On February 16, the CFPB published the results of a report that found, on average, larger banks charged higher credit card interest rates than smaller banks and credit unions. The CFPB’s data suggested larger banks charge interest rates eight to 10 points higher than non-large banks. If a consumer were to pick a large bank credit card over a smaller bank, the consumer would see an estimated difference of “$400 to $500” in additional annual interest.
Other findings from the report suggested that large issuers offered higher rates across credit scores: e.g., the median interest rate for people with scores between 620 and 719 was 28.20 percent for large banks and 18.15 percent for small ones. The CFPB also found 15 bank-issued credit cards with interest rates above 30 percent; nine of the largest issuers reported at least one product over that rate. Lastly, the report found that large banks were more likely to charge annual fees, with 27 percent of large banks charging an annual fee, compared to 9.5 percent of small banks. The CFPB published a table comparing large and small banks that showed median purchase APR by credit tier.
Recently, the National Credit Union Administration (NCUA) announced it will reinstate assessing civil money penalties for credit unions that fail to submit a call report (NCUA Form 5300) in a timely manner. The call report program was suspended after December 2019 during the Covid-19 pandemic. “The December 2023 Call Report will be the first reporting cycle under the reinstated program and will be due by 11:59:59 p.m. Eastern time, January 30, 2024.” The NCUA states it will send a reminder to credit unions with outstanding call reports a week before their deadline. The NCUA will also consider extenuating circumstances, including the size and good faith of the credit union, the gravity of the violation, the history of previous violations, and other matters like natural disasters or incapacitation of key employees.
On July 28, the OCC, FDIC, NCUA and Fed issued an addendum to the Interagency Policy Statement on Funding and Liquidity Risk Management, issued in 2010. The update on liquidity risks and contingency planning emphasizes that depository institutions should regularly evaluate and update their contingency funding plans, referencing the unprecedented deposit outflows resulting from the early 2023 bank failures. According to the addendum, depository institutions should assess the stability of their funding, keep a range of funding sources, and regularly test any contingency borrowing lines in order to prepare staff in the case of adverse circumstances. Additionally, the addendum states that if contingency funding arrangements include discount windows, the depository institutions should ensure they can borrow from the discount window by (i) establishing borrowing arrangements; (ii) confirming that collateral is available to borrow in an appropriate amount; (iii) conducting small value transactions regularly to create familiarity with discount window operations; (iv) establishing familiarity with the pledging process for collateral types; and (v) being aware that pre-pledging collateral can be useful in case liquidity needs arise quickly. The agencies also state that federal and state-chartered credit unions can access the Central Liquidity Facility, which provides contingent federally sourced backup liquidity where a credit union’s liquidity and market funding sources prove inadequate.
On June 28, the NCUA released its annual report on cybersecurity and credit union system resilience to the House and Senate banking committees. The report outlines measures the agency has taken to strengthen cybersecurity within the credit union system, outlines significant risks and challenges facing the financial system due to the NCUA’s lack of authority over third-party vendors, and addresses current and emerging threats. Explaining that cybersecurity is one of the NCUA’s top supervisory priorities with cyberattacks being a top-tier risk under the agency’s enterprise risk management program, the report discusses ways the NCUA continues to enhance the cybersecurity resilience of federally insured credit unions (FICUs). Measures include continually improving the agency’s examination program, providing training and support, and implementing a final rule in February, which requires FICUs to report any cyberattacks that disrupt their business operations, vital member services, or a member information system as soon as possible (and no later than 72 hours) after the FICU’s “reasonable belief that it has experienced a cyberattack.” The final rule takes effect September 1. The report also raises concerns regarding the NCUA’s lack of authority over third-party vendors that provide services to FICUs. Calling this a “regulatory blind spot” with the potential to create significant risks and challenges, the agency stresses that one of its top requests to Congress is to restore the authority that permits the agency to examine third-party vendors.
