InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB distributes nearly $6 million in relief payment to veterans harmed by bad-faith lenders
On January 2, the CFPB reported it had sent nearly $6 million to consumers harmed by illegal lending practices that specifically targeted veterans. Between 2019 and 2020, the CFPB filed four suits against several loan brokers, which InfoBytes previously covered. In 2019, the CFPB entered into a settlement with an online loan broker that promised to connect veterans with companies offering high-interest loans in exchange for the assignment of some or all of their military pension payments. Again in 2019, InfoBytes covered another settlement between the CFPB and a pension-advance broker for allegedly misrepresenting the contracts offered to veterans and other consumers between 2011 and 2016. In 2020, the CFPB entered into a settlement with and a loan broker who offered high-interest loans to veterans in exchange for assignment of some of their monthly pension or disability payments. Lastly, and again in 2020, InfoBytes covered a complaint brought by the South Carolina Department of Consumer Affairs against a pension-advance scheme in violation of the CFPA for brokering contracts offering high-interest credit to disabled veterans and other consumers in exchange for the assignment of some of the consumers’ unpaid earnings, monthly pensions, or disability payments.
The recent payments totaled $5.1 million from the CFPB’s victims’ relief fund and over $720,000 from money paid by the defendants. The CFPB sent checks in December to certain customers, but an individual who believes they are eligible can submit a claim for a refund.
NYDFS releases guidance on risk management
On December 21, 2023, NYDFS released guidance for managing significant financial and operational risks associated with climate change for New York State-regulated banking and mortgage institutions. The guidance emphasized the importance of ensuring operational resiliency which is “the ability to deliver operations, including critical operations and core business lines, through a disruption from any hazard.” Regulated organizations are encouraged to consider three key areas: 1) understanding climate-related financial risks; 2) prioritizing operational resilience; 3) and complying with consumer protection laws when adjusting risk frameworks for climate-related risks. The NYDFS categorizes climate-related financial risks as either physical risks, like hurricanes, floods, and wildfires, or transition risks from policy, regulations, adoption of new technologies, consumer, and investor preferences, and changing liability risks which can directly and indirectly affect financial institutions.
Regulated organizations are urged to consider potential impacts on at-risk communities while adapting their risk management approaches. NYDFS suggests they maintain reasonable, risk-based business strategies to prevent unnecessary market disruptions and comply with consumer protection laws and fair lending considerations at all times. The guidance suggests institutions also maintain fair lending practices while managing climate-related financial risks, and further suggests not divesting from low-income communities to manage risk.
The NYDFS has not set a timeline for implementation of the Guidance expectations as it would like “to provide regulated organizations with sufficient opportunity to integrate consideration of climate-related financial and operational risks into their governance frameworks, organizational structures, business strategies and risk management processes in a proportionate manner.” To offer an overview of these documents and highlight key feedback themes, NYDFS has scheduled a webinar for January 11, 2024, at 11:30 am ET. Interested parties can register for the webinar via the provided link. The Department also made additional resources available to aid organizations in implementing measures to tackle climate-related risks.
Agencies update the Uniform Rules of Practice and Procedure
On December 28, 2023, the Fed, OCC, FDIC, and NCUA published a final rule amending the Uniform Rules of Practice and Procedure to recognize the use of electronic communications and enhance the efficiency and equity of administrative hearings. The agencies have implemented measures recognizing the role of electronic communications across all facets of administrative proceedings. Among other things, the final rule (i) defines “electronic signature” in the Uniform Rules; (ii) codifies permitting electronic service and filings for administrative actions; (iii) allows for remote depositions; (iv) includes Equal Access to Justice Act procedures based on the 2019 Administrative Conference of the United States Model Rule; (v) adds provisions on when parties must pay civil money penalties; (vi) adds specific provisions pertaining to the forfeiture of a national bank, federal savings association, or federal branch or agency charter or franchise due to certain money laundering or cash transaction violations; (vii) modifies the discovery rules to recognize electronic documents and allow for electronic production; (viii) establishes new rules for expert and hybrid fact-expert witnesses; and (ix) consolidates the Uniform Rules and Local Rules for national banks and federal savings associations.
