InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB’s Supervisory Highlights targets student loan servicers
On September 29, the CFPB released a special edition of its Supervisory Highlights focusing on recent examination findings related to practices by student loan servicers and schools that directly lend to students. Highlights of the supervisory findings include:
- Transcript withholding. The Bureau found several instances where in-house lenders (i.e., where the schools themselves are the lender) are withholding transcripts as a debt collection practice. According to the Bureau, many post-secondary institutions choose to withhold official transcripts from borrowers as an attempt to collect education-related debts. The Supervisory Highlights states the position that the blanket withholding of transcripts to coerce borrowers into making payments is an “abusive” practice under the Consumer Financial Protection Act.
- Supervision of federal student loan transfers. The Bureau identified certain consumer risks linked to the transfer of nine million borrower account records to different servicers after two student loan servicers ended their contracts with the Department of Education (DOE). The review, which was handled in partnership with the DOE and other state regulators, identified several concerns, such as (i) the information received during the transfer was insufficient to accurately service the loan; (ii) transferee and transferor servicers reported different numbers of total payments that count toward income-driven repayment forgiveness for some borrowers; (iii) information inaccurately stated the borrower’s next due date; (iv) certain accounts were placed into transfer-related forbearances following the transfer, instead of in more advantageous CARES Act forbearances; and (v) multiple servicers experienced significant operational challenges.
- Payment relief programs. The Bureau found occurrences where federal student loan servicers allegedly engaged in unfair acts or practices when they improperly denied a borrower’s application for loan cancellation through Teacher Loan Forgiveness or Public Service Loan Forgiveness. The Bureau claimed that many servicers “illegally misrepresented borrowers’ eligibility dates and the number of payments the borrower needed to make to qualify for relief,” and “provided misinformation about borrowers’ entitlement to progress toward loan forgiveness during the pandemic payment suspension.” The Bureau said it will continue to monitor servicers’ practices to ensure borrowers receive the relief for which they are entitled, and directed servicers to address consumer harm caused by these actions.
The Bureau issued a reminder that it will continue to supervise student loan servicers and lenders within its supervisory jurisdiction regardless of institution type. Student loan servicers, originators, and loan holders are advised to review the supervisory findings and take any necessary measures to ensure their operations address these risks.
Republicans take issue with CFPB agenda
On September 12, several Republican senators sent a letter to CFPB Director Rohit Chopra expressing concerns that the Bureau is again pursuing “a radical and highly-politicized agenda unbounded by statutory limits.” In particular, the letter took issue with recent Bureau reports on the use of overdraft fees (covered by InfoBytes here and here), calling the agency’s actions a “relentless smear campaign” against banks. “Charging fees that customers chose to pay should not be disturbing or illegal, and yet, the CFPB appears to have developed a particular disdain for banks charging their customers for services, pejoratively calling overdraft protection ‘junk fees,’” the letter stated. Additionally, the letter claimed that the Bureau is changing its rules in order to publish previously confidential information about financial institutions to make it easier to threaten them with reputational harm (covered by InfoBytes here), without affording the financial institution the similar ability to, for example, disclose the existence of a CFPB examination. Among other things, the new procedural rule establishes a disclosure mechanism intended to increase transparency of the Bureau’s risk-determination process that will exempt final decisions and orders by the CFPB director from being considered confidential supervisory information, allowing the Bureau to publish the decisions on their website. According to the senators, the rule requires nonbanks to keep confidential information relating to a decision issued by the Bureau, including facts that could question the decision or raise procedural concerns. “The one-sided nature of the CFPB’s rule change gives the agency the ability to publicly tarnish an institution’s name without affording the firm the power to defend itself,” the letter said. The letter also decries a recent change to the agency’s rules of adjudication to make it more difficult for companies to defend themselves against novel enforcement theories by bypassing an administrative law judge and permitting the director to rule directly on the validity of the legal basis for the enforcement action.
FDIC updates risk management, consumer compliance examination policies
Recently, the FDIC updated Section 2.1 of its Risk Management Manual of Examination Policies related to capital. The FDIC noted that since capital adequacy assessments are central to the supervisory process, examination staff “evaluate all aspects of a financial institution’s risk profile and activities to determine whether its capital levels are appropriate and in compliance with minimum regulatory requirements.” This includes examining a financial institution’s capital ratios, risk-weighted assets, regulatory capital requirements, community bank leverage ratios, capital adequacy (including liquidity, earnings, and market risk), and adherence to laws and regulations. The FDIC also announced updates to the Privacy—Telephone Consumer Protection Act section within its Consumer Compliance Examination Manual (CEM). The CEM includes supervisory policies and examination procedures for FDIC examination staff evaluating financial institutions’ compliance with federal consumer protection laws and regulations.
