- Cooked books put bank in hot water
- RESPA penalties get personal
- FDIC hits Missouri bank with RESPA violations
- Regulators tout inprovements
- More call report changes coming
- Guides for assisted living and nursing home staff
- Current account takeover cases — lessons learned
- Section 3-508A amended
- But is the U3C applicable?
Cooked books put bank in hot water
by John S. Burnett
Fed and state order $51 million in penalties
The Federal Reserve Board (Board) and the Alabama Department of Banking (Department) issued an order that Regions Bank, of Birmingham, pay a total of $51 million in penalties for “misconduct related to the process followed by the bank in the first quarter of 2009 for identifying and reporting non-accrual loans.”
A study of the orders attached to the Board’s press release reveals the details behind the severity of the penalty imposed on the bank. As the financial collapse that began in 2008 began to spread, several of the bank’s business borrowers began to suffer significant reversals. In a domino effect, those borrowers found it harder to make their loan payments, and the businesses’ financial statements began to reflect deterioration of income and cash flow. In the period leading up to and during the first quarter of 2009, several significant credits at the bank (totaling $168 million) began to slide into “non-performing” status and should have been classified as “non-accrual” loans. The Board and Department determined that the bank failed to place those loans in non-accrual status, thereby misstating the bank’s asset quality and income in its regulatory reports (including the first quarter 2009 Call Report). The Order said the Board and Department found deficient controls and procedures were in place “for identifying loans for non-accrual status and for assuring that accurate and complete information was provided to Federal Reserve and Department of Banking examiners in connection with an examination focused on the bank’s non-accrual process.”
Proper non-accrual controls and procedures are required as safety and soundness measures and to provide regulators with appropriate information to make them aware of safety and soundness problems that could result in major losses and eventual bank failure. They are also of concern to investors in publicly-held companies, who can be impacted by swings in a bank’s stock price or a bank failure.
The Board and Department’s actions in the Regions Bank matter don’t end with their penalties against the bank. The Federal Reserve has begun administrative proceedings against the bank’s former senior commercial credit executive, seeking an order prohibiting him from the banking industry, and has separately assessed a $2.4 million civil money penalty against him. According to the Board’s order, this executive benefited financially from his actions resulting in the failure of the bank to properly classify and report the non-accrual loans. The Board and Department also issued separate consent prohibition orders to the bank’s former chief credit officer and the former head of the bank’s problem loan workout department. These orders against the individuals are based both on their participation in the deficient non-accrual loan process and on their providing inaccurate, incomplete and misleading information to examiners about that process.
Plus, the SEC has announced fraud charges against the three individuals for intentional misclassification of loans, which resulting in overstatement of the bank’s holding company’s income and earnings per share in financial statements. The Commission also entered into a deferred prosecution agreement with Regions Financial Corp., on the strength of the penalties to be paid to the Board and Department. The holding company, notes the SEC, substantially cooperated with the SEC’s investigation and took “extensive remedial action.” The two junior officers of the three charged agreed to settle the SEC’s charges by paying $70,000 each and consenting to bans on their service as officers or directors of public companies.
The Regions Bank case appears to be egregious in that knowing misrepresentations of the health of the bank’s loan portfolio were made and one of the individuals involved appears to have personally profited from those false reports. In this case, three individuals in particular have been cited as culpable, but others in the organization – accounting and finance managers, for example — ought to have detected and prevented the fraudulent reporting. Clearly, control deficiencies were part of the problem. The case is also another good example of regulators taking action against individuals implicated in a bank’s infractions.
RESPA penalties get personal
by John S. Burnett
There’s an old story that comes up from time to time when bank compliance officers talk about who’s responsible for a bank’s compliance with laws and regulations. It starts with a call from the regional chief examiner for the bank’s regulator. He (or she) asks the bank to set up a time for the exam team to meet with the bank’s directors, and adds, “Tell them to bring their checkbooks.”
Board members of a Utah bank had to write individual personal checks to the Comptroller of the Currency for failure “to take appropriate actions in response to previous criticisms and violations relating to the Bank’s compliance with the Real Estate Settlement Procedures Act.” The penalties were not harsh – twelve of the directors were ordered to pay $1,000 each and the bank’s president had to write his check for $1,500 – and the specifics of the infractions aren’t provided, but the significance of these orders, issued late in May of this year, is that they illustrate that regulators are reminding those directors – and all of us – who is ultimately responsible for a bank’s compliance program.
