Tuesday, November 29, 2022

August 2014 Legal Briefs

  • Bureau issues overdrafts report
  • FDIC: You misunderstood what we said
  • When your OFAC tools aren’t working
  • What’s up with those old Fed regulations
  • Marriage equals marriage
  • HELOC guidance
  • Speaking of risk management
  • Social media checkup
  • 4.1M CMP for deceptive practices
  • Apps from new parents
  • ITIN expiration
  • ATR interpretive rule
  • SAR stats & other BSA matters
  • Watch those cards!
  • HMDA reg proposal
  • SCRA

Bureau issues overdrafts report

By John S. Burnett

It’s not yet time to get worried
In the waning hours of July the Consumer Financial Protection Bureau made a big to-do over issuing yet another "Data Point" report on checking account overdrafts. This time around, the focus of the Bureau’s "concern" is the fees being paid by consumers who have opted-in, under Regulation E, to a bank’s overdraft service (and fees) for ATM and one-time debit card transactions.

It’s important to note, before getting worked up over the numbers delivered by the CFPB report, these three important facts:

First, the Bureau hasn’t taken any action in coordination with the report, and hasn’t made any change to its stated goal of issuing some form of regulation addressing overdraft practices next year. And second, the data reported in Data Point: Checking account overdraft is gleaned only from the financial institutions over $10 billion in total assets that the Bureau supervises for purposes of consumer protection law and regulation compliance. And finally, remember that the focus of this report is the fees paid by consumers who opted in under Regulation E. If your bank doesn’t offer overdraft service for ATM and one-time debit card transactions, the report will have little relevance for you.

There is no doubt that the large banks whose data are reflected in the report hold a significant portion of the consumer checking accounts in the U.S. However, the data studied by the Bureau for the report include random samples of account transactions over 30 months from January 2010 through June 2012. In other words, the information doesn’t reflect what smaller, community banks’ customers experience or activity that is less than two years old. It would be a mistake, I think, for the CFPB to generalize and assume that the data it has studied reflect the reality of consumer experience across the country. As the Bureau itself put it, "As these samples come from a small number of large banks, they cannot be considered fully representative of the checking account market as a whole."

If the Bureau’s source data aren’t "fully representative of the checking account market as a whole," what can we learn from the findings that the Bureau has published? One way to look at the findings is to check each against what you know about your bank and its customers’ experience with overdrafts. Another perspective is to assume that the findings represent areas of concern for the Bureau as it continues to evaluate whether additional rules are warranted in this area, but no more than that. Clearly, these are only hints of things the Bureau may decide need further regulation; they should not be taken as harbingers of what will develop.

A summary of the key findings in the report:

  1. OD fees represent the majority of total checking account fees that consumers pay, and for opted-in consumers they are about 75% of total account fees, averaging over $250 a year.
     
  2. In a variation of the old "80/20" rule, the Bureau reports that its samplings show that 8% of customers pay nearly three-quarters of all OD fees.
     
  3. Younger customers are more likely to overdraw their accounts than seniors.
     
  4. Opted-in accounts (under Regulation E) are three times as likely to be overdrawn more than 10 times a year as accounts that have not been opted-in, and opted-in accounts have seven times as many ODs resulting in fees as accounts that aren’t opted-in. Note that the Bureau isn’t ready yet to say there’s a cause-and-effect relationship there.
     
  5. Transactions overdrawing an opted-in account are often smaller than for accounts that aren’t opted-in. The Bureau reported the median debit card transaction amount leading to an OD fee was $24 and the median amount of all debits leading to an OD fee is $50.
     
  6. More than half of the consumers who overdraft bring their accounts positive within 3 days and three-quarters within one week. With a typical OD fee of $34 for an overdraft balance of under $24, the "borrowing" cost to the consumer can exceed 17,000 percent!

