Saturday, July 20, 2024

April 2022 OBA Legal Briefs

  • Nacha warranties and old unauthorized ACH debits
  • P2P complaints
  • Fair banking

Nacha warranties and old unauthorized ACH debits

By John S. Burnett

Your bank just wrapped up its investigation of a consumer’s Regulation E claim involving a series of unauthorized ACH debits made by a gymnasium. Your customer, Sam, got a notice that the gym was being closed “temporarily” on August 10, 2019, for some major renovation work. He assumed the gym would suspend charging his account for his monthly membership fee, but the regular $39.95 charge showed up on his account on August 26, 2019. So, Sam emailed the gym’s owner/manager on August 27, 2019, to cancel the authorization for the monthly changes  and got an emailed response that no further charges would be made to his account, and the August 26 charge would be credited to his membership for the first month when the gym was allowed to reopen.

For whatever reason, Sam didn’t check his account again until March 10, 2022, when he wasn’t able to withdraw $50 at the bank’s ATM. Those of you who are used to handling Reg E claims know what he found – the gym didn’t stop charging his account, and there was a series of 30 monthly debits from September 25, 2019, through February 25, 2022, that he was not expecting to see.  On March 11, Sam, rightfully embarrassed by his lack of attention to his account, brought copies of his statements (which had been made available to him on the bank’s online banking portal on the last day of each month) into his local bank branch, each with a $39.95 ACH debit from the gym circled in red, along with a copy of his August 27, 2019, email to the gym manager and the manager’s response, and asked what the bank could do about getting his money back.

Your branch manager checked with the bank’s deposit operations manager, who suggested that Sam could get back the January 25 and February 25, 2022, debits quickly if the branch manager got him to complete and sign a Written Statement of Unauthorized Debit (WUSD) on those two transactions, but Operations would need to handle the Reg E claim on the earlier debits. Sam signed two WSUDs while the branch manager was copying the statements Sam had brought in. One WSUD covered the two most recent debits (totaling $79.90), as requested by the operations manager, and the other covered the 28 earlier debits (which totaled $1,118.60).

Sam’s documentation made it easy for Operations to complete a speedy investigation, and they agreed that all 30 of the ACH debits were unauthorized. Then they plugged the dates and amounts into their Regulation E Consumer Liability Calculation spreadsheet and determined that Sam should be reimbursed for the unauthorized transactions that posted to his account on or before November 29, 2019 (60 days after the September 2019 statement was available). That would include the September 25, October 25, and November 25, 2019, debits, for a total of 3 times $39.95, or $119.85. Operations also returned the ACH debits that hit Sam’s account on January 25 and February 25, 2022. Within three business days of filing his claims, Sam received credits of $119.85 and $79.90 to his account, and a couple of days later he got a letter explaining that the bank agreed that all thirty of the disputed debits were unauthorized, the bank had refunded only $119.85 for the first three debits, and Sam was responsible for the rest of them because he had failed to review his account statements and promptly notify the bank of the unauthorized debits. The letter then explained that, because he had provided the WSUD covering the two transactions that were less than 60 days old, the bank had been able to return them, and had credited him with $79.90. That leaves Sam with a loss of $998.75 due to his lack of attention to his account.

Using Nacha’s authorization warranty to recover more

The operations manager had done some further research and discovered that Nacha rules include a warranty of authorization that’s given by the Originating Depository Financial Institution (ODFI) in favor of the Receiving Depository Financial Institution (RDFI). That warranty covers two periods for consumer accounts — (11) the first 95 days from the settlement date of the first unauthorized entry to the consumer’s account (which generally corresponds to the period of time the RDFI would be responsible for unauthorized entries under Regulation E § 1005.6(b)(3)); and (2) after the first 95 days but with settlement dates less than two years old. [For non-consumer accounts, the Nacha warranty covers entries with Settlement Dates no more than one year old.]

Buoyed by what she found, the operations manager checked with the bank’s legal department, which suggested she:

  1. Identify the ODFI and its head office address.
  2. Compose a letter stating a claim for breach of warranties under section of Nacha Rules (Warranty that the entry is authorized by the Originator and Receiver) with respect to the unauthorized entries on September 25, 2019, and during the 95 days following that date (that would include the transactions through December 29, 2019), and the entries with Settlement Dates later than two years ago but before January 1, 2022 (the two entries occurring later than January 1, 2022, had been returned).
  3. Include a schedule of the posting dates and amounts of the entries covered by the claim.
  4. Include a statement in the claim letter that the Receiver (Sam, your customer) revoked the authorization and the Originator had acknowledged and accepted that revocation on August 27, 2019.
  5. Include copies of the August 27, 2019, emails between Sam and the gym owner/manager.

