Legal Briefs

OBA Legal Briefs – January 2005 – May 2024

May 2024 OBA Legal Briefs

Military Customers – A Protected Class?

By Andy Zavoina

For starters, service members are not a protected class under Reg B or ECOA, but note I added a question mark in the title of this article. The question is, do you want to treat them as a protected class? In my opinion, a bank often mitigates risks most effectively by putting service members in the same category as the Reg B protected categories of race, color, religion, national origin, sex, marital status, age (provided that the applicant has the capacity to enter into a binding contract), the fact that all or part of the applicant’s income derives from any public assistance program, or the fact that the applicant has in good faith exercised any right under the Consumer Credit Protection Act.

I remind you of these prohibited basis categories for two reasons: to drive home the point that violations of a service member’s rights can yield severe consequences similar to those of Reg B violations, and the fact that if your bank has a fair lending violation (Reg B included), the Department of Justice (DOJ) is the government agency that will enforce it, and the DOJ is the same agency that will enforce the Servicemembers Civil Relief Act (SCRA) as well. Under the SCRA, the Attorney General is authorized to file a federal lawsuit against any person, or entity, who engages in a pattern or practice of violating this law. Does “a pattern or practice” remind you of a term you have heard in fair lending training? For clarity, the DOJ is directly responsible for enforcing the SCRA, whereas the CFPB monitors complaints and can enforce unfair, deceptive, or abusive practices against banks for mistreating service members.

Often, we hear about the homeless problem and there is a subcategory of those who are veterans and that seems to get more attention because it seems more wrong when a veteran is involved. If there is an action against a debt collector, a repossession agent, or a bank charging overdraft fees, it sounds bad in the media, and then they add, “and this included veterans and service members,” because that garners more attention as well. This is both a reputation risk issue and one compounded by the fact that the SCRA may have been violated and because it carries the same weight as the Reg B consumer categories that are mentioned above. Yes, service members and veterans have given up a lot to defend our country and way of life. But as to salary, service members are also paid for what they do, and unlike many years ago when the draft helped ensure the armed services had the required manpower that was needed, today many service members make as much or more in the military as they would in the civilian sector, so compensation is not necessarily lower, especially when the entire compensation and benefits package is considered. The pay and benefits are competitive as to regular duties, but certainly those making the ultimate sacrifice could never be paid enough.

Putting aside the original spirit and intent of this law, while a part of that is still intact, a big part of it is not, and has been replaced with the idea that the SCRA is a benefit of military service. That is how it is explained to many service members. The Consumer Financial Protection Bureau (CFPB) explains that “The SCRA is a law created to provide extra protections for service members in the event that legal or financial transactions adversely affect their rights during military or uniformed service. These protections enable service members to devote their entire energy to the defense needs of the Nation.” So, while there is little obligation on a service member to validate any financial hardship that adversely affects them, they do need to be able to focus on their mission and the defense of our country.

While this is not an educational substitute for a class in lending to the military or the SCRA, I would be remiss not to remind you that, in addition to service members, the SCRA also protects commissioned officers in active service of the Public Health Service (PHS) and the National Oceanic and Atmospheric Administration (NOAA). While the key focus of the SCRA is military, as we discuss this group, read it with the PHS and NOAA included.

As more support for informally adding service members to the Reg B protected bases, the CFPB has a separate department just for these matters, the Office of Servicemember Affairs (OSA). Annually the CFPB also provides separate reports on service members, including how this group fares in the submission and resolution of consumer complaints. They are specifically separated so that they may be evaluated as a sole category separate from all others. What you do and how you serve your military customers is under a microscope.

In June 2023 the CFPB published “The Office of Servicemember Affairs: Annual Report” for 2022. Complaints submitted by service members serve as a key initial indicator of emerging issues and continuing trends. The report provides data and analysis around the most common complaints submitted by service members.

The Bureau received approximately 66,400 complaints from military consumers in 2022. This was a 55.5 percent increase over 2021. Reviewing the complaints handled by the OSA allows us the opportunity to examine internal procedures for responding to complaints and to improve communication and training to avoid similar complaints in your bank.

This brings me back to the DOJ. In July 2022 the DOJ issued a joint letter with the CFPB that was not directed to banks, but to the auto industry. That absolutely does not mean banks could not learn from the message, and it absolutely does not mean banks have not been penalized for violating these guidance items since 2022. The message is as pertinent today as it was two years ago.

In that letter there are three main provisions they wanted auto lenders to be aware of. Banks make auto loans, and other loans might be applicable as well. The three issues that were addressed included:

Wrongful Vehicle repossessions

The SCRA prohibits repossession of a vehicle during a period of military service unless you (the lender) have a court order or that vehicle loan was made before the period of service, making the loan not covered by the SCRA. There is no notice requirement from your borrower to have this protection, because the burden of determining whether the borrower is protected is on you, the lender. Verification is easiest via the Defense Manpower Data Center (DMDC) website, and I recommend checking that before any repossession order is issued. It may be wise to check it again if you have any reason to believe the borrower may become protected and/or check it again after the repossession to ensure the borrower is not protected at that point. That does not cancel out the fact that the vehicle of a covered borrower was repossessed, but if you verified the DMDC database prior to repossession you should be able to claim a safe harbor from fault. And if you check right after the repossession you can proceed with the return of personal items and a commercially reasonable private sale or auction on the vehicle knowing you will not receive a claim of protection and have to “un-do” that sale, which can be difficult. The DMDC has no separate hard cost, so it is a minimal investment of an employee’s time for peace of mind.

Failure to terminate vehicle leases without penalty

Under the SCRA, a service member can terminate motor vehicle leases early without penalty after entering service or upon receiving qualifying permanent change of station (PCS) or deployment orders. When service members terminate motor vehicle leases, the SCRA requires that they be refunded all lease amounts paid in advance after the effective date, including “capitalized cost reduction” amounts. This has been a major bone of contention for several larger leasing institutions. The lesson learned here for banks is that upfront fees and costs that are considered part of the overall loan, like a rate buy down, should be amortized and not considered “one and done” as a cost of the loan or lease.

Interest rate benefits

If a loan was incurred prior to military service, the SCRA limits the interest rate to 6 percent upon a proper request from the service member. A proper request should include a formal request and a copy of their orders. The CFPB encourages lenders to use the DMDC checks as proof by itself and to provide rate reductions based on that information. A service member’s commander could also write a letter confirming the service member’s status, and that would satisfy the requirement for any verification. The amount above 6 percent must be forgiven and not deferred or added to the final payment, and it must be effective as of the date of SCRA eligibility, not the date of the request. Remember too, when the borrower is on active duty or the reservist receives their activation orders, they are a covered borrower. This provision allows the service member to make their request during the period of service or within 180 days after leaving the service.

Are banks or other financial institutions better than the auto industry and not deserving of such guidance? Of course not. And to go a step farther, I would point out that another form of enforcement comes not from the regulators or DOJ, but from the courts. So, there are several fronts that pose a compliance enforcement risk on your bank.

DOJ cases

Let’s start with a few DOJ cases and then look in detail at class action lawsuits which can take years to resolve and result in highly expensive litigation. All of this should be considered in a risk assessment concerning loan products. I want to ensure you are aware of some of these cases because they are not typically in mainstream media.

In March 2023, the DOJ filed two statements of interest for cases involving arbitration. The first was Espin v. Citibank, N.A. and the second was Padao v. American Express National Bank. Both cases were in the U.S. District Court for the Eastern District of North Carolina and were concerned with the right of the service members to bring class action litigation under the SCRA instead of being forced into private arbitration proceedings on their own.

The service members were disputing adherence to the 6 percent interest rate rule and were seeking to bring class actions against the banks on behalf of themselves and other service members who may have been affected by violations of this requirement. The complaint alleged that Citibank failed to comply with Section 3937 of the SCRA, requiring lenders to limit the interest rate charged to covered service members to 6 percent during periods of military service. Citibank and American Express were seeking to have the cases dismissed and to require each service member to bring their own individual claim in private arbitration. The DOJ’s statements of interest urged the court to deny each bank’s motion and allow the plaintiffs’ SCRA class claims to proceed.

On September 29, 2023, the court denied Citibank’s motion to compel arbitration in Espin v. Citibank. This class action lawsuit was brought by four service members who held credit cards issued by, or had other interest-bearing obligations to, Citibank. In its statement, the DOJ argued that the SCRA gives service members pursuing SCRA claims the right to participate in a class action case in federal court even where a defendant seeks to enforce a contract clause mandating individual arbitration. The DOJ also argued that the relevant portion of the SCRA applies even where the arbitration agreements were executed before the change in law in 2019. The court’s opinion adopted the position advocated by the DOJ.

The Padao case was a class action lawsuit brought under the SCRA by a single service member on behalf of a class of service members who held credit cards issued by, or had other interest-bearing obligations to, the bank. While this was a different lender and plaintiff, the dispute was the same as was the specific Section 3937 reference to the 6 percent rate. The difference here is that this case was based on a single service member’s complaint and expanded to a class. The Padao case is still pending.

In these two cases, the banks are both large. Oftentimes a small community bank sees these very large banks as all-knowing. They have plenty of legal staff to understand all the requirements and react to them. But case after case shows that is not always true. Some like to push the limits or rely on their own interpretations of a requirement. What is your bank’s appetite for risk?

I want to draw attention to the fact that similar to other SCRA cases, especially involving repossessed collateral, significant actions are brought against a bank because of its actions with a single borrower. Just one person starts a snowball that turns into an avalanche. Some readers will be of the opinion that their bank has many military customers, and they know how to handle them as to SCRA compliance. Others may believe they have no military customers and do not need to know SCRA requirements, as they have yet to be an issue. The reality is, you should not be complacent, but be compliant. Evaluate risk, evaluate training, test your procedures, and verify all of it with controls and audits.

At any time, a civilian borrower could enlist in the service and suddenly you find you have an SCRA request. You could also have a reservist called up to active duty who would then be protected. The bank needs to have personnel trained on how to handle these accounts and evaluate the requests. It needs to look not just at loan records, but at overdrafts and safe deposit boxes because after all, a safe deposit box is a lease and the SCRA has a section just for leases. Just as the bank should train everybody in the bank in some basics, where is the Public File for CRA, how do I file a claim for an unauthorized withdrawal from my deposit account, what should they do in event of a robbery, they should recognize “I’m now in the military” as a key phrase that deserves immediate attention of the bank.

You may be surprised if an examiner, or a DOJ lawyer, asks you how many borrowers you have under SCRA protections, especially taking advantage of the 6 percent rate. Regardless of your answer, none, one, or one thousand, the next question may be asking how many were denied SCRA protections? Natural follow-ups to that will be how do you know, how do you track it, who makes the decision, and what factors are involved in that decision. Then, what controls are in place for quality assurance. When there is one complaint, they will look for other cases where the person accepted your answer but did not complain to a regulatory agency or the DOJ.

I do not know of any bankers who want DOJ lawyers in their banks asking questions about loan files. Lawyers are neither lenders nor bankers, and you could find yourself explaining every form and the reasons for every action taken on every loan made in the last five years. You do not want to spend your days doing that and catching up on your regular work at night and on the weekends.

In 2023, I found only four civil money penalties under the SCRA. Two were against towing companies and two were for lease termination problems involving homes. The penalties totaled only $53,000. Not that you would want to justify to your board any civil money penalty as being fair. Fortunately, these were not banks. But that does not mean all banks are getting it all right. The two arbitration cases mentioned earlier are examples even though one is still pending. There are costs incurred already; should we expect a different outcome from the same court for the same complaint?

Let’s revisit a few basic requirements of the Military Lending Act (MLA) and the SCRA, which I have indicated as “M” and “S” below. You can find each of these at www.BankersOnline.com/regulations, near the bottom of the page under the “Other” section. As a general rule the MLA applies to new loans made to service members and the SCRA applies to loans made to people who later became service members. (Please take note that the service member can include dependents, and some SCRA protections are not dependent on this pre-service test.)

M1 – Under the MLA your rate is capped at 36 percent. This applies to a covered borrower with a covered loan.

M2 – The 36 percent is calculated using the Military Annual Percentage Rate, which is like an all-in Reg Z APR. That is, it includes many more finance charge components such as any credit insurance premium or fee, any charge for single premium credit insurance, any fee for a debt cancellation contract, or any fee for a debt suspension and credit-related ancillary products sold in connection with the credit transaction for closed-end credit or an account for open-end credit (exception: bona fide fees). This can make 36 percent easily reachable.

M3 – You are not required by law to verify the applicant’s military status, but if you do not and violate the MLA, the first issue on the borrower’s list of cures is that the loan contract becomes void.

M4 – To obtain a safe harbor, the bank needs to verify the military status before the loan is consummated, by either checking with the MLA database at the DMDC or by obtaining that verification on the credit report. The source for the credit report is the DMDC so that is the sole resource for verification.

[Prior to a change in the MLA rules banks would obtain a signed statement from the applicant as to their military status. Very recently I mentioned in live training that this method is no longer acceptable and banks should have ceased using the form years ago. I almost did not mention it as I also said I think all banks have done away with it. Then during the next break, a banker verified with me that the form they were getting signed was of no use. All it does is create a document the bank creates, has signed, verifies it is signed, and then it is filed away until that file is involved in an audit or quality control check when more time is spent checking it. It provides no safe harbor and only costs the bank time and money and demonstrates that it does not understand the current MLA requirements. Check that your bank’s policy and procedures are updated if you have any doubts. And if your policy does require an MLA verification, it should be completed for that reason with an approved source.]

S1 – Generally, the maximum rate of interest for an SCRA-covered borrower on a covered SCRA loan is 6 percent. This rate can be requested up to 180 days after the service member is released from the service and it is retroactive to the date they were covered, not the date of the request.

S2 – Late fees are considered “interest” for the SCRA. If the bank reduces the interest rate to 6 percent, the maximum rate allowed, turn off late fee accruals or you could be usurious.

S3 – The rate caps apply when a person is on active duty, or a reservist receives their orders. What about National Guard? Title 32 outlines the role of the United States National Guard; normally Title 32 members are not covered under SCRA. To be considered for SCRA coverage a Title 32 member must be called “…to active service authorized by the President or the Secretary of Defense for a period of more than 30 consecutive days under section 502(f) of title 32, United States Code, for purposes of responding to a national emergency declared by the President and supported by Federal funds.” Also, this protection is afforded to joint loans with both the service member and their spouse.

S4 – The CFPB published a report in December 2022 that service members have paid millions of dollars in interest needlessly and that regardless of the law’s requirement that they request protections and provide documentation such as orders, banks should be proactive. This includes not waiting for a service member to make a claim for the interest rate reduction and proactively looking for signs that they may qualify. One way to accomplish this is verification through the DMDC database mentioned above. It has been fine-tuned more and more for accuracy and to reduce update latency. Banks can verify individual service members as well as batch process requests. Many banks adopted the batch processing method and would check the bank’s CIF records against the database on a monthly or other basis. New hits could be shown on the bank’s records as on active duty immediately and individual verifications could be initiated with the customer if desired.

Another case example

Now let’s turn to a very recent and newly filed class action case involving the SCRA. The case is Nowlin et al v Wells Fargo Bank, N.A., and it was filed in the U.S. District Court for the Eastern District of North Carolina on March 20, 2024. The suit alleges that the bank “…illegally and negligently charged thousands of American service members and military families excessive interest rates and fees and compound interest on principal balances that were improperly inflated due to the bank’s misconduct.” We only have the plaintiff’s 29-page lawsuit because the filing is so recent and Wells Fargo has not yet replied to it.

The lawsuit notes that Wells Fargo heavily markets itself as being dedicated to the military. Yet even after claiming this, the bank has charged covered borrowers, with covered loans, in excess of the 6 percent interest rate limit, and that it must forgive that interest difference because it cannot be deferred or added to the loan, and that the bank is not waiving all fees as required. As identified above late fees would be considered interest but we do not have a specific description in the reports available as to what those fees are.

By way of background, the service members discovered the problem in 2022. Actually, Wells Fargo appears to have discovered the problem before that. The bank attempted to correct the issue at least with some of the service members by sending them a check and a letter explaining why the check was issued. However, rather than just being grateful for the unexpected checks, some service members questioned the “misleading correspondence” that explained it. These customers began investigating the issues on their own and determined there were “wholesale violations” and that the bank, in fact, has improperly damaged thousands of military families in this process.

The suit accuses Wells Fargo of failing to reduce the interest rates on service members’ accounts, waive fees, comply with the SCRA’s requirement that interest rate deductions are effective on the date military orders are received, and forgive incurred interest. It also criticizes Wells Fargo’s internal systems and then indicates that there is a miscalculation of principal, interest, and payoff amounts. Anyone who has ever manually calculated loan disclosures or done a series of calculations where one is dependent on the next understands that if one of those calculations is incorrect, all those that follow and rely on the first will be incorrect. They have to be. Again, these are all from the plaintiffs’ filing.

In addition to the miscalculations, they accuse Wells Fargo of imposing more interest, fees and other charges than is allowed. And that makes sense if the bank was not providing the reductions of interest in a timely manner or subsequently waiving fees and other charges. There seems to be a bit of piling on in this filing, but I suppose they need to paint a picture of an incompetent bank that already has a soiled reputation.

It is particularly stated that the bank’s internal audit (or compliance) program discovered the errors, and the bank was aware it both violated the SCRA and the bank’s own military benefits program. In the correspondence the bank has not admitted to any violations. Wells Fargo issued reimbursement checks but failed to adequately describe the methodology used to calculate those refunds.

Since the suit mentions the separate Wells Fargo Military Benefits program, there should be discussion as to whether or not such a program is actually a contract with the service members who relied on it. Since a contract is not a federal issue, the contract side of the discussion would be based on state law, but then again, could this be elevated to an unfair, deceptive, or abusive act or practice which may be punishable under federal UDAAP regulations? The suit alleges that without this special program, many of those service members would have banked elsewhere. A comment such as this, compounded with allegedly not reducing interest and not waiving fees demonstrates financial harm. That should immediately raise UDAAP red flags.

Lastly, the suit, in my opinion, piles on to the claims of illegal activity as it states Wells Fargo is, “still in possession of certain funds belonging to” impacted service members. The suit seeks to define the class of plaintiffs as those service members banking at Wells Fargo as far back as January 1, 2006. That means the bank is potentially responsible for more than 19 years of records reviews, calculations and statements, etc.

As you read this, reflect on any comparable situation your bank has been involved with. As a preventive measure, consider your bank’s position if a similar claim was made. Has training been adequate? Could the bank have been more transparent without admitting guilt in the letters explaining what transpired? Should the method of calculating the reimbursements have been better defined to those with a need to know? Would that transparency and clear math alone have prevented what could be a lengthy and costly litigation? And will the examiners immediately demand to know what happened and why, because this could elevate the risk to the bank in the case even more? Remember, according to Andy Z, a service member is as good as a protected class.

Legislation to watch

In closing, I will point out that on April 17, 2024, Florida’s Senator Rick Scott and Georgia’s Senator Jon Ossoff introduced a bipartisan bill to lower costs for service members and their families through their bipartisan SCRA Benefit Utilization Act to expand access to financial protections and benefits. According to a post by Senator Scott, “The bipartisan bill would expand existing financial literacy programs to include information about these protections; require the Department of Defense’s annual survey to include information about these programs; include benefit information on all activation orders; and require creditors to apply a 6 percent cap to all eligible accounts under their jurisdiction once a service member invokes their SCRA rights.” Companion legislation was introduced in the U.S. House of Representatives by Pennsylvania’s Congressman Matt Cartwright.

Expect more claims.

 

April 2024 OBA Legal Briefs

  • Update on the new CRA regulations
  • FDIC rule affects ATMs, websites, apps and more
  • Personal liability

Update on the new CRA regulations

By John S. Burnett

You know that the Federal Reserve Board, Office of the Comptroller of the Currency, and Federal Deposit Insurance Corporation announced final revisions to their Community Reinvestment Act regulations in October 2023, and those rules were finally published on February 1, 2024, at 89 FR 6574 [https://www.federalregister.gov/d/2023-25797] in the Federal Register. You also probably heard that, although the new regulations will be effective April 1, 2024, most of the changes in the regulations are not applicable until January 1, 2026, and one provision on reporting data under the new rules won’t be applicable until January 1, 2027. There are also some amendments in the rule that will not have an effective date unless and until the CFPB’s “1071” Small Business Lending Reporting rule is given a “green light” by the courts.

Three provisions delayed at the 11th hour

If your bank has been racing to add its CRA Public File to its website, you can relax a bit. The agencies have issued, just a few days before April 1, a supplemental interim final rule that postpones the applicability of revised section __.43 until January 1, 2026. That postponement includes the requirements in revised section __.43 requiring that the written comments from the public, the list of bank branches, and those opened or closed be updated quarterly, as well as the quarterly progress update required in new section __.43(b)(5) for banks with less than “Satisfactory” CRA evaluation ratings.

Also postponed to January 1, 2026, is the applicability date of the facility-based assessment area provision in section __.16.

The third change clears up confusion on which CRA Notice version banks need to post. It will allow banks to continue to use the CRA Notice in the agencies’ “legacy” regulations — the notice they posted before April 1, 2024 — until January 1, 2026.

These three changes were made because they all include requirements based in part on other sections of the updated CRA regulations that will not be applicable until January 1, 2026.

Where your Public File must be available

Because the applicability date for the changes to the Public File requirement has been postponed to January 1, 2026, banks should continue to have their full Public File available at their main office and, if they have offices in more than one state, at one office in each state. The reduced-content Public File can continue to be maintained at other offices.

Banks with public websites can also post their Public Files on their public websites before January 1, 2026, but they will have to continue to make the information in their Public File available to the public, upon request and at no cost from either the website or a physical file, from now until January 1, 2026, and from their public websites on and after that date.

Other developments relating to the new CRA rules

You may also have heard that a number of banking and business trade groups filed a civil suit in the U.S. District Court for the Northern District of Texas challenging the final CRA rules and will request a preliminary injunction to enjoin the agencies from implementing and enforcing the final rules while the suit is pending. In the meantime, the agencies have shown no sign of relenting in their support for the rules, and there has been no news (as of this writing) that an injunction has been issued.

The court issued a preliminary injunction just before the April 1, 2024, effective date, enjoining the Fed, OCC, and FDIC from enforcing the revised CRA regulations, and pushing back the April 1 effective day and each applicability date (such as the January 1, 2026, and January 1, 2027, dates mentioned above) one day for each day the injunction remains in place.

FDIC rule affects ATMs, websites, apps and more

By John S. Burnett

There is another regulatory change with an effective day of April 1, 2024, with compliance required by January 1, 2025, that all FDIC banks should be working on. The FDIC re-wrote subpart A of its regulation on “Advertisement of Membership, False Advertising, Misrepresentation of Insured Status, and Misuse of the FDIC’s Name or Logo” (12 C.F.R. Part 328), and it affects every FDIC-insured bank in the nation.

While all of subpart A was re-issued, not everything is changing. Parts of the current rule were simply reorganized and shifted around to group similar topics. For example, current section 328.3 (“Official advertising statement requirements”) has been reissued as section 328.6 and otherwise largely untouched.

Paragraph 328.6(b)(1) in the new version adds “FDIC-insured” as a new optional short title that can be used in place of the official advertising statement “Member of the Federal Deposit Insurance Corporation,” joining the old standbys “Member FDIC” and “Member of FDIC” that have been approved for decades.

The current section 328.3(d) list of ten types of advertisements that do not require use of the official advertising statement or its alternate short form statements has not been changed in new section 328.6(d), except for the dollar amount in item 10 that was mistakenly not changed from $100,000 to $250,000 when the standard maximum deposit insurance amount (SMDIA) was officially changed in 2010. The new version of that paragraph, in section 328.6(d)(10) reads:

“(10) Advertisements which contain a statement to the effect that the depository institution is a member of the Federal Deposit Insurance Corporation, or that the depository institution is insured by the Federal Deposit Insurance Corporation, or that its deposits or depositors are insured by the Federal Deposit Insurance Corporation to at least the standard maximum deposit insurance amount (as defined in § 330.1(o)) for each depositor.”

Comment: One of the “frequent flyer questions” we get from bankers is a variation on “Do we have to include ‘Member FDIC’ on a [banner/business card/deposit receipt/signature card …]?” The FDIC has not updated this list of “non-advertisements” in decades, and did not do so this time, either.

And, just to wrap up this discussion of new section 328.6, paragraph (f) reads the same as the version in current section 328.3: You can use a non-English equivalent of the official advertising statement in any advertisement, provided that the translation has been given prior written approval by the FDIC. To my knowledge, there is no list of accepted translations that can be accessed by banks. Instead, if your bank wants to use a translation, submit it in writing to the FDIC to obtain approval.

What is changing?

So, what in the rule IS changing? Here’s the short list. Explanations will follow:

  1. Banks have new flexibility in placement of the FDIC official sign
  2. New rules on signage in areas of bank offices in which non-deposit products are offered have been added
  3. There are new areas where the official sign must be placed, such as on ATMs and similar machines
  4. There are new requirements when deposit products are offered or accessible by consumers affecting a bank’s website, online banking portal, and mobile banking apps
  5. New requirements for written policies and procedures

Flexibility in placement of the FDIC official sign. If insured deposits are usually and normally received at teller windows or stations, the insured depository institution (IDI) must display the official sign at each such teller window or station in its standard 7” by 3” size or larger, with black lettering on a gold background. Other color combinations are acceptable as long as the logo and text are in the same color and the background is in a contrasting color. No change from the prescribed wording is allowed. So far, no change.

Here’s the first flexible requirement: If the IDI does not offer non-deposit products on the premises, one or more official signs can be placed at one or more locations visible from the teller windows or stations in a manner that ensures a copy of the official sign is large enough to be legible from anywhere in that area, in lieu of placing a sign at each station or window. Stretching this to the ridiculous, I suppose you could replace all the FDIC signs at your teller windows/stations with a single much larger version hung or painted high on the wall behind the tellers.

Another placement option is available for non-traditional deposit reception. If insured deposits are usually and normally received in areas of the premises other than teller windows or stations (customer service desks or other arrangements, such as café style banking like what you may have seen on some Capital One TV ads), the official FDIC sign must be displayed in one or more locations such that a copy of the official sign is large enough to be legible from anywhere in those areas.

An IDI may also display the official sign in other areas, except where non-deposit products are offered.

Non-deposit products offered on an IDI’s premises

In general, non-deposit products must be offered only in areas physically segregated from areas where deposit products are usually and normally accepted. The IDI must identify areas where activities related to the sale of non-deposit products occur and clearly delineate and distinguish those areas from the areas where insured deposit-taking activities occur.

At each non-deposit offering area, the IDI must continuously, clearly, and conspicuously display signage indicating that the non-deposit products:

  • Are not insured by the FDIC
  • Are not deposits
  • May lose value

Such signs may not be in close proximity to the FDIC’s official sign. The FDIC did not specify design or size requirements for the non-deposit sign (other than it be clear and conspicuous).

In limited situations where physical considerations present challenges to offering non-deposit products in a distinct area, an IDI must take prudent and reasonable steps to minimize customer confusion.

Signage on ATMs and similar machines

In the current rule, the phrase “automated teller machine” appears only once, as an example of a “Remote Service Facility,” on which an IDI may, but is not required to, place the official FDIC sign, with certain restrictions. The abbreviation “ATM” does not appear at all. These rules have been around for a long time, after all.

The new rule includes a new section 328.4 that “governs signage for insured depository institutions’ automated teller machines or other remote electronic facilities that receive deposits.” There are separate requirements (1) for these facilities that are placed in service before January 1, 2025, and receive insured deposits but do not offer access to non-deposit products; (2) for ATMs and similar facilities that receive insured deposits and offer access to non-deposit products; and (3) for ATMs placed in service on or after January 1, 2025.

Deposit products only, in service before 1/1/2025: An IDI may comply with the official sign requirement by doing either of the following:

  1. Placing a physical official sign (the version placed at teller windows/stations) on the machine. Such signs are placed on the face of the machine or its enclosure, conspicuously visible to a user, and must be replaced if removed, degraded, or defaced to remain displayed “clearly, continuously, and conspicuously.” This option continues to be available for these machines after 1/1/2025 as long as they do not offer access to non-deposit products.
  2. Displaying the “FDIC official digital sign” [see below] on appropriate screens of the ATM or similar facility as described below for machines placed in service after 1/1/2025.

Deposit products, with access to non-deposit products: By 1/1/2025, an IDI’s ATM or similar machine must clearly, continuously, and conspicuously display disclosures indicating that non-deposit products are not insured by the FDIC, are not deposits, and may lose value, on each transaction page or screen relating to non-deposit products. This disclosure may not be displayed in close proximity to the FDIC digital sign.

ATMs and similar devices placed in service after 1/1/2025: An IDI’s ATM or similar device that receives deposits for an IDI and does not offer access to non-deposit products and is placed into service after January 1, 2025, must display the official digital sign on its home page or screen and on each transaction page or screen relating to deposits.

The FDIC official digital sign

New section 328.5 (Signs for digital deposit-taking channels) introduces a new official sign to be used only in digital deposit-taking channels such as ATMs and similar devices [see above] and IDIs’ websites and web-based or mobile applications that offer the ability to make deposits electronically and provide access to deposits at IDIs. It looks like this:

When on a contrasting light background, the letters FDIC are in navy blue and the text to the right is black. If displayed on a dark background, the FDIC and text will both be in white. There are font and size parameters in paragraph (b) of section 328.5.

Requirements for use of the official digital sign on ATM screens were listed earlier. For other IDI deposit-taking channels as listed in the previous paragraph, the official digital sign must, after 1/1/2025, appear on:

  1. Initial or homepage of the website or application
  2. Landing or login pages
  3. Pages where the customer may transact with deposits

The official digital sign must be clearly legible across all IDI deposit-taking channels. [NOTE: This will be difficult on mobile banking apps displayed on most cell phones. It may require displaying the official digital sign with text wrapped on two (or more?) lines. I wrote to the FDIC about this problem over a month ago and have not yet had the courtesy of a response. In the prefatory text that accompanied the final rule at publication, the FDIC said it is reviewing options to provide IDIs with technical assistance or guidance to assist in implementing the FDIC official digital sign requirements.]

When placed on a web or app page, the official digital sign should be continuously displayed near the top of the relevant page or screen and in close proximity to the IDI’s name.

Displaying non-deposit signage on digital deposit channels

If a digital deposit-taking channel offers both access to deposits at an IDI and non-deposit products, the IDI must clearly and conspicuously display signage indicating that the non-deposit products: are not insured by the FDIC; are not deposits; and may lose value. This signage must be displayed continuously on each page relating to non-deposit products but may not be displayed in close proximity to the official digital sign.

One-time notice for customers related to third-party non-deposit products

If a digital deposit-taking channel offers access to non-deposit products from a non-bank third party’s online platform, and a logged-in bank customer attempts to access such non-deposit products, the insured depository institution must provide a one-time per web session notification (sometimes referred to as a “speed bump”) on the insured depository institution’s deposit-taking channel before the customer leaves the insured depository institution’s digital deposit-taking channel. The notification must be dismissed by an action of the bank customer before initially accessing the third party’s online platform and it must clearly, conspicuously indicate that the third party’s non-deposit products: are not insured by the FDIC; are not deposits; and may lose value. Nothing in this paragraph shall be read to limit an insured depository institution’s ability to include additional disclosures in the notification that may help prevent consumer confusion, including, for example, that the bank customer is leaving the insured depository institution’s website.

Written policies and procedures

Of course, your bank has a policy requiring compliance with regulations and procedures to implement the policy.

For the first time, the FDIC is now requiring that IDIs establish by January 1, 2025, and maintain written policies and procedures for compliance with this regulation. Such policies and procedures must be commensurate with the nature, size, complexity, scope, and potential risk of the deposit-taking activities of the IDI and must include, as appropriate, provisions related to monitoring and evaluating activities of third parties that provide deposit-related services to the IDI or offer the IDI’s deposit-related products or services to other parties.

Personal liability

By Andy Zavoina

Many years ago, I learned a valuable compliance lesson while making a presentation to my bank’s board. I always liked to tell them I was the conduit between the board and the examiners. Compliance information I provided management and the board flowed regularly and this allowed me to provide two-way communication with the examiners and the bank as a whole, and to insulate the board from ever getting a notice from our examiners asking them to attend a special meeting after an exam, and to bring with them their personal checkbooks as the monetary penalty that was owed had to come from them and not the bank.

In this particular meeting I was discussing Money Market Deposit Accounts. Like many banks before the Reg D amendments in early 2020, we had customers writing more than the allowed number of checks during a statement cycle. Remember the customer could make no more than six transfers or withdrawals, three of which could be by check, draft, debit card or similar order. We used to apply the “couch potato” rule that if they had to get off the couch to make the transfer and it was not convenient to do so, it likely did not count as one of the restricted transfers. If it was convenient, like writing a check, it counted. And those were days when lots and lots of payments were made by check.

Very often the New Accounts folks wanted an exception to the number of transfers rule because this was a good customer with large deposits. But Reg D defined this rule in the definition of a savings account and the money market deposits were savings accounts. There were no exceptions built in and while guidance was that they could have three inadvertent errors in a rolling twelve-month period, that wasn’t set in stone and a habitual violator had little room for exception. I regularly audited the accounts with excessive transfers and Operations had controls to always review them. We also had customers that business development and lenders had persuaded to move to our bank and these deposit accounts and the large balances were factored into the profitability of the relationship. According to most of those exception requests, the customers’ old banks never enforced that rule, so why should we? For the historical record, the requirement was that the following was allowed:

Up to 6 transfers and withdrawals per calendar month or statement period of at least four weeks:

  1. to another account of the depositor at the same financial institution, or to a third party
  2. by automatic or preauthorized transfer
  3. by telephonic agreement (including FAX and data transmission) order or instruction

No more than 3 of these 6 can be by the following and payable to third parties:

  1. check
  2. draft
  3. debit card (Point of Sale)
  4. similar orders

Most ACH debits are included in the 6/month limit.

Now you can understand what the requirement was and that these were “good” customers because “good” meant more digits in the average balance. The directors of the bank liked to consider themselves “good customers,” as well, and because of the close relationship and their position, they were better than the average “good customer.” Well, I had one director, as he explained it, several times, whose wife just picked up the wrong checkbook when she went shopping and I will tell you that any time that was the case, six was a very lonely number.

Back to my presentation. I had this problem with some accounts and officers wanting to grant exceptions in addition to the directors’ accounts. I’d recently read an article that I shared with the board. It was about a bank that chose to openly ignore the transfer limitation rule and it was going to accept the risk. The examiners in this article, at this point, were discussing the potential penalties. One of the examiners followed the train of thought that the board sets the direction of the bank. In this case the examiners considered going back to when the problems started and calculating the interest paid on all the money market accounts. The entire category was up for being reclassified as demand deposits. That means interest should not have been paid on those balances for that entire period [this predated the Dodd-Frank Act, which has since made interest on demand deposits legal] and the directors personally could be held responsible to repay the bank the interest that was paid on these accounts. That possibility raised every eyebrow in our board room, and I was assured of complete support and cooperation as I managed the money market accounts audits and my compliance program. My problem director also found a way to color code the checkbooks and there were no problems from his account after that.

The key issue that resonated with the board was individual liability. So often we bankers do not realize that we can often be held accountable for our own actions. That can include monetary penalties and some violations can warrant incarceration – jail time. That is a big step away from the status quo, cushy and prestigious positions some aspire to because they see less responsibility than there actually is. So, I like to provide reminders from time to time to directors, management, officers, and even lower-level employees that they must be aware that if their actions are poorly chosen, regardless of the reason, they are responsible for what they do. This helps with buy-in for the compliance program overall and in getting the resources necessary to do your job. It is not intended to be a scare tactic, but instead a reason to listen, to learn and to perform.

It never helps the bank or the employees, officers or directors to ignore the rules. Good compliance is good for the customers, the bank, and those who carry out those compliance rules with every disclosure they provide, and every Reg E claim they process and every account they service. People need to understand that they may think they are helping the bank by denying a valid Reg E claim, as an example, but they are not, and if they are truly violating the Electronic Fund Transfer Act, they may be putting themselves at risk.

Succinctly, violations, especially “willful” ones, are first the responsibility of the bank as it is the provider of services and the other party in the agreement with the depositor. But if an employee is acting outside the scope of their duties, they may have individual liability. You must ask, what training and education on the topic did the employee have? What was their motivation to do what they are accused of doing? This may be one reason Wells Fargo employees other than management were not held personally responsible for much of the “8 is great” new accounts production requirements and falsely opening new accounts under customers’ names without permission.