As noted earlier, the focus of the Bureau’s report is the consumer account that’s been opted in for overdraft service of ATM and one-time debit card transactions. If you offer such overdraft services and have substantial numbers of opted-in accounts, you should consider the observations the Bureau has made in its report. If your bank has adopted a de minimis overdraft amount or tiered its fees so that smaller overdrafts result in smaller per item fees, you have probably already addressed much of the report’s "message."

FDIC: You misunderstood what we said

By John S. Burnett

In September 2013, the FDIC issued a Financial Institution Letter (FIL-43-2013) to explain its Supervisory Approach to Payment Processing Relationships with Merchant Customers That Engage in Higher-Risk Activities. In conjunction with the September guidance on its expectations, the FDIC referred to a 2011 informational article with lists of examples of merchant categories that had been associated with high-risk activity at that time. The FDIC now believes that a number of banks interpreted those lists as examples of merchant categories with which the agency prohibited or discouraged banks from doing business.

On July 28, 2014, the FDIC issued FIL-41-2014 to clarify its supervisory approach. The lists have been removed and replaced with a statement of policy that "insured institutions that properly manage customer relationships are neither prohibited nor discouraged from providing services to any customer operating in compliance with applicable law." Instead, states the current FIL, the "focus of the FDIC’s supervisory approach to institutions establishing account relationships with TPPPs [third-party payment processors] is to ensure institutions have adequate procedures for conducting due diligence, underwriting, and ongoing monitoring of these relationships. When an institution is following the outstanding guidance, it will not be criticized for establishing and maintaining relationships with TPPPs."

In its second bite of this apple, the FDIC is saying that banks should decide on their own which account relationships they will establish, with particular emphasis on assessing the increased risks that relationships with some types of businesses may involve. As part of its "clarification," the FDIC has reissued guidance (FIL-127-2008, Guidance on Payment Processor Relationships; FIL-3-2012, Payment Processor Relationships, Revised Guidance; and FIL-43-2013, FDIC Supervisory Approach to Payment Processing Relationships With Merchant Customers That Engage in Higher-Risk Activities) and an informational article, "Managing Risks in Third-Party Payment Processor Relationships," Summer 2011, Supervisory Insights, to remove lists of examples of merchant categories.

When your OFAC tools aren’t working

By John S. Burnett

I cannot tell you how many times I have heard or repeated the wise counsel that "it is far better to learn from others’ mistakes than from your own." Last month’s hefty $16.6 million settlement between Bank of America, N.A. and OFAC provides a perfect illustration. It is truly an object lesson that other bankers ought to pay attention to.

The problem appears to have been with an OFAC filter used by the bank for at least three-and-a-half years ending in March 2009. The bank allegedly knew for more than two years the filter was deficient in its checking of multi-part or multiple surnames. In a span of about 40 months, the bank processed 208 transactions totaling about $91,000 on behalf of, and failed to properly block five accounts owned by, 10 individuals on OFAC’s SDN list. Because the bank failed to self-report the violations, and 79 of the transactions were determined to form an egregious case, OFAC initially set the penalty at over $83 million. The bank had to have done some hard bargaining to get the number reduced by about 80%. Even at $16.6 million, though, the penalty was over 180 times the value of the transactions involved.

There are two key lessons in this case. First, it’s never a good idea to try hiding an OFAC violation or error. These sorts of slips – intended or innocent – tend to get "found out" one way or another. Contacting OFAC to "fess up" is usually a good start toward reducing whatever penalty is finally agreed to. And the more important lesson is to never allow a known systemic problem, such as the faulty OFAC filter at the center of this problem, to go unaddressed. Ignoring such a problem can only make matters much worse.

What’s up with those old Fed regulations?

By John S. Burnett

It has been almost two and a half years since the Consumer Financial Protection Bureau published Interim Final Rules codifying a series of consumer protection regulations that became part of its purview under the Dodd-Frank Act (the Bureau published the series of rules in December 2011). In the months since then, many of us have been caught up in the CFPB’s actions to implement amendments made by the Dodd-Frank Act that have impacted Regulations B, X and Z, to name a few. Somewhere in the middle of all that activity, the Fed did repeal Regulation Q, Interest on Deposits (it’s since been replaced by a new Regulation Q, on Capital Adequacy Requirements). And just in the last several days, the Fed published a final rule repealing its Regulations P (Privacy of Consumer Financial Information) and DD (Truth in Savings) effective June 30, 2014.

