Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On June 13, the FDIC released a new publication, Consumer Compliance Supervisory Highlights, intended to provide information and observations related to the FDIC’s consumer compliance supervision activities in 2018. Specifically, the report covers approximately 1,200 consumer compliance examinations conducted by the FDIC in 2018. Overall, the FDIC noted that, “supervised institutions demonstrated strong and effective management of consumer compliance responsibilities.” The report identifies some of the most salient compliance issues identified by the FDIC during 2018, including (i) overdraft programs, which were found to be potentially unfair or deceptive when an institution used an “available balance method,” sometimes resulting in more overdraft fees than were appropriate because the institution assessed a fee when the transaction did not overdraw the account; (ii) RESPA anti-kickback violations, which concerned payments “disguised as above-market payments for lead generation, marketing services, and office space or desk rentals” or as marketing and advertising agreements; and (iii) Regulation E, where certain institutions were found to have incorrectly calculated consumer liability for unauthorized transfers, failed to resolve errors properly, or discouraged consumers from filing error resolution requests. The report also covers issues with skip-a-payment loan programs and the calculation of finance charges and disclosures related to lines of credit.
On June 3, the Federal Reserve Board issued supervisory letter SR 19-9 to provide guidance on its enhanced process for determining the scope of safety-and-soundness examinations of community and regional state member banks (SMB). Under the “Bank Exams Tailored to Risk” (BETR) process, the Fed intends to “gauge the risk of a bank’s various activities [and] facilitate a more data-driven approach to the risk tailoring of supervisory work.” A SMB’s level of risk within individual risk dimensions—such as credit, liquidity, and operational risk—will be derived from a combination of surveillance metrics and examiner judgment.
Among other things, BETR’s objectives are to (i) apply appropriately streamlined examination work programs to identified low-risk activities, in order to conserve supervisory staff resources and minimize regulatory burden; (ii) direct enhanced supervisory resources and attention to identified high-risk activities; and (iii) implement average intensity examination work programs to moderate-risk activities. Examiners are to tailor examination procedures to the size, complexity, and risk profile of an SMB, with examiners focusing on “developing an appropriate assessment of bank management’s ability to identify, measure, monitor, and control risk.”
On April 22, the Oklahoma governor signed HB 1387 to permit the state’s Administrator of Consumer Credit to enter into certain cooperative, coordinating, information-sharing agreements with other agencies in place of conducting a separate examination or investigation. According to the Act, the information-sharing agreements apply to any agency that has “supervisory or regulatory responsibility over any entity that has been or may be licensed by the Department of Consumer Credit or any organization affiliated with or representing one or more” such agency, as well as the Oklahoma State Banking Department. The Act is effective November 1.
On April 24, the OCC published a notice of proposed rulemaking (NPRM) and request for comment on a proposal to clarify and to streamline its other real estate owned (OREO) regulations for supervised national banks and to apply the same regulatory framework to federal savings associations. Specifically, the OCC seeks public comment on questions relating to its proposals regarding OREO holding periods, OREO disposition, and permissible OREO expenditures. The NPRM also addresses OREO appraisal requirements. Finally, the NPRM proposes technical amendments to remove certain outdated capital rules for national banks and federal savings associations, including provisions relating to treatment of OREO held by Federal savings associations that are no longer in effect. According to the OCC, this proposal would be the first significant revision to OREO regulations in more than 20 years. Comments on the NPRM are due by June 24.
On April 17, Kathy Kraninger, Director of the CFPB, spoke before the Bipartisan Policy Center where she reiterated the Bureau’s focus on prevention of harm and announced a symposium that will explore the meaning of “abusive acts or practices” under Section 1031 of the Dodd-Frank Act. In her remarks, Kraninger touched on the four “tools” the Bureau has at its disposal to execute its mission: education, rulemaking, supervision, and enforcement.
- Education. The Bureau wants to help consumers protect their own interests and choose the right products and service to help themselves. Specifically, the Bureau is focusing on ensuring that American consumers learn to save to be able to absorb a financial shock.
- Rulemaking. The Bureau will comply with Congressional mandates to promulgate rules or address specific issues through rulemaking, but when the Bureau has discretion, it will focus on “preventing consumer harm by maximizing informed consumer choice, and prohibiting acts or practices which undermine the ability of consumers to choose the products and services that are best for them.” In the coming weeks, the Bureau will release its proposed rules to implement the FDCPA, which will include (i) bright line limits on the number of calls consumers can receive from debt collectors on a weekly basis; (ii) clarity on how collectors may communicate through new technology such as, email and text messages; and (iii) requiring more information at the outset of collection to help consumers better identify debts and understand payment and dispute options. Kraninger stated, “the CFPB must acknowledge that the costs imposed on regulated entities absolutely affect access to, and the availability of, credit to consumers.”