Examiners have focused more in the last few years on direct responsibility. When an entity like a bank keeps getting penalized, it has less personal meaning and the entity never went to jail and the people working there never pay out of pocket. So, let’s start a discussion based on a hot item, the Bank Secrecy Act. The law says, “willful violations of the statute or its implementing regulations by an institution and any of its partners, directors, officers, or employees are punishable by a civil penalty of $25,000 (or the amount of the transaction at issue, up to $100,000) per day for each day the violation continues and at each office or location where it occurs or continues.” The BSA is not new and has been a requirement since 1970. But it has been just the last few years that regulators have begun using the personal liability portion of the regulation. While this personal responsibility mindset is happening in other countries as well, in 2015 “the Yates Memo” from Deputy Attorney General Sally Yates announced a call to action for the Department of Justice (DOJ) to increase its efforts to hold executives personally accountable for corporate misdeeds. The Yates Memo stated it was “seeking accountability from the individuals who perpetrated the wrongdoing” as “it deters future illegal activity, it incentivizes changes in corporate behavior, it ensures that the proper parties are held responsible for their actions, and it promotes the public’s confidence in our justice system.” Has this been the case? Just a few months ago, on January 31, FinCEN assessed a $100,000 penalty against Gyanendra Kumar Asre. According to the press release, “Asre allowed millions of dollars in high-risk transactions to be processed without required anti-money laundering controls or reporting to FinCEN,” said FinCEN Director Andrea Gacki. 
“Today’s action serves as a reminder that FinCEN will not hesitate to take action against individuals when their conduct jeopardizes the integrity of our financial system.” In addition to the fine, Asre has a five-year ban on working at any institution subject to the BSA rules. There is more to this than just a bad BSA officer. As the BSA Officer at a credit union, Asre was responsible for detecting and preventing money laundering activities. But it gets more personal, and the credit union should have increased oversight because of this relationship. Asre had his own money services business and failed to register it with FinCEN. That violation was compounded by inadequate AML program management that allowed millions of dollars in high-risk transactions to be conducted through the system.

And I did mention incarceration as a penalty available to the DOJ and regulators. Two of the earlier actions go back to 2015 when a then former BSA officer was sentenced to two years in prison and forfeited almost $1 million and another was fined $1 million and threatened with a permanent ban from working in our industry. FinCEN assessed a civil money penalty against Thomas E. Haider. It was alleged that over a five-year period at MoneyGram, he failed to implement and maintain an effective AML program and neglected to comply with BSA requirements to report suspicious activity despite complaints about scams being operated through the MoneyGram system. In the second case, again it was not a banker, but Charlie Shrem, who was both Founder and BSA Officer for BitInstant. This was a Bitcoin exchange and Shrem did correctly register his company as an MSB, but he was allegedly helping another unregistered company in its operations. While Shrem had implemented an AML compliance program, he allegedly failed to file SARs on the illegal activity being conducted by the company he was aiding and abetting. And not related to these, but to personal liability, at the end of March 2024 Sam Bankman-Fried, the former CEO of cryptocurrency exchange FTX, was sentenced to 25 years in prison for crimes of fraud and conspiracy.

Now let’s look at nine separate actions involving personal liability actions against employees of the Bank of England – in England, Arkansas, just for clarity. These were FDIC actions in January 2024. The nine employees actually worked for the Bank of England loan production office in a Detroit suburb. They were accused of using bait and switch tactics among other methods to deceive mortgage applicants. The violations were charged for actions going back to 2018 until 2020. Examples of the deceptive techniques used included misrepresenting actually available loan pricing for mortgage loans, misrepresenting to consumers that they could skip two months of their mortgage payments, and further misrepresenting the loan production office’s affiliation with the Department of Veterans Affairs. These were considered unsafe and unsound practices and were done in part for personal gain. One might assume this was based on loan production but that was not specified in the orders.

The (now former) branch manager was penalized for failing to ensure those working for him were not violating Section 5 of the FTC Act and were not committing the misrepresentations expressed above. He was fined $100,000 and banned from banking. The former sales manager was also banned for the same misrepresentations and fined $12,000. Five other employees were fined a total of $163,500 in amounts ranging from $1,000 to $110,000. The actions they were accused of included luring consumers to apply for mortgage loans with low, unavailable loan prices that would not be honored and subsequently increasing the price before closing the loan, misrepresenting to consumers that they could skip two months of mortgage payments, and misrepresenting to consumers the bank’s affiliation with the Department of Veterans Affairs. Two others were not fined but were recognized for their roles and required remedial training. The fines totaling $275,500 cannot be paid or reimbursed by the bank. These are personal fines.

While employees have personal liability for their own actions, the bank has the responsibility, the obligation, to ensure they understand the requirements of what they do and why. “This is the way we’ve always done it” is not good enough. If you are interested in reading more on these last enforcement actions, links may be found in the BankersOnline Top Stories pages, on February 26, 2024, under the heading of the FDIC January enforcement actions.

 

March 2024 OBA Legal Briefs

  • OBA Feedback
  • FCRA and HR
  • Employees, Social Media, and Ownership
  • Federal Preemption in Question

OBA Feedback

By Andy Zavoina

The OBA has had numerous requests about what can be done when a credit report is accessed on a consumer and that consumer becomes inundated with calls from other lenders competing for the loan or to offer ancillary services. The consumers tend to blame the bank and it is not your fault, but what can be done?

The calls are not new or innovative – just more prevalent in today’s market. This practice, known as “event-based trigger marketing,” is legal under the Fair Credit Reporting Act (FCRA) even though it is often an annoyance to the borrower and then to the bank when you have to field complaints. The relationship between the bank and its customer can be harmed because the customer associates the unwanted solicitations with the bank. Bank customers across the country have reported a sharp increase in recent years in various unwanted calls, text messages, emails and other solicitations originating this way.

Based on my personal recent experience after a credit inquiry, many competitors immediately contacted me, the applicant, in hopes they could offer better terms than I already had pending, and the offers continued even after consummation. Further, vendors offering complementary products began contacting me with references specifically to that recent mortgage loan. In my case it was a mortgage, and the offers (even a year later) are for a home warranty and specifically reference the XYZ Bank’s mortgage. In other cases, the offer may be for an extended car warranty for a recent car loan or a refi with emphasis on skipping a payment or lowering the monthly payment. The solicitations attempt to co-brand off the lender’s good name by referencing the lender and in some cases using the lender’s logo or font style. Unless the reader looks at the fine print, they don’t see the “not affiliated with…” disclaimer to avoid Unfair or Deceptive Acts or Practices (UDAP) or other issues.

We recommend advising your customers it is through no fault of the bank that this is happening and the best way to avoid the contacts is to opt-out at the credit bureau. Banks may even want to be proactive as the advice does little once the horse has left the barn.

Consumers can visit www.optoutprescreen.com or call 1-888-5-OPT-OUT (1-888-567-8688) to opt out from receiving these calls. The major credit bureaus operate the phone number and website and the standard opt-out is for five years. Using the same contact methods, they can opt out permanently but to do so must sign and return the Permanent Opt-Out Election form (which they get online). Your consumer may be advised to consider that as an option. Calling the opt-out line or visiting the site will only stop prescreened offers that are based on lists supplied by the major credit bureaus. Consumers could continue to receive offers for things like credit and insurance based on lists from other sources. Opting out also won’t end mail from local merchants, religious groups, charities, professional and alumni associations, and companies that the consumer already does business with. To stop mail from groups they must contact each sender directly.

On a related note, in August 2023, the White House announced a crackdown to protect consumers from third party data brokers. CFPB Director Chopra announced plans for new rules that would strictly limit the types of consumer data that may be sold by businesses and ensure that data brokers comply with the FCRA. Note that the recent complaints our bankers have been receiving will not directly benefit from this as the activity is not out of compliance with the FCRA, but it is a start.

There were actually two proposals being discussed. The first of the new rules would define a data broker that sells certain types of consumer data as a “consumer reporting agency.” The CFPB is considering a proposal that would generally treat a data broker’s sale of data regarding, for example, a consumer’s payment history, income, and criminal records as a consumer report, because that type of data is typically used for credit, employment, and certain other determinations. This would trigger requirements under the FCRA for ensuring accuracy and handling disputes of inaccurate information. It would also prohibit misuse of the information.

The second proposal addresses confusion about what is referred to as “credit header data” on a consumer report. The use of personally identifiable information is a necessity to data brokers and this credit header data is on reports sold by the big three bureaus, Equifax, Experian, and TransUnion. This header information includes key identifiers of the consumer, such as their name, date of birth, and Social Security number. The CFPB wants to clarify the extent to which credit header data constitutes a consumer report, reducing the ability of credit bureaus to impermissibly disclose this sensitive contact information that can be used to identify people who don’t want to be contacted. This is viewed as especially important to survivors of abuse.

And going full circle back to the original issue of event-based trigger marketing, in February 2024 the ABA Banking Journal reported that the ABA urged Congress to pass legislation to ban the sale of the consumer contact information to lenders who then inundate the consumers with unwanted solicitations. The ABA expressed support for S. 3502 (which was introduced and referred to the Senate Banking Committee) and H.R. 7297 (which has only been introduced so far), both of which would eliminate abusive event-based trigger marketing and limit prescreened credit offers to consumers who actually consent or who have a preexisting relationship with a bank.

So, what can you do today as we await proposals and bills to become effective? In addition to referring customers to www.optoutprescreen.com or 1-888-5-OPT-OUT (1-888-567-8688), which the Federal Trade Commission recommends, the bank can take a proactive posture. If the customer is not looking for new credit or insurance from other than your bank, they may want to opt out for the five-year period or permanently. Again, these apply to prescreening solicitations only.

Additional resources the consumer may consider include the Do Not Call (DNC) list and the Direct Marketing Association (DMA). The National Do Not Call Registry was created to stop unwanted sales calls. It’s free. Consumers can register their home or cell phone number. They need to go to DoNotCall.gov or call 1-888-382-1222 from the phone they want to register.

Consumers may also register at the DMA website, DMAchoice.org to reduce promotional mail from marketers. It won’t stop all promotional mail, however, and they will have to pay a $4 processing fee, but the registration will last for 10 years.

DMAchoice.org also has an Email Preference Service that lets people get fewer marketing emails. Registration is free and will last for six years. Bear in mind none of these actually stop scammers and marketers who ignore the laws and the opt-outs, DNC list or DMA exclusions.

Banks with these complaints may want to produce a brochure, or web page they make available and can refer customers to, explaining what is happening. If I were creating such a consumer resource, I would hit these thoughts as I have highlighted them here. Certainly, you would want to elaborate on the points below based in whole or in part on the information above to meet your taste.

  1. Why am I getting these calls after applying for a mortgage?
    When a consumer applies for a mortgage, the lender accesses the credit report for the applicants. Because the lender has to have a valid reason to get that credit report, the credit bureau now knows this consumer is looking for a new loan. Credit bureaus have to make money. One way to do this is to sell your contact information to other lenders who make loans similar to what you are applying for. Those lenders approach the credit bureaus and agree to buy a list of prospects on a very regular basis. This allows those other lenders to strike while the iron is hot. This may also facilitate the consumer getting the best deal available if they want to compare terms and pricing. Unfortunately, the lenders buying the lists often do not have a better deal, but go into a hard sale posture. To make matters worse, there may be multiple lenders with the same agreement, which reduces the ability to comparison shop and frustrates you with all the calls, emails and text messages followed by snail mail offers.
  2. I like the terms I’m getting. How do I stop these multiple offers from pestering me?
    Unfortunately the credit bureaus want to make money and legally selling personal data is one way they accomplish that. By getting on the Do Not Call list, the Opt-Out Prescreen list and the Direct Marketing Association opt-out list, you can reduce future contacts. But what is done now, is done. Using voicemail and other filters on the media you use may help reduce the bother, but it will not eliminate it. In some cases, several types of solicitations may be forthcoming for a year or more, so actually getting on the opt-outs now can still help.

FCRA and HR

By Andy Zavoina

It isn’t common that we in compliance get involved with Human Resources (HR) to check on the controls they use for compliance, but it is time to ensure the checks and balances are all in place. Both of these departments are highly regulated, and, in this case, Compliance should have a stronger grasp of the Fair Credit Reporting Act (FCRA), which is a key crossover regulation between Compliance and HR. I will provide the basic requirements here in the event Compliance has not yet but needs to incorporate HR into its risk assessment and audit calendar. I will say that a part of my FCRA annual audit included a review of the credit bureau bill. It was separated by terminal, so I knew which departments accessed the files. Then it was a case of finding the approved, denied, or withdrawn loan or employment file. One year, I discovered that HR was routinely accessing credit reports for employees being considered for promotion, and this was done without any notice to the employee before or after the decision was made. I considered it adverse if an employee was taken out of the promotable list due to information from the credit report or worse, if action was taken to demote or terminate employment. That had not happened, but the procedure adopted was simply wrong.

The FCRA imposes several restrictions and disclosure requirements on HR, just as it does loan staff, as to accessing, use and the impact of decisions made based on credit report data. Before HR obtains a credit report, it must give notice to an applicant or employee that it plans to pull a consumer report on them, and that it might use the consumer report information in its employment decisions. HR must also get the applicant or employee’s written approval to obtain the consumer report. The notice and authorization can be on the same page and must be in stand-alone format and not part of an employment application or other document, and it may not include any other authorizations or waivers.

If the bank uses information from the consumer report in its decision to take adverse action against an applicant or employee such as deciding not to hire, or to terminate or demote them, the bank must provide the applicant or employee with a disclosure before the adverse action occurs. This disclosure must contain:

  A) A notice that the bank is contemplating adverse action;
  B) A copy of the consumer report; and
  C) A copy of the publication, “A Summary of your Rights Under the Fair Credit Reporting Act.”

In addition, the bank must give the applicant or employee a reasonable period of time to respond to the notice of contemplated adverse action. Typically, five business days is the minimum period that is recommended. During this time, the bank should not fill the open job position or take other action that would constitute an adverse employment action against the applicant or employee. If the applicant or employee provides additional information, the bank must consider it, but is not required to reverse the decision. Much like a Reg B Adverse Action is intended to inform an applicant of the reasons for denial so they can correct the deficiencies over time and reapply, this is intended to provide time to correct a deficiency and secure that position which obviously cannot be held open indefinitely. It provides a short window for the applicant to explain or correct obvious errors.

After HR takes adverse action based on a Consumer Report, it must give the applicant or employee notice of the actual adverse employment action. This notice should be in writing and must include:

1) The name, address, and telephone number of the Consumer Reporting Agency that provided the Consumer Report;

2) A statement that the Consumer Reporting Agency did not make the adverse employment decision and cannot give specific reasons for it; and

3) Notice of the applicant or employee’s right to dispute the accuracy or completeness of the information the Consumer Reporting Agency provided, and the applicant or employee’s right to get a free copy of the report from the Consumer Reporting Agency if the applicant or employee asks for it within 60 days.

HR may contend that the necessary forms and disclosures above are all provided by a vendor or the Credit Reporting Agency itself. But these forms could still contain errors or be outdated and therefore should be reviewed for compliance just as loan forms are all reviewed for compliance and accuracy. The bank is still the one liable for deficiencies.

In this particular case the form in question, “A Summary of Your Rights Under the Fair Credit Reporting Act,” which is often referred to as a “Summary of Your Rights” disclosure is in Reg V, 12 CFR Part 1022 from the CFPB under Appendix K. The bank must provide the employee or applicant with a Summary of Your Rights in the form prescribed by the CFPB. We all know forms change from time to time.

In March 2023, the CFPB published an updated “A Summary of Your Rights Under the Fair Credit Reporting Act” form and the required usage begins March 20, 2024. The updated form added verbiage designed to alert the applicant or employee to his or her rights to place a “security freeze” on their credit report from a consumer reporting agency and the contact addresses for certain agencies such as the OCC were updated. This security freeze will prohibit the consumer reporting agency from releasing information in the job applicant’s or employee’s frozen credit report without their express authorization, and the OCC address was changed to include P.O. Box 53570, Houston, TX 77052 instead of the street address at 1301 McKinney. That is one way to know you have the current form; just look for the section using the term “Security Freeze.”

In researching the form for this article, I found many instances of the old form first. Because the new form (linked below) was optional for the last year but is soon to be mandatory (again as of March 20, 2024) it is a last opportunity to ensure your HR department is using the correct version.

New Summary Form linked from the BOL Regulations pages: https://www.bankersonline.com/regulations/12-1022-appk

Employees, Social Media, and Ownership

By Andy Zavoina

Does your bank outsource its social media work or have one or two enthusiastic employees who just “get it” and love posting on social media on behalf of the bank? If so, this brief article is for you because the bank needs to worry about work product and copyright and ownership of these accounts. If there isn’t a clear path on who owns these social media accounts, there needs to be.

JLM Couture is a company dealing in bridal gowns, bridesmaid dresses and the like. Like a bank or any other business, JLM sees value in a social media following. In this case JLM had a contract employee who managed, among other things, social media for the company. In JLM Couture, Inc. v. Gutman, the company and the designer had an employment contract. This contract was detailed and addressed most of their relationship, but not social media accounts. As you will imagine, there was a parting of the ways and a lawsuit that has gone on for over two years.

The case has gone from federal district court to the 2nd Circuit and back again. One issue was work product and who owned the social media accounts the employee was managing for JLM.

When the relationship ended, JLM claimed ownership of the designer’s Instagram, TikTok and Pinterest accounts. They argued that she created them in her capacity as an employee and it was a work product. Gutman argued that she created them in her personal capacity, they were registered in her name, and she did not pass ownership to JLM by agreeing to use her accounts to market JLM’s products. Part of JLM’s argument was that ownership passed because of a provision in their contract with Gutman which provided that all “designs, drawings, notes, patterns, sketches, prototypes, samples, improvements to existing works, and any other works conceived of or developed by [the designer] in connection with her employment with the Company involving bridal clothing, bridal accessories and related bridal or wedding items,” are works for hire and the exclusive property of JLM.

Originally, the federal district court gave JLM control and created a six-factor test that it developed specifically for social media ownership disputes. On appeal, the 2nd Circuit disagreed with this methodology and ruled that traditional property law principles would apply. The 2nd Circuit noted that if Gutman created the accounts using her personal information and for her personal use, then she is the owner of the accounts. Gutman could have transferred ownership to JLM by contract, but the court noted that transferring rights to content posted on the account is different from transferring ownership.

Some lawyers would potentially read this differently, as the 2nd Circuit did when it said the social media did not qualify as “other works” because under the general principle of contract interpretation “the ordinary meaning of general terms at the end of a list must be interpreted to embrace only objects similar in nature to those objects enumerated by the preceding specific words.” In this case, the items listed are closely related to fashion design and are things that might be sold to the public, but social media accounts are far separate from those.

My read on the case is that one party felt it could broadly interpret the agreement it had with an employee and say the company owned these accounts. But legally that was not as clearly stated as JLM believed. More than two years of lawyer costs and court fees have been billed and the case goes on. Social media accounts your bank feels it owns have value and should be in the bank’s name and tied to bank-owned email accounts and paid for (as necessary) by the bank. They should not be in an employee’s name just because that employee opened the account. Postings should not be mixed between personal and business purposes unless they are the same.

In my area, a successful high school athletic director and head football coach enjoyed many years of success with his team. Early on in these successful seasons he convinced the school board that they needed a new identity, and they became known as the “Bulldawgs” or the “Dawgs” for short, they play at Bulldawg Stadium, and he tweaked the logo that is virtually everywhere. But winning seasons don’t last forever, and the coach and school have parted ways. As he collected his severance, he reminded them that he would be generous and allow them to use the name and logo he copyrighted but only for a brief time. After that they could change it or license the rights from him. We will have to see how that goes, but years of litigation are not really an option and should not be for your bank either.

Federal Preemption in Question

By Andy Zavoina

The dual banking system we enjoy provides that banks can, in general, choose to be chartered as a national or a state bank. This choice leads to determining who a bank’s primary regulator will be and what laws and regulations will apply to it. National banks still have to follow some state laws and state banks still have to follow some federal laws, so it is never “all or nothing,” but there are advantages and disadvantages to each.

National banks are still subject to many applicable state laws such as those affecting contracts, property rights, and debt collection, when those state laws do not conflict with the purpose of a federal law. Nonetheless, federal law preempts state laws that interfere with the powers of national banks. The doctrine of federal preemption is grounded in the Supremacy Clause of Article VI of the Constitution and the Supreme Court has held that, “under the Supremacy Clause . . . any state law, however clearly within a State’s acknowledged power, which interferes with or is contrary to federal law, must yield.” The Supreme Court held that the National Bank Act of 1864 (NBA) preempts state laws that “significantly interfere” with a “national bank’s exercise of its powers.” In some cases, a federal law explicitly says it will preempt others and in some cases this is implied. The Office of the Comptroller of the Currency (OCC) is the primary regulatory agency to oversee national banks and it has taken a broad view of the preemptive effects of the NBA.

One question that is currently being posed is to what degree does a state’s law have to “significantly interfere” to be overridden by a federal law?

Bank of America N.A. v. Riffard, a case with the decision still pending, is one of two preemption cases we will discuss. In this case, Bank of America believed the Wisconsin Consumer Act (WCA) did not apply to it. Jean-Pierre Riffard had two separate credit cards from Bank of America and defaulted on the monthly payments on each account. Bank of America sued Riffard for breach of contract due to his nonpayment. Riffard argued the case should be dismissed because Bank of America never provided him with notice of his right to cure before accelerating his debt and suing him, as required by the WCA. Bank of America argued the NBA preempts the WCA.

The WCA is a state law that regulates consumer credit transactions and debt collection. Under section 425 of the WCA, a creditor must give a consumer notice of any default on a credit account and an opportunity to cure the default.

The Wisconsin circuit court hearing the case agreed with Bank of America but noted there are differing results from the courts on this matter. The Eastern District of Wisconsin held the WCA provision is not preempted in Boerner v. LVNV Funding LLC (2019). Contrary to this, the Western District of Wisconsin held the WCA is preempted in Lako v. Portfolio Recovery Associates (2021). In Lako, the district court concluded “the WCA goes beyond debt collection and sets conditions on the lending relationship between the creditor and the borrower.” The court also noted in Lako that the WCA prohibits not only the debt collection, but also acceleration of the debt until state-required notices are made.

Last November the case was heard by the Wisconsin Court of Appeals. Riffard characterized the WCA’s notice-to-cure provisions as debt collection rules that are not preempted while briefs in support of Bank of America argued that applying cure notice requirements to national banks would subject them to each state’s regulatory requirements and defeat the NBA’s purpose of having a uniform regulation for national banks.

On February 27, 2024, the Supreme Court of the United States (SCOTUS) heard oral argument in Cantero v. Bank of America, N.A. In this case the question is whether the NBA preempts a New York statute requiring banks to pay interest on mortgage escrow accounts. The 2nd Circuit ruled that the application of the New York statute to national banks is preempted by the NBA, and this reversed a lower district court ruling.

The OCC has provided preemption regulations for the benefit of national banks so that each can rely on these rules and choose not to comply with many of a state’s consumer protection regulations. As SCOTUS contemplates this Cantero case, if it does not believe the NBA preemption applies to the New York law, it will directly call into question the validity of the OCC’s preemption regulations. This would mean that each national bank should then reconsider any preemption laws it is taking advantage of, which could also be questioned, and determine whether the bank must now comply with those state consumer protection laws and regulations. If SCOTUS provides an adverse ruling to Bank of America, it could be adverse to all national banks and trigger a wave of actions by state Attorneys General as well as private litigation against national banks based on violations of state consumer protection laws and regulations, as in the Riffard case. Would these actions be limited to a SCOTUS decision date forward, or be retroactive and open to many class action cases? There is no crystal ball that could forecast the probable causes and effects of such an action, but in researching this article I did come upon an October 12, 2000, article in The Oklahoman addressing one charter switch by the then new Peoples Bank of Oklahoma. The article stated, “Within 30 days, the bank… had virtually doubled its monthly income. Its lending limit had climbed from 15 percent to 30 percent of its capital. In addition, the bank’s annual regulatory fees had dropped significantly.

“We’ll save six or seven thousand dollars a year just on the fees we pay,” board member Randy Wright said. “That’s almost a month’s income. With a small bank like ours, every dime counts.” The article went on to point out, “For Peoples Bank, the decision to convert was purely financial.”

For other banks, like Arvest – which converted four banks this summer – the change had less to do with economics. “We eliminated two regulators. We did it to simplify things,” said Neil Schemmer, chief executive officer of the recently converted Arvest Bank in Norman. “Until this summer, all but five of the 16 banks in Arvest’s holding company were state-chartered banks,” Schemmer said. “Now, all but one are.” There may be many reasons for banks to make charter choices. If there are fewer NBA protections, that may affect banks’ consideration of a national bank charter choice.

February 2024 OBA Legal Briefs

  • CFPB Proposes New NSF Fee Rule
  • Overdrafts — Comments Requested

Editor’s Note: We do not usually write about proposed rules in Legal Briefs because so much can change between publication of a proposal and issuance of a final rule. However, we believe that Oklahoma’s bankers need to know about both of the recent CFPB proposals discussed in this edition.

CFPB Proposes New NSF Fee Rule

By John Burnett

On January 24, 2024, the Consumer Financial Protection Bureau announced a proposal for a new regulation on non-sufficient funds (NSF) fees. That should not have been a surprise, because the CFPB mentioned the possibility of a rule on NSF fees at least as long ago as 2022, when its Fall Regulatory Agenda indicated the Bureau was considering whether to issue new rules regarding them.

Now, the “other shoe” has dropped. Perhaps we should call it “a mismatched shoe,” because the new regulation proposal does not reference current financial institution practices regarding NSF fees. Instead, it anticipates that a bank or credit union might just be looking for a new fee income source, and the Bureau proposes to “nip it in the bud” before the idea can become a reality.

In short, the Bureau wants to ban something that almost no one (that the Bureau knows of) practices, but someone might try in the future. Here is what the proposal is all about.

It happens all the time — Someone taps their debit card on a POS terminal at Walmart to pay for a cartload of groceries, and the terminal displays “denied” or provides some gentler negative response because the cardholder’s bank account isn’t up to the task, the well is dry, or, in banker-speak, the account balance is “non-sufficient,” and the bank will not approve a transaction that would overdraw the account. The same result can be seen at an ATM, and in some peer-to-peer transfer networks.

The Bureau thinks that there might be a bank, credit union, or P2P network out there looking for ways to replace some of the fee income it has given up (perhaps in the current campaign against “junk fees”), and counting the number of NSF responses it sends back on ATM, POS and transfer authorization requests to see if they might be leaving some fee income on the table.

So, in a remarkably short Federal Register document (only 68 pages in all, with just over one page devoted to the words of the regulation), the Bureau has proposed a new regulation (Part 1042) to say, in essence, “Don’t you even THINK about doing that!” by borrowing the definitions of “account” and “covered financial institution” from Regulation E and defining a “covered transaction” as “an attempt by a consumer to withdraw, debit, pay, or transfer funds from their account that is declined instantaneously or near-instantaneously [sic] by a covered financial institution due to insufficient funds.”

That’s followed by a definition of “nonsufficient funds fee” as “a charge that is assessed by a covered financial institution for declining an attempt by a consumer to withdraw, debit, pay, or transfer funds from their account due to insufficient funds” regardless of how the financial institution labels the fee. Then the proposed rule declares the charging of such a fee to be an abusive practice and prohibits it. A short little regulation with three little sections, about 270 words (including headings), and no official interpretations (as proposed).

I will not ask whether your bank has been thinking about imposing these “real-time” NSF fees, or whether, after reading the proposed rule, your bank changed its mind.

Comments are due by March 25, 2024. If you have a comment to offer, check out the guidance for commenters at the end of Andy’s article below.

Overdrafts – Comments Requested

By Andy Zavoina

In late 2023 there were a reported 4,645 commercial banks, 574 savings and loan associations and 4,994 credit unions in the United States. That is 10,213 financial institutions if you do not want to do the math. This gives you an idea of the “universe” which can be impacted by a new rule or interpretation. But some rules and interpretations do not actually affect all financial institutions.

When a new proposal or rule is published, the first thing I would do is determine the impact of the proposal on my bank based on a general description and, if it will apply to me, when it is going to be effective. Well, on January 17, 2024, the CFPB released its proposal to “close the overdraft loophole that costs Americans billions each year in junk fees.” How will it accomplish this? With a tweak of a few words in a few regulations, in certain conditions overdraft fees will be considered finance charges under Reg Z and Truth in Lending. Now my head begins to spin as I fear making APR disclosures, usury limits, periodic statements and those things associated with loan closings and lines of credit. But am I getting ahead of myself? To be clear, this rule will impact only the largest banks, those at or over $10 billion in assets.

If your bank is not in that category, please DO NOT STOP reading now and move on to more meaningful issues affecting your bank. While the CFPB estimates only 175 financial institutions will be impacted, and the math tells us that this amounts to a mere 1.71 percent of all financial institutions, there are some people who believe this rule could trickle down to smaller, community banks. According to the FDIC, Oklahoma has 178 banks with main offices in Oklahoma. Only a small percentage of these will be in the larger bank category and subject to the new rule, when and if approved.

Think about the process involved in a Notice of Proposed Rulemaking (NPRM). A proposal is made, and comments are requested. In a proposal that will relieve the American public of paying “billions of dollars” each year in non-sufficient funds – junk fees – charged by “banks” (meaning the financial institutions referenced above) where will the comment letters in support of, and against, all or some of the proposed rule come from? Will more come from the consumer protection organizations and the American public, or from those 175 banks? And will the final rule indicate overwhelming support for the proposal based on the comment letters, or that thoughtful comments indicated that overdraft fees are not always bad, these serve a purpose, and help in controlling fees in general charged by banks, they act as a deterrent for writing bad checks and should not be mischaracterized as “junk fees.” Would you be surprised to read that “based on overwhelming support of the proposal” it is approved? And do not forget the political aspects of this in an election year. The president and his staff have dwelled on junk fees and the large dollars collected by banks from consumers.

I want to explore the concept of “consumer protections” and the intent of these rules and contrast this to rules applicable to larger banks as compared to smaller banks. Using the Home Mortgage Disclosure Act (HMDA) as an example, when reporting is limited to larger institutions, the amount of data gathered is proportional to the size of those lending institutions. By limiting the application of the rule to the larger volume lenders the public gets the vast majority of the lending data gathered. Having such a rule excluding the smaller lenders makes review and analysis of trends much easier and it is cost effective, especially for those smaller lenders who have the same data gathering burden but far fewer resources and less technology to meet the requirements. Having the smaller lenders exempt from reporting takes away little data. In years past the CFPB did increase the reporting threshold for HMDA applicable loans. This increased the number of exempt lenders and therefore took away a small amount of data. It worked just as planned. The public and regulatory agencies received useful data and the smaller lenders were able to still make loans supporting the housing efforts of their communities yet deploy funds and assets elsewhere to facilitate an overall more effective community bank.

But no good deed goes unpunished. There was a court case which argued that data was necessary to properly evaluate the housing efforts of even the smaller lenders and the action was successful. The argument that less data still accomplished the goals of HMDA was not enough and the CFPB did not appeal the decision. The threshold dropped to its prior limit. Now a larger segment of smaller volume lenders is once again recording and reporting HMDA information. My point is, the objectives were met even with the higher limit, but the argument that a more microscopic application better meets the needs for more finite reviews prevailed. At the end of the day, consumer protections against discrimination were deemed better met by applying the rules uniformly down to smaller lenders and eliminating only the smallest of low-volume lenders.

Contrast this HMDA example to a true consumer protection regulation. The former is based on a bulk of transactions and analysis using a broad brush, and the latter is based on individual transactions. The overview of the proposed overdraft fee rule includes three important points.

  1. The proposal would require very large banks to treat commonly used overdraft protection as credit, making it subject to Reg Z disclosure requirements and other protections that apply to credit cards and loans.
  2. The proposed rule provides those banks subject to the rule two options on how to approach handling overdrafts. The bank could offer overdraft loans, officially offering lines of credit and triggering a multitude of disclosures and statements (i.e., processing) meaning potentially systems improvements and all that comes with such an undertaking. Alternatively, the bank could offer overdrafts as a courtesy service where fees do not exceed costs and losses, using a “breakeven standard” calculation or, optionally, a “benchmark fee.” Currently these benchmark fees being proposed are $3, $6, $7, or $14. The CFPB estimates the average fee is currently $35.
  3. The new rules would apply to banks and credit unions with $10 billion or more in assets and, if finalized as proposed, would go into effect in October 2025. That provides nearly two years to prepare from the publication of the NPRM.

Under a data gathering rule, there is the broad brush used to effect protections and these take extended periods to provide substantive information to act on. In this proposal it is individual transactions which will be impacted. Which is truly the most effective form of consumer protection? There is no denying that individuals who are protected at each transaction receive the most benefit and more quickly than is derived from data which takes years to accumulate and analyze. How can any regulatory agency that is responsible for consumer protection actions justify applying such a rule based on the asset size of the lender when all banks are subject to Reg Z already? A depositor with an overdraft at a smaller community bank would not be entitled to the same protections afforded a similar consumer at a larger bank even when both banks are subject to the same regulation that provides the protections.

If you are keeping a tally of the impact this rule poses and are comforted by the fact that your bank is under the $10 billion threshold, do not take that sigh of relief too soon. The CFPB has hinted at potentially applying this rule to smaller banks, stating that the CFPB intends to “monitor the market’s response” before deciding whether to expand the scope to smaller banks in the future. In the future it would be quite easy to justify expanding this proposal to all banks.

I ask you, what is the “market’s response” to this proposal if fewer than 175 banks comment? Certainly, banking organizations will respond but I would add that thoughtful comments from the smaller and as of yet unaffected banks need to be made to better protect those who do not want the options described above in their future. I would add that once the larger banks have adapted to the new rule and vendors have worked through the technological hurdles, it will be deemed a much easier process for smaller banks to adopt the same rules.

As a brief background, Congress gave us the TILA in 1969 and the Federal Reserve then gave us Reg Z to implement it. As to the use of currency, checks were frequently used by consumers to send money and pay bills. Zelle and similar programs had not been invented. Check volume was huge and growing annually. It was recognized at that time that check processing was labor intensive. The processing technologies banks have used for decades did not exist then. Checks were manually encoded, and the items were compared to account balances. They were typically manually reviewed, account analysis was completed, and someone made a decision to pay or return an item. The bank had policies that would have included considering how long the bank has had the account, the average deposit balance, when deposits were made (direct deposit was not required or even highly encouraged until the 1970s) and how often the account had checks presented that exceeded the available balance. It was a costly and manually intensive process. The Fed exempted overdraft-related costs from Reg Z requirements if the bank honored a check when its depositor “inadvertently” overdrew their account. Over recent years banks have been careful not to confuse inadvertent overdrafts with lines of credit because the costs of disclosing the latter can be high and smaller banks may not even have the technology to meet the Reg Z disclosure requirements. Overdrafts were not nearly as frequent in 1969 as today, and banks imposed fees to cover these processing costs as well as to incentivize the depositor to not overdraw their account.

Banking technology has come a long way, and these costs are now greatly reduced and may be deemed truly minimal, other than the costs of the technology used and the cost of funds. Reg Z has retained this exemption, but this is what is now being considered for removal. This intentional exemption is the loophole in question.

The loophole is in the definition of “finance charge” at 1026.4(c)(3). Paraphrasing from the NPRM, page 64, “These proposed changes require compliance with not only Reg Z when providing higher than breakeven overdraft credit services described below, but would allow those banks to continue to comply with Regs DD and E when providing non-covered overdraft credit services at or below breakeven pricing. This means the banks that have invested in compliance with Regs DD and E could maintain their current processes for providing consumers with non-covered overdraft credit so long as it priced such credit at or below breakeven pricing.” Reg E will require some tweaking as well to allow complete compliance with this proposal and as credit products, banks may start reporting these overdraft lines to credit bureaus.

Reg Z would have new key terms and definitions that would become commonplace in discussions as operations and lending bridge these overdraft gaps, terms like overdraft credit, above breakeven overdraft credit, covered asset credit account, covered overdraft credit, covered overdraft credit account, and hybrid debit-credit card.

