InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Agencies issue final rule to modernize Community Reinvestment Act regulations
On October 24, the Fed, FDIC, and OCC issued an interagency announcement regarding the modernization of their rules under the Community Reinvestment Act (CRA), a law enacted in 1977 to encourage banks to help meet the credit needs of their communities, especially low- and moderate-income (LMI) neighborhoods, in a safe and sound manner. The new rule overhauls the existing regulatory scheme that was first implemented in the mid-1990s.
For banks with assets of at least $2 billion (Large Banks), the final rule adds a new category of assessment area to the existing facility based assessment area (FBAA). Large Banks that do more than 20 percent of their CRA-related lending outside their FBAAs will have that lending evaluated in retail lending assessment areas, i.e., MSAs or states where it originated at least 150 closed-end home mortgage loans or 400 small business loans in both of the previous two years. All Large Banks will be subject to two new lending and two new community development tests, with lending and community development activities each counting for half a bank’s overall CRA rating. Banks with assets between $600 million and $2 billion will be subject to a new lending test. Large Banks with assets greater than $10 billion will also have special reporting requirements.
Additionally, the rule (i) implements a standardized scoring system for performance ratings; (ii) revises community development definitions and creates a list of community development activities eligible for CRA consideration, regardless of location; (iii) permits regulators to evaluate “impact and responsiveness factors” of community development activities; (iii) continues to make strategic plans available as an alternative option for evaluation; (iv) revises the definition of limited purpose bank so that it includes both existing limited purpose and wholesale banks and subjects those banks to a new community development financing test; and (v) considers online banking in the bank’s evaluations.
Most of the rule’s requirements will be effective January 1, 2026. The remaining requirements, including the data reporting requirements, will apply on January 1, 2027.
FTC reports on efforts to combat cross-border fraud and ransomware attacks
On October 20, the FTC published two reports outlining its efforts to protect consumers against cross-border fraud and ransomware attacks.
In the first report, the FTC described the US SAFE Web Act (SAFE WEB), passed in 2006, as an “indispensable” tool to combat cross-border fraud and protect consumers in an increasingly global and digital economy. For example, the report noted that since SAFE WEB was passed, the FTC has used the law in myriad ways: issuing more than 140 civil investigative demands on behalf of 21 foreign agencies from eight countries; engaging in 148 staff exchanges to build cooperation with foreign counterparts; and sharing confidential information from FTC files with 43 law enforcement agencies in twenty different countries. The report also indicated that SAFE WEB has allowed the FTC to pursue and stop harmful conduct in the US and defend against challenges to its jurisdictional authority over foreign companies targeting American consumers. Notably, SAFE WEB helped the FTC (i) shut down a real estate investment scam that took in more than $100 million (the largest such scheme the FTC has ever targeted); (ii) cooperate with privacy authorities in Canada and the United Kingdom to pursue actions against an online dating site that deceived consumers and failed to protect the account and profile information of more than 36 million individuals; (iii) and work with foreign law enforcement agencies to stop fraudulent money transfers to certain money transfer companies located in Spain in connection with a Nigerian email scam. The FTC recommends that Congress permanently reauthorize SAFE WEB to preserve the agency’s ability to fight cross-border fraud.
In the second report, the FTC discussed its work to target ransomware and other cyber-attacks. The FTC highlighted its longstanding data security enforcement program, which seeks to ensure that businesses engage in reasonable practices to protect the data of their customers. Moreover, the RANSOMWARE Act refers specifically to China, Russia, North Korea, and Iran. The report stated that although the FTC has taken data security-related enforcement actions involving connections to China and Russia, the FTC has had limited interactions with government agencies in China, Russia, North Korea, and Iran. The report included several recommendations for Congress, including making SAFE WEB permanent, amending a provision in the FTC act which would restore the FTC’s ability to provide refunds to harmed consumers, and enacting privacy and data security legislation which would be enforceable by the FTC. The FTC also urged businesses to take steps to safeguard customer data, including retaining information only so long as there is a legitimate business need, restricting access to sensitive data, and storing personal information securely and protecting it during transmission.
CFPB releases education ombudsman’s annual report
On October 20, the CFPB Education Loan Ombudsman published its annual report on consumer complaints submitted between September 1, 2022, and August 31, 2023. The report is based on approximately 9,284 student loan complaints received by CFPB regarding federal and private student loans. Roughly 75 percent of complaints were related to federal student loans while the remaining 25 percent concerned private student loans. Overall, the report found underlying issues in student loan servicing that threaten borrowers’ ability to make payments, achieve loan cancellation, or receive other protections to which they are entitled under federal law. The report indicated that challenges and risks facing federal student loan borrowers include customer service problems, errors related to basic loan administration, and problems accessing loan cancellation programs. Similarly, private borrowers face issues accessing loan cancellation options, misleading origination tactics, and coercive debt collection practices related to private student loans.
