InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Biden signs bills providing 10-year SOL on PPP and EIDL fraud
On August 5, President Biden signed the Paycheck Protection Program and Bank Fraud Enforcement Harmonization Act (see H.R. 7352) and the COVID-19 Economic Injury Disaster Loan Fraud Statute of Limitations Act (see H.R. 7334). H.R. 7352 provides a 10-year statute of limitations for fraud by borrowers under the SBA’s Paycheck Protection Program, while H.R. 7334 establishes a 10-year statute of limitations for fraud by borrowers under the SBA’s Covid-19 Economic Injury Disaster Loan programs.
CFPB receives rulemaking petition seeking validation of credit score models for credit unions
Recently, the CFPB received a rulemaking petition seeking validation of credit score models for credit unions. The petition, which seeks “a rule governing the requirement to periodically validate credit scores for all lending or financing entities,” argues that validation is necessary to measure the effectiveness of credit scores being used to measure credit risk. Claiming that general letters of compliance from credit reporting agencies are inadequate, the petitioner explains that these letters do not “address the misapplication of credit scores by banks, credit card issuers, auto financing groups or individual credit unions that are the primary cause of errors and financial exclusion.” According to the petitioner, “[o]nly a statistically valid empirically derived study based on funded and declined loans will resolve many of the issues in consumer lending today.” The petitioner points out that validation reports “provide the information necessary to measure the efficiency of the credit score being used to measure credit risk,” and that “[d]emographic comparisons of funded and declined applicants can also be used to identify if the underwriting guidelines used in the application of credit scores result in acceptable percentages of financial inclusion for minorities or protected consumer groups.”
CFPB highlights risks associated with BNPL products
On August 4, the CFPB released a report highlighting risks associated with new product offerings that the agency claimed blur the line between payments and commerce. The report examined the development of new capabilities—like “super apps,” buy now, pay later (BNPL), and embedded commerce—that have the potential to streamline payments, facilitate commerce, and enhance user experience, but may also create opportunities for companies to aggregate and monetize consumer financial data. With respect to “super apps,” the Bureau warned that these services have “morphed” into a “bank in an app” model, providing a “wide array of financial, payment and commerce functions within a single app.” These financial services super apps may seem to be more convenient than having multiple relationships with different organizations, the Bureau said, but cautioned that using these products may limit consumer product and service choice. “While consumers can opt to use a payment offering outside an app, such super apps create the potential for providers to steer consumers to specific solutions and/or limit access to some products.”
The report also raised concerns about tech firms offering their own lending or BNPL products. The Bureau pointed out that BNPL options, which provide unsecured short-term credit allowing consumers to split purchases into four equal interest-free payments at the point of sale, have “soared in recent years” as a popular alternative to credit cards. The Bureau noted it is “carefully focused on the shift toward real-time payments in the United States,” and is “seeking to mitigate the potential consequences of large technology firms moving into this space.”
The Bureau further stressed it is “carefully monitoring the payments ecosystem as part of a multifaceted effort to promote fair, transparent, and competitive markets for consumer financial services,” and said it is currently working on Dodd-Frank Act rules that would give consumers more control over the personal financial data that they choose to share with finance and payment apps. The Bureau also stated that it is “assessing new models of lending integrated with payments and ecommerce, such as BNPL,” and plans to issue a report on its findings and make a determination as to whether any regulatory interventions are appropriate. Last year, the Bureau issued a series of orders to five companies seeking information regarding the risks and benefits of the BNPL credit model (covered by InfoBytes here).
Special Alert: NYDFS fines trading platform for BSA/AML, transaction monitoring, and cybersecurity lapses
The New York Department of Financial Services and a trading platform on Aug. 1 entered into a consent order to resolve deficiencies identified during a 2019 examination and a subsequent investigation by the department’s enforcement section. The consent order focused on deficiencies related to Bank Secrecy Act and anti-money-laundering compliance, transaction monitoring, cybersecurity, and related New York certifications of compliance. The company will pay a $30 million civil monetary penalty and retain an independent consultant that will assist with remediating the issues highlighted in the order and report to NYDFS on remediation progress.
