InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Agencies finalize guidance on managing third parties
On June 6, the OCC, Federal Reserve Board, and FDIC issued interagency guidance to aid banking organizations in managing risks related to third-party relationships, including relationships with financial technology-focused entities. (See also FDIC FIL-29-2023 and Federal Reserve Board memo here.) The joint guidance, final as of June 6, replaces each agency’s existing general guidance on third-party risk management and is directed to all supervised banking organizations. Designed to streamline government guidance on mitigating risks when working with third parties, the final guidance establishes principles for banking organizations to consider when implementing risks management practices. Banking organizations are advised to consider and account for the level of risk, complexity, and size of the institution, as well as the nature of the third-party relationship, when conducting sound risk management.
After considering public comments received on proposed guidance issued in July 2021 (covered by InfoBytes here), the final guidance provides directions and expectations for oversight at all stages in the life cycle of a third-party relationship, including topics relating to planning, due diligence and third-party selection, contract negotiations, ongoing monitoring, and termination. Guidance on conducting independent reviews, maintaining documentation, and reporting is also included. The agencies advised banking organizations, particularly community banks, to review illustrative examples to help align risk management practices with the scope and risk profile of their third-party relationships. Additionally, banking organizations should maintain a complete inventory of their third-party relationships, identify higher-risk and critical activities, periodically conduct reviews to determine whether risks have changed over time, and update risk management practices accordingly, the agencies said.
The final guidance emphasizes that the agencies will review a banking organization’s third-party risk management practices as part of the standard supervisory process. When assessing whether activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations, examiners will, among other things, (i) evaluate a banking organization’s ability to oversee and manage third party relationships; (ii) assess the effects of those relationships on a banking organization’s risk profile and operational performance; (iii) perform transaction testing to evaluate whether activities performed by a third party comply with applicable laws and regulations; (iv) conduct conversations relating to any identified material risks and deficiencies with senior management and board of directors; (v) review how a banking organization remediates any deficiencies; and (vi) consider supervisory findings when rating a banking organization.
The agencies stressed that they may take corrective measures, including enforcement actions, to address identified violations or unsafe or unsound banking practices by the banking organization or its third party. The agencies further announced that they plan to immediately engage with community banks and will develop additional resources in the future to help these organizations manage relevant third-party risks.
OCC’s new enforcement policy targets banks with “persistent weaknesses”
On May 25, the OCC announced revisions to its Policies and Procedures Manual (PPM) for bank enforcement actions. According to OCC Bulletin 2023-16, the recently revised version of PPM 5310-3 replaces and rescinds a version issued in November 2018 (covered by InfoBytes here), and now includes “Appendix C: Actions Against Banks With Persistent Weaknesses” to provide increased transparency and clarity on how the OCC determines whether a bank has persistent weaknesses and how the agency considers what actions may be needed to address these issues. The OCC explained that “persistent weaknesses” may include “composite or management component ratings that are 3 or worse, or three or more weak or insufficient quality of risk management assessments, for more than three years; failure by the bank to adopt, implement, and adhere to all the corrective actions required by a formal enforcement action in a timely manner; or multiple enforcement actions against the bank executed or outstanding during a three-year period.”
Possible actions taken against a bank that exhibits persistent weaknesses may include additional requirements and restrictions, such as requirements that a bank improve “composite or component ratings or quality of risk management assessments,” as well as restrictions on the bank’s growth, business activities, or payments of dividends. A bank may also be required “to take affirmative actions, including making or increasing investments targeted to aspects of its operations or acquiring or holding additional capital or liquidity.”
“Should a bank fail to correct its persistent weaknesses in response to prior enforcement actions or other measures . . . the OCC will consider further action to require the bank to remediate the weaknesses,” the agency said. “Such action could require the bank to simplify or reduce its operations, including that the bank reduce its asset size, divest subsidiaries or business lines, or exit from one or more markets of operation.” PPM 5310-3 also incorporates additional clarifications and updates legal and regulatory citations.
The same day, the OCC issued updates to its “Liquidity” booklet of the Comptroller’s Handbook used by examiners when assessing the quantity of a bank’s liquidity risk and the quality of its liquidity risk management. The booklet replaces an August 2021 version and reflects changes in regulations, makes clarifying edits, and addresses OCC issuances published since the last update.