The Ombudsman’s report advised policymakers, law enforcement, and industry participants to consider several recommendations: (i) ensuring that federal student loan borrowers can access all protections intended for them under the law; (ii) ensuring that loan holders and servicers of private student loans do not collect debt where it may no longer be legally owed or previously discharged; and (iii) using consumer complaints to develop policies and procedures when they reveal systemic problems.
Bank to pay Fed, NYDFS almost $30 million for deficient third-party risk management practices
On October 19, the Fed and NYDFS announced an enforcement action against a New York-based bank for alleged violations of consumer identification rules and deficient third-party risk management practices. NYDFS Superintendent Adrienne A. Harris stated that the bank failed to prevent a “massive, ongoing fraud” related to its prepaid card program. According to the Fed’s cease-and-desist order, illicit actors managed to open prepaid card accounts through a third-party, and moved hundreds of millions of dollars of direct deposit payroll payments and state unemployment benefits through the accounts. The Fed’s order requires the bank to, among other things, improve its oversight, create a new product review program, enhance its customer identification program, and submit a plan to enhance its third-party risk management program. The bank’s plan must include (i) policies and procedures to ensure third-party service providers are complying with federal and state law; (ii) a third-party risk management oversight program; (iii) policies and procedures to ensure the bank’s Chief Compliance Officer has sufficient resources to properly access the bank’s prepaid card program and is adequately staffed; and (iv) a comprehensive identity theft prevention program. The Fed also requires the bank to pay a civil money penalty of approximately $14.5 million. Under NYDFS’s consent order, the bank agreed to pay an additional $15 million civil monetary penalty, and to submit remediation and program reporting.
CSBS offers guidance for licensees to prepare for NMLS renewal
On October 24, CSBS released tips for licensees to prepare for NMLS renewal. As previously covered by InfoBytes, NMLS announced it will be rolling out a new version of its mortgage call report which will include new requirements for many licensees. Kelly O'Sullivan, the chair of the NMLS Policy Committee and deputy commissioner of the Montana Division of Banking and Financial Institutions, advises licensees to proactively update their information in NMLS and make use of available training and resources to address their queries before the renewal period begins. This is particularly crucial for those individuals who typically only engage with NMLS during the license renewal phase.
CSBS recommended five essential tips for licensees:
- Licensees should log into NMLS and thoroughly review and update their profile record to ensure accuracy;
- Licensees should reset their NMLS password in advance to have a current password ready for accessing NMLS when needed;
- Licensees should provide and maintain a current email address to receive essential updates from NMLS during the renewal process;
- Licensees should review state-specific renewal requirements, as state agencies typically begin publishing details, including deadlines and fees, in September;
- Licensees are encouraged to take advantage of the free, on-demand renewal training resources provided by CSBS to become familiar with the renewal process.
CFPB announces civil money penalty against nonbank, alleges EFTA and CFPA violations
On October 17, the CFPB announced an enforcement action against a nonbank international money transfer provider for alleged deceptive practices and illegal consumer waivers. According to the consent order, the company facilitated remittance transfers through its app that required consumers to sign a “remittance services agreement,” which included a clause protecting the company from liability for negligence over $1,000. The Bureau alleged that such waiver violated the Electronic Fund Transfer Act (EFTA) and its implementing Regulation E, including Subpart B, known as the Remittance Transfer Rule, by (i) requiring consumers sign an improper limited liability clause to waive their rights; (ii) failing to provide contact and cancellation information in disclosures, and other required terms; (iii) failing to provide a timely receipt when payment is made for a transfer; (iv) failing to develop and maintain required policies and procedures for error resolution; (v) failing to investigate and determine whether an error occurred, possibly preventing consumers from receiving refunds or other remedies they were entitled to; and (vi) failing to accurately disclose exchange rates and the date of fund availability. The CFPB further alleged that the company’s representations regarding the speed (“instantly” or “within seconds”) and cost (“with no fees”) of its remittance transfers to consumers were inaccurate and constituted violations of CFPA. The order requires the company to pay a $1.5 million civil money penalty and provide an additional $1.5 in consumer redress. The company must also take measures to ensure future compliance.