CSBS releases nonbank cybersecurity examination tools
On August 9, the Conference of State Bank Supervisors (CSBS) released two new tools used by state examiners to assess nonbank financial services companies’ cyber preparedness. Developed by a multi-state team of cybersecurity examination experts, the Baseline Nonbank Cybersecurity Exam Program and the Enhanced Nonbank Cybersecurity Exam Program provide nonbanks the opportunity to improve their cybersecurity posture and better prepare for cybersecurity exams conducted by state examiners. The “Baseline” program is geared toward exams of “smaller, noncomplex, low-risk institutions,” and “is targeted for use by examiners with or without specialized IT and cybersecurity knowledge.” The “Enhanced” program includes all of the Baseline procedures as well as additional procedures to provide a “more in-depth review for larger, more complex institutions or for those where concerns are raised during exams.” The program is intended for use by examiners with specialized IT and cybersecurity knowledge.
“Supervisory clarity is essential to increasing industry awareness and making our financial system more resilient to cyber-attacks,” CSBS Senior Vice President of Nonbank Supervision Chuck Cross said in the announcement. “The Nonbank Cybersecurity Exam Procedures released today provide nonbank institutions additional optional tools to guard against cyber-attacks, data breaches or lapses in management oversight in this crucial area.”
CSBS announced that it intends to provide additional tools tailored to the needs of smaller nonbank financial institutions in the coming months.
Special Alert: NYDFS fines trading platform for BSA/AML, transaction monitoring, and cybersecurity lapses
The New York Department of Financial Services and a trading platform on Aug. 1 entered into a consent order to resolve deficiencies identified during a 2019 examination and a subsequent investigation by the department’s enforcement section. The consent order focused on deficiencies related to Bank Secrecy Act and anti-money-laundering compliance, transaction monitoring, cybersecurity, and related New York certifications of compliance. The company will pay a $30 million civil monetary penalty and retain an independent consultant that will assist with remediating the issues highlighted in the order and report to NYDFS on remediation progress.
The consent order has far-reaching implications for all financial services companies that come under the jurisdiction of the NYDFS.
The trading platform is a wholly owned subsidiary of a financial services company that offers U.S.-based retail investors the ability to trade stocks, options, and crypto currency on a commission-free basis through its broker-dealer subsidiary. The trading platform is licensed by the NYDFS to engage in virtual currency and money transmitter businesses in New York. Of primary concern for the NYDFS was the platform’s alleged reliance on its parent company’s compliance and cybersecurity programs through enterprisewide systems that the NYDFS found to be inadequate. Additionally, according to NYDFS, the platform allegedly had few to no qualified personnel or management involved in overseeing those programs, which NYDFS has implicitly indicated cannot be outsourced.
Fed discusses cybersecurity risk management and emerging threats
On July 7, the Federal Reserve Board published its 2022 Cybersecurity and Financial System Resilience Report. Issued pursuant to the Consolidated Appropriations Act, the Fed’s report described measures it has taken to strengthen cybersecurity in the financial services sector. The report identified cybersecurity as a high priority for the Federal Reserve System and Board-supervised institutions and recognized the increasing and evolving nature of cybersecurity threats to the financial system. It delivered an overview of the Fed’s supervisory policies and procedures, which, among other things, require supervised institutions to implement internal controls and information systems appropriate to the size of the institution and to the nature, scope, and risk of its activities. The report explained that examiners’ cybersecurity evaluations consider “the business model and activities conducted by supervised institutions as part of a principles-based supervision program.” According to the Fed, an examination’s scope “is set as part of a multiyear supervisory plan that considers key cybersecurity risks, the industry landscape, and other factors such as emerging technologies.” The Fed explained that as part of these evaluations, “examiners consider business-line controls, risk-management practices, assurance functions, and governance activities performed by the firm’s senior management and board of directors.”
The report also outlined intergovernmental, international, and public and private sector coordination activities, and included a list of recent actions taken by the Fed and other agencies to promote cybersecurity. Additionally, the report discussed current or emerging threats to financial institutions’ ability to operate and protect customer data, including ransomware, sophisticated distributed denial of service threats, increasing geopolitical tensions, and attacks to supply chains or third parties. Other emerging technology-related cybersecurity threats are also discussed including “[p]otential cybersecurity vulnerabilities in fintech applications,” such as cryptocurrency exchanges, banking applications, and other platforms that provide “threat actors an opportunity to steal funds or data by compromising victims’ computer systems or technology infrastructure used to interact with the products or services.”
