InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Agencies finalize guidance on managing third parties
On June 6, the OCC, Federal Reserve Board, and FDIC issued interagency guidance to aid banking organizations in managing risks related to third-party relationships, including relationships with financial technology-focused entities. (See also FDIC FIL-29-2023 and Federal Reserve Board memo here.) The joint guidance, final as of June 6, replaces each agency’s existing general guidance on third-party risk management and is directed to all supervised banking organizations. Designed to streamline government guidance on mitigating risks when working with third parties, the final guidance establishes principles for banking organizations to consider when implementing risks management practices. Banking organizations are advised to consider and account for the level of risk, complexity, and size of the institution, as well as the nature of the third-party relationship, when conducting sound risk management.
After considering public comments received on proposed guidance issued in July 2021 (covered by InfoBytes here), the final guidance provides directions and expectations for oversight at all stages in the life cycle of a third-party relationship, including topics relating to planning, due diligence and third-party selection, contract negotiations, ongoing monitoring, and termination. Guidance on conducting independent reviews, maintaining documentation, and reporting is also included. The agencies advised banking organizations, particularly community banks, to review illustrative examples to help align risk management practices with the scope and risk profile of their third-party relationships. Additionally, banking organizations should maintain a complete inventory of their third-party relationships, identify higher-risk and critical activities, periodically conduct reviews to determine whether risks have changed over time, and update risk management practices accordingly, the agencies said.
The final guidance emphasizes that the agencies will review a banking organization’s third-party risk management practices as part of the standard supervisory process. When assessing whether activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations, examiners will, among other things, (i) evaluate a banking organization’s ability to oversee and manage third party relationships; (ii) assess the effects of those relationships on a banking organization’s risk profile and operational performance; (iii) perform transaction testing to evaluate whether activities performed by a third party comply with applicable laws and regulations; (iv) conduct conversations relating to any identified material risks and deficiencies with senior management and board of directors; (v) review how a banking organization remediates any deficiencies; and (vi) consider supervisory findings when rating a banking organization.
The agencies stressed that they may take corrective measures, including enforcement actions, to address identified violations or unsafe or unsound banking practices by the banking organization or its third party. The agencies further announced that they plan to immediately engage with community banks and will develop additional resources in the future to help these organizations manage relevant third-party risks.
FTC seeks to work with states on combatting fraud
On June 7, the FTC announced it is soliciting public comments on how the Commission can work more effectively with state attorneys general to prevent and inform consumers about potential fraud. The FTC said in its announcement that the agency and the AGs share a common mission to protect the public from “deceptive or unfair business practices and from unfair methods of competition through law enforcement, advocacy, research, and education.” The request for public comments comes as a result of the FTC Collaboration Act of 2021 (the “Act”), which requires the Commission to not only solicit public comments, but also to consult directly with interested stakeholders. Signed into law last year, the Act directs the FTC to conduct a study on how to streamline and leverage the relationship between the Commission and the AGs to better protect Americans from fraud and hold those committing malicious acts accountable. The FTC requests comments specifically regarding: (i) the roles and responsibilities of the Commission and AGs that best advance collaboration and consumer protection; (ii) how resources should be dedicated to further such collaboration and consumer protection; and (iii) the accountability mechanisms that should be implemented to promote collaboration and consumer protection between the FTC and AGs.
The completed report will be submitted to the House Committee on Energy and Commerce and the Senate Committee on Commerce, Science, and Transportation. Comments are due 60 days after publication in the Federal Register.
CFPB revises supervision and examination manual
On June 5, the CFPB revised its Supervision and Examinations Manual to incorporate minor changes for larger participants under “Module 7 - Consumer Alerts, Identity Theft, and
Human Trafficking Provisions.” The updates specifically included FCRA and Regulation V requirements that prohibit credit reporting agencies (CRAs) from including information in consumer reporting in cases of human trafficking. Notably, the final rule regarding credit reporting on human trafficking victims was issued in 2022 (previously covered by InfoBytes here). The CFPB also stated that all CRAs must “establish and maintain written policies and procedures reasonably designed to ensure and monitor the compliance of the consumer reporting agency and its employees with the requirements of 12 CFR 1022.142.”