FDIC hits Missouri bank with RESPA violations
by John S. Burnett
RESPA violations were also behind a May FDIC enforcement action against a Missouri bank, announced by the agency on June 27. The order cited violations of RESPA section 8 and section 1024.14 (Prohibition against kickbacks and unearned fees) of Regulation X. The bank was ordered to pay a civil money penalty of $70,000 to the U.S. Treasury. In addition, the bank was ordered to submit a plan to pay restitution of at least $400 to each eligible consumer (identified in an unspecified report of examination). That provision of the order suggests that the violations involved the collection of unearned fees (these infractions usually involve a lender’s fee-splitting or “marking up” a third party’s fee for a settlement service and retaining the difference, without itself adding any value to the service).
Regulators tout improvements
by John S. Burnett
It’s been all about improving their outreach to their constituents and clients in the last several weeks, as three Federal agencies announced improvements to make access to information easier and more productive.
Let’s start with the FDIC, which announced improvements to its deposit insurance education resources, available at www.fdic.gov/deposit/. These enhancements are meant to improve both the accessibility and the presentation of deposit insurance information for the general public through organizational changes and through expanded use of explanatory videos and interactive graphics. The agency continues to offer in-depth and comprehensive deposit insurance information for banker training needs. Curious customers (and bankers) will find the enhanced presentation more user-friendly. Bankers should take a look at the updated page and kick the tires a bit to know what customers will see.
Treasury’s Office of Foreign Assets Control (OFAC) announced an improvement, but it is minor, and only affects the few banks (and many non-banks) who use OFAC’s search tools to check names against OFAC’s Specially Designated Nationals (SDN) List or Foreign Sanctions Evaders (FSE) List. OFAC combined what were two tools (one for each list) into a single facility that can be used to search either list or both lists at once. For those who use the OFAC tools, this may save some time and effort.
The FFIEC (Federal Financial Institutions Examination Council) has launched a new Cybersecurity Awareness webpage at http://www.ffiec.gov/cybersecurity.htm. It includes some background information on regulatory initiatives to raise the awareness of financial institutions and their third-party service providers of cybersecurity risks and the need to identify, assess and mitigate those risks even as cyber threats grow both in numbers and in sophistication.
The Cybersecurity Awareness page is also designed to be a “one-stop” location for links to FFIEC and other resources related to the challenge of maintaining cybersecurity, along with statements and alerts concerning threats and vulnerabilities.
More call report changes coming
by John S. Burnett
On June 23, the FDIC, OCC and Federal Reserve published a notice for public comment with proposed changes to two Call Report schedules. When finalized, the changes would affect the March 31, 2015 Call Report. They are designed for consistency with the agencies’ revised regulatory capital rules. To be affected are the risk-weighted assets portion of Schedule RC-R (Regulatory Capital), and the line items related to securities that are lent and borrowed in Schedule RC-L (Derivatives and Off-Balance Sheet Items). You’ll want to call this proposal to the attention of those in your bank who are involved in Call Report preparation (or responsible for creating or compiling data used in the Call Report). Point them to the June 23, 2014, edition of the Federal Register, page 35634. Comments on this proposal are open through August 22.
Guides for assisted living and nursing home staff
by John S. Burnett
We have all heard sad stories about older individuals who have been financially victimized, and the utter helplessness those victims experience in the wake of that abuse. Often the abusers are con artists, family members, fiduciaries and professional advisers who have succumbed to temptation and taken advantage of vulnerable adults who are either too trusting or otherwise unable to protect themselves.
The Consumer Financial Protection Bureau has issued helpful guide in its effort to provide tools that can help protect elders from financial exploitation. Designed to equip assisted living and nursing facility staff with the knowledge and ability to prevent and identify the warning signs of elder financial abuse, Protecting residents from financial exploitation offers tools to:
- educate staff, residents and family members about warning signs and precautions;
- recognize, record and report financial abuse as early as possible using a model protocol and a team approach;
- get help from a community’s first responders.
If your bank has vulnerable elder customers – what bank doesn’t? — or counts a nursing home or assisted living among its customers or neighbors, consider ordering a supply of the CFPB’s guide to contribute to the growing awareness of the problem and perhaps help prevent victimization of the elderly in your community. Much of the information in the guide can help your bank’s staff become more aware of the growing problem of elder financial exploitation, too.
