Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On November 20, the OCC announced in Bulletin 2013-34 that as part of its ongoing implementation of the Dodd-Frank Act’s mandate that the OCC integrate Office of Thrift Supervision (OTS) policies with existing OCC policies, the OCC is rescinding the OTS compliance documents listed in an appendix provided with the announcement. A second appendix lists OCC policy guidance that the OCC is applying to federal savings associations in cases where policy guidance did not already exist. The announcement does not cover OTS policies and guidance related to the FCRA, the CRA, UDAP, or mortgage regulations, which the OCC plans to address at a later date.
On November 15, the Federal Reserve Board, the FDIC, and the OCC finalized revisions to the “Interagency Questions and Answers Regarding Community Reinvestment” (Q&As). The agencies adopted the revisions largely as proposed, with some minor changes in response to comments. The new Q&As, which include revisions to five questions and answers and two new questions, generally are intended to: (i) clarify how the agencies consider community development activities that benefit a broader statewide or regional area that includes an institution’s assessment area; (ii) provide guidance related to CRA consideration of, and documentation associated with, investments in nationwide funds; (iii) clarify the consideration of certain community development services, such as service on a community development organization’s board of directors; (iv) address the treatment of loans or investments to organizations that, in turn, invest those funds and use only a portion of the income from their investment to support a community development purpose; and (v) clarify that community development lending performance is always a factor considered in a large institution’s lending test rating. The new Q&As take effect when they are published in the Federal Register.
On November 12, the OCC issued Bulletin 2013-33, which establishes the standards the OCC uses when it requires banks to employ independent consultants as part of an enforcement action. The Bulletin explains that when conducting its initial assessment of the need for an independent consultant, the OCC considers, among other factors: (i) the severity of the violations; (ii) the criticality of the function requiring remediation; (iii) confidence in bank management’s ability to identify violations and take corrective action in a timely manner; (iv) the expertise, staffing, and resources of the bank to perform the necessary actions; (v) actions already taken by the bank to address the violations or issues; and (vi) the services to be provided by an independent consultant. The bulletin outlines the OCC’s process for reviewing a consultant selected by a bank, including its expectations for a bank’s due diligence process when retaining an independent consultant. The bulletin also describes the OCC’s oversight of the performance of the consultant, the nature of which can be impacted by, among other things: (i) the nature of deficiencies or violations the independent consultant is engaged to identify, including with respect to recommendations regarding remediation; (ii) the scope and duration of work; and (iii) the potential for and materiality of harm to consumers and the bank.
On November 6, the CFPB announced an advance notice of proposed rulemaking (ANPR) to solicit input on a wide array of issues related to consumer protection in the debt collection market. With the release of the ANPR, the CFPB also announced the publication of approximately 5,000 debt collection complaints in its consumer complaint database.
The ANPR marks the Bureau’s first step toward exercising its rulemaking authority under the Fair Debt Collection Practices Act (FDCPA). Notably, although the FDCPA generally applies only to third-party debt collectors, the CFPB’s regulations could extend to original creditors as well. In addition to the CFPB’s express authority to make substantive rules under the FDCPA, the Bureau made all creditors subject to debt collection guidance issued earlier this year pursuant to its general authority to regulate unfair, deceptive, and abusive practices.
The 162 questions contained in the ANPR focus primarily on the accuracy of information used by debt collectors, how to ensure consumers know their rights, and the communication tactics collectors employ to recover debts.
- Information Accuracy—Due to concern over how information is transferred, the CFPB seeks input on current processes for transferring records and ensuring the integrity of information transmitted. Specifically, the CFPB inquires about how account holders are identified and verified, how claims of improper identification are handled, how amounts of indebtedness are confirmed, and how claims of indebtedness are supported.
- Informed Consumers—Based on its belief that consumers may not sufficiently understand debt collection processes, the CFPB seeks input on the quality of information and disclosures provided to debtors. Specifically, the CFPB inquires about the information and disclosures provided with respect to the specific debt being collected and the debtors’ legal rights, including the rights to dispute debt and limit certain communications.
- Communication Tactics—Based on its concern that harmful communication tactics continue in the debt collection market, the CFPB seeks input on tactics not addressed by the FDCPA. Specifically, the CFPB inquires about frequency of contact with debtors, the means of communication employed, and the use and prevalence of threats by collectors.