Halperin discusses invoking UDAAP under CFPA
On June 29, the American University Washington College of Law held a symposium centered in part around the CFPB’s new approach for examining institutions for unfair conduct. During the CFPB’s New Approach to Discrimination: Invoking UDAAP symposium, CFPB Assistant Director for the Office of Enforcement Eric Halperin answered questions related to updates recently made to the Bureau’s Unfair, Deceptive, or Abusive Acts or Practices Examination Manual. These updates detail the agency’s view that its broad authority under UDAAP allows it to address discriminatory conduct in the offering of any financial product or service as an unfair act or practice. (Covered by a Buckley Special Alert here.) The Bureau published a separate blog post by its enforcement and supervision heads explaining that they were “cracking down on discrimination in the financial sector,” and that the new procedures would guide examiners to look “beyond discrimination directly connected to fair lending laws” and “to review any policies or practices that exclude individuals from products and services, or offer products or services with different terms, in an unfairly discriminatory manner.”
Assistant Director Halperin’s remarks were followed by a discussion of the Bureau’s revisions to its Examination Manual by a panel that consisted of David Silberman of the Center for Responsible Lending, Kitty Ryan of the American Bankers Association, and John Coleman of Buckley LLP, which was moderated by Jerry Buckley. Topics covered included a June 28 letter that trade associations sent to the CFPB urging recission of revisions to the Examination Manual.
In his interview with American University Law School Professor V. Gerard Comizio, Halperin stated that the CFPB’s Examination Manual updates provide guidance on how examiners will implement the Bureau’s statutory authority to examine whether an act or practice is unfair because it may cause or is likely to cause substantial injury to consumers that is not reasonably avoidable and not outweighed by countervailing benefits to consumers or competition. He stressed that the update does not create a new legal standard under the three prongs of the unfairness standard. Halperin also discussed how the Bureau’s UDAAP authority interacts with laws enacted specifically to prevent discriminatory conduct such as ECOA and the Fair Housing Act, and touched on steps institutions should consider taking to ensure compliance. Notably, when asked whether the Bureau intends to pursue disparate impact claims under the CFPA, Halperin stated that disparate impact, along with disparate treatment, are wholly distinct concepts from Dodd-Frank’s prohibition on unfair acts and practices. He added that in assessing an unfair act and practice, the key is to examine the substantial injury prong and then assess the reasonable avoidability and the countervailing benefits prongs. He further explained that the unfairness test does not contain an intentional standard and noted that there have been cases brought by both the FTC and the Bureau where there was injurious conduct that was not intentional or specifically known to the party engaging in this practice. According to Halperin, substantial injury alone is not sufficient to prove unfairness and using disparate impact as the mechanism of proof is not what the Bureau uses to prove an unfairness claim.
Halperin reiterated that the CFPB Examination Manual is designed to provide transparency to financial institutions about the types of issues that examiners will be inquiring about in furtherance of determining whether there has been an unfair act or practice under the current framework, and does not extend or create new law. In terms of practical compliance implications, Halperin said most financial institutions should already have robust UDAAP compliance systems in place and should already be looking for potential unfair acts or practices and examining patterns and group characteristics to identify the root cause of any issues, and to avoid substantial injury to consumers. With respect to a white paper recently sent to CFPB Director Rohit Chopra from several industry groups and the U.S Chamber of Commerce urging the Bureau to rescind the UDAAP exam manual (covered by InfoBytes here), Halperin commented that he has not had time to fully digest the white paper in detail but hoped that some of what was discussed during the symposium, particularly on the legal principles that will be used both in the exam manual and in any supervision and enforcement actions, clarifies that the Bureau is looking for conduct that violates the unfairness test.
