Saturday, May 25, 2024

March 2012 Legal Briefs

• Overdrafts and UDAP
• MLO Compensation Issues
• FDIC Helps with Understanding Cards
• Mortgage Fraud Update
• SAR Confidentiality
• Playing with your Regulatory Numbers
• Deposit Insurance Coverage Training
• Payment Processor Relationships
 

By Andy Zavoina

Overdrafts and UDAP

Overdraft programs have been in the news a lot lately.  One facet of overdraft programs that has been discussed has been FDIC enforcement actions against banks under UDAP. Banks without formal overdraft programs covering card transactions solicited opt-ins from consumers under under Reg E (12 CFR 1005.17 and model form A-9) and some customers agreed. The problem is that, without a formal card transaction overdraft program, opt-in customers could be charged OD fees for ATM and POS transactions that the bank is forced to pay, and opt-out customers would not be. The overdrafts are paid in both cases so there is no benefit to those paying the NSF fees.

The FDIC has maintained this is a deceptive practice even with use of the model form, partly because the disclosures provided failed to explain the banks’ "no pay" policy or the "forced-pay" nature of ATM and one-time debit card transactions.  Banks which were being cited were required to refund applicable NSF fees back to July 1, 2010.
Various groups representing the banking industry met with officials from the FRB, OCC, CFPB and the FDIC.  The FDIC was the only agency wielding the UDAP cudgel, and the other agencies showed no sign of agreement with the FDIC’s position.  The FDIC has changed its stance but we don’t know if this will soften actions already taken against some banks. Going forward, the FDIC will require those banks without a formal overdraft program to stop charging NSF fees on ATM and POS overdrafts (voiding the opt-ins they obtained) or face UDAP citations in their exam reports. Banks who discontinue charging fees on a going-forward basis will be encouraged to refund fees back to July 1, 2010, but will not be required to do so.  This new position means the FDIC will not seek restitution, but it does plan to warn affected banks to consider the reputational and litigation risks before deciding not to make reimbursement. The FDIC has stated it currently has no plans to publish its interpretation of the Reg E or UDAP requirements as they pertain to overdraft services.

Although a key element in the FDIC’s stance is the failure to explain a bank’s "no pay" policy or the "forced-pay" nature of affected card transactions in the §1005.17 disclosures, we think it would be a mistake for a bank to infer that adding that information to the disclosure will guarantee a "pass" from the FDIC.

Related to this topic, the CFPB has published a request for information on overdraft programs.  In an email to users of the CFPB’s website, they asked about checking account overdrafts saying “we want to know more about how well consumers like you understand these practices.” The original request was for consumers to post feedback on Facebook and Twitter. Many bankers voiced objections on bank forums because this methodology will pull more disgruntled comments than well thought out ones.  The philosophy is that the person who is unhappy will complain to ten people while the satisfied person will promote it to only one. The response base is also limited and there is anonymity to hide behind. Fortunately, a week later a more formal request was posted in the Federal Register, http://www.bankersonline.com/topstory/77fedreg/77FR12031.pdf

This request is a series of a dozen questions on the cost of overdrafts, alerts available to the consumer, opt-in rates, operating policies of banks, the economics and long term impact of having overdrafts. Unlike social networking sites, this request has more accountability and should result in fewer flippant comments. Banks are encouraged to submit comments and your bank should seriously consider making its voice heard on this issue. Comments are due by April 30, 2012.

MLO compensation Issues

Another updated hot topic this month deals with Mortgage Loan Officers and compensation issues. In the new Reg Z § 1026.36 – Prohibited acts or practices in connection with credit secured by a dwelling. This section now contains a prohibition relating to certain practices where payments are made to compensate mortgage brokers and other loan originators. The goal of the amendments is to protect consumers in the mortgage market from unfair practices involving compensation paid to loan originators. Three prohibitions relating to MLO compensation include steering a consumer to a transaction because the MLO can receive greater compensation, being compensated more than once on the transaction and being paid compensation based on the loans terms or conditions.

Two key definitions deal with who is an MLO, and what is included in “compensation?” A person who for compensation or other monetary gain, or in expectation of compensation or other monetary gain, arranges, negotiates, or otherwise obtains an extension of credit for another person is an MLO.  And compensation includes salary, commissions, "Processing fees" assessed by loan originator, and any financial or similar incentive which include an annual or other periodic bonus or an award of merchandise, services, trips, or similar prizes.

