residents at interest rates in excess of Colorado’s interest-rate and fee caps.” Plaintiffs urged the court to issue a ruling stating that the Act “is void with respect to loans not ‘made in’ Colorado as defined by applicable federal law” and to enjoin Colorado from enforcing or implementing the Act with respect to those loans.
Nacha’s new rules intends to reduce business fraud that uses credit-push payments
On March 18, Nacha announced rule amendments intended to reduce the incidence of frauds that leverage credit-push payments, such as vendor impersonation and business email compromise (BEC). While, importantly, the rules will not shift liability for ACH payments as between the parties, they will establish obligations on originating financial institutions (ODFIs) and receiving depository financial institutions (RDFIs) to monitor the sending and receipt of payments for potential fraud, and they will empower the same to flag potentially fraudulent payments for action. Specifically, the rule amendments will allow “the originating financial institution (ODFI) to request the return of the payment for any reason, the RDFI to delay funds availability (within the limits of Regulation CC) to examine the payment more closely, and the RDFI to return a suspicious transaction on its own initiative without waiting for a request or a customer claim.”
As part of the amendment announcement, NACHA cited the FBI’s Internet Crime Complaint Center’s 2023 annual report, noting that BEC, vendor impersonation, and payroll impersonation are examples of fraudulent activities “that result in payments being ‘pushed’ from a payer’s account to the account of a fraudster,” and that there were 21,489 BEC complaints totaling $2.9 billion in reported losses in 2023, making BEC the second-costliest cybercrime category.
The first set of rule amendments are effective October 1, which, among other things, allow an RDFI to use return code R17 for potential fraud, including for “false pretenses,” and an ODFI to request a return from an RDFI for any reason, including fraud. The first set of amendments also provided RDFIs “with an additional exemption from the funds availability requirements to include credit entries that the RDFI suspects are originated under false pretenses,” subject to Regulation CC. Finally, the RDFI will be required to promptly return any unauthorized consumer debit by the 6th banking day after it reviewed a consumer’s signed Written Statement of Unauthorized Debit.
The first set of rule amendments will be followed by subsequent (phase 1 and phase 2) amendments. The phase 1 amendments, effective March 20, 2026, will, among other things, require ODFIs, and non-consumer originators, third party providers, and third party senders with an annual ACH origination volume of six million or more to implement or enhance appropriate risk-based process and procedures to identify fraudulent transfers. Under phase 1, NACHA will also require RDFIs with ACH receipt volumes of 10 million or more to establish risk-based processes and procedures to identify fraudulent activity. The second phase, effective June 19, 2026, will require fraud risk monitoring for the remaining non-consumer originators, third party providers, and third-party senders.
Borrower’s RESPA claim stays afloat in District Court
The U.S. District Court for the Southern District of Ohio, Eastern Division, granted in part and denied in part defendant mortgage servicer’s motion to dismiss claims for RESPA Qualified Written Requests violations. Defendant approved plaintiffs for a trial payment plan for their mortgage loan. After plaintiffs completed that plan, defendants sent an initial modification agreement with a misspelled plaintiff name. Plaintiffs notified defendant of the error but continued making payments pursuant to the initial modification agreement. Defendant then sent a corrected version which plaintiffs signed, and defendants recorded with the Delaware County Recorder’s office. However, defendants did not update the new terms in its billing system and, after realizing the agreement contained terms different from what it intended, sent a third version of the modification agreement to plaintiffs with an adjusted principal balance and interest rate. Plaintiffs refused to sign the third modified agreement, and defendants refused to honor the recorded version or accept payments, stating that plaintiffs were in default on their mortgage.
In making its judgement, the court considered how defendant handled plaintiffs’ qualified written requests (QWR). Regarding defendant’s response to plaintiffs’ notice of error, plaintiffs claimed defendant did not conduct a reasonable investigation, inadequately explained the discrepancy between the modification agreements’ interest rates and fee charges to their account, and entirely ignored the change in principal balances between the initial and the recorded modification agreements. Defendant argued that its conclusion, that no enforceable loan modification existed, would not change had it conducted the investigation. The court found that defendant could not bypass its responsibility to conduct a reasonable investigation, and that defendant did not address the difference in principal balance between the initial and recorded modification agreements.