Additionally, the OCC has revised its specific administrative practice and procedure regulations to harmonize rules for national banks and federal savings associations. Furthermore, adjustments were made to the OCC’s regulations on organization and operations to encompass service of process considerations.
The rule is effective April 1, 2024.
IOSCO publishes nine recommendations on decentralized finance
On December 19, 2023, the International Organization of Securities Commissions (IOSCO) published a report on decentralized finance to address market integrity and investor protection. The report includes nine policy recommendations for decentralized financial regulators to follow. Decentralized finance structures include financial products and arrangements that use a distributed ledger or blockchain technology. IOSCO’s policy recommendations on decentralized finance complement a similar report on crypto and digital asset markets, as written about on InfoBytes, here. The policy recommendations are as follows: (i) regulators should analyze decentralized finance products, services, and activities in its jurisdiction; (ii) regulators should identify the persons or entities that could be subject to its regulatory framework; (iii) regulators should use frameworks to regulate and address risks arising from decentralized finance consistent with IOSCO standards; (iv) regulators should require responsible persons to address conflicts of interest; (v) regulators should require responsible persons to address material risks, including operational and technological ones; (vi) regulators should require responsible persons to disclose information clearly to users and investors; (vii) regulators should apply comprehensive powers to decentralized financial services to detect and enforce violations under law; (viii) regulators should cooperate and share information with other regulators and authorities; and (ix) regulators should seek to understand how decentralized finance products are linked to the crypto-asset market as well as traditional finance markets. The final section of the report summarized the feedback garnered from 45 stakeholders on eight categories.
FTC sues for-profit university for deceptive and illegal practices
On December 27, 2023, the FTC filed a suit in the U.S. District Court of Arizona against a for-profit university for allegedly deceiving students, misrepresenting the university as a nonprofit entity, and committing telemarking abuses. The FTC sued under the FTC Act and Telemarketing Sales Rule (TSR). The complaint alleges that the university in question is a for-profit institution operating as a publicly traded entity, but nonetheless marketed itself as a “nonprofit” university. The complaint further alleges that the university misled students about the cost of its “accelerated” doctoral programs and used abusive telemarketing calls to try to boost enrollment. According to the FTC, the university called those who requested not to be called by the university, as well as consumers on the National Do Not Call Registry. The FTC asserts five claims against the university. The first two counts allege violations of Section 5(a) of the FTC Act for deceptive representations about its non-profit status and for falsely advertising its doctoral programs. The last three counts allege violations of the TSR predicated on deceptive telemarketing acts or practices, contacting those who have requested to not be contacted, and calling people on the National Do Not Call Registry.
FCC adopts updated data breach notification rules
On December 21, 2023, the FCC announced it adopted an updated data breach notifications rule. The rule was formerly designed to protect consumers against pretexting, “a practice in which a scammer pretends to be a particular customer or other authorized person to obtain access to that customer’s call detail or other private communications records.” As previously covered by InfoBytes, the FCC promulgated its notice of proposed rulemaking in January 2023. The rule has been updated to expand the data breach notification requirements to, among other things: (i) cover different categories of personally identifiable information that carriers hold; (ii) expand the definition of “breach” to cover unintended disclosures of consumer information, except in situations where such information is obtained in good faith by an employee or representative of a carrier or telecommunications relay service (“TRS”) provider, and where there’s no improper use or further disclosure of that information; (iii) require TRS providers and carriers to notify the FCC, FBI, and U.S. Secret Service as soon as practicable and no later than seven business days after the reasonable determination of a breach; (iv) no longer require TRS providers and carriers to notify consumers of a data breach if they reasonably determine no harm to consumers is reasonably likely; and (v) no longer require carriers to follow a mandatory waiting period to notify consumers of a breach. FCC Chairwoman Jessica Rosenworcel said in her statement that the update to the data breach policy is the first in 16 years and that under the Communications Act, “carriers have a duty to protect the privacy and security of consumer data.” The rule was adopted on December 13, 2023.