FSOC seeks feedback on risk framework, nonbank determinations
On April 21, the Financial Stability Oversight Council (FSOC) released a proposed analytic framework for financial stability risks, “intended to provide greater transparency to the public about how [FSOC] identifies, assesses, and addresses potential risks to financial stability, regardless of whether the risk stems from activities or firms.” FSOC explained in a fact sheet that the proposed framework would not impose any obligations on any entity, but is instead designed to provide guidance on how FSOC expects to perform certain duties. This includes: (i) identifying potential risks covering a broad range of asset classes, institutions, and activities, including new and evolving financial products and practices as well as developments affecting financial resiliency such as cybersecurity and climate-related financial risks; (ii) assessing certain vulnerabilities that most commonly contribute to financial stability risk and considering how adverse effects stemming from these risks could be transmitted to financial markets/market participants, including what impact this can have on the financial system; and (iii) responding to potential risks to U.S. financial stability, which may involve interagency coordination and information sharing, recommendations to financial regulators or Congress, nonbank financial company determinations, and designations relating to financial market utility/payment, clearing, and settlement activities that are, or are likely to become, systemically important.
The same day, FSOC also released for public comment proposed interpretive guidance relating to procedures for designating systemically important nonbank financial companies for Federal Reserve supervision and enhanced prudential standards. (See also FSOC fact sheet here.) The guidance would revise and update previous guidance from 2019, and “is intended to enhance [FSOC’s] ability to address risks to financial stability, provide transparency to the public, and ensure a rigorous and clear designation process.” FSOC explained that the proposed guidance would include a two-stage evaluation and analysis process for making a designation, during which time companies under review would engage in significant communication with FSOC and be provided an opportunity to request a hearing, among other things. Designated companies will be subject to annual reevaluations and may have their designations rescinded should FSOC determine that the company no longer meets the statutory standards for designation.
Comments on both proposals are due 60 days after publication in the Federal Register.
Both CFPB Director Rohit Chopra and OCC acting Comptroller Michael J. Hsu issued statements supporting the issuance of the proposed interpretive guidance. Chopra commented that, if finalized, the proposed guidance “will create a clear path for the FSOC to identify and designate systemically important nonbank financial institutions” and “will accelerate efforts to identify potential shadow banks to be candidates for designation.” Hsu also noted that sharing additional details to improve the balance and transparency of FSOC’s work “would both make it easier for [FSOC] to explain its analysis of potential risks and create an opportunity for richer public input on the analysis.”
NYDFS to impose supervision fees on virtual currency licensees
On April 17, NYDFS announced the adoption of a final regulation establishing how certain licensed virtual currency businesses will be assessed for supervision and examination costs. Under 23 NYCRR Part 102, licensed virtual currency companies holding a Bitlicense will be assessed for their supervisory costs, similar to other licensees regulated by the Department. Last year, NYDFS first proposed a provision in the state budget authorizing the Department to collect supervisory costs from virtual currency businesses licensed pursuant to the Financial Services Law in order to add talent to its virtual currency regulatory team. (Covered by InfoBytes here.) NYDFS explained that the regulation will only apply to licensed virtual currency businesses and that the fees will only cover the costs and expenses associated with the Department’s oversight of a licensee’s virtual currency business activities. A licensee’s total annual assessment fee will be the sum of its supervisory component and its regulatory component, as defined in the regulation, and will be billed five times per fiscal year, once per quarter and a final true-up at the end of the fiscal year. The background to the final regulation notes that to the extent that a person holds multiple licenses to engage in virtual currency business activities, or concurrently acts as a money transmitter, such person will be billed separately for each license, adding that “[p]ersons who engage in virtual currency business activities as a limited purpose trust company or a banking organization will continue to be assessed under 23 NYCRR Part 101.” The final regulation takes effect upon publication of the Notice of Adoption in the New York State Register.
