InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
North Dakota trade associations sue Fed over debit-card interchange fees
On April 29, two North Dakota trade associations filed a complaint against the Federal Reserve Board, claiming the Fed has “failed to properly follow Congress’s instructions to ensure that debit-card processing fees are reasonable and proportional to the costs of debit-card transactions.” The plaintiffs’ suit revolves around interchange fees—currently capped at 21 cents—paid by merchants to card issuer banks to process debit-card transactions. The interchange fees are intended to compensate issuers for their costs in a transaction, but the plaintiffs contend that the fees have become a “lush profit center for issuers.” Among other things, the plaintiffs allege that the Fed has failed to enforce provisions under Dodd-Frank’s “Durbin Amendment,” which amended the EFTA and limited the interchange fees paid to large issuers to an amount “that is ‘reasonable and proportional to the cost incurred by the issuer with respect to the transaction.’” The amendment also directed the Fed to distinguish between incremental, processing costs and other costs “not specific to a particular electronic debit transaction”—a requirement the plaintiffs argue is not reflected in the Fed’s final rule. Moreover, the plaintiffs contend that the Fed’s final rule, Regulation II, creates “a one-size-fits-all fee” that does not tie the maximum allowable fee to a specific transaction, and allows all covered issuers to charge up to 21 cents for any debit-card transaction regardless of the issuer’s actual processing costs (as well as .05 percent of each transaction “to compensate the issuers for fraud losses”). The plaintiffs claim the Fed’s actions are arbitrary and capricious and exceed the Fed’s statutory authority and ask the court to vacate the rule at issue.
OCC counters CSBS’s arguments in fintech charter challenge
On April 29, the OCC responded to the Conference of State Bank Supervisors’ (CSBS) most recent challenge to the OCC’s authority to issue Special Purpose National Bank Charters (SPNB). As previously covered by InfoBytes, CSBS filed a complaint last December opposing the OCC’s alleged impending approval of an SPNB for a financial services provider, arguing that the OCC is exceeding its chartering authority.
The OCC countered, however, that the same fatal flaws that pervaded CSBS’s prior challenges (covered by InfoBytes here), i.e., that its challenge is unripe and CSBS lacks standing, still remain. According to the OCC, the cited application (purportedly curing CSBS’s prior ripeness issues) is not for an SPNB—the proposed bank would conduct a full range of services, including deposit taking. Further, the OCC stated, even it if was an application for a SPNB charter, there are multiple additional steps that need to occur prior to the OCC issuing the charter, which made the challenge unripe. As to standing, the OCC asserted that any alleged injury to CSBS or its members is purely speculative. Finally, the OCC contended that CSBS’s challenge fails on the merits because the challenge relies on the premise that the company’s application must be for a SPNB, not a national bank, because the company is not going to apply for deposit insurance but there is no requirement in the National Bank Act, the Federal Deposit Insurance Act, or the Federal Reserve Act that requires all national banks to acquire FDIC insurance.
OCC updates Credit Card Lending booklet
On April 29, the OCC issued Bulletin 2021-22 announcing the revision of the Credit Card Lending booklet of the Comptroller’s Handbook. The booklet rescinds OCC Bulletin 2015-14 and replaces version 1.2 of the “Credit Card Lending” booklet that was issued on January 6, 2017. Among other things, the revised booklet (i) discusses the adoption of current expected credit loss methodology and the increased use of such modeling in credit card origination and risk management; (ii) reflects changes to OCC issuances; (iii) includes refining edits regarding supervisory guidance, sound risk management practices, and legal language; and (iv) includes revisions for clarity.
FDIC releases March enforcement actions
On April 30, the FDIC released a list of administrative enforcement actions taken against banks and individuals in March. During the month, the FDIC issued 10 orders consisting of “five Prohibition Orders, three Orders to Pay Civil Money Penalties, two Section 19 Applications, one Order to Correct Conditions, and one Order Terminating Consent Order.” Among the orders is a civil money penalty imposed against a Puerto Rico bank related to alleged violations of the Flood Disaster Protection Act for failing to “timely force place insurance in connection with loans secured by a dwelling located within a special flood hazard area” on 27 occasions. The order requires the payment of a $40,500 civil money penalty.
