InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
HUD issues mortgagee letter extending interim procedures relating to FHA Section 232 approved mortgages
On May 28, the U.S. Department of Housing and Urban Development issued Mortgagee Letter 2020-15 to all FHA Section 232 Approved Mortgagees regarding the extension of interim procedures issued in Mortgagee Letter 20-10 to address site access issues during the Covid-19 pandemic. The guidance provides temporary modifications pertaining to third-party site inspections for Section 232 FHA-insured healthcare facilities with effective dates within 60 days of the issuance of the mortgagee letter. The letter also provides guidance on other aspects relating to Section 232 properties, including regarding Property Capital Needs Assessments, appraisals, Section 232 Phase 1 Environmental Site Assessments, asbestos surveys, and radon testing, among other things.
Texas regulator urges credit access businesses to consider emergency measures, extends reporting deadlines
On May 15, the Texas Office of the Consumer Credit Commissioner revised an advisory bulletin to credit access businesses, extending the deadline to file 2020 first quarter reports until May 31, 2020 (previously covered here). The office also encouraged credit access businesses to work with third-party lenders to provide relief to consumers negatively impacted by the Covid-19 pandemic.
Utah amends consumer lending requirements
On March 24, the Utah governor signed HB 319, which modifies provisions related to consumer lending in the state, including registration, reporting, and operational requirements for deferred deposit lenders. Among other things, the provisions require deferred deposit lenders to provide borrowers at least 30 days’ notice of default before initiating a civil action, allowing a borrower the opportunity to remedy the default. HB 319 also requires deferred deposit lenders seeking to renew a registration to report, for the immediately preceding calendar year, the total number of loans extended, the total dollar amount loaned, the number of borrowers who were extended loans, and the percentage of loans that were not repaid based on the terms of the loan, among other items. HB 319 further allows third party debt collection agencies to charge a “convenience fee” when debtors use a credit or debit card for the transaction of business, provided the convenience fee amount is disclosed prior to being charged and the debtor is given an alternative payment method that does not carry a fee. The amendments take effect 60 days following adjournment of the legislature.
OCC updates FAQs on third-party risk management
On March 5, the OCC released Bulletin 2020-10, which provides answers to frequently asked questions (FAQs) concerning its existing guidance on management of third-party relationships, including relationships with fintech firms and data aggregators. This bulletin, issued to supplement Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” rescinds (but incorporates the substance of) OCC Bulletin 2017-21 (covered by InfoBytes here). Key topics addressed in the new FAQs include:
- clarifying the definition of “third-party relationships” and “business arrangements”;
- outlining expectations for banks that have third-party relationships with cloud computing providers or data aggregators;
- addressing a bank’s reliance on and use of third party-provided reports, certificates of compliance, and independent audits;
- discussing risk management when a third party—such as a less established fintech firm, start-up, or other small business—has limited ability to provide the same level of financial information or other due diligence-related information as a more established third party;
- suggesting approaches for due diligence and ongoing monitoring in instances where the bank has limited negotiating power;
- addressing ways banks can offer products or services to underbanked/underserved populations through fintech third-party relationships;
- discussing considerations for banks when entering into a marketplace lending arrangement with a nonbank entity; and
- outlining measures to address risk management when obtaining alternative data from a third party that may be used by or on behalf of a bank.
The bulletin also reiterates that banks are expected “to practice effective risk management regardless of whether the bank performs an activity internally or through a third party,” and that a “bank’s use of third parties does not diminish the bank’s responsibility to perform the activity in a safe and sound manner and in compliance with applicable laws and regulations.”
Fed governor discusses modernizing payment systems for community banks
On February 27, Federal Reserve (Fed) Governor Michelle W. Bowman spoke before the Banking Outlook Conference held at the Federal Reserve Bank of Atlanta on ways the Fed can increase transparency and modernize payment services for community banks. Bowman stated that the Fed is “uniquely positioned as a provider of payment services and as a supervisor of banks to ensure that our nation’s evolving financial system works for community banks.” Bowman discussed how the Fed can achieve this objective by, among other things, (i) adopting an additional same-day automated clearinghouse (ACH) window, which “will allow banks and their customers, particularly those located outside the eastern time zone, to use same-day ACH services during a greater portion of the business day”; (ii) implementing FedNow, which would, as previously covered by InfoBytes, “facilitate end-to-end faster payment services, increase competition, and ensure equitable and ubiquitous access to banks of all sizes nationwide”; and (iii) encouraging partnerships between community banks and fintech firms to “leverage the latest technology to provide customer-first, community-focused financial services and provide customers with efficiencies, such as easy-to-use online applications or rapid loan decisionmaking.” Bowman highlighted the Fed’s fintech innovation office hours, as well as the Fed’s recently launched fintech innovation webpage (covered by InfoBytes here), and emphasized the Fed’s desire to hear directly from banks and fintech companies on innovation challenges.