A timely problem many banks are having right now is that under the bank adopted Employee Retirement Income Security Act of 1974 (ERISA) plan, designated employees participate in an annual bonus program which is in part, based on the bank’s profitability. That profitability is in part based on the income from the mortgage loans and the terms and conditions of those loans. As a point of order remember the definition of an MLO and ask yourself who in your bank makes these applicable mortgage loans to bank officers and directors? Likely it is the president and or CEO. That means they too will have issues collecting a bonus based on profitability. A decision may be required then to violate Reg Z or ERISA.

The FDIC rescheduled a webcast on this topic from last December to February. In the interim the CFPB published their version of Reg Z in the Federal Register on December 22, 2011, effective December 30, 2011. There is a correction in this new version which states:

The Board’s existing comment 36(a) – 4 contains a typographical error that inadvertently misstates the test for whether a person is a loan originator subject to the rules governing compensation paid to loan originators. Under existing § 226.36(a)(1), a loan originator is defined as a person who, for compensation or other monetary gain, or in expectation of compensation or other monetary gain, arranges, negotiates, or otherwise obtains an extension of consumer credit for another person. Thus, the test essentially has two components, both of which must be present for a person to be a loan originator: (i) compensation or monetary gain; and (ii) the arranging, negotiating, or otherwise obtaining of consumer credit.

The comment discusses this test in the context of managers and administrative staff, who generally are not loan originators under the definition, but it frames the discussion in the negative. The comment provides that such persons are not loan originators if they do not arrange, negotiate, or otherwise obtain an extension of credit for a consumer, and their compensation is not based on whether any particular loan is originated. Thus, as written, the comment could be read to require that, to be excluded from coverage as loan originators, managers and administrative staff must both not arrange extensions of consumer credit and not receive compensation that depends on a particular loan being originated. Such a reading would be contrary to the definition in the regulation, which covers a person only if both components are present. For this reason, the Bureau’s comment 36(a)–4 reads ‘‘or’’ where the Board’s existing comment reads ‘‘and,’’ thus ensuring that the comment is consistent with the regulatory provision.
Therefore, clerical staff and managers who do not take applications or otherwise arrange, negotiate, or obtain an extension of credit for a consumer may be paid a bonus or other compensation for referrals to lenders without being subject to the compensation restrictions of §1026.36.

Page 80012 of that Federal Register (Vol. 76, no 246) clarifies these positions by stating:

4. Managers and administrative staff. For purposes of § 1026.36, managers, administrative staff, and similar individuals who are employed by a creditor or loan originator but do not arrange, negotiate, or otherwise obtain an extension of credit for a consumer, or whose compensation is not based on whether any particular loan is originated, are not loan originators.
Compensation which is not based on terms and conditions includes:
• Compensating on overall loan volume
• Compensating on tiers of overall loan volume
• Compensation based on long-term loan performance
• Overall loan volume
• Long-term performance
• Hourly rate
• Existing customer or a new customer
• Fixed payment for each loan
• Percentage of applications that resulted in consummated transactions
• Quality of loan files
• Legitimate business expense such as fixed overhead costs
• Based on amount of credit extended, if a fixed amount.

Here are some bullet points from the FDIC presentation:
1. If compensation comes from the consumer, then it can be based on the terms of the loan. However, the MLO cannot be compensated by both the consumer and the bank.

2. If compensation comes from the bank it cannot be directly or indirectly based on a loan or portfolio of loans terms and conditions. Terms and conditions includes the:
a. Interest rate
b. APR
c. Loan-to-value ratio
d. Existence of a prepayment penalty
e. A proxy for terms and conditions (such as the consumer’s debt-to-income ratio as it is not one of the transaction’s terms or conditions, but if compensation varies in whole or in part based on this, then these serve as a proxy for loan terms or conditions on which MLO compensation is based.)