The deadline for comments is 90 days from publication of the ANPR in the Federal Register.
On November 1, the CFPB announced a field hearing on “Know Before You Owe: Mortgages,” to be held on Wednesday, November 20 at 11 a.m. EST in Boston. In conjunction with the hearing, the Bureau is expected to release its long-awaited final rule combining the Good Faith Estimate and HUD-1 with the mortgage disclosures under the Truth in Lending Act.
The CFPB has stated that the event will feature remarks from CFPB Director Richard Cordray, as well as testimony from consumer groups, industry representatives, and members of the public. The final rule, which was originally expected in October, will not only replace the forms that consumers receive during the mortgage origination process but will also fundamentally alter the regulations governing the preparation and provision of – and liability for – those disclosures. As a result, lenders, settlement agents, and service providers will be required to make extensive changes to their systems, compliance programs, and contractual relationships.
In September, BuckleySandler hosted a webinar covering the key issues in this rulemaking and discussing what industry can do to start preparing now. The webinar featured a discussion with Jeff Naimon, who has spent years assisting the industry with the existing forms. Please contact Jeff for a copy of the webinar materials or with any questions about the expected rule.
On October 30, the OCC issued Bulletin 2013-29 to update guidance relating to third-party risk management. The Bulletin, which rescinds OCC Bulletin 2001-47 and OCC Advisory Letter 2000-9, requires banks and federal savings associations (collectively “banks”) to provide comprehensive oversight of third parties, including joint ventures, affiliates or subsidiaries, and payment processors. It is substantially more prescriptive than CFPB Bulletin 2012-3, and incorporates third-party relationship management principles underlying recent OCC enforcement actions.
The Bulletin warns that failure to have in place an effective risk management process commensurate with the risk and complexity of a bank’s third-party relationships “may be an unsafe and unsound banking practice.” It outlines a “life cycle” approach and provides detailed descriptions of steps that a bank should consider taking at five important stages:
Planning: A third party relationship should begin with an internal assessment of risks relating to third parties in general, and to the intended third party in particular. Such planning should focus on both the potential impact to the bank and the bank’s customers, as well as potential security, regulatory, and legal ramifications.
Due Diligence and Third Party Selection: The Bulletin requires that the bank conduct an adequate due diligence review of the third party prior to entering a contract. Proper due diligence includes a thorough evaluation of all potential third parties, and the degree of diligence should be commensurate with the level of risk and complexity. In particular, banks should look to external organizations such as trade associations, the Better Business Bureau, the FTC, and state regulators when performing diligence on consumer-facing third parties. While prior Bulletin 2001-47 contained a list of potential items for due diligence review, Bulletin 2013-29 describes them in more detail and adds to the specific areas that due diligence should focus on, including:
- Legal and regulatory compliance: The bank should “evaluate the third party’s legal and regulatory compliance program to determine whether the third party has the necessary licenses to operate and the expertise, processes and controls to enable the bank to remain compliant with domestic and international laws and regulations;”
- Fee structure and incentives: The bank should determine if the fee structure and incentives would create burdensome upfront fees or result in inappropriate risk taking by the third party or the bank;
- Risk management systems: The bank should have adequate policies, procedures, and internal controls, as well as processes to escalate, remediate, and hold management accountable for audit and independent testing reviews;
- Human resource management: The bank should review the third party’s training program and processes to hold employees accountable for compliance with policies and procedures; and
- Conflicting contractual arrangements: The bank should check a third-party vendor’s contractual arrangements with other third parties, which may indemnify the vendor and may therefore expose the bank to additional risk.
Contract Negotiation: All relationships should be documented by a written contract that clearly defines the responsibilities of both the bank and the third party. Among other things, the contract should provide for performance benchmarks, information retention, the right to perform an audit, and OCC supervision. Bulletin 2013-29 expands upon Bulletin 2001-47 with respect to the following areas:
- Legal and regulatory compliance: Contracts should require compliance with applicable laws and regulations, including GLBA, BSA/AML, OFAC, and fair lending, as well as other consumer protection laws and regulations;
- Audits and remediation: Contracts should provide for the bank’s right to conduct audits and periodic regulatory compliance reviews, and to require remediation of issues identified;
- Indemnification: Contracts should include indemnification as appropriate for noncompliance with applicable law, and for failure to obtain any necessary intellectual property licenses;
- Consumer complaints: The bank should specifically require the third party to submit “sufficient, timely, and usable information on consumer complaints to enable the bank to analyze customer complaint activity and trends for risk management purposes;” and
- Subcontractor management: The bank should incorporate provisions specific to the third party’s own use of subcontractors, including obligations to report on conformance with performance measures and compliance with laws and regulations, and should reserve the right to terminate the contract if the subcontractors do not meet the third party’s obligations to the bank.