- Supervision. This tool is the “heart of the agency,” according to Kraninger, as it helps to prevent violations of laws and regulations from happening in the first place. The Bureau will keep in mind that it is not the only regulator examining most entities and will focus on coordination and collaboration with the other regulators so as not to impose unmanageable burdens in examinations.
- Enforcement. The Bureau will continue to enforce against bad actors that do not comply with the law, as enforcement is “an essential tool that Congress gave the Bureau.” The Bureau will have a “purposeful enforcement regime” to foster compliance and help prevent consumer wrongs. Kraninger is “committed to ensuring that enforcement investigations proceed carefully and purposefully to ensure a fair and thorough evaluation of the facts and law… [and ensuring they] move as expeditiously as possible to resolve enforcement matters, whether through public action or a determination that a particular investigation should be closed.”
Kraninger also touched on how the Bureau plans to measure success going forward. Kraninger noted that in the past, the Bureau touted its outgoing statistics as a measurement, such as amount of consumer redress and number of complaints handled. However, according to Kraninger, if the Bureau succeeds in fostering a goal of prevention of harm, certain outputs like meritorious complaints would actually be lower. Therefore, the Bureau’s success should be based on how it uses all of its tools. Lastly, Kraninger announced a symposia series that would convene to discuss consumer protections in “today’s dynamic financial services marketplace.” The first will explore the meaning of “abusive acts or practices” under Section 1031 of the Dodd-Frank Act, specifically, to address issues with the “reasonableness” standard. There are no additional details on the date for the symposium but Kraninger noted that this would be the next step in exploring future rulemaking on the issue. The series will also have future events discussing behavioral law and economics, small business loan data collection, disparate impact and the Equal Credit Opportunity Act, cost-benefit analysis, and consumer authorized financial data sharing.
Additionally, on April 9, acting Deputy Director, Brian Johnson, spoke at the George Mason University Law & Economics Center's Ninth Annual Financial Services Symposium. In his prepared remarks, Johnson emphasized that regulatory rules should be “as simple as possible” when dealing with complex markets as they are easier for a greater portion of actors to understand and adapt to and also promote compliance, “which has the ancillary benefit of making it easier for consumers (not to mention regulators) to distinguish between good and bad actors.” Johnson argued that regulators should not try and dictate specific outcomes in rulemaking. Instead, Johnson stated that “financial regulators should recognize that complex market systems are not a means to accomplish their specific goals” and should “narrowly-tailor rules to address a discrete market failure.” Johnson also touched on the Bureau’s new Office of Innovation, noting that the Bureau’s proposed No Action Letter Program and Product Sandbox will offer firms “the opportunity to expand credit while still preserving important consumer protections,” while assisting the Bureau in learning about new technologies and potential consumer risks. As for the Bureau’s cost-benefit analysis, Johnson said that this activity will not be limited to future actions, but will also be used for “periodic retrospective analysis” because financial markets are “constantly changing, requiring constant reappraisal and verification of the rules that govern the system.”
CFPB and Federal Reserve update HMDA examination procedures; CFPB updates ECOA baseline review procedures
On April 1, the CFPB and the Federal Reserve Board (Federal Reserve) issued revisions to the HMDA examination procedures covering data collected since January 1, 2018, under the HMDA amendments issued by the Bureau in October 2015 and August 2017, as well as section 104(a) of the Economic Growth, Regulatory Relief, and Consumer Protection Act (implemented and clarified by the 2018 HMDA Rule, which was covered by InfoBytes in August 2018 here.) According to the Federal Reserve’s CA 19-5, the HMDA examination updates include, (i) Narrative, Examination Objectives, and Examination Procedure sections that were developed by the Task Force on Consumer Compliance of the FFIEC; (ii) Review of Compliance Management System, Examination Conclusions and Wrap-Up, and Examination Checklist sections that were developed in consultation with the FDIC and the OCC; and (iii) sampling, verification, and resubmission procedures. With regard to HMDA data collected prior to January 1, 2018, institutions will continue to be examined according to the interagency HMDA examination procedures “transmitted with CA 09-10 and the HMDA sampling and resubmission procedures transmitted with CA 04-4.”
Additionally, in April, the CFPB also released updated ECOA baseline review procedures. The procedures consist of five modules: (i) Fair Lending Supervisory History; (ii) Fair Lending Compliance Management System (CMS); (iii) Fair Lending Risks Related to Origination; (iv) Fair Lending Risks Related to Servicing; and (v) Fair Lending Risks Related to Models. According to the Bureau, all exams will cover the Fair Lending CMS module and additional modules will be assigned depending on the scope of examination.