With respect to third-party service providers, Bowman proposed several important initiatives for the Fed to help community banks effectively manage their third-party relationships and access innovative new technology. These include providing clear, consistent due diligence guidance on third-party relationships to provide uniform standards that are aligned with guidance issued by the OCC and other banking agencies. Bowman also suggested increasing the transparency of its third-party supervisory program by releasing information that may be useful about key service providers to community banks, and tailoring regulatory burdens for community banks with assets under $1 billion.
FDIC guide encourages fintech/bank partnerships
On February 24, the FDIC’s technology lab, FDiTech, announced the release of a new guide intended to assist fintech companies and other third parties with bank partnerships. Conducting Business with Banks: A Guide for Fintechs and Third Parties identifies several areas for third parties to consider when exploring potential partnerships with banks relevant to navigating regulatory requirements and due diligence processes. These include being able to: (i) “[u]nderstand the framework of laws and regulations” applicable to banks, such as those “related to consumer protection, privacy and data security, . . . the Bank Secrecy Act[,] and federal anti-money laundering laws”; (ii) “[m]aintain a well-managed and financially strong business”; (iii) respond to requests for information from potential partners that demonstrate “product integrity, risk management mitigation, and consumer protection”; and (iv) demonstrate the ability to ensure ongoing compliance with applicable laws and regulations and that appropriate monitoring systems have been implemented. In addition, the guide also outlines special considerations for modelers, and emphasizes that banks will expect to understand a third party’s use of models and algorithms or other automated decision-making systems.
As previously covered by InfoBytes, FDiTech was established in 2019 to encourage innovation within the banking industry, support collaboration for piloting new products and services, eliminate regulatory uncertainty, and manage risks.
Fed governor identifies community banks' fintech challenges
On February 10, Federal Reserve (Fed) Governor Michelle W. Bowman spoke before the Conference for Community Bankers on the interaction between innovation and regulation for community banks. In discussing her “vision for creating pathways to responsible community bank innovation,” Bowman identified particular challenges facing smaller banks when identifying and integrating new technologies and offered suggestions for ways the Fed can assist these banks in managing relationships with third-party service providers. Acknowledging that responsible innovation requires community banks to identify goals and pinpoint products and services to implement their strategies, Bowman recognized that compliance costs can create an outsized and undue burden on smaller banks and stated that federal regulations should be tailored to bank size, risk, and complexity. Among other things, Bowman stated that the Fed could align its third-party service provider guidance with the OCC and other banking agencies to provide uniform standards to banks. “It is incredibly inefficient to have banks and their potential fintech partners and other vendors try to navigate unnecessary differences and inconsistencies in guidance across agencies,” Bowman noted. Regulators and supervisors have a role in easing the burden for community banks, she added, noting that third-party guidance should allow banks to conduct shared due diligence on potential partners and pool resources to avoid duplicating work. In addition, Bowman commented that the Fed could help banks make this choice by publishing a list of service providers subject to regulatory supervision and increasing transparency around “who and what” the Fed evaluates. Bowman further stated that any guidance should also explain what due diligence looks like for potential fintech partners, since standards applied to other third parties may not be universally applicable. Giving community banks a better vision of what success in due diligence looks like, Bowman stated, will require releasing more information on its necessary elements.
Bowman also highlighted the Fed’s upcoming fintech innovation office hours, as well as the Fed’s recently launched fintech website section, (both covered by InfoBytes here), which are designed to help provide access to Fed staff, highlight supervisory observations regarding fintech, provide a hub of information for interested stakeholders on innovation-related matters, and deliver practical tips for banks and other companies interested in engaging in fintech activity.