She completed the claim letter and faxed it to the ODFI on March 24, 2022.

What happens next depends on how the ODFI treats the warranty claim. This is, of course, a contrived story designed to illustrate the fact that the ability to make an “extended return” of an unauthorized ACH debit up to 60 days after its Settlement Date is not the “last resort” attempt at recovering funds for the bank or its depositor. Nacha Rules warranty provisions provide this additional tool. In fact, Nacha has a handy tool to explain its warranty at

Let’s suppose the ODFI honors the claim and sends full payment for 4 unauthorized debits during the 95-day period (9/25/19 through 12/29/19) and 22 debits covered under the two-year period (3/24/20 through 3/24/22, but the January and February 25, 2022, debits aren’t part of the claim because they had been successfully returned earlier). What should the operations manager do with the $1,038.70 check?

The RDFI gets reimbursed for the three early debits that it had to return to Sam. And, because the RDFI can’t profit from the warranty claim, it credits the remaining $918.85 to Sam’s account, which covers most of his loss. He’s still out $79.90 for the January and February 2020 debits, which fall into the gap between the two Nacha warranty periods.

Of course, not every ODFI would honor such a claim. If the claim is denied, the RDFI can file a rules violation case with Nacha or press the claim in a civil court suit after weighing the cost/benefit of such a course. In our contrived example, however, the ODFI reviewed a strong claim that the debits were clearly unauthorized and decided not to fight it.

P2P complaints

By Andy Zavoina

In December 2021, the Consumer Financial Protection Bureau released an updated Compliance Aid for Reg. E, in the form of FAQs. We wrote about the FAQs extensively this last January and February. Central to these FAQs were P2P, or Peer-to-Peer payment programs from companies like Venmo, Zelle and Cash App. About a week after the updated FAQs were released 33 state attorneys general wrote to CFPB Director Rohit Chopra wanting stronger safeguards for consumers using these P2P apps. Oklahoma’s Attorney General was not on the letter.

It is estimated that in 2023 more than $1 trillion in transactions will happen using these apps. Usage has increased during the pandemic and the public seems to have accepted these programs for many uses. Some people see them as an extension of their bank accounts and it makes it easy to split a dinner bill, pay for a Pampered Chef order or pay a vendor for services rendered.

But when a transaction goes south, whom do they call? It could be your bank, who will refer them to the P2P vendor for customer service. With the updated FAQs we now know that the concerns of the attorneys general were partially answered in the FAQs as the CFPB opined that in many cases banks will have to shoulder the burden of handling claims, however. We covered that in January and February but as a short recap, if a bank has an agreement with a P2P vendor handling transactions the bank cannot deflect a claim for unauthorized use to the vendor. The CFPB opined that if the bank and P2P vendor share a credit card agreement such as both accept Visa or Mastercard, that constitutes “an agreement.”

Aside from banks now shouldering the claims burden, the letter to the CFPB complained that the P2P vendors have poor customer service. It was noted that reaching an actual person was difficult and usually included long hold times. It was also difficult to email or use a chat program to work out problems. Consumers found an inability to use their funds at times without warning when the P2P vendor held them. Restricted use could include paychecks from an employer or government benefits. Likely many of these people were unbanked and using the P2P service for banking. Lastly there were scammers stealing funds with various ruses. “Grandma, I was in an accident. I’m OK but we came to Mexico on spring break. Mom and dad can’t know, but I need $500 to get out of this jam,” is an example.

The CFPB’s mission is to protect consumers. Certainly, after reading about the three common complaints from consumers cited by the attorneys general, you will agree that banks strive not to have such issues and perform better than the P2P vendors. It was noted in the letter to the CFPB that the unbanked were often the more damaged consumers. Regardless, the claims problem has largely been handed to banks and that may be viewed a spart of the solution to the problem.