Industry groups urge CFPB to rescind UDAAP anti-discrimination policy
On June 28, industry groups and the U.S Chamber of Commerce (collectively, “groups”) released a White Paper, Unfairness and Discrimination: Examining the CFPB’s Conflation of Distinct Statutory Concepts, urging the CFPB to rescind the recently released unfair, deceptive and abusive acts or practices (UDAAP) examination manual. As previously covered by a Buckley Special Alert, in March, the CFPB announced significant revisions to its UDAAP exam manual, in particular highlighting the CFPB’s view that its broad authority under UDAAP allows it to address discriminatory conduct in the offering of any financial product or service. The White Paper, among other things, explained the groups’ position that the Bureau’s UDAAP authority cannot be used to extend the fair lending laws beyond the limits of existing statutory law. The White Paper stated that the Bureau “conflated” concepts of “unfairness” and “discrimination” “by announcing, via a UDAAP exam manual ‘update,’ that it would examine financial institutions for alleged discriminatory conduct that it deemed to be ‘unfair’ under its UDAAP authority.” The groups stated that the agency has “taken the law into its own hand” arguing that “the Bureau did not follow Administrative Procedure Act requirements for notice-and-comment rulemaking.” The groups said the change in the examination manual is “contrary to law and subject to legal challenge” as well as legislative repeal under the Congressional Review Act. Additionally, the groups argued that the Bureau’s interpretation exceeds the agency’s statutory authority, and that the Bureau’s “action should be held unlawful and set aside.” The groups further stated that “[c]hanges that alter the legal duties of so many are the proper province of Congress, not of independent regulatory agencies, and the CFPB cannot ignore the requirements of the Administrative Procedures Act and Congressional Review Act. The CFPB may well wish to fill gaps it perceives in federal antidiscrimination law. But Congress has simply not authorized the CFPB to fill those gaps.”
In a letter sent to CFPB Director Rohit Chopra, the groups conveyed that Congress did not intend for the Bureau to “fill gaps” between the clearly articulated boundaries of antidiscrimination statutes with its UDAAP authority. The groups urged Director Chopra to rescind the exam manual update and stated that “[s]hould [he] believe additional authority is necessary to address alleged discriminatory conduct, we stand ready to work with Congress and the CFPB to explore that possibility and to ensure the just administration of the law.
FDIC updates Consumer Compliance Examination Manual’s UDAAP provisions
On June 17, the FDIC announced updates to its Consumer Compliance Examination Manual (CEM). The CEM includes supervisory policies and examination procedures for FDIC examination staff when evaluating financial institutions’ compliance with federal consumer protection laws and regulations. The June update modifies Section VII Unfair, Deceptive, or Abusive Acts or Practices to reflect the FDIC’s existing supervisory authority regarding UDAP and UDAAP under Section 5 of the FTC Act, and Sections 1031 and 1036 of the Dodd-Frank Act, respectively. Among other updates, the new Section VII changes language related to the Equal Credit Opportunity Act and Fair Housing Act to add a reference to Dodd-Frank UDAAP provisions. The updated section provides the following:
ECOA prohibits discrimination in any aspect of a credit transaction against persons on the basis of race, color, religion, national origin, sex, marital status, age (provided the applicant has the capacity to contract), the fact that an applicant’s income derives from any public assistance program, and the fact that the applicant has in good faith exercised any right under the Consumer Credit Protection Act. The FHA prohibits creditors involved in residential real estate transactions from discriminating against any person on the basis of race, color, religion, sex, handicap, familial status, or national origin. FTC UDAPs and Dodd-Frank UDAAPs that target or have a disparate impact on consumers in one of these prohibited basis groups may violate the ECOA or the FHA, as well as the FTC Act or the Dodd-Frank Act. Moreover, some state and local laws address discrimination against additional protected classes, e.g., handicap in non-housing transactions, or sexual orientation. Such conduct may also violate the FTC Act or the Dodd-Frank Act.
With respect to the legal standards for “unfair” and “deceptive” under the FTC Act and Dodd-Frank, Section VII notes that these standards are “substantially similar.”
CFPB exposes private loan servicers’ unfair practices
On May 5, the CFPB discussed examination findings related to private student loan servicers’ alleged failure to follow through with promised loan offers or modifications. The Bureau directed servicers found to have breached their commitments to make “significant remediation amounts” for failing to make promised payments to customers. The Bureau found some servicers offered financial incentives to recruit new customers, but then failed to make the promised payments. In certain instances, servicers’ systems failed to identify customers who earned incentives, and in others, payments were denied based on terms that were not included in the original deal, the Bureau claimed. The Bureau also found that while many servicers offered payment relief options to pause or reduce payments to customers impacted by the Covid-19 pandemic, at least one servicer failed to deliver promised refunds to customers who modified their agreements to allow them to backdate forbearance after making a payment. The Bureau documented two examples of servicers committing unfair acts or practices in this space in its recent spring Supervisory Highlights (covered by InfoBytes here) and warned servicers that it is “closely monitoring” companies that break the law.