InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB releases regulatory agenda
The Office of Information and Regulatory Affairs recently released the CFPB’s spring 2023 regulatory agenda. Key rulemaking initiatives that the agency expects to initiate or continue include:
- Overdraft fees. The Bureau is considering whether to engage in pre-rulemaking activity in November to amend Regulation Z with respect to special rules for determining whether overdraft fees are considered finance charges.
- FCRA rulemaking. The Bureau is considering whether to engage in pre-rulemaking activity in November to amend Regulation V, which implements the FCRA. In January, the Bureau issued its annual report covering information gathered by the Bureau regarding certain consumer complaints on the three largest nationwide consumer reporting agencies (CRAs). CFPB Director Rohit Chopra noted that the Bureau “will be exploring new rules to ensure that [the CRAs] are following the law, rather than cutting corners to fuel their profit model.” (Covered by InfoBytes here.)
- Insufficient funds fees. The Bureau is considering whether to engage in pre-rulemaking activity in November regarding non-sufficient fund (NSF) fees. The Bureau commented that while NSF fees have been a significant source of fee revenue for depository institutions, recently some institutions have voluntarily stopped charging such fees.
- Amendments to FIRREA concerning automated valuation models. On June 1, the Bureau issued a joint notice of proposed rulemaking (NPRM) with the Federal Reserve Board, OCC, FDIC, NCUA, and FHFA to develop regulations to implement quality control standards mandated by the Dodd-Frank Act concerning automated valuation models used by mortgage originators and secondary market issuers. (Covered by InfoBytes here.) Previously, the Bureau released a Small Business Regulatory Enforcement Fairness Act (SBREFA) outline and report in February and May 2022 respectively. (Covered by InfoBytes here.)
- Section 1033 rulemaking. Section 1033 of Dodd-Frank provides that covered entities, such as banks, must make available to consumers, upon request, transaction data and other information concerning consumer financial products or services that the consumer obtains from the covered entity. Over the past several years, the Bureau has engaged in a series of rulemaking steps to prescribe standards for this requirement, including the release of a 71-page outline of proposals and alternatives in advance of convening a panel under the SBREFA and the issuance of a final report examining the impact of the Bureau’s proposals to address consumers’ personal financial data rights. (Covered by InfoBytes here.) Proposed rulemaking may be issued in October.
- Property Assessed Clean Energy (PACE) financing. The Bureau issued an NPRM last month to extend TILA’s ability-to-repay requirements to PACE transactions. (Covered by InfoBytes here.) The proposed effective date is at least one year after the final rule is published in the Federal Register (“but no earlier than the October 1 which follows by at least six months Federal Register publication”), with the possibility of a further extension to ensure compliance with a TILA timing requirement.
- Supervision of Larger Participants in Consumer Payment Markets. The Bureau is considering whether to engage in pre-rulemaking activity next month to define larger participants in consumer payment markets and further the scope of the agency’s nonbank supervision program.
- Nonbank registration. The Bureau announced its intention to identify repeat financial law offenders by establishing a database of enforcement actions taken against certain nonbank covered entities. (Covered by InfoBytes here.) The Bureau anticipates issuing a final rule later this year.
- Terms and conditions registry for supervised nonbanks. At the beginning of the year, the Bureau issued an NPRM that would create a public registry of terms and conditions used in non-negotiable, “take it or leave it” nonbank form contracts that “claim to waive or limit consumer rights and protections.” Under the proposal, supervised nonbank companies would be required to report annually to the Bureau on their use of standard-form contract terms that “seek to waive consumer rights or other legal protections or limit the ability of consumers to enforce or exercise their rights” and would appear in a publicly accessible registry. (Covered by InfoBytes here.) The Bureau anticipates issuing a final rule later this year.
- Credit card penalty fees. The Bureau issued an NPRM in February to solicit public feedback on proposed changes to credit card late fees and late payments and card issuers’ revenue and expenses. (Covered by InfoBytes here.) Under the CARD Act rules inherited by the Bureau from the Fed, credit card late fees must be “reasonable and proportional” to the costs incurred by the issuer as a result of a late payment. A final rule may be issued later this year.
- LIBOR transition. In April, the Bureau issued an interim final rule, amending Regulation Z, which implements TILA, to update various provisions related to the LIBOR transition. Effective May 15, the interim final rule further addresses LIBOR’s sunset on June 30, by incorporating references to the SOFR-based replacement—the Fed-selected benchmark replacement for the 12-month LIBOR index—into Regulation Z. (Covered by InfoBytes here.)