Regulations P and DD were two of the rules taken over by the Bureau. Now that the hubbub over implementation of the huge lending changes brought about by Dodd-Frank has subsided somewhat, the Fed took the time to review these two regulations, determined that in its view the Bureau had appropriately taken them over, and made one other determination: that automobile dealers are most unlikely to ever be subject to either Truth in Savings or the portions of the Gramm-Leach-Bliley Act dealing with privacy of consumer financial information. Once those decisions were made, the Fed Board was willing to vote to repeal its Regs P and DD.

What do auto dealers have to do with all of this? In one of the many compromises and maneuvers made as the Dodd-Frank Act was being crafted, Congress declared (in section 1029 of the Act) that the Fed should retain authority to issue rules for certain motor vehicle dealers that offer consumer financial services and are not subject to the Bureau’s regulations. As noted above, the Board of Governors determined that provision didn’t apply to the two regulations it has repealed.

Since auto dealerships often extend credit and lease vehicles, it’s highly unlikely we’ll ever see the demise of the Fed’s Regulations Z and M (although it’s possible that the scope of the Fed’s Regulation Z could be reduced greatly). For the same reason, the Fed’s Regulations B (ECOA) and V (FCRA) are likely to be retained in spite of the fact their clones have been issued by the CFPB. So what does that leave that might be repealed? If the Board of Governors determines that auto dealers aren’t likely to dabble in home mortgages, the Board’s Regulation C might get removed, along with Regulation E if the Board decides there aren’t car dealers to regulate under the Electronic Fund Transfer Act. And finally, the subsection of FRB Regulation H dealing with SAFE Act registration will probably get the axe eventually, too. But there’s no deadline looming by which the Board has to finalize these decisions, so don’t be looking for changes right around the corner.

In the meantime, remember that the Bureau’s rules on consumer protection apply to your bank now, even though the other agencies haven’t cleaned house to sweep defunct rules out the door yet.

Marriage equals marriage

Lauren Tobin, OCU Law J.D. Candidate 2015

Banks are now required to treat same-sex married couples in the same manner as heterosexual married couples. Pursuant to the U.S. v. Windsor decision of the U.S. Supreme Court last year, the Attorney General instructed all departments to include married same-sex spouses whenever allowable when interpreting the terms related to family or marital status in statutes, regulations, and policies administered by the Department. Regulations and policies that are administered by the Consumer Financial Protection Bureau, including the Equal Credit Opportunity Act, Regulation B, Fair Debt Collection Practices Act, Truth in Lending Act, and Regulation Z will be affected. CFPB Director Cordray issued a memo to staff on July 8, 2014 to clarify the impact.

Currently, 20 states have legalized same-sex marriage. Banks should now consider customers who were married to an individual of the same sex in one of these states or Washington D.C. as “married” when banks are acting under federal statute or regulation, including the specific banking regulations listed in the paragraph above. Banks should interpret the terms “spouse,” “marriage,” “married,” “husband,” “wife,” and any other similar terms related to family or marital status to include lawful same-sex marriages and lawfully married same-sex spouses. Even though some of the regulations, statutes, and their commentary use gender-specific language like “husband and wife”, the CFPB states that banks are now required to apply this language gender-neutrally. Note, however, that the CFPB memo says customers in civil unions, domestic partnerships and other relationships not designated by law will be considered “unmarried” within Regulation B. The full memo can be accessed on the CFPB site.

