InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
OCC releases enforcement actions for April 2024
On April 18, the OCC released a list of recent enforcement actions against national banks, federal savings associations, and individuals affiliated with such entities (defined as institution-affiliated parties, or IAPs). The actions against banks include two formal agreements and one cease and desist order against three individual banks. In each instance, the OCC alleged that the banks engaged in unsafe or unsound practices related to some combination of board oversight, liquidity management, capital requirements, or credit risk. With respect to IAPs, the announcement included four enforcement actions against IAPs to “deter, encourage correction, or prevent violations, unsafe or unsound practices, or breaches of fiduciary duty,” The OCC issued prohibition orders, which prohibit the IAP from any participation in affairs of a bank or other institution), for all four IAPs and assessed civil money penalties ranging from $40,000 to $400,000 against three of them. The announcement also included two more prohibition orders against two additional IAPs for criminal activities. More information on the OCC’s enforcement action types can be found here.
Fed releases enforcement action against Wyoming-based bank holding company
On April 4, the Federal Reserve released an enforcement action against a Wyoming-based bank holding company as part of a September 2023 inspection that found alleged deficiencies related to the “fintech business strategy, board oversight, capital, earnings, liquidity, risk management, and compliance.” The consent order with the bank holding company requires the holding company to: (i) serve as a source of strength to its bank subsidiary; (ii) submit a written plan to strengthen board oversight, including a staffing assessment and succession plan; (iii) submit a written plan to strengthen its risk management program, including adopting written policies and procedures to manage compliance and fraud risks; (iv) submit an enhanced liquidity risk management program, a capital plan, and a written business plan to improve earnings; and (v) ensure compliance with regulations governing affiliate transactions. The consent order additionally placed limits on the holding company’s fintech activities and required the holding company to submit a wind-down plan for fintech-related business. According to the consent order, following the September 2023 inspection, the holding company had voluntarily stopped pursuing its fintech business strategy and had been winding down all related activities.
District Court grants full remedies to CFPB, State AGs
On March 31, the U.S. District Court for the Western District of Virginia entered an order granting the plaintiff state attorneys general and CFPB’s requested remedies in full against a defendant accused of violating consumer protection laws in administering “immigration bonds” for indigent consumers facing deportation. As previously covered by InfoBytes, in 2021 the CFPB, and the Massachusetts, New York, and Virginia State Attorneys General filed a 17-count complaint against the defendant, a subsidiary of a bond service for non-English speaking U.S. Immigration and Customs Enforcement (ICE) detainees. The complaint accused the defendant of misrepresenting the cost of immigration bond services and deceiving migrants into continuing to pay monthly fees by making false threats of deportation for failure to pay. Last May, the court entered default judgment against defendants (covered by InfoBytes here). In the court’s most recent order, it granted the plaintiff’s request for injunctive relief, stating that the CFPB met the standard for injunctive relief under the CFPA, and it would “undoubtedly serve the public interest.” The court also noted that the plaintiffs’ claims supported injunctive relief under state laws as well. The order also included (i) $230.9 million in restitution to the CFPB; (ii) a $111 million civil money penalty to the CFPB; (iii) a $7.1 million civil money penalty to Virginia; (iv) a $3.4 million civil money penalty to Massachusetts; and (v) a $13.89 million civil money penalty to New York.
FDIC’s Consumer Compliance report outlines most frequently cited violations and observations
On March 28, the FDIC released its March 2024 version of the Consumer Compliance Supervisory Highlights from the previous year, a report that enhanced transparency regarding the FDIC’s consumer compliance supervisory activities. The FDIC reported 16 formal enforcement actions and another 16 informal enforcement actions to address consumer compliance examination findings. The report highlighted how the FDIC conducted almost 900 consumer compliance examinations. The top five most frequently cited violations of moderate severity (levels two and three out of five of supervisory concern), which represented 74 percent of the total violations, included, in order from most frequently cited to least: TILA, and its implementing regulation, Regulation Z; the Flood Disaster Protection Act (FDPA) and its implementing regulation, Part 339; EFTA, and its implementing regulation, Regulation E; TISA, and its implementing regulation, Regulation DD; and Section 5 of the FTC Act. The report noted how Section 5 of the FTC Act dropped from the second most frequently cited to the fifth.