Agencies finalize guidance on managing third parties
On June 6, the OCC, Federal Reserve Board, and FDIC issued interagency guidance to aid banking organizations in managing risks related to third-party relationships, including relationships with financial technology-focused entities. (See also FDIC FIL-29-2023 and Federal Reserve Board memo here.) The joint guidance, final as of June 6, replaces each agency’s existing general guidance on third-party risk management and is directed to all supervised banking organizations. Designed to streamline government guidance on mitigating risks when working with third parties, the final guidance establishes principles for banking organizations to consider when implementing risks management practices. Banking organizations are advised to consider and account for the level of risk, complexity, and size of the institution, as well as the nature of the third-party relationship, when conducting sound risk management.
After considering public comments received on proposed guidance issued in July 2021 (covered by InfoBytes here), the final guidance provides directions and expectations for oversight at all stages in the life cycle of a third-party relationship, including topics relating to planning, due diligence and third-party selection, contract negotiations, ongoing monitoring, and termination. Guidance on conducting independent reviews, maintaining documentation, and reporting is also included. The agencies advised banking organizations, particularly community banks, to review illustrative examples to help align risk management practices with the scope and risk profile of their third-party relationships. Additionally, banking organizations should maintain a complete inventory of their third-party relationships, identify higher-risk and critical activities, periodically conduct reviews to determine whether risks have changed over time, and update risk management practices accordingly, the agencies said.
The final guidance emphasizes that the agencies will review a banking organization’s third-party risk management practices as part of the standard supervisory process. When assessing whether activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations, examiners will, among other things, (i) evaluate a banking organization’s ability to oversee and manage third party relationships; (ii) assess the effects of those relationships on a banking organization’s risk profile and operational performance; (iii) perform transaction testing to evaluate whether activities performed by a third party comply with applicable laws and regulations; (iv) conduct conversations relating to any identified material risks and deficiencies with senior management and board of directors; (v) review how a banking organization remediates any deficiencies; and (vi) consider supervisory findings when rating a banking organization.
The agencies stressed that they may take corrective measures, including enforcement actions, to address identified violations or unsafe or unsound banking practices by the banking organization or its third party. The agencies further announced that they plan to immediately engage with community banks and will develop additional resources in the future to help these organizations manage relevant third-party risks.
OCC’s new enforcement policy targets banks with “persistent weaknesses”
On May 25, the OCC announced revisions to its Policies and Procedures Manual (PPM) for bank enforcement actions. According to OCC Bulletin 2023-16, the recently revised version of PPM 5310-3 replaces and rescinds a version issued in November 2018 (covered by InfoBytes here), and now includes “Appendix C: Actions Against Banks With Persistent Weaknesses” to provide increased transparency and clarity on how the OCC determines whether a bank has persistent weaknesses and how the agency considers what actions may be needed to address these issues. The OCC explained that “persistent weaknesses” may include “composite or management component ratings that are 3 or worse, or three or more weak or insufficient quality of risk management assessments, for more than three years; failure by the bank to adopt, implement, and adhere to all the corrective actions required by a formal enforcement action in a timely manner; or multiple enforcement actions against the bank executed or outstanding during a three-year period.”
Possible actions taken against a bank that exhibits persistent weaknesses may include additional requirements and restrictions, such as requirements that a bank improve “composite or component ratings or quality of risk management assessments,” as well as restrictions on the bank’s growth, business activities, or payments of dividends. A bank may also be required “to take affirmative actions, including making or increasing investments targeted to aspects of its operations or acquiring or holding additional capital or liquidity.”
“Should a bank fail to correct its persistent weaknesses in response to prior enforcement actions or other measures . . . the OCC will consider further action to require the bank to remediate the weaknesses,” the agency said. “Such action could require the bank to simplify or reduce its operations, including that the bank reduce its asset size, divest subsidiaries or business lines, or exit from one or more markets of operation.” PPM 5310-3 also incorporates additional clarifications and updates legal and regulatory citations.
The same day, the OCC issued updates to its “Liquidity” booklet of the Comptroller’s Handbook used by examiners when assessing the quantity of a bank’s liquidity risk and the quality of its liquidity risk management. The booklet replaces an August 2021 version and reflects changes in regulations, makes clarifying edits, and addresses OCC issuances published since the last update.