FDIC’s crypto risk oversight criticized in OIG report
On October 18, the FDIC Office of Inspector General released a report on the FDIC’s strategies addressing the risks posed by crypto assets. According to the report, the FDIC has started to develop and implement strategies that address crypto risks but has not assessed the significance and potential impact of the risks. Additionally, although the FDIC requested that financial institutions provide information pertaining to their crypto‑related activities, its process for providing supervisory feedback is unclear. Between March 2022 and May 2023, the FDIC sent pause letters to several institutions related to their crypto activities, but it had not provided supervisory feedback to all of those institutions, it did not have an expected timeline for reviewing information and responding to institutions, and its procedures did not describe what constitutes the end of the review process for supervised institutions that received a pause letter.
The OIG report recommends that the FDIC set a timeframe for assessing risks pertaining to related activities and update and clarify the supervisory feedback process related to its review of supervised institutions’ crypto-related activities. The FDIC agreed with both recommendations and plans to complete corrective actions by January 30, 2024.
CFPB proposes rule to accelerate a shift toward open banking
On October 19, the CFPB announced a proposed rule that it said would accelerate a shift toward open banking, would give consumers more control over their financial data, and would offer new protections against companies misusing consumer data. The proposed Personal Financial Data Rights rule activates a dormant provision of law enacted by Congress more than a decade ago, Section 1033 of the Consumer Financial Protection Act. According to the CFPB, the rule would “jumpstart competition” by prohibiting financial institutions from “hoarding” a person’s data and requiring companies to share data with other companies at the consumer’s direction about their use of checking and prepaid accounts, credit cards, and digital wallets. This would allow consumers to access competing products and services while ensuring that their data would be used only for their own preferred purpose. Among other things, the proposed rule would ensure that consumers: (i) can obtain their personal financial data at no cost; (ii) have a legal right to grant third parties access to information associated with their credit card, checking, prepaid, and digital wallet accounts; and (iii) can walk away from bad service. Comments on the proposed rule must be received on or before December 29, 2023.
Fed governor speaks on responsible innovation in money and payments
On October 17, Federal Reserve Board Governor Michelle Bowman provided remarks on innovation in money and payments, including crypto assets, central bank digital currency (CBDC), and the development of instant payments, in which she laid out her vision for “responsible innovation,” which recognizes the important role of private-sector innovation and leverages the U.S. banking system supported by clear prudential supervision and regulation. With respect to CBDC, Bowman said that she has yet to see a compelling argument that CBDC could address frictions within the payment system, promote financial inclusion, or provide the public with access to safe central bank money any more effectively or efficiently than alternatives. She explained that, given that the U.S. has a safe and well-functioning banking system, the potential uses of a U.S. CBDC remain unclear and, at the same time, could introduce significant risks and tradeoffs. Bowman also expressed skepticism over stablecoins, stating that in practice they have been less secure, less stable, and less regulated than traditional forms of money. Finally, Bowman discussed technological innovations in wholesale payments, which are large-value, interbank transactions. Bowman said that the Fed is researching emerging technologies that could enable or be supported by future Fed-operated payment infrastructures, including depository institutions transacting with “tokenized” forms of digital central bank money. Bowman noted that banks and other eligible institutions already hold central bank money as digital balances at the Fed. She also stressed that wholesale payment infrastructures operated by the Fed “underpin domestic and international financial activities” by serving as a “foundation” for payments and the broader financial system. Because these wholesale systems function “safely and efficiently” today, it is necessary to investigate and understand the potential opportunities, risks, and tradeoffs for wholesale payment innovation to support a safe and efficient U.S. payment system.
Find continuing InfoBytes coverage on CBDCs here.
FHFA revises policies for Covid-19 forbearance on GSE mortgages
On October 16, the Federal Housing Finance Agency (FHFA) announced it will revise how Fannie Mae and Freddie Mac (GSE) single-family mortgages are treated for borrowers who have entered Covid-19 forbearance under the GSEs’ representations and warranties framework. Under the revised policies, loans for which borrowers elected Covid-19 forbearance will be treated similarly to loans for which borrowers obtained forbearance due to a natural disaster. The GSEs’ current representations and warranties framework for natural disaster forbearance allows for consideration of the period during which a borrower is in forbearance as part of their demonstrated satisfactory payment history for the initial 36 months after the loan's origination. This framework will now be extended to loans with Covid-19 forbearance. FHFA Director Sandra L. Thompson said, "Servicers went to great lengths to implement forbearance quickly amid a national emergency, and the loans they service should not be subject to greater repurchase risk simply because a borrower was impacted by the pandemic."
The updates will be effective on October 31.