Legal Briefs

December 2022 OBA Legal Briefs

  • Insider Abuses

Insider Abuses

By Andy Zavoina

Bert Lance.

Many, or most of you will not know that name, but all of you know Regulation O. Briefly, this reg was implemented to prevent bank directors, executive officers, and principal shareholders from benefiting from favorable credit terms and treatment in a bank. This group we refer to as “insiders” is not to be treated to better terms than similarly qualified “civilians” we can refer to as the public. Lance and Reg O are a cause and an effect of an insider abusing their authority and position.

Before we discuss the details of Reg O, we need to set the stage on events attributed to the development of Reg O. Bert Lance was the central figure on that stage. He considered himself a country banker from Georgia. His claim to fame was that he went to Washington as President Jimmy Carter’s budget director at the Office of Management and Budget (OMB). Carter took office in 1977. As one of Carter’s closest advisers for almost two decades, he was approved for his political appointment with ease, but not without some criticism. William Proxmire, chairman of the Senate Banking Committee, opposed Lance’s nomination, saying, “He has had none — zero, zip, zilch, not one year, not one week, not one day” of experience at managing a federal budget then estimated at $400 billion.

Perhaps this was demonstrated in Lance’s financial condition at the time. Lance was a banker and his bank had $5 million in loans to Carter’s family business. Carter was known as a peanut farmer when he became president. As to financial condition, Lance had a net worth of almost $3 million but with that he carried more than $5 million in debt. Lance lived well as he owned three large homes in Georgia and rented a house in Georgetown as he worked in Washington, DC. His annual interest payments on the various loans amounted to $370,000. To cover this debt service, he had his public service salary as budget director of $57,500. It did not take long for the speculation and criticisms to start of Lance’s performance, but was this legitimate criticism, or politics? Federal investigators questioned his appointment process and eventually the Senate Governmental Affairs Committee questioned Lance over allegations that he had misused bank funds, obtained loans at favorable rates, and used a company plane to fly to University of Georgia football games, all abusing his position in the bank and living a lifestyle beyond his means.

Several senators called for his resignation, and under increasing pressure Lance did resign less than nine months after taking his position at the OMB. This was the first major internal scandal of the Carter presidency. One could still question if this was deserved or political, but it got worse.

Lance was arraigned on twelve federal charges that could have sent him to prison for 95 years for conspiracy, fraud, and assorted violations of banking laws. This was pre-Reg O and insider abuses were considered as contributing factors to the violations. Lance and three other conspirators were charged with illegally obtaining 383 loans for themselves, their families, and associates from 41 banks stretching from Atlanta to New York and Chicago and from there to Luxembourg and Hong Kong.

The 1979 indictment alleged Lance and three others showed a “reckless disregard for the safety of the banks” that extended credit to them when there was “no reasonable expectation of repayment.” The indictment alleged that Lance repeatedly used a “false and misleading” personal financial statement to obtain loans, including one for $3.4 million from the First National Bank of Chicago. That same financial statement, dated Jan 7, 1977, was the one submitted to the Senate Governmental Affairs Committee for  his confirmation to head the OMB.

To illustrate the issues prompting increased regulation, Lance’s financial statement failed to reflect a $14,000 loan that the National City Bank of Rome, Ga., had made to Lance’s wife. After he became budget director, the grand jury said, Lance got the Rome bank to transfer the loan from his wife’s name to Lancelot, which was a partnership actually consisting of Lance and his wife.

In one of his many legal cases, Lance was acquitted on nine of twelve charges and the remaining three were eventually dropped. Lance had also been charged with twenty-one other felonies, including misapplication of bank funds as president of the National Bank of Georgia (NBG) and the First National Bank of Calhoun, falsification of personal financial statements and making false entries on NBG records. The indictment indicated that Lance and two others used their positions in a few small Georgia banks to acquire the stock of still other banks by lending each other money without adequate collateral and, in some cases, no collateral at all.