Some takeaways include banking the unbanked when they are qualified to have a bank account. While banks do not typically have rigorous qualification criteria for deposit accounts, some of these consumers may have burned their bridges with banks with charge-offs or poorly handled accounts. Still, there are some good consumer relationships out there that banks can market to and experience a win-win relationship with. These new and existing customers need to be reminded of security issues. We’ve expanded on some BBB tips for using a P2P payment app safely:

  • Only use it with someone you know and trust. Consider sending a test transfer of say $1 before sending the other $99 for that purchase. Scammers do this to see if an account is good and our customers can learn from this.
  • Take your time entering payment information and double-check it before hitting send. It is usually possible to talk to a person and get the instructions as the data is being entered.
  • Enable security settings and other measures offered by the app, including multifactor authentication that requires another form of verification besides just a username and password. And use a unique password.
  • Remember that public Wi-Fi at places like coffee shops or libraries may not be secure for use in conducting financial transactions.
  • Be wary of any business that only accepts P2P payment apps.
  • When using a mobile device like a smartphone or tablet, lock the device when not in use and do not lend the device to someone to make a call who may then be able to access a P2P app and conduct any transfer using the owners account.
  • When any device, be it a smartphone, tablet, game console or similar device has financial data stored on it, wipe the device before it is sold, donated or otherwise repurposed.

These tips need to be given repeatedly to bank customers just as they should be routinely reminded not to write a PIN on their debit card. Drive the point home. The dollars saved may be the bank’s money.

The last item here is a deliverable to bank management. Whoever is best suited to review Reg E claims for the last year or two should analyze the claims, both approved and denied (including those referred to a P2P vendor). Use this information to estimate what increase the bank may see based on the CFPB’s FAQs and the placement of responsibility on the bank for many of the P2P claims you would not have paid in the past. Management should be aware if this will be substantial. Some banks have reported seeing a significant increase and we can now assume that the pressure is on for banks to make up for these vendors’ shortcomings.

Any time bank management has the ear of a legislative influencer, it may be worth asking why, based on the above, Reg E cannot require the P2P vendors to be responsible for claims they are involved in. It is that vendor who has all the transaction information pertinent to a claim and who profited from the transaction, not your bank. And that vendor doesn’t even have to assist in any investigation. The CFPB should have the ability to police those vendors, not to shift the vendors’ responsibilities to banks.

Fair banking

By Andy Zavoina

In March, the CFPB announced it would be targeting unfair discrimination in consumer finance. “Consumer finance” seems like a broad term and it is. It takes in all types of consumer financial products, not just those involving credit. Banks will certainly be included in the Bureau’s reach, as we have the lion’s share of deposit accounts, and it is important to recognize how these changes will apply.

For years we have been asked questions related to deposit accounts. A customer complained and said the bank was discriminating based on race or gender but only had a savings account, or Marketing was asking if ads for new checking accounts needed to have the same pictorial diversification as home loan ads, showing both men and women and with various racial characteristics. Often the safe answer was “there is no fair lending equivalent for deposits.” While that is true, I and others have argued for years that “fair banking” should always be considered, and I believe most banks do keep that in mind. But under the heading of “what gets checked, gets done” this fair banking procedure will be going to a much higher level.

What the CFPB said was, “In the course of examining banks’ and other companies’ compliance with consumer protection rules, the CFPB will scrutinize discriminatory conduct that violates the federal prohibition against unfair practices. The CFPB will closely examine financial institutions’ decision-making in advertising, pricing, and other areas to ensure that companies are appropriately testing for and eliminating illegal discrimination.”

Note what that statement said — the CFPB will examine for discriminatory conduct, as this would be an unfair practice. Unfair is the “U” in UDAAP — Unfair, Deceptive or Abusive Acts or Practices. We have seen large UDAAP penalties, and because there is no statute of limitations, we have seen enforcement orders that went back for many years. While we often associate UDAAP enforcement actions with the CFPB, the prudential agencies still enforce UDAP as was the case in 2021 when the FDIC penalized Umpqua Bank. The FDIC determined that Umpqua Bank engaged in Section 5 violations (that’s UDAP in the FTC Act) related to collection practices involving commercial equipment financing through its wholly owned subsidiary, Financial Pacific Leasing, Inc. (FinPac).  The FDIC determined that FinPac’s collection fee practices were unfair and deceptive.  Specifically, FinPac charged various undisclosed collection fees to 17,000 borrowers whose accounts were past due, such as collection call and letter fees and third-party collection fees. So, the bank was fined for what its subsidiary was doing and paid restitution of $1.7 million and a civil money penalty of $1.8 million. (FDIC-20-0156k)

From July to October 2020 there were nine separate advertising enforcement actions against mortgage lenders totaling $4.446 million. Triggering terms were missed, ads were poorly arranged which made them misleading and in some cases the numbers were just wrong, or payments quoted were not obtainable.  There were also instances of products being offered which were not being made at the time they were advertised.