I also find it interesting that it is never mentioned that in most cases writing a check against non-sufficient funds is typically a misdemeanor, a crime. Neither banks nor regulatory agencies should encourage such an act. Providing both payment options, the approval of an inadvertent item and a line of credit cause the items to be paid rather than returned, avoiding misdemeanors and fees from those on the receiving ends of the checks. This protection ends when banks begin returning the items because they cannot pay the items due to cost inefficiencies. These inefficiencies will be based on the lower income derived from overdrafts, potentially increased costs due to losses and the cost of technology to support lines of credit if that is what banks opt to offer.

While banks can continue to provide courtesy overdraft credit as is often done now, the fees which will be regulated would be assessed against a breakeven calculation or a benchmark amount. If the fees are equal to or less than these metrics, the overdraft credit provided would not be subject to Reg Z. Using this low-cost approach will exempt the bank.

  1. To use a breakeven standard the CFPB would require the bank to determine its total direct costs and charge-off losses for providing overdraft credit to all accounts open at any point during the previous 12 months. This amount would then be divided by the total number of overdraft transactions attributable to those accounts occurring in the previous 12 months. The proposal includes guidance on the types of costs and charge-off losses that a bank may consider when making this calculation.
  2. The CFPB proposes to set this alternative fee, a breakeven fee at $3, $6, $7 or $14, and the Bureau believes this would create a “simple bright-line method” for the very large banks to use when assessing whether the overdraft credit they provide is below or above the breakeven threshold. The CFPB reached each of the benchmark fees by applying different calculations to relevant data collected from eight of the large banks.

The alternative to use of the breakeven or benchmark fees is overdraft lines of credit. Overdraft credit can be provided at a cost higher than the breakeven standard or the benchmark fees described above, but the cost to the bank is that these would be subject to Reg Z.

This compliance would require treating transfer fees (line of credit to overdrawn account) as finance charges, or the bank can eliminate those fees altogether. This line of credit then offers consumers a means of repaying their overdrafts other than by preauthorized EFTs. This line of credit facility also means compliance with the regulatory provisions in Reg Z that apply to credit cards that would newly apply to certain types of covered overdraft credit. This requires systems and new skillsets for your staff.

Banks would then be required to make mandatory disclosures to consumers disclosing the cost of credit and more. Hybrid debit-credit cards used by consumers to access overdraft credit would be subject under the proposal to the Credit Card Accountability Responsibility and Disclosure (CARD) Act-related sections of Reg Z. These would include, but are not limited to, ability-to-pay underwriting requirements and limitations on penalty fees.

The proposal also requires that overdraft credit be structured as a separate credit account, not a negative balance on a checking or other type of transaction account. The underlying checking or transaction account would be considered the asset account and tied to the separate credit account created for the overdraft credit. This separate credit facility would have its own due date at the same time for each period. That means that if a $100 item is paid on the first against a deposit balance of $40, the $60 goes to the credit facility. If a deposit of $100 to the deposit account is received on the second, there is no setoff available. The $60 owed is under the credit line and is not owed until the billing is due, possibly at the month end, as an example. The billing dates will have to be on the same day of each billing cycle.

The banks subject to the proposed new rule would also be prohibited from compelling consumers to use automatic payments to repay overdraft credit, which would effectively require them to provide consumers with at least one alternative repayment option.

One point I have not seen addressed yet includes those consumers subject to the Military Lending Act (MLA). The bank would need to know who these consumers are in order to meet the disclosure requirements of the MLA. Currently the MLA is moot. In the FAQs published in the Federal Register, Vol. 81, No. 166, Friday, August 26, 2016, under Section II, question 1, it asks, “What types of overdraft products are within the scope of 32 CFR 232.3(f) defining ‘consumer credit’?” The answer includes, “The MLA regulation generally directs creditors to look to provisions of TILA and its implementing regulation, Regulation Z, in determining whether a product or service is considered “consumer credit” for purposes of the MLA. Also, the supplementary information to the July 2015 Final Rule discusses coverage of overdraft products.

The MLA regulation defines “consumer credit” as credit offered or extended to a covered borrower primarily for personal, family or household purposes that is either subject to a finance charge or payable by a written agreement in more than four installments, with some exceptions. The exceptions include “residential mortgage transactions; purchase-money credit for a vehicle or personal property that is secured by the purchased vehicle or personal property; certain transactions exempt from Regulation Z (not including transactions exempt under 12 CFR 1026.29); and credit extended to non-covered borrowers consistent with 32 CFR 232.5(b).”

If overdrafts are paid from a line of credit and are subject to Reg Z, in addition to the CARD Act and ATR, there will be MLA requirements. The bank will have to know if it is dealing with a covered borrower at the time the credit is offered. This includes dependents. There are written and oral disclosures required as well as a Military Annual Percentage Rate.

Most banks are aware of the “all in fee” nature that the MAPR has resulting in a higher rate than Reg Z APR. But the open-end MAPR is different still. From the CFPB exam manual — “…the MAPR for open-end credit should be calculated following the rules for calculating the effective APR for a billing cycle as set forth in 12 CFR 1026.14(c) and (d) of Regulation Z (as if a creditor must comply with that section) based on the charges listed above. Even if a fee is otherwise eligible to be excluded under 12 CFR 1026.14(c) and (d), the amount of charges related to opening, renewing, or continuing an account must be included in the calculation of the MAPR to the extent those charges are among those in the above Types of Fees to Include in MAPR Calculation.” While the MAPR will still be capped at 36 percent and presumably all the fees will be compliant and reasonable, the minimum fees will have to be weighed against the amount of the credit and the date of the payment due from the consumer. How close to 36 percent could possible scenarios get? When and how often will banks be required to verify with the DMDC database that their overdrawing consumers are covered or not?

There are many questions, and I believe that every banker who reads the 211-page proposal will ask themselves similar questions, but also a few unique ones. Comment letters that all banks are encouraged to submit should pose these questions so that guidance can be included in a final rule and not offered in the distant future when the questions are real and not hypothetical.

While this article is not intended to serve as a how-to on writing a comment letter, I am asking all banks with an interest in the overdraft topic now or in the future to seriously consider sending one. Therefore, I will include points common to comment letters though few comment letters would ever be considered wrongly sent.

  1. Read the entire proposal to best understand the requirements and ask meaningful questions supported by realistic and factual scenarios to support them.
  2. Where any questions are asked in the NPRM of those submitting comments, answer them. This increases the usefulness of the process especially in those which ask, “what is the impact of…” on a bank or consumer.
  3. Use facts and refrain from personal comments such as “the proposal is unfair because…” or in this case, “the consumer wrote the check, and we disclosed the fee and that’s all that matters.” That would take the process nowhere and is often just subjective. Cite facts and conditions which support the bank’s position that this is a cost-effective option when considered overall. If more checks are being returned the consumer will suffer more costs, especially from merchants not obligated to keep fees low for returned payments, and for consumers who later find it harder to bank anywhere due to poor management of checking accounts in the past.
  4. Specifically quote the proposal where appropriate so the reader knows exactly what your comment pertains to.
  5. Some banking organizations may prepare comment letter templates. These are useful as to providing guidance on topics and formats. But the regurgitation verbatim of someone else’s comment letter is nothing better than a tick mark for, or against something as the comments have already been stated and read. It will add to support your position, but in a less meaningful way.
  6. Offer suggestions on issues that are realistic and meet the goals of both your bank and the consumer’s needs for protection. After reading the proposal, you will read about issues such as, “For example, CFPB research found that in 2012 the median overdraft fee was $34, the median size of a debit card transaction incurring an overdraft fee was $24, and that the majority of non-covered overdraft credit transactions were repaid within three days. Putting these figures in lending terms, the annual percentage rate (APR) for such a non-covered overdraft credit transaction would be 17,000 percent (if transaction fees were included in the APR calculation).” This is where the cost to actually process a transaction comes into play, as well as losses and collection expenses. I see the APR as less of an issue when the fees are reasonable. It is not enough to say an APR is not reasonable when the actual fee is only a matter of a few dollars. Expressing that minimal fee as an annual rate provides an unbalanced calculation.
  7. Balance your comment letter based on the bank’s experience as a whole. That is, consider the side of the loan department as well as operations for the big picture.
  8. The pounds test is not a goal to be met here. Do not add comments that go on and on so that if printed, you will have the longer document. Succinct and meaningful comments that convey valid points will be held in higher regard as being productive for all. You don’t need to address every issue raised in the proposal. Focus on the elements most important to you and your bank.
  9. If you read other comment letters or reports in the press, you will understand those who disagree with your position. With this understanding you can better offer intelligent counterpoints.
  10. The comment period for this proposal ends April 1, 2024. You should have your letter in by that date. Sending it electronically is the fastest and easiest way to make a submission. Prior to sending yours, you can read others that have been submitted and remember your comment letter will also be publicly available. For this reason, bank management and/or counsel may want to be involved in the process. The NPRM itself contains instructions for all this.

 

January 2024 OBA Legal Briefs

  • ’Tis Still the Season — Security and Fraud Losses
  • MLOs Hirable Now — Changes in Section 19
  • AI in Banking

’Tis Still the Season

By Andy Zavoina

Security and Fraud Losses

The holiday season has ended and now it is all about the returns. Side note – it is a great time not to be working at Amazon. What does all this have to do with banking? Money. Your depositors have it and there are thieves out there who want it even more than the retailers. When a retailer is paid by your customer, it is because your customer spent their money at that store. It is an honest buyer and seller relationship. But there are thieves out there waiting to scam and steal from your customer. In many cases, when the thieves steal your customer’s money, they are really stealing from the bank by using the weakest link, the customer, to get access to it. Some of these customers may be negligent and others fall for a good story filled with deception and technology tricks. The type of customer and type of loss will influence whether the customer or the bank will be taking this loss.

We have all seen check fraud increase even as the overall use of checks has declined by 7 percent according to the Federal Reserve. One report indicated that 70 percent of banks have experienced an increase in fraud over 2021. Fraud losses are increasing by about 65 percent from $2.3 million in 2022 to $3.8 million in 2023.

One barometer to see what is happening on this front is the growth in the numbers of Suspicious Activity Reports (SARs) for check fraud cases filed by banks. According to Financial Crimes Enforcement Network (FinCEN) data, it is up 201.2 percent between 2018 and 2022. With 447,525 SAR check fraud reports in 2023 through October, the year was on track to beat 2022. Check fraud SARs have increased more for personal and business checks than for any other financial instrument. Check fraud accounts for one-third of all the fraud banks are experiencing, excluding mortgage fraud.

The Federal Trade Commission (FTC) estimates Americans lost $330 million to text scams in 2022. That is up from $86 million in 2020. Text messages are fast, cheap, and easy to send from anywhere. The median loss in cases like these is $1,000.

Your consumer customers are often the main target of these thieves, especially during peak sales seasons such as the holidays we are now recovering from. You may not have heard of all the fraud committed yet, as many customers will not be aware until they have their latest statements – that is, if they actually review them.

Scams accounted for 12 percent of the fraud transactions, with two key scams standing out. The first is a thief impersonating a bank security or support person and the other is an IRS scam. The former instills a fear of immediate loss with the hopes of an immediate recovery if they act fast, and the latter one of red tape and a never-ending issue of audit, collections and threats of arrest.

Let’s look at business customers. Say your business customer “A” regularly pays business “B” for services rendered. One day an employee in accounting receives an email from a person at “B” they frequently correspond with. The message says they have changed banks and provides new payment routing information. What is the proper procedure here? Should “A” verify these changes with a trusted source at “B” or make the changes and move on? Business email compromise (BEC) happens, and if that email is not questioned and verified, future payments will go to a thief and the payor will not be aware until “B” contacts them about the past due status. As soon as funds reach the thief’s account, they are almost immediately wired out and unrecoverable. If either the payor or payee is aware of the payment within a day, there is a chance for a recovery. In instances like this the payor still has to make a payment, and “B” may be having cash flow problems while this is figured out. The payor’s procedures will be questioned, and the bank may be held to blame if its customer is the payor in this scenario. Why the bank? Because it has deep pockets, and customers who demand privacy also believe the bank knows this payment is uncharacteristic for one or more reasons.

BECs often take the form of fake invoices from real vendors or business partners, fake requests from upper management to transfer funds to a bank account that actually belongs to the attacker, and fake notifications from real vendors and business partners of changes in banking account information. These bank customers are not protected by Reg E and the Electronic Fund Transfer Act, but they may be under the Uniform Commercial Code (UCC). That is their hope, and the bank may be their best chance for recovery. The fact that the bank followed the payment order it was given is a moot point. But there is hope for the bank. Review UCC 4A-207 in situations like this. This section provides that if a payment order (including wire transfers) received by the payee’s bank includes the payee’s name and a different account number than the payee’s real account number, the bank is not liable for the misdirected wire unless the bank had “actual knowledge” that the payee’s name and account number referred to different persons or entities. The bank does not need to affirmatively determine whether the name and number refer to the same person. UCC 4A-207(b)(1). But if someone in your wire room is keying in information on incoming transfers and your system displays the account owner name before the input date is checked and “enter” is clicked, it will be hard to claim the bank was not aware of a mismatched name and account number.

Much of the loss prevention effort employed by banks today is older technology dating back to the 1990s. Those banks experiencing sizable amounts of check fraud losses should invest in newer technology and these banks should see a significant return on the investment as losses are curtailed. Artificial Intelligence (AI) can be employed and will make it easier, for example, to detect unusual transactions in a customer’s account and immediately confirm those transactions with the consumer. This technology can play a dual role to both reduce fraud and indicate Bank Secrecy Act red flags on transactions and account relationships.

The customers can take another preventative measure themselves as banks tout the security of using electronic payments over paper. Businesses have many cost-effective options such as automated cash management services. At the end of the day, their loss exposure is lessened with each check they do not write.

Banks must do a more effective job of educating customers about security. A recent survey by PYMNTS.com indicated customers prefer multifactor authentication (MFA) each time they access their accounts and send or receive funds. According to the poll, eighty-three percent of respondents said they want MFA for riskier transactions, such as accessing a bank account from an unknown device, changing personal information in a bank account, and spending or sending larger sums of money electronically. Sixty-two percent wanted MFA for routine transactions such as accessing a bank account from any device or transferring money to family and friends. More than half said they prefer MFA for low-risk transactions such as paying bills, rent or loans. Smartphones are making this easier than ever with biometrics such as fingerprint and facial recognition to act as their MFA.

When I was in the military there was always the same lesson plan to be followed when teaching, which is what the bank should be doing here. Tell them what you’ll tell them, tell them, and tell them what you told them. It is difficult to get the attention of customers and to convince them that security of their access information is everyone’s job. So, you must constantly remind them and mix your messages about security protocols. Marketing needs to work with compliance, security and those who investigate fraud and other losses to deliver the message.

1. Does your bank encourage customers to review their statements or at least regularly review their balances and transactions online? Perhaps customers can be incented to do either or Marketing can make doing so fun in one way or another. But customers need to be reminded of this important responsibility.

2. When sending One Time Passwords (OTP), think of those six-digit codes to verify the device and access authorization to the account as the same, and ensure that each one clearly says, we will never ask you for this code. That is a very common technique for that thief to get access after sending thousands of text messages like “XYZ bank – we need to verify your $5,026 transaction at Big Box, reply “Y” to accept the charge and “N” to deny it. If you have a question, call the bank at 623-387-6862.” All the customer wants is to refuse the charge. The thief will get a verification that a fish is ready to take the bait when they reply “N,” or the customer will call, and the hook will be set. The thief discusses how this happened and what needs to be done to save the customer their money and part of that is verifying they have the right customer. To do that the bank (thief) will send a six-digit code and the customer needs to give them that number back. That is when the customer must have had positive reinforcement TO NEVER GIVE THAT OTP CODE OUT. Even when the security officer says it is OK this time. The security officer/thief will immediately change that password to the account and clear out the balance. The bank is then carefully reviewing Reg E to see who is liable for the losses — the bank or the consumer. And by the way, the “bank’s phone number” above translates on the phone touch pad to “MAD EUP NMBR” and if your customer is calling the bank, they should look for a known number. That “direct” line is not to the bank in any way.

3. Check washing is very popular again. Blue or black gel pens are preferred for checks as that ink is much harder to remove. Like yard signs that tout protection services, they may be real or not, but it is easier to move to the next house than find out. Skipping the gel inked check for the next one is a logical move as even for thieves, time is money. And remind customers to avoid dropping outbound mail in those blue boxes or leaving it in their mailbox with the flag up. Have it picked up by postal personnel or drop it in a lobby slot at the Post Office.

4. Use the internet banking bill pay services when checks are needed for recurring payments.

5. If the customer transfers money using Zelle, PayPal and the like, have they verified who they are sending that money to? Sending $1 and getting verification that it was received with a call or verified text and then sending the rest can save money when there is a thief or just a wrong number.

6. When it comes to passwords, four-digit numerical PINs are terrible security even though there are 10,000 possible combinations. Hackers who steal phones are not sitting at the table trying 0 – 0 – 0 – 0, then 0 – 0 – 0 – 1, and so on until it works. A four-digit PIN can be cracked by a computer in less than a second. Six digits are better but “real” passwords are better yet, and biometrics are best. If the desired security is “something they have” and biometrics is not acceptable to customers or is one part of a verification process, another option is a security key. These cost about $50, and a device will not unlock or a site requiring logon credentials will not work without the physical key. The less expensive way to accomplish this is with an OTP generator so the customer has to know where to go and to sign in to get the OTP.

Good security is a pain in the wallet area, but also a great preventer of another pain in the wallet when a customer finds out their accounts have been drained, that lines of credit were accessed automatically to cure overdrafts, and that they still have to replace the phone they lost.

7. Teach customers not to click on links or respond to text messages from an unknown source. When a text comes in asking, “This is Tina. Are we still on for lunch tomorrow at 1?” They are setting that hook and looking for a sucker. If they find that elderly, lonely customer with a savings account, suddenly the thief is a caring and good person who is willing to talk and spend time with them. Have no doubt money is the motive and that thief has no remorse as to the effects of what they do. When such a text comes in, either block the number and delete the message, or reply, “wrong number” and then block and delete. If interested, the FTC asks that suspicious texts be reported to ReportFraud.ftc.gov or forwarded to 7726 (SPAM).

8. Remind commercial depositors about BEC and account takeover thefts and encourage them to protect themselves.

Customers, all customers, should be reminded with paper statements, e-statements, when they log on to internet banking and when they receive an email or text message from the bank. In some cases, just email or text the reminder solo, without any other message. Just like for scammers, email and text messages are easy to send in bulk and inexpensive.

Another common scam is the undeliverable package. Here is one from my spam box as I write this article.

“ZAVOINA, you have (1) package pending in our warehouse.

Unfortunately, we could not deliver your postal parcel on time because your address is not correct.

Please reply to us with the correct delivery address. ___ here ____

Best regards,

Track & Trace Rewards”

There were various emojis in this HTML email and the thieves wanted the receiver to click the HTML link. They will attempt to get more information, especially banking info, or infect the computer. When was the last time you received a computer-generated message like that from FedEx, UPS or another professional company? My old home, in the city limits and to which packages are regularly delivered, is not difficult to find. Yet the only reason the scam is being run is because it works. In a recent cybersecurity presentation I attended, one session discussed when law enforcement recovered the original mailing list from a thief. The police contacted those on the list and found that 18 percent of the recipients had responded favorably to the thief. Your Marketing department would be ecstatic to have a near 20 percent response to a mass mailing.

I recently taught on my own experience where my Apple password, then 10 characters long, had been cracked. MFA prevented the thieves from getting into my accounts. I simply added a character to what I had and went on with my business. Not 12 hours later they were at it again. I had not outsmarted anyone. Long story short I made painful changes, and that logon password is now 23 characters long and I have more security protocols in place. Are they problematic when I need quick access to something? Yes, but it is all less problematic than losing everything and having some or all financial liability on top of it.

If you really want your customer’s attention, ask them if they are using cloud services from a provider tied to their phone. In the case of the Apple ecosystem things just work seamlessly and life is good. But if a thief shoulder-surfs and sees that easy to remember four-digit code and then grabs the phone and runs, they can change that person’s security code and even their main password to their Apple accounts. The thief does not need the current password to change it and the real owner can be locked out forever in minutes. That includes email, photos and Apple TV. Emphasize “photos” to your customer. If they do not have a separate backup of those photos, there may be years and years of photos and videos documenting births, deaths, weddings, holidays, and general memories only in the cloud. When your customer is locked out of their own account because of the thief, Apple will tell them there is nothing they can do as it does not have the codes or master codes to access the photos. They’re gone. Money comes and goes, but those photos are gone forever. Now the customer has a genuine interest. As a side note, Apple is working on a fix for this security change issue in an upcoming update to the operating system.

MLOs Hirable Now

We generally do not get too involved in Human Resources issues but this one has some compliance crossover implications, so it is worth mentioning, especially since we are just through the annual renewal period. Section 19 of the Federal Deposit Insurance Act contains restrictions on hiring employees with criminal backgrounds. That is, Section 19 prohibits hiring individuals convicted of crimes of dishonesty, breach of trust, or money laundering, including theft, misappropriation, embezzlement, false identification, and writing of a bad check, among others, from working in a bank without written consent from the FDIC.

But in December 2022, President Biden signed the National Defense Authorization Act for Fiscal Year 2023. Section 5705 of that Act is the “Fair Hiring in Banking” section, which instructs banks to disregard certain criminal convictions. While this eases the restrictions on the hiring of individuals with criminal records, the changes open questions regarding the de minimis standard, and whether the changes to Section 19 effectively amended Reg Z, as it applies to mortgage loan originators because of Reg Z’s references to Section 19. Specifically, § 1026.36(f)(3)(ii) addresses the qualifications of individual loan originator employees and requires the bank to review the person’s background as to meeting certain standards and states that if they do not meet these standards, “before the individual acts as a loan originator in a consumer credit transaction secured by a dwelling, that the individual loan originator:

(A)(1) Has not been convicted of, or pleaded guilty or nolo contendere to, a felony in a domestic or military court during the preceding seven-year period or, in the case of a felony involving an act of fraud, dishonesty, a breach of trust, or money laundering, at any time;

(2) For purposes of this paragraph (f)(3)(ii)(A):

(i) A crime is a felony only if at the time of conviction, it was classified as a felony under the law of the jurisdiction under which the individual was convicted;

(ii) Expunged convictions and pardoned convictions do not render an individual unqualified; and

(iii) A conviction or plea of guilty or nolo contendere does not render an individual unqualified under this § 1026.36(f) if the loan originator organization has obtained consent to employ the individual from the Federal Deposit Insurance Corporation (or the Board of Governors of the Federal Reserve System, as applicable) pursuant to section 19 of the Federal Deposit Insurance Act (FDIA), 12 U.S.C. 1829, the National Credit Union Administration pursuant to section 205 of the Federal Credit Union Act (FCUA), 12 U.S.C. 1785(d), or the Farm Credit Administration pursuant to section 5.65(d) of the Farm Credit Act of 1971 (FCA), 12 U.S.C. 227a-14(d), notwithstanding the bars posed with respect to that conviction or plea by the FDIA, FCUA, and FCA, as applicable; and

(B) Has demonstrated financial responsibility, character, and general fitness such as to warrant a determination that the individual loan originator will operate honestly, fairly, and efficiently…”

So, there are the rules and some exceptions now. Section 5705 provides that an individual no longer needs the consent of the FDIC (or NCUA if you are keeping score. Add NCUA in most places when you read FDIC here) to become employed with an insured bank or credit union for “Certain Older Offenses.” These exceptions apply where:

1. It has been seven years or more since the individual committed the offense; or
2. The individual was incarcerated with respect to the offense, and it has been five years or more since the individual was released from incarceration; or
3. The individual committed the offense when they were 21 years of age or younger, if more than 30 months have passed since the sentencing for the offense occurred.

These are lower thresholds than recognized under prior law and FDIC rules. In addition, other de minimis offenses may be exempt, subject to the FDIC rulemaking capabilities and meeting the following criteria:

1. Punishable by a term of three years or less confined in a correctional facility;
2. Offenses for writing insufficient funds checks must require that the aggregate total face value of all insufficient funds checks (regardless of the number of convictions or program entries at issue) be $2,000 or less; and
3. Other lesser offenses, like the use of a fake ID, shoplifting, trespass, fare evasion, and driving with an expired license or tag, if at least one year has passed since the conviction or program entry for such offense.

There is greater opportunity for exempting de minimis offenses. Banks are now able to move through the hiring process more easily for individuals with lesser, minor convictions than in the past. I will draw attention to the fact that the rules do not say “may consider” or “may waive,” as in “this is optional.” It says banks should disregard prior requirements where these conditions exist. Theoretically if a young employee embezzled from the bank and has been released and meets these conditions, the bank could not stand on Section 19 of the FDI Act and refuse employment.

Under the current Section 19 rules, offenses are considered de minimis and a waiver is automatically granted if the maximum punishment for the crime was:

1. imprisonment of one year or less, and the individual served three days or less of jail time, and
2. a fine of $2,500 or less.
3. Offenses for writing “bad checks” are considered de minimis so long as the aggregate value of the “bad checks” written is less than $1,000 and the payees were not an insured depository institution (IDI) or a credit union.

For a direct comparison, the Fair Hiring in Banking changes this auto-exception to:

1. if the maximum punishment for the crime were three years, calculated based on the time an individual spent incarcerated and not including pretrial detention, probation, or parole.
2. The fine is not referenced.
3. The aggregate amount of the bad checks was increased to $2,000.

Now the Reg Z issues. Reg Z prohibits banks from employing individuals in loan originator positions if that individual was:

1. convicted of a felony in the preceding seven years, or
2. “at any time” for felonies “involving an act of fraud, dishonesty, a breach of trust, or money laundering,”
3. unless they have received consent from the FDIC pursuant to Section 19.

But now the Fair Hiring in Banking provisions removed the requirement that an individual must obtain consent under Section 19 for offenses where:

1. it has been seven years or more since the offense occurred, or
2. the individual was incarcerated for the offense, and it has been five years or more since the individual was released from incarceration; and
3. the individual was 21 years or younger when he or she committed the offense and 30 months or more have passed since the individual was sentenced.

The result is a set of convictions that would require FDIC consent under Reg Z that are no longer covered convictions under Section 19. Fast forward to October 23, 2023, and the FDIC’s Notice of Proposed Rulemaking Concerning Section 19. The NPRM states:

The proposed rule would incorporate statutory changes to Section 19, including the following:

• Certain older offenses. The Act excludes certain offenses from the scope of Section 19 based on the amount of time that has passed since the offense occurred or since the individual was released from incarceration.

• Designated lesser offenses. Under the Act, Section 19 does not apply to the following offenses, if one year or more has passed since the applicable conviction or program entry: using fake identification; shoplifting; trespassing; fare evasion; and driving with an expired license or tag.

• Criminal offenses involving dishonesty. The Act excludes certain offenses from the definition of “criminal offenses involving dishonesty,” including “an offense involving the possession of controlled substances.” Historically, the FDIC has required an application as to drug-related offenses—aside from simple-possession offenses. In light of the Act, however, the FDIC believes that Congress intended to exclude, at least, the offenses of simple possession and possession with intent to distribute from the “involving dishonesty” category because of the statute’s use of the phrase “involving the possession of controlled substances.” Additionally, the FDIC believes it should shift from the presumption that other drug-related offenses are subject to Section 19 as crimes involving dishonesty, breach of trust, or money laundering. This revised approach would treat drug offenses the same as all other types of crimes, which do not automatically trigger the need for an application, but which may require an application depending on the elements of the underlying criminal offense.

• Expunged, sealed, and dismissed criminal records. The Act excludes certain convictions from the scope of Section 19 that have been expunged, sealed, or dismissed. The existing FDIC regulations already exclude most of those offenses. The proposed rule would modestly broaden the statutory language concerning such offenses to harmonize the FDIC’s current regulations concerning expunged and sealed records with the statutory language.

• Standards for FDIC review of Section 19 applications. The Act prescribes standards for the FDIC’s review of applications submitted under Section 19.

The proposed rule also provides interpretive language that addresses, among other topics, when an offense “occurs” under the Act, whether otherwise-covered offenses that occurred in foreign jurisdictions are covered by Section 19, and offenses that involve controlled substances.

Comments are due by January 16, 2024, as this appeared in the Federal Register on November 14. https://www.federalregister.gov/documents/2023/11/14/2023-23853/fair-hiring-in-banking-act. Compliance may want to coordinate with Human Resources on a comment letter if there are questions your bank has, clarifications you want, or changes to recommend.

AI in Banking

Is your bank an early adopter of technology? I do not see many community banks jumping on to the cutting edge of technology but soon it will become a more commonly offered service from vendors. Now is the time to become familiar with what is happening in this arena. Not banking but looking for shortcuts could be dangerous. If a “techie auditor” wants to use a ChatGPT or similar program to dress up an audit report, who fact checks it? In December the CEO of The Arena Group, which publishes Sports Illustrated, was fired weeks after the magazine was accused of publishing articles generated using artificial intelligence (AI).

The CFPB in June reported on consumer dissatisfaction with chatbots, another common use of AI. The report noted that about 37 percent of the U.S. population has interacted with chatbots. In banking, the use of chatbots raised several risks including: (i) noncompliance with federal consumer financial protection laws; (ii) diminished customer service and trust; and (iii) harm to customers. There have been complaints received by the CFPB. We have also seen AI result in fair lending cases based on poorly targeted marketing. You can find the CFPB’s report here: https://www.consumerfinance.gov/data-research/research-reports/chatbots-in-consumer-finance/chatbots-in-consumer-finance/

December 2023 OBA Legal Briefs

  • Year End, Year Start

Year-End, Year Start

By Andy Zavoina

This is a time of celebrations, family, and looking forward to a new beginning as the calendar turns to 2024. But, has every “i” been dotted and “t” crossed for 2023? Do you get to exhale in a sigh of relief as you enjoy the holiday season, chill for a moment, and start anew on January 1? The answers are, “You need to know they are,” and “Absolutely not.” As 2023 ends, 2024 begins as a new year but what’s not done from the year-end still has to be. So, let’s do a quick review of those annual tasks and ensure you are really ready to close the books on 2023 and open the new one for 2024.

What must you always consider as you begin planning your year? The major events you anticipate, especially changes.

HMDA

Are you a HMDA reporter, or now will be, based on your bank’s size and transactions and what ramifications does that bring? (See 1-5 immediately below for the requirements applicable to 2023 data. Each test must be met.) If applicable, are you ready for the March 1 filing deadline this year? Do you have only the final quarter’s Loan Application Register (LAR) entries to scrub, and if not, how long will that take? Are the first three quarters of 2023 ready to go?

1. Asset-Size Threshold Test. On December 31, 2022, your bank had assets in excess of $54 million. This was the data collection threshold for 2023. We expect the 2024 threshold to be released in late December.
2. Location Test. On the preceding December 31, your bank had a home or branch office located in a metropolitan statistical area (MSA).
3. Loan Activity Test. During the preceding calendar year, your bank originated at least one home purchase loan or refinancing of a home purchase loan secured by a first lien on a one- to four-unit dwelling.
4. Federally Related Test. Your bank is federally insured, regulated, or originated at least one home purchase loan or refinancing of a home purchase loan that was secured by a first lien on a one- to four-unit dwelling and, well, there is more to this test at 12 CFR 1003.2(g)(1)(iv) but I think we had you at “insured.”
5. Loan-Volume Threshold. Your bank meets or exceeds either the closed-end mortgage loan or the open-end line of credit loan volume threshold in each of the two preceding calendar years. A bank that originated at least 25 closed-end mortgage loans in each of the two preceding calendar years or originated at least 200 open-end lines of credit in each of the two preceding calendar years meets or exceeds the loan-volume threshold. (If the loan or line of credit is not a closed-end mortgage loan or an open-end line of credit, it does not need to be reported.)

If you barely missed any of these five criteria, you’ll want to pay attention to any revisions to them next year, such as the asset threshold or loan volume.

Small Business Lending Data Rule

The Reg B small business data gathering rule referred to as “1071” was released and there were legal challenges affecting the rule. It is important to note that the 1071 rule was not challenged, but the CFPB was. On July 31, 2023, the U.S. District Court for the Southern District of Texas ordered the CFPB not to implement or enforce the 1071 rule. The order stays all deadlines for compliance and in subsequent cases and rulings the stay applies to all banks. The Supreme Court has to rule on the case and that is expected about mid-2024. At that point, if the CFPB is successful, it may simply redesignate the deadlines and if it is not, the 1071 rule will be implemented in some form as it is based on Section 1071 of the Dodd-Frank Act, which is not in question. Ask yourself, if the CFPB is successful, which seems likely to many but remains an unknown, how fast will you be able to react on implementation and change management?

In the BOL Lending Compliance Triage Conference in November, Kimberly Boatwright recommended five critical steps compliance officers need to take now.

1. Determine your bank’s status/tier as a covered institution.

2. Conduct a Gap Analysis to understand your products, delivery channels and lending life cycle.

3. Commercial Lending Challenges that need focus, training, and action.

4. Based on your bank’s needs, allocate a budget.

5. Raise the Board’s and senior management’s awareness of issues related to implementation of Section 1071.

When is your next compliance exam?

That is a compliance officer’s direct responsibility. What has been done to prepare for it and, depending on when that is expected, more importantly, what has not been done? Start making that list if your exam is imminent. What other exams do you contribute to – Bank Secrecy Act, Safety and Soundness which may include Reg O, any fair lending or mortgage origination and servicing requirements?

The New CRA Rule

One more biggie that cannot be ignored is the new Community Reinvestment Act rule that was recently published. Most of us are beginning to digest it now as the final rule takes effect on April 1, 2024, but with staggered compliance dates of January 1, 2026, and January 1, 2027. So, it is not an immediate need to completely revamp your policy and procedures, but the changes are enormous and you must start planning now. The November Legal Briefs edition has more on the new CRA, but here are a few key elements.

• Asset thresholds for small, intermediate and large banks will increase.
• Most of the rule’s requirements will go into effect on January 1, 2026, to give you time to prepare for implementation.
• Data reporting requirements, which only apply to large banks, will become applicable starting January 1, 2027.
• The rule allows small banks to be evaluated under the existing framework or opt in to be evaluated under the new framework.
• The final rule does not include a start date for examinations pursuant to the performance tests in the amended regulation. We will have to watch as the agencies prepare for and announce this.

Don’t forget the little things

Now let’s look at the future and eliminate some of the small things for peace of mind. These are minimal tasks that need to be sorted and ensure there are no issues with compliance. It’s the little things that sometimes catch you unprepared.

Let’s talk about signage requirements. In our main branch we had a “Fed wall,” which was one area which had the federally required (and state, as applicable) notice requirements. It should be in an area that is highly visible to the public to meet the intent of the posted notice requirements. It does no good to put these on the wall behind a door that stays open or the plastic trees in the lobby which prevent viewing them. You will not get credit during an exam for posting them where they cannot be seen. If there was a remodel done and the signage was taken down for maintenance, ensure it went back up, and in the right location.

As to being unsightly, beauty is in the eye of the beholder. If you put courier font printed pages in a $2 frame and nailed it to the wall, that is what it will look like. I recommend you lay out all the applicable disclosures and buy one large frame, have a matte cut for all these in one space and then everything is accounted for in one space. As a new branch is opened, just order another of the same design. This ensures everything is easily accounted for and posted easily on the wall rather than trying to lay out several frames, especially if those frames were each different giving a hodgepodge appearance. It is also a simple task to pull the frame down, remove the backing and switch out disclosures when necessary. As a tip, there is a transparent tape and removable tape that uses the same adhesive as sticky notes. It will hold your documents to the matte securely yet provide the flexibility to switch them out without destroying the matte or other documents.

Here are suggestions and justifications for your fed wall and other required signage.

1. Community Reinvestment Act Notice: This is to be posted in each lobby with one version in your main office and another in each branch, other than off premise electronic deposit facilities, the Public Notice described in 12 CFR 345.44 (FDIC), 228.44 (FRB), 25.44 (OCC).

2. Equal Housing Lending Poster: Post in lobby of main office, all branches, and in any other areas where loans are made. Note, this is an 11”x14” poster and unlike most other requirements for signage, the size requirements are specifically stated. 12 CFR 338.4 (FDIC), 24 CFR 110.15 and 110.25 (HUD and OCC); the FRB requirements fall under the Fair Housing Act.