The FDIC also imposed a civil money penalty against a Tennessee bank related to alleged violations of the Flood Disaster Protection Act. Among other things, the FDIC claims that the bank (i) failed to obtain flood insurance at or before the origination, increase, renewal, or extension of loans in 61 instances; (ii) failed to maintain an adequate amount of flood insurance in 88 instances; (iii) failed to provide required lender-placed flood insurance notices to borrowers within 45-days of force placement in 10 instances; (iv) provided an incomplete lender-placed flood insurance notice to a borrower; and (v) failed to provide timely notice of special flood hazards and the availability of federal disaster relief assistance in 37 instances. The order requires the payment of a $172,500 civil money penalty.
FDIC announces Kentucky and Alabama disaster relief
On April 30, the FDIC issued FIL-31-2021 and FIL-32-2021 to provide regulatory relief to financial institutions and help facilitate recovery in areas of Kentucky and Alabama affected by severe storms. The FDIC acknowledged the unusual circumstances faced by institutions affected by the storms and suggested that institutions work with impacted borrowers to, among other things, (i) extend repayment terms; (ii) restructure existing loans; or (iii) ease terms for new loans to those affected by the severe weather, provided the measures are done “in a manner consistent with sound banking practices.” Additionally, the FDIC noted that institutions “may receive favorable Community Reinvestment Act consideration for community development loans, investments, and services in support of disaster recovery.” The FDIC will also consider regulatory relief from certain filing and publishing requirements.
FDIC announces FDItech virtual ‘Office Hours’
On April 29, the FDIC’s technology lab, FDiTech, announced that it will host a series of virtual “office hours” to hear from a variety of stakeholders in the business of banking concerning current and evolving technological innovations. The office hours will be hour-long, one-on-one sessions that will provide insight into the contributions that innovation has made in reshaping banks and enabling regulators to manage their oversight efficiently. According to the FDIC, “FDiTech seeks to evaluate and promote the adoption of innovative and transformative technologies in the financial services sector and to improve the efficiency, effectiveness, and stability of U.S. banking operations, services, and products; to support access to financial institutions, products, and services; and to better serve consumers.” FDiTech’s goal is to contribute to the transformation of banking by supporting “the adoption of technological innovations through increased collaboration with market participants.” In the first series of office hour sessions, the FDIC and FDiTech are seeking participants’ outlook on artificial intelligence and machine learning related to: (i) automation of back office processes; (ii) Bank Secrecy Act/Anti-Money Laundering compliance; (iii) credit underwriting decisions; and (iv) cybersecurity.
FDiTech anticipates hosting approximately 15 one-hour sessions each quarter. Interested parties seeking to participate in these sessions must contact the FDIC by May 24.
NYDFS tells industry to tighten third-party risk management
On April 27, NYDFS released a report warning the financial services industry to tighten third-party risk management measures, as the “next great financial crisis could come from a cyber-attack.” The report covers a December 2020 cyber-attack described as “part of a widespread, sophisticated cyber espionage campaign by Russian Foreign Intelligence Service actors” focusing on “stealth and stealing sensitive information.” According to the report, hackers installed malware into a software platform used by the government and financial services and telecommunications companies to monitor and manage the performance of their networks. This attack, NYDFS noted, is “the most visible, widespread, and intrusive information technology software supply chain attack” to date and “opened back doors into thousands of organizations, including almost 100 companies in New York’s financial services industry.” While none of NYDFS’s regulated entities’ networks were actively exploited, the regulator warned that these types of attacks highlight the financial services industry’s vulnerability to supply chain attacks. Moreover, because third-party risk management is a key part of NYDFS’s Cybersecurity Regulation, the regulator is “exploring ways to further address this critical component of cybersecurity.” Report findings highlight that, among other things, (i) the patch-management programs for many regulated entities “are immature and lack the proper ‘patching cadence’ needed to ensure timely remediation of high-risk cyber vulnerabilities,” and (ii) “supply chain” cyber-attacks are dangerous since “malware is embedded inside a legitimate product,” allowing “an attacker to access the networks of many organizations in a single stroke.”
