InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
OCC issues annual federal banking report for 2023
On December 11, the OCC published its 2023 Annual Report, which provides a comprehensive overview of the current state of the federal banking system, outlines the OCC’s strategic priorities and initiatives, and details the agency’s financial management and condition.
The OCC restated its supervisory priorities for the year, summarized proposed rules, guidance and other publications issued in FY 2023, reported on its licensing activities and summarized the results of enforcement actions against institutions and individuals, which netted over $100 million in civil money penalties. The report also highlighted the OCC’s efforts in “guarding against complacency, reducing inequality, adapting to digitalization, and acting on climate-related financial risks—which collectively focus the OCC’s efforts on maintaining the public’s trust in banking.” According to the “comptroller’s viewpoint” within the report, Acting Comptroller Michael J. Hsu proposed an annual survey to gauge the American public’s trust in banks and banking supervision over time. The survey will aim to collect diverse data on consumer trends to aid policymakers, regulators, and community groups in better understanding and enhancing trust in the banking system. Hsu also highlighted some actions he believes will help restore trust in the banking system: (i) bank supervisors acting in a timely and efficient manner; (ii) the strengthening of large bank resilience and resolvability regulations; (iii) updates to deposit insurance coverage; and (iv) preserving “the diversity of the banking system… as the industry evolves.” Among other points of the annual report, as part of its emphasis on climate-related financial risk, the OCC reported that it is conducting exploratory reviews of banks with $100 billion or note in assets, in an attempt to establish a baseline understanding of how banks manage financial risks related to climate change.
Illinois adopts regulatory changes as part of its Collection Agency Act
On December 1, the State of Illinois’s Department of Financial and Professional Regulation promulgated final regulations implementing provisions of the Illinois Collection Agency Act. As previously covered by InfoBytes, Illinois transferred oversight of collection agencies from the Division of Professional Regulation to the Division of Financial Institutions under Public Act 102-975 in November.
Illinois proposed the new rules to “help the Division of Financial Institutions fulfill its newly-granted statutory responsibility and align these rules with regulatory requirements” set forth by the Illinois Collection Agency Act. Adoption of the new rules will not result in any substantive changes for Illinois Collection Agency licensees but will mirror the previous rules governing collection agencies at 68 Ill. Admin. Code 1210; additionally, the new rules have been adjusted to bring collection agencies in alignment with other industries regulated by the Division of Financial Institutions. Specifically, the new rules adjust the previous collection agency rules “regarding definitions, officers, applications for or changes to licensure, communications, pseudonyms, changes in ownership, recordkeeping, fees, payments, and the granting of variances to better reflect the standards of the Division of Financial Institutions.”
Lastly, the rules add three new sections: (i) Administration and Enforcement of the Act, which grants the director administrative and enforcement power over collection agencies; (ii) Reports, which requires licensees to file written reports (upon at least 45-day notice by the Division); and, (iii) Investigations and Examinations, which generally states that licensees may be “examined from time to time” to ensure compliance. The rules went into effect on November 20, 2023.
EU-U.S. releases statement from Joint Financial Regulatory Forum
On December 8, participants in the EU-U.S. Joint Financial Regulatory Forum met, including officials from the Treasury Department, Fed, CFTC, FDIC, SEC, and OCC, and issued a joint statement. The statement regarded ongoing dialogues from December 4-5 and focused on six themes: “(1) market developments and financial stability; (2) regulatory developments in banking and insurance; (3) anti-money laundering and countering the financing of terrorism…; (4) sustainable finance; (5) regulatory and supervisory cooperation in capital markets; and (6) operational resilience and digital finance.”
The joint statement acknowledged how risks to the EU and U.S. financial sectors have been mitigated in recent months, e.g., inflation risks, although lingering concerns remain regarding the impact of increased interest rates, high levels of private and public sector debt, and the ongoing geopolitical situations. Participants reaffirmed the significance of strong prudential standards for banks, effective resolution frameworks—particularly across borders—and robust supervisory practices, along with effective macroprudential policies. Finally, the conversations covered recent cryptoasset market changes and updates on regulatory and enforcement initiatives in the U.S.