In August 2022 the FDIC made changes to its version of the sign. Refer to Federal Register Vol. 87, No. 151, Page 48079 as the Fair Housing and Consumer Protection Sale of Insurance Rule are both impacted. To improve efficiency and effectiveness the FDIC consolidated the Consumer Response Center and the Deposit Insurance Section under one organization, entitled the National Center for Consumer and Depositor Assistance. Fair Housing signage and the Sales of Insurance disclosure should refer to, “…National Center for Consumer and Depositor Assistance.” The effective date of the change was August 8, 2022. The OCC has also had changes to its poster. Refer to Bulletin 2021-35, August 5, 2021.

3. Home Mortgage Disclosure Act (HMDA). General notice of availability must be posted in each home office and physical branch offices located in an MSA. 12 CFR 1003.5(e). Non-HMDA banks do not post this notice.

4. Fair Credit Reporting Act (FCRA) requires that a consumer be allowed to notify the bank of an error in their consumer report. If a notice is posted informing consumers where to direct their notice, they may not be delivered to just any employee and must be properly directed. 623(a)(1)(C) (Note, this is a recommendation, not a requirement. Not having such a notice does set the bank up for failure as virtually all staff would need awareness training on how to handle such a notice from a customer.)

Additional signage requirements while you are auditing those above.

A. Customer Information Program procedures require providing adequate notice the bank is requesting information to verify customer identities prior to opening an account. The notice may be given or posted. 31 CFR 1020.220(a)(5)

B. FDIC Deposit Insurance Notices are to be displayed at each station or window (including drop boxes, teller windows, new accounts, drive-ups) where insured deposits are normally received, excluding automated service facilities such as ATMs, night depositories and POS. These signs must be 3″X7″ in size. 12 CFR 328.2 & FDIC 93-42, 94-17.

C. Funds Availability Policy is for banks routinely delaying availability of any deposited item. Disclosure is required of several items in a conspicuous place in each location where deposits are accepted. This includes the abbreviated text on ATMs but excludes drive-ups. These disclosures are contained in our Facts About Funds Availability brochure that doubles as the posted notice. 12 CFR 229.18

D. ATM Surcharge Notice requirements apply if your bank, as an ATM owner/operator, imposes a fee to complete a transaction or inquiry. The bank must disclose on the ATM that a fee may be imposed. 12 CFR 1005.16(c).

And for employees there are several other requirements.

E. 5-in-1 Employment Poster is required to be visible to job applicants and employees, 42 USC 2000e-10(a). This poster should include five parts, and if not in a combined poster, individual signs must be posted in the manager’s office or lobby. The five laws are: Equal Employment Opportunity Act, Fair Labor Standards Act, Employee Polygraph Protection Act, Family Medical Leave Act, and OSHA’s Plain Language “It’s The Law.” Refer to 29 USC 201, 29 USC 2003, 29 CFR 825.300, and 29 CFR 1903.2(a)(3)

F. Rate Board requirements under TISA/Reg DD are that indoor signs are exempt from many advertising requirements. But if a rate is stated it will use the term “annual percentage yield” or “APY” and contain a statement advising consumers to contact an employee for further information on terms and fees. 12 CFR 1030.8(e)(2)

G. Notice of Employee Rights has two requirements: 1) Executive Order 13496 is a Notice of Employee Rights under the National Labor Relations Act, the primary law governing relations between unions and employers in the private sector. See 29 CFR Part 471. Banks need to follow this for various reasons including due to FDIC insurance, savings bond transactions, TTL accounts and government contracts. Post the notice conspicuously in offices where employees covered by the NLRA perform contract-related activity, including all places where notices to employees are customarily posted both physically and electronically. 2) Employee Rights under the NLRA. See section 7 of the NLRA, 29 U.S.C. 157.

Now that signage requirements are addressed, let’s ensure “annual” tasks have been completed.

Annual compliance tasks

Reg BB (CRA), Content and availability of Public File § 228.43 – Your Public Files must be updated and current as of April 1 of each year. Many banks update this continuously, but it’s good to check. You want to ensure you have all written comments from the public from the current year plus each of the two prior calendar years. These are comments relating to the bank’s efforts in meeting community credit needs (your SBA loans may play a key role here) as well as any responses to comments. You also want a copy of the last public section of the CRA Performance Evaluation. That actually is to be placed here within 30 days of receipt. Ensure you are keeping up with branch locations and especially ATMs as those may fluctuate. The regulation has more on the content of this file. It may be best to review it with an audit workpaper to use as a checklist to avoid missing any required items.

CRA Notice and Recordkeeping § 228.42, 228.44, 1003.5 – CRA data, which can include small business and small farm as well as home mortgages, are gathered based on specific reporting requirements for the Loan Application Registers (LAR). CRA and HMDA information, if applicable, must be submitted by March 1, for the prior calendar year. If you are a reporter of either LAR you should start verifying the data integrity now to avoid stressing the process at the end of February. HMDA mortgage data should be compiled quarterly so this should not be a huge issue, but a thorough scrubbing as the new year starts and submission preparation approaches is always warranted.

Pertaining to this, national banks should ensure they have reviewed and updated as needed the CRA, FHA and ECOA notices in accordance with the Aug. 5, 2021, OCC Bulletin 2021-35. This bulletin provided updated content for the appropriate names and addresses for notices required by the Community Reinvestment Act and Equal Credit Opportunity Act, and for posters under the Fair Housing Act. National banks were required to make the appropriate changes to their notices and posters within 90 days of the issuance which then had a mandatory compliance date of Nov. 3, 2021.

Reg C – HMDA Notice and Recordkeeping § 1003.4, 1003.5 – HMDA data are gathered as home mortgage loans are applied for and are compiled quarterly if your bank is a HMDA reporter. There are specific and detailed reporting requirements for the Loan Application Register (LAR) itself. The LAR must be submitted by March 1, for the prior calendar year. If you are a reporter, you should start verifying the data integrity now and this is of vital importance if you have a large volume of records to report.

Reg E § 1005.8– If your consumer customer has an account to or from which an electronic fund transfer can be made, an error resolution disclosure is required. There is a short version that you may have included with each periodic statement. If you’ve used this, you are done with this one. But if you send the longer version that is sent annually, it is time to review it for accuracy and ensure it has been sent or is scheduled to be. Electronic disclosures under E-SIGN are allowed here.

This is also a good time to review §1005.7(c) (additional electronic fund transfer services) and determine if any new services have been added and if they were disclosed as required. Think Person-to-Person transfers like Zelle, Venmo or Square.

Reg G – Annual MLO Registration § 1007.102, 1007.103 – Mortgage Loan Originators must go to the online Registry and renew their registration. This is done between November 1 and December 31. If this hasn’t been completed, don’t push it to the back burner and lose track during the holidays and then have to join a year-end rush to complete this task. This is also a good time to plan with management and Human Resources any MLO bonus plans. Reg Z Section 1026.36(d)(1)(iv)(B)(1) allows a 10 percent aggregate compensation limitation on total compensation which includes year-end bonuses. Additionally, paragraph (b) of 1007.103 requires updates that may require coordination with HR – were there name changes of an MLO or a move to another location?

Regulation O, Annual Resolution §§ 215.4, 215.8 – In order to comply with the lending restrictions and requirements of § 215.4, you must be able to identify the “insiders.” Insider means an executive officer, director, or principal shareholder, and includes any related interest of such a person. Your insiders are defined in Reg O by title unless the Board has passed a resolution excluding certain persons. You are encouraged to check your list of who is an insider, verify that against your existing loans, and ensure there is a notification method to keep this list updated throughout the year.

Reg P § 1016.5 –There are exceptions allowing banks which meet certain conditions to forgo sending annual privacy notices to customers. The exception is generally based on two questions; does your bank share nonpublic personal information in any way that requires an opt-in under Reg P, and have you changed your policies and practices for sharing nonpublic personal information from the policies and procedures you routinely provide to new customers? Not every bank will qualify for the exception, however. John Burnett wrote about the privacy notice conundrum in the July 2017 Legal Briefs. That article has more details on this.

When your customer’s account was initially opened, you had to accurately describe your privacy policies and practices in a clear and conspicuous manner. If you don’t qualify for the exception described above, you must repeat that disclosure annually as well. Ensure that your practices have not changed and that the form you are sending accurately describes your practices.

For Reg P and the Privacy rules, annually means at least once in any period of 12 consecutive months during which that relationship exists. You may define the 12-consecutive-month period, but you must apply it to the customer on a consistent basis, so this is not necessarily a December or January issue, but it could be. And each customer does not have their own “annual date.” If a consumer opens a new account with you in February, you provide the initial privacy notice then. That is year one. You can provide the annual privacy notice for year two at any time, up until December 31 of the second year.

It is important to note that unlike most other regulatory requirements, Reg P doesn’t require E-SIGN compliance for your web-based disclosures. You can use e-disclosures on your bank web site when the customer uses the web site to access financial products and services electronically and agrees to receive notices at the web site, and you post your current privacy notice continuously in a clear and conspicuous manner on the web site. So, the demonstrable consent requirements and others in E-SIGN’s 15 USC Sect. 7001(c) do not apply, but there must still be acceptance to receive them on the web. Alternatively, if the customer has requested that you refrain from sending any information regarding the customer relationship and your current privacy notice remains available to the customer upon request this method is acceptable.

Fair Credit Reporting Act – FACTA Red Flags Report – Section VI (b) (12 CFR 334.90) of the Guidelines (contained in Appendix J) require a report at least annually on your Red Flags Program. This can be reported to either the Board, an appropriate committee of the Board, or a designated employee at the senior management level.

This report should contain information related to your bank’s program, including the effectiveness of the policies and procedures you have addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts, as well as service provider arrangements, specifics surrounding significant incidents involving identity theft plus management’s response to these, and any recommendations for material changes to the bank’s program. Times change, customers’ habits change, and importantly criminals change, and each may require tweaks to the bank’s program.

Reg V, Fair Credit Reporting Act – Affiliate Marketing Opt-Out § 1022.27(c) – Affiliate marketing rules in Reg V place disclosure restrictions and opt-out requirements on you. Each opt-out renewal must be effective for a period of at least five years. If this procedure is one your bank is using, you must know if there are any expiration dates for the opt-outs and whether those consumers have been given an opportunity to renew their opt-out.

RESPA Reg X, Annual Escrow Statements § 1024.17 – For each escrow account you have, you must provide the borrower(s) an annual escrow account statement. This statement must be done within 30 days of the completion of the escrow account computation year. This need not be based on a calendar year. You must also provide them with the previous year’s projection or the initial escrow account statement, so they can review any differences. If your analysis indicates there is a surplus, then within 30 days from the date of the analysis you must refund it to the borrower if the amount is greater than or equal to $50. If the surplus is less than that amount, the refund can be paid to the borrower, or credited against next year’s escrow payments.

Reg Z Thresholds and Updates § 1026.3(b)– These changes are effective January 1, 2024. You should ensure they are available to staff or correctly hard coded in your systems. The exemption for Reg Z disclosures will increase from $66,400 to $69,500, meaning consumer loans over that amount (except for loans secured by real or personal property expected to be used as the consumer’s principal dwelling or a private education loan) will be exempt.

BSA Annual Certifications – Your bank is permitted to rely on another financial institution to perform some or all the elements of your CIP under certain conditions. The other financial institution must certify annually to your bank that it has implemented its AML program. Also, banks must report all blockings to OFAC within ten days of the event and annually by September 30, concerning those assets blocked.

Information Security Program part of GLBA – Your bank must report to the board or an appropriate committee at least annually. The report should describe the overall status of the information security program and the bank’s compliance with regulatory guidelines. The reports should discuss material matters related to the program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management’s responses; and recommendations for changes in the information security program.

Security, Annual Report to the Board of Directors § 208.61 – The Bank Protection Act requires that your bank’s Security Officer report at least annually to the board of directors on the effectiveness of the security program. The substance of the report must be reflected in the minutes of the meeting. The regulations don’t specify if the report must be in writing, who must deliver it, or what information should be in the report. It is recommended that your report span three years and include last year’s historical data, this year’s current data and projections for the next year.

Similar to the Compliance Officer reporting to the board, this may include a personal presentation, or it may not. I recommend that it does, because this is an opportunity to express what is being done to control security events from the recent past as well as foreseeable events and why these are important issues. These facts can assist Security in getting the budget and assets necessary for the coming year. There is no prescribed period during which the report must be made other than “annually” and this may be based off the timing of the prior report, give or take a month. Annual presentations such as this are better done when the directors can focus more on the message, so try to avoid quarter ends, and especially the fourth quarter. This is not a “how-to” on the annual security report, but you can find more on the topic, free, on the BankersOnline Tools by searching on “annual security program.”

Training – An actual requirement for training to be conducted annually is rare, but annual training has become the industry standard and may even be stated in your policies. There are six areas that require training (this doesn’t mean you don’t need other training, just that these regulations have stated requirements).

– BSA (31 CFR §1020.210(b)(4) and 12 CFR §208.63(c)(4)) – Provide training for appropriate personnel.
– Bank Protection Act (12 CFR §21.3(a)(3) and §208.61(c)(1)(iii)) – Provide initial and periodic training.
– Reg CC (12 CFR §229.19(f)) – Provide each employee who performs duties subject to the requirements of this subpart with a statement of the procedures applicable to that employee.
– Customer Information Security, found at III(C)(2) (pursuant to the Interagency Guidelines for Safeguarding Customer Information) – Training is required. (Many banks allow for turnover and train as needed, imposing their own requirements on frequency.)
– FCRA Red Flag (12 CFR 222.90(e)(3)) – Train staff, as necessary, to effectively implement the Program.
– Overdraft protection programs your bank offers. Employees must be able to explain the programs’ features, costs, and terms, and to explain other available overdraft products offered by your institution and how to qualify for them. This is one of the “best practices” listed in the Joint Guidance on Overdraft Protection Programs issued by the OCC, Fed, FDIC and NCUA in February 2005 (70 FR 9127, 2/24/2005), and reinforced by the FDIC in its FIL 81-2010 in November 2010.

MISCELLANY – Some miscellaneous items you may address internally in policies and procedures include preparation for IRS year-end reporting, vendor due diligence requirements including insurance issues and renewals, documenting ORE appraisals and sales attempts, risk management reviews, following records retention requirements and destruction of expired records, and a designation by the bank’s board of the next year’s holidays.

And finally, has there been a review of those staffers who have not yet taken five consecutive vacation or “away time” days per Oklahoma Administrative Code 85:10-5-3 “Minimum control elements for bank internal control program”?

November 2023 OBA Legal Briefs

  • Loans, ECOA, and Noncitizen Discrimination
  • New CRA Final Rule Released

Loans, ECOA, and Noncitizen Discrimination

By Andy Zavoina

To me, this is one of those statements that says it is a warning shot and you need to know where the bullet may drop. This is your opportunity to evaluate the situation and step to the side to avoid injury, if necessary. On October 18, 2023, the Consumer Financial Protection Bureau (CFPB) and the Department of Justice (DOJ) published a joint statement in the Federal Register (https://www.federalregister.gov/d/2023-22968), “to assist creditors and borrowers in understanding the potential civil rights implications of a creditor’s consideration of an individual’s immigration status under the Equal Credit Opportunity Act (ECOA)”. The DOJ enforces civil rights violations as well as fair lending, so its involvement identifies the purpose of the statement.

First, let’s review what the joint statement says. It clearly states that lenders need to understand, “the potential civil rights implications of a creditor’s consideration of an individual’s immigration status under ECOA. ECOA does not expressly prohibit consideration of immigration status…,” and then it gets to the intent of the statement, “creditors should be aware that unnecessary or overbroad reliance on immigration status in the credit decisioning process, including when that reliance is based on bias, may run afoul of ECOA’s antidiscrimination provisions and could also violate other laws.”

I have taught Reg B, which implements ECOA, for many years. In subsection 1002.5(e) it states, “A creditor may inquire about the permanent residency and immigration status of an applicant or any other person in connection with a credit transaction.” That is under the section titled, “Rules concerning requests for information.” When I teach, I mention this section as being a nondiscriminatory way to ascertain residency status as it pertains to future collection of a debt. This should have nothing to do with color, race, religion or any other protected basis that cannot be used in making a loan decision. The intent of the question is, would this person be subject to, or scheduled to move out of the country during the term of the loan, and where might your collateral be at that time? When a person has few ties to where they live, it is easier for them to move and harder for you to contact them when necessary. I can tell you from experience that repossessing collateral internationally is much harder, and you are at the mercy of others when it comes to the bill and a sale.

As an example, person A arrived in your area a few months ago from South America. She is an executive at a large company that is a particularly good customer of the bank. She wants to buy a new car and finance it for sixty months. If your applicant has a B-1 visa and applies for this loan, be aware that the typical stay is usually six months for work, with a possible extension for another six months. What will happen to this new car in just a few months? What if the extension being requested is not approved? These are valid concerns.

On the other hand, if the lender reviews an application from the same person but for a short term loan that will be repaid prior to the visa’s expiration, and interviews the person, but still does not like the fact that English is a second language, communication is difficult at best, and the applicant is not a U.S. citizen, and denies the request for those reasons, that could be the Reg B issue this joint statement is concerned with. This is an obviously made-up scenario, but the point is, you may consider the immigration status but be cautious if it is a key reason for the denial. Lenders are still concerned with credit risk based on capacity, character, capital, collateral and conditions. Quoting from the joint statement, “Creditors should therefore be aware that if their consideration of immigration status is not ‘necessary to ascertain the creditor’s rights and remedies regarding repayment,’ and it results in discrimination on a prohibited basis, it violates ECOA and Regulation B.” At the end of the day, does the lender predict the loan would perform and pay as agreed or not? Is it a collateral rights or access issue? These are questions for the bank. A lender’s bias should not influence the credit decision of the bank as it is the bank making the loan. That is the heart of the joint statement as I read it.

Reg B tells us “…a creditor may consider any information obtained, so long as the information is not used to discriminate against an applicant on a prohibited basis.” If immigration status is a proxy for race, religion, national origin, color, or any prohibited basis, that would be a violation. As the joint statement explains it, “Regulation B notably provides that a ‘creditor may consider [an] applicant’s immigration status or status as a permanent resident of the United States, and any additional information that may be necessary to ascertain the creditor’s rights and remedies regarding repayment.’ 12 C.F.R. § 1002.6(b)(7). Regulation B does not, however, provide a safe harbor for all consideration of immigration status.” And this is where I would like to remind readers that, as noted above, it is the bank taking action here through a lender, and it is the bank’s responsibility to ensure compliance.

Considering the above, we may also introduce Bank Secrecy Act prohibitions here. Like the issues above, this may be a training issue that lenders should be reminded of. In section II of the joint statement we find, “As a general matter, creditors should evaluate whether their reliance on immigration status, citizenship status, or ‘alienage’ (i.e., an individual’s status as a non-citizen) is necessary or unnecessary to ascertain their rights or remedies regarding repayment. To the extent that a creditor is relying on immigration status for a reason other than determining its rights or remedies for repayment, and the creditor cannot show that such reliance is necessary to meet other binding legal obligations, such as restrictions on dealings with citizens of particular countries, 12 C.F.R. pt. 1002, Supp I. ¶ 2(z)-2, the creditor may risk engaging in unlawful discrimination, including on the basis of race or national origin, in violation of ECOA and Regulation B.” What does comment 2(z)-2 address? It addresses National Origin. “A creditor may not refuse to grant credit because an applicant comes from a particular country but may take the applicant’s immigration status into account. A creditor may also take into account any applicable law, regulation, or executive order restricting dealings with citizens (or the government) of a particular country or imposing limitations regarding credit extended for their use.”

Going forward, banks should consider training in-person or at the least by memorandum or computer-based training reminding lenders of these issues. No bank or lender should look to automatically decline loan applications from certain groups of noncitizens regardless of the credit qualifications because of the citizenship unless there is a legal prohibition preventing working with them. To carry this to the next level of fair banking, the same rules should apply to deposit and service relationships. Denying a loan, deposit or service to someone solely because they do not have a Social Security account number is too broad a reach based on that one criterion. The absence of an SSAN should not be a proxy for non-citizenship which ignores other credit qualifications and causes an automatic denial. Treating this group of applicants differently would also be a Reg B violation. For example, that could include requiring all non-SSAN applicants to apply in person. When such a requirement is applied to a group and is predicated on a prohibited basis, it would be a discriminatory act.

It was recently noted that rules are changing to allow more people to be paired testers who enter a bank and apply for loans. The paired testers involve one applicant who has characteristics of a prohibited basis and another who does not, but the underlying credit qualifications for both are similar. An example would be a white couple applying for a joint loan and a Black couple asking for the same product and terms. The object is to detect if they are treated differently. I recall one evaluation from paired testers which criticized the lender because the majority testers were offered soft drinks, and the minority testers were not. The evaluations drill way down into what is considered being “treated similarly.” In addition to this training, the bank should ensure there are no conflicts in any policies and procedures. It should be an accepted fact that examiners will be scrutinizing this issue in your next compliance or fair lending exam. All banks would be wise to review the issues in advance of that.

I must be clear that I am not a lawyer, and this is not legal guidance. The joint statement gets its points across, but it offers advice that you can consider immigration status but cannot consider it completely or in a broad, overreaching manner. There is subjectivity in the terms used, but with what I read between the lines, the objective is as I stated above, make loans to those qualified, do not exclude a qualified borrower because they are a non-citizen, and lend in a safe and sound manner to comply with ECOA and civil rights.

Other Fair Lending Concerns

If your bank considers implementing a review and training on this fair lending and civil rights issue, you might as well get the most bang for your training buck and consider adding some “lessons learned” from the CFPB’s mid-year release of its “2022 Fair Lending Annual Report to Congress” (https://www.consumerfinance.gov/about-us/blog/the-cfpbs-2022-fair-lending-annual-report-to-congress/).

It shows how the CFPB set its sights on redlining and appraisal discrimination in the prior year, and we can rest assured it did not end there. Since that report was filed, an Oklahoma bank settled a redlining case for $1.15 million for failing to provide mortgages in all areas for a four-year period from 2017 through 2021. That case originated as a referral from the FDIC to the DOJ, which has the authority to handle fair lending cases. The bank allegedly engaged in a pattern or practice of lending discrimination by redlining historically Black neighborhoods in the Tulsa MSA. In part, the proposed consent order calls for the bank to:

1) Invest at least $950,000 in a loan subsidy fund to increase credit for home mortgage loans and lines of credit for consumers applying in majority-Black and Hispanic census tracts in the Tulsa MSA;
2) Spend at least $100,000 in advertising, community outreach, and consumer financial education programs and credit counseling in the Tulsa MSA;
3) Spend at least $100,000 in developing partnerships with one or more community-based or governmental organizations that provide the residents of majority-Black and Hispanic census tracts in the Tulsa MSA with services related to credit, financial education, homeownership, and foreclosure prevention;
4) Establish a community-oriented loan production office in a majority-Black and Hispanic census tract in the Tulsa MSA;
5) Assign at least two full-time loan officers to solicit mortgage applications primarily in majority-Black and Hispanic census tracts in the Tulsa MSA;
6) Employ a full-time director of community lending to oversee the continued development of lending.

Another recent redlining case occurring after the 2022 report involves a $9 million settlement agreement with a Rhode Island bank that allegedly failed to provide mortgage lending services in majority-Black and Hispanic neighborhoods in Rhode Island between 2016 and 2022. This case had its settlement agreement released at the end of September 2023. In this case the DOJ announced the bank would, among other things:

1) Invest at least $7 million in a loan subsidy fund for majority-Black and Hispanic neighborhoods in Rhode Island to increase access to credit for home mortgage, improvement, and refinance loans, and home equity loans and lines of credit;
2) Invest $1 million towards outreach, advertising, consumer financial education, and credit counseling initiatives;
3) Invest $1 million in developing community partnerships to expand access to residential mortgage credit for Black and Hispanic consumers;
4) Establish two new branches, ensure at least two mortgage loan officers, and employ a “Director of Community Lending” in majority-Black and Hispanic neighborhoods in Rhode Island;
5) Conduct a community credit needs assessment; and
6) Produce a fair lending status report and compliance plan and conduct fair lending training.

Back to the 2022 Fair Lending Annual Report – For those interested in getting up to date on enforcement actions, it recaps 2022’s enforcement actions related to fair lending, including an action against Trident Mortgage Company for alleged unlawful discrimination on the basis of race, color or national origin.

The CFPB also referred five fair lending cases to the DOJ which included four related to redlining and one related to discriminatory underwriting.

I have written previously here on appraisal discrimination and reconsideration of value complaints so I will not go over that again. While there are still hearings being held, the most recent on November 1, 2023, you can find more in our June and July 2023 Legal Briefs.

New CRA Final Rule Released

By Andy Zavoina

The modernized Community Reinvestment Act (CRA) final rule was released on October 24, 2023. It is a joint release by the FDIC, OCC and FRB. You’ll find it here if you haven’t already downloaded a copy to work from: https://www.federalreserve.gov/aboutthefed/boardmeetings/files/frn-cra-20231024.pdf . It is nearly 1,500 pages, so plan to break it into chunks. This is marked as a draft, but it’s the final form we have to start with.

Here are some quick facts for an overview:

Under the final rule, banks are classified as either a:
1) large bank – those with assets of at least $2 billion as of December 31 in both of the prior two calendar years
2) intermediate bank – those with assets of at least $600 million as of December 31 in both of the prior two calendar years and less than $2 billion as of December 31 in either of the prior two calendar years
3) small bank – those with assets of less than $600 million as of December 31 in either of the prior two calendar years
4) limited purpose bank – a bank that is not in the business of extending certain loans, except on an incidental and accommodation basis, and for which a designation as a limited purpose bank is in effect.

These asset-size thresholds will be adjusted annually for inflation.

In general, the rule is effective April 1, 2024. But to understand the complexity of what is effective when, you must dissect a copy of the rule as certain amendments are effective based on conditions such as the legal cases surrounding the Small Business Loan Reporting requirements. The agencies will publish an announcement of an effective date for those delayed amendments. One group of selected sections of the common rule text adopted by the agencies will be applicable on January 1, 2026; while another group of sections implementing reporting requirements will be applicable January 1, 2027, with data reporting each April 1, beginning in 2027.

The CRA was implemented originally to help low- and moderate-income borrowers receive loans. The old saying that banks would only loan money to those who didn’t need it was not completely inaccurate. The spirit and intent of the law was to ensure that banks were making loans to customers in their market area from which deposits were being received. So, the bank would loan to its community that was supporting it with deposits to lend.

The 1977 law was not meant to work in today’s economy, as much has changed and the CRA needed to be updated. This was a huge project that needed coordination and adoption by each of the regulatory agencies. Banks needed a unified CRA so that they are similarly graded, and the same rules apply across the board. That is the attempt with the modernization of the CRA. While there is unification, each agency will still publish its own set of rules as each has its own section of the laws. Banks regulated by the:

– Office of the Comptroller of the Currency will follow 12 CFR 25 (national banks) and 12 CFR 195 (federal savings associations)
– Board of Governors of the Federal Reserve System will follow 12 CFR 228
– Federal Deposit Insurance Corporation will follow 12 CFR 345.

The massive re-write to modernize the CRA will require extensive preparation on the part of each bank. You will need to prepare for these finalized requirements as they will go into effect in stages beginning on April 1, 2024, and continuing on January 1, 2026, and January 1, 2027. One or more persons in the bank will have to digest the CRA and “chunk it out” as different deliverables will have to be decided on for each bank and the complexity of those deliverables will depend on your bank’s market, niche, strategic goals going forward, and capabilities, all compounded by the court’s actions on the 1071 rule. It is important to note that the legal cases may involve 1071 and payday lending, but they challenge more the constitutionality of the CFPB, and its method of funding designed by Congress. The Senate has had bills submitted as to 1071 revisions but there may be no consensus in the House to facilitate change. At the center, the legal actions are going against the cause, the CFPB, not necessarily the rules themselves. The 1071 rule for small business data gathering was brought about by the Dodd-Frank Act, another law. The CFPB was slow to enact these requirements and was taken to court in California because of it. That law is not really in question at this time, so there is little reason to believe that, if the CFPB were to be criticized, the work it has done would be reversed. It is quite possible that this will go like the challenge decided by the Supreme Court on the ability to appoint a new director at the CFPB as decided on by the current President: the court agreed and said just that would be changed, now go back to work. SCOTUS could rule that funding needs to be done by Congress annually, and now go back to work. In that case the CFPB could say everything stands as planned. Some extensions might be allowed based on the delay due to the wheels of justice moving slowly, but banks may not even get an extension equal to that gap.

I encourage banks to prepare now for 1071 and not to expect the rule to change. That creates a domino effect with the Reg B 1071 rule and the new CRA rule. Start looking at the CRA as though the 1071 rule will be implemented as planned, however those rules affect your bank.

Here are five key issues in the new CRA.

1) Asset thresholds for small, intermediate and large banks will change and increase.
2) Most of the rule’s requirements will go into effect on January 1, 2026, to give you time for implementation and change management procedures.
3) Data reporting requirements will begin as of January 1, 2027, and will only apply to large banks.
4) The rule allows small banks to be evaluated under the existing criteria or opt in to be evaluated under the new criteria.
5) The final rule does not include a start date for examinations pursuant to the new performance tests so that is a wait-and-see issue.

I’ve mentioned the new thresholds above in the initial recap, but here they are with some additional explanation. These go into effect January 1, 2026.

Small banks will be those with total assets of less than $600 million. This is an increase from $376 million under the current CRA. The regulatory agencies estimate that this increase will shift approximately 778 banks from intermediate to small status.

Intermediate banks will be those with total assets of at least $600 million, but less than $2 billion. This is an increase from a range of $376 million to $1.503 billion under the current CRA. It is estimated that this increase will shift approximately 216 banks from large to intermediate status.

Large banks will be those with total assets of $2 billion or more. This is an increase from $1.503 billion under the current rule. There will be additional requirements for large banks with total assets of $10 billion or more. Those items are not carved out into a separate “very large” bank category, however.

Like the current CRA, the minimum asset threshold for an intermediate or large bank must be met for two consecutive calendar year-ends to reach the intermediate or large status. The threshold amounts will be adjusted annually for inflation. The new CRA includes a definition for limited purpose banks that includes those banks that are considered a limited purpose or wholesale bank under the current regulation, but it does not use those terms.

There is a definition of “military bank” which now means a bank whose business predominantly consists of serving the needs of military personnel who serve or have served in the U.S. armed forces or their dependents. There is an exception for assessment areas carved out for these military banks. Because the customer base is literally all over the world, these banks may delineate their entire deposit customer base as their assessment area.

Excluding the military banking exception, the new CRA includes two types of assessment areas — facility-based assessment areas and retail lending assessment areas.

Facility-based assessment areas will be similar to current assessment areas except for the requirement that they include entire counties. An exception to the entire-county requirement exists for small and intermediate banks so long as the assessment area consists of contiguous whole census tracts. This section of the regulation is effective April 1, 2024, but the new definition of small and intermediate banks does not become effective until January 1, 2026. This may cause confusion, but a conservative compliance approach would be for banks that meet the current definition of a small or intermediate bank to have a facility-based assessment area that does not consist of entire counties. Otherwise keep them whole for now and assess if there is good reason to divide them.

Retail lending assessment areas will be applicable to large banks, and these are not effective until January 1, 2026. Retail lending assessment areas must be established when less than 80% of retail lending occurs within facility-based assessment areas. Retail lending assessment areas will then need to be designated in any nonmetropolitan area of a state or MSA where at least 150 closed-end home mortgage loans or 400 small business loans were originated or purchased during each of the prior two calendar years.

Small banks will have the easiest road to implementation. Small banks can opt-in to the new Retail Lending Test or continue to be evaluated under the current Small Bank Lending Test.

As to evaluations, the Retail Lending Test will be optional for small banks. Intermediate and large banks may be evaluated with this test when it becomes effective January 1, 2026. The agencies have not yet indicated when evaluations under the new CRA will begin. I’m sure it has not been a priority given the time gap and that they, too, need to grasp all the nuances of the new rule.

Under the current rule, which products will be evaluated may depend on borrower profiles and geographic distribution of loans. Now there will be Retail Lending Volume Screens and Major Product Line Standards which will provide the metrics. The loan types, such as home mortgages, multifamily, small business, small farm, and automobile loans, which will be evaluated can vary by assessment area and by Outside Retail Lending Areas. These are areas nationwide where the bank originated or purchased loans in a product line that is being evaluated outside any of its facility-based or retail lending assessment areas. Modernization, remember. This is not foreign to military banks as their effective lending areas exceeded local geographies. The bank’s lending performance will be evaluated in outside retail lending areas for large banks and in certain circumstances for intermediate and small banks.

Intermediate and small banks will be evaluated when more than 50% of certain loans have been originated or purchased outside of their assessment areas during the prior two calendar years or, if desired, at your bank’s option.

As is the case under the current CRA, intermediate banks will be subject to two tests, and each contributes one-half to the total rating. The Retail Lending Test replaces the current lending test. Banks will have the option to be evaluated under the current Community Development test for intermediate banks for community development loans and services, along with qualified investments or a new Community Development Financing Test.

This new test evaluates your bank’s dollar volumes for community development loans and investments. This is compared to your deposit base and uses a new Impact and Responsiveness Review.

Community development activities have long been an area of subjectivity and there are changes effective January 1, 2026, to these.

You will now have eleven qualification criteria to determine if a loan, investment or service is a valid community development activity. You may also be eligible to receive full or partial credit. You will consider affordable housing, revitalization, and stabilization as well as economic development. There will also be considerations for community support services and new possibilities such as essential community facilities and infrastructure, disaster preparedness and weather resiliency as examples.

The Impact and Responsiveness of community development activities will be evaluated using a list of about twelve factors including:

– the benefit to counties with persistent poverty or census tracts with a poverty rate of 40 percent or more;
– support for minority depository institutions, women’s depository institutions, low-income credit unions or certified community development financial institutions;
– support of businesses or farms with gross annual revenues of $250,000 or less;
– whether it benefits or serves residents of Native Land Areas or benefits projects financed with low-income housing tax credit or new markets tax credit.

You will now be able to receive credit for community development activities anywhere in the country.

Large banks will now be evaluated under four tests. The Retail Lending Test and the Community Development Financing Test will each contribute 40%. The Retail Services and Products Test and the Community Development Services Test will each contribute 10%.

The Retail Services and Products Test will evaluate the bank’s credit and deposit products and programs along with the responsiveness of these programs to the needs of LMI communities. It will also assess your delivery methods, including digital, as well as the availability of branch and remote service facilities.

Deposit products will be evaluated based on availability and usage and only receive positive consideration for those larger banks with more than $10 billion in total assets or at the bank’s option for those with assets of $10 billion or less.

September 2023 OBA Legal Briefs

OK Legislation 2023

By Pauli D. Loeffler

Oklahoma Uniform Consumer Credit Code Title 14A

Sec. 1-106 of the Oklahoma Uniform Consumer Credit Code in Title 14A (the “U3C”) is the section that determines when and how much dollar limits under Title 14A are subject to change. These changes are based on increases in the Consumer Price Index for Urban Wage Earners and Clerical Workers compiled by the Bureau of Labor Statistics, U.S. Department of Labor.

Legislation enacted in the last session modified Subsection (4)(a) of § 1-106, removing the 3% increase cap on increased amounts. The amendment became effective April 23, 2023, and is part of the notification by the Oklahoma Department of Consumer Credit of changes in dollar amounts effective July 1, 2023. I covered these changes in the June 2023 OBA Legal Briefs. The OK DOCC notice can be accessed here. It is also accessible on the OBA’s Legal Links page under Resources. In order to gain access to the Legal Briefs online archive and the Legal Links, you will need to create an account through the My OBA Member Portal if you have not done so already.

  • 3-508A Loans

This section of the “U3C” sets the maximum annual percentage rate for certain loans. It provides three tiers with different rates based on unpaid principal balances that may be “blended.” It also has an alternative maximum rate that may be used rather than blending the rates. Effective for loans consummated on or after November 1, 2023, § 3-508A is amended to read:

(2) The loan finance charge, calculated according to the actuarial method, may not exceed the equivalent of the greater of either of the following:

(a) the total of:

(i) thirty-two percent (32%) plus the federal funds rate per year on that part of the unpaid balances of the principal which is Seven Thousand Dollars ($7,000.00) or less;

(ii) twenty-three percent (23%) plus the federal funds rate per year on that part of the unpaid balances of the principal which is more than Seven Thousand Dollars ($7,000.00) but does not exceed Eleven Thousand Dollars ($11,000.00); and

(iii) twenty percent (20%) plus the federal funds rate per year on that part of the unpaid balances of the principal which is more than Eleven Thousand Dollars ($11,000.00); or

(b) twenty-five percent (25%) plus the federal funds rate per year on the unpaid balances of the principal…

(7) As used in this section, the “federal funds rate” means the rate published by the Board of Governors of the Federal Reserve System in its statistical release H.15 Selected Interest Rates and in effect as of the first day of each month immediately preceding the month during which the loan is consummated.