3. Compensation to MLOs based upon profit or profitability is not permitted because profit is impacted by a loan’s terms and conditions. It was suggested that if an employee benefit plan includes payments based upon profitability, the bank should consult an attorney about modifying the benefit plan to ensure compliance with Reg Z MLO requirements. MLO bonuses can be based upon overall profit, if the profit contribution from mortgage-related activity can be removed from the calculation. This ties to the ERISA comments, above. Some listed examples of compensation (or a proxy for it) which are generally prohibited include:
• Profit Sharing
• Bonuses Based on Profits
• 401 K Contributions Based on Profits (other 401 K contributions may be permissible)
• Income Goal
• ESOP Plan
• Retirement Plan Contributions Based on Profits

4. There was no clarification for the terms “arranges,” “negotiates,” or “otherwise obtains” as part of the definition of MLO. However, the CFPB correction in Reg Z noted above does help define who may be exempt.

5. Does the president or teller referring an applicant to a MLO meet the definition of “MLO?” Straight referrals that do not include negotiating or arranging would not meet the definition and would not exclude these employees from year-end bonus based upon profit. But documentation of the “referral” activity is going to be the key here. The bank will need to be able to demonstrate that the employee simply provided a contact for a MLO to the customer and did not take any additional action in the process for any covered loans. 

6. Compensation variation based upon the census tract of a property cannot be used.

7. Can the bank lower compensation when the MLO lowers fees/rates in order to meet competition? No. That would mean compensation is based upon the terms of the loan – even though it’s to the customer’s benefit. The fear here is that the bank would establish artificially higher rates and fees that could be reduced as necessary on a case-by-case basis. Also, if your MLO has an error and there are refundable fees, the bank may be prohibited from collecting all or a part of these as that is related to the terms and conditions of the loan.

8. Can a bank pay greater compensation for “CRA” loans? No. However, if the compensation is based upon the time and costs to originate, that factor can be built into the compensation program.

9. Can compensation for various MLOs differ? Yes. Each MLO can be compensated at the bank’s discretion, as long as the compensation is not based on terms and conditions of the loan.

10. Can compensation for portfolio loans be different than compensation for loans to be sold? Yes, as long as the difference is not based upon the “value” of the loan (e.g. fees collected, rate spread, etc.).

11. Can compensation for credit insurance features be included in the MLO compensation? Yes, but it cannot be based upon terms and conditions of the loan. Other issues still apply such as and compensation restrictions, and Reg Z “voluntary vs. mandatory” considerations.

12. Do secondary market transactions impact MLO compensation? No. True secondary market transactions are not covered by the MLO compensation rule.
There may be other discrepancies here based on the definitions. In the section addressing servicing practices (§ 1026.36(c)) refer to a consumer’s “principal dwelling,” while the Prohibited Payments section (d) uses the term “dwelling.” Do not assume these rules apply only to principal dwelling loans. These rules are new and we are just now entering the first period in which annual bonuses will be paid. Stay tuned.
 

By Mary Beth Guard

FDIC helps with understanding cards

To help celebrate National Consumer Protection Week, the FDIC issued a Quick Guide to help consumers understand the differences between credit cards, debit cards, and prepaid cards.    The Quick Guide describes how each type of card works, explains liability for unauthorized transactions, and spells out what the customer will receive, in terms of disclosures, periodic statements, and changes in terms.  As the use of noncash forms of payment continue to increase, it is important for customers to understand how their rights and responsibilities differ, depending upon the type of card.

While the Guide was written for consumers, it would also be useful for bank employees to provide a big picture view in plain English.

Mortgage fraud update

FinCEN issued its report on mortgage loan fraud-related Suspicious Activity Reports from the Third Quarter 2011.  The numbers are up again, but it is a relief to note that Oklahoma was not among the top 20 states reporting suspicious activity of this type.  Nonetheless, you should make sure your employees can spot it if it does occur. 

Here are some of the notable activities reported:
• Borrower attempted to prove hardship to qualify for a loan modification on the grounds that she couldn’t really afford her payments because she had misrepresented her income on her original loan!  (Oh, yeah.  That qualifies her for customer of the year.)• Borrowers falsely claimed ID theft, including claims of forgery or elder exploitation.   (Next, they’ll claim “The Devil made me do it.”)

• There were a few fraudulent claims under the Servicemembers Civil Relief Act (SCRA), where applicants submitted fraudulent claims and documents, despite never having been in the military.   (Don’t you think they should get to enjoy a week in Afghanistan for this kind of fraud?  It would make them understand why servicemembers are entitled to those protections.