On the issue of defendant’s response to plaintiffs’ request for information (RFI), plaintiffs claimed defendant’s response did not address their claims of missing records, nor did it mention that such records were unavailable. Plaintiffs also claimed defendant failed to produce requested documents. Refuting defendant’s argument that plaintiffs did not “even hint” that they suffered damages from the RFI portion of the QWR, the court found that plaintiffs’ damages were legally cognizable. However, the court dismissed plaintiffs’ claim as to the RFI because it did not satisfy the necessary standing requirements.
Washington State Attorney General obtains civil penalties against debt collection agency for medical debt collection practices
On March 19, the Washington State Attorney General (AG) obtained an order from the King County Superior Court providing that a debt collection agency must pay civil penalties for allegedly failing to comply with the Washington Collection Agency Act and Consumer Protection Act when collecting medical debts, specifically by failing to provide the required disclosures in its consumer communications. The court found that the debt collection agency sent 82,729 debt collection notices to medical debtors without the necessary disclosures, which included notification of the debtor’s right to request the original or redacted account number assigned to the debt, the date of last payment, and an itemized statement. The notices also did not inform the debtor that the debtor may be eligible for charity care from the hospital or provided contact information for the hospital. According to the AG’s Office, the collection agency “unlawfully collected payments from … patients without providing critical information about their rights when faced with medical debt. By excluding the legally required disclosures about financial assistance in its collection letters, [the collection agency] created barriers that kept patients who likely qualified for financial assistance from learning about and accessing help with their hospital bills.”
The court ordered a civil penalty of $10 per violation for the debt collection agency’s 82,729 alleged violations of the state Consumer Protection Act, totaling $827,290. Additionally, the court ordered the debt collection agency to reimburse the AG’s office for the costs of bringing the case, which is estimated to exceed $400,000 and to update its practices to comply with Washington law. In determining the civil penalty amount, the court found, among other things, that the debt collection agency acted in bad faith by “fail[ing] to take basic compliance steps,” and “fail[ing] to obtain the correct license … maintain an office in the state, and … include the mandatory disclosures on medical and hospital debt.”
As previously covered by InfoBytes, the AG successfully sued the nonprofit health system in early February, entering a consent decree pursuant to which the health system must pay $158 million in patient refunds, debt forgiveness, and AG costs.
5th Circuit reverses judgment in FDCPA case
Recently, the U.S. Court of Appeals for the Fifth Circuit ordered an FDCPA case to be reversed and remanded after the U.S. District Court for the Eastern District of Louisiana granted a motion for summary judgment. The plaintiffs filed a putative class action alleging that the defendant law firm violated the FDCPA for misrepresenting judicial enforceability of a debt in their dunning letters. The case concerned Congress’s “Road Home” grant program, which was created to provide grants to repair and rebuild homes in the aftermath of Hurricanes Katrina and Rita. All Road Home grant recipients were required to disclose repair benefits previously received. The named plaintiffs in this case applied for and received Road Home grants but failed to disclose repair benefits previously received from FEMA or a privacy insurance carrier. In March 2008, the State’s contractor, ICF, noticed the potential double payments to the two named plaintiffs and placed an internal flag on their accounts in the Road Home database. After a decade, the defendant law firm was engaged to help recover these double payments. The defendants sent a dunning letter demanding repayment in 90 days or the defendants “may proceed with further action against you, including legal action.” The dunning letter further stated that “you may be responsible for legal interest from judicial demand, court costs, and attorneys fees if it is necessary to bring legal action against you.” The plaintiffs filed suit under Section 1692e of the FDCPA and, in an amended complaint, alleged the defendants collected or attempted to collect time-barred debts, failed to itemize the alleged debts, and threatened to assess attorneys’ fees without determining if that right existed. The district court granted summary judgment to the defendants.