Ongoing Monitoring: The bank should dedicate sufficient staff to monitor the third party’s activities throughout the relationship as it may change over time. Bulletin 2013-29 expands upon Bulletin 2001-47 in the following notable ways:
- Legal and regulatory compliance: The bank should monitor third-party vendors for compliance with all applicable laws and regulations;
- Early identification of issues: The bank should consider whether the third party has the ability to effectively manage risk by self-identifying and addressing issues;
- Subcontractor management: The bank should continuously monitor a third-party vendor’s reliance on or exposure to subcontractors and perform ongoing monitoring and testing of subcontractors; and
- Consumer complaints: The bank should monitor the “volume, nature, and trends” of consumer complaints relating to the actions of third-party vendors, particularly those that may indicate compliance or risk management deficiencies.
Termination: The Bulletin specifies for the first time a termination “stage” in the third-party relationship management life cycle. Banks should develop a contingency plan for the end of the relationship, either through the normal course or in response to default. The contingency plan may transfer functions to a different third party or in-house.
The Bulletin defines as “critical” any activities involving significant bank functions (payments, clearing, settlements, and contingency planning); significant shared services (information technology); or other activities that (i) could cause a bank to face significant risk as a result of third-party failures, (ii) could have significant customer impacts, (iii) involve relationships that require significant investments in resources to implement and manage, and (iv) could have a major impact on bank operations if an alternate third party is required or if the outsourced activity must be brought in-house.
These “critical” activities should be the focus of special, enhanced risk management processes. Specifically, the bank should conduct more extensive due diligence on the front end, provide summaries of due diligence to the board of directors, ensure that the board of directors reviews and approves third-party contracts, engage in more comprehensive ongoing monitoring of the third party’s performance and financial condition (including, potentially, a look comparable to the analysis the bank would perform when extending credit), ensure that the board of directors reviews the results of ongoing monitoring, and periodically arrange for independent testing of the bank’s risk controls.
Finally, the Bulletin sets forth obligations and responsibilities relating to third-party relationships from the bank employees who manage them to the board of directors, including retention of due diligence results, findings, and recommendations, as well as regular reports to the board and senior management relating to the bank’s overall risk management process.
Questions regarding the matters discussed in this Alert may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.
- Jeffrey P. Naimon, (202) 349-8030
- Christopher M. Witeck, (202) 349-8051
- Jonice Gray Tucker, (202) 349-8005
- Valerie L. Hletko, (202) 349-8054
- Michelle L. Rogers, (202) 349-8013
- Jon David Langlois, (202) 349-8045
Prudential Regulators Issue Joint Agreement On Classification And Appraisal Of Securities Held By Financial Institutions
On October 29, the FDIC, the Federal Reserve Board, and the OCC issued a joint agreement to update and revise the 2004 Uniform Agreement on the Classification of Assets and Appraisal of Securities Held by Banks and Thrifts. The updated agreement reiterates the importance of a robust investment analysis process and the agencies' longstanding asset classification definitions. It also replaces references to credit ratings with alternative standards of creditworthiness consistent with sections 939 and 939A of the Dodd-Frank Act, which directed the agencies to remove any reference to or requirement of reliance on credit ratings in the regulations and replace them with appropriate standards of creditworthiness. The agencies adopted those new standards in 2012 (see, e.g., the OCC’s final rule). The joint agreement provides examples to demonstrate the appropriate application of the new standards to the classification of securities.
Last week, the Federal Reserve Board, the FDIC, the NCUA, and the OCC released interagency guidance related to the accounting treatment and regulatory credit risk grade or classification of commercial and residential real estate loans that have undergone troubled debt restructurings (TDRs). The guidance clarifies the definition of collateral-dependent loans and states that impaired collateral-dependent loans should be measured for impairment based on the fair value of the collateral rather than the present value of expected future cash flows.