Then there were the false home inspections that indicated allegedly defective drywall manufactured in China.   What was the goal?  To deflate the home’s value and enable a fraudulent short sale.  In at least one case, the SAR detailed a suspicion that several parties colluded in a lease-to-buy foreclosure bailout scam, including a recently licensed mold and drywall home inspector, a drywall contractor, and buyer and seller.  (Makes you hope there’s a little of that toxic drywall in whatever cell they get sent to.)
 

SAR confidentiality

FinCEN regulations used to say you could not notify “any person involved in the transaction” that a Suspicious Activity Report has been filed.  The wording was changed in 2011, so that Section 1020.320(3)(e)(1)(i) now states:
“No bank, and no director, officer or employee or agent of any bank, shall disclose a SAR or any information that would disclose the existence of a SAR.”  The new wording substantially tightens up the restrictions on disclosure.

FinCEN is concerned that there are still some loose lips out there, so they recently issued FIN-2012-A002 to remind internal and external counsel of financial institutions of the obligation to maintain the confidentiality of SARs.

Apparently, what has sparked the issuance is the increase in requests from private parties for SARs for use in civil litigation and other matters.  The last thing a bank attorney should be saying in response to such requests is “We can’t give you a copy of that.”  Why?  Because that lets the cat out of the bag and confirms the belief there was a SAR filed.

Repeat after me:  “Under federal law, we are never allowed to divulge whether a SAR has been filed.” 

Reinforce to all your employees and agents and individuals who are entrusted with SAR information the obligation to maintain confidentiality.  Not only does the obligation extent to the SAR itself, but also to information that would reveal the existence – or even the NON-existence – of the SAR.

If you haven’t been stressing the duty of confidentiality in your training, you need to do so.  Plus, you should be limiting access on a “need-to-know” basis, allowing SARs to be reviewed only in restricted areas, keeping a log of who has accessed a SAR, applying cover sheets to the SARs to inhibit even casual glimpses.

The issuance details the serious penalties that can result to the individual and/or the institution for unauthorized disclosures.  Trust me, you don’t want to risk getting personal with them.

Playing with your regulatory numbers

The Consumer Financial Protection Bureau has moved expeditiously to republish the various regulations that now fall within its jurisdiction.  As it does so, the old citations to the Federal Reserve Regulations that you know by heart are being changed.  The Federal Reserve’s Regulations are within the 200+ series of 12 CFR.  There are still a few that the FRB will continue to be responsible for, such as Regulation O.  Most of the consumer protection regulations, however, are not under the CFPB and will be found in the 1000 series of 12 CFR.

Fortunately, most of the final digits remain the same.  For example, instead of Reg Z being found at 12 CFR Part 226, it now lives at 12 CFR 1026.  Rather than Reg E being 12 CFR Part 205, it is 12 CFR Part 1005.

So, what does that mean to you?  A change in the way you cite to the various regulatory requirements and prohibitions.  Whether you’re doing documentation exceptions on a loan, completing an internal audit, or doing a memo to staff, you need to get with the program and ensure your citations are accurate and up to date for Regs B, C, E, G, M, P, (parts of) V, Z, and DD.

Also, if your policies and procedures reflect the “old” citations, they’ll need to be updated as well.  That may be a huge project.  If so, don’t stress.  As an interim measure, you may want to simply have your board adopt a resolution stating that the board intends for any citation to any rule that is now outdated by virtue of the CFPB’s takeover to be read as the new citation.  Then, amend the actual policies and procedures as you have an opportunity to do so.

Deposit insurance coverage training

No, in case you’re wondering, the FDIC never did finalize its rule that would have mandated training on deposit insurance coverage.   Nonetheless, such training is important and the FDIC is moving full steam ahead to ensure bank employees and officers know what they need to know about the coverage rules.  It has scheduled 15 free telephone seminars on the subject, going up all the way to December 6, 2012.  Three of the sessions will focus specifically on the rules for revocable trusts coverage for formal revocable trust accountholders whose trust deposits at one bank exceed $1,250,000.  Make sure your institution participates in both presentations.

Payment processor relationships

The FDIC recently issued FIL3-2012 to provide revised guidance on financial institution relationships with third-party payment processors.  These types of entities have even gotten banks into trouble under the Bank Secrecy Act as the bank failed to detect and report suspicious activity.  We asked one of our OCU law externs, Zachary Gregory, to summarize the guidance for you.  His analysis is below.

