
InfoBytes Blog

Financial Services Law Insights and Observations

  • CFPB’s Summer Edition of Supervisory Highlights Discloses Findings Across Many Financial Services Areas

    Consumer Finance

    On September 12, the CFPB released its summer 2017 Supervisory Highlights, which outlines its supervisory and oversight actions in areas such as auto loan servicing, credit card account management, debt collection, deposit account supervision, mortgage origination and servicing, remittances, service provider programs, short-term small-dollar lending, and fair lending. According to the Supervisory Highlights, recent supervisory resolutions have “resulted in total restitution payments of approximately $14 million to more than 104,000 consumers during the review period” between January 2017 and June 2017.

    As examples, in the area of auto loan servicing, examiners discovered vehicles were being repossessed even though the repossession should have been cancelled. Coding errors, document mishandling, and failure to timely cancel the repossession order were cited as causes. Regarding fair lending examination findings, the CFPB discovered, in general, “deficiencies in oversight by board and senior management, monitoring and corrective action processes, compliance audits, and oversight of third-party service providers.” Examiners also conducted ECOA Baseline Reviews on mortgage servicers and discovered weaknesses in servicers’ fair lending compliance management systems. Findings in other areas include the following:

    • consumers were provided inaccurate information about when bank checking account service fees would be waived, and banks misrepresented overdraft protection;
    • debt collectors engaged in improper debt collection practices related to short-term, small-dollar loans, including attempts to collect debts owed by a different person or contacting third parties about consumers’ debts;
    • companies overcharged mortgage closing fees or wrongly charged application fees that are prohibited by the Bureau’s Know Before You Owe mortgage disclosure rules; and
    • borrowers were denied the opportunity to take full advantage of the mortgage loss mitigation options, and mortgage servicers failed to “exercise reasonable diligence in collecting information needed to complete the borrower’s application.”

    The Bureau also set forth new examination procedures for HMDA data collection and reporting requirements as well as student loan servicers, in addition to providing guidance for covered persons and service providers regarding pay-by-phone fee assessments.

    Consumer Finance CFPB Enforcement Auto Finance Credit Cards Debt Collection Fair Lending ECOA Compliance Mortgage Origination Mortgage Servicing HMDA Student Lending Loss Mitigation

  • NYDFS Issues Reminder on Cybersecurity Regulation Compliance Effective August 28

    State Issues

    On August 28, the New York Department of Financial Services (NYDFS) issued an announcement reminding all NYDFS-regulated banks, insurance companies, and other financial services institutions that they must now begin complying with the state’s “first-in-nation cybersecurity regulation.” As previously covered in InfoBytes, the regulation took effect March 1, 2017, but August 28 was the first compliance date. Covered entities are now required to implement the following: (i) a cybersecurity program designed to protect consumers’ private data; (ii) board/senior officer-approved written policy or policies; (iii) a designated Chief Information Security Officer to help protect an entity’s data and systems; and (iv) “controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.” Furthermore, covered entities must begin reporting cybersecurity events through NYDFS’ online cybersecurity portal. (See previous InfoBytes coverage here.) Notices of exemption may be filed within “30 days of the determination that the covered entity is exempt,” and covered entities must file a certificate of compliance confirming compliance for the previous calendar year no later than February 15, 2018. NYDFS also released a series of frequently asked questions to provide assistance to institutions when complying with the regulation’s requirements.

    State Issues Privacy/Cyber Risk & Data Security NYDFS Compliance Bank Regulatory 23 NYCRR Part 500

  • OCC Announces Recent Enforcement Actions and Terminations

    Federal Issues

    On August 18, the OCC released a list of new enforcement actions taken against national banks, federal savings associations, and institution-affiliated parties as well as a list of existing enforcement actions that were terminated recently. The actions include cease and desist orders, civil money penalties, removal/prohibition orders and restitution orders.