It came out that in 1974 and 1975, Lance “caused Calhoun First National Bank” to make a total of $79,530 in unsecured loans to his son, David Lance, who was then a twenty-year-old student. On May 27, 1976, Lance got a $150,000 loan from the Chemical Bank of New York, putting up 14,811 shares of stock as collateral. However, that stock was already pledged as part of the collateral of another loan Lance had, this one for $2.6 million from the Manufacturers Hanover Trust Co. of New York.

As a side note, several years later, Lance was still in trouble and under investigation by a federal grand jury and the Securities and Exchange Commission after being charged with “unsafe and unsound” banking practices and misappropriation of funds. In this case he was fined $50,000 and barred from banking by the Office of the Comptroller of the Currency.

With the abundance of accusations and cases, such poor banking practices achieved a national spotlight. Sounds like the reason for the birth of a regulation, right?

Reg O is somewhat of a standard to follow. The case examples below are from consent orders from the Office of the Comptroller of the Currency (OCC) which has an “Insiders Activities” section in its Comptroller’s Handbook. This section includes various discussions of risk but also refers to the Federal Reserve’s Reg O as requirements which must be followed. The Handbook states, “Various state and federal laws and regulations govern insider activities. Unlike the broad standards of fiduciary duties, these laws and regulations are specific about how insiders are to conduct themselves. Since the statutory and regulatory restrictions on insider transactions do not apply uniformly to all insiders, the board and management must become familiar with each restriction and must pay careful attention to the scope and requirements of each.” This may well be stated by other regulatory agencies as it would be good advice for all banks other than national banks.

Reg O established reporting requirements for bank insiders which were included in previous financial laws. The Financial Institutions Regulatory and Interest Rate Control Act of 1978 contributed significantly to the first iteration of Reg O which was originally established in 1980. It later incorporated the Depository Institutions Act of 1982 and has been revised many times since.

Reg O set forth a new set of rules to stop the preferred treatment that Bert Lance and others took advantage of. Abuses such as was described above can threaten the safety and soundness of a bank in large or small ways, but a threat is a threat. This article will recap pertinent sections of Reg O requirements but is not an in-depth review. I will not address recordkeeping, executive officer requirements or risk management issues.

Reg O applies to insiders, which includes executive officers, directors, and principal shareholders and the related interests of these individuals of the bank and its affiliates. Reg O further defines executive officer as any person who participates or has the authority to participate in major policy making functions, regardless of title or compensation, though it specifically lists the chairman of the board, the president, every vice president, the cashier, the secretary, and the treasurer as executive officers, unless excluded through bylaws or by a resolution of the board of directors and in practice the individual does not participate in major policy making functions. Most banks’ boards of directors define the insiders in their Reg O policy. Those listed should meet the test of a “person who participates or has the authority to participate” in the major policymaking activities and the bank needs to ensure someone who meets this test is in fact listed.

Related interests of the insider include any company controlled by the insider. For Reg O, this results from directly or indirectly owning, controlling, or having the power to vote 25 percent or more of any class of voting securities of a company. It also includes controlling the election of a majority of the directors of a company or having the power to exercise a controlling influence over the management or policies of a company. There is a presumption of control for any director or officer of a company who directly or indirectly owns, controls, or has the power to vote more than 10 percent of any class of voting securities of that company, or for any person who directly or indirectly owns, controls, or has the power to vote more than 10 percent of any class of voting securities if no other person owns a greater percentage.

The bank needs to be able to track loans to insiders and the related interest of those insiders. Recordkeeping requires this but the accuracy is the burden of the bank, knowing the insiders and having them understand and identify their related interests.