Title 60 O.S. § 121 – Alien ownership of Oklahoma real estate

I covered loans to non-U.S. citizens in the January 2016 OBA Legal Briefs. Effective November 1, 2023, § 121 is amended as follows:

  1. No alien or any person who is not a citizen of the United States shall acquire title to or own land in this state either directly or indirectly through a business entity or trust, except as hereinafter provided, but he or she shall have and enjoy in this state such rights as to personal property as are, or shall be accorded a citizen of the United States under the laws of the nation to which such alien belongs, or by the treaties of such nation with the United States, except as the same may be affected by the provisions of Section 121 et seq. of this title or the Constitution of this state. Provided, however, the requirements of this subsection shall not apply to a business entity that is engaged in regulated interstate commerce in accordance with federal law.
  2. On or after the effective date of this act, any deed recorded with a county clerk shall include as an exhibit to the deed an affidavit executed by the person or entity coming into title attesting that the person, business entity, or trust is obtaining the land in compliance with the requirements of this section and that no funding source is being used in the sale or transfer in violation of this section or any other state or federal law. A county clerk shall not accept and record any deed without an affidavit as required by this section. The Attorney General shall promulgate a separate affidavit form for individuals and for business entities or trusts to comply with the requirements of this section, with the exception of those deeds which the Attorney General deems necessary when promulgating the affidavit form.

The affidavit is only required for deeds transferring ownership of real estate on or after the November 1, 2023, effective date. It does not apply to deeds filed of record prior to that date, nor does it apply to leases or personal property. If the bank is making a purchase money loan for real estate on or after the effective date, it will require that the affidavit be executed by the purchaser and recorded with the deed. (Updated November 1, 2023)

I reached out to the Oklahoma Attorney General’s office regarding the affidavit. Drafts of the affidavit are currently being circulated. They anticipate the affidavit form will be finalized shortly and will be available to view next month. Expect an update with the link to the affidavit in a future article.

Title 12 – Garnishment Forms

Effective November 1, 2023, the Oklahoma garnishment forms, i.e., affidavits, pre- and post- judgment garnishment summonses, garnishee’s answer, etc., will be under the purview of the Oklahoma Bar Association rather than the Administrative Office of the Courts. Inasmuch as the garnishment statutes themselves did not have any substantive changes, there should be no changes in the forms themselves.

I worked with the Administrative Office of the Courts in amending the forms in 2011 when the Garnishment of Accounts Containing Federal Benefits rule became effective. I was also involved in changes to the garnishment summonses with regard to the amount and time of payment of the garnishment fee when a federally regulated financial institution is the garnishee as provided under § 1190 of Title 12 in regard to legislation effective November 1, 2016, and November 1, 2022. I have reached out to the Oklahoma Bar Association to find out who specifically is in charge of the forms.

Title 43A O.S. § 10-111.1 – Vulnerable Adult Abuse, Neglect and Exploitation Report

Elder financial exploitation has been the topic of three OBA Legal Briefs articles: July 2006, June 2007, and July 2008. These are available to read online on the OBA website.

Section 10-111.1 was added to the Oklahoma statutes in 2018. The statute as amended requires the Office of the Attorney General to maintain the Vulnerable Adult Abuse, Neglect and Exploitation Report accessible to the public on the Internet in an electronic format that is easily and readily searchable to include persons found guilty by a court of law or who have entered a plea of guilty or nolo contendere (Latin for “no contest”) to a charge of abuse, neglect, or exploitation of a vulnerable adult. The Report will provide the full name of the offender, information necessary to identify the individual, information regarding the case regarding convictions and confessions made in a court of law, and the date the offender was convicted or pled guilty or no contest. The Report is required to be updated quarterly.

The Oklahoma Uniform Power of Attorney Act that became effective November 1, 2021, which is covered in the September and October 2021 OBA Legal Briefs, requires banks to accept an acknowledged Power of Attorney (signed by the principal in the presence of a notary). There are six exceptions, one of which is stated in § 3020 of the Act:

“The person makes, or has actual knowledge that another person has made, a report to the Adult Protective Services office stating a good-faith belief that the principal may be subject to physical or financial abuse, neglect, exploitation or abandonment by the agent or a person acting for or with the agent.”

Title 58 O.S. § 1252 – Transfer-on-death (“TOD”) deeds

Oklahoma has allowed Transfer-on-Death deeds since November 1, 2008 (see August 2008 OBA Legal Briefs), but the statute has had a few amendments over the years. Additional changes were made this last legislative session. The amendments are effective November 1, 2023.

TOD Deeds convey any estate or interest in, over or under land, including surface, minerals, structures and fixtures. The signature, consent, or notice to a beneficiary or beneficiaries is not required prior to the owner’s death.

Subsection C. is amended and provides:

A designated grantee beneficiary may accept real estate pursuant to a transfer-on-death deed only on behalf of himself, herself, or a legal entity over which he or she has proper authority. A beneficiary shall not accept such real estate on behalf of another designated beneficiary.

Subsection D. is amended to require:

Each designated grantee beneficiary wishing to accept real estate pursuant to a transfer-on-death deed shall execute an affidavit affirming:

  1. Verification of the record owner’s death;
  2. Whether the record owner and the designated beneficiary were married at the time of the record owner’s death; and
  3. A legal description of the real estate.

Former Subsection D. is now E.:

  1. The grantee shall attach a copy of the record owner’s death certificate to the beneficiary affidavit. For a record owner’s death occurring on or after November 1, 2011, the beneficiary shall record the affidavit and related documents with the office of the county clerk where the real estate is located within nine (9) months of the grantor’s death, otherwise the interest in the property reverts to the deceased grantor’s estate; provided, however, for a record owner’s death occurring before November 1, 2011, such recording of the affidavit and related documents by the beneficiary shall not be subject to the nine-month time limitation. Notwithstanding the provisions of Section 26 of Title 16 of the Oklahoma Statutes, an affidavit properly sworn to before a notary shall be received for record and recorded by the county clerk without having been acknowledged and, when recorded, shall be effective as if it had been acknowledged.

Subsection F. is new:

  1. A beneficiary affidavit recorded pursuant to this section before November 1, 2023, in which one or more, but not all, named beneficiaries of a transfer-on-death deed explicitly accept the interests being conveyed by the deed on behalf of all or some of the beneficiaries named shall be effective to accept such interests if executed by at least one of the named beneficiaries accepting such interests.

The real estate interest conveyed by a TOD Deed taken by the beneficiary/beneficiaries is subject to the bank’s existing mortgage.

Title 42 O.S. § 91 – Personal property liens

I last covered changes to this statute in the December 2014 OBA Legal Briefs, much of which remains unchanged.

This section applies to every vehicle, all-terrain vehicle, utility vehicle, manufactured home, motorcycle, boat, outboard motor, or trailer that has a certificate of title issued by the Oklahoma Tax Commission/Service Oklahoma or by a federally recognized Indian tribe in the State of Oklahoma.

The special possessory lien provided under this section will have priority over any perfected liens (e.g., lien entries and other lien claimants), ONLY if the lien claimant strictly complies with ALL applicable provisions of § 91 with regard to submission of claim and documentation, notice and mailing requirements to owner and other lien holders with regard to the lien, as well as notice of sale. If the lien is denied, the claimant may resubmit its claim once within 15 business days of denial. One change to the existing statute is when the possessory lien claimant has been in possession of the property for at least 21 days before the Notice of Sale is to be mailed. The second change is that proceedings for foreclosure in 20 days after the lien accrued, except as provided elsewhere by Oklahoma law.

RESPA – Section 8

By Andy Zavoina

In December 1974 Public Law 93-533 was passed. That may not mean much to you initially, but Section 8 of that law is very meaningful. In short, I’m referring to Section 8 of the Real Estate Settlement Procedures Act (RESPA). I’m not sure why, where there is a violation, we commonly reference the section of the actual law instead of Reg. X, where we study it and read about the restrictions, but at times it is good to go to the roots of the law and see what it says. The law and the Reg follow each other closely in this section, which is implemented in § 1024.14 of Reg. X. Briefly, it prohibits a person from giving or accepting anything of value for referrals of settlement service business related to a federally related mortgage loan. It also prohibits a person from giving or accepting any part of a charge for services that are not performed. These are also known as kickbacks, fee-splitting and unearned fees.

Penalty Overview: Violations of Section 8 are subject to criminal and civil penalties. A person who violates Section 8 may be fined up to $10,000 and imprisoned for up to one year. In a private lawsuit a person who violates Section 8 may be liable to the person charged for the settlement service an amount equal to three times the amount of the charge paid for the service.

Background: When you search on “Section 8” or “kickbacks” you will find many resources including those from real estate brokers and Realtors. I am not a Realtor but those I know have all been trained on Section 8. “Thou shall not give, nor receive” and the emphasis is on any gift that could be construed as an incentive for a mortgage referral. The law aims to punish both sides of that violation because it is intended to protect the third party in this, the consumer – the borrower in these transactions.

If Lender A pays Realtor B to send business its way, Lender A gets more business but now has more costs. Lender A has to recover these costs and that would be compensated for by higher fees charged to Borrower C. This makes the loans less affordable. That is why we have this section of law and regulation. The common issues that promote discussions on Section 8 are inadvertent violations. That is, things not truly intended to violate the rules but at face value, may.

Lender A is at lunch and sees his friend, Realtor B. They chat about the Friday night football game the whole town is excited about and about business. If Realtor B mentions, “hey, I have a prospect you may be interested in. They just moved to this area, and I found them a great house. Qualifying for a new mortgage is hard, though, because of his new job.” Lender A is always looking for mortgage production and a new depositor prospect is icing on the cake. Lender A picks up the lunch tab. Is that a kickback, a Section 8 violation?

At other times, the violations appear concrete and completely justified. Let’s examine the August 17, 2023, Consent Order between the Consumer Financial Protection Bureau (CFPB) and Freedom Mortgage Corporation (Freedom), File No. 2023-CFPB-0008. This is a case of both giving and receiving, so we will include an examination of a separate Consent Order (File No. 2023-CFPB-0009) against Realty Connect USA Long Island, Inc. (Realty Connect) issued on the same day.

Section 8 violations do not appear to be common as this was the first for the CFPB since 2017, but it was egregious, as you will see. The CFPB is not the only agency looking at RESPA rules and compliance with them, however. The Federal Deposit Insurance Corporation (FDIC) published its Consumer Compliance Supervisory Highlights, in March 2023. It stated, “In 2022, the FDIC identified RESPA Section 8(a) violations where a bank contracted with third parties that took steps to identify and contact consumers in order to directly steer and affirmatively influence the consumer’s selection of the bank as the settlement service provider. In some cases, this process involved the third party calling identified consumers and directly connecting and introducing them to a specific mortgage representative on the phone. This process is often referred to as a “warm transfer.” In other cases, the process involved operation of a digital platform that purported to rank lender options based on neutral criteria but where the participating lenders merely rotated in the top spot. Although each case is fact specific, indicators of risk in these arrangements include a third party that does one or more of the following activities:

  • Initiates calls directly to consumers to steer them to a particular lender;
  • Offers consumers only one lender or will only transfer the consumer to one lender;
  • Describes the lender in non-neutral terms such as preferred, skilled, or possessing specialized expertise;
  • Receives payment from the lender only if a “warm transfer” occurs; or
  • On a consumer-facing digital platform that purports to rank settlement service providers based on objective factors, includes providers that pay to take turns appearing in the top spot in a round-robin format.

Payment for activities that go beyond the simple provision of a “lead” may be improper payment for referrals when the activity affirmatively influences the consumer towards the selection of a particular lender. The warm transfers were of particular interest in the report.

Consent Orders: Let’s review the specific compliance issues in the two consent orders, but first an attention getter – the Consent Orders provide for civil money penalties of $1.75 million against Freedom and $200,000 against Realty Connect, along with other compliance obligations. While each party has its own obligations to adhere to RESPA and Reg. X, one is not doing the other any favors with enticements that lead to long term and expensive problems such as these enforcement actions.

The period during which these actions took place began in January 2017 and essentially extends to August 2022. The focus was on Freedom’s “Traditional Retail Unit,” which was part of Freedom until about August 2021, and then these activities were conducted through a former subsidiary, RoundPoint Mortgage Servicing, Inc. The traditional retail unit was one in which loan officers went directly to real estate brokers and agents to obtain new loans.

Issue One: Freedom paid for subscription services and gave real estate agents and brokers (collectively “brokers”) free access. These were professional publications which offered useful information to the brokers concerning property reports, comparable sales, and foreclosure data in their markets. For RESPA this was a “thing of value,” as the retail cost would be $300 per month for this service. While the Realty Connect Consent Order states more than 100 of its brokers accepted this service, (Freedom’s cost based on a retail subscription would be $30,000 per month) the Freedom Consent Order indicates over 2,000 brokers accepted subscriptions. (Perhaps that was different brokers over a period of time and perhaps Freedom had a multi-user license at a lower cost. Still, a “thing of value” is based on the retail value.)

Issue Two: Freedom sometimes required brokers to be paired up specifically with an individual in the Traditional Retail Unit and this also influenced that broker’s access to the valuable subscription service. These brokers made more than 1,000 mortgage referrals and it was a quid pro quo arrangement, according to the Freedom Consent Order. Realty Connect’s Consent Order indicated more than 400 referrals were made during the period reviewed which affirms there were issues with other brokers as well.

Issue Three: From at least July 2017 through 2022, Freedom hosted and subsidized events for certain real estate brokers and agents. This included food, beverages, alcohol and entertainment. Freedom also gave away free tickets to sporting events, charity galas and other events that would each have had a cost had the brokers paid their own way. Some of these events cost Freedom thousands of dollars and more. One event paid for by Freedom and held at a restaurant and bar cost them more than $6,300 as it included rented sports simulators. There were fifty brokers there because they referred the most mortgage loans to Freedom and new brokers were also in attendance in a recruitment effort by Freedom to develop more referral brokers.

Freedom denied requests for event sponsorship from brokers who did not refer mortgage business to its loan officers.

These activities were viewed as part of a pattern, practice, or course of conduct of giving things of value to create, maintain, and strengthen mortgage referral relationships. It clearly went beyond mere business development.

Issue Four: In October 2020, the CFPB produced a guidance document to clarify its position on Marketing Service Agreements (MSAs) and Section 8 practices. An MSA involves two or more parties whereby one agrees to market or promote the services of another and receives compensation for the work provided. A lawful MSA is an agreement for the performance of marketing services where the payments under the MSA are reasonably related to the value of services actually performed.

Freedom had marketing agreements with over forty real estate brokerages. Payments varied but ranged from a few hundred to several thousand dollars per month. The total amount Freedom paid under its MSAs during the period reviewed here was approximately $90,000 per month.

One agreement included promotion rights by Freedom to the brokers at Realty Connect. Freedom was allowed to have its loan officers promote themselves at Realty Connect internal meetings and to allow those lenders to email the brokers directly as “referral partners.” It was also agreed that Freedom would host at least one training event for Realty Connect’s brokers at least quarterly to maintain and increase the referrals from those brokers.

The MSA with brokerages, of which Realty Connect was one, required brokerages to provide marketing services. Realty Connect received $6,000 per month from Freedom under the MSA from January 2017 to December 2022. This equates to $432,000 for marketing services.

Realty Connect failed to execute many of the marketing tasks required by its MSA with Freedom. Realty Connect was to send 15,000 marketing emails each month, allocating 50% of the content to Freedom. Realty Connect sent no marketing emails at all. The MSA required Realty Connect to maintain three “physical locations showing video loop or kiosk advertising” for Freedom. Realty Connect had no video loops or kiosks. And the MSA required Realty Connect to create an average of 75 property websites per month showing Freedom’s content, but it never created any property websites.

As further demonstration that the MSAs were a sham to pay for referrals and not generally advertise for Freedom, the Realty Connect Consent Order provides an example of an exchange between a loan officer and a broker in which a lender was to help promote a Realty Connect open house. The lender said, “I want to continue to help you with this, do you think on your listing you can try to get me some referrals to work with?” The agent replied, “I have recommended you many times—Gave them your info on the last two sales.”

Additionally, Freedom had its own professional design team to create the marketing copy it advertised with, including co-branded mailers and open house flyers. Freedom also owned and operated its own print shop that created the hard copies it used as advertisements. Freedom essentially created and produced its own advertisements and was not using the services the MSAs called for. Realty Connect’s actual role in the marketing activities was limited to offering minor design suggestions and it paid the postage for the co-branded mailers. The monthly $6,000 fee was excessive compensation for the services actually performed.

Freedom also encouraged those brokerages with MSAs to use a third-party smartphone app, which Freedom’s loan officers would share with the brokers. The brokers would then share the app with their clients. The app then featured the Freedom loan officer’s headshot and Freedom’s logo at the top, and included buttons where the client could directly contact the loan officer for assistance. It is inferred that this proprietary app is considered akin to a direct referral by the CFPB, although I have seen no specific guidance on this.

Some brokers who worked with Freedom and its MSAs received direct payments. This also emphasized to the CFPB that the MSA was a method to pay compensation for referrals and not for advertising.

Closing: Additional requirements in the Consent Orders require that there be no further Section 8 violations. I used to think it made no sense for an enforcement order to say “for the next 3 years you cannot violate Section 8…” as an example. There was never any inference that anyone could. But if there is a subsequent violation, it is not only a repeat violation but violates the enforcement action they specifically agreed to, allowing even more charges to be added to a new action. Additionally, the Consent Order emphasizes that the Board of Freedom has the ultimate responsibility for compliance and the board must review all the plans and reports required in the Consent Order. It is putting them on notice. There are accounting and reporting requirements and additional prohibitions placed on things related to Section 8. One year from the Consent Order a detailed report has to be filed with the CFPB describing its progress. It also states that in the event the company is sold, the purchaser must agree to the terms of this Consent Order, effectively removing the possibility of a reorganization by the same or similar ownership attempting to dodge these restrictions and requirements.

Section 8(c) of RESPA does describe allowable payments as it states, “Nothing in this section shall be construed as prohibiting (1) the payment of a fee (A) to attorneys at law for services actually rendered or (B) by a title company to its duly appointed agent for services actually performed in the issuance of a policy of title insurance or (C) by a lender to its duly appointed agent for services actually performed in the making of a loan, or (2) the payment to any person of a bona fide salary or compensation or other payment for goods or facilities actually furnished or for services actually performed.”

The FDIC in its Consumer Compliance Supervisory Highlights referenced earlier also noted five things that banks can do to mitigate risks associated with Section 8 violations.

  1. Train applicable staff on what is permitted to generate leads, and what is prohibited and would be an illegal referral.
  2. The lenders and management need to review any referral program the bank is participating in to clearly understand the functions of the program and any cost structure and cost justification.
  3. Management must develop policies and procedures which strictly comply with the regulatory requirements in Reg. X and RESPA as to programs designed to generate leads.
  4. Require loan officers to report annually the established relationships that are used for mortgage loan generations and new ones which develop, so that they may be reviewed and approved by management.
  5. The bank must impose controls to monitor lead generation activities for compliance with the bank’s policy and procedures as well as RESPA and Reg. X.

August 2023 OBA Legal Briefs

  • HMDA Analysis
  • Personal Responsibility
  • Forms Update

HMDA Analysis

By Andy Zavoina

If your bank is a reporter under the Home Mortgage Disclosure Act (HMDA), you may well have some work to do if you have not already done some or all of this. On June 29, 2023, the Federal Financial Institutions Examination Council (FFIEC) announced the availability of data on 2022 mortgage lending transactions reported under HMDA. This HMDA data is the largest source of publicly available data on mortgage lending in the United States. If your bank is reporting, your data is here. Other banks in your geographic areas who report also have data here. Banks outside your area which may be similar to yours, yes, that data is here too. It is all available and can more easily than ever before be analyzed. This article is a discussion on why — and a little bit of how — to analyze your data and that of your peer banks.

Years ago, the system was far less automated than we have today. When the HMDA data came out it was sent to central repositories. In my case it was held as reference material in the local public library which happened to be a few blocks from the main branch I was working out of. It was set up by Metropolitan Statistical Area (MSA) and was a treasure trove if you knew what you wanted to do with it.

When teaching compliance management, I often say compliance is not a cost center as it is often described, but a resource because it touches so many areas in the bank. In this case you are touching on loan production, and you can compare your bank’s production against that of your peers. Management likes to know how the competition is doing and you can compare apples to apples, at least as far as HMDA reportable loans are concerned.

Your Marketing area can use this data to see what type of applicants for HMDA loans it is attracting and where these applicants may be from as well as where they want to move to. Consider the ways you can use this data. You can easily build a picture of who your applicants are and where they live. That means you also know the areas they are not living in, and this is what can help Marketing redirect advertising campaigns if those are areas you need or want to market to. This information is data gold for Marketing and management as well, and you have it all available right now.

You can plot where the mortgage loans (so long as they are HMDA reportable, so not everything, but a lot) are not just for your bank, but for all those peer lenders in your area as well. And you can reach farther if desired. One of my banks was a military bank. We had borrowers literally all over the world and, while it was less common than say a car loan, we did some mortgage financing all over the country. Other military banks may be doing the same. It is often difficult to get a lot of data about your peer banks when they happen to be across the country from you, but as a military bank, they were our peers, and it was important to understand how my numbers compared to theirs. We recognized that there were different markets and quite different conditions, yet when it came to the Community Reinvestment Act (CRA) this was a comparison you wanted to be aware of. Were our numbers close to our peers or far different – and in either case why? When you compare your loan volumes to your peers, and when you understand the different lending strategies of these other lenders, it helps set benchmarks and goals as well as to understand your own loan patterns.

Again, when you know to whom you are lending, you also know those to whom you are not lending. Are your numbers good or bad when you look, for example, at racial demographics? When you ask in the loan committee meeting why (as a hypothetical) there were so few loans to Blacks and the response is there are few Black applicants applying, it sets off questions such as:

  • Are we marketing to areas of a majority minority?
  • Are we trying to reach this demographic in targeted ads? Why or why not?
  • What percent of our applicants were Black?
  • What percent of our Black applicants were approved, denied, withdrawn, or closed for other reasons?
  • And if there is a level of complacency with those figures, next compare yourself to those peer banks’ lending in the same area, to the same would-be home buyers.

When it comes to fair lending justifications of your bank’s actions, read fair lending enforcement actions, and learn how regulators and the Department of Justice (DOJ) attorneys compare the results of your bank to peer banks. As one example, consider when the Consumer Financial Protection Bureau (CFPB) and the DOJ took action against Trident Mortgage Company LP (Trident) under the Fair Housing Act (FHA), the Equal Credit Opportunity Act (ECOA), and Regulation B, as well as the Consumer Financial Protection Act of 2010 (CFPA) (also referred to as Unfair, Deceptive, or Abusive Acts or Practices (UDAAP)) to remedy discrimination in Trident’s mortgage lending. There were many problems with Trident, and we covered many of the problems in last April’s edition of the Legal Briefs. Here is a snippet from that edition to emphasize the points of this HMDA analysis.

Trident received 80 percent of its mortgage applications for properties located in the MSA it defined as its market area. But the actual loan distribution pattern showed a disproportionate number in the majority-white areas. As a foundation there was the selection of office locations and limited outreach and marketing which led to these lending patterns which are confirmed by HMDA data. One must ask, “was this a choice?” When comparing HMDA data, Trident significantly underperformed its peer lenders in generating home mortgage applications from majority-minority neighborhoods and the disparity between the rate of applications generated by Trident and by its peer lenders from majority-minority neighborhoods and high-minority neighborhoods was both statistically significant.

Of the nearly 31,000 applications on the HMDA reports from 2015 through 2019, 12 percent came from majority-minority areas. Peer lenders generated 21.5 percent of their 135,000 applications from these areas. The disparity was seen year after year. In high-minority neighborhoods, Trident showed 4.1 percent of its applications as coming from high-minority areas, compared to 10.8 percent for its peer lenders.

Trident significantly underperformed its peer lenders in making home loans in majority-minority neighborhoods as well. The complaint notes that, “…of the 22,960 HMDA-reportable loans Trident made for single family dwellings from 2015 through 2019 in the Philadelphia MSA, 11.7% came from residents of majority-minority areas. By contrast, Trident’s peers made 16.2% of their 50,060 loans from these same majority-minority neighborhoods.” And only 3.7 percent of Trident’s loans were made in high-minority areas, while peer lenders made 6.9 percent of their loans in these same areas.

Enforcement actions are a good “go by” for the type of analysis done when lending is questionable. CRA Public Evaluations are another resource not only for key analytics, but also for comments as to what was good, bad and ugly. Remember that HMDA analysis is a basis for fair lending examinations which are a foundation for your next CRA exam. When you can identify weaknesses in your numbers, you can proactively impose corrective actions, and this demonstrates to examiners reviewing your bank’s lending activity and your compliance program that you are aware of and managing the processes.

The data available will help show whether your lenders and therefore your bank are serving the housing needs of the communities you serve as your market area. It includes information that helps management make recommendations to the board on decisions and policies and draws attention to your lending patterns that could be discriminatory. Your bank, as a HMDA filer, recorded up to 110 different data points for each HMDA applicable mortgage application received on a Loan Application Register (LAR). What you have in your bank is your complete LAR. In March, the FFIEC provided your bank with a modified, or sanitized, LAR. The modified LAR data provides information from the most current HMDA submission that was required to be submitted essentially a month earlier, by March 1, of each year. This modified LAR is available to the public, and to your bank and your peer banks who are also evaluating your bank’s performance. Section 1003.5(c) of Regulation C requires that you post, “a written notice that clearly conveys that the institution’s loan/application register, as modified by the Bureau to protect applicant and borrower privacy, may be obtained on the Bureau’s Web site at www.consumerfinance.gov/hmda.” The publicly released data excludes or modifies several data points reported by all the institutions submitting LAR data, such as the universal loan identifier, the date the application was received or the date shown on the application form, the address of the property, the credit score or scores relied on in making the credit decision, and any applicant or borrower ethnicity free-form text field. In theory this makes it difficult to review entries and identify a particular applicant and therefore data about that applicant which is protected by privacy laws. Others have pointed out faults in this system as deeds are public documents and with a little work a knowledgeable person can connect many dots. 
Connecting those dots is not the point of this article, but rather what you can do with the LAR data to analyze the mortgage lending picture your lenders are painting and how you compare to peer banks.

So, where would you find HMDA data now that the old central repositories are automated? HMDA data is available at https://ffiec.cfpb.gov/. You can also find a HMDA Data Browser at https://ffiec.cfpb.gov/data-browser/ which will help you filter any and all of the LARs that were submitted. In June 2022 the CFPB published “A Beginner’s Guide to Accessing and Using Home Mortgage Disclosure Act Data,” which you can find online here, https://files.consumerfinance.gov/f/documents/cfpb_beginners-guide-accessing-using-hmda-data_guide_2022-06.pdf. In addition to background HMDA information, this is a step-by-step guide on how to filter the data to extract just what you want to know. In computer coding there is an old adage, “garbage in – garbage out,” meaning you can get out what you put in. Your LAR has that “up to 110 data points” mentioned already. Data for your peers is modified information but, as said earlier, it is still especially useful to management, Marketing, those working on your bank’s strategic plan, everyone analyzing fair lending and certainly Compliance. A sound recap and analysis of the data available will be a compliance value-added exercise to the bank for the information you need to know anyway.

Review the Beginner’s Guide mentioned just above as it takes a user through the steps to apply the filters and it has additional instructions with graphics to help you use Excel and Pivot Tables to get the most out of your analysis. In total this is a 29-page PDF that will help ignite your analytical curiosity and provide needed information to your bank. Compare your results, especially those government monitoring demographics, to the breakdown for your market areas. That is, if your area is X percent white, Y percent Black and Z percent Asian, how do your applications correlate to those numbers, and your approved loans, and do not forget the denials and withdrawn applications. Based on the HMDA data tables available annually from the CFPB and ideas of key data points gleaned from enforcement actions and CRA Performance Evaluations, choose the data you want to focus on.

While you can do peer comparisons only annually, you can track your bank’s progress using quarterly updates to further refine corrective actions. Then determine how your numbers compare to peers. Does this analysis indicate strengths, weaknesses, and areas upon which you can improve? The lending data you arrive at should influence or confirm what you are doing with marketing activities, lending policies, and exceptions being made, and may shed light on complaints.

Here are some high-level observations about the 2022 HMDA data that are of interest.

  • The 2022 LAR data includes information on 14.3 million home loan applications.
  • 11.5 million applications (82 percent) were for closed-end credit, while 2.5 million (18 percent) were for open-end products.
  • As to the aggregate demographics of the borrowers’ race and ethnicity, the portion of closed-end home purchase loans made to Black borrowers rose from 7.9 percent in 2021 to 8.1 percent in 2022. The portion made to Hispanic borrowers decreased slightly from 9.2 percent to 9.1 percent, and those made to Asian borrowers increased from 7.1 percent to 7.6 percent.
  • In 2022, Black and Hispanic applicants experienced denial rates for home purchase loans of 16.4 percent and 11.1 percent respectively, while the denial rates for Asian and non-Hispanic White applicants were 9.2 percent and 5.8 percent, respectively.

After management has had an opportunity to study the data, your board of directors should receive a high-level summary of where you are and where the data will be taking you. This is an opportunity to influence the confidence they have in your abilities and the resources available for your compliance management program.

Personal Responsibility

By Andy Zavoina

If you have taught regulatory requirements before, you likely mentioned the potential penalties for noncompliance. As an example, Reg B has penalties for noncompliance in § 1002.16(b) that include actual damages in individual or class actions – without a limit, and punitive damages in individual or class actions, where liability for punitive damages is limited to $10,000 in individual actions and the lesser of $500,000 or 1 percent of the lender’s net worth in class actions.

By the time an instructor gets to this part of the presentation the listener’s eyes are glazing over and they hear Charlie Brown’s teacher saying, “never has happened, don’t worry, the bank gets penalized not the employee or officer.” But that is not always the case, and it is often wise to remind everyone of that, from the newest teller to that longest-standing director on the board. Everyone in the bank is responsible for ethical behavior and compliance. And while everyone has a boss they report to, I remind officers of a bank that they work for the bank, and not necessarily for their boss. This is especially important for those in the role of auditor and those responsible for compliant and ethical performance evaluations. Just as in the military, we follow instructions, but we also trust that no “illegal” orders will be given.

It may have seemed harmless initially, but let’s look back at Wells Fargo for a moment. A few years ago, Wells Fargo’s troubles really came to the forefront when the bank was accused of, among other things, opening accounts for consumers without those consumers’ requests or consents. At the center was a push to meet lofty sales goals. In September 2016, the bank agreed to pay a $185 million fine and return $5 million in fees wrongly charged to customers. The problem originated with bank employees allegedly opening more than two million deposit and credit card accounts without customers’ permission. Wells Fargo’s ex-CEO John Stumpf apologized during a congressional hearing in which he accepted the blame saying, “I accept full responsibility for all unethical sales practices.” In the long term, however, 5,300 Wells Fargo employees lost their jobs because of the practices employed.

A personal observation of mine was that because the employees created the accounts without authorization and moved deposits to and from the accounts to activate them, I could have seen a case for identity theft and fraud against those employees. Thankfully, I never heard of that happening and the root of the problem was not the employees’ actions, but the push to meet goals and the potential that “illegal orders” were given or at least insinuated. Here are three examples of how unethical sales practices sprang from minor unethical compromises.

  1. A new accounts representative is under pressure to meet sales goals and pushes a customer to add a credit card, even though the rep knows it’s not in the customer’s best interest and was not requested.
  2. As the month progresses, the rep is short of the goal and asks friends and family to open new accounts. These accounts served one purpose – to inflate account production numbers. In reality, the bank staff spent time programming these new accounts which were closed shortly thereafter, and the cost was greater than the income that was never produced.
  3. With the account production goal still out of reach, the rep opens accounts without asking customers and transfers a small amount of money. These accounts are also closed shortly after opening and the money is transferred back. Customers may question what happened but when they see the funds transferred back, why frustrate themselves by calling the bank to complain and inquire as to what happened?

But to be clear, Wells Fargo was not alone; they were just the first big bank to gain national coverage for unethical and illegal practices surrounding creating deposit and credit accounts that were not requested by the consumers whose names they carried. Fifth Third was accused of this, and in March 2020 the CFPB initiated a suit against that bank. The complaint alleged that Fifth Third’s cross-selling practices, which included sales goals and an incentive-compensation program, caused Fifth Third’s employees to open new consumer accounts for existing customers without their knowledge or consent. The CFPB alleged that such conduct in certain respects was unfair and abusive (yes, a UDA(A)P issue) and that issuing unauthorized credit cards and opening deposit accounts without required disclosures violated Reg Z and Reg DD.

Fast forward to July 2023, when the OCC and CFPB ordered Bank of America to pay $100M in consumer redress and $150M in fines for an out-of-control incentive program that resulted in unauthorized account openings, credit reports, etc., which is a basic rehash of the problems at Wells Fargo and Fifth Third. These were not the only issues, as the Bank of America action also cites junk fees relating to multiple presentments of NSF items and mismanagement of credit card systems. As typically happens, many regulatory and ethical violations are part of a snowball that grows as the investigation continues and additional violations are uncovered or found to have evolved, such as the failure to make disclosures on an account that was fraudulently opened anyway.

Let’s look closer at one case of a former executive involved in the Wells Fargo case. Carrie Tolstedt was an executive, or THE executive, accused of overseeing programs that resulted in the millions of fraudulent customer accounts at Wells. In March 2023, she agreed to plead guilty to criminal charges which could impose actual prison time. In her agreement with the court, she will serve a 16-month prison sentence for obstructing regulators’ investigations into abusive sales practices that culminated in the bank paying what has turned into billions of dollars in fines. Tolstedt also agreed to pay a $17 million fine in a separate settlement with the OCC that also bans her from working again in the banking industry. BankersOnline covered this in its Top Story at https://www.bankersonline.com/topstory/173048.

Tolstedt was not alone in the list of executives who fell as a result of the new account production goals that were virtually unattainable. These goals were emphasized with a slogan of “eight is great.” That was, each customer should have eight separate accounts at the bank. Why eight? It was said that was selected because it rhymed with “great.”

Take a moment to look at your product offerings and try to determine what sales techniques you could use to accomplish this. Now reconsider it as if your job is on the line as it was for the 5,300 former employees who talked of supervisors screaming at them to meet the goals. They were told if they could not meet their goal, they would be working at McDonald’s. Those missing goals would have what was essentially an after-school detention and were often tasked with “call sessions” on Saturdays. Presumably, these sessions were to make calls and hone sales skills. Employees in many cases either reverted to unethical and illegal techniques or were embarrassed in front of their peers, demoted, or fired. In the three-step process to meet goals, consider that some new accounts reps were able to meet goals. Now the pressure was up because others had to employ the same tactics. And that culture fed on itself and has caused huge fines to be imposed as well as direct personal responsibility. Goals should be realistic, rules should be well known, and controls must be in place to police the rules.

Forms Update

By Andy Zavoina

We are in the heat of summer as this edition of Legal Briefs goes to the presses, but it is a perfect time to get a pesky change out of the way. Often this might be something to do at year end, but as some banks prepare for 1071 changes, and the normal year-end tasks followed by HMDA submissions will all be coming about at the same time, why wait? These changes impact Reg B’s Adverse Action Notices, some Fair Credit Reporting Act disclosures, and a bit of Reg E. There were several others, but we will cover in detail what impacts our banks.

If you use preprinted forms that will change, you will want to use up any supply and not reorder any bulk that may not be used by the mandatory compliance date. You will want to get the new addresses on your next order. And if you need to have a forms vendor program the changes, well, they will be busy at year-end and beginning of 2024 too, so just get this out of the way so you can enjoy summer.

What I’m speaking of is change management, specifically changes to notices and disclosures. On March 20, 2023, the CFPB published a Final Rule in the Federal Register. Look for Vol. 88, No. 53, Monday, March 20, 2023, and page 16531 if you want all the details. The “Regulations” pages on BankersOnline.com also reflect these changes. These were considered non-substantive corrections and updates. The “Cliff Notes” version of the changes simply tells you that some regulatory agencies have had address changes for notices you provide to your customers and those disclosures and notices need to be corrected. The effective date for optional compliance has passed. It was April 19, 2023, so you may comply now, but compliance with these changes is not mandatory until March 20, 2024. Again, why wait and risk this falling through the cracks?