The 5th Circuit reversed on appeal. Concerning the first allegation of collecting or attempting to collect a time-barred debt, the court reasoned that while it does not violate the FDCPA to collect on a time-barred debt, a debt-collector “can run afoul of the FDCPA by threatening judicial action while completely failing to mention that a limitations period might affect judicial enforceability.” Further, the appellate court found the dunning letters were “untimely even under the most liberal, 10-year time window” as the plaintiffs breached their agreements when they closed on their Road Home grants or when the State of Louisiana was provided actual notice of the alleged duplicative payments, both of which occurred more than 10 years before the dunning letters were received. The court also found that the defendants mischaracterized one plaintiff’s debt as the dunning letter said the amount owed was for insurance proceeds when it included a 30 percent penalty for lack of flood insurance. Finally, the court explained that because there was no lawful basis to recover attorneys fees, the defendants violated the FDCPA.
OCC’s Hsu discusses bank fairness and effective compliance risk management
On March 25, the Acting Comptroller of the Currency, Michael J. Hsu, released a transcript of a speech on fairness and effective compliance risk management in banking, delivered at a banking association meeting. The speech focused on how bank fairness can be used as a “guide and input to effective compliance risk management,” and how Hsu believed banks could develop more fairness in banking. Hsu noted that deploying more resources and adopting modern technologies will be only part of the challenge in improving a bank’s compliance risk programs; the other part of the challenge is “adapting and anticipating” where compliance risks could arise.
While speaking on the challenges of bank consumer compliance, Hsu discussed rapid changes in product offerings, such as the growth of credit cards, BNPL products, and Earned Wage Access. Hsu discussed how the increase in the digitalization of banking has aligned with third-party arrangements, fraud, and cyber risks in finance. On fairness, Hsu discussed the increased prevalence of overdraft charges and how a “well developed sense of fairness” can guide banks in connection with such areas. Hsu stated that fairness is not unidimensional, and when a bank develops an internal sense of fairness, it should be aware of how multiple notions of fairness interact. For example, he noted that “disparate treatment and disparate impact” provide the foundations for fair lending laws, and to comply with fair lending laws, a bank must mitigate both disparities.
FDIC OIG confirms board oversight and liquidity issues led to a bank’s failure
On March 25, the Office for the Inspector General (OIG) for the FDIC issued a report on a 2023 bank failure, finding that the bank’s failure netted a $14.8 million estimated loss to the Deposit Insurance Fund (“DIF”), but that the failure did not warrant a formal evaluation of the FDIC’s supervision of the failed bank in the form of an In-Depth Review. As defined by the FDIC, the DIF was created to ensure deposits, protect depositors, and resolve failed banks. Any DIF loss incurred under $50 million would require the OIG to review and determine if any unusual circumstances exist that may warrant an In-Depth Review; the OIG did not find any unusual circumstances here.
In November 2023, the FDIC was appointed as a receiver of a bank after its closure by the Iowa Division of Banking. The OIG noted that the bank failed after “significant deterioration” of the bank’s loan portfolio and operating losses stressed its liquidity as a result of bank board issues and management lax lending practices, as well as the failure to properly administer large commercial trucking relationships.
While conducting the bank review, the OIG considered four factors. First, the OIG considered the magnitude of the DIF loss in relation to the total assets of the failed bank. The OIG found the relative loss was 23 percent (noted as consistent in the last five years). Second, the OIG reviewed how effective the FDIC’s supervision addressed the issues. The OIG found the FDIC’s supervision “identified and effectively addressed” the issues that led to the bank’s failure. Third, the OIG considered any indicators of fraudulent activities that contributed to the DIF loss. The OIG found that while the examiners identified conflicts of interest in bank loans, they did not “significantly contribute” to the DIF loss. Last and fourth, the OIG reviewed any other relevant conditions contributing to the bank’s failure and found none.