HELOC guidance

By Mary Beth Guard

One of my favorite TV shows (should I be admitting this?) is Big Brother. The reality show’s tagline is “Expect the unexpected” and viewers and contestants stay on edge, waiting for the latest twist in the game to be revealed. That is exactly the opposite of what the regulators want consumers to experience with Home Equity Lines of Credit that involve a draw period, followed by a time period when the principal amount of the HELOC must begin to be repaid. Instead, the regulators want lenders to help borrowers avoid payment shock. To that end, Interagency Guidance has been issued by the OCC, FRB, FDIC and NCUA, in connection with the Conference of State Bank Supervisors (CSBS).

Under the new guidance, the following three expectations are set forth for lenders in connection with these end-of-draw period HELOCs:

  1. Manage risks in a disciplined, prudent manner;
     
  2. Work with troubled borrowers to avoid unnecessary defaults;
     
  3. Engage in appropriate risk recognition.

In case you hadn’t noticed, the regulatory environment revolves around risk management these days. Don’t have an end-of-draw risk management program in connection with providing HELOCs? You need one. The guidance says the examiners will be looking to see that it addresses these five risk management principles:

  1. Prudent underwriting for renewals, extensions, and rewrites.
     
  2. Compliance with pertinent existing guidance, including but not limited to the Credit Risk Management Guidance for Home Equity Lending and the Interagency Guidelines for Real Estate Lending Policies.
     
  3. Use of well-structured and sustainable modification terms.
     
  4. Appropriate accounting, reporting, and disclosure of troubled debt restructurings.
     
  5. Appropriate segmentation and analysis of end-of-draw exposure in allowance for loan and lease losses (ALLL) estimation processes.

Also, policies and procedures are needed for managing HELOCs nearing their end-of-draw periods. One size doesn’t fit all. Your policies and procedures should be commensurate with the size and complexity of your portfolio of these types of loans, but there are ten components regulators say prudent risk management expectations generally include. They are:

  1. Developing a clear picture of scheduled end-of-draw period exposures.
     
  2. Ensuring a full understanding of end-of-draw contract provisions.
     
  3. Evaluating near-term risks.
     
  4. Contacting borrowers through outreach programs.
     
  5. Ensuring that refinancing, renewal, workout, and modification programs are consistent with regulatory guidance and expectations, including consumer protection laws and regulations.
     
  6. Establishing clear internal guidelines, criteria, and processes for end-of-draw actions and alternatives (renewals, extensions, and modifications).
     
  7. Providing practical information to higher-risk borrowers.
  8. Establishing end-of-draw reporting that tracks actions taken and subsequent performance.
     
  9. Documenting the link between ALLL methodologies and end-of-draw performance.
     
  10. Ensuring that control systems provide adequate scope and coverage of the full end-of-draw period exposure.

The guidance document is quite detailed and it provides a solid core around which to formulate your risk management program for HELOCs so that customers won’t have to “expect the unexpected” but will instead receive effective communication from you about the reset.

Speaking of risk management

By Mary Beth Guard

If you are seeking to get a handle on how institutions are expected to assess and manage compliance risk, there is an excellent article in the Consumer Compliance Outlook publication from the Philadelphia Federal Reserve Bank for the Second Quarter 2014. While its focus is on an overview of the FRB’s new consumer compliance risk-focused examination program for community banks, the principles translate well to banks with primary federal supervisory agencies other than the Federal Reserve as well. We recommend reviewing the entire article and the Q&As that appear in the same issue of the publication.

Social media checkup

By Mary Beth Guard

In the same Second Quarter 2014 edition of Consumer Compliance Outlook, the coordinator of fair lending and UDAP compliance risk for the FRB San Francisco wrote an article which does a great job of not only summarizing the FFIEC’s guidance on consumer compliance risk management in the social media arena, but also providing context for it.

If your bank plays in the social media arena, keep in mind the following strategies suggested by the regulators for managing your social media compliance risk:

____ Create a governance structure.
____ Develop policies and procedures.
____ Manage third-party relationships.
____ Provide employee training.
____ Institute audit and compliance monitoring.
____ Listen to your customers.
____ Report to the top.