While UDAAP and UDAP can bring a high dollar penalty and restitution amounts, this is in part based on how many consumers were disadvantaged and to what dollar amounts. As an example, a 2018 enforcement action included Community Trust Bank, Inc. of Pikesville, Kentucky, as it was hit with a UDAP penalty. Key points in this Federal Reserve enforcement action are that the bank would pay at least $4.75 million in penalties and restitution. The penalty arises from add-on products of a minimal cost, but it reached back to 1994. That was 24 years prior to the action taken. If there is a product and it has a UDAAP/UDAP defect since inception, the next question is when did it launch? From that date forward consumers with that product were harmed and compensation must be paid to the consumer harmed, reimbursements for unfair charges, and civil money penalties to the agency.

We have seen UDAAP used as an enforcement tool on other regulatory requirements such as Reg E where disclosures were made but additional requirements imposed, like requiring a police report to file a claim. Banks are not permitted to add requirements like that and UDAAP has more severe consequences that Reg E itself, so it became the enforcement tool of choice.

(1) CFPB Director Rohit Chopra stated, “When a person is denied access to a bank account because of their religion or race, this is unambiguously unfair,” and “We will be expanding our anti-discrimination efforts to combat discriminatory practices across the board in consumer finance.” So, no time limit and high dollar penalty amounts are associated with UDAAP actions. With this announcement of discriminatory practices on non-loan issues the CFPB released its revised UDAAP section of its exam manual. []

The Equal Credit Opportunity Act (ECOA) and its implementing Regulation B, along with the Fair Housing Act and data gathering requirements under the OCC’s Fair Housing Home Loan Data System and the Home Mortgage Disclosure Act have long been bundled together as anti-discrimination requirements for general loan and home mortgage loans. The revisions to the UDAAP examination manual coupled with a definitive tying of “unfair” to any discrimination, even involving non-loan related products and services, adds an enforcement tool.

The March 2022 Legal Briefs looked at UDAAP in some detail. That was published before this action by the CFPB. We refer you back to that edition for the details, but here I will point out that under the section of some act or practice “causing substantial harm” to a consumer, we find in the exam procedures that this, “may result from discriminatory behavior.”

Discrimination or discriminatory behavior is referenced 25 times in this 19-page document. It is used as an example under collections activities, under the section where a consumer cannot avoid an injury, such as a discriminatory practice, and elsewhere. With a discriminatory practice being unfair, both unintentional discriminatory practices and practices that fall outside  the scope of ECOA now meet the test for being unfair. So, there is a longer reach. It also notes that what is discriminatory may be unfair, violating UDAAP, and at the same time violate other laws such as ECOA. Remember the CFPB does not have to pick one or the other of these laws to use for enforcement action, it can compound them and cite both as each is being violated if you have a loan or home mortgage product.

The revised UDAAP section states, “A discriminatory act or practice is not shielded from the possibility of being unfair, deceptive or abusive even when fair lending laws do not apply to the conduct. For example, not allowing African-American consumers to open deposit accounts or subjecting African-American consumers to different requirements to open deposit accounts, may be an unfair practice even in those instances when ECOA does not apply to this type of transaction.” This brings us to a new awareness level of UDAAP.

When Compliance or Legal has been involved in the development or revision of a product or service, UDAAP and risks have been examined from many perspectives. Traditionally ECOA and Reg B were included in a mindset when a loan was mentioned — Who does it appeal to? Where will it be offered? How will it be advertised? — and the focus was on marital status, race, gender, gender identification and similar topics. Those demographics were considered for loans while deposit products and services would have considered different demographics, potential deposit product appeal based on income, balances on deposit, services required to support the deposit relationship, etc. Now the latter requires the same mindset, or perspective if you will, as the loan discussions.

When reviewing loan products, the bank has demographic information for its lending area and on its home mortgages. The bank can easily review HMDA and other data points to determine if there are any disparities in where applications are coming from, for homes in certain areas, from applicants based on gender, race, marital status and other key categories. This is not as easy when the bank wants to know if there are any discriminatory concerns on auto loans, unsecured loans or other products which exclude the gathering of any demographics.

If the bank wants to generate a fair lending or fair banking analysis it will have to use a proxy for that information that it does not specifically have. This is not a new technique, but it may be one the bank wants to employ against various loan and deposit products as well as complaints. Here is an excerpt from a 2013 CFPB blog post on the topic.