Treasury recommends stronger DeFi supervision
On April 6, the U.S. Treasury Department published a report on illicit finance risks in the decentralized finance (DeFi) sector, building upon Treasury’s other risk assessments, and continuing the work outlined in Executive Order 14067, Ensuring Responsible Development of Digital Assets (covered by InfoBytes here).
Written by Treasury’s Office of Terrorist Financing and Financial Crimes, in consultation with numerous federal agencies, the Illicit Finance Risk Assessment of Decentralized Finance is the first report of its kind in the world. The report explained that, while there is no generally accepted definition of DeFi, the term has broadly referred to virtual asset protocols and services that allow for automated peer-to-peer transactions through the use of blockchain technology. Used by a host of illicit actors to transfer and launder funds, the report found that “the most significant current illicit finance risk in this domain is from DeFi services that are not compliant with existing AML/CFT [anti-money laundering and countering the financing of terrorism] obligations.” These obligations include establishing effective AML programs, assessing illicit finance risks, and reporting suspicious activity, the report said.
The report made several recommendations for strengthening AML/CFT supervision and regulation of DeFi services, such as “closing any identified gaps in the [Bank Secrecy Act (BSA)] to the extent that they allow certain DeFi services to fall outside the scope of the BSA’s definition of financial institutions.” The report also recommended, “when relevant,” the “enforcement of virtual asset activities, including DeFi services, to increase compliance by virtual asset firms with BSA obligations,” and suggested continued research and engagement with the private sector on this subject.
In addition, the report pointed to a lack of implementation of international AML/CFT standards by foreign countries, “which enables illicit actors to use DeFi services with impunity in jurisdictions that lack AML/CFT requirements,” and commented that “poor cybersecurity practices by DeFi services, which enable theft and fraud of consumer assets, also present risks for national security, consumers, and the virtual asset industry.” To address these concerns, the report recommended “stepping up engagements with foreign partners to push for stronger implementation of international AML/CFT standards and advocating for improved cybersecurity practices by virtual asset firms to mitigate these vulnerabilities.” The report seeks input from the public sector to inform next steps.
FDIC issues 2023 Consumer Compliance Supervisory Highlights
On April 5, the FDIC released the March 2023 edition of the Consumer Compliance Supervisory Highlights, which is intended to “enhance transparency regarding the FDIC’s consumer compliance supervisory activities and to provide a high-level overview of consumer compliance issues identified in 2022 through the FDIC’s supervision of state non-member banks and thrifts.” In 2022, the FDIC conducted approximately 1,000 consumer compliance examinations and noted that “[o]verall, supervised institutions demonstrated effective management of their consumer compliance responsibilities.” The agency also initiated 21 formal enforcement actions and 10 informal enforcement actions addressing consumer compliance examination observations and issued civil money penalties totaling $1.3 million against institutions to address violations of the Flood Disaster Protection Act (FDPA), RESPA Section 8, FCRA, and Section 5 of the FTC Act, with an additional $13.6 million in voluntary restitutions to consumers. Additionally, the FDIC referred 12 fair lending matters to the DOJ in 2022. Covered topics include:
- An overview of the most frequently cited violations, with approximately 73 percent of total violations involving TILA, Reg Z, Section 5 of the FTC Act, the FDPA, EFTA, and the Truth in Savings Act, with violations of Section 5 of the FTC (which prohibits unfair or deceptive acts or practices) moving up as a top-five violation.
- An overview of issues found during examinations involving institutions that purchased “trigger leads” but did not provide consumers with a firm offer of credit. Among other things, examiners identified occurrences where representatives failed to comply with FCRA disclosure requirements during sales calls by not communicating, among other things, that an offer of credit was being made.
- Findings where institutions “unilaterally applied excess interest to the servicemember’s principal loan balance without giving the servicemember an option of how to receive the funds”—a violation of the SCRA’s anti-acceleration provision.
- Information on regulatory developments, including recent FDIC actions and efforts to (i) address appraisal bias; (ii) modernize the Community Reinvestment Act; (iii) remind creditors that they may establish special purpose credit programs under ECOA to meet the credit needs of certain classes of persons; (iv) implement a supervisory approach, consistent with the CFPB’s approach, for FDIC-supervised institutions with respect to reporting HMDA data; (v) provide revised information on flood insurance compliance responsibilities; (vi) address occurrences where persons misuse the FDIC’s name or logo, or make false or misleading representations about deposit insurance; (vii) assess crypto-asset-related activities; (viii) adopt revised guidelines for appeals of material supervisory determinations; and (ix) address compliance risks associated with multiple re-presentment of NSF fees.