On June 27, the U.S. District Court for the Northern District of New York granted final approval of a class action settlement, resulting in a defendant credit union paying approximately $5.2 million to settle allegations concerning illegal overdraft/non-sufficient funds (NSF) fees and inadequate disclosure practices. As described in plaintiffs’ unopposed motion for preliminary approval, the defendant was sued in 2020 for violating the EFTA (Regulation E) and New York General Business Law (NY GBL) § 349. According to plaintiffs, defendant charged overdraft fees and NSF fees that were not permitted under its contracts with its members or Regulation E. Plaintiffs’ Regulation E and NY GBL liability theories are premised on the argument that defendant’s “opt-in form did not inform members that these fees were charged under the ‘available balance’ metric, rather than the ‘actual’ or ‘ledger’ balance metric”—a violation of Regulation E and NY GBL § 349. The plaintiffs’ liability theory was that defendant’s “contracts did not authorize charging overdraft fees when the ledger or actual balance was positive.”
Under the terms of the settlement, defendant is required to pay $2 million, for which 25 percent of the settlement fund will be allocated to class members’ Regulation E overdraft fees, 62.5 percent will go to class members’ GBL overdraft fees, and 12.5 percent will be allocated to class members’ breach of contract overdraft fees. Defendant is also required to pay $948,812 in attorney’s fees, plus costs, and $10,000 service awards to the two named plaintiffs. Additionally, the defendant has agreed to change its disclosures and will “forgive and release any claims it may have to collect any at-issue fees which were assessed by [defendant] but not collected and subsequently charged-off, totaling approximately $2,300,000.”
On March 23, the Virginia governor signed HB 1727, which amends the Virginia code to allow credit unions operating in the commonwealth to engage in virtual currency custody services, provided the credit union “has adequate protocols in place to effectively manage risks and comply with applicable laws and, prior to offering virtual currency custody services, the credit union has carefully examined the risks in offering such services through a methodical self-assessment process.” The amendments stipulate that in order to engage in such services, a credit union must implement effective risk management systems and controls, confirm adequate insurance coverage, and maintain a service provider oversight program.
The amendments further provide that a credit union may offer such services in a fiduciary or nonfiduciary capacity; however, in order to provide virtual currency custody services in a fiduciary capacity, the credit union must first obtain approval from the State Corporation Commission. Commission approval is contingent upon a credit union having sufficient capital structure to support providing such services, credit union personnel being adequately trained to ensure compliance with governing laws and regulations, and that granting such authority is in the public interest. The amendments are effective July 1.
On February 16, the NCUA approved a final rule that requires federally-insured credit unions (FICUs) to notify the agency as soon as possible (and no later than 72 hours) after a FICU “reasonably believes that a reportable cyber incident has occurred.” Specifically, the rule requires FICUs to report cyber incidents that lead “to a substantial loss of confidentiality, integrity, or availability of a network or member information system as a result of the exposure of sensitive data, disruption of vital member services, or that has a serious impact on the safety and resiliency of operational systems and processes.” Under the rule, FICUs must report any cyberattacks that disrupt their business operations, vital member services, or a member information system within 72 hours of the FICU’s “reasonable belief that it has experienced a cyberattack.” The NCUA explained that the 72-hour notification requirement provides an early alert to the agency but that the rule does not require the submission of a detailed incident assessment within this time frame. The final rule takes effect September 1. Additional reporting guidance will be provided prior to the effective date.
“Through these high-level early warning notifications, the NCUA will be able to work with other agencies and the private sector to respond to cyber threats before they become systemic and threaten the broader financial services sector,” NCUA Chairman Todd M. Harper said. Harper further explained that “[t]his final rule will also align the NCUA’s reporting requirements with those of the federal banking agencies and the Cyber Incident Reporting for Critical Infrastructure Act.”
On January 27, the NCUA board unanimously voted to maintain the current temporary 18 percent interest rate ceiling for loans made by federal credit unions (FCUs) for another 18 months. The extension starts after the current period ends March 10. According to the announcement, the National Association of Federally-Insured Credit Unions (NAFCU) urged the NCUA to immediately raise the interest rate ceiling to 21 percent in order to help mitigate interest rate-related risks facing FCUs. Recognizing that the NAFCU “has consistently advocated for a floating permissible interest rate ceiling to address constraints of the 15 percent ceiling set by the FCU Act,” NCUA Chairman Todd Harper said the agency is conducting an analysis of a floating interest rate ceiling that should be completed by the April board meeting.