Reg B and Adverse Action Notices
The most significant change for banks is under Reg B, Appendix A, which lists contact information for the CFPB, OCC, FDIC, National Credit Union Administration (NCUA), Federal Trade Commission (FTC), and other agencies. (The Federal Reserve is listed but did not change.) The contact information listed must be included in Reg B adverse action notices. This is separate from the FCRA disclosure many banks have combined onto the Reg B adverse action notices. The two are called the same thing but have different disclosure rules and content. The FCRA notice on Reg B’s forms has not changed, although there is an FCRA change noted below.

The OCC regulated institutions should be showing the following:

Office of the Comptroller of the Currency
Customer Assistance Group
P.O. Box 53570
Houston, TX 77052

The FDIC regulated institutions should be showing the following:

Division of Depositor and Consumer Protection
National Center for Consumer and Depositor Assistance
Federal Deposit Insurance Corporation
1100 Walnut Street, Box #11
Kansas City, MO 64106

The CFPB regulated institutions should be showing the following:

Bureau of Consumer Financial Protection
1700 G Street NW
Washington DC 20552

And without change but for the record and accountability in case you want to check, the FRB regulated institutions should be showing the following:

Federal Reserve Consumer Help Center
P.O. Box 1200
Minneapolis, MN 55480

Interpretations
The CFPB also corrected its contact information in Reg B’s Appendix D, for the process for requesting official CFPB interpretations of Reg B. The same address below is applicable for Reg E interpretations. The difference between the old and new addresses was a change in the ZIP code.

A request for an official interpretation should be in writing and addressed to:

Assistant Director, Office of Regulations,
Division of Research, Monitoring, and Regulations,
Bureau of Consumer Financial Protection,
1700 G Street, NW
Washington, DC 20552

Fair Credit Reporting Act
In Reg. V and the Fair Credit Reporting Act (FCRA), the CFPB amended the model form in Appendix K for the “Summary of Consumer Rights” to correct the contact information for various agencies, including the OCC, FDIC, and NCUA. Those addresses are on the form itself. A Word version is in a link on the BankersOnline Regulations page. Consumer reporting agencies must provide the Summary form when making written disclosure of information from a consumer’s file or providing a credit score to a consumer. Most importantly, this Summary must also be provided by Human Resources at your bank before obtaining an investigative consumer report (under 1681d(a)(1)), and with pre-adverse action notices for employment purposes (under 1681b(b)(3)). As Compliance and/or Internal Audit complete a periodic FCRA audit, this is one of those potential “gotchas” you want to look at to ensure the procedures are correct for providing these notices if someone is denied employment or a promotion, as examples, based on a credit report.

Real Estate Settlement Protections Act
In Reg. X, the Real Estate Settlement Protections Act (RESPA), the CFPB has corrected its contact information in the definition of “Public Guidance Documents” in section 1024.2(b) and in the introductory section of Supplement I, which provides the procedure for requesting copies of public guidance documents from the CFPB and the procedure for requesting official CFPB interpretations of Regulation X.

Truth in Savings Act
In Reg. DD, and the Truth in Savings Act (TISA), the CFPB has corrected its contact information in Appendix C, which provides the procedure for requesting a determination from the CFPB regarding whether a state law is inconsistent with TISA and Regulation DD.

Truth in Lending Act
In Reg. Z, the Truth in Lending Act (TILA), the Bureau has corrected its contact information in Appendices A, B, and C, which provide the procedures for requesting a determination from the CFPB regarding whether a state law is inconsistent with or substantially the same as TILA and Reg Z, the process for a state to apply to the CFPB to exempt a class of transactions from TILA and Reg Z, and the process for requesting official CFPB interpretations of Reg Z. In Appendix J, the CFPB has corrected its postal address for requests to the CFPB for APR calculation tables and added a URL on its website at which the tables can be accessed.

July 2023 OBA Legal Briefs

  • Appraisal bias – Part II
  • Reconsideration of value
  • 1071 – Small Business Lending Rule, Basics

Appraisal bias – Part II

By Andy Zavoina

In March 2021 HUD approved a settlement between JPMorgan Chase and an African American woman over appraisal bias. There was no admission of fault on Chase’s side, but the bank agreed to pay the woman $50,000, and to improve and increase training of its staff, particularly on Reconsideration of Value (“ROV”) processes related to appraisals. The training includes specifics on how to manage complaints of discrimination in the appraisal process and the process for customers to submit an ROV request. The CFPB has said a lender’s reconsideration of value process must ensure that all borrowers have an opportunity to explain why they believe that a valuation is inaccurate and the benefit of a reconsideration to determine whether an adjustment is appropriate.

An ROV is a request to the appraiser to reconsider the analysis and conclusions the appraisal was based on and potentially information not presented in the appraisal report. Only the lender may request an ROV from an appraiser on the borrower’s behalf and most would be due to the appraised value being less than what the seller or borrower desires. ROVs became common vernacular when appraisal bias was in the news and in the courts and many regulators believe it should be routinely discussed with borrowers now.

Back to that Chase settlement, one provision of the agreement is that when a borrower gets a copy of the appraisal as required by Reg B, they’ll also get a cover letter and part of it will say:

Chase is committed to maintaining appraiser independence and preventing attempts to influence appraisers in the preparation of appraisal reports, as well as avoiding any discrimination or bias in the appraisal process. If you believe that any person has attempted to influence the appraiser in the preparation of the appraisal of your property or have any concerns with the reliability or credibility of the appraisal, please contact Chase mortgage support by calling 1-855-242-7346 Option “0”, as soon as possible to report any concerns of discrimination or bias or to discuss your options to contest the reliability of the appraisal.

Appraisals will be changing. On May 5, 2023, the Appraisal Standards Board voted to adopt the Fifth Exposure Draft of proposed changes to the Uniform Standards of Professional Appraisal Practice. Exposure drafts are developed by the Appraisal Standards Board and released for public comment. The new edition will be available this fall and will become effective on January 1, 2024. Press releases did not highlight the changes and I have not seen the draft yet, but bankers doing appraisal reviews should review it, and look for educational opportunities on them when finalized. ROVs and appraisal bias will be of special interest, although I did not find these in a keyword search of the latest draft. The Fifth Exposure Draft is available here, https://appraisalfoundation.sharefile.com/share/view/s1c715f1ed49541e6a5170f7bda14329f and the Appraisal Foundation says on its website that even if the comment period is over, and this draft closed in April, they still welcome comments on the rules.

Reconsideration of value

By Andy Zavoina

Well, no sooner had we gone to press with last month’s Legal Briefs discussing appraisal bias than the regulatory agencies, the Office of the Comptroller of the Currency (OCC), Federal Reserve Board (FRB), Federal Deposit Insurance Corporation (FDIC), Consumer Financial Protection Bureau (CFPB) and even the National Credit Union Administration (NCUA) (collectively referred to as the regulators), issued proposed guidance on Reconsiderations of Value (ROV) of Residential Real Estate Valuations. This is just an interagency proposal, but because your bank has compliance obligations today under anti-discriminatory laws and regulations, if you do not already have a compliance and risk management plan to deal with this issue, this proposal will certainly help you with interim steps to comply. By interim steps, I recommend you take your existing policy and procedures and consider incorporating key compliance techniques here, or if you are starting from nothing, use these recommendations as a starter document to help you comply with the existing requirements today. Starting from scratch is not a bad thing, because the agencies do not currently have any uniform ROV guidance.

This proposal will be a new concept to many lenders and contains and alters no existing law or regulation; it simply helps your bank to direct compliance actions to requirements that you already have, and where you may not have recognized there was a specific need. You may ask, “is there really a need?” The answer is a resounding Yes. Just refer to last month’s Legal Briefs. Mortgage applicants may ask about it, appraisal rules are being altered to comply, and since each of the federal regulators is a part of this guidance proposal, you can expect your examiners to ask what your bank is doing, are you proactive on these compliance needs, and how often you may have heard from an applicant who disagreed with an appraisal, so it is known that your bank actively seeks out compliant appraisals.

I will refer to the applicant as an interested party, but the guidance is focused on consumers. These terms should be used interchangeably and recognize that this could be a buyer or seller and a claim of a discriminatory process carries weight regardless of who it is from. And to be clear, in this context an appraisal includes any valuation your bank is using. I believe the “proactive” issue here may be the most important for many banks. You cannot afford to wait until there is a problem or until your examiners recommend you take action.

The proposal can be found here, https://www.consumerfinance.gov/about-us/newsroom/agencies-propose-interagency-guidance-on-reconsiderations-value-residential-real-estate-valuations/. As of this writing it has not been published in the Federal Register, but it will be, and banks will have 60 days to comment. The proposal contains all the information to include objectives and where to send your comments to each agency. With this pre-release you may start gathering thoughts now as to if and what you would comment on. We will point out some of the objectives below, but there are nuggets of compliance ideas in this proposal regardless. So, improve your existing procedures with these nuggets today, and finalize them in approved policies and procedures after the guidance is finalized.

Your bank is now aware that there have been obvious appraisal issues affecting the mortgage loan process and discriminatory practices whether they were overt, covert, or just the way the numbers came out, as some appraisers have put it. This is not a solution in search of a problem. Examinations and complaints indicate this is a nationwide problem. Two questions to ask are, have you experienced this discriminatory practice, and would you have recognized it if you had seen it? Appraisal reviews may need enhanced procedures. Applicants may need to be aware of their rights. And absolutely all mortgage lenders and those involved in the appraisal process must be cognizant of their responsibilities both to the applicant and the appraiser.

This proposed guidance describes how financial institutions may create or improve ROV processes that comply with existing laws and regulations yet preserve appraiser independence, which is an equally key element required in the mortgage lending process. You do not want to jump from the frying pan into the fire as you conduct ROV processes.

Comments requested on specific issues in the proposal aside, let’s look at some of those nuggets that you may use to improve compliance procedures surrounding appraisals immediately.

Justification – Issues to Mitigate

In October 2022, the CFPB blogged an opinion piece, “Mortgage Borrowers Can Challenge Inaccurate Appraisals Through the Reconsideration of Value Process,” clearly stating that applicants have rights to contest a valuation. (Also refer to June 2023’s Legal Briefs.) In June 2023, the FDIC also published its “FDIC Consumer News,” in which it states when appraisals are required, and that the applicant will pay some or all the costs. It goes on to explain, “Once the appraisal has been completed, a lender is required to provide you with a copy of the appraisal as soon as reasonably possible, but no later than three days prior to closing. Therefore, if you receive an appraisal that you suspect has inaccuracies that affect the resulting value, some initial work on your part may help to expedite a secondary review of the valuation and assist in closing on time.

“One thing you can do to prepare is to ask your lender early in the loan process whether they have a process for re-analyzing an appraisal, particularly if a consumer provides information that may affect the valuation. This process of re-analyzing an appraisal is also known as a reconsideration of value. If your lender has such a process, ask what information they will need and what their procedures are to request a reconsideration of value. Also, to set expectations, find out how the lender will keep you informed about the status of the review of the information you provide and of any action the lender may take to address your concerns.” It later states, “If you believe your property appraisal was not accurate, suspect any possible discrimination in the lending process, or have an appraisal-specific complaint, you should contact your lender to request reconsideration of value, if they have a process to do so, or to file a complaint regarding the appraisal with the lender if they do not.

“If you believe that the lender has not addressed your concerns, you can contact the lender’s primary federal regulator.”

Consumers are being made aware of the ability to dispute an appraised value and essentially encouraged to do so. This challenge may be made when they feel the valuation was completed with bias or simply with errors. Improperly completed appraisals may devalue the collateral. These could be caused by errors, omissions, poor comparable properties, or discrimination, all of which may affect the final valuation as being either incorrectly stated high or low. Undervaluing a property can have far-reaching negative effects and overvaluing it could be a safety and soundness issue for the lender. (Also refer to the Interagency Appraisal and Evaluation Guidelines, 75 FR 77450 (Dec. 10, 2010)). If an appraisal is questioned, corrective actions may include ordering a second appraisal or attempting to resolve the issue with the appraiser directly. Let’s assume the bank has discussed any noted shortcomings with the appraiser that both the bank and applicant brought to light and they have not adjusted it to your satisfaction.

It makes sense that the proposed guidance says that an ROV is a request from the financial institution to the appraiser to reassess the report based on potential deficiencies or other information that may have affected the value. It does not say any other party may make that request and because the financial institution made the request and understands the importance of appraiser independence, we will hope this also makes the final guidance.

The goal is to design an ROV procedure which is consistent with safety and soundness requirements, complies with pertinent laws and regulations, respects the appraiser independence requirements, and responds in a suitable manner to the applicants. The proposed guidance will assist you, as it has four intentions.

  1.  It describes the risks when collateral valuations are incorrect.
  2.  It outlines applicable statutes, regulations, and existing guidance that govern ROVs and collateral valuations.
  3.  It explains how ROV processes and controls can be incorporated into existing risk management functions, such as your appraisal review and complaint management programs.
  4.  It provides examples of ROV policies, procedures, and controls.

As you begin to outline your policy and procedures, consider these elements:

Why. Accurate valuations of all collateral, especially for mortgage loans, are essential to the loan process.

What. Deficiencies identified in appraisals, whether through appraisal review processes or from the applicant-provided information, may be a basis for financial institutions to question the credibility of the appraisal or valuation report.

How. Anyone reviewing the appraisal, whether for the bank or the applicant, may believe the valuation is biased based on some form of:

  • discrimination,
  • errors or omissions,
  • valuation methods,
  • assumptions,
  • data sources, or
  • conclusions that are otherwise unreasonable, unsupported, unrealistic, or inappropriate.

Laws, Regulations and Guidance

Resources for your policy and procedures should include meeting the compliance requirements of the following:

  • Equal Credit Opportunity Act (ECOA) and Reg B. These prohibit discrimination in any aspect of a credit transaction, and the valuation is a part of the transaction.
  • Fair Housing Act, as it prohibits discrimination in all aspects of residential real estate-related transactions.
  • Unfair, Deceptive, or Abusive Acts or Practices (UDA(A)P) – Section 5 of the Federal Trade Commission Act (UDAP), which prohibits unfair or deceptive acts or practices, and the “Abusive” addition from the Consumer Financial Protection Act, which prohibits any covered person or service provider of a covered person from engaging in any unfair, deceptive, or abusive act or practice. Undervaluing property deprives the borrower and potentially a seller of funds, which translates into many issues such as wealth, funds for education, business, home improvements, etc.
  • Truth in Lending Act (TILA) and Reg Z, which prohibit compensation, coercion, extortion, bribery, or other efforts that may impede the appraiser’s independent valuation in connection with any covered transaction. However, Reg Z explicitly clarifies that it is permissible for covered persons (which includes creditors, mortgage brokers, appraisers, appraisal management companies, real estate agents, and other persons that provide “settlement services” per RESPA and Reg X) to, among other things, request the preparer of the valuation to consider additional, appropriate property information, including information on comparable properties, or to correct errors in the appraisal.
  • The appraisal regulations issued by the regulatory agencies require these valuations to conform to the Uniform Standards of Professional Appraisal Practice (USPAP) (the latter is currently being revised and may be finalized for use in January 2024). USPAP requires compliance with ECOA and the FH Act.

The proposal reminds bankers that they are to conduct an independent review prior to providing the consumer with a copy of the appraisal. Additional review may be warranted if the consumer provides information that could affect the value conclusion or if deficiencies are identified in the original appraisal. This in itself justifies an ROV based on the applicant’s request, but the bank must continue respecting the appraiser’s independence.

If during the review process or based on information from the applicant, you determine that the appraisal does not meet the minimum standards outlined in the appraisal regulations and if the deficiencies remain uncorrected, that appraisal cannot be used as part of the loan decision.

When this issue arises, there are three actions the bank may employ as corrective action.

  • Resolve the deficiencies directly with the appraiser.
  • Use an independent party who is qualified (perhaps a state certified or licensed appraiser) to review the valuation and the suspected deficiencies.
  • Obtain a second appraisal.

Authority vs. Responsibility

As with all vendor/third party relationships, the bank may delegate its authority to act for the bank, but the responsibility for compliance with all laws and regulations remains with the bank. That is the reason any appraisal potentially tainted with a discriminatory bias must be resolved.

ROV Policy & Procedures

Any of three issues may trigger an ROV process: discrepancies found during the bank’s review activities, a complaint or other information received from the applicant, or any request made to the loan officer or other lender representative.

The ROV must be requested by the bank. When there are potential issues either from the bank’s review or the applicant’s complaint, the bank must understand the issues and react accordingly. The Interagency Appraisal and Evaluation Guidelines from December 2010 state, “An institution should establish policies and procedures for resolving any inaccuracies or weaknesses in an appraisal or evaluation identified through the review process, including procedures for:

  • Communicating the noted deficiencies to and requesting correction of such deficiencies by the appraiser or person who prepared the evaluation.
  • An institution should implement adequate internal controls to ensure that such communications do not result in any coercion or undue influence on the appraiser or person who performed the evaluation.
  • Addressing significant deficiencies in the appraisal that could not be resolved with the original appraiser by obtaining a second appraisal or relying on a review that complies with Standards Rule 3 of USPAP and is performed by an appropriately qualified and competent state certified or licensed appraiser prior to the final credit decision.
  • Replacing evaluations prior to the credit decision that do not provide credible results or lack sufficient information to support the final credit decision.”

The applicant will typically receive their copy of the appraisal after the bank has completed its review. Chronologically then, the bank will have had its opportunity to review the appraisal and have any discrepancies it found corrected. That last version is what goes to the applicant.

The applicant may then place a complaint or inquiry, preferably denoting specific, verifiable information which was not in the final appraisal either because it was omitted or was not available at the time the appraisal was being completed. This may include such things as comparable properties which were not identified in the appraisal, specific characteristics of the property being evaluated, or other information about the property that may have been incorrectly reported or was not considered but may affect the valuation.

If your bank has a Complaint and Inquiry Procedure to complement UDA(A)P, your ROV procedures may refer to that, or that Complaint Procedure may refer to the ROV procedure in these specific instances, but one should refer to the other for reasons of accountability. I do not recommend being redundant, as one of the two may be revised at some point and then the procedures would be out of sync and potentially lead to confusion and noncompliance. That is not desired, but what is important is that the bank has an effective policy and procedure for UDA(A)P and discrimination/ROV issues. The Complaint and Inquiry procedures should already be established and should record desired information broadly about all products and services as well as who complained, why, where, how, and the resolution, with both start and end dates to ensure the bank’s actions were timely. The reason a separate procedure may be desired for ROVs is the sensitivity of the complaint, the skillset necessary to respect the appraiser’s independence, and the prescribed steps required while also considering the pending loan request.

The Appraisal Bias Part I article from June 2023 and the Appraisal Bias Part II article in this month’s issue each support the reasons why this deserves immediate attention, without waiting for final guidance from the regulators. The bank’s corrective actions, based on the three resolution methods above, should be described in your procedures so there is a roadmap for staff to follow.

The proposal also makes suggestions you can use while developing your risk-based ROV policies, procedures, control systems, and complaint processes that identify, address, and mitigate the risk of problematic appraisals that may involve prohibited discrimination. Here are the eight topics with six additional subtopics:

  • Consider ROVs as a possible resolution for consumer complaints related to residential property valuations.
  • Consider whether any information or other process requirements related to a consumer’s request for a financial institution to initiate an ROV create unreasonable barriers or discourage consumers from requesting an ROV.
  • Establish a process that provides for the identification, management, analysis, escalation, and resolution of valuation related complaints across all relevant lines of business, from various channels and sources (such as letters, phone calls, in person, regulators, third-party service providers, emails, and social media).
  • Establish a process to inform consumers how to raise concerns about the valuation sufficiently early enough in the underwriting process for any errors or issues to be resolved before a final credit decision is made. This may include suggesting to consumers the type of information they may provide when communicating with the financial institution about potential valuation deficiencies.
  • Identify stakeholders and clearly outline each business unit’s roles and responsibilities for processing an ROV request (e.g., loan origination, processing, underwriting, collateral valuation, compliance, customer experience or complaints).
  • Establish risk-based ROV systems that route the request to the appropriate business unit (e.g., ROV requests that allege discrimination could be routed to the appropriate compliance, legal, and appraisal review staff that have the requisite skills and authority to research and resolve the request).
  • Establish standardized processes to increase the consistency of consideration of requests for ROVs:
    • Use clear, plain language in notices to consumers of how they may request the ROV;
    • Use clear, plain language in ROV policies that provide a consistent process for the consumer, appraiser, and internal stakeholders;
    • Establish guidelines for the information the financial institution may need to initiate the ROV process;
    • Establish timelines in the complaint or ROV process for when milestones need to be achieved;
    • Establish guidelines for when a second appraisal could be ordered and who assumes the cost; and
    • Establish protocols for communicating the status of the complaint or ROV and results to consumers.
  • Ensure relevant lending- and valuation-related staff, inclusive of third parties (e.g., appraisal management companies, fee-appraisers, mortgage brokers, and mortgage servicers) are trained to identify deficiencies (inclusive of prohibited discriminatory practices) through the valuation review process.

Automated Valuation Models

The problem of appraisal bias in residential real estate appraisals has been a hot topic for regulators and promises to continue as it is fueled by court cases, complaints, and settlements with regulatory agencies like the Federal Housing Administration, and as they are reported by the news media and social media. This proposed ROV guidance follows by a week a proposed rule with a request for comments to implement quality control standards for automated valuation models (AVMs). Third-party relationships and tools used for mortgage loans are under scrutiny. That AVM proposal – request is at https://files.consumerfinance.gov/f/documents/cfpb_automated-valuation-models_proposed-rule-request-for-comment_2023-06.pdf. This AVM proposal would require mortgage originators and secondary market insurers that use AVMs to adhere to quality control standards designed to:

1) ensure a high level of confidence in the estimates,

2) protect against the manipulation of data,

3) seek to avoid conflicts of interest,

4) require random sample testing and reviews, and

5) comply with applicable nondiscrimination laws.

1071 – Small Business Lending Rule, Basics

By Andy Zavoina

Is 1071 approaching and do you need to worry about it yet? The answer is, “it depends” because there are many variables. There are optional compliance dates and mandatory dates. We will focus on the mandatory for now. The final rule, which is Subpart B of Regulation B, https://www.bankersonline.com/regulations/12-1002-subpart-B was issued in March of this year. Banks can begin collecting data as early as October 2023, but for the higher tier banks mandatory collection begins in October 2024. The smallest tier is required to begin collection in January 2026. 2026 you say! Yes, if you are in the smallest tier, you have a lot of work to do, but 1071 is not an immediate front-burner task on your to-do list. The immediate task is to know where you fall in the tier breakout so you know when you will be required to begin reporting. To define your tier, you have to know how many qualified loans your bank has made in the immediate past, and therefore you have to know what a covered loan is.

Covered Loans

Sometimes compliance definitions are basic, like Reg Z and its definition of closed end credit, “Closed-end credit means consumer credit other than ‘open-end credit’.” That’s a very basic definition and fortunately we do get a little more in Regulation B describing a covered loan under Subpart B, but just a little more. The term “covered credit transaction” includes all business credit (including loans, lines of credit, credit cards, and merchant cash advances) unless otherwise excluded under § 1002.104(b). So, all business loans unless excluded. So, what is excluded?

  • Trade credit (the financing arrangement between businesses for goods or services without immediate payment in full. This will not likely hit your radar. The CFPB has opined this trade credit as being a business loan and will add the relationship between franchisees and franchisors to its purview with the lending entity considered a financial institution);
  • HMDA-reportable transactions (Yes – if you are not a HMDA bank, you need to learn what these are);
  • Insurance premium financing, (generally financing when a business agrees to repay a bank the proceeds advanced to an insurer for payment of the premium on the business’s insurance contract and the business assigns to the bank certain rights, obligations, and/or considerations in its insurance contract to secure repayment of the advanced proceeds);
  • Public utilities credit (see 1002.3(a)(1));
  • Securities credit (see 1002.3(b)(1)); and
  • Incidental credit (see 1002.3(c)(1), but without regard to whether the credit is consumer credit, is extended by a creditor, or is extended to a consumer).

A covered origination is a covered credit transaction that the financial institution (your bank) originated to a small business. Refinancings can be covered originations. (A refi is a loan created when an existing loan is satisfied and replaced by a new one by the same borrower.)  Note, extensions, renewals, and other amendments of existing transactions are not considered covered originations even if they increase the credit line or credit amount of the existing transaction.

Tier 1
If your bank originated at least 2,500 covered loans in both 2022 and 2023, you must begin collecting data and otherwise complying with the final rule on October 1, 2024.

Tier 2
If your bank originated 500 to 2,499 covered loans in both 2022 and 2023 and at least 100 in 2024, you must begin collecting data and otherwise complying with the final rule on April 1, 2025.

Tier 3
If your bank originated at least 100 covered loans in both 2024 and 2025, you must begin collecting data and otherwise complying with the final rule on January 1, 2026.

Guidance Documents – Tools

Above we note that “trade credit” is likely something your bank will not be involved in. It isn’t impossible, but it is not likely in my experience. The CFPB offered this guidance as its interpretation rather than formally updating the Reg B interpretations/commentary. You can find the rule, FAQs, a data points chart, a key dates chart, and more on the CFPB’s resource page at https://www.consumerfinance.gov/compliance/compliance-resources/small-business-lending-resources/small-business-lending-collection-and-reporting-requirements/ to help guide you through creating your 1071 Small Business Lending Rule implementation process.

 

June 2023 OBA Legal Briefs

  • Appraisal Bias, ECOA, FHA and USPAP
  • Changes in UCCC amounts effective 7/1/23

Appraisal Bias, ECOA, FHA and USPAP

By Andy Zavoina

Appraisal bias is a new big thing. Well, not brand new. It has been a problem for a few years and the current thrust is to promote an understanding of the rules and the results when an appraisal is done with fairness and accuracy in mind.

I recently attended a BOL Learning Connect webinar entitled, “Building a Safe & Sound Real Estate Program” by noted speaker and appraiser Eric Collinsworth. He started a segment on appraisal bias by referring to an interagency task force and PAVE, which stands for Property Appraisal and Valuation Equity. One of the task force’s major goals is to address “the persistent mis-valuation and undervaluation of properties experienced by families and communities of color.”

This task force also relates to actions from the Biden Administration, which said early on its goals include equal opportunity. In a 42-page National Strategy on Gender Equity and Equality it was stated that, “Women face barriers in access to consumer loans and other credit products, and women business owners have less access to capital. These inequalities compound over the course of a woman’s lifetime, jeopardizing her financial security later in life and affecting the generations that follow.”

It was also noted in Feb 2022 by AmericanProgress.org that, “To increase equitable access to loans, mortgages, and other lending for home-buying and renting, HUD began the process to restore the discriminatory effects rule to protect against housing policies, such as zoning requirements, lending and property insurance policies, criminal records policies, and others that have a disparate impact by race. Also, HUD issued a letter encouraging lenders to devise special purpose credit programs to remedy racial inequities in homeownership.” This philosophy of reducing barriers to allow consumers and their families and heirs to access equity and to pass it on to future generations to build wealth is also a part of the impetus behind eliminating appraisal bias.

AmericanProgress.org also noted, “Racial discrimination and injustice have entrenched stark racial disparities in homeownership rates and home values. Homeownership rates for Black Americans amount to 44 percent, well below the rates for white Americans at 74 percent and behind the national average of 65 percent. Hispanic and Asian, Native Hawaiian, and Pacific Islander (AAPI) people also own homes at rates lower than the national average, at 48 percent and 60 percent, respectively.”

Generally speaking, a home is often the largest single purchase the average American makes. We’ve all heard that home values only go up. While this is not a rule, it is generally true over time. And this increased value and decreasing debt against a home do combine to build wealth and provide wealth to the next generation often inheriting a home. The equity in a home can be used for many things that further build wealth and provide for a higher quality of life. This is one reason so many in the industry see appraisal bias as a major factor.

Carla Duffy’s appraisals

In 2021 National Public Radio ran a segment on appraisal bias. In Indianapolis, Indiana, Carla Duffy has a three-bedroom home in a historic Black neighborhood. The home had been completely renovated and was across from an attractive and well-maintained park. She purchased the home four years prior for $100,000. Duffy felt based on the renovation, appreciation, and low interest rates it was a good time to use her equity from a refinance to help her daughter renovate and improve her home. Duffy had an appraisal done and it indicated her home was worth $125,000. This is a thorough way to ascertain a value, but Duffy was not convinced the appraisal was accurate. She decided to get a market analysis as a way to verify the value and it indicated her home was worth $187,000. The latter is not an appraisal, but a 50 percent higher value was more of what she felt the home was worth. So, believing the first appraisal was low for some reason, and wanting the credibility an appraisal brings, she had a second appraisal done just a few months later. This one came in $15,000 lower than the first.

Duffy was persistent and had a theory. She applied with a different lender for a refinance and this time she omitted her gender and racial information from the government monitoring information section of her application. And before this third appraisal was done, she “cleaned” the home of racial indicators like family photos, and had a white friend of the family, a male, at her home to meet the appraiser when he came to view the property.

The third appraisal shocked Duffy – but this time in a good way. This appraisal came back with a value of $259,000. That is 107 percent higher than the first appraisal and 135 percent higher than the second. When a borrower wants to consolidate debt, purchase a car, or start a business as three common examples of equity funds use, those are significant differences. Just for the purposes of asset valuation, such disparities are very significant and obviously contribute to the wealth gap reported between whites and minorities.

Several housing studies have shown this, and cumulatively the Brookings Institute estimates Black people have lost $156 billion. The effect of a discriminatory practice impacts more than the current owner; everyone is touched by how the equity is used in the homes. In this case, Duffy said, “the thing devaluing her home, was her” and she knew this was not right. She filed a complaint with HUD against two of the lenders.

The appraiser providing Duffy’s lowest appraised value commented on the story. He said his values are data driven and he couldn’t change the value if he wanted to because he cannot change the data. He explained that he prepares every appraisal with the knowledge that he may have to defend his results to peers and others, and this was no exception.

Gwen and Lorenzo Mitchell

One may read the Duffy story and believe this is surely an isolated incident, an anomaly. But let’s move to Denver, Colorado. The Philadelphia Inquirer ran a story on January 27, 2021, about Gwen and Lorenzo Mitchell. Their three-bedroom house sits in a racially diverse area where homes typically sell for $450,000 to $550,000. The couple estimated their home would appraise for about $500,000. Values had been going up and they saw this as an opportunity to refinance because they were in a strong housing market. Lorenzo was home with their three kids when the appraiser was there. Lorenzo is Black, and the home appraisal came back at $405,000. That seemed low. The comps were all taken from north of Martin Luther King Boulevard, a dividing line, if you will, in a predominantly Black neighborhood, even though the Mitchells’ home is south of the boulevard in a more diverse area. That was a red flag to the Mitchells. So, they ordered a second appraisal. This time, only Gwen was home during the appraisal visit, and Gwen is white. This appraisal came back with a value of $550,000. That is a $145,000 increase in value, almost 36 percent. That’s quite a discrepancy, and there were no changes to the home between appraisals; the Mitchells said they didn’t even mow the yard between appraisals, and it was in the exact same condition.

And in Connecticut …

And in a story similar to Duffy’s, let’s finally consider a Black homeowner in Connecticut who had his home appraised at $340,000. He thought that was low and decided a second appraisal was advisable, so he took down family photos and other family racial indicators and had his white neighbor stand in during the on-site appraisal. In his case there was an 18 percent increase in the value of his home to $400,000, a $60,000 increase.  If you are financing or refinancing a home, these differences are significant and may be impacted by external circumstances, but race appears to be a common denominator.

A regulator’s view

Michael Hsu, the Acting Comptroller of the Currency, delivered remarks to raise awareness about the need to reduce bias in real estate appraisals at a CFPB event in June 2021 on bias in appraisals. His comments highlighted the significant impact bias in appraisals has on minority families. A few notable nuggets from Hsu’s remarks were that “We are here at an opportune time in history where the energy to tear down barriers to fair and equal participation in our economy may finally exceed the resistance protecting the status quo.” The Biden administration sees this as a chance to facilitate change and it is my opinion that those in charge of the regulatory agencies are in agreement with the administration and share these goals. Hsu went on to cite a few reasons appraisals with a bias are problematic. “Biased appraisals can keep a family from getting approved for a loan or raise the price of a loan. They can trap “undervalued” neighborhoods by depressing property taxes, resulting in lower income to support education and infrastructure. Biased appraisals mean good loans to creditworthy customers go unmade.” He went on to say, “discrimination and bias in appraisals contribute to inequity in housing values and adversely affect a critical source of wealth accumulation for minority families. The impact is large and cannot be ignored. Studies have found that homes in Black neighborhoods are valued at roughly half the price [of] homes in neighborhoods with few or no Black residents.” The undervaluing of property snowballs, as it can impact tax revenue and then everything which develops from that, schools, emergency services, public facilities, etc.

Hsu did point out that appraisal processes are not seen as a part of the banking industry, but that there are intersections, and the OCC expects banks to ensure their vendors treat customers fairly and do not discriminate. We are seeing banks held accountable for discrimination in appraisals they use. He also noted that holding banks accountable is necessary, but the problem as a whole is bigger than just banks. That is why PAVE is forcing USPAP’s processes to improve the appraisal process.

Reg B requires a disclosure of the consumer’s ability to receive a copy of any appraisal(s) and valuation(s) prepared in connection with first-lien loans secured by a dwelling to be provided to applicants within three business days of receiving the application. This is not new — it’s been in effect since January 18, 2014.  Appraisal bias is why this disclosure is a big deal and its importance in the disclosure and compliance process was accelerated more than a year ago. As an example, regulators are working to provide more oversight over the activities of the Appraisal Foundation, which has power over the appraisal industry. The CFPB has had public meetings to discuss appraisal bias.

Lenders, take note

More recently, the CFPB and the DOJ filed a joint Statement of Interest in the case of Nathan Connolly and Shani Mott, v. Shane Lanham, 20/20 Valuations, LLC, and loanDepot.com, LLC, in the United States District Court, District of Maryland case Civil Action No. 1:22-cv-02048-SAG. These two agencies say that mortgage lenders can be liable if they rely on a discriminatory appraisal even from a third-party appraiser. This case was brought by a Black family that had an appraisal done, replaced the photos with those of a white family, had a second appraisal done, and had an immediate increase in value. The defendants maintain they should not be the ones liable for the third-party appraisal. Appraisers must have independence. But this is when the CFPB and DOJ jumped in and said both the FHA and ECOA (Reg B) require lenders NOT to rely on appraisals that are inaccurate or violate the law. It was added that TILA’s (Reg Z) rules on appraisal independence agree that there is no requirement to follow a biased appraisal.

Regulatory agencies are expected to develop and implement changes to examinations procedures for mortgage lenders. Future examinations may look for evidence that a lender’s compliance management programs are considering appraisal bias as a risk, and the examiner may collect additional information on appraisal attributes and tailor exam aides to evaluate irregularities in appraisals which are evident in the loan file.

If you are making notes of to-do items, the importance of your appraisal reviews has just gone to a higher level, based on the opinion of these two agencies and expectations of future exams. There are new classes being offered specifically to combat appraisal bias. These are being offered to appraisers according to Collinsworth, but I suspect appraisal reviewers in a bank could enroll or find similar training. He also stated, “Regulatory agencies will, as needed, devise and implement changes to how examinations of mortgage lenders under their purview are conducted. For example, examinations can look for evidence that a lender’s compliance management programs are considering appraisal bias as a risk, collect additional information on appraisal attributes and tailor exam aides to evaluate irregularities in appraisals documented in the loan file.”