- A summary of consumer compliance resources available to financial institutions.
- An overview of consumer complaint trends.
Hsu says OCC focused on fairness in banking
On March 30, acting Comptroller of the Currency Michael J. Hsu commented that the safety and soundness of the federal banking system continues to be a top agency priority, as is improving fairness in banking. Speaking at a conference, Hsu discussed several measures taken by the OCC to elevate and advance fairness, particularly for the underserved and financially vulnerable. Explaining that OCC examiners are encouraging bank management to review existing overdraft protection programs and consider adopting pro-consumer reforms, Hsu referred to CFPB guidance issued last October to address unfair, deceptive, and abusive practices associated with “so-called ‘surprise overdraft’ fees.” (Covered by InfoBytes here.) He also commented that both the Federal Reserve Board and the FDIC have cited the risk of violating UDAP in connection with the certain overdraft practices. Hsu noted that not all overdraft practices are equal, stating that “authorize positive, settle negative” and “representment” fees both present heightened risks.
Recognizing the recent decline in banks’ reliance on overdraft fees, Hsu emphasized that most bankers he has spoken to “understand the importance of treating their customers fairly and have been open to learning about best practices.” He noted that “[t]hese bankers are committed to being there for their customers and providing them with short-term, small dollar liquidity when it is needed most. Many customers tell their banks, as well as groups that have studied overdraft practices, that this banking service helps them meet payments when they come due.” Hsu added that the OCC’s intended goal is to “improve the fairness of these programs by making them more pro-consumer, not to eliminate them,” and that “[m]ore fairness means more financially healthy communities, which means more trust in banking.” Hsu also discussed efforts taken by the OCC to combat discriminatory lending practices, including working to enhance supervisory methods for identifying appraisal discrimination.
OCC establishes Office of Financial Technology
On March 30, the OCC announced the establishment of the Office of Financial Technology, and selected Prashant Bhardwaj to lead the office as Deputy Comptroller and Chief Financial Technology Officer beginning April 10. As previously covered by InfoBytes, last October the OCC said the new office will build on and incorporate the agency’s Office of Innovation (established in 2016 and covered by InfoBytes here), and will strengthen the OCC’s expertise and ability to adapt to a rapidly evolving banking landscape. The Office of Financial Technology will “enhance the OCC’s expertise on matters regarding digital assets, fintech partnerships, and other changing technologies and business models within and that affect OCC-supervised banks,” the OCC said in its announcement, noting that Bhardwaj will lead a team responsible for analyzing, evaluating, and discussing relevant fintech trends, emerging and potential risks, and the potential implications for OCC supervision.
CFPB scrutinizes discharged private student loan billing and collection practices
On March 16, the CFPB released a compliance bulletin discussing student loan servicers’ practice of collecting on private student loans discharged in bankruptcy. The bulletin also notified regulated entities on how the Bureau intends to exercise its enforcement and supervisory authorities on this issue. Bulletin 2023-01: Unfair Billing and Collection Practices After Bankruptcy Discharges of Certain Student Loan Debts addressed the treatment of certain private student loans following bankruptcy discharge. The Bureau explained that in order to secure a discharge of a qualified education loan in bankruptcy, a borrower must demonstrate that the loan would impose an undue hardship if not discharged. Loans that do not meet this qualification (“non-qualified student loans”) can be discharged under standard bankruptcy discharge orders, the Bureau said.
Bureau examiners found, however, that several servicers failed to determine whether a borrower’s loan was qualified or non-qualified. As a result, non-qualified student loans were returned to repayment after a bankruptcy concluded, wherein servicers continued to bill and collect payments on the loans even through the borrower was released from this debt through the bankruptcy discharge. According to the Bureau, many borrowers, when faced with collection activities in violation of a bankruptcy court order, continued to make payments on debts they no longer owed.