On October 25, the U.S. Court of Appeals for the Seventh Circuit affirmed a district court’s ruling dismissing a putative class action alleging an internet credit union improperly charged account holders non-sufficient funds (NSF) fees. Plaintiff claimed she signed an account agreement with the credit union, which required the use of a ledger-balance method when assessing NSF fees, and that only one NSF fee is permitted per transaction. According to the plaintiff, the credit union breached its contract by charging her a $25 NSF fee when she attempted to pay a $6,000 bill, even though her account’s ledger balance was $6,670.94 at the time. She further claimed the credit union charged multiple NSF fees for the same item. The credit union maintained, however, that the contract allowed it to use the “available-balance method” to assess such fees instead. The opinion explained that the ledger-balance method calculates a balance based on posted debits and deposits (and does not incorporate transactions until they are settled), whereas the available-balance method considers holds on deposits and transactions that have been authorized but not yet settled when calculating a customer’s balance. The district court granted the credit union’s motion to dismiss, rejecting the plaintiff's account balance theory by “explaining that ‘the plain, unambiguous language states that a member needs sufficient available funds’ and reasoning that [plaintiff’s] proposed reading would render [the contract’s] use of the word ‘available’ meaningless.” The district court also maintained that the plural use of the word “fees” permitted the credit union to charge multiple fees when a merchant presented the same transaction more than once.
On appeal, the 7th Circuit agreed with the district court that the agreement did not prohibit the credit union from “charging multiple NSF fees for a transaction that is presented and rejected several times.” While recognizing that the credit union “could have drafted the [a]greement more clearly than it did,” the appellate court determined that the credit union never promised “not to use the available-balance method to assess NSF fees or not to charge multiple fees when a transaction is presented to it multiple times,” and upheld the dismissal of plaintiff’s breach-of-contract claim.
On August 22, the U.S. District Court for the District of Nevada granted a defendant credit union’s motion to compel arbitration regarding a consumer’s signature on bank-owned equipment. According to the order, the plaintiff alleged that the defendant violated 42 U.S.C. § 407 by transferring Social Security benefits from his savings account to his checking account to pay a debt. In March, a magistrate judge determined “that given ‘the liberal construction courts are to afford pro se complaints, it appears Plaintiff states a claim against [the defendant] at least for purposes of surviving screening’ and ordered that the case would proceed against [the defendant]” who filed the motion to compel arbitration. The order further noted that in support of its assertion, the defendant provided documentation evidencing the plaintiff’s agreement to arbitrate all claims regarding his account. The defendant submitted an affidavit, a copy of the signature card that the plaintiff executed when he opened his account with the credit union, all subsequent signature cards executed by the plaintiff, and a copy of the “Important Account Information for Our Members,” among other things.
According to the affidavit, the signature card the plaintiff executed when he opened his account included the “agreement to the terms and conditions outlined in the Important Account Information for Our Members,” and further indicated that the “[w]ritten notice we give you is effective when it is deposited in the United States Mail with proper postage and addressed to your mailing address we have on file.” The order noted that the “Notice of Change to the Terms and Conditions of Your Account was provided,” and “[t]hat document included a mandatory arbitration provision and the ability to opt out of arbitration.” The defendant argued “that by not exercising his right to opt-out, the agreement necessitates the action be moved into arbitration.” The plaintiff asserted that his signature was collected on an electronic device and because the signature was collected electronically, it was incorporated by fraud. The plaintiff also contended that he did not explicitly sign a document setting forth an arbitration clause because he only electronically input his signature to obtain a debit card.
According to the district court, the plaintiff “does not assert that he did not sign the signature card when he initially opened his account and received the debit card. He asserts that he never agreed to arbitrate his claims because he never received or signed an arbitration agreement.” The district court granted the defendant’s motion to compel arbitration, determining that a valid arbitration agreement existed between the parties and that the agreement encompasses the plaintiff’s claims. Among other things, the district court explained that “a valid arbitration agreement exists,” because the “signature card signed by [the plaintiff] certifies ‘[a]greement to the terms and conditions outlined in the Important Account Information For Our Members disclosure and any other material pertaining to the account.’” The district court further wrote that such a “statement plainly refers to an external document, and plainly states that the [plaintiff] agreed to be bound by the terms contained therein. Moreover, [the plaintiff’s] assertion that he did not actually receive the Important Account Information For Our Members disclosure does not defeat the signature card’s statement that [the plaintiff] bound himself to the terms contained therein.” Additionally, by signing the signature card, the plaintiff agreed to arbitrate every claim arising from or relating in any way to his account.