Certain payment processors have a heightened risk of fraud or illegal conduct. Examples of  those are: telemarketing, online businesses, credit repair services, debt consolidation and forgiveness programs, online gambling-related operations, government grant or will-writing kits, payday or subprime loans, pornography, online tobacco or firearms sales, pharmaceutical sales, sweepstakes, and magazine subscriptions.

In order to adequately protect themselves from becoming involved in possible illegal activities financial institutions should ensure that their contractual agreements with these payment processors provide them with access to necessary information.  The contracts should also protect the financial institutions by providing for immediate account closure, contract termination, or similar action, as well as establishing adequate reserve requirements to cover anticipated charge backs. The FDIC expects financial institutions to perform due diligence and adequately oversee all transactions, even third-party processors.

Potential risks arising from payment processor relationships

Deposit relationships with payment processors expose financial institutions to risks not customarily present in relationships with other commercial customers. Financial institutions that fail to adequately manage these relationships may be viewed as facilitating a payment processor’s or merchant client’s fraudulent or unlawful activity and, thus, may be liable for such acts or practices. The financial institution may be liable for aiding and abetting consumer unfairness or deception under section 5 of the FTCA. Under Section 8 of the Federal Deposit Insurance Act, the FDIC has authority to enforce the prohibitions against Unfair or Deceptive Acts or Practices (UDAP) in the Federal Trade Commission Act. UDAP violations can result in unsatisfactory Community Reinvestment Act ratings, compliance rating downgrades, restitution to consumers, and the pursuit of civil money penalties.

These types of processor relationships can be discovered by an increase in consumer complaints and the financial institution should be alert to any processor who has a high number of complaints or an increase in the amount of returns or charge backs. 

Risk mitigation

When a financial institution is alerted to a possible consumer harm involving fraud the appropriate actions include filing a Suspicious Activity Report (SAR) requiring the payment processor to cease processing for a specific merchant, freezing certain deposit account balances to cover anticipated charge backs, and/or terminating the financial institution’s relationship with the payment processor. Generally, the financial institution, when dealing with such processors, should engage in enhanced due diligence.

Due diligence and underwriting

The financial institution should be very clear in its policies and procedures when maintaining relationships with payment processors. For instance, the policies should explain the thresholds for unauthorized returns and the possible actions that may be levied against them. Within these policies and procedures the financial institution should develop a processor approval program that is more extensive than just credit risk management. The program should include a background check of the payment processor, its principal owners, and its merchant clients. The risk will be significantly elevated if the processor plans on processing payments from other payment processors, as nested payment processors are much harder to monitor.

Controls and due diligence requirements should be robust for payment processors and their merchant clients. At a minimum, the policies and procedures should authenticate the processor’s business operations and assess the entity’s risk level. An assessment should include: 
 • Identifying the major lines of business and volume for the processor’s customers;
 • Reviewing the processor’s policies, procedures, and processes to determine the adequacy of due diligence standards for new merchants;
 • Reviewing corporate documentation, including independent reporting services and, if  applicable, documentation on principal owners;
 • Reviewing the processor’s promotional materials, including its Web site, to determine the target clientele;
 • Determining if the processor re-sells its services to a third party that may be referred to as an agent or provider of “Independent Sales Organization opportunities” or a “gateway arrangement”5 and whether due diligence procedures applied to those entities are sufficient;
 • Visiting the processor’s business operations center;
 • Reviewing appropriate databases to ensure that the processor and its principal owners and operators have not been subject to law enforcement actions; and,
 • Determining whether any conflicts of interest exist between management and insiders of the financial institution. 

Ongoing monitoring

The financial institution must have a plan for ongoing monitoring of payment processors. Institutions should be aware of complaints and high rates of returns. Also they should have a formalized process for periodically auditing the third-party payment processors.

BSA e-filing

It’s official.  FinCEN has published its notice mandating the e-filing of most BSA reports, effective July 1, 2012.  If you’re not e-filing, the good news is that those who do say it is easier and has many benefits – including virtually instant feedback about errors.  The new SAR and CTR forms can be used as of that time, but their use doesn’t become mandatory until March 31, 2013.