FSOC seeks feedback on risk framework, nonbank determinations
On April 21, the Financial Stability Oversight Council (FSOC) released a proposed analytic framework for financial stability risks, “intended to provide greater transparency to the public about how [FSOC] identifies, assesses, and addresses potential risks to financial stability, regardless of whether the risk stems from activities or firms.” FSOC explained in a fact sheet that the proposed framework would not impose any obligations on any entity, but is instead designed to provide guidance on how FSOC expects to perform certain duties. This includes: (i) identifying potential risks covering a broad range of asset classes, institutions, and activities, including new and evolving financial products and practices as well as developments affecting financial resiliency such as cybersecurity and climate-related financial risks; (ii) assessing certain vulnerabilities that most commonly contribute to financial stability risk and considering how adverse effects stemming from these risks could be transmitted to financial markets/market participants, including what impact this can have on the financial system; and (iii) responding to potential risks to U.S. financial stability, which may involve interagency coordination and information sharing, recommendations to financial regulators or Congress, nonbank financial company determinations, and designations relating to financial market utility/payment, clearing, and settlement activities that are, or are likely to become, systemically important.
The same day, FSOC also released for public comment proposed interpretive guidance relating to procedures for designating systemically important nonbank financial companies for Federal Reserve supervision and enhanced prudential standards. (See also FSOC fact sheet here.) The guidance would revise and update previous guidance from 2019, and “is intended to enhance [FSOC’s] ability to address risks to financial stability, provide transparency to the public, and ensure a rigorous and clear designation process.” FSOC explained that the proposed guidance would include a two-stage evaluation and analysis process for making a designation, during which time companies under review would engage in significant communication with FSOC and be provided an opportunity to request a hearing, among other things. Designated companies will be subject to annual reevaluations and may have their designations rescinded should FSOC determine that the company no longer meets the statutory standards for designation.
Comments on both proposals are due 60 days after publication in the Federal Register.
Both CFPB Director Rohit Chopra and OCC acting Comptroller Michael J. Hsu issued statements supporting the issuance of the proposed interpretive guidance. Chopra commented that, if finalized, the proposed guidance “will create a clear path for the FSOC to identify and designate systemically important nonbank financial institutions” and “will accelerate efforts to identify potential shadow banks to be candidates for designation.” Hsu also noted that sharing additional details to improve the balance and transparency of FSOC’s work “would both make it easier for [FSOC] to explain its analysis of potential risks and create an opportunity for richer public input on the analysis.”
NYDFS to impose supervision fees on virtual currency licensees
On April 17, NYDFS announced the adoption of a final regulation establishing how certain licensed virtual currency businesses will be assessed for supervision and examination costs. Under 23 NYCRR Part 102, licensed virtual currency companies holding a Bitlicense will be assessed for their supervisory costs, similar to other licensees regulated by the Department. Last year, NYDFS first proposed a provision in the state budget authorizing the Department to collect supervisory costs from virtual currency businesses licensed pursuant to the Financial Services Law in order to add talent to its virtual currency regulatory team. (Covered by InfoBytes here.) NYDFS explained that the regulation will only apply to licensed virtual currency businesses and that the fees will only cover the costs and expenses associated with the Department’s oversight of a licensee’s virtual currency business activities. A licensee’s total annual assessment fee will be the sum of its supervisory component and its regulatory component, as defined in the regulation, and will be billed five times per fiscal year, once per quarter and a final true-up at the end of the fiscal year. The background to the final regulation notes that to the extent that a person holds multiple licenses to engage in virtual currency business activities, or concurrently acts as a money transmitter, such person will be billed separately for each license, adding that “[p]ersons who engage in virtual currency business activities as a limited purpose trust company or a banking organization will continue to be assessed under 23 NYCRR Part 101.” The final regulation takes effect upon publication of the Notice of Adoption in the New York State Register.
Treasury recommends stronger DeFi supervision
On April 6, the U.S. Treasury Department published a report on illicit finance risks in the decentralized finance (DeFi) sector, building upon Treasury’s other risk assessments, and continuing the work outlined in Executive Order 14067, Ensuring Responsible Development of Digital Assets (covered by InfoBytes here).