On April 2, the FDIC issued Financial Institution Letter FIL-19-2019 (Technology Service Provider Contracts), which describes examiner observations about gaps in financial institutions’ contracts with technology service providers (TSPs) that may require financial institutions to take additional steps to manage business continuity and incident response. Although not specifically referenced in FIL-19-2019, this latest FDIC guidance echoes themes set forth in the FDIC’s Office of Inspector General (OIG) Audit Report released in 2017 (covered in Infobytes here). Specifically, examiners noted contractual deficiencies in recent reports of examination, including failing to: (i) adequately define rights and responsibilities regarding business continuity and incident response, or provide sufficient detail to allow financial institutions to manage those processes and risks; (ii) consistently require TSPs to maintain a business continuity plan, establish data recovery standards, and commit to contractual remedies if the TSP missed a data recovery standard; (iii) sufficiently detail the TSP’s security incident responsibilities such as notifying the financial institution, regulators, or law enforcement; and (iv) clearly define key terms used in contractual provisions relating to business continuity and incident response.
FIL-19-2019 further stresses that supervised institutions are required to comply with the Interagency Guidelines Establishing Information Security Standards promulgated pursuant to the GLBA, which among other things sets forth expectations for managing TSP relationships through contractual terms and ongoing monitoring. The FDIC references prior guidance establishing regulatory expectations, including: (i) Guidance for Managing Third-Party Risk (FIL-44-2008, issued June 6, 2008); and (ii) the Business Continuity Booklet set forth in the FFIEC IT Examination Handbook, which was updated in February 2015 to include a new appendix specific to managing service provider risks (Appendix J: Strengthening the Resilience of Outsourced Technology Services). FIL-19-2019 also contains a reminder to depository institutions that the Bank Service Company Act requires depository institutions to provide written notice to their respective federal banking agency of contracts or relationships with TSPs that provide certain services, including check and deposit sorting and posting, computation and posting of interest, preparation and mailing of checks or statements, and other clerical, bookkeeping, accounting, statistical, or similar functions such as data processing, Internet banking, or mobile banking services.
On March 26, the OCC released Bulletin 2019-16, which announces that the FFIEC Task Force on Consumer Compliance developed new interagency examination procedures to reflect the amendments to Regulations Z and E under the CFPB’s Prepaid Accounts Rule (covered by InfoBytes here), which go into effect on April 1. Specifically, the examination procedures reflect (i) Regulation E requirements covering disclosures, limited liability and error resolution, periodic statement, and posting of account agreements; and (ii) Regulation Z requirements covering overdraft credit features with prepaid accounts.
In March, the CFPB updated its examination procedures for short-term, small-dollar lending (payday lending) in its Supervision and Examinations Manual. The procedures are comprised of modules and each examination will cover one more module. Prior to using the procedures, examiners will complete a risk assessment and examination scope memorandum, which will assist in determining which of the five modules the exam will cover: (i) marketing; (ii) application and origination; (iii) payment processing and sustained use; (iv) collections, accounts in default, and consumer reporting; and (v) service provider relationships. The examinations will review for potential violations of TILA, EFTA, FDCPA, FCRA, ECOA, UDAAP, and Gramm-Leach-Bliley Act (GLBA), all of which apply to payday lending.
On March 15, the OCC announced an update to the Recovery Planning booklet of the Comptroller’s Handbook. Among other things, the revised booklet explains the purpose of effective recovery planning and provides guidance for OCC examiners to use when assessing the “appropriateness and adequacy of [a] covered bank’s recovery planning process and the integration of that process into the covered bank’s overall risk governance framework.” The updates reflect revisions made to the agency’s rule on enforceable guidelines, published December 27, 2018, which increased the average total consolidated assets threshold from $50 billion to $250 billion for covered insured national banks, federal savings associations, and federal branches that are required to comply, unless determined otherwise. Additionally, a bank must now comply with the guidelines within 12 months after it first becomes subject to the guidelines.
- Buckley Webcast: Hot topics in debt collection — An analysis of recent federal FDCPA litigation
- Jonice Gray Tucker to discuss "How to succeed in law school" at the SEO Law DC Panel Discussions
- Amanda R. Lawrence to discuss "Navigating the challenges of the latest data protection regulations and proven protocols for breach prevention and response" at the ACI National Forum on Consumer Finance Class Actions and Government Enforcement
- Sasha Leonhardt and John B. Williams to discuss "Privacy" at the National Association of Federally-Insured Credit Unions Summer Regulatory Compliance School
- Warren W. Traiger to discuss "CRA modernization" at the National Association of Industrial Bankers and the Utah Association of Financial Services Annual Convention
- Benjamin W. Hutten to discuss "Requirements for banking inherently high-risk relationships" at the Georgia Bankers Association BSA Experience Program
- Henry Asbill to discuss "Ethical guidance in conducting internal investigations – The intersection of Yates an Upjohn" at the American Bar Association Southeastern White Collar Crime Institute
- Brandy A. Hood to discuss "RESPA Section 8/referrals: How do you stay compliant?" at the New England Mortgage Bankers Conference
- Daniel P. Stipano to discuss "Lessons learned from recent enforcement actions and CMPs" at the ACAMS AML & Financial Crime Conference
- Daniel P. Stipano to discuss "Assessing the CDD final rule: A year of transitions" at the ACAMS AML & Financial Crime Conference