Get on the test site to play around with the current version of the new SAR and CTR (there may be some changes between now and March 31st of next year, or at least that’s what we suspect).   What you’re going to see with the new forms is that they are moderately different, but it’s going to be crucial to read the instructions because there are some fields that would be easy to screw up.

The new forms are filled out in different sequence and they ask for more information, but they aren’t substantially different and don’t ask new questions.

What’s he up to?

At a recent BankersOnline AML/BSA conference, Maurice Clark, former head of the IRS SAR Review teams in Washington, D.C., inspired the crowd by recounting tales of investigations and successful prosecutions spawned by Suspicious Activity Reports.  Often, banks worry that their work is in vain and that the filings are merely going into a governmental black hole somewhere.  Other times, a report is filed when the activity is suspicious, but there’s a lot of head scratching going on trying to figure out what the customer might be involved in.  Folks from the SAR Review teams can attest to the fact that your reports truly make a difference and can lead to arrests that never would have occurred without those filings.

Maurice’s summaries were all interesting, but there was one I am not likely to ever forget.  I want to share it with you.

A bank’s customer deposited $9800 checks, one at a time over a period of several days, each one for the same dollar amount. It looked like an obvious case of structuring.  The customer was being quite careful to avoid the Currency Transaction Report filing threshold, so the deposits warranted a closer look.

Upon further inspection, the bank discovered that the checks were all written to the customer by a particular precious metals dealer.  Hmmmmmm.  And they were all dated the same date.  Hmmmmmm.  And they had consecutive check numbers.  Hmmmmm. It was enough to prompt a visit to the precious metals guy.

“Why were you writing checks to this man?” they asked.  “And why did you break what you were paying him into separate increments of $9800?”
“Well, he sold me a large amount of gold jewelry.  I owed him a bundle.  He asked if I would mind writing the checks this way, and I didn’t care.  It all totaled up the same,” replied the dealer.

Further questioning didn’t elicit any additional information, but the feds had enough to get a warrant to search the depositor’s residence to get answers to the questions:  “What’s he up to?”  “Where’d he get the jewelry he was selling?”

A search of the premises turned up much more jewelry and the investigators were able to identify it as being stolen in recent jewelry store heists.  As it turned out, the fellow was a master burglar, responsible for an entire string of unsolved jewelry store burglaries.  He had honed his techniques well and had escaped detection by never leaving clues behind.  He cut through the roofs of places selling beautiful, shiny baubles, lowered himself down by a rope, cut off the side of each safe, and plundered the contents inside, carefully picking and choosing what he wanted to take and vanishing without a trace.

This master burglar had managed to disarm each store’s security system with ease.  His mask and clothing concealed his identity from even the most secret surveillance cameras.  His gloves prevented him from leaving even a single fingerprint behind.  All those burglaries and not a single suspect.  Ever.  They were perfect crimes . . . until it came to dealing with the ill-gotten gains from his felonious pursuits.  That’s where he had an epic fail.

A single bank’s SAR helped lead to the solving of the entire string of crimes.   One bank, with an effective BSA program, had spotted structuring.  One bank, with well-trained staff, knew precisely what to look for.  The bank had no idea that the customer was a jewelry store thief, but it knew, because of the structuring, that he was up to something.

So, here’s the part I like the best.  The feds were there at the bandit’s premises, looking in every nook and cranny for evidence of his crimes.  Besides the stolen jewelry, they made another discovery that surprised even the jaded law officers:  In the carpet of the living room, they discovered 250 diamonds.  Yes, diamonds, in the carpet!

As it turned out, the old boy figured he could only get ten cents on the dollar for those sparkly faceted gems.  On the other hand, the gold could be sold for its spot price, minus a small fee.  The diamonds needed to be removed before he took the jewelry to be sold for scrap value, so he simply just took a screwdriver and popped the diamonds out, discarding them like old maid kernels in a batch of popcorn.  I’m picturing the dufus sitting in his recliner, watching reruns of Dukes of Hazzard, having his own little diamond-popping party, and probably downing a few brewskis while he was at it.  He didn’t care where the diamonds went, or what happened to them.  As far as he was concerned, they had little value.  It seems he also wanted a bit of a tan.  The investigators also found diamonds scattered about his pool deck.

So, next time you’re filing a SAR and wondering whether it really matters, take heart and think of all those orphaned diamonds and smile.