CFPB: ECOA, Reg B and small-biz rule apply to franchise finance
The CFPB recently published a letter clarifying the extent to which ECOA and Regulation B apply to franchise financing. The letter also examines how the Bureau’s small business lending rule (finalized in March and covered by InfoBytes here) applies to franchise financing. The Bureau explained that franchisees generally obtain credit either directly from the franchisor or from a third-party finance company. ECOA and Regulation B, the Bureau said, generally apply to business credit (defined as “extensions of credit primarily for business or commercial (including agricultural) purposes,” with limited exclusions), as well as to other credit extended primarily for personal, family, and household use, and that, as such, creditors, including franchisors that provide financing to franchisees are subject to ECOA and Regulation B’s core prohibitions against discrimination. The small business lending rule also covers business credit, the Bureau said, commenting that entities providing credit to franchisees “would generally be financial institutions subject to the rule’s data collection and reporting requirements to the same extent as any other provider of business credit, unless they are subject to one of the narrow exclusions from coverage.”
The Bureau added that it also “anticipates that third-party entities providing credit to franchisees that meet the origination threshold for coverage will be required to collect and report data under the small business lending rule regardless of whether that company is affiliated with the franchisor.” A possible “trade credit” exemption may apply in certain circumstances where a franchisor directly provides credit to a franchisee (trade credit is defined under the small business lending rule “as a ‘financing arrangement wherein a business acquires goods or services from another business without making immediate payment in full to the business providing the goods or services.’”). However, even if the franchisor is covered by the trade credit exemption it still must comply with ECOA and Regulation B’s prohibitions against discrimination.
CFPB highlights problems with chatbots in banking
On June 6, the CFPB released an Issue Spotlight exploring the adoption and use of chatbots by financial institutions. According to the report, financial institutions implement chatbots to reduce the costs of customer service, which is sometimes poorly deployed and can lead to customer frustration, reduced trust, and even violations of the law.
The report found that the use of chatbots raised several risks including: (i) noncompliance with federal consumer financial protection laws; (ii) diminished customer service and trust; and (iii) harm to customers. The Bureau said it has received several complaints from customers who claimed they cannot get the answers they need from such chatbots. The agency reported that about 37 percent of the U.S. population has interacted with chatbots, which is a figure projected to grow, and cautioned that chatbots should not be the primary source of customer service delivery when it is reasonably clear that a chatbot is unable to meet customer needs.
The Bureau said it will continue to monitor the market and encourages people who are having trouble getting the answers they need due to lack of human interaction to submit their complaints to the agency. It also encourages financial institutions to ensure new technology is increasing the quality of customer care.
DFPI, Fed to oversee bank’s self-liquidation
On June 1, the California Department of Financial Protection and Innovation (DFPI) announced that it issued a joint cease-and-desist order with the Federal Reserve Board to fulfill the voluntary liquidation of a crypto-friendly bank. Focusing on providing financial services in the crypto-asset industry, the bank began operating in 2013. In 2023, however, the bank announced its voluntary liquidation, following a mass exodus of high-profile clients. In the fourth quarter of 2022, the bank experienced a sudden drop in deposits, triggered by the collapse of a crypto-exchange company in the previous quarter. DFPI noted that in its most recent examinations of the bank, the bank showed deficits in security and compliance with regulations. Within 10 days of the order, the bank must submit a voluntary self-liquidation plan acceptable to DFPI and upon approval, must implement that plan to wind down its operations “in a safe and sound manner and in compliance with all applicable federal and state laws, rules, and regulations.” The bank has advised that the liquidation will include full repayment of all of its deposits.
OFAC sanctions entities in China and Mexico tied to illicit drugs
On May 30, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions, pursuant to Executive Order 14059, against 17 individuals and entities for their involvement in the rapid increase of equipment used to make illicit drugs. OFAC detailed the impact of the drugs the equipment produces and explained that the counterfeit pills are often laced with fentanyl and ultimately end up in U.S. markets. Targeting every stage of the pill production process, OFAC designated seven entities and six individuals based in China and three individuals based in Mexico for perpetuating the trafficking of illicit drugs through the sale, manufacturing, and/or shipment of pill press equipment.