This information is also useful when the bank is employing any of these related interests. While not directly related to Reg O, as you will read below if there are issues with paying an insider’s “side business” for work not completed, that is a safety and soundness issue as well as a violation of ethics requirements the bank should have. The related interest list can be used in the vendors due diligence process to identify the players. In a small town and transparent bank environment the bank will know who they are dealing with. It is not a violation to employ them, but the purpose here is not only to avoid a problem, but to avoid any appearance of a problem or preferential treatment.

There are limits placed on the loans to insiders both on an individual and an aggregate basis. The lending limit to an individual, including their related interests, is 15 percent of the bank’s unimpaired capital and surplus for loans that are not fully secured, and an additional 10 percent for loans that are fully secured by readily marketable collateral. Loans fully secured by obligations of the U.S. government or agencies, or loans secured by deposits held at the bank are not counted toward the limit. On an aggregate basis, loans to insiders are limited to the equivalent of the bank’s unimpaired capital and surplus, or up to two times unimpaired capital and surplus for banks with less than $100 million in deposits, as long as a signed resolution by the bank’s board justifies the higher limit. The higher limit for smaller banks is also conditioned on the bank meeting applicable capital requirements and having a satisfactory CAMELS rating from the bank’s most recent examination.

Reg O includes general prohibitions based on terms and creditworthiness. Loans made to insiders must be on substantially the same terms, such as interest rates and collateral, as loans made to non-insiders, with the same underwriting standards applied at origination. This is not to say if the bank made one other loan under similar terms, it could use that as justification to provide a credit product with otherwise more favorable terms to its directors. The comparisons must be real and authentic. In addition, the loan must not involve more than the normal risk of repayment or present other unfavorable features. Any loan to an insider of an amount more than $25,000 or 5 percent of unimpaired capital and surplus, whichever is higher, must be preapproved by a majority vote of the board of directors, and the insider must abstain from the approval process. Prior approval is required when an extension of credit, regardless of the amount, results in aggregate debt to the individual and their related interests exceeding $500,000.

An extension of credit includes making or renewal of a loan, a line of credit, or extending credit in any manner. Overdrafts are included in Reg O. Overdrafts of $5,000 or less are not considered extensions of credit when made pursuant to a written, preauthorized, interest-bearing extension of credit plan, or a written, preauthorized transfer of funds from another account.

Banks are prohibited from paying overdrafts to executive officers and directors. The prohibition on overdrafts does not apply to the payment of inadvertent overdrafts if the aggregate amount of overdrafts on an account does not exceed $1,000, the account is not overdrawn for more than five business days, and the executive officer or director is charged the same fee as any other customer. The prohibition on the payment of overdrafts does not apply to principal shareholders who are not also an executive officer or director, or to the related interests of insiders.

Reg O is designed to add controls to loan related issues even though it includes a lot of recordkeeping, and the focus is on preferential treatment of those in control of the bank. Deposit rates to employees and insiders is not a Reg O issue but could be preferential treatment issue. I will draw your attention to 12 U.S.C. Sec. 376 which says, no member bank shall pay to any director, officer, attorney, or employee a greater rate of interest on the deposits of such director, officer, attorney, or employee than that paid to other depositors on similar deposits with such member bank.” Note this rule applies to member banks. Nonmember banks may consider it a good practice, but not a regulatory requirement.

The following cases are real and are public information by virtue of regulatory enforcement orders. In some cases, the reader may make assumptions to fill in gaps not otherwise in the enforcement orders. Nonetheless as is commonly stated in a consent order, these were done by the subject who, “without admitting or denying any wrongdoing, desires to consent to the issuance of this Consent Order…”

James Ratcliff

Considering the abuses that lead to Reg O and its intended protections for bank deposits, the first case to exemplify why these protections need to be adhered to, monitored, and enforced is one in which the OCC took against James Ratcliff.

Ratcliff was an Executive Vice President and Vice Chairman at an Oklahoma bank which had $285 million in assets as of December 2020. The bank has since been acquired.  Ratcliff was an Executive Vice President from 2000 to 2020. He held the position of Vice-Chairman of the Board of Directors from 2016 until mid-2020, when he became Chairman of the Board. He then served as Chairman until November 2020. He was most certainly an insider and empowered by virtue of his position to direct the bank and its activities on a daily basis.