The Bureau explained that servicers who collected on student loans that were discharged by a bankruptcy court violate the prohibition on unfair, deceptive, or abusive acts or practices under the Consumer Financial Protection Act. The bulletin described unfair practices observed by examiners, such as servicers relying entirely on loan holders to distinguish among the loans and not ensuring that such holders had in fact done so. The bulletin also provided examples of student loans that are eligible for standard bankruptcy discharge, including loans made to students attending schools that are ineligible for federal student aid and loans made to students attending school less than half time. Bureau examiners instructed servicers to immediately stop collecting on discharged loans and take remedial action, including conducting a multi-year lookback and issuing refunds to affected borrowers.
CFPB report looks at junk fees; official says they remain agency focus
On March 8, the CFPB released a special edition of its Supervisory Highlights focusing on junk fees uncovered in deposit accounts and the auto, mortgage, student, and payday loan servicing markets. The findings in the report cover examinations completed between July 1, 2022 and February 1, 2023. Highlights of the supervisory findings include:
- Deposit accounts. Examiners found occurrences where depository institutions charged unanticipated overdraft fees where, according to the Bureau, consumers could not reasonably avoid these fees, “irrespective of account-opening disclosures.” Examiners also found that while some institutions unfairly assessed multiple non-sufficient (NSF) fees for a single item, institutions have agreed to refund consumers appropriately, with many planning to stop charging NSF fees entirely.
- Auto loan servicing. Recently examiners identified illegal servicing practices centered around the charging of unfair and abusive payment fees, including out-of-bounds and fake late fees, inflated estimated repossession fees, and pay-to-pay payment fees, and kickback payments. Among other things, examiners found that some auto loan servicers charged “payment processing fees that far exceeded the servicers’ costs for processing payments” after a borrower was locked into a relationship with a servicer selected by the dealer. Third-party payment processors collected the inflated fees, the Bureau said, and servicers then profited through kickbacks.
- Mortgage loan servicing. Examiners identified occurrences where mortgage servicers overcharged late fees, as well as repeated fees for unnecessary property inspections. The Bureau claimed that some servicers also included monthly private mortgage insurance premiums in homeowners’ monthly statements, and failed to waive fees or other changes for homeowners entering into certain types of loss mitigation options.
- Payday and title lending. Examiners found that lenders, in connection with payday, installment, title, and line-of-credit loans, would split and re-present missed payments without authorization, thus causing consumers to incur multiple overdraft fees and loss of funds. Some short-term, high-cost payday and title loan lenders also charged borrowers repossession-related fees and property retrieval fees that were not authorized in a borrower’s title loan contract. The Bureau noted that in some instances, lenders failed to timely stop repossessions and charged fees and forced consumers to refinance their debts despite prior payment arrangements.
- Student loan servicing. Examiners found that servicers sometimes charged borrowers late fees and interest despite payments being made on time. According to the Bureau, if a servicer’s policy did not allow loan payments to be made by credit card and a customer representative accidentally accepted a credit card payment, the servicer, in certain instances, would manually reverse the payment, not provide the borrower another opportunity for paying, and charge late fees and additional interest.
CFPB Deputy Director Zixta Martinez recently spoke at the Consumer Law Scholars Conference, where she focused on the Bureau’s goal of reigning in junk fees. She highlighted guidance issued by the Bureau last October concerning banks’ overdraft fee practices, (covered by InfoBytes here), and commented that, in addition to enforcement actions taken against two banks related to their overdraft practices, the Bureau intends to continue to monitor how overdrafts are used and enforce against certain practices. The Bureau noted that currently 20 of the largest banks in the country no longer charge surprise overdraft fees. Martinez also discussed a notice of proposed rulemaking issued last month related to credit card late fees (covered by InfoBytes here), in which the Bureau is proposing to adjust the safe harbor dollar amount for late fees to $8 for any missed payment—issuers are currently able to charge late fees of up to $41—and eliminate a higher safe harbor dollar amount for late fees for subsequent violations of the same type. Martinez further described supervision and enforcement efforts to identify junk fee practices and commented that the Bureau will continue to target egregious and unlawful activities or practices.