The consent order has far-reaching implications for all financial services companies that come under the jurisdiction of the NYDFS.
The trading platform is a wholly owned subsidiary of a financial services company that offers U.S.-based retail investors the ability to trade stocks, options, and crypto currency on a commission-free basis through its broker-dealer subsidiary. The trading platform is licensed by the NYDFS to engage in virtual currency and money transmitter businesses in New York. Of primary concern for the NYDFS was the platform’s alleged reliance on its parent company’s compliance and cybersecurity programs through enterprisewide systems that the NYDFS found to be inadequate. Additionally, according to NYDFS, the platform allegedly had few to no qualified personnel or management involved in overseeing those programs, which NYDFS has implicitly indicated cannot be outsourced.
Class certification granted in TCPA suit against satellite provider
On August 1, the U.S. District Court for the Northern District of West Virginia granted a plaintiff’s motion for class certification in an action against a satellite TV company (defendant) for allegedly placing unwanted telemarketing robocalls. According to the order, the plaintiffs alleged that the defendant retained a communications company to sell the defendant’s services and that the communications company purchased a list of leads and phone numbers from a third party to make telemarketing calls. According to the plaintiffs, the communications company failed to scrub the list for numbers on the national do-not-call list and called those numbers in violation of the TCPA. The district court noted that “[t]here are two overriding questions in this case: (1) whether [the communications company] contacted class members listed on the do-not-call registry; and (2) whether [the defendant] is liable for [the communication company’s] actions.” The district court further noted that “[a]ny individual issues or defenses are limited and easily resolved with aggregate data from defendant []." In agreeing with the “plaintiffs’ contention that this is a ‘model case for the application of the class action mechanism,’” the district court certified a nationwide class of nearly 114,000 individuals whose telephone numbers were listed on the do-not-call list and who received more than one telemarketing call within any 12-month period at any time from the communications company to promote the defendant.
FDIC issues 2022 Supervisory Insights
On August 3, the FDIC released its summer 2022 issue of Supervisory Insights, which contains an article discussing financial performance and examination observations about commercial real estate (CRE) lending risk management practices and an article describing the application of capital, investment, and financial reporting requirements for the issuance of and investment in subordinated debt. The article, Commercial Real Estate: An Update on Bank Lending Amid the Evolving Pandemic Backdrop, discusses the financial performance of banks concentrated in CRE lending as well as examination observations about CRE lending risk management practices. The article also describes the FDIC’s forward-looking supervisory focus for banks with significant exposure in this sector. The FDIC noted that inflation, rising interest rates, and supply chain challenges are possible determinants of increased risk. The article, Subordinated Debt: Issuance and Investment Considerations, “is intended to help financial institutions better understand the applicable capital, investment, and financial reporting requirements for the issuance of and investment in subordinated debt.” According to the FDIC, a key takeaway of Subordinated Debt Investments is that “[i]nstitutions may generally only purchase investment grade subordinated debt securities that are permissible investments for national banks.”
FDIC, OCC announce disaster relief
On August 3, the FDIC issued FIL-38-2022 to provide regulatory relief to financial institutions and help facilitate recovery in areas of Kentucky affected by severe storms, flooding, landslides and mudslides that began July 26 and is ongoing. The FDIC acknowledged the unusual circumstances faced by institutions affected by the storms and suggested that institutions work with impacted borrowers to, among other things: (i) extend repayment terms; (ii) restructure existing loans; or (iii) ease terms for new loans to those affected by the severe weather, provided the measures are done “in a manner consistent with sound banking practices.” The FDIC noted that institutions may receive favorable Community Reinvestment Act consideration for community development loans, investments, and services in support of disaster recovery. The agency will also consider relief from certain reporting and publishing requirements.