Reg Z prohibits banks, lenders, and any other covered party from coercing, instructing, or inducing an appraiser to cause the appraised value to be based on any factor other than the appraiser’s independent judgment. Lenders and others also cannot alter an appraised value. Banks have gone to great lengths to separate the lender on a loan from having any control over the selection or instructions to an appraiser. Although the bank can ask the appraiser to consider additional information, provide further details or an explanation for this, or correct errors in the appraisal, there is a line the bank may not cross here as to influencing that appraisal’s outcome. The Statement filed with the court by the CFPB and DOJ does indicate the bank would be protected if it asks an appraiser to reconsider a value under certain circumstances. No specific examples were provided as to what would be acceptable to do this and remain protected. For appraisers, the Conduct section of the Ethics Rule states an appraiser “must not use or rely on unsupported conclusions relating to characteristics such as race, color, religion, national origin, gender, marital status, familial status, age, receipt of public assistance income, handicap, or an unsupported conclusion that homogeneity of such characteristics is necessary to maximize value.” A violation of these may be a circumstance allowing reconsideration especially if a bank believes discrimination may be involved. That then raises another concern—would the bank have to consider reporting an appraiser for such conduct?

When an appraisal is completed, there may be situations when the bank and the borrower believe the value is lower than expected or the reasoning for the value is flawed. This would be especially so if an inappropriate bias was believed to exist. Such a belief should be supported by facts. A reviewer would require adequate training and experience to support such a conclusion, and this would be based in part on their competence to perform the review and the complexity of the transaction and type of property in question. The bank should also have a policy and procedures to both protect the parties involved and maintain appraisal independence. From the Collinsworth webinar, here are four examples of when the institution may exchange information with or contact the appraiser:

  1. A request to provide additional supporting information about the basis for the valuation
  2. Requesting consideration of additional sales or information provided by the lender or borrower
  3. Correct factual errors in an appraisal
  4. Requesting consideration of additional information about the subject property or comparable properties.

A duty to report?

What if the bank does reject an appraisal? Collinsworth said, “If an appraisal is “rejected” for failing to comply with USPAP or applicable state laws, or if the institution suspects the appraiser performed in other unethical or unprofessional conduct, a complaint should be filed with the appropriate state appraiser regulatory officials.  Furthermore, as of April 1, 2011, an institution MUST file a complaint with the appropriate state licensing agency if it believes the appraiser has materially failed to comply with USPAP or applicable state or federal laws according to Supplement I of Part [1026] of Regulation Z – Truth in Lending.  For purposes of this deficiency, material failure to comply is one that is likely to affect the value assigned to the consumer’s principal dwelling.  An institution MUST also file a suspicious activity report (SAR) with the Financial Crimes Enforcement Network of the Department of the Treasury (FinCEN) when suspecting fraud or identifying other transactions that meet the SAR filing criteria.

It should also be noted that if an examiner finds evidence of unethical or unprofessional conduct by an appraiser, they should instruct the institution to file a complaint with the necessary state appraiser regulatory officials and to file a SAR with FinCEN when required.  If the examiner determines there is a concern with the institution’s ability or willingness to file a complaint or make a referral, the examiner should forward his or her findings and recommendations to their supervisory office for disposition and referral to the state regulatory officials and FinCEN as necessary.  In addition, penalties could be assessed to the institution and the reviewer if deficiencies are found by the examiner and not reported as mentioned above.”

What if the bank or borrower wants a second appraisal? The regulators do expect the bank to follow a policy of selecting the most credible appraisal and not specifically the one with the highest value. Documentation should be maintained in the loan file to support the decision for using the valuation selected as most appropriate.

Editor’s note: Part II of Andy’s article on Appraisal Bias will appear in our July 2023 Legal Briefs.

Changes in UCCC amounts effective 7/1/23

By Pauli D. Loeffler

Sec. 1-106 of the Oklahoma Uniform Consumer Credit Code in Title 14A (the “U3C”) makes certain dollar limits subject to change when there are changes in the Consumer Price Index for Urban Wage Earners and Clerical Workers, compiled by the Bureau of Labor Statistics, U.S. Department of Labor. You can download and print the notification from the Oklahoma Department of Consumer Credit. It is also accessible on the OBA’s Legal Links page under Resources once you create an account through the My OBA Member Portal. You can access the Oklahoma Consumer Credit Code with regard to changes in dollar amounts for prior years on that page as well.

Increased Late Fee

The maximum late fee that may be assessed on a consumer loan is the greater of (a) five percent of the unpaid amount of the installment or (b) the dollar amount provided by rule of the Administrator for this section pursuant to § 1-106. As of July 1, 2023, the amount provided under (b) will increase by $2.00 to $31.00.

Late fees for consumer loans must be disclosed under both the U3C and Reg Z, and the consumer must agree to the fee in writing. Any time a loan is originated, deferred, or renewed, the bank has the opportunity to obtain the borrower’s written consent to the increased late fee as set by the Administrator of the Oklahoma Department of Consumer Credit. However, if a loan is already outstanding and is not being modified or renewed, a bank has no way to unilaterally increase the late fee amount if it states a specific amount in the loan agreement.

On the other hand, the bank may take advantage of an increase in the dollar amount for late fees if the late-fee disclosure is properly worded, such as:

“If any installment is not paid in full within ten (10) days after its scheduled due date, a late fee in an amount which is the greater of five percent (5%) of the unpaid amount of the payment or the maximum dollar amount established by rule of the Consumer Credit Administrator from time to time may be imposed.”

§ 3-508A. This section of the “U3C” sets the maximum annual percentage rate for certain loans. It provides three tiers with different rates based on unpaid principal balances that may be “blended.” It also has an alternative maximum rate that may be used rather than blending the rates. The amounts under each tier are NOT subject to annual adjustment by the Administrator of the Oklahoma Department of Consumer Credit under §1-106. However, a new subsection (4) was added allowing the lender to charge a closing fee which IS subject to adjustment under § 1-106. The closing fee, which was $167.33, has increased as follows:

(4)  In addition to the loan finance charge permitted in this section and other charges permitted in this act, a supervised lender may assess a lender closing fee not to exceed One Hundred Seventy-Eight Dollars and Eighty-Seven Cents ($178.87) upon consummation of the loan.

Note that the closing fee is NOT a finance charge under the OK U3C, and therefore not considered for purposes of usury. However, the fee IS a finance charge under Reg Z. Most banks use Reg Z disclosures. This means that it is possible that the fee under Reg Z disclosures will cause the APR to exceed the usury rate under § 3-508A. If that happens, document the file to show that the fee is excluded under the U3C in order to show the loan does not in fact violate Oklahoma’s usury provisions. Please note that the bank is NOT required to charge a closing fee at all, and banks may choose to not charge the fee at all, or charge less than the amount permitted under the statute.

You can access the § 3-508A Table at https://www.oba.com/wp-content/uploads/2022/11/3-508A-ABS-Chart.pdf

§ 3-508B Loans

Some banks make small consumer loans based on a special finance-charge method that combines an initial “acquisition charge” with monthly “installment account handling charges,” rather than using the provisions of § 3-508A with regard to maximum annual percentage rate.

The permitted principal amounts for § 3-508B are adjusting from $1,740.00 to $3,450.00 for loans consummated on and after July 1, 2023.

Sec. 3-508B provides an alternative method of imposing a finance charge to that provided for Sec. 3-508A loans. Late or deferral fees and convenience fees as well as convenience fees for electronic payments under § 3-508C are permitted, but other fees cannot be imposed. No insurance charges, application fees, documentation fees, processing fees, returned check fees, credit bureau fees, nor any other kind of fee is allowed. No credit insurance, even if it is voluntary, can be sold in connection with § 3-508B loans. If a lender wants or needs to sell credit insurance or to impose other normal loan charges in connection with a loan, it will have to use § 3-508A instead.  Existing loans made under § 3-508B cannot be refinanced as or consolidated with or into § 3-508A loans, nor vice versa.

As indicated above, § 3-508B can be utilized only for loans not exceeding $3,450.00. Further, substantially equal monthly payments are required. The first scheduled payment cannot be due less than one (1) calendar month after the loan is made, and subsequent installments are due at not less than 30-day intervals thereafter. The minimum term for loans is 60 days. The maximum term of any loan made under this section shall be one (1) month for each Ten Dollars ($10.00) of principal up to a maximum term of eighteen (18) months. This would be loans not exceeding $621.00. For loans under subparagraphs e through i of paragraph 1 of this section ($621.01 up to $2,300.00), the maximum term shall be one (1) month for each Twenty Dollars ($20.00) of principal up to a maximum term of eighteen (18) months, and for loans under subparagraphs j and k of paragraph 1 of this section ($2,300.01 – $3,450), the maximum term shall be one (1) month for each Twenty Dollars ($20.00) of principal to a maximum term of twenty-four (24) months.

Lenders making § 3-508B loans should be careful and promptly change to the new dollar amount brackets, as well as the new permissible fees within each bracket for loans originated on and after July 1st. Because of peculiarities in how the bracket amounts are adjusted, using a chart with the old rates after June 30 may result in excess charges for certain small loans and violations of the U3C provisions.

Since § 3-508B is “math intensive,” and the statute, whether online or in a print version, does NOT show updated acquisition fees and handling fees, I have inserted the current amounts effective on July 1, 2023 into the statute, which you will find toward the bottom of the OBA Legal Links page under Sec. 3-508B – Effective July 1, 2023. Again, you will need to register an account with the OBA in order to access it.

The acquisition charge authorized under this statute is deemed to be earned at the time a loan is made and shall not be subject to refund. However, if the loan is prepaid in full, refinanced or consolidated within the first sixty (60) days, the acquisition charge will NOT be deemed fully earned and must be refunded pro rata at the rate of one-sixtieth (1/60) of the acquisition charge for each day from the date of the prepayment, refinancing or consolidation to the sixtieth day of the loan. The Department of Consumer Credit has published a Daily Acquisition Fee Refund Chart for prior years with links here: https://www.ok.gov/okdocc/Licenses_We_Regulate/Supervised_Lender/index.html  The Oklahoma Department had not published the Chart for 2023 at the time this article was written. Note if a loan is prepaid, the installment account handling charge shall also be subject to refund. A Monthly Refund Chart for handling charges for prior years can be accessed on the page indicated above, as well as § 3-508B Loan Rate (APR) Table.  I expect the charts and table for 2023 to be added shortly.

§3-511 Loans

I frequently get calls when lenders receive a warning from their loan origination systems that a loan may exceed the maximum interest rate. Nearly always, the banker says the interest rate does not exceed the alternative non-blended 25% rate allowed under § 3-508A according to their calculations. Usually, the cause for the red flag on the system is § 3-511. This is another section for which loan amounts may adjust annually. Here is the section with the amounts as effective for loans made on and after July 1, 2023, in bold type.

Supervised loans, not made pursuant to a revolving loan account, in which the principal loan amount is $6,200.00 or less and the rate of the loan finance charge calculated according to the actuarial method exceeds eighteen percent (18%) on the unpaid balances of the principal, shall be scheduled to be payable in substantially equal installments at equal periodic intervals except to the extent that the schedule of payments is adjusted to the seasonal or irregular income of the debtor; and

(a) over a period of not more than forty-nine (49) months if the principal is more than $1,860.00, or

(b) over a period of not more than thirty-seven (37) months if the principal is $1,860.00 or less.

The reason the warning has popped up is due to the italicized language: The small dollar loan’s APR exceeds 18%, and it is either single pay or interest-only with a balloon.

Dealer Paper “No Deficiency” Amount

If dealer paper is consumer-purpose and is secured by goods having an original cash price less than a certain dollar amount, and those goods are later repossessed or surrendered, the creditor cannot obtain a deficiency judgment if the collateral sells for less than the balance outstanding. This is covered in Section 5-103(2) of the U3C. This dollar amount was previously $5,800.00 and increases to $6,200.00 on July 1.

March 2023 OBA Legal Briefs

  • Reputation risk and theft
  • Deposit mismatches and liability

Reputation risk and theft

By Andy Zavoina

I think I’ve always been fascinated by “the con” and the way some people will steal, and others will be gullible. That fed a degree of interest and intrigue in me for many years and led me to a hobby of magic (where lying and stealing is for entertainment) and my first job in law enforcement. I was then involved in security at my bank, but my full-time duty was compliance. In the bigger picture, however, as an officer of the bank, my first responsibility was to the bank. That means I was always interested in the safety and soundness and reputation of the bank. I believe all our readers share those same interests and all of this was the inspiration for this month’s Legal Briefs. First, we’ll take a deep dive into much of the information available to you in several court cases and enforcement orders and then we’ll use the pertinent facts to provide the information needed to assist in improving policies and procedures in your bank to avoid similar instances, when warranted.

Maguire: On the 24th of February 2023, the United States Attorney’s Office for the Northern District of Florida posted a notice about Nicole Maguire. She was just sentenced to three years in federal prison after she pleaded guilty to conspiracy to commit bank fraud, bank fraud, and aggravated identity theft charges. That issue would involve the safety and soundness of the bank. The fact that I also had it show up in my alerts because there was also a story about her in The News & Observer, and I’m certain many other online and paper-based publications also ran the story, made it a bank reputation-related issue.

Nicole Maguire sold the names of bank customers, their identification card numbers, and bank account numbers to others who then stole more than $125,000 from those customers, and ultimately from the bank, in 2019. Yes, the wheels of justice turn slowly. But I’m sure the case is still of interest to customers of Regions Bank in Florida, Alabama, Iowa, and Missouri where the victims were.

Maguire was obviously not alone in this. Her co-defendants were Desmond Brannon, who was sentenced to four years in prison after pleading guilty to conspiracy to commit bank fraud and bank fraud charges; Steven Mussington, who was sentenced to 1 year and 1 day in prison for conspiracy to commit bank fraud and bank fraud charges; and Chelsie Worthen, who pleaded guilty to conspiracy to commit bank fraud, bank fraud, and aggravated identity theft charges. Then there were co-conspirators Darrell Wells and Georgia Ward who both reside in New York and were or are being prosecuted in the Southern District of New York under a separate but related indictment. Ward pleaded guilty to conspiracy to commit bank fraud and was sentenced to time served and an additional nine months of home confinement. Wells is awaiting trial on charges of conspiracy to commit bank fraud and aggravated identity theft.

The FBI and police departments in Florida, Iowa, and Missouri, along with the bank’s security investigators, were all involved in the case as well. It was far-reaching and I’m certain complex to unravel. At the end of the day, the short story is Maguire was the insider who sold the IDs and information and another woman had fake IDs made with others’ photos and the customers’ information to make withdrawals. They also passed some fake money orders and checks.

When a Regions customer, especially those in the four states specifically mentioned in this case, reads this story they will do one of three things: check their own accounts and worry about the security of their money, know this person was caught and that no customer lost any money, or worry that next time the perpetrator won’t be caught and the customer will be unaware of a loss from their own account. In any scenario, we do not want customers to worry. And while I said “no customer lost money” that is a supposition. There was no statement from the bank for whatever reason.

If your bank were to suffer such a loss, the bank should have a reaction plan in place. You should be able to fill in the blanks and put together an official statement in short order to demonstrate control of the situation and to instill confidence in the public and your customers. The bank should always look to emphasize that the bad actors were caught, and that no customer has lost money, not one dime. There are customers and customers-to-be who may need to be reassured.

This is the most recent case I have read about. But there are many others, and we want to explore some of those this month. When we pay particular attention to what happened, how and sometimes why, we learn valuable lessons about things that can be done in our own banks to avoid such problems. One common fact we see in internal cases is that they can take years to discover. This is especially so when the thief is going to “take a little, leave a little” and has the knowledge and authority to cover their tracks. This is a key reason areas like security and audit need unfettered access when it comes to internal audits and investigations, and staff need to speak up when they see transactions outside the ordinary. It is also a reason your bank should have a vacation or “period of absence” policy that will take a person away from their desk and out of control of internal accounts for a period long enough for discrepancies to show up. Those discrepancies should not be explained away but understood, accepted, or corrected. Questioning transactions and documents should be viewed as a constructive and protective act. If nothing wrong is found, it is a reassurance, and if something is amiss, the review is money saved overall and an opportunity to improve procedures.

Torgerson: In another recent case, Brady Daniel Torgerson from Beulah, North Dakota, was sentenced in February 2023 to two years in federal prison, three years of supervised release and a $200 special assessment. Torgerson pleaded guilty to two separate counts of bank fraud against financial institutions located in Beulah. This case also went back to 2019 and extended to 2021. Torgerson was employed as the president of First Security Bank-West and separately as a loan officer at the Union Bank. He used these positions of authority to conduct transactions that caused harm to both the banks he was working at and their customers.

While employed at First Security Bank-West, Torgerson funded loans which should have raised red flags with the most basic of controls. These questionable loans lacked necessary financial information, security interest documentation and even promissory notes. He created deceptive transactions by falsifying records in the bank’s computer system, increasing loans which then exceeded the original approved loan amounts, and extended maturity dates of loans to keep them off the past due listings and therefore anyone’s radar.

When he was working at the Union Bank, Torgerson created fraudulent loans in the amounts of $225,487.44 and $225,487.45 in the names of three separate individuals who neither knew about these loans nor received the funds. Torgerson had three co-defendants who were sentenced to both short jail terms, which included one day of time served, and a year of supervised release, plus a monetary fine for each and $98,000 restitution from one. I believe one of these was his father and the other two likely friends. You can almost hear the offer of something for nothing and them making a quick buck to help him out.

Anything that is transacted on the bank’s systems should be traceable to an employee based on logon credentials. An employee doing account maintenance at the direction of a superior should remember what was done and why, and their credentials should never be shared. When someone leaves a terminal, they should sign off. This helps protect everyone and promotes the integrity of the systems in place. Similarly, when loans are funded and booked without the standard security agreements and collateral documentations, and especially without executed note forms, questions must be asked, and the notification chain accelerated upward as that is a serious issue that would be difficult to explain.

On that same note, I remember “back in the day” when I was on the loan desk. This was at a military bank and predated internet banking. A young lieutenant who banked with us called from a large city about three hours away. He had found a car he just had to have. I got the necessary information from him and already knew his father was a retired colonel and his grandfather was a retired general, both West Point graduates. Of key interest was the fact that he would be back in town in two or three days, and he promised to come in and sign his contract. I provided the dealership with draft instructions so I as good as made the loan. I proudly informed my boss because I knew this was excellent customer service and would help build loyalty of this up-and-coming military officer. Unfortunately, after day three I had not heard from him. I waited nervously on day four and called him on day five. Even after all these years, I still remember his answering machine as he introduced himself and he said he was “either out rescuing a damsel in distress or a cat from a tree.” I just knew at that moment I had a nutcase for an almost borrower. But he came in shortly thereafter, the paperwork was done, and the loan paid as agreed. I never did that again. But it would explain what happened and there was no loan being booked without a note and collateral.

Seck: A case as recent as we can get was published February 27, 2023, by the U.S. Attorney’s Office, District of Maryland. In this case Diape Seck, of Rockville, Maryland, was at the time of the bad acts a customer service representative at a bank. He and his eight co-conspirators stole or attempted to steal almost $2 million by fraud, including by stealing checks from the mail of churches and religious institutions. Seck was the ringleader.

Seck fraudulently opened bank accounts using fake identities. He took cash bribes for his efforts. Among other illegal acts, his accomplices then deposited stolen checks from churches and other religious institutions into the fraudulent new bank accounts. The co-conspirators withdrew and spent those funds as compensation for their efforts.

There were more than 400 accounts opened in just over a year beginning in January 2019. Identification relied on was often Romanian passports and driver’s license information. Generally, the deposits were made to ATMs the bank owned. From those deposits cash withdrawals would be made and debit cards associated to the fraudulent accounts would be used for purchases.

Seck’s sentencing is scheduled for June. He faces up to 30 years in prison. The accomplices generally are facing three to five years each. One in Dania Beach, Florida, and another in Baltimore are the only two facing restitution with each exceeding $1 million. Raise your hand if you think the restitution will actually be paid. I’m not raising mine.

What might have helped stop this sooner than a year into the scheme? Sending new account verification letters could have helped alert an auditor that an address was bad if that was the case here. So would address scrubs where the bank compares accounts with the same address and different owners. That could show as an example multiple owners using the same post office box address.

Schroeder: Let’s turn our attention to Ronald Wayne Schroeder and the Bank of San Antonio where he was the bank president. His crime dated back to before 2020, but it was August 2022 when he was sentenced to 97 months in federal prison as his fraudulent activities cost the bank $13 million.

Schroeder himself took nearly $3.2 million. He and his co-defendants conspired to defraud various banks of money through the factoring of false and fraudulent invoices.  They began with Southwest Bank, then included Schroeder’s bank, Bank of San Antonio, and finally included the TransPecos Bank.

Schroeder sent false and fraudulent invoices of companies owned or controlled by the other defendants in the case, to be factored by these financial institutions.  This is a process where a company sells its receivables to a third party, in this case the victim banks. Factoring is intended to provide a quick capital injection into the business selling the receivables as they are sold at a discount which provides an immediate short-term gain and allows for a profit margin to the buyer as the receivables pay back over time. Schroeder and other co-defendants would then use that money for their own personal enrichment or to pay off old invoices owed to the banks much like a Ponzi scheme where money from new investors is used to pay old investors. Schroeder used his $3.2M to buy a beach house, airplane, boat, and vehicles.

Schroeder and the others obviously knew what they were doing. It was a definite abuse of authority by Schroeder and that certainly would have influenced the first bank they factored with. Once they got the first bank in place, they were able to leverage credibility and get a second and then a third victim bank. Like all Ponzi schemes it would reach a point where there was not enough money coming in to support the debt already established. When the receivables stop paying and they are discovered to be fraudulent, the house of cards falls and, in this case, there were $13 million of them.

As you can imagine, based on this case and others, an abuse of position was a contributing factor. Staff must be able and willing to question transactions, loans, and arrangements where the bank is paying some high-ranking officer or board member or someone or a company associated with that person. When it is an unusual arrangement, it deserves to be questioned and that person, if legitimate, really should not mind so everything is transparent and above reproach.

Romero: Orlando Romero worked at Deutsche Bank as a client service specialist. Always wanting to improve his position, he was seeking employment opportunities in the banking field. He received a written employment offer from another bank. While that offer was good, he knew he could do better. He decided to look within his current bank, and he doctored that offer by adding to the salary the competitor bank was offering him. He presented this “modified” offer to his supervisor at Deutsche Bank who agreed to meet that offer and Romero received a $28,000 increase to his annual salary. One might believe the bank must have been under-compensating him to provide such a hefty increase all at once. But Romero left Deutsche Bank some thirty months later when his prior deception became known. Romero was deemed by the Federal Reserve to have violated the bank’s internal policies and committed violations of law or regulation, unsafe or unsound practices, or breaches of fiduciary duty. He was ordered to cease and desist and has been banned from banking.

Many are of the opinion that the bank made the decision to pay him presumably what he was worth as an employee. But the way he went about it was deemed unacceptable. Staff needs to be aware that ethics policies do have teeth.

Ratcliff: James Ratcliff worked at the First National Bank and Trust Company of Vinita for 20 years. He was an executive vice president and vice-chairman and chairman of the board at his bank at different times. Abusing his position, he had the bank engage and pay entities owned by him as third-party vendors. This in itself is not the violation, but the manner in which the relationship was handled was. He set up financial arrangements between the bank and the entities he owned. There should have been someone else managing that relationship just as tellers should not complete transactions for relatives. Work was not tracked or verified but was paid for. There was little evidence that what was billed for was actually done, which causes doubts as to the validity of the billing. Because of his insider status and long standing at the bank, he was not sufficiently challenged by others in management. He failed to ensure employee compensation was commensurate with the employees’ responsibilities and actual work performed for the bank.

Ratcliff also directed employees and contractors to perform work for the entities he owned, at the bank’s expense. He made unsafe and unsound loans. The OCC noted in its consent order that delinquent borrowers were instructed to form new entities and Ratcliff had the debt transferred to that new entity without correcting the problems leading to the delinquency, which only hid those past due accounts from accurate recordkeeping. These loans were also made without sufficient documentation such as financial statements.

Ratcliff was handed a $100,000 civil money penalty and was banned from banking. Here again, we see officers in high positions run a bank as though it was their personal piggybank and they had unfettered control. That is not how it should ever appear and internally the bank requires a culture of separation and transparency.

Fritz: Ratcliff was not doing everything alone at First National Bank and Trust Company of Vinita. Tony Fritz was the former chief lending officer and a director at the bank.

Fritz was cited for failing to ensure that credit administration and risk management practices and controls were effective and commensurate with the risk and complexity of the loan portfolio. He failed to develop a system to ensure ongoing monitoring of complex commercial credits and to ensure the bank kept adequate loan documentation. He failed to formalize loan review and approval processes and failed to properly document lending decisions. He failed to provide credible challenge to members of senior management who maintained loan portfolios and failed to maintain adequate oversight over their portfolios. Fritz approved and/or originated multiple unsafe or unsound loans that were liberally underwritten and included inaccurate credit memorandums containing insufficient financial statement and cash flow analysis. He originated loans to cover customers’ overdrafts and overdraft fees. He extended additional loans to borrowers who were not creditworthy, sometimes through creating new entities, in order to make payments on such borrowers’ non-performing loans. In short, Fritz was a key officer whose authority and duties were in part to balance the scale for what others might do and to ensure controls were in place and functioning as they were designed to. That did not happen in this case. Sometimes staff can only do so much, and when bad acts are committed willingly by the most senior of officers, the regulators take action. Fritz was cited with a $20,000 civil money penalty.

While these last two enforcement orders are from late 2022, the bad acts were from years before. BancFirst purchased this bank in early 2021.

Deposit mismatches and liability

By Andy Zavoina

Continuing with the theme of fraudulent transactions but changing to liability, let’s review a new case that screams “what you do know, can hurt you,” especially if a bank turns a blind eye to the obvious.

This is a legal case, Studco Building System U.S., LLC, plaintiff, v. 1st Advantage Federal Credit Union (Studco), Civil Action No: 2:20-cv-417 in Virginia. This case began about August 2018 when 1st Advantage opened an account for an individual. In the court documents he is referenced as “John Doe.” The court does not know who the actual account holder is. With Bank Secrecy Act regulations, 1st Advantage would have had to follow the basic requirement to know the customer. But it did not verify John Doe’s identity, physical or mailing address, prior banking history, whether John Doe was eligible to be a member, nor did it verify the source of funds intended for the account.

This is not a case of an account takeover but a BEC or Business Email Compromise. The end result is similar, as the scammer gets the victim’s money. But in a BEC there is hacking or social engineering to get into a corporate email account. Once inside, the scammer looks for some discussion about a project and a bill for that project that is due or will be soon. Studco Building Systems sounds like a company that would buy large amounts of materials and then pay the large bills they receive for them. Once he finds one of those, the scammer is halfway there.

In this case, about two months after opening his account, Doe impersonated Olympic Steel out of Ohio. He sent Studco instructions to make an ACH payment to the 1st Advantage account he opened. 1st Advantage received those funds and was aware that Olympic Steel was not a depositor of theirs. Beginning in October 2018, Studco sent one ACH to 1st Advantage to the account number of Doe in the amount of $156,834.55. That transfer identified Studco as the originator and Olympic Steel as the intended receiver. This did not match any account holder with 1st Advantage. The ACH credit identified a personal account number, but the transfer was coded commercially as a “CCD,” meaning it was a “Corporate Credit or Debit.” In this case NACHA rules require CCD payments to be restricted to transactions that involve only businesses. Any CCD payments directed to personal accounts are required to be rejected by the receiving bank. In this case 1st Advantage did not do that. A short time later 1st Advantage accepted three more large commercial ACH credits for Doe’s personal account totaling nearly $559,000.

Doe wasted no time as he began transferring the funds out. Typically, when these funds reach John Doe’s account, the valid originating bank’s customer and the originating bank have to take fast action as Doe will be getting that cash out of the account. Doe’s goal is to beat any reclamation claim by the originating bank or the company paying its bill. Sophisticated scammers may send these funds through several banks and then convert it to crypto or have it sent to a foreign bank. In this case, Doe was taking the funds incrementally — all $559,000 — and he did it in person and with the assistance of 1st Advantage staff. It took him more than a month as 1st Advantage employees issued thirteen cashier’s checks and wire transfers to move the funds out. Nine of the thirteen withdrawals were reportedly to an individual or entity known to the 1st Advantage staff who assisted him. This added validity to his transfers.

When there is a BEC you may find yourself with many of the same questions you would have for a takeover:

  • Who may be responsible for the loss?
  • Did the bank that sent the funds following the company’s orders (Studco) follow the instructions precisely?
  • Was this an unusual transaction for Studco?
  • Is Studco liable for the loss, what were their actions, and how did they protect themselves?
  • Was the hacker using an actual vendor’s system, and if so, does that vendor have liability?

The FBI in Rochester, New York, initiated the investigation. During the investigation, Studco alleged that 1st Advantage intentionally concealed, and continued to conceal, material information from Studco related to John Doe and the account. That both hindered the investigation and aided John Doe in his theft. Studco initiated actions against 1st Advantage in November 2019.

You may be surprised how the Virginia court ruled in this case. 1st Advantage, the credit union that received the funds, would have liability under Article 4A of the UCC. The credit union had AML software and that software provided alerts on the mismatch between the account name and the name in the ACH transfers, but no one acted on those alerts. 1st Advantage certainly did not follow BSA requirements to know its customer. There was no indication that 1st Advantage had actual knowledge of John Doe’s illegal activities. But the court found that there was certainly an inference the bank should have made, as its AML software generated several alerts pertaining to account discrepancies, fraudulently diverted payments, and withdrawals by John Doe himself. There were many indications that the account was being used for fraudulent purposes.

The court’s order effectively said there exists a “should-have-known” standard under the relevant provision of UCC Article 4A, but this is in contrast to many other court decisions that required proof of actual knowledge by the receiving bank of the discrepancy between named payee and actual account holder at the time the payment was credited to the account. Other courts have yielded to part of Article 4A stating, “If the beneficiary’s bank has both the account number and name of the beneficiary supplied by the originator of the funds transfer, it is possible for the beneficiary’s bank to determine whether the name and number refer to the same person, but if a duty to make that determination is imposed on the beneficiary’s bank the benefits of automated payment are lost.”

The court hearing the Studco case reviewed both the UCC and NACHA rules requiring a commercially reasonable manner or exercise of ordinary care when processing ACH payments. The court held 1st Advantage fell short of this standard in the way it opened the account and ignored red flags generated from its own software. The court stated that 1st Advantage “did not maintain reasonable routines for communicating significant information to the person conducting the transaction. If 1st Advantage had exercised due diligence, the misdescription would have been discovered during the first ACH transfer.”

Finally, while it is an unusual finding, it is one that bank customers would likely agree with. The red flag warnings would have been triggered based on criteria 1st Advantage defined, yet it failed to do anything when the alerts were generated.

Let’s look at a basic argument that many banks rely on — if we have a valid account number, deposit the funds. We in the Compliance team hear this question regularly and thoroughly expect to again this year as tax refunds begin to be deposited. What do you do when there is a known mismatch in a tax refund between the name in the direct deposit ACH record and the name of the account holder? This is sometimes complicated because the person named on the deposit may be a convenience signer on the account, but not an owner. They may be a known associate of the owner, but not an owner. Could this person be hiding assets from a creditor and shielding those funds in an account that could not be touched legally because that person is not the account owner? What if the account owner takes the funds? Technically the funds are their property, but does the bank want to be involved in that? What if the account owner is served a garnishment and the other person’s funds are taken as a result? Again, it is their property by virtue of account ownership, but does the bank want to be involved? Would it not be more responsible to require that even with personal accounts, the account number and name in the deposit record must match? Based on this Studco opinion, could your bank find itself with liability? And lastly, how much is the bank willing to spend to find out?

February 2023 OBA Legal Briefs

  • Signage management
  • SCRA and a new best practice recommended?
  • The child support levy moratorium is over

Signage management

By Andy Zavoina

As we enter the new year, let’s continue from last month on getting the little things squared away so we can focus on a new year of compliance work. Let’s talk about signage requirements. In our main branch we had a “Fed wall,” one area that held the federally required (and state, as applicable) notices. It should be in an area that is highly visible to meet the intent of the posted notice requirements. It does no good to put these on the wall behind a door that stays open and prevents viewing them. You will not get credit during an exam for posting them where they cannot be seen. Similarly, when the branch manager thinks your Fed wall is an eyesore and puts the plastic Ficus trees in front of your detailed work – no points. If there was a remodel done and the signage was taken down for maintenance, ensure it goes back up.

As to being unsightly, beauty is in the eye of the beholder. If you put courier font printed pages in a $2 frame and nailed it to the wall, that is what it will look like. What we did was to lay out all the applicable disclosures and we bought one large frame, had a mat cut for all these in one space and then everything was accounted for in one space. As a new branch was opened, we ordered another of the same design. This ensured that everything was easily accounted for and posted easily on the wall rather than trying to lay out several frames, especially if those frames were each different giving a hodgepodge appearance. It was also a simple task to pull the frame down, remove the backing and switch out the disclosures when necessary. As a tip, there is a transparent and removable tape that uses the same type of glue as sticky notes have. It will hold your documents to the mat securely yet provide the flexibility to switch them out without destroying the mat or other documents.

Here are suggestions and justifications for your Fed wall and other required signage.

  1. Community Reinvestment Act Notice: The Public Notice described in 12 CFR 345.44 (FDIC), 228.44 (FRB), 25.44 (OCC) is to be posted in each lobby, with one version in your main office and another in each branch, other than off premise electronic deposit facilities.
  2. Equal Housing Lending Poster: Post in lobby of main office, all branches, and in any other areas where loans are made. Note, this is an 11”x14” poster and unlike most other requirements for signage, the size requirements are specifically stated. 12 CFR 338.4 (FDIC), 24 CFR 110.15 and 110.25 (HUD and OCC); the FRB requirements fall under the Fair Housing Act.
  3. In August 2022 the FDIC made changes to the sign. Refer to Federal Register Vol. 87, No. 151, Page 48079 as the Fair Housing and Consumer Protection Sale of Insurance Rule are both impacted. To improve their efficiency and effectiveness the FDIC consolidated the Consumer Response Center and the Deposit Insurance Section under one organization, entitled the National Center for Consumer and Depositor Assistance. Fair Housing signage and the Sales of Insurance disclosure should refer to, “…National Center for Consumer and Deposit Assistance.” The effective date of the change was August 8, 2022. The OCC has also had changes to its poster. Refer to Bulletin 2021-35, August 5, 2021.
  4. Home Mortgage Disclosure Act (HMDA). General notice of availability must be posted in each home office and physical branch offices located in an MSA. 12 CFR 1003.5(e). Non-HMDA banks do not post this notice. First-time filers post it after receiving notice their disclosure is ready after they have submitted their file for the prior year.
  5. Fair Credit Reporting Act (FCRA) requires that a consumer be allowed to notify the bank of an error in their consumer report. If a notice is posted informing consumers where to direct their notices, those notices may not be delivered to just any employee and must be properly directed. Section 623(a)(1)(C). (Note, this is a recommendation, not a requirement. Not having such a notice does set the bank up for failure as virtually all staff would need awareness training of how to handle such a notice from a customer.)

Additional signage requirements while you are auditing these:

  1. Customer Information Program procedures require providing adequate notice that the bank is requesting information to verify customer identities prior to opening an account. May be given or posted. 31 CFR 1020.220(a)(5).
  2. FDIC Deposit Insurance Notices are to be displayed at each station or window (including drop boxes, teller windows, New Accounts, drive-ups) where insured deposits are normally received, excluding automated service facilities such as ATMs, night depositories and POS. These signs must be 3″X7″ in size. 12 CFR 328.2 & FDIC 93-42, 94-17. [Editor’s note: The FDIC has a proposed rule out for comment through April 7, 2023, that could affect this requirement]
  3. Funds Availability Policy is for banks routinely delaying availability of any deposited item. Disclosure is required of several items in a conspicuous place in each location where deposits are accepted. This includes abbreviated text on ATMs but excludes drive-ups.  These disclosures are contained in our Facts About Funds Availability brochure that can double as the posted notice.  12 CFR 229.18
  4. ATM Surcharge Notice requirements apply if your bank, as an ATM owner/operator, imposes a fee to complete a transaction or inquiry. The bank must disclose on the ATM or ATM screen that a fee may be imposed. 12 CFR 1005.16(c).
  5. Rate Board requirements under TISA/Reg DD are that indoor signs are exempt from many advertising requirements. But if a rate is stated it will use the term “annual percentage yield” or “APY” and contain a statement advising consumers to contact an employee for further information on terms and fees. 12 CFR 1030.8(e)(2)

And for employees there are several other requirements.

  1. 5-in-1 Employment Poster is required to be visible to job applicants and employees, 42 USC 2000e-10(a).