As a result of these sanctions, all property and interests in property belonging to the sanctioned persons subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons unless authorized by a general or specific license or exempt. Further, financial institutions and persons that engage in certain transactions with the designated persons may themselves be exposed to sanctions or subject to enforcement.
Florida tightens restrictions on phone and text solicitations
On May 25, the Florida governor signed HB 761 (the “Act”) to clarify notice requirements relating to telephone and text message solicitations and to outline conditions under which certain civil actions may be brought. Specifically, the amendments provide that “unsolicited” telephone sales calls involving an automated system used to select and dial numbers or one that plays a recorded message cannot be made without the prior express written consent of the called party. Consent may now be obtained by a consumer “checking a box indicating consent or responding affirmatively to receiving text messages, to an advertising campaign, or to an e-mail solicitation.”
The Act also clarifies that before the commencement of a civil action for damages for text message solicitations, the called party must reply “STOP” to the number that sent the message. The called party may bring an action only if consent is not given and the telephone solicitor continues to send text messages 15 days after being told to cease. The new requirements apply to any suit filed on or after the Act’s immediate effective date, as well as to any putative class action not certified on or before the effective date of the Act. The Act became effective immediately.
District Court preliminarily approves $2.7 million FCRA settlement
On June 1, the U.S. District Court for the Eastern District of California preliminarily approved a class action settlement, which would require a corporate defendant to pay $2.7 million to resolve allegations that it provided false information on credit reports to auto dealers. The defendant sells credit reports to auto dealers to help dealers manage their regulatory compliance obligations, the order explained, noting that one of these obligations prohibits dealers from engaging in business with anyone designated on the U.S. Treasury Department’s Office of Foreign Assets Control’s (OFAC) Specially Designated Nationals (SDN) list. The SDN list is comprised of persons and entities owned or controlled by (or acting for or on behalf of) a targeted company, or non-country specific persons, who are prohibited from conducting business in the U.S. The defendant would flag a consumer as an “OFAC Hit” if it matched a name on the SDN list.
The order explained that when using a “similar name” algorithm script to run the consumer’s name against the SDN list to check for a match, the defendant only ran first and last names and did not input other available information such as birth dates and addresses. The lead plaintiff filed a putative class action pleading claims under the FCRA and California’s Consumer Credit Reporting Agencies Act, alleging his name inaccurately came up as an OFAC hit on a credit report sold to an auto dealer. In turn, the plaintiff was denied credit and suffered emotionally, later learning that the defendant incorrectly matched him with an SDN. According to class members, the defendant failed to follow reasonable procedures to assure maximum possible accuracy when matching consumer information and failed to provide, upon request, all information listed in a consumer’s file. Moreover, the lead plaintiff claimed the defendant failed to investigate the disputed OFAC-related information sold to the dealer. The defendant moved for summary judgment on the premise that it was not acting as a consumer reporting agency and that OFAC check documents were not consumer reports, but the court denied the motion and later certified the class. If finalized, the settlement would provide $1,000 to each of the class members, attorneys fees and costs, and a service award to the lead plaintiff.
FDIC announces Guam disaster relief
On June 2, the FDIC issued FIL-27-2023 to provide regulatory relief to financial institutions and facilitate recovery in areas of Guam affected by Typhoon Mawar. The FDIC acknowledged the unusual circumstances faced by affected financial institutions and encouraged those institutions to work with impacted borrowers to, among other things: (i) extend repayment terms; (ii) restructure existing loans; or (iii) ease terms for new loans, provided the measures are done “in a manner consistent with sound banking practices.” Additionally, the FDIC noted that financial institutions “may receive favorable Community Reinvestment Act consideration for community development loans, investments, and services in support of disaster recovery.” The FDIC will also consider regulatory relief from certain filing and publishing requirements and instructed financial institutions to contact their regional community affairs officer.