4.1M CMP for deceptive practices

By Mary Beth Guard

When it comes to UDAP violations, one thing to keep in mind is the notion that regulators are going to be paying particular attention to how you are dealing with what they see as financially vulnerable customers. In the case of a recent C&D and civil money penalty assessments of more than $4 million imposed against a Chicago bank, the vulnerable customers were students and the alleged deceptive practices involved misleading students at various points in the financial and refund selection process about a deposit account and debit card product known as OneAccount.

There did not appear to be any allegation that Cole Taylor Bank and its agent made false statements. Instead, the Federal Reserve pointed to three areas where material information was omitted. Also criticized was the prominent display of the school logo in a way that may have erroneously implied the school endorsed the OneAccount product.

This consent order illustrates that it is not sufficient for statements made in marketing materials and product-related documents to be true; they must also tell the whole story. Important information cannot be omitted or concealed. If the information is not both accurate and complete, it’s a UDAP violation waiting to be cited.

Apps from new parents

By Mary Beth Guard

When I read about a California lender that entered into a settlement with HUD for Fair Housing Act violations, I found myself thinking “Again?!?” The $48,000 settlement paid by Greenlight Financial Services is the latest to emerge from a string of actions against financial institutions that have denied or delayed mortgage loans to women because they were on maternity leave or to couples where the woman was on maternity leave.

Have a discussion with your lenders. Make sure they understand that if a woman who is pregnant or on maternity leave (or a couple) applies for a loan or applies to refinance an existing loan, it is unlawful to take the position that the bank wants to wait to process the application or approve the credit until the woman or man has returned to work. The same holds true for paternity leave as well.

The Fair Housing Act makes it unlawful to discriminate in the terms, conditions, or privileges associated with the sale or rental of a dwelling on the basis of sex, including denying a mortgage loan or mortgage insurance because a woman is pregnant or on family leave. A HUD spokesman said "HUD will continue to enforce fair housing laws to ensure that no otherwise qualified applicant is illegally denied the home financing they need only because they take maternity, paternity or parental leave."

ITIN expiration

By Mary Beth Guard

Individual Taxpayer Identification Numbers (ITINs) are issued to individuals who are not eligible to obtain a Social Security Number but who had tax filing or payment obligations under U.S. law – typically foreign nationals and nonresident aliens. Under a new IRS policy, beginning in 2016, the IRS will deactivate an ITIN unless it has been used on a federal income tax return for any year during a period of five consecutive years. Previously, the IRS had announced in January, 2013 that all ITINs issued after 1/1/13 would expire automatically after five years. This new policy supersedes that announcement.

Additional information will be released prior to the first wave of deactivations in 2016 so financial institutions will know what action, if any, they need to take with respect to deactivated ITINs currently being used in connection with customer accounts.

ATR interpretive rule

By Mary Beth Guard

Clyde has a home loan with you. Clyde dies. His widow or his grown child, who was not on the original loan, is heir to the property and wants to just keep paying on the loan and has agreed to sign the paperwork to be personally obligated. You want to help. The CFPB has issued a new interpretive rule that frees you from the application of the Ability to Repay rule in such a circumstance. The new interpretive rule, which became effective July 11, 2014, also helps in a variety of other transfer situations.

The rule says that because an heir has already acquired the title to the home, adding the heir as a borrower on the mortgage does not trigger the Ability-to-Repay requirements. That means the creditor is not required to determine the heir’s ability to repay the mortgage before formally recognizing the heir as the borrower. That benefits the heir significantly, because as the named borrower, the heir may more easily be able to obtain account information, pay off the loan, or seek a loan modification.

The interpretive rule can also apply to other transfers, including transfers to living trusts, transfers during life from parents to children, transfers resulting from divorce or legal separation, and other family-related transfers.

Good call, CFPB!

SAR stats & other BSA matters

By Mary Beth Guard

The July, 2014 edition of SAR Stats is out. It’s recommended reading for BSA Officers because it highlights trends in suspicious activity and allows us to read about the emergence of new illicit schemes. Of note is the fact that new threat themes reflect the rise in cyber security threats.