Current account takeover cases – lessons learned
By Andy Zavoina
There have not been a lot of headlines about corporate account takeovers in the last year, but that changed recently. First, let’s be clear I’m not referring to data breaches as those have been in the news, a lot, but thankfully not with banks being at fault. According to the Identity Theft Resource Center there have been 368 breaches so far in 2014, up almost 19 percent for the same period a year ago. New issues on account takeovers plus an increase on data breaches equals a red flag rising up and a bigger blip on your radar screen. Expect more attention here from your regulator.
While a common term is CATO or Corporate Account Takeover, “account takeover” is a more appropriate description as thieves will take anyone’s money they can get access to (not just corporations’). When discussing security procedures and loss prevention the general term is most appropriate to focus on protecting all the dollars in your deposit accounts. But our focus here is about corporate accounts because these deposits do not have the protections that Reg E provides consumers for accounts used for personal, family or household purposes.
The case that has brought account takeovers back into the press is Choice Escrow and Land Title LLC v BancorpSouth Bank. The loss itself dates back to March 2009 when the Mississippi based bank received wire transfer instructions for $440,000 supposedly from Missouri based Choice. The funds were from Choice’s trust account and were sent first to an intermediate account at the Bank of New York and then on to the Republic of Cypress for “Brolaw Services, Ltd.”
BancorpSouth received the instructions through an internet request that properly used Choice’s password and user ID. Even though there were insufficient funds in that account, the bank proceeded with the wire. Choice contended in court that that it “has never heard of, done business with, or held money in escrow for Brolaw,” and that it did not initiate, approve, or authorize, the wire transfer. Choice maintained that BancorpSouth’s security was not sufficient and did not meet the 2005 FFIEC guidance. The bank did offer several levels of security including its highest level “dual control,” whereby two different people with two different sets of logon credentials would be involved. One would have to request the transfer and the other would actually approve it. A lower level of security required only one person to both request and approve of a transfer. Choice said that since both used only a password and user identifier and had essentially the same level of security, each was just single-factor authentication. The FFIEC warned in 2005 that that single-factor authentication as the only control mechanism was inadequate for high-risk transactions.
In March 2013 the U.S. District Court for the Western District of Missouri focused on the fact that Choice was offered options and they explicitly declined the higher level of security BancorpSouth offered. The fact that the bank offered this and retained the declination in writing is important to this case. Choice was also offered the ability to set a daily limit on the amount of transfers wired out and declined this as well.
When the valid logon credentials of Choice were used and the $444,000 transfer was requested, the bank complied with the request. The amount was not uncommon for Choice. The UCC (Article 4A-202) for both Mississippi and Missouri state that a payment order received by the bank is " effective as the order of the customer, whether or not authorized, if (i) the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and (ii) the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer."
This case was unlike several that were litigated and settled before it as the focus was on the UCC and the fact that the customer declined a higher level of security. The bank argued that by default its security procedures were commercially reasonable. The focus in this case was more on the fact that the customer had an option and refused, not whether the bank’s procedure was or was not reasonable. Since the Choice theft, the FFIEC has issued guidance (June 28, 2011 “Supplemental Guidance on Internet Banking Authentication”) whereby banks should do more to prepare for and prevent account takeovers including performing risk assessments, implementing effective strategies for mitigating identified risks, and raising customer awareness of potential risks.
The "dual control" offered by BancorpSouth which required two separate approvals may have been sufficient in 2009 and it was certainly better than a single control. But it’s lacking by today’s standards and customers need education and warnings about the bigger picture. As an example, discuss with the customer when there are multiple users who has what authority within the company and with the bank.
FYI, to illustrate how dual control isn’t bulletproof, consider the takeover theft of $415,000 from the account of Bullitt County, Kentucky. In that case the county treasurer had to make a transfer request and a county judge had to approve it. But when the treasurer’s computer was compromised, the thieves used the access the treasurer had to change the contact information for the judge at the bank. Approval requests for transfers then went to the thieves who confirmed the transfers in place of the judge.
The Choice case progressed to the 8th Circuit Court of Appeals that in June 2014 found essentially the same as the lower court, but in fact favored the bank a little more. BancorpSouth demonstrated that its contract with Choice indemnified it against paying legal fees in a dispute such as this. While the trial court dismissed this, the appeals court ruled that the bank could recover its costs from Choice. So now, with a carefully worded contract a customer may have the burden of payment for its own legal fees plus that of the bank if it loses its case. Might this have a chilling effect on the next customer wanting to sue a bank over an internet banking loss?