The FDIC’s report outlined the most significant consumer compliance examination observations including the misuse of the FDIC’s logo, advertising of credit builder products, electronic fund transfer (EFT) error resolutions by third parties, mortgage broker relationships, and fair lending compliance. On the misuse of the FDIC’s logo, the FDIC found “a number of third parties” misrepresented the FDIC’s deposit insurance in violation of Section 18(a)(4) of the FDI Act. On substantiating claims in the advertising of credit builder products, the FDIC found that institutions collaborated with fintech companies on credit builder products and falsely advertised “these products would improve” one’s credit score, in violation of Section 5 of the FTC Act. On EFTs handled by third parties, the FDIC identified an issue with a security program in validating customer transactions in violation of Regulation E of EFTA. On payments for mortgage brokerage services, the FDIC found RESPA Section 8 violations involving mortgage broker relationships. On oversight of third parties, the FDIC identified issues with an institution that partnered with third-party lenders to offer unsecured consumer loans, finding the institution violated Section 39 of the FDI Act. Last and on fair lending, the FDIC found that most of the DOJ’s referral matters pertinent to discrimination related to redlining, automobile financing, and credit underwriting.
FDIC issues February enforcement action against New York bank for lack of effective third-party oversight
On March 29, the FDIC released its list of February 2024 enforcement actions, which included a consent order against a New York digital bank in which the FDIC alleged a lack of sufficient oversight of the bank’s third-party relationships. According to the consent order, the bank allegedly engaged in unsafe and unsound banking practices due to a lack of internal controls appropriate to the bank’s size and risk of its third-party relationships, and weaknesses in board oversight of asset growth and management, among other issues. The FDIC further alleged that the bank violated several laws including BSA, EFTA, and TISA.
The FDIC ordered the bank’s board to increase its oversight of the bank’s management and the bank’s financial condition commensurate with the size of the bank and the risk of its third-party relationships. Further, the FDIC ordered the board to correct or eliminate any unsafe banking practices or violations of the law. On data and systems, the FDIC ordered the bank to conduct a data and systems review and develop a written action plan to address any deficiencies or weaknesses. Notably for the bank’s third-party relationships, the FDIC ordered that the bank’s procedures, data, and systems include “clear lines of authority” responsible for monitoring bank procedures and effective risk assessments. Finally, among other things, the FDIC ordered the bank to implement look-back reviews and have its board review the bank’s program to ensure compliance with consumer-related laws.
Trusts are covered persons subject to the CFPA, 3rd Circuit upholds CFPB FDCPA case
On March 19, the U.S. Court of Appeals for the Third Circuit filed an opinion remanding a case between the CFPB and defendant statutory trusts to the District Court. After issuing a civil investigative demand in 2014, the CFPB initiated an enforcement action in September 2017 against a collection of 15 Delaware statutory trusts that furnished over 800,000 private loans and their debt collector for, among other things, allegedly filing lawsuits against consumers for private student loan debt that they could not prove was owed or was outside the applicable statute of limitations (covered by InfoBytes here). Then, early last year, the parties settled and asked the court to enter a consent judgment, which was denied (covered by InfoBytes here).
The 3rd Circuit addressed two questions: (i) whether the trusts are covered persons subject to the CFPA; and (ii) whether the CFPB was required to ratify the underlying action that questioned a constitutional deficiency within the Bureau. On the statutory issue, the court found that the trusts fell within the purview of the CFPA because trusts “engage” in offering or providing a consumer financial product or service, specifically student loan servicing and debt collection, as explicitly stated in the trust agreements each trust entered. Regarding the constitutional question, the defendants argued that the Bureau needed to ratify the underlying suit because it was initiated while the agency head was improperly insulated, and since the Bureau ratified it after the statute of limitations had run, the suit was untimely. The court disagreed and found that the defendants’ analysis of the here-and-now injury “doesn’t go far enough,” therefore the CFPB did not need to ratify this action before the statute of limitations had run because the impermissible insulation provision does not, on its own, cause harm.
FTC fines two fintech firms $59 million for PPP loan practices
On March 18, the FTC announced enforcement actions against two companies that allegedly made “false promises” to small businesses seeking Paycheck Protection Program (PPP) loans. Both companies have agreed to settle with the FTC to resolve alleged violations of the Covid-19 Consumer Protection Act and the FTC Act.
According to the FTC’s complaint on the first company—a company that offers online financing products to small businesses—and its subsidiary allegedly engaged in a pattern of deceptive and unfair conduct by quoting shorter processing times for consumers’ applications, despite being aware of the significant delays. The companies also allegedly ignored consumers’ requests to withdraw their pending applications frequently. The FTC further alleged that roughly 40 percent of the companies’ consumers had their applications canceled or rejected. The proposed stipulated order included a prohibition against misrepresentations, an injunction concerning the companies’ application practices (which had prohibited them from failing to allow consumers to promptly withdraw their applications), and a $33 million judgment for monetary relief. The companies must also comply with reporting requirements detailed in the settlement.
The FTC’s complaint against the second company—an online platform offering PPP financing services to small businesses—and its CEO, alleged that respondents made deceptive claims to consumers, many of whom were eligible but never received funding because the respondents failed to fix known technical issues with their system or provide consumers with assistance. According to the complaint, the company claimed that processing a loan would only take 24 hours through the “fast lane” service, but the company’s chat support was slow, as were its review and processing times. The FTC noted that the time-sensitive nature of PPP funding meant any delays had significant impacts on consumers. In addition to the $26 million monetary judgment, the settlement with the company and its CEO prohibited them from making any deceptive, false, or unsubstantiated claims about financial services or products.