FDIC opens comment period on proposed Statement of Policy regarding bank merger transactions, highlights “added scrutiny” for $100+ billion mergers
On March 21, the FDIC issued a request for comment on its proposed Statement of Policy (SOP) on bank merger transactions, which will aim to update, strengthen, and clarify the FDIC’s approach to bank merger evaluation. The proposed SOP does note that transactions in excess of $100 billion are more likely to present financial stability concerns and will be “subject to added scrutiny.” The new SOP will replace the FDIC’s current SOP on its responsibilities under the Bank Merger Act (BMA) or Section 18(c) of the FDI Act. Both the heads of the CFPB and OCC issued statements on this review, with the Acting Comptroller of the Currency offering his explicit support.
Broadly speaking, the proposed SOP aims to make the process more principles based, communicate the FDIC’s expectations in its evaluation of merger applications, and describe which merger transactions are under the FDIC’s domain. The proposed SOP will include separate discussions for each statutory factor as set forth in the BMA, including the effects on competition, financial resources, future prospects, CRA, financial and banking stability risk, and AML considerations. Further, this will not be an exhaustive list, as the FDIC will claim jurisdiction over any other elements that could present a risk to financial stability. Of note, the proposed SOP will not include any “bright lines or specific metrics” on what transaction would be considered anti-competitive, as the FDIC wishes to maintain its flexibility to appropriately evaluate the circumstances of each merger application.
This new comment period will begin after the FDIC reviewed 33 comment letters received during the previous comment period, about three-fourths of which were in favor of at least some changes to the FDIC’s merger review process. Six commenters were against such changes and two commenters were neither in favor of nor against the changes. The comments against argued that the current framework was “sound,” and any revisions could harm the sector by making the bank merger process more difficult and disproportionally impacting community, mid-size, and regional banks. Comments must be received by 60 days from the date of the SOP’s publication in the Federal Register.
OCC releases Q4 report on first-lien mortgage performance
On March 19, the OCC released a report on the performance of first-lien mortgages in the federal banking system during the fourth quarter of 2023. According to the report, 97.2 percent of mortgages included in the report were current and performing at the end of the quarter, which is a slight improvement from the fourth quarter of 2022, but also a minor decline from the third quarter of 2023. The report also shows
- a rise in the percentage of seriously delinquent mortgages compared to the previous quarter (1.2 percent in the fourth quarter compared to 1.1 percent in the third quarter), but this percentage has trended down since the fourth quarter of 2021 (when it was 2.3 percent);
- a decline in new foreclosures, with 8,320 new foreclosures in the fourth quarter of 2023, compared to 8,965 new foreclosures the previous quarter and a high of 19,524 new foreclosures in the first quarter of 2022;
- finalization of 7,382 loan modifications, which was less than the 7,436 modifications completed in the prior quarter. Eighty-seven percent of the modifications were “combination modifications,” which are modifications that incorporate more than one type of modification action to improve the loan’s affordability, such as an interest rate reduction and a loan term extension.
First-lien mortgages account for 22.2 percent of the total outstanding residential mortgage debt in the country, representing approximately 11.7 million loans with a combined principal balance of $2.9 trillion.
Agencies extend applicability date of certain provisions of their Community Reinvestment Act final rule
On March 21, the FDIC, Fed, and OCC jointly issued an interim final rule to extend the applicability date of certain provisions of the Community Reinvestment Act (CRA) final rule and requested comments on the extension. As previously covered by InfoBytes, the final rule was intended to modernize how banks comply with the CRA, a law that encouraged banks to help meet the credit needs of low- and moderate-income communities.
Stated “[t]o promote clarity and consistency,” the agencies have postponed the applicability date of the facility-based assessment areas and public file provisions from April 1, 2024, to January 1, 2026. As a result, banks would not be required to modify their assessment areas or public files in response to the final rule until the new 2026 date. This extension would put these elements on the same timeline as other components of the 2023 CRA final rule that also would take effect on January 1, 2026, including the performance tests and geographic area provisions.
The agencies also made technical, non-substantive updates to the CRA final rule and related agency regulations that reference it. One of these technical adjustments specified that banks are not required to update their public CRA Notices until January 1, 2026. Public comments on the postponed implementation date must be received 45 days following the rule's publication in the Federal Register.