Key takeaways here are that the bank offered a higher level of security than the customer opted for. In fact, the bank had documentation that the customer opted out of that and chose not to cap the daily transfer amounts. The contract between the bank and the customer then put the cost burden on the customer.
While this case has progressed through the courts, most others get settled. Such was the case recently between United Security Bank of Fresno and TRC Operating Co., an oil production company from Taft, California.
In that case $3.5 million was fraudulently wired out of TRC’s account in November 2011. United Security and TRC just settled their case as the bank agreed to pay $350,000 to TRC. Actually the bank’s insurance company reached the settlement rather than go through protracted litigation. United Security’s CEO Dennis Woods said there was no merit to the case and he would have liked to have seen a ruling on the case. He said the bank did stop nine of the twelve fraudulent transfers and in fact only one actually got through. The bank maintains TRC fell victim to a phishing attack and that the bank should not be liable for losses. The security procedures employed by United Security were not disclosed and details of the theft are sketchy.
The new FFIEC Cybersecurity Awareness web page mentioned in a previous article was launched along with the announcement of a Cybersecurity pilot program in which more than 500 community banks with less than $1 billion in assets were selected to participate. Banks with examinations between June 16 and July 11, 2014 will have a baseline assessment done including reviews of cyber risks, bank preparedness and exposure to vendors. The results will not influence the ratings for those banks, but the data accumulated may result in changed examination procedures in the future.
Expect more attention to cyberthreats. The time to begin preparation is now. Reviewing your education programs, security procedures, contracts with customers and vendors, how would you rate your bank? Perhaps if you don’t have an exam between the pilot program dates, this is an excellent time to do a self-evaluation.
Section 3-508A amended
By Pauli D. Loeffler
3-508A Loans. 3-508A is the section of the Oklahoma Consumer Credit Code (the “U3C”) that contains provisions for the maximum annual percentage rate for certain loans made by “supervised lenders.” (The definition includes banks.) Section 3-508A provides for “blended” rates on unpaid principal balances by tiers subject to annual adjustment by the Administrator of the Oklahoma Department of Consumer Credit as well as an alternative maximum annual percentage rate. I covered the changes in the tier amounts effective July 1, 2014, in the June 2014 Legal Briefs. The maximum interest rate permitted as calculated by use of the tiers for a “blended” rate or by using of the alternative maximum interest rate remains effective for loans made on July 1 through August 21, 2014; however, for loans made under §3-508A on and after August 22, 2014, the maximum permitted interest rates will change.
The statute as amended still provides for “blended rates” and an alternative maximum annual percentage rate, but there have been important changes with regard to changes in maximum APR for each tier, the unpaid balance amount under each tier, the alternative maximum APR, and the minimum loan term under this section. The statute as amended is set out below.
Maximum Rates by Tier Amounts. §3-508A as amended permits a maximum interest rate on unpaid principal balance of $2,910.00 or less is 27%. The maximum interest on the unpaid principal balance of $2,910.01 but not exceeding $6,200.00 is subject to a maximum annual percentage rate of 23%. The unpaid principal balance of $6,200.01 and above is subject to a maximum rate of 20%.
While the maximum APR for the first tier decreased from 30% to 27%, the unpaid principal balance subject to this maximum rate has increased from $1,470.00. The maximum APR for the second tier increased from 21% to 23% as well as the amount of the unpaid principal balance subject to this rate which was $1,470.01 – $4,900.00. The maximum APR for the third tier also increased from 15% to 20%.
The Dollar Amounts Of §3-508A Loans Will NOT Adjust Annually! Under §1-106 of the U3C the dollar amounts for loans under §3-508A have been subject to annual adjustment for inflation as provided by rules of the Administrator of the Oklahoma Department of Consumer Credit. §1-106 was amended to delete §3-508A loans, so the dollar amounts can only be changed in the future by enacted legislation.
Alternative Maximum Rate. §3-508A as amended continues to provide for an alternative to these “blended” rates: a maximum annual percentage rate of 25% on unpaid balances.
Minimum Loan Term. Prior to the amendment, §3-508A did not have any minimum term for loans made under this section, and it was not uncommon for these small dollar loans to be repayable in 4, 6 or 12 months. A significant change has been made under the amended statute: Any loan made under §3-508A cannot have a repayment term of less than 12 months from the date the loan is made.