FDIC issues advisory on managing commercial real estate concentrations
On December 18, the FDIC issued an advisory to institutions with commercial real estate (CRE) concentrations. The advisory, among other things, reminds insured state non-member banks and savings associations (FDIC-supervised institutions) of the importance of “strong capital, appropriate credit loss allowance levels, and robust credit risk-management practices” when managing CRE concentrations. The advisory notes that “[r]ecent weaknesses in the economic environment and fundamentals related to various CRE sectors have increased the FDIC’s overall concern for state nonmember institutions with concentrations of CRE loans.” The FDIC said that “CRE investment property capitalization rates have not kept pace with recent rapid increases in long-term interest rates, which leads to concerns about general over-valuation of underlying collateral.” For institutions with concentrated CRE exposures, the agency “strongly recommended” that “as market conditions warrant, institutions with CRE concentrations (particularly in office lending) increase capital to provide ample protection from unexpected losses if market conditions deteriorate further.” The agency also outlined key risk-management measures for financial institutions with significant concentrations in CRE and real estate construction and development (C&D) to manage through changing market conditions: (i) “maintain strong capital levels;” (ii) “ensure that credit loss allowances are appropriate;” (iii) “manage C&D and CRE loan portfolios closely;” (iv) “maintain updated financial and analytical information;” (v) “bolster the loan workout infrastructure;” and (vi) “maintain adequate liquidity and diverse funding sources.”
NCUA to reinstate civil money penalties for late call reports
Recently, the National Credit Union Administration (NCUA) announced it will reinstate assessing civil money penalties for credit unions that fail to submit a call report (NCUA Form 5300) in a timely manner. The call report program was suspended after December 2019 during the Covid-19 pandemic. “The December 2023 Call Report will be the first reporting cycle under the reinstated program and will be due by 11:59:59 p.m. Eastern time, January 30, 2024.” The NCUA states it will send a reminder to credit unions with outstanding call reports a week before their deadline. The NCUA will also consider extenuating circumstances, including the size and good faith of the credit union, the gravity of the violation, the history of previous violations, and other matters like natural disasters or incapacitation of key employees.
Fed enters into written agreement with Ohio bank
On December 19, the Federal Reserve Board announced a written agreement with an Ohio state-chartered bank and its holding company to address certain deficiencies identified during a recent examination of the bank. Under the agreement, the bank and its holding company agreed to: (i) use the bank’s resources as a “source of strength”; (ii) submit a written plan to enhance board oversight and management; (iii) conduct a third-party assessment of the bank’s staff; (iv) submit an enhanced written investment policy that includes “periodic analysis of the investment portfolio, including, but not limited to the assessment of market risk, credit risk, interest rate risk, and liquidity risk of the underlying investments”; (v) improve the bank’s investment portfolio management and interest rate risk management practices; (vi) implement an enhanced liquidity risk management program; and (vii) submit a written plan regarding sufficient capital (among other corrective actions).
OCC issues cease-and-desist order to NY bank
On December 14, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals that are or were affiliated with such entities. Included is a cease-and-desist order against an upstate New York bank for allegedly engaging in unsafe or unsound practices, including on the bank’s corporate governance, capital planning, interest rate risk management, liquidity risk management, and reports of condition.
Under the order, the bank must appoint a compliance committee to take corrective action, submit a three-year strategic plan to establish objectives for the bank’s risk profile, earnings performance, growth, and balance sheet mix, among other areas, and maintain a capital ratio of at least 15 percent, a common equity tier 1 capital of at least equal to 14 percent, and a leverage ratio of at least ten percent. The order also requires the bank to create an interest rate risk program and a third-party risk management program.