On October 22, the CFPB, the OCC, the FDIC, the Federal Reserve Board, and the NCUA (collectively, the Agencies) issued a joint statement (Interagency Statement) in response to inquiries from creditors concerning their liability under the disparate impact doctrine of the Equal Credit Opportunity Act (ECOA) and its implementing regulation, Regulation B by originating only “qualified mortgages.” Qualified mortgages are defined under the CFPB’s January 2013 Ability-to-Repay/Qualified Mortgage Rule (ATR/QM Rule). The DOJ and HUD did not participate in the Interagency Statement.
The Interagency Statement describes some general principles that will guide the Agencies’ supervisory and enforcement activities with respect to entities within their jurisdiction as the ATR/QM Rule takes effect in January 2014. The Interagency Statement does not state that a creditor’s choice to limit its offerings to qualified mortgage loans or qualified mortgage “safe harbor” loans would comply with ECOA; rather, the Agencies state that they “do not anticipate that a creditor’s decision to offer only qualified mortgages would, absent other factors, elevate a supervised institution’s fair lending risk.” Furthermore, the Interagency Statement will not necessarily preclude civil actions.
The Agencies acknowledge that although there are several ways to satisfy the ATR/QM Rule, some creditors may be inclined to originate all or predominantly qualified mortgages, particularly when the ATR/QM Rule first becomes effective. In selecting business models and product offerings, the Agencies “expect that creditors would consider and balance demonstrable factors that may include credit risk, secondary market opportunities, capital requirements, and liability risk.” The Agencies further understand that creditors may have a “legitimate business need” to fine-tune their product offerings over the next few years in response to the impact of the ATR/QM Rule, just as they have in response to other significant regulatory changes that have occurred in the past.
The Agencies advise creditors to continue to evaluate fair lending risk as they would for other types of product selections, including by carefully monitoring their policies and practices and implementing effective compliance management systems. Nonetheless, the Agencies state that individual cases will be evaluated on their own merits.
The Agencies state that they “believe that the same principles…apply in supervising institutions for compliance with the Fair Housing Act.” However, because neither DOJ nor HUD participated in issuing the Interagency Statement, it remains to be seen how those agencies would view this issue.
It is noteworthy that the standard articulated in the Interagency Statement (“legitimate business needs”) differs from HUD’s disparate impact rule relating to the Fair Housing Act. In its rule, HUD codified a three-step burden-shifting approach to determine liability under a disparate impact claim. Once a practice has been shown by the plaintiff to have a disparate impact on a protected class, the rule states that the defendant would have the burden of showing that the challenged practice “is necessary to achieve one or more substantial, legitimate, nondiscriminatory interests of the respondent…or defendant…A legally sufficient justification must be supported by evidence and may not be hypothetical or speculative.” (Emphasis added.)
Questions regarding the matters discussed in this Alert may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.
- Jeffrey P. Naimon, (202) 349-8030
On October 9, the CFPB (or Bureau) announced it had assessed civil money penalties totaling $459,000 against two financial institutions—one bank and one nonbank—after examinations identified significant data errors in mortgage loans reported pursuant to the Home Mortgage Disclosure Act (HMDA). The Bureau simultaneously issued a HMDA bulletin to all mortgage lenders regarding the elements of an effective HMDA compliance management system, resubmission thresholds, and factors the Bureau may consider when evaluating whether to pursue a public HMDA enforcement action and related civil money penalties.
According to the consent orders (available here and here), both financial institutions maintained inadequate HMDA compliance systems that resulted in the reporting of “severely compromised mortgage lending data.” The nonbank, which reported 21,015 applications in its 2011 HMDA Loan Application Register (LAR), agreed to pay a penalty of $425,000. The consent order notes previous violations identified by the state regulator and states that the Bureau sampled 32 loans and concluded that the sample error rate unreasonably exceeded the Bureau’s resubmission threshold, although the error rate was not disclosed. The investigation of the nonbank was conducted in cooperation with the Massachusetts Division of Banks, which announced its own consent order imposing a $50,000 administrative fine at the same time that the CFPB announced its order. The bank, which reported 5,785 applications in its 2011 HMDA LAR, agreed to pay a penalty of $34,000. The consent order against the bank states that the bank’s sample error rate was 38 percent but does not disclose the size of the sample. Both institutions will be required to correct and resubmit their 2011 HMDA data and develop and implement an effective HMDA compliance management system to prevent future violations. Neither of the orders reveals the specific deficiencies in the institutions’ HMDA compliance programs.