The report provides several recommendations, including that entities should (i) include in their vendor risk-management policies and procedures “processes for due diligence and contractual protections that will ensure the company can monitor the cybersecurity practices and overall cyber hygiene of critical vendors”; (ii) adopt a “zero trust” approach and implement multiple layers of security and extra protection for sensitive information; (iii) address vulnerabilities in a timely manner through patch testing, validation processes, and deployment; and (iv) ensure their incident response plans address supply chain compromises.
Fed reports on banks’ resiliency during Covid-19
On April 30, the Federal Reserve Board released a Supervision and Regulation Report noting that banks’ “strong capital and liquidity positions” have aided in the Covid-19 pandemic recovery. The report observed that, during the Covid-19 pandemic, banks were able to raise supplementary capital, liquidity strengthened from an influx of deposits, and capital ratios at most firms remained above regulatory minimums at the end of the year. The report also highlighted that large firms showed operational resilience through the pandemic by “[d]igitization of banking activities allow[ing] firms to continue these operations in the remote work environment.”
FDIC proposal would prohibit misuse of its name or logo
On April 22, the FDIC proposed a rule implementing its authority to prohibit “making misrepresentations about deposit insurance or misusing the FDIC’s name or logo.” The proposed rule is intended to promote transparency on the FDIC’s processes for inspecting and enforcing potential breaches of prohibitions under the FDIC Act by “further clarify[ing] [] procedures for identifying, investigating, and where necessary taking formal and informal action to address potential violations of Section 18(a)(4).” Additionally, the proposed rule would establish a primary point of contact for the public to report or inquire about potential violations. The FDIC specified that the proposed rule is in response to the “increasing number of instances where financial services providers or other entities or individuals have misused the FDIC’s name or logo.”
Comments on the proposed rule will be accepted for 60 days after publication in the Federal Register.
State AGs urge Congress to rescind OCC’s “true lender” rule
On April 21, a coalition of 26 state attorneys general sent a letter urging Congress to exercise its authority under the Congressional Review Act (CRA) and rescind the OCC’s “True Lender Rule” in order to “safeguard states’ fundamental sovereign rights to protect their citizens from financial abuse.” As previously covered by InfoBytes, the OCC’s final rule amended 12 CFR Part 7 to state that a bank makes a loan when, as of the date of origination, it either (i) is named as the lender in the loan agreement or (ii) funds the loan. The final rule also clarified that if “one bank is named as the lender in the loan agreement and another bank funds the loan, the bank that is named as the lender in the loan agreement makes the loan.” In their letter, the AGs expressed concern that the final rule “establishes a simplistic standard to redefine the meaning of ‘true lender,’” enabling predatory lenders to “circumvent” state interest-rate caps through “rent-a-bank” schemes, which would in turn allow banks to act as lenders in name only while passing state law exemptions for banks to non-bank entities. The letter references a complaint filed by eight state AGs against the OCC in January challenging the final rule (covered by InfoBytes here) and argues that in finalizing the rule the OCC “acted in a manner contrary to centuries of case law [and] the OCC’s own prior interpretation of the law,” and seeks to preempt state usury law and “infringe on the States’ historical police powers and facilitate predatory lending.”
In March, both House and Senate Democrats introduced CRA resolutions (see H.J. Res. 35 and S.J. Res. 15) intended to provide for congressional disapproval and invalidation of the OCC’s final rule. The OCC responded on April 14, arguing that “disapproval of the rule would return bank lending relationships to the previous state of legal and regulatory uncertainty, which. . . adversely affects the function of secondary markets and restricts the availability of credit.” The OCC further stated that the final rule is intended to enhance the agency’s ability to supervise bank lending and “does not change bank’s authority to export interest rates” nor does it “permit national banks to charge whatever rate they like” as both federal and state-chartered banks are required to conform to applicable interest rate limits. “Disparities of interest rates from state to state result from differences in the state laws that impose these caps, not OCC rules or actions,” the OCC stressed, adding that “[s]tates retain the authority to set interest rates.” However, the Conference of State Bank Supervisors sent a letter to Congress in support of S.J. Res. 15, disagreeing with the OCC and noting that the final rule, if it stands, would “eviscerate the power of state interest rate caps and rid state regulators of the most effective tool to protect consumers from such predatory lending.”