Written by Treasury’s Office of Terrorist Financing and Financial Crimes, in consultation with numerous federal agencies, the Illicit Finance Risk Assessment of Decentralized Finance is the first report of its kind in the world. The report explained that, while there is no generally accepted definition of DeFi, the term has broadly referred to virtual asset protocols and services that allow for automated peer-to-peer transactions through the use of blockchain technology. Used by a host of illicit actors to transfer and launder funds, the report found that “the most significant current illicit finance risk in this domain is from DeFi services that are not compliant with existing AML/CFT [anti-money laundering and countering the financing of terrorism] obligations.” These obligations include establishing effective AML programs, assessing illicit finance risks, and reporting suspicious activity, the report said.
The report made several recommendations for strengthening AML/CFT supervision and regulation of DeFi services, such as “closing any identified gaps in the [Bank Secrecy Act (BSA)] to the extent that they allow certain DeFi services to fall outside the scope of the BSA’s definition of financial institutions.” The report also recommended, “when relevant,” the “enforcement of virtual asset activities, including DeFi services, to increase compliance by virtual asset firms with BSA obligations,” and suggested continued research and engagement with the private sector on this subject.
In addition, the report pointed to a lack of implementation of international AML/CFT standards by foreign countries, “which enables illicit actors to use DeFi services with impunity in jurisdictions that lack AML/CFT requirements,” and commented that “poor cybersecurity practices by DeFi services, which enable theft and fraud of consumer assets, also present risks for national security, consumers, and the virtual asset industry.” To address these concerns, the report recommended “stepping up engagements with foreign partners to push for stronger implementation of international AML/CFT standards and advocating for improved cybersecurity practices by virtual asset firms to mitigate these vulnerabilities.” The report seeks input from the public sector to inform next steps.
FDIC issues 2023 Consumer Compliance Supervisory Highlights
On April 5, the FDIC released the March 2023 edition of the Consumer Compliance Supervisory Highlights, which is intended to “enhance transparency regarding the FDIC’s consumer compliance supervisory activities and to provide a high-level overview of consumer compliance issues identified in 2022 through the FDIC’s supervision of state non-member banks and thrifts.” In 2022, the FDIC conducted approximately 1,000 consumer compliance examinations and noted that “[o]verall, supervised institutions demonstrated effective management of their consumer compliance responsibilities.” The agency also initiated 21 formal enforcement actions and 10 informal enforcement actions addressing consumer compliance examination observations and issued civil money penalties totaling $1.3 million against institutions to address violations of the Flood Disaster Protection Act (FDPA), RESPA Section 8, FCRA, and Section 5 of the FTC Act, with an additional $13.6 million in voluntary restitutions to consumers. Additionally, the FDIC referred 12 fair lending matters to the DOJ in 2022. Covered topics include:
- An overview of the most frequently cited violations, with approximately 73 percent of total violations involving TILA, Reg Z, Section 5 of the FTC Act, the FDPA, EFTA, and the Truth in Savings Act, with violations of Section 5 of the FTC (which prohibits unfair or deceptive acts or practices) moving up as a top-five violation.
- An overview of issues found during examinations involving institutions that purchased “trigger leads” but did not provide consumers with a firm offer of credit. Among other things, examiners identified occurrences where representatives failed to comply with FCRA disclosure requirements during sales calls by not communicating, among other things, that an offer of credit was being made.
- Findings where institutions “unilaterally applied excess interest to the servicemember’s principal loan balance without giving the servicemember an option of how to receive the funds”—a violation of the SCRA’s anti-acceleration provision.
- Information on regulatory developments, including recent FDIC actions and efforts to (i) address appraisal bias; (ii) modernize the Community Reinvestment Act; (iii) remind creditors that they may establish special purpose credit programs under ECOA to meet the credit needs of certain classes of persons; (iv) implement a supervisory approach, consistent with the CFPB’s approach, for FDIC-supervised institutions with respect to reporting HMDA data; (v) provide revised information on flood insurance compliance responsibilities; (vi) address occurrences where persons misuse the FDIC’s name or logo, or make false or misleading representations about deposit insurance; (vii) assess crypto-asset-related activities; (viii) adopt revised guidelines for appeals of material supervisory determinations; and (ix) address compliance risks associated with multiple re-presentment of NSF fees.
- A summary of consumer compliance resources available to financial institutions.
- An overview of consumer complaint trends.