The enforcement order (AA-ENF-2022-32) says Ratcliff, “caused the Bank to engage and pay numerous entities owned by Respondent as third-party vendors. Respondent participated in setting the financial arrangements between the Bank and the entities he owned.” These are issues that involve self dealing and while these may not violate any lending issues, the practices should certainly be scrutinized by the bank under its ethics policy. This does not mean that may not be done, but if they are transparency should prevail. Again, there should be no impropriety and no appearance of any impropriety.

In this case, Ratcliff (and presumably the bank itself) failed to ensure that the services that were to be provided were in fact done. In fact, in these instances there are often no contracts to compare the work or services to be completed to, yet there were payments made and therefore this long seasoned employee, officer, insider was receiving payment directly or indirectly with no evidence of work performed.

Also cited in the enforcement order was the fact that Ratcliff failed to ensure employee compensation was commensurate with that person’s responsibilities and actual work performed for the bank. But mostly that he also directed bank employees and contractors to perform work for his non-bank entities at the expense of the bank. Here again, it can be difficult to challenge a senior officer in the bank, yet there are times for the good of the bank that a challenge is required.

On to the issue of lending, Ratcliff approved and/or made multiple unsafe or unsound loans that were “liberally underwritten” and included inaccurate credit memorandums which then contained insufficient financial statement and cash flow analysis. Ratcliff himself participated in the practice of helping borrowers create new corporate entities and transferred existing debt to these new entities without any positive change in that borrower’s ability to repay. Similar to the prohibited practice of flipping loans, here the intent was to disguise who the debt was owed to, and it may have been a tactic to avoid debt service requirements.

The bank extended loans to entities owned in whole or in part by Ratcliff. In this process he failed to disclose his ownership interest in any of these entities to the bank or the board. During loan approval processes he also did not recuse himself from approvals of these loans. Was the bank at fault? If Ratcliff failed to disclose his ownership interest the bank had no idea that his recusal was required. From a compliance perspective I would at this point want to know when the insiders were last trained or reminded of their responsibilities. While ignorance of the law is no excuse for a violation, it may serve as a defense. Compliance should note to itself that periodically formal or informal training is conducted even if it serves only as a reminder to insiders as to their responsibilities. Similarly, staff in the bank need to be reminded that they have an obligation to the bank, and not the insiders, to notify others in management if they happen to be aware of any violation such as these.

In this case Ratcliff was deemed to have, “engaged in violations of law, regulation, or order, recklessly engaged in unsafe or unsound practices, and breached his fiduciary duty to the Bank; which violations, practices, or breaches were part of a pattern of misconduct, caused or were likely to cause more than a minimal loss to the Bank; and demonstrated willful or continuing disregard for the safety and soundness of the Bank. loans.”

As a result of this consent order, Ratcliff was essentially banned from banking. Among other prohibitions, he may not participate in any manner in the conduct of an insured bank’s affairs, solicit, procure, transfer, attempt to transfer, vote, or attempt to vote any proxy, consent, or authorization with respect to any voting rights or vote for a director, or serve or act as an “institution-affiliated party.” That is part of the standard order used in such cases.

What is more, and imposes individual liabilities for his actions, is the civil money penalty Ratcliff has to pay off $100,000. The amount of money the bank may have lost paying third party vendors for services not provided is not known. Any losses due to questionable loans when Ratcliff had borrowers create a new entity to takeover the debt of a different borrower but essentially with the same beneficial owner is not known. Any problems with loans to Ratcliff’s own companies in which he failed to disclose his ownership is not known. And the costs the bank incurred auditing all of its records for many, many years trying to unravel all of these violations, is not known. Even though the bank in question was acquired between the events above and this consent order in August 2022, the order stipulates Ratcliff, “shall not cause, participate in, or authorize the Bank (or any subsidiary or affiliate of the Bank) to incur, directly or indirectly, any expense relative to the negotiation and issuance of this Order except as permitted by 12 C.F.R. § 7.2014 and Part 359.” Those sections define the limited circumstances under which a bank may indemnify an employee or offer a golden parachute. With the acquisition of the bank in the interim between the acts and the order, any possibility of that happening would seem unlikely.