14A O.S. §3-508A
1) With respect to a supervised loan, including a loan pursuant to a revolving loan account, a supervised lender may contract for and receive a loan finance charge not exceeding that permitted by this section.
(2) The loan finance charge, calculated according to the actuarial method, may not exceed the equivalent of the greater of either of the following:
(a) the total of:
(i) twenty-seven percent (27%) per year on that part of the unpaid balances of the principal which is Two Thousand Nine Hundred Ten Dollars ($2,910.00) or less;
(ii) twenty-three percent (23%) per year on that part of the unpaid balances of the principal which is more than Two Thousand Nine Hundred Ten Dollars ($2,910.00) but does not exceed Six Thousand Two Hundred Dollars ($6,200.00); and
(iii) twenty percent (20%) per year on that part of the unpaid balances of the principal which is more than Six Thousand Two Hundred Dollars ($6,200.00); or
(b) twenty-five percent (25%) per year on the unpaid balances of the principal.
(3) This section does not limit or restrict the manner of contracting for the loan finance charge, whether by way of add-on, discount, or otherwise, so long as the rate of the loan finance charge does not exceed that permitted by this section. If the loan is precomputed:
(a) the loan finance charge may be calculated on the assumption that all scheduled payments will be made when due; and
(b) the effect of prepayment is governed by the provisions on rebate upon prepayment (Section 3-210).
(4) The term of a loan, for the purpose of this section, commences on the date the loan is made. Differences in the lengths of months are disregarded and a day may be counted as one-thirtieth (1/30) of a month. Subject to classifications and differentiations the lender may reasonably establish, a part of a month in excess of fifteen (15) days may be treated as a full month if periods of fifteen (15) days or less are disregarded and if that procedure is not consistently used to obtain a greater yield than would otherwise be permitted. A loan made under this section shall not be repayable in fewer than twelve (12) months.
(5) Subject to classifications and differentiations the lender may reasonably establish, he may make the same loan finance charge on all principal amounts within a specified range. A loan finance charge so made does not violate subsection (2) of this section if:
(a) when applied to the median amount within each range, it does not exceed the maximum permitted in subsection (2) of this section; and
(b) when applied to the lowest amount within each range, it does not produce a rate of loan finance charge exceeding the rate calculated according to paragraph (a) of this subsection by more than eight percent (8%) of the rate calculated according to paragraph (a) of this subsection.
But Is the U3C applicable?
By Mary Beth Guard
Pauli’s June article dealt with late fees under the Oklahoma U3C. Before you apply any of that Code’s provisions, however, you always want to make a threshold determination of whether the U3C will even come into play. Jay Bruce from American Bank Systems and I took a little jaunt through U3C-land the other day on the phone as I, like many of you, tore my hair out over its circuitousness.
As you know, for the most part, the rules of the Administrator of the Consumer Credit Department attempt to mirror the provisions of TILA/Reg Z to the extent pertinent, but the U3C deals with some matters Reg Z barely touches. For example, TILA/Reg Z only has a late fee limit for HOEPA (Section 1026.32) loans. The limit on a delinquency fee for such High Cost Mortgage Loans (not HPMLs – don’t get confused!) is 4% of the total payment past due. Other than saying you can’t pyramid late charges and the 4% rule for HCMLs just mentioned, Reg Z doesn’t really talk about late fees. The U3C does. But is your loan covered?
The U3C in Oklahoma states in Section 1-202 that it does not cover real estate loans if the purpose of the loan is to build or purchase the residence or refinance such loan — unless the parties agree by contract to make the loan subject to the U3C. That’s a big exclusion.
Plus, under 3-105, the U3C does not apply if it is a "loan primarily secured by an interest in land." That’s one where, at the time the loan is made the value of the land collateral is substantial in relation to the amount of the loan – and the finance charge isn’t over 13% per year. (Again, the parties may, by contract, make the U3C applicable.)
If you have a consumer loan that doesn’t appear to be excluded under U3C 1-202 or 3-105, click over to 3-203 and look at subparagraph (5). That’s where you find the late fee provision for a non-precomputed consumer loan, refinancing or consolidation. So, if the loan is not covered by the U3C via contract, it’s not to finance the building or purchasing of a residence (or a refinance of such), it is not a loan that falls under the 3-105 provisions as a loan primarily secured by an interest in land, then the late fees in 3-203(5) would apply if it is otherwise a consumer loan.