In this issue’s SAR Narrative Spotlight, the focus is on Bitcoin and other virtual currencies. The number of SARs that have flagged virtual currencies as a component of suspicious activity is on the rise, so the article provides information to help bankers understand virtual currencies, particularly Bitcoin, which dominates the field at this time.

Not in SAR Stats but still BSA-related is the consent order for a $500,000 Civil Money Penalty against a Wisconsin bank for deficiencies in the bank’s BSA-related internal controls, independent testing, day-to-day monitoring and coordination and training. One of the specific findings was that the Bank’s BSA officer and staff lacked the necessary resources and expertise, including knowledge of regulatory requirements. If you are your bank’s BSA officer and you feel you’re in over your head, you need to shore up your knowledge, expertise, and resources ASAP. Read the Consent Order for further details.

As this issue goes to press, FinCEN issued its Notice of Proposed Rulemaking to clarify and strengthen customer due diligence obligations. In our next issue, we’ll summarize it for you and let you know whether FinCEN’s proposed requirements for ascertaining and verifying the identities of beneficial owners are likely to be workable.

Watch those cards!

By Mary Beth Guard

A Kentucky bank president and chairman is now a former bank president and chairman following the OCC’s assessment of $40,000 in Civil Money Penalties against him and the issuance of an order prohibiting him from being involved in the banking industry. His trouble stemmed from misuse of bank credit cards that were issued to him for use with bank-related expenses. Personal expenses go on your personal card. Bank expenses go on the card the bank issued in your name. Got it? Thought you did.

Three directors were each hit with $10,000 in CMPs for failing to implement and enforce adequate internal controls over the use of the bank’s credit cards and accounts as well as Reg O and Reg W violations. I found myself gasping at a couple of the statements in the enforcement order, such as this one against one of the Respondent Directors:

“Two affiliates of the Bank under Respondent’s control overdraw their accounts on hundreds of occasions over a four month period in an aggregate amount exceeding $3 million in violation of Regulation W.”

And this one:

“Despite notification by auditors from 2006 until 2009 regarding the misuse of Bank and Holding Company credit cards for personal expenses by the former Chairman of the Board and other Bank officers, Respondent failed to implement and enforce adequate internal controls over the use of the Bank’s credit cards and accounts.”

If this is a problem at your bank (or other findings of your auditors have gone unaddressed for a period of time), pull up these enforcement orders to see up close and personal the consequences of failure to take appropriate corrective action.

HMDA Reg Proposal

By Mary Beth Guard

Perhaps you don’t typically read proposals. We understand. But the proposed changes to Regulation C deserve your attention. There are even some aspects of the proposal you might like, such as the fact that unsecured home improvement loans would no longer be reported. Prior to formulating the proposal, the CFPB convened a Small Business Review Panel. The proposed rules are significantly better than they could have been due to input from that panel. You can help shape the final rule by filing a comment by October 22, 2014.

SCRA

By Andy Zavoina

For a couple of years we have warned banks that the SCRA was going to be reviewed more than in the past. Servicemembers are for practical purposes now a protected class. Just read any article where a lender “abused” a servicemember’s rights and the reputational risks will stand out. In fact, at a press conference to announce this enforcement action, Attorney General Eric Holder said, “We are sending a clear message to all lenders and servicers who would deprive our service members of the basic benefits and protections to which they are entitled: This type of conduct is more than just inappropriate, it is inexcusable. And it will not be tolerated.” So expect even more SCRA emphasis and that applies whether you have had any SCRA protection requests or none at all. You need to know personnel are trained in recognizing when the SCRA may apply, how to handle requests, that inquiries are not being denied to avoid the issue, and that procedures are in place and working for any cases you do have. The new requirements on Sallie Mae (discussed in a prior edition of Legal Briefs) will help you identify issues and redesign your procedures, if need be, to work with the customer and avoid complaint resolution issues and DOJ referrals.