Contrast some of Ratcliff’s activities to those of Bert Lance and others and we see similar breakdowns. The abuse of authority both against the bank and the bank’s employees hurts the bank and the banking industry. We may believe what is often referred to as “the good old boys’ network” is a thing of the past. But 1977 is really not that long ago when compared to abuses that were allowed to happen.

Tony Fritz

Was Ratcliff alone in this enforcement action? No. It would seem that there was another in his bank that in many ways facilitated the wrongdoing whether knowingly, inadvertently, or through acts of negligence. Tony Fritz is the former Chief Lending Officer and Director at Ratcliff’s bank.

In his Consent Order (AA-ENF-2022-34) it is noted that Fritz worked for the bank as a credit analyst from 2014 to 2015 and was promoted, and from 2015 through December 2019 he was both a Chief Lending Officer and a director. In his position, Fritz was expected to uphold certain standards, which was not done. He failed to ensure that credit administration and risk management practices and controls were effective and commensurate with the risk and complexity of the loan portfolio. Fritz also failed to develop a system to ensure ongoing monitoring of complex commercial credits and to ensure the bank kept adequate loan documentation. And he failed to formalize loan review and approval processes and failed to properly document lending decisions. From these comments in the consent order, it appears many loans, including those in Ratcliff’s portfolio or under his direct supervision were “rubber stamped” for approval and were not questioned if deficiencies were noted, or should have been noted.

In fact, the consent order goes on to say, Fritz, “failed to provide credible challenge to members of senior management who maintained loan portfolios and failed to maintain adequate oversight over their portfolios. And it goes on to say, Fritz, “approved and/or originated multiple unsafe or unsound loans that were liberally underwritten and included inaccurate credit memorandums containing insufficient financial statement and cash flow analysis. (Fritz) originated loans to cover customers’ overdrafts and overdraft fees. (Fritz) extended additional loans to borrowers who were not credit-worthy, sometimes through creating new entities, in order to make payments on such borrowers’ non-performing loans.” Here again, a process of rubber stamping does not offer the checks and balances that are required, nor the controls to all but ensure compliance with banking regulations and requirements.

What Fritz did, or more correctly did not do was a dereliction of duty. It was considered an unsafe or unsound banking practice and breached his fiduciary duty to the bank. It stated that this misconduct caused more than a minimal loss to the bank. Fritz was personally assessed a civil money penalty but his was less than Ratcliff’s, at $10,000. He also has additional prohibitions placed upon him essentially banning him from banking. Before he could accept a position of responsibility in a bank, he would be required to provide that bank’s president or chief executive officer with a copy of the consent order describing the above.

Orlando Romero

On this topic of insider activities and Reg O, I want to mention a third case which is from the Federal Reserve (Docket No. 22-002-B-1) against Orlando Romero. This is an order involving ethics more than traditional insiders’ activities. In this case the banker was not fined but was banned from banking because of his misconduct which violated internal bank policies and constituted violations of law or regulation and were considered unsafe or unsound practices and breaches of fiduciary duty.

This case is special in several ways. Firstly, when I have discussed this with many bankers, most have not heard of such an enforcement before, and many do not see it as a fundamental problem. It is something that many have heard of or done to some extent.

Romero was a client service specialist in a Global Technology area of his large bank. He had received a job offer letter from a competing institution. That letter provided him with some specific terms of employment one of which was his salary. I would assume it offered him an increase, but that would not seem to be enough for Romero. He altered the letter and increased the starting salary above that which was actually offered.