White House convenes on reducing medical debt
On December 8, President Biden met with over 80 federal and state officials to discuss reducing medical debts for Americans. The Biden-Harris administration desires to address medical payment products, unfair debt collection practices, surprise billing and facility fees, and charity care. This roundtable was one of several actions taken by the administration to lower Americans’ healthcare costs, in addition to (i) the CFPB’s report on how medical debt collectors pursue debts under the FDCPA, such as through misattributed billing and billing consumers without contacting them (previously covered by InfoBytes, here); and (ii) the CFPB’s proposed rule to remove medical bills from credit reports (also previously covered by InfoBytes, here). The roundtable featured speakers from the president’s council, the CFPB, the Center for Medicare and Medicaid Services, DHHS, the Treasury, and representatives from California, Colorado, and Washington.
House Financial Services Committee questions financial agency representatives on technological implementations
On December 5, the U.S. House Financial Services Subcommittee on Digital Assets, Financial Technology and Inclusion held a hearing on “Fostering Financial Innovation: How Agencies Can Leverage Technology to Shape the Future of Financial Services.” The Committee invited representatives to testify from the SEC, OCC, FDIC, CFPB, NCUA, and the Federal Reserve. The representatives fielded an array of questions focused on artificial intelligence, cryptocurrencies, and central bank digital currencies (CBDCs), and broadly focused on the need to balance technological innovation within the financial sector with managing risk.
On cryptocurrencies, congressional representatives posed questions on the nature of criminal activity among other risks. The discussion addressed bank risks related to crypto assets—while banks do not hold crypto assets, the representative from the Federal Reserve noted how banks may face liquidity risks when holding deposits from crypto-related companies. On CBDCs, the Committee asked for an update on the U.S. CBDC; the Federal Reserve representative mentioned the Fed’s current research on CBDC technologies but noted that the agency is still “a long way off from thinking about the implementation of anything related to a CBDC.”
On the topic of artificial intelligence, agency representatives discussed how banks are using the technology for fraud monitoring and customer service. The discussion addressed how artificial intelligence technology can create deepfakes using generative models to mimic an individual’s appearance or voice, and thus help scammers bypass traditional security checks. In response, some countries have implemented a secure digital ID that biometrically syncs to one’s smartphone, and the NCUA noted that it is currently evaluating this technology.
CFPB orders bank to pay $6.2 million; alleges overdraft fees violate CFPA, EFTA
On December 7, the CFPB announced a consent order against a Virginia-based bank, alleging it engaged in deceptive acts and practices and failed to comply with Regulation E. According to the CFPB, the bank did not comply with Regulation E because it did not provide appropriate written disclosures before enrolling customers in its overdraft service and imposing overdraft fees. The CFPB alleged that under the bank’s procedures, branch employees would provide oral disclosures and obtain oral consent but did not provide customers with the required written consent form under Regulation E until the end of the account-opening process. According to the CFPB, while the bank changed its practices partway through the period covered by the consent order, the disclosures it provided were still inadequate. The bank allegedly “requested that new customers orally specify their enrollment decision before providing them with adequate written notice describing the [opt-in] service,” which thereby allegedly breached the Electronic Fund Transfer Act.
The CFPB also alleged the bank committed deceptive actions or practices when marketing opt-in overdraft services to consumers via telephone. Specifically, the CFPB alleged that the bank did not provide its customer service representatives with a script, which resulted in representatives failing to clearly differentiate between transactions covered by the bank’s standard versus its opt-in overdraft protection service. The CFPB asserted that these statements qualified as “representations and omissions of key information were likely to mislead consumers,” and that as a result, the Bank did not comply with the CFPA and Regulation E.
The consent order imposes a $1.2 million civil money penalty and requires the bank to refund at least $5 million to affected consumers. The consent order also requires the bank to obtain a new overdraft enrollment decision from affected consumers before charging overdraft fees. Moreover, the bank must also create and implement a comprehensive compliance plan to ensure its overdraft program complies with all applicable laws. Finally, the consent order requires the bank to monitor compliance, maintain records, and inform the CFPB of any changes or developments that could impact its compliance responsibilities in the consent order.