    This poster should include five parts, and if not in a combined poster, individual signs must be posted in the manager’s office or lobby. The five laws are: Equal Employment Opportunity Act, Fair Labor Standards Act, Employee Polygraph Protection Act, Family Medical Leave Act, and OSHA’s Plain Language “It’s The Law”. Refer to 29 USC 201, 29 USC 2003, 29 CFR 825.300, and 29 CFR 1903.2(a)(3)

  2. Notice of Employee Rights has two requirements: 1) Executive Order 13496 is a Notice of Employee Rights under the National Labor Relations Act, the primary law governing relations between unions and employers in the private sector. See 29 CFR Part 471. Banks need to follow this for various reasons including due to FDIC insurance, savings bond transactions, TTL accounts and government contracts. Post the notice conspicuously in offices where employees covered by the NLRA perform contract-related activity, including all places where notices to employees are customarily posted both physically and electronically. 2) Employee Rights under the NLRA. See section 7 of the NLRA, 29 U.S.C. 157.

SCRA and a new best practice recommended?

By Andy Zavoina

The Servicemembers Civil Relief Act (SCRA) has been around a very long time. It has existed under several names and can trace its origins to the Civil War. Prior versions were enacted and would terminate, but the Soldiers’ and Sailors’ Civil Relief Act has been in force since 1940. It was modified and became the current SCRA in December 2003.

The premise of the law has not changed. The intent of Congress was to give peace of mind to the servicemember by granting special protections to their rights and property interests while they are in the service of our country. The provisions of the SCRA allow servicemembers to have their legal rights secured until they can return from the military to defend themselves, when necessary, and to better afford existing debt which may be more difficult to service with a reduced income from military service.

Many banks misunderstand the SCRA and believe it is a wartime protection, but the SCRA is in effect at all times – not just when the country is at war. Many SCRA protections affecting the banking relationship your customer has with you apply to debts incurred prior to military service. That is the 6 percent maximum rate many bankers are aware of.

You will find the actual law at 50 U.S.C. 3901 and it is conveniently located in the “Other / Misc Regulations” section of the BankersOnline Regulations pages. There is no implementing regulation. Often when looking for guidance a banker should review the SCRA workpapers of its overseeing agencies, court cases, and enforcement actions published by any of the banking agencies. There are also guidance documents that may be issued. The agency with “key” enforcement powers is the Consumer Financial Protection Bureau (CFPB). Although it is responsible for the larger banks (with assets over $10 billion) it is very connected to the SCRA and even has a department dedicated to servicemembers. This department provides many updates each year about the treatment of servicemembers, although each of the prudential agencies has oversight as well. In fact, most have established rigorous exam schedules to ensure the SCRA is being adhered to, and it is not uncommon to read of enforcement actions by any of them. These may be for repossessions that were not following SCRA requirements, and also for violating that six percent rule. That rule is what this article is really about as the CFPB has issued its opinion that may be read as guidance, and practically requires banks to be proactive on providing the interest rate reduction even when a servicemember does not request it. In a nutshell, it is recommended that banks seek out possible opportunities to reduce interest rates and do so at any indication that there may be SCRA protections available.

Servicemembers do receive training on the availability of these protections and in many cases I have read that there are articles and training available periodically to remind them of this law. In fact, recruiters “sell” the rate reductions as a benefit of military service. But as I have studied the law and its evolution, I understand that it was intended to offer the thanks of a grateful nation for their service. This six percent interest rate reduction was offered (read – required) by law but at the expense of lenders, not taxpayers. That is what politicians call a win – win.

Here is an example. Assume your customer has a civilian occupation earning $63,000 annually. This person has an annual debt service requirement of $42,000 which yields a debt ratio of 67 percent. Now let’s have your customer called up for active duty. He is an E-6 with over six years of service. His annual income is now $44,544 for 2023 and his debt service jumps to 94 percent. It seems like he might benefit from an interest rate reduction.

This reduction in income is not always the case. When the law originated there was a draft and military pay was not competitive with the same jobs’ civilian counterparts. There was an article in 2006 that cited a RAND National Defense Research Institute study which revealed 72 percent of servicemembers surveyed were making more money in the service than as civilians. The original law’s intent was to assist a servicemember when needed and it was not an automatic protection. It was to be requested based on a lower income due to military service. A classic example is Gene Autry, the Singing Cowboy in the 1940s. He enlisted to serve in WW II. His income went from $400,000 a year to $1,008.

Where did the six percent rate originate? I honestly do not know how Congress arrived at that number in 1940, but that was it. The rate allowed does not fluctuate and is not adjusted with the cost of living. The prime rate in 1940 was 1.5 percent so there was a margin of 4.5 percent. In January 2023 the prime rate is 7.50 percent which with that same margin would yield an SCRA adjusted rate of 12.00 percent – double what is currently allowed.

A general rule of thumb is that a person being paid by Uncle Sam is “in the military.” The recent high school graduate who enlists in the military is being paid by the military the day they report for basic training. This is an easy and clear-cut test but there are always other possibilities. Based on definitions in the SCRA, a servicemember (reservist) being called up is afforded protections upon receipt of their orders.  Further, the definitions tell us that a servicemember is “in the military” when they are employed full-time in this capacity and further, that debts incurred prior to that are subject to SCRA Section 3937, which provides the 6 percent rate cap. These are two different events, the date of being protected, and being “in the military” and paid by the U.S. government (Uncle Sam). When the debt was incurred and when the person was protected can be exclusive of one another. It is possible that a reservist will receive their orders, borrow, and later claim protected status and want a rate reduction. I discussed this with an Army Judge Advocate General officer (JAG attorney) and he said while that was not the intent, it does seem to be the result.

What is happening in theory is a person has that civilian debt ratio and all is fine. There is a national emergency, and this person wants to go into the military and serve their country. Loan rates are reduced, and this makes that government paycheck stretch a bit farther. A servicemember borrowing after they are in the service is not required to be given a rate of no more than 6 percent because they know what their income is now and should borrow responsibly, only when they know they can afford to repay it. This supports my understanding of why this exists and it is not to be a benefit and reason to serve but rather one less inhibitor for those wanting to serve.

The protections under Sec. 3937 apply to debts incurred by the servicemember, or the servicemember and their spouse, jointly. This is a clarification from the old law, the SSCRA. Industry practices then were to apply the protections against any loan on which the servicemember was obligated.  The new law specifies who is covered. As reassuring as this may be, it can also be troubling as there would be reputational risks if you refused to lower the rate on a loan to the servicemember and their parents or children, as an example. The same debt service standards may apply, but the law isn’t written to protect other borrowing relationships.

Pre-service debt is a key factor. The interest rate on a pre-service credit card balance today of a servicemember must be reduced if it exceeds 6 percent. Charges made tomorrow (or at any time during military service) are not pre-service and thus not subject to the cap.

The SCRA made it very clear that a bank’s knowledge alone that a customer was now a servicemember was not sufficient to justify any adjustment to the loan rate. The SCRA required the servicemember to provide a written request for relief and provide a copy of their military orders as well as any extensions of those orders. Keep in mind, however, that the servicemember may invoke their rights under this section at any time up to 180 days after their release from military service. The application of the six percent rate becomes retroactive.  Even if the debt was paid in full before the servicemember invoked their rights, a re-amortization and refund could be owed based on the date they were under protection of the SCRA until their release.

Notification requirements were changed a little by Public Law No. 115-232 on August 13, 2018. The SCRA now says the servicemember shall provide to the creditor written notice and a copy of—

  1. military orders calling the servicemember to military service and any orders further extending military service; or
  2. any other appropriate indicator of military service, including a certified letter from a commanding officer.
  3. a creditor may use, in lieu of notice and documentation under 1 or 2 above, information retrieved from the Defense Manpower Data Center (DMDC) database through the creditor’s normal business reviews for purposes of obtaining information indicating that the servicemember is on active duty.

So, item 2 provides a more flexible notice and a third option was added for, “normal business reviews.” So, a safe harbor was introduced for a creditor that uses the information retrieved from the DMDC with respect to a servicemember if—

a. such information indicates that, on the date the creditor retrieves such information, the servicemember is not on active duty; and

b. the creditor has not, by the end of the 180-day period, received the written notice and documentation required requesting protection. (There is no six percent rate requirement.)

4. A substitute for copies of the servicemember’s orders is a certified letter from the servicemember’s commanding officer. This term, “certified letter,” is not defined but in its purest United States Postal Service form would be “a special USPS service that provides proof of mailing via a receipt to the sender. With electronic USPS Tracking, the sender is notified when the mailing was delivered or that a delivery attempt was made.” This is not Registered Mail, which has different handling and security features from Certified Mail.

The existing SCRA, 3937(b)(1) already included the 180-day period, but the certified letter from a commanding officer is a new alternative for invoking the rate reduction.

Many banks can verify individual servicemembers as well as batch process requests with the DMDC SCRA database. Many banks adopted the batch processing method and check the bank’s CIF records against it on a monthly or other regular basis. New hits could show active duty status and immediately bank records would be adjusted or a relationship manager would contact the customer and verifications would be initiated or protections would go in effect. They could be reversed later if in error.

In December 2022, the CFPB published an analysis of servicemembers not getting the benefits of interest rate reductions for various reasons. “Protecting Those Who Protect Us” discusses those Guard and Reserve servicemembers who are activated but are not receiving these benefits.

Here are some points brought out in the publication:

  • Reserve and National Guard members called to active duty are paying an extra $9 million in interest every year because they are not always receiving the benefit of their right to rate reduction.
  • In an odd selection of a time period, the CFPB estimates that between 2007 and 2018, data show fewer than 10 percent of auto loans and 6 percent of personal loans received a reduced interest rate and it is believed this reflects lower numbers than should exist.
  • It is estimated the underutilization amounted to $100 million of interest that was paid unnecessarily to lenders for auto and personal loans.

Who is entitled to these protections? The regulators expect banks to use the DMDC database which has proven accurate enough to warrant a safe harbor when used for verifications under the SCRA and the Military Lending Act. (Note, the SCRA has one database, and the MLA has another. You would expect that the servicemembers themselves would be on both and dependents would be on the MLA. So, if you are checking on the servicemember, either should suffice, right? When I spoke to someone at the DMDC they could not explain a servicemember difference but were emphatic to check the respective database based on the purpose of the inquiry. I believe one difference may be that some SCRA benefits extend beyond the period of military service but not for MLA use. The results of the query may include that. The DMDC has a manual that among other things denotes “Title 32 outlines the role of the United States National Guard; normally Title 32 members are not covered under SCRA. Those Title 32 members and others who meet the criteria referenced in Title 50 USC App. §§ 3901 below are accurately represented on the SCRA website.

In order to be considered for SCRA coverage a Title 32 member must be called “…to active service authorized by the President or the Secretary of Defense for a period of more than 30 consecutive days under section 502(f) of title 32, United States Code, for purposes of responding to a national emergency declared by the President and supported by Federal funds.””)

The CFPB says in its 39-page publication, “Existing literature suggests that the interest rate reduction benefit is underutilized, and continued enforcement efforts suggest that some creditors continue to violate protections against repossession, despite efforts to increase awareness of SCRA protections and improve information about servicemember eligibility for those protections. There is also limited information on utilization rates, making the development and evaluation of public policy efforts to increase benefit utilization difficult.” The paper indicates servicemembers are not receiving the protections they are entitled to for various reasons, that banks (that is my term as the CFPB refers to financial institutions, creditors, finance companies, etc. but I am writing for banks) are violating the SCRA and that servicemembers must jump through too many hoops to get these protections. Further the CFPB complains that banks are not thorough in retroactively applying the interest rate reductions.

The law is clear that the servicemember can request protections, but the CFPB wants to emphasize option 3 above where banks will voluntarily use the DMDC database. It actually goes further and attacks creditors who insist on following the law’s stated requirements, saying in the publication: “However, creditors could just as easily access a Department of Defense system [the Defense Manpower Data Center SCRA website] that checks any borrower for active-duty status.” This raises two issues bankers need to consider. First, how much would be involved in the bank regularly batch processing its CIF files against the database, and second, would this be a cost-effective use of resources? Positive hits would require additional procedures to verify the status with the customer. That is, a positive hit could be verified before progressing, or the bank could take that positive hit and respond with a  confirmation letter. The bank could explain how it made its discovery, that the customer’s loan has been reduced in rate, the effective date, the reamortization of those applicable payments and the deposit or attached check for the refund of interest that had been paid and is being refunded. The letter will explain the new payment amount as it will be reduced and what to expect if the servicemember’s protections end before the loan is repaid in full. This is also an opportunity to thank them for their service, point out the benefits of internet banking and request a copy of the person’s orders if the bank wants them for their files. The CFPB recommends the best practice is to provide the rate discount without burdening the servicemember with any requests. Your bank needs to determine if it agrees with that. At the very least it is an opportunity to verify the bank has the correct mailing address as we all know it is typically a requirement in account agreements, but typically a completely ignored requirement as well.

I may have downplayed the CFPB’s intention as it actually encourages bank employees to be whistleblowers, “Employees who believe their companies have violated federal consumer financial protection laws are encouraged to send information about what they know to whistleblower@cfpb.gov. To learn more about reporting potential industry misconduct, visit the CFPB’s website.” This is not in the published document but in the online news release. https://www.consumerfinance.gov/about-us/newsroom/cfpb-finds-members-of-the-reserves-and-national-guard-paying-millions-of-dollars-in-extra-interest-each-year/

Here is a takeaway list for banks to consider:

  1. Should it be batch checking CIF files?
  2. What follow-up if any with the servicemember is desired?
  3. Will protections be applied automatically?
  4. Procedures should already be to retroactively apply the rate reduction to the date of protected status.
  5. When the borrower has one or more loans, the benefits should apply to all.

The SCRA does allow in Section 3937(c) for a challenge to the rate reduction. A court may grant a creditor relief from the limitations of this section (3937) if, in the opinion of the court, the ability of the servicemember to pay interest upon the obligation or liability at a rate in excess of 6 percent per year is not materially affected by reason of the servicemember’s military service. As an example, let’s assume the bank makes a car loan to a college student who is working their way through college on scholarships and delivering pizza. The student is not making a lot of money but enough to survive and make a small car payment. Come graduation day the student graduates and becomes a military officer and doctor, receiving a huge increase in their income. They request a rate reduction because “it is their right.” That was not the intent of the law initially, but it has become so political. The bank has the right to contest the request, but the reputation risk is severe, and the bank could appear unpatriotic.

I believe a challenge to protections would require an extraordinary case and we have yet to see a deserving one. But the CFPB is promoting a new best practice which is not called for in the law. Bankers should understand, what is requested by the CFPB is purely optional and would come at a cost. Banks individually must determine if it is a reasonable cost or not.

The child support levy moratorium is over

By Pauli D. Loeffler

During COVID-19, the Oklahoma Child Support Service (“OCSS”) took a break from issuing levies. The moratorium has ended, and banks are receiving levies again. I covered child support levies in the February 2018 OBA Legal Briefs, which you can access online once you register an account through the My OBA Member Portal. Here are a few bullet points to keep in mind.

  • The levy is exempt from the Garnishment of Federal Benefits rule.
  • The levy attaches to all deposit accounts OWNED by the Obligor/customer whether or not the account number is included on the levy. That includes accounts held in sole ownership, joint ownership, sole proprietorships, grantor trusts, CDs, MMDAs, IRAs, retirement, annuities, 401Ks, and HSAs. It will NOT reach accounts owned by an LLC (even if it uses a sole member’s SSN), a corporation, partnership, a limited partnership, IOLTA, insurance premium trust account, etc.
  • The levy is effective for 60 days after receipt and subsequent deposits will be captured. The bank may cash “on-us” checks payable to the account owner but should not cash checks drawn on other financial institutions.
  • A copy of the levy will be mailed to the account owner by OCSS, so the bank does not mail a copy. The bank is free to let the owner know of the levy as soon as it locks the account down.
  • OCSS may release or partially release the levy prior to 60 days. The release must be signed by an attorney.

 

January 2023 OBA Legal Briefs

  • Has your bank suddenly become a HMDA reporter?
  • Minutiae matter
  • Joint owners’ signatures on new joint accounts

Has your bank suddenly become a HMDA reporter?

By John S. Burnett

A recent federal court decision has lowered the loan reporting threshold for closed-end mortgage loans under the Home Mortgage Disclosure Act-implementing Regulation C from 100 to 25 closed-end mortgage loans in each of the two preceding calendar years. If your bank has been routinely making 50 or 60 closed-end mortgage loans and very few open-end mortgage loans each year for the last several years, you might have been planning to enjoy another year in 2023 of not being a HMDA reporter.

All that has changed. And if you haven’t realized that yet, you’ve got some scrambling to do.

Background

In a final rule that became effective in 2015 (the “2015 final rule”), the CFPB set the HMDA reporting threshold for closed-end mortgage loans at 25 in either of the two preceding calendar years.

On May 2, 2019, the Bureau issued a proposal to, among other things, increase the 25 closed-end mortgage loan reporting threshold to either 50 or 100 such loans in either of the two preceding calendar years.

On May 12, 2020, the CFPB issued a final rule (the “2020 final rule”) that, among other things, increased the closed-end mortgage loan reporting threshold to 100 such loans in either of the two preceding calendar years. The change was effective July 1, 2020.

After the adoption of the 2020 rule, the National Community Reinvestment Coalition, Montana Fair Housing, Texas Low Income Housing Information Service, Empire Justice Center, the Association for Neighborhood & Housing Development, and the City of Toledo, Ohio, filed a lawsuit challenging the changes to the closed-end reporting thresholds (and other provisions) in the 2020 final rule, asserting that the 2020 final rule was arbitrary and capricious, contrary to law, and in excess of the Bureau’s statutory authority under the Administrative Procedure Act.

On September 23, 2022, the U.S. District Court for the District of Columbia issued an order vacating (nullifying) only the portions of the 2020 final rule that increased the closed-end mortgage loan reporting threshold. The court found that the “CFPB failed adequately to explain or support its rationales for adoption of the closed-end reporting thresholds under the 2020 Rule, rendering this aspect of the rule arbitrary and capricious.”

The court cited the preamble to the 2015 final rule in noting that the CFPB explained that “the loss of data in communities at closed-end mortgage loan-volume thresholds higher than 25 would substantially impede the ability of the public and public officials in these locales and others to understand access to credit in their communities.”

The CFPB offered no comment on the court’s ruling until December 6, 2022, when an article, “Changes to HMDA’s closed-end loan reporting threshold,”[https://www.consumerfinance.gov/about-us/blog/changes-to-hmda-closed-end-loan-reporting-threshold/] was posted to the Bureau’s blog. The article simply said, “The [court’s] decision means that the threshold for reporting data on closed-end mortgage loans is now 25 loans in each of the two preceding calendar years, which is the threshold established by the 2015 HMDA Final Rule, rather than the 100-loan threshold set by the 2020 HMDA Final Rule.”

The Blog article went on to say that the “CFPB recognizes that financial institutions affected by this change may need time to implement or adjust policies, procedures, systems, and operations to come into compliance with their reporting obligations. In these limited circumstances, in allocating the CFPB’s enforcement and supervisory resources, the CFPB does not view action regarding these institutions’ HMDA data as a priority. Thus, the CFPB does not intend to initiate enforcement actions or cite HMDA violations for failures to report closed-end mortgage loan data collected in 2022, 2021, or 2020 for institutions subject to the CFPB’s enforcement or supervisory jurisdiction that meet Regulation C’s other coverage requirements and originated at least 25 closed-end mortgage loans in each of the two preceding calendar years but fewer than 100 closed-end mortgage loans in either or both of the two preceding calendar years.”

On December 21, 2022, the CFPB published a final rule at 87 FR 77980 [https://www.federalregister.gov/d/2022-27204] with technical amendments to Regulation C that changed each mention of the 100 closed-end mortgage loans reporting threshold in subsections 1003.2(g) [definition of financial institution] and 1003.3(c) [excluded transactions] and the Official Interpretations of those subsections to 25 closed-end mortgage loans. The amendments became effective on publication.

What this all means

When the District Court vacated the portion of the 2020 final rule that increased the reporting threshold for closed-end mortgage loans from 25 to 100 such loans in either of the preceding two calendar years, it put those portions of the regulation and official interpretations back to their 2015 final rule wording, as if they were not changed by the 2020 final rule.

In the Bureau’s Blog article described just above, the Bureau acknowledged that the court’s ruling could affect HMDA filing requirements for applications and loans dated in 2020 (from July 1), 2021, and 2022, for financial institutions that made at least 25 but fewer than 100 closed-end mortgage loans in the two previous calendar years. It went on to say that it doesn’t intend to initiate enforcement actions or cite HMDA violations for failures to report closed-end mortgage loan data collected in 2020 through 2022 for institutions subject to Bureau enforcement or supervisory jurisdiction.

There have been no similar statements of intent not to initiate enforcement actions or cite HMDA violations from the Federal Reserve Board, FDIC, OCC, or NCUA. It would seem that those regulators will have to issue a similar statement because it is next to impossible for many bankers to go back over their applications and loans to find the data to back-file because they weren’t collecting HMDA data during that period.

Let’s assume that the other regulators issue such a statement. What does your bank need to do if it originated 25 or more closed-end mortgage loans in both 2021 and 2022 but hasn’t had to file since 2015?

1. If your bank never obtained a Legal Entity Identifier (LEI) or let its LEI lapse, jump on the task of getting one (or renewing or replacing the old one). You need it to create the unique loan numbers that have to be assigned to each entry on the HMDA LAR.

2. Make sure the bank has the right application forms to collect HMDA data.

3. Quickly get lenders and loan assistants spun up on any changes in loan interview scripts and the necessity for checking that HMDA data are being collected with applications.

4. Remember that each HMDA-related loan application received after December 31, 2022, will need to include HMDA data added as it gets processed and originated, denied, or withdrawn.

5. For loans already in the pipeline on January 1, 2023, check to see what HMDA data are missing, and take steps to obtain it.

Some industry trade groups have asked the CFPB and prudential regulators to formally declare a one-year amnesty on enforcement for small-volume lenders impacted by the court’s ruling. As of this writing, many such lenders are uncertain they can adapt their procedures by January 1, 2023, and we haven’t heard more from the Bureau or the prudential regulators.

Minutiae matter

By Andy Zavoina

Welcome to 2023. As I pen this month’s article one of my inbox emails is from Apple News and it is about 2023 horoscopes and what is in the stars for me. It is time to look forward, which may require looking back. I remember sitting at my compliance desk at 6:30 p.m., after having been there since 6:30 a.m., thinking that a new year should come with a fresh start, a clean slate, a new beginning. All those audits I had not gotten to should be erased and I should be able to start with a fresh calendar. After all, I made it another year. But that is not how life works. It is not like a sporting event and the last game is over, start your game plan for the next one. Well – you do have to prepare for the future and that is what this article is about. But there was no “last game” and what was not finished still needs to get done. As the saying goes, this is not a sprint, it is a marathon. That is when I consider coming in at 6 a.m. tomorrow to get an earlier start.

One thing to always consider as you begin planning your year is what are the major events you are aware of?

• Are we a HMDA reporter, or will we now be one, and what ramifications does that bring? If applicable, are we ready for the March 1 filing deadline this year? Do we have only the final quarter’s LAR entries to scrub or more, and how long will that take?

• The Regulation B small business data gathering rule will be coming out this first quarter. The CFPB has said it will, and in fact has promised it will be to both Congress and a court. But the final rule is not here yet and I will worry directly about that when we have the new rule. It will be a lot of preparation work. I am aware of that, and it is in the back of my mind as I start planning major events for 2023. But my focus now is what do I need to get done and on my “completed list” before that new requirement begins taking my time and attention.

• When is my next compliance exam? That is a compliance officer’s direct responsibility. What has been done to prepare for it and depending on when that is expected, more importantly, what has not been done? Start making that list if your exam is imminent. What other exams do you contribute to – Bank Secrecy, Safety and Soundness which may include Reg O, any fair lending or mortgage origination and servicing requirements? When we had a separate mortgage loan origination department, HUD and the VA separately examined it. You may have similar issues. And while we follow regulatory requirements typically to ensure consumer protections are in place, the fact is that exams are where our success or failure is often judged and scored. In preparation for those, we may have internal and external audits done. When are these on the calendar and what preparation is needed for them?

Let’s look at the future, and to do that we have to reflect on the past. Let’s eliminate some of the small things, the minutiae. These are minimal tasks that need to be sorted to ensure there are no issues with compliance. It’s the little things sometimes that surprise you and bite you on the backside. So, let’s strive to eliminate as many of those as we can.

Now that signage requirements are addressed, let’s ensure “annual” tasks have been completed.

Reg BB (CRA), Content and availability of Public File Reg H § 228.43 – Your Public Files must be updated and current as of April 1 of each year. Many banks update this continuously, but it’s good to check. You want to ensure you have all written comments from the public from the current year plus each of the two prior calendar years. These are comments relating to the bank’s efforts in meeting community credit needs (your SBA loans may play a key role here) as well as any responses to comments. You also want a copy of the last public section of the CRA Performance Evaluation. That actually is to be placed here within 30 days of receipt. Ensure you are keeping up with branch locations and especially ATMs as those may fluctuate. The regulation has more on the content of this file. It may be best to review it with an audit workpaper to use as a checklist to avoid missing any required items.

CRA Notice and Recordkeeping § 228.42, 228.44, 1003.5 – CRA data, which can include small business and small farm as well as home mortgages, are gathered based on specific reporting requirements for the Loan Application Registers (LAR). CRA and HMDA information, if applicable, must be submitted by March 1, for the prior calendar year. If you are a reporter of either LAR, you should start verifying the data integrity now to avoid stressing the process at the end of February. HMDA mortgage data should be compiled quarterly so this should not be a huge issue, but a thorough scrubbing as the new year starts and submission preparation begins is always warranted.

Pertaining to this, national banks should ensure they have reviewed and updated as needed the CRA, FHA and ECOA notices in accordance with the Aug. 5, 2021, OCC Bulletin 2021-35. This bulletin provided updated content for the appropriate names and addresses for notices required by the Community Reinvestment Act and Equal Credit Opportunity Act, and for posters under the Fair Housing Act. National banks were required to make the appropriate changes to their notices and posters within 90 days of the issuance which then had a mandatory compliance date of Nov. 3, 2021.

Reg C – HMDA Notice and Recordkeeping § 1003.4, 1003.5 – HMDA data are gathered as home mortgage loans are applied for and are compiled quarterly if your bank is a HMDA reporter. There are specific and detailed reporting requirements for the Loan Application Register (LAR) itself. The LAR must be submitted by March 1, for the prior calendar year. If you are a reporter, you should start verifying the data integrity now and this is of vital importance if you have a large volume of records to report.

Reg E § 1005.8 – If your consumer customer has an account to or from which an electronic fund transfer can be made, an error resolution disclosure is required. There is a short version that you may have included with each periodic statement. If you’ve used this, you are done with this one. But if you send the longer version that is sent annually, it is time to review it for accuracy and ensure it has been sent or is scheduled to be. Electronic disclosures under E-SIGN are allowed here.

This is also a good time to review §1005.7(c) (additional electronic fund transfer services) and determine if any new services have been added and if they were disclosed as required. Think Person-to-Person transfers like Zelle, Venmo or Square.

Reg G – Annual MLO Registration § 1007.102 – Mortgage Loan Originators must go to the online Registry and renew their registration. This is done between November 1 and December 31. If this hasn’t been completed, don’t push it to the back burner and lose track during the holidays and then have to join a year-end rush to complete this task. This is also a good time to plan with management and Human Resources any MLO bonus plans. Reg Z Section 1026.36(d)(1)(iv)(B)(1) allows a 10 percent aggregate compensation limitation on total compensation which includes year-end bonuses.

Regulation O, Annual Resolution §§ 215.4, 215.8 – In order to comply with the lending restrictions and requirements of 215.4, you must be able to identify the “insiders.” Insider means an executive officer, director, or principal shareholder, and includes any related interest of such a person. Your insiders are defined in Reg O by title unless the Board has passed a resolution excluding certain persons. You are encouraged to check your list of who is an insider, verify that against your existing loans, and ensure there is a notification method to keep this list updated throughout the year.

Reg P § 1016.5 – There are exceptions allowing banks which meet certain conditions to forgo sending annual privacy notices to customers. The exception is generally based on two questions: does your bank share nonpublic personal information in any way that requires an opt-in under Reg P, and have you changed your policies and practices for sharing nonpublic personal information from the policies and procedures you routinely provide to new customers? Not every bank will qualify for the exception, however. John Burnett wrote about the privacy notice conundrum in the July 2017 Legal Briefs. That article has more details on this.

When your customer’s account was initially opened, you had to accurately describe your privacy policies and practices in a clear and conspicuous manner. If you don’t qualify for the exception described above, you must repeat that disclosure annually as well. Ensure that your practices have not changed and that the form you are sending accurately describes your practices.

For Reg P and the Privacy rules, annually means at least once in any period of 12 consecutive months during which that relationship exists. You may define the 12-consecutive-month period, but you must apply it to the customer on a consistent basis, so this is not necessarily a December or January issue, but it could be. And each customer does not have their own “annual date.” If a consumer opens a new account with you in February, you provide the initial privacy notice then. That is year one. You can provide the annual privacy notice for year two at any time, up until December 31 of the second year.

It is important to note that unlike most other regulatory requirements, Reg P doesn’t require E-SIGN compliance for your web-based disclosures. You can use e-disclosures on your bank web site when the customer uses the web site to access financial products and services electronically and agrees to receive notices at the web site, and you post your current privacy notice continuously in a clear and conspicuous manner on the web site. So, the demonstrable consent requirements and others in E-SIGN’s 15 USC Sect. 7001(c) do not apply, but there must still be acceptance to receive them on the web. Alternatively, if the customer has requested that you refrain from sending any information regarding the customer relationship and your current privacy notice remains available to the customer upon request this method is acceptable.

Fair Credit Reporting Act – FACTA Red Flags Report – Section VI (b) (12 CFR 334.90) of the Guidelines (contained in Appendix J) requires a report at least annually on your Red Flags Program. This can be reported to either the Board, an appropriate committee of the Board, or a designated employee at the senior management level.
This report should contain information related to your bank’s program, including the effectiveness of the policies and procedures you have addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts, as well as service provider arrangements, specifics surrounding and significant incidents involving identity theft plus management’s response to these and any recommendations for material changes to the bank’s program. Times change, customers’ habits change, and importantly criminals change, and each may require tweaks to the bank’s program.

Reg V, Fair Credit Reporting Act – Affiliate Marketing Opt-Out § 1022.27(c) – Affiliate marketing rules in Reg V place disclosure restrictions and opt out requirements on you. Each opt-out renewal must be effective for a period of at least five years. If this procedure is one your bank is using, you must know whether there are any expiration dates for the opt-outs and whether these consumers have been given an opportunity to renew their opt-out.

RESPA Reg X, Annual Escrow Statements § 1024.17 – For each escrow account you have, you must provide the borrower(s) an annual escrow account statement. This statement must be done within 30 days of the completion of the escrow account computation year. This need not be based on a calendar year. You must also provide them with the previous year’s projection or the initial escrow account statement, so they can review any differences. If your analysis indicates there is a surplus, then within 30 days from the date of the analysis you must refund it to the borrower if the amount is greater than or equal to $50. If the surplus is less than that amount, the refund can be paid to the borrower, or credited against next year’s escrow payments.

Reg Z Thresholds and Updates § 1026.3(b) – These changes are effective January 1, 2023. You should ensure they are available to staff or correctly hard coded in your systems. The exemption for Reg Z disclosures will increase from $61,000 to $66,400, meaning consumer loans over that amount (less real or personal property expected to be used as the consumer’s principal dwelling or a private education loan) will be exempt.

BSA Annual Certifications – Your bank is permitted to rely on another financial institution to perform some or all the elements of your CIP under certain conditions. The other financial institution must certify annually to your bank that it has implemented its AML program. Also, banks must report all blockings to OFAC within ten days of the event and annually by September 30, concerning those assets blocked.

Information Security Program part of GLBA – Your bank must report to the board or an appropriate committee at least annually. The report should describe the overall status of the information security program and the bank’s compliance with regulatory guidelines. The reports should discuss material matters related to the program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management’s responses; and recommendations for changes in the information security program.

Security, Annual Report to the Board of Directors § 208.61 – The Bank Protection Act requires that your bank’s Security Officer report at least annually to the board of directors on the effectiveness of the security program. The substance of the report must be reflected in the minutes of the meeting. The regulations don’t specify if the report must be in writing, who must deliver it, or what information should be in the report. It is recommended that your report span three years and include last year’s historical data, this year’s current data and projections for the next year.

Similar to the Compliance Officer reporting to the board, this may include a personal presentation, or it may not. I recommend that it does because this is an opportunity to express what is being done to control security events from the recent past as well as foreseeable events and why these are important issues. These facts can assist Security in getting the budget and assets necessary for the coming year. There is no prescribed period during which the report must be made other than “annually,” and this may be based off the timing of the prior report, give or take a month. Annual presentations such as this are better done when the directors can focus more on the message so try to avoid quarter ends, and especially the fourth quarter. This is not a “how-to” on the annual security report, but you can find more on the topic, free, on the BankersOnline Tools by searching on “annual security program.”

Training – An actual requirement for training to be conducted annually is rare, but annual training has become the industry standard and may even be stated in your policies. There are six areas that require training (this doesn’t mean you don’t need other training, just that these regulations have stated requirements).

• BSA (31 CFR §1020.210(b)(4) and 12 CFR §208.63(c)(4)): Provide training for appropriate personnel.
• Bank Protection Act (12 CFR §21.3(a)(3) and §208.61(c)(1)(iii)): Provide initial & periodic training.
• Reg CC (12 CFR §229.19(f)): Provide each employee who performs duties subject to the requirements of this subpart with a statement of the procedures applicable to that employee.
• Customer Information Security found at III(C)(2) (pursuant to the Interagency Guidelines for Safeguarding Customer Information): Training is required. Many banks allow for turnover and train as needed, imposing their own requirements on frequency.
• FCRA Red Flag (12 CFR 222.90(e)(3)): Train staff, as necessary, to effectively implement the Program.
• Overdraft protection programs your bank offers. Employees must be able to explain the programs’ features, costs, and terms, and to explain other available overdraft products offered by your institution and how to qualify for them. This is one of the “best practices” listed in the Joint Guidance on Overdraft Protection Programs issued by the OCC, Fed, FDIC and NCUA in February 2005 (70 FR 9127, 2/24/2005), and reinforced by the FDIC in its FIL 81-2010 in November 2010.

MISCELLANEOUS – Some miscellaneous items you may address internally in policies and procedures include preparation for IRS year-end reporting, vendor due diligence requirements including insurance issues and renewals, documenting ORE appraisals and sales attempts, risk management reviews, following records retention requirements and destruction of expired records, and a designation by the bank’s board of the next year’s holidays. And finally, has there been a review of those staffers who have not yet taken vacation or “away time” to the five consecutive business days per the Oklahoma Administrative Code 85:10-5-3 “Minimum control elements for bank internal control program”?

Joint owners’ signatures on new joint accounts

By John S. Burnett

We on the OBA Compliance Team were reminded in recent weeks of the problems that can arise when a bank has opened a joint account without obtaining all of the joint owners’ signatures on the account signature card or other deposit contract. It’s our sense that banks aren’t allowing this to happen as often now as it did years ago. But a quick review of the subject may help keep it at “top of mind” when opening joint accounts.

First, a bank account agreement, whether it’s on the signature card itself or in a separate document, is a legal contract between the bank and the owner(s) of the bank account. When there are two or more owners, the agreement is also a contract between or among the joint owners. In most cases, each joint owner agrees that each owner has a right to all of the funds in the account, and, for most banks, each owner agrees to be responsible for any overdraft balance, regardless of which owner causes it.

But in order to have the right to the funds in the account or to be responsible for an overdraft in the account or have the right to request information on or statements of the account, each person has to formalize their participation in the agreement by signing the signature card. Furthermore, to be FDIC insured as a joint account, each owner must have signed, or there must be other evidence of the intent that the account be jointly owned.

Banks should have a tight policy and procedure for managing the opening of a joint account when an owner isn’t present. Assuming they have the ability, they could obtain electronic signatures for account agreements from owners absent from the account opening. If that is not possible, they should consider including in the deposit contract, after consulting legal counsel, a provision that, if a person identified as a joint owner has not signed the signature card within ___ days after the opening of the account, the account’s ownership will change to eliminate that person’s interest in the account. They should also do a proactive (effective) job of following up with the customer who failed to sign in the days after the account was opened.