    Cease and Desist Order. On July 18, the OCC issued a consent order against a Florida-based bank for deficiencies related to its Bank Secrecy Act (BSA) rules and regulations. The consent order, among other things, requires the bank to: (i) appoint a compliance committee responsible for ensuring the bank adheres to the order; (ii) appoint a BSA officer who will “ensure compliance with the requirements of the [BSA] . . . and regulations of the Office of Foreign Assets Control (OFAC)”; (iii) acquire an independent third-party consultant to conduct a formal written assessment of the bank’s BSA oversight infrastructure to determine BSA/Anti-Money Laundering (AML) compliance; (iv) review and update a comprehensive BSA/AML compliance action plan and monitoring system, including implementing processes to timely identify and analyze suspicious activity and file suspicious activity reports (SARs); (v) create a comprehensive training program for “appropriate operational and supervisory personnel to ensure their awareness of their specific assigned responsibilities for compliance with” the BSA; (vi) develop policies and procedures related to the collection of customer due diligence and enhanced due diligence; (vii) monitor accounts for “high-risk customers/transactions”; (viii) implement an independent BSA/AML audit program and written risk assessment program; and (ix) conduct a “Look-Back” plan to determine whether suspicious activity was timely identified and reported by the bank and whether additional SARs should be filed for unreported suspicious activity. The bank, while agreeing to the terms of the consent order, has not admitted or denied any wrongdoing.

    Federal Issues OCC Enforcement Bank Secrecy Act Anti-Money Laundering Compliance SARs

  • OCC Updates Bank Accounting Guidance

    Agency Rule-Making & Guidance

    On August 15, the Office of the Comptroller of the Currency (OCC) released the annual update to its long-running Bank Accounting Advisory Series (BAAS). Intended to “promote[] consistent application of accounting standards among OCC-supervised banks and federal savings associations,” the BAAS “represents the OCC’s Office of the Chief Accountant’s interpretations of generally accepted accounting principles and regulatory guidance.” The 2017 edition of the BAAS updates guidance on a range of accounting standards issued by the Financial Accounting Standards Board (FASB), and “includes recent answers to frequently asked questions from the industry and examiners.” Several FAQs are updated or deleted, and new FAQs cover the following topics: investments in debt and equity securities; lessee classification and accounting; and transfers of financial assets and servicing.

    This edition of the BAAS also introduces a new approach to recently issued accounting standards. Previous editions covered new accounting standards only after they became effective. But since many FASB Accounting Standard Updates (ASUs) now have different effective dates for public business entities (PBEs) and private companies, this edition also covers ASUs issued through March 31, 2017 that (i) “while not yet effective for all institutions, must be adopted by PBEs beginning in 2018 and may be adopted early by other institutions”; or (ii) “are not yet effective for any institutions but early adoption is allowed.” Accordingly, lavender text boxes include alternative content for both PBEs and early adopters, and gold text boxes include alternative content for early adopters only.

    Agency Rule-Making & Guidance OCC Compliance Banking

  • Oregon Governor Enacts Law Regarding Compliance Requirements for Debt Collection Licensees

    State Issues

    On August 2, Oregon Governor Kate Brown signed into law House Bill 2356 (HB 2356), which establishes provisions relating to debt collection practices in the state. Among other things, the law (i) details the practices a debt buyer, or debt collector acting on behalf of a debt buyer, is required to follow to legally collect debt; (ii) specifies the type of notice and documents that a debt buyer must provide to a debtor; (iii) requires persons engaged in debt buying to obtain or renew their licenses through the Department of Consumer and Business Services; and (iv) specifies duties of licensees, outlines prohibited conduct, and identifies unlawful collection practices. The law takes effect January 1, 2018.

    State Issues State Legislation Debt Collection Debt Buyer Compliance

  • FINRA to Host AML Seminars

    Agency Rule-Making & Guidance

    On August 2, the Financial Industry Regulatory Authority (FINRA) announced that it will host a series of anti-money laundering (AML) seminars for compliance professionals, led by managers of the FINRA AML Unit. The seminars on October 19 (Dallas, Texas), November 7 (Boca Raton, Florida), and November 13 (New York, NY) will discuss money laundering fundamentals and typologies, applicable rules and regulations, and guidelines for monitoring for suspicious activity.