The same week the OCC issued a proclamation permitting OCC-regulated institutions, at their discretion, to close offices affected by flooding in Kentucky “for as long as deemed necessary for bank operation or public safety.” The proclamation directed institutions to OCC Bulletin 2012-28 for further guidance on actions they should take in response to natural disasters and other emergency conditions. According to the 2012 Bulletin, only bank offices directly affected by potentially unsafe conditions should close, and institutions should make every effort to reopen as quickly as possible to address customers’ banking needs.
Trade groups petition CFPB to supervise data aggregators
On August 2, several bank and credit union trade groups petitioned the CFPB asking the Bureau to create regulations that would allow the agency to conduct routine exams and supervise data aggregators and their customers. While the Bureau is currently considering rulemaking under Section 1033 of the Dodd-Frank Act with respect to consumer access to financial records and has “affirmed its commitment to ‘monitoring the aggregation services market and ensuring consumer protection and safety,’” the petition argued that there is a “supervisory imbalance” between banks and nonbanks in terms of data oversight. “[A]mong the participants in the market for aggregation services, typically, data holders, such as banks and credit unions, are regularly supervised and examined by the CFPB, whereas nondepository institutions such as data aggregators and data users are not examined by the CFPB,” the petition stated, adding that this “creates both an unsustainable model as the aggregation services market grows and the risk that the laws applicable to the activities of those larger participants in this market will be enforced inconsistently.” As a result, the petition warned that potential consumer harm attributed to data aggregator and data user activity may not be identified and remedied in a timely manner. The trade groups called for the Bureau to create a rule that would add a definition for “larger participants of a market” for aggregation services, as well as define the term “aggregation services” to mean a “financial product or service” under Title X of Dodd-Frank. Doing so would ensure that “all providers of comparable financial products and services” are subject to similar levels of accountability, the petition said.
OFAC sanctions Russian companies and other entities
On August 1, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced several new sanctions in response to Russia’s invasion of Ukraine. The new sanctions, issued pursuant to Executive Order 14024, target elites, a major multinational company, a sanctions evasion operation, and a yacht used by a sanctioned individual. The action was taken together with the U.S. Department of State, which imposed additional sanctions on entities and individuals, as well as visa restrictions. As a result of the sanctions, all property and interests in property belonging to the sanctioned persons that are in the U.S. or in the possession or control of U.S. persons, and “any entities that are owned, directly or indirectly, 50 percent or more” by the targeted persons are blocked and must be reported to OFAC. Additionally, U.S. persons are prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons, unless exempt or authorized by a general or specific OFAC license.
The following day, OFAC issued several new Russia-related General Licenses (GLs). OFAC also published three frequently asked questions regarding “Russian Harmful Foreign Sanctions.”
Hsu discusses cybersecurity risks to financial sector
On August 2, acting Comptroller of the Currency Michael J. Hsu delivered remarks before the Joint Meeting of the Financial and Banking Information Infrastructure Committee and the Financial Services Sector Coordinating Council focusing on cybersecurity risks to the financial services sector. Hsu called for collaboration among public and private sector stakeholders to safeguard the financial services sector. Hsu noted that the financial services sector has done “a good job of building cyber defenses and working with law enforcement and the regulatory community to guard against attacks,” but warned that “we cannot be complacent.” He noted that the OCC has recently observed increases in cyberattack frequency and severity against financial institutions and service providers, and that cyberattacks, such as ransomware, have risks beyond financial loss. Hsu added that “disruption to financial services can significantly impact banks’ abilities to deliver critical services to their customers and has the potential to affect the broader economy.” He also stressed that banks “need to assess both the potential impact cyber incidents may have on their own institution and the impact a cyber disruption may have on the broader financial system.” He also stated that cybersecurity breaches have been caused or intensified by the failure to have effective controls in three areas: (i) authentication; (ii) systems configuration and patch management; and (iii) cyber response and resilience capabilities. Hsu concluded by emphasizing the OCC’s commitment “to working with CISA, our financial sector counterparts, and other sectors to ensure that we have strong partnerships across the government.”