Hsu says OCC focused on fairness in banking
On March 30, acting Comptroller of the Currency Michael J. Hsu commented that the safety and soundness of the federal banking system continues to be a top agency priority, as is improving fairness in banking. Speaking at a conference, Hsu discussed several measures taken by the OCC to elevate and advance fairness, particularly for the underserved and financially vulnerable. Explaining that OCC examiners are encouraging bank management to review existing overdraft protection programs and consider adopting pro-consumer reforms, Hsu referred to CFPB guidance issued last October to address unfair, deceptive, and abusive practices associated with “so-called ‘surprise overdraft’ fees.” (Covered by InfoBytes here.) He also commented that both the Federal Reserve Board and the FDIC have cited the risk of violating UDAP in connection with the certain overdraft practices. Hsu noted that not all overdraft practices are equal, stating that “authorize positive, settle negative” and “representment” fees both present heightened risks.
Recognizing the recent decline in banks’ reliance on overdraft fees, Hsu emphasized that most bankers he has spoken to “understand the importance of treating their customers fairly and have been open to learning about best practices.” He noted that “[t]hese bankers are committed to being there for their customers and providing them with short-term, small dollar liquidity when it is needed most. Many customers tell their banks, as well as groups that have studied overdraft practices, that this banking service helps them meet payments when they come due.” Hsu added that the OCC’s intended goal is to “improve the fairness of these programs by making them more pro-consumer, not to eliminate them,” and that “[m]ore fairness means more financially healthy communities, which means more trust in banking.” Hsu also discussed efforts taken by the OCC to combat discriminatory lending practices, including working to enhance supervisory methods for identifying appraisal discrimination.
OCC establishes Office of Financial Technology
On March 30, the OCC announced the establishment of the Office of Financial Technology, and selected Prashant Bhardwaj to lead the office as Deputy Comptroller and Chief Financial Technology Officer beginning April 10. As previously covered by InfoBytes, last October the OCC said the new office will build on and incorporate the agency’s Office of Innovation (established in 2016 and covered by InfoBytes here), and will strengthen the OCC’s expertise and ability to adapt to a rapidly evolving banking landscape. The Office of Financial Technology will “enhance the OCC’s expertise on matters regarding digital assets, fintech partnerships, and other changing technologies and business models within and that affect OCC-supervised banks,” the OCC said in its announcement, noting that Bhardwaj will lead a team responsible for analyzing, evaluating, and discussing relevant fintech trends, emerging and potential risks, and the potential implications for OCC supervision.
CFPB scrutinizes discharged private student loan billing and collection practices
On March 16, the CFPB released a compliance bulletin discussing student loan servicers’ practice of collecting on private student loans discharged in bankruptcy. The bulletin also notified regulated entities on how the Bureau intends to exercise its enforcement and supervisory authorities on this issue. Bulletin 2023-01: Unfair Billing and Collection Practices After Bankruptcy Discharges of Certain Student Loan Debts addressed the treatment of certain private student loans following bankruptcy discharge. The Bureau explained that in order to secure a discharge of a qualified education loan in bankruptcy, a borrower must demonstrate that the loan would impose an undue hardship if not discharged. Loans that do not meet this qualification (“non-qualified student loans”) can be discharged under standard bankruptcy discharge orders, the Bureau said.
Bureau examiners found, however, that several servicers failed to determine whether a borrower’s loan was qualified or non-qualified. As a result, non-qualified student loans were returned to repayment after a bankruptcy concluded, wherein servicers continued to bill and collect payments on the loans even through the borrower was released from this debt through the bankruptcy discharge. According to the Bureau, many borrowers, when faced with collection activities in violation of a bankruptcy court order, continued to make payments on debts they no longer owed.
The Bureau explained that servicers who collected on student loans that were discharged by a bankruptcy court violate the prohibition on unfair, deceptive, or abusive acts or practices under the Consumer Financial Protection Act. The bulletin described unfair practices observed by examiners, such as servicers relying entirely on loan holders to distinguish among the loans and not ensuring that such holders had in fact done so. The bulletin also provided examples of student loans that are eligible for standard bankruptcy discharge, including loans made to students attending schools that are ineligible for federal student aid and loans made to students attending school less than half time. Bureau examiners instructed servicers to immediately stop collecting on discharged loans and take remedial action, including conducting a multi-year lookback and issuing refunds to affected borrowers.