    Agency Rule-Making & Guidance FINRA Compliance Anti-Money Laundering

  • NYDFS Launches New Cybersecurity Portal, Sets Compliance Deadlines

    Privacy, Cyber Risk & Data Security

    On July 31, the New York Department of Financial Services (NYDFS) announced the launch of an online cybersecurity portal for businesses to securely report cybersecurity events as required by the state’s cybersecurity regulation that took effect March 1. (See previous InfoBytes summary here.) The regulation, Cybersecurity Requirements for Financial Services Companies, requires all banks, insurance companies, and other financial services institutions regulated by NYDFS to establish and maintain cybersecurity programs to safeguard consumers’ private data. The cyber portal is designed to facilitate easy reporting of cybersecurity events and will allow regulated entities to file compliance certifications. Starting August 28, 2017, all entities required to comply with NYDFS cybersecurity regulations “must file certain notifications to the [Financial Services] Superintendent including notices of certain cybersecurity events within 72 hours from a determination that a reportable event has occurred.” A cybersecurity event is reportable if it: (i) “impacts the covered entity and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body”; or (ii) “has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity.” Additionally, covered entities are required to file a certificate of compliance confirming compliance for the previous calendar year no later than February 15, 2018.

    Privacy/Cyber Risk & Data Security NYDFS State Issues Bank Regulatory Compliance 23 NYCRR Part 500

  • FTC Approves Modifications to COPPA Safe Harbor Program

    Privacy, Cyber Risk & Data Security

    On July 31, the FTC announced it has approved TRUSTe’s proposed modifications to its Children’s Online Privacy Protection Rule (COPPA) safe harbor program. As previously covered in InfoBytes, COPPA regulates what websites and online services are required to do to ensure the protection of children’s privacy and safety online. The safe harbor program allows the FTC to review and approve “self-regulatory guidelines” submitted by industry groups that implement “the same or greater protections for children” as those contained in the COPPA Rule, and subjects approved groups to safe harbor review and disciplinary procedures instead of formal enforcement action. Among the approved modifications is a change which requires all participants to conduct a comprehensive annual internal assessment of any third-party or service provider that collects personal information from children on their websites or through online services.

    Privacy/Cyber Risk & Data Security Agency Rule-Making & Guidance FTC Compliance Vendor Management

  • Regulators Coordinate Review of Volcker Rule Application to Foreign Funds

    Securities

    On July 21, five U.S. financial regulators announced that they would not take action against foreign banks for qualifying foreign excluded funds, subject to certain conditions, under the Volcker Rule for a period of one year as they review the treatment of these types of funds under current implementing regulations. The regulators, which include the Federal Reserve Board, FDIC, OCC, SEC, and Commodity Futures Trading Commission, issued a joint statement to address concerns raised as to whether certain foreign excluded funds may fall within the definition of “banking entity” under the Bank Holding Company Act and therefore be subject to the Volcker Rule.

    “A number of foreign banking entities, foreign government officials, and other market participants have expressed concern about the possible unintended consequences and extraterritorial impact of the Volcker Rule and implementing regulations for certain foreign funds,” according to the joint statement. The regulators noted that the review will allow time to consider the appropriate course of action to address these concerns, including whether congressional action may be necessary.

    In addition, the regulators stressed that the joint statement “does not otherwise modify the rules implementing section 619 [of the Dodd-Frank Act] and is limited to certain foreign excluded funds that may be subject to the Volcker Rule and implementing regulations due to their relationships with or investments by foreign banking entities.”

    Securities Prudential Regulators Compliance Bank Compliance Banking Volcker Rule Federal Reserve FDIC OCC SEC CFTC

  • Connecticut Governor Enacts Law Regarding Compliance Requirements for Mortgage Licensees

    State Issues

    On July 11, Connecticut Governor Dannel Malloy signed into law Public Act No. 17-233 (H.B. 7141), which makes various revisions to the state’s banking laws. Among other things, the law (i) applies certain mortgage servicers’ and student loan servicers’ prohibited acts to other licensees; (ii) requires non-depository licensees to maintain and enforce compliance policies and procedures; (iii) allows the banking commissioner to require the use of electronic bonds for licensed or registered individuals to participate in the Nationwide Mortgage Licensing System; (iv) reduces pre-licensing education requirements for mortgage loan originators, loan processors, and underwriters; and (v) sets limits for money transmitters regarding virtual currency transactions and timeframes for transmitting money. The law takes effect October 1, 2017, with provisions relating to compliance policies and procedures taking effect July 1, 2018, and pre-licensing education requirements taking effect January 1, 2019.

    State Issues State Legislation Mortgages Mortgage Origination Compliance