District Court: Michigan privacy law covers out-of-state residents
On January 16, the U.S. District Court for the Eastern District of Michigan denied a publishing company’s motion to dismiss putative class allegations that it disclosed subscribers’ personal information to third parties, ruling that the subscribers did not need to live in Michigan in order to bring claims under the state’s Personal Privacy Protection Act (PPPA). According to the plaintiff, the company allegedly disclosed magazine subscribers’ personal reading information (PRI) to data aggregators that would then supplement it with additional information (including age, gender, income, and employer names) in order to create detailed customer profiles. The company then allowed “almost any organization to rent a customer list containing numerous categories of detailed customer information,” the plaintiff alleged. The company argued, however, that the plaintiff, who resides in Virginia, lacked standing to bring claims under the PPPA because the law protects only Michigan residents. The company also contended that the plaintiff failed to demonstrate concrete injury suffered as a result of the company’s alleged disclosure of PRI to third parties without consent.
The court disagreed with both arguments, stating that the company’s argument “rests solely on the fact that a non-Michigan resident has never brought suit under the PPPA,” which is “unpersuasive and contravened by the language of the statute and case law.” The PPPA does not impose a residency requirement in order for customers to qualify for protections under the statute, the court stated, noting that “[i]f the Michigan legislature intended to limit the statute to Michigan residents, it could have done so explicitly.” Among other things, the court also concluded that the plaintiff satisfied the injury-in-fact element for Article III standing because “the alleged economic harm caused by the disclosure of PRI provides support to conclude [the plaintiff] suffered a concrete injury.”
OCC highlights key risks affecting the federal banking system in semiannual risk report
On December 9, the OCC released its Semiannual Risk Perspective for Fall 2019, identifying and reiterating key risk areas that pose a threat to the safety and soundness of national banks and federal savings associations, including credit, operational, and interest rate risks. While the OCC commented that “bank financial performance is sound,” it also advised that “[b]anks should prepare for a cyclical change while credit performance is strong,” emphasizing that “[c]redit risk has accumulated in many portfolios.” The OCC also highlighted that competition with nonbank mortgage and commercial lending could pose a risk as well.
Specific areas of concern that the OCC described include: elevation of operational risk as advances in technology and innovation in core banking systems result in a changing and increasingly complex operating environment; increased use of third-party service providers that contribute to continued threats of fraud; need for prudent credit risk management practices that include “identifying borrowers that are most vulnerable to reduced cash flows from slower than anticipated economic growth”; “volatility in market rates [leading] to increasing levels of interest rate risk”; LIBOR’s anticipated cessation and whether banks have started to determine the potential impact of cessation and develop risk management strategies; and strategic risks facing banks as non-depository financial institutions (NDFI) use evolving technology and expand data analysis abilities (the OCC commented that NDFIs “are strong competitors to bank lending models”). The OCC also noted that there is increased interest from banks in sharing utilities with NDFIs to implement Bank Secrecy Act/anti-money laundering compliance programs and sanctions processes and controls.
District Court denies request to enforce modified CID, says CFPB can issue third-party CID
On October 18, the U.S. District Court for the District of Columbia denied defendants’ request to enforce a modified Civil Investigative Demand (CID) and prevent the CFPB from obtaining personal information about the defendants’ clients via CIDs to third parties. In August 2017, the CFPB issued a CID to the defendants requesting various documents and information. The defendants challenged the scope of the original CID and, following mediation, the parties stipulated to a modified CID that no longer sought personal information of the defendants’ clients who obtained products or services related to immigration bonds. The CFPB subsequently issued third party CIDs and requested the personal information of the defendants’ clients from certain other parties. In March 2019, the defendants moved to enforce the modified CID, claiming that the CFPB “reneged on its stipulation and [acted] in bad faith” by seeking this personal information from third parties. The court, however, denied the defendants’ request to enforce the modified CID, ruling that “the modified CID makes no mention of CIDs issued to other parties,” and that the parties’ stipulation did not “preclude the CFPB from acquiring any type of information from third parties.” The court also explained that it was unclear whether the defendants had standing to contest the CFPB’s CID to a third party, noting that the defendants failed to state how they would suffer an injury if the pertinent information was disclosed by a third party.