As noted above, the Bureau also issued a bulletin regarding HMDA compliance along with HMDA resubmission guidelines. The bulletin discusses the components of an effective HMDA compliance management system, including: (i) comprehensive policies, procedures, and internal controls; (ii) comprehensive and regular internal, pre-submission HMDA audits; (iii) a process for reviewing regulatory changes; (iv) reporting systems commensurate with lending volume; (v) one or more individuals responsible for oversight, data entry, and data updates, including timely and accurate reporting; (vi) appropriate, sufficient, and periodic employee training on HMDA, Regulation C, and reporting requirements; (vii) a process for effective corrective action in response to deficiencies identified; and (viii) appropriate board and management oversight.
In addition, the bulletin announces the Bureau’s new HMDA Resubmission Schedule and Guidelines, which sets forth thresholds that will apply when determining whether resubmission is required when errors are discovered in a HMDA data integrity examination. The new resubmission schedule creates a two-tier system in which resubmission thresholds are lower for institutions reporting fewer than 100,000 entries on the HMDA LAR. Under the guidance, institutions that report 100,000 or more entries on their LAR should correct and resubmit their entire HMDA LAR if the error rate exceeds four percent of the total sample (or two percent in any individual data field), while institutions with fewer than 100,000 entries on their LAR should correct and resubmit their LAR if the error rate exceeds ten percent in the total sample (or five percent in any individual data field). The guidance states that resubmission for error rates below the applicable thresholds may be called for if “the errors prevent an accurate analysis of the institution’s lending.” Under the Bureau’s current standards, institutions, regardless of size, must resubmit a corrected LAR if any “key fields” have an error rate of five percent, or if at least ten percent of the institution’s records have an error in at least one of the key fields. The new resubmission schedule and guidelines will apply to all HMDA data integrity reviews initiated on or after January 18, 2014.
Finally, the bulletin provides a non-exclusive list of factors the Bureau may consider when evaluating whether to pursue a public HMDA enforcement action, including: (i) size of the institution’s HMDA LAR and observed error rates; (ii) whether errors were self-identified and independently corrected outside of an examination; and (iii) history of previous HMDA errors that exceed the permissible threshold. In addition, the guidance states that the Bureau may seek civil money penalties for HMDA violations depending on such factors as (i) size of financial resources and good faith effort of compliance by the institution; (ii) gravity of the violations or failure to pay; (iii) severity of harm to consumers; (iv) history of previous violations; and (v) such other matters as justice may require.
These recent CFPB announcements reinforce BuckleySandler’s experience to date that the CFPB is stepping up scrutiny of HMDA practices both at banks and nonbanks. These examination and enforcement initiatives dovetail with the CFPB’s other recent HMDA-related activities. The CFPB recently launched new tools to allow the public—including consumer and housing advocates—to leverage HMDA data to attempt to identify lending patterns. The CFPB also has started internally drafting a proposed rule to implement changes to HMDA data collection requirements, as required by the Dodd-Frank Act. Though a final rule is a distant prospect, once finalized the CFPB may require institutions to report, among other things: (i) ages of loan applicants and mortgagors; (ii) the difference between the annual percentage rate associated with the loan and benchmark rates for all loans; (iii) the term of any prepayment penalty; (iv) the term of the loan and of any introductory interest rate for the loan; (v) the origination channel; and (vi) the credit scores of applicants and mortgagors.
All of these developments suggest bank and nonbank mortgage originators should review their HMDA practices and processes to ensure they are reporting data that are accurate or at least within the CFPB’s revised tolerances.
- Jonice Gray Tucker to discuss “How the new administration sets the tone for 2021” at the American Conference Institute Legal, Regulatory and Compliance Forum on Fintech & Emerging Payment Systems
- Sherry-Maria Safchuk to discuss UDAAP at an American Bar Association webinar
- Jeffrey P. Naimon to discuss "What to expect: The new administration and regulatory changes" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Jonice Gray Tucker to discuss “The future of fair lending” at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Steven R. vonBerg to discuss "LO comp challenges" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Michelle L. Rogers to discuss "Major litigation" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Michelle L. Rogers to discuss “The False Claims Act today” at the Federal Bar Association Qui Tam Section Roundtable