CFPB limits examiner term limits to five years after concurring with OIG recommendations
On February 26, the Office of Inspector General for the CFPB (OIG) released a report entitled, “The CFPB Can Enhance Certain Practices to Mitigate the Risk of Conflicts of Interest for Division of Supervision, Enforcement and Fair Lending Employees.” The report found that the CFPB’s Office of Supervision Examinations (OSE) does not have a formal policy that requires bank examiners to rotate assignments in a specified time frame, which increases potential conflicts of interest. The OSE examines banks to check for compliance failures in federal consumer financial law and is based out of four regional offices: New York (Northeast), Atlanta (Southeast), Chicago (Midwest), and San Francisco (West). The OIG argued that a formal policy adopted by the OSE would more effectively monitor examiner rotations, promoting “objectivity, cross-training, and broader expertise” and reducing the risk of regulatory capture – or subjecting the same regulated entity to the same examiner and subsequently risking independence and objectivity of exams. The OIG’s report posited two recommendations: (i) that the CFPB implement a formal examiner rotation policy; and (ii) that the CFPB track and document assignments for examiners and its members.
The OIG found that while some OSE offices have informal examiner rotation policies in place, there is no global system in place to track examiner assignments to ensure regular rotation. For example, OSE’s Northeast and West regional offices have written policies that require certain staff members to rotate every five years. However, the Southeast and Midwest offices do not have any written policies in place and stated having a “natural” turnover process based on needs and availability, among others.
The CFPB concurred with both OIG recommendations, stating that it will limit the time for lead examiners and field managers to five years and develop a tool for tracking these assignments.
CFPB warns lead generators, digital comparison-shopping tool operators of potential CFPA violations
On February 29, the CFPB issued a circular to law enforcement agencies and regulators explaining how operators of digital comparison-shopping tools or lead generators can potentially violate the CFPA’s prohibition on abusive acts or practices by steering consumers towards options that best serve the operator or the lead generator. The circular further discussed “how law enforcement agencies and regulators can evaluate operators of comparison-shopping tools… to manipulate results” to appease consumer preferences.
The Bureau explained that while consumers often use these tools to research, compare, and select financial products, some intermediaries also functioned as lead generators that sold consumer information to lenders. These intermediaries may have received compensation, the CFPB said, often termed as “bounties,” from financial providers for preferential treatment or lead generation. The circular recognized that operators of these tools may have engaged in commercial arrangements with financial providers and may have received compensation based on user actions or bids.
The CFPB stated that both digital comparison-shopping tool operators and lead generators can qualify as “covered persons” under CFPA section 1031(d)(2)(C) which prohibits them from engaging in unfair, deceptive, or abusive acts or practices, particularly those that “take unreasonable advantage” of consumers so they may act in the “covered person’s” best interests. The circular outlined elements of CFPA Section 1031(d)(2)(C) and applied the elements including reasonable reliance by consumers on covered entities to act in their interests, to an evaluation of the operator or lead generator activities. Notably, the circular warned that reasonable consumer reliance could be created based on the representations of the tool operator or lead generator, as well as implicit or explicit communications. Further, the Bureau added that steering consumers towards certain products or providers for the financial benefit of the operator or lead generator, rather than consumer interest, constituted unreasonable advantage-taking.
Finally, the circular included a non-exhaustive list of examples of preferencing or steering arrangements and advised law enforcement agencies and regulators to scrutinize bounty or bidding schemes and decision-making processes to identify abusive conduct.
FDIC orders bank to plan termination of relationships with “significant” fintech partners
Recently, the FDIC released a consent order against a Tennessee bank as part of its release of January Enforcement Decisions and Orders. The FDIC stated that within sixty days of the effective date of the consent order, the bank must “submit a general contingency plan to the Regional Director… [on] how the [b]ank will administer an effective and orderly termination with significant third-party FinTech partners,” as part of its Third-Party Risk Management program for the bank. The Program must assess and manage the risks posed by all fintech firms associated with the bank. It will include policies related to due diligence and risk assessment criteria that are appropriate to the products and services provided by the fintech partner. The bank must also engage an independent firm for completion of a comprehensive Banking-as-a-Service Risk Assessment Report.
The bank further consented, without admitting or denying any charges of unsafe or unsound banking practices, to board supervision of the bank’s management and approval of the bank’s policies and objectives, qualified management, the Regional Director’s prior consent for new or expanded lines of business that would result in an annual 10 percent growth in total assets or liabilities, and a comprehensive strategic plan.