Let’s say a responsible auto lender wanted to make sure that their female customers are not paying more for a loan than similarly situated men. Before analyzing the pricing patterns, the lender needs to calculate the likelihood that a borrower is male or female. Without actually recording the gender of each borrower, to substitute, or “proxy,” for gender, responsible lenders often rely on a first name database  from the Social Security Administration. The public database contains counts of individuals by gender and birth year for first names occurring at least five times for a particular gender in a birth year. Using statistics, they can determine a probability that a particular applicant is male or female based on the distribution of the population across gender categories for the applicant’s first name. []

The above cites a first name database that should be available at minimal or no cost. There may well be others or established programs available complete with databases for various checks and verifications. The CFPB published a 37-page booklet in 2014, “Using publicly available information to proxy for unidentified race and ethnicity – A methodology and assessment” [] which may also help control costs while accomplishing a large project.

The CFPB has used this methodology many times in the past on the files it has from banks and consumers. If the bank can extract certain field from its CIF files, once that process is established many different products and services could be analyzed. Having multiple uses for the one-time costs of establishing the program can prove beneficial. The results of this analysis may prove useful for fair lending, fair banking and have a positive impact on the Community Reinvestment Act file and exams as well. The methodology should be well documented and proven for accuracy.

Naturally if there are shortcomings the bank would need a strategy to correct them. Any corrective actions would be based on the specific product or service and the results of the bank’s analysis. This could be any solution from adjusting marketing media, to community outreach, to a branch or mobile branch serving an under-banked area. Similar to some fair lending strategies, the bank may also consider using bank counsel to facilitate some of this analysis for confidentiality and discovery reasons. That is obviously at the bank’s discretion. It may also be something to only explore at this point and to commit to as fair banking issues develop and mature within regulatory agencies and the industry. It should be worth exploring at this point to know what the time and cost requirements would be, and how it might integrate with future expansion and strategic plans of the bank.

Your bank may not have the CFPB examining it. But as a lead agency, and with other agency’s following it, this is something all banks should prepare for.  The CFPB manual has redefined “unfair acts or practices” and this is the mindset banks should begin adopting across the board.

Borrowing from UDAAP, one element of an unfair act or practice is whether a consumer is “reasonably able to avoid the injury. “ As noted above, this includes examples that the “consumer cannot reasonably avoid discrimination” and “typically cannot avoid the harms of discrimination.” Expect that as the CFPB expands its scope of exams that it will find and address cases of “unfairness” when it feels a consumer was harmed, or could be harmed by such a practice, product or service. Think outside the loan box. Examiners have new marching orders, and your bank should also, to ensure that:

  • The bank has a process to prevent discrimination in relation to all aspects of consumer products or services it offers. Evaluate all policies, procedures and processes for discrimination prior to implementation or making changes and continue monitoring for discrimination after implementation.
  • The bank’s compliance management program includes an established process for periodic analysis and monitoring of all decision-making processes used in connection with consumer products or services and a process to take corrective action to address any potential UDAAP concerns including discrimination.
  • The bank has established policies and procedures to review, test, and monitor any decision-making processes used for potential UDAAP concerns, including discrimination.
  • The bank has established policies and procedures to mitigate potential UDAAP concerns, including discrimination.
  • The bank’s policies, procedures and practices do not target or exclude consumers from products and services, or offer different terms and conditions, in any discriminatory way.
  • The bank has appropriate training for customer service personnel to prevent all forms of illegal discrimination.

Banks should be proactive in internal audits and test, as examiners will, to:

  • Evaluate any product targeted to particular demographics to ensure the marketing, disclosures, and other materials are designed for the target market and will be understood by that market. Appropriateness of the product or service to a consumer is a key.
  • Ensure there is equal treatment among qualified consumers as to terms and conditions of products and services offered without bias based on demographics.
  • Avoid offering or provide more products or services to one customer demographic as compared to another.
  • Customer service representatives should treat all customers the same meaning they provide the same level of assistance and service to all. In the past, paired testing used for loan discrimination cases included criticisms when one applicant was offered beverages while another was not.
  • Review all targeted advertising for potential discrimination.
  • Determine whether the bank uses any decision-making processes to determine eligibility, underwriting, pricing, servicing or collection actions which could result in illegal discrimination.
  • See whether the bank periodically evaluates for, and takes corrective actions to prevent, illegal discrimination.