NY AG and others demand cooperation and accountability from big banks; write to CFPB and OCC
On December 7, the Attorney General for the State of New York, Letitia James, led a group of 20 attorneys general in submitting letters to the OCC and the CFPB urging the agencies to ensure that national banks cooperate with state attorneys’ general investigations into violations of state laws. The letters state that in the beginning of the 2000s, banks began to claim immunity from state oversight. The attorneys general argue that this position was furthered by a 2002 OCC advisory letter directing states to refer potential violations of state law to the OCC, and a 2004 rule which expanded the test for when national banks were exempted from state laws. The attorneys general allege that states’ have been limited “in their ability to address a wide range of unfair and deceptive practices that affect their citizens, including bait-and-switch practices and the failure to clearly and conspicuously disclose rate changes, late fees and overdraft fees.” As a result, the attorneys general ask the OCC to “issue supervisory guidance… advising that it is unsafe and unsound, and that it creates a material risk of unfair or abusive acts or practices, for any [b]ank to refuse to cooperate with State AG information requests that seek to further enforcement of applicable state laws.”
Illinois Collection Agency Act oversight transferred to the Division of Financial Institutions
Effective November 20, 2023, the Illinois Department of Financial and Professional Regulation adopted provisions regarding the Illinois Collection Agency Act. According to the Notice of Adopted Repealer, Public Act 102-975 has transferred the oversight of collection agencies from the Division of Professional Regulation to the Division of Financial Institutions. With the Division of Financial Institutions planning to introduce new regulations to align them to the agency’s standards, the Department proposes to repeal the existing regulations from the Division of Professional Regulation.
EU court clarifies conditions for imposing GDPR fines
On December 5, the Court of Justice of the European Union (CJEU) issued a judgment clarifying the conditions under which a General Data Protection Regulation (GDPR) fine can be imposed on data controllers. The judgment is in response to two cases involving GDPR fines: (i) a German case in which a real estate company was fined for allegedly storing personal data for tenants for longer than necessary, and (ii) a Lithuanian case in which a government health center was fined in connection to the creation of an app that registered and tracked people exposed to Covid-19.
In the judgment, the CJEU clarified that a data controller can only face an administrative fine under the GDPR for intentional or negligent violations—that is, violations for which a data controller was aware or should have been aware of “the infringing nature of its conduct,” regardless of their knowledge of the specific violation. The judgment also held that for a legal person, it is not necessary for the violation to be committed by its “management body,” nor does that body need to have knowledge of the specific violation. Instead, the legal person is accountable for violations committed by its representatives, directors, or managers, and those acting on their behalf within the business scope. Additionally, imposing an administrative fine on a legal entity as a data controller does not require prior identification of a specific person responsible for the violation.
The judgment also addressed administrative fines for operations involving multiple entities. The CJEU noted that a controller may have a fine imposed upon it for actions undertaken by its processor. The court also clarified that a joint controller relationship arises from the two or more entities participating in determining the purpose and means for processing, and “does not require that there be a formal arrangement between the entities in question.”
To calculate the amount of an administrative fine under the GDPR, the supervisory authority must consider the notion of an “undertaking” under competition law. The maximum fine must be based on the percentage of the total worldwide annual turnover of the particular undertaking in the preceding business year.
OCC issues guidance on BNPL loans
On December 6, the OCC posted Bulletin 2023-37 to provide banks with guidance on Buy Now, Pay Later (BNPL) loans. The OCC defined BNPL as point-of-sale or “pay-in-4” installment loan products. The OCC noted that, if BNPL products are used responsibly, they “can provide consumers with a low-cost, short-term, small-dollar financing alternative to manage cash flow.”
The OCC emphasized that the banks should offer BNPL loans in accordance with standards for safety and soundness, treat customers fairly, provide fair access to financial services, and act in compliance with applicable laws and regulations. In the bulletin, the OCC highlighted the risks to banks associated with offering BNPL lending, including credit, compliance, operational, strategic, and reputational risks to banks. In particular, the bulletin also underscores the risks that borrowers may not fully understand their BNPL repayment obligations, the challenges of underwriting BNPL applicants who have limited or no credit history, the lack of standardized disclosure language, and the risks of merchant disputes, among other risks.
The OCC recommended banks consider risk management practices, such as maintaining “underwriting, repayment terms, pricing, and safeguards that minimize adverse customer outcomes” tailored to the unique characteristics and risks of BNPL loans. The bulletin also advised banks to pay close attention to “the delivery method, timing, and appropriateness of marketing, advertising, and consumer disclosures,” in particular to ensure that all such documents clearly disclose the borrower’s obligations and any fees that may apply.