Romero added $28,000 to his current salary and presented that to his current bank in hopes for a raise and he would then remain at his current bank. That amount is significant to me. In this case his bank met that amount and Romero’s annual salary was increased. This is where many bankers would proclaim a “win” for the employee. Questions bankers may ask include, “if the bank thought he was worth that amount when a competitor offered it to him, why wasn’t he worth that before?” In fact, he was not offered that amount by a competitor. There would seem to be a fine line between ethically asking for a raise and fraudulently stating that a competitor has valued your work at more than your current employer. Regardless, some bankers take the position that Romero’s bank had a decision to make regardless of where an offer came from: “Was he worth that much considering his job duties, his performance, and the costs associated with bringing in a new employee to fill that position?” If the bank paid him the increase, then its answer was that he was worth it.

But in the end, somehow the bank discovered the scheme. Romero resigned from his bank two and a half years after receiving his increased salary. That would amount to $70,000 in “additional” income. The order did not state if the resignation was triggered by this knowledge, or it was learned afterward. As noted above what he did was deemed to be in violation of several policies, laws and or regulations. Before he could work at another bank there were certain requirements he would have to meet. This includes providing the Managing Director/Senior Vice President or equivalent level in the reporting line of the institution with notice and a copy of the Fed’s cease and desist order against him and fully familiarize himself with the policies and procedures of the institution that pertain to his duties and responsibilities, including, but not limited to, the employee Code of Conduct, and provide written notice to the Board of Governors, along with a written certification of his compliance with each provision required in his order. It may not be a permanent, but it would take a lot to meet this, in my opinion.

At the end of the day, I hope you will ensure that management, the board, and all bank staff are both informed or reminded of their responsibilities and duties under applicable laws, regulations, and policies. As we close 2022 and enjoy the holiday season, ethics is a good topic to revisit as gifts may be offered to staff and prohibitions should apply.

November 2022 OBA Legal Briefs

  • HMDA Changes Un-Changing?
  • Defunding the CFPB
  • New “Junk Fees”

HMDA Changes Un-changing?

By Andy Zavoina

As a part of your Compliance Management Program, you should meet periodically with senior management and/or the board of directors and keep them informed of changes that are or may be coming down at you. This is especially the case as we approach budget talks. You absolutely do not want to submit your compliance budget only to advise senior management a month after it is approved that you already need an increase for 2023 because of a new requirement you had not factored in. And that is just one of the topics you should be briefing them about.

You may be thinking, “Well, Andy, we don’t think the Reg B small business data gathering will be completely in place and certainly not for the whole year, so what “new” requirement are you talking about?” In a nutshell, the Home Mortgage Disclosure Act (HMDA). Many HMDA reporters received benefit of a threshold change for reporting a HMDA Loan Application Register. The floor amount was raised in 2020 and the threshold for reporting was increased from 25 to 100 closed-end loans. More details on that in a minute, but the Consumer Financial Protection Bureau’s (CFPB) methodology for justifying this change was challenged in court and the CFPB “lost” meaning the Court is declaring the change to be invalid. Those banks taking advantage of the increased threshold may find themselves scrambling to complete HMDA LARs again.

Now some details for a better understanding. The case was between the National Community Reinvestment Coalition and the CFPB in the U.S. District Court for the District of Columbia. It was a federal judge who moved to vacate the HMDA changes by the CFPB to lower the reporting requirements by increasing the closed-end loan threshold.

HMDA rules require a lender to review two preceding years of mortgage loan activity to determine if reporting requirements apply. There is one threshold for closed-end loans and another for open-end. In 2015 the closed-end threshold for required reporting was 25 or more and the open-end threshold was 100 or more. Additional qualifications such as asset size and location are not addressed here but would still apply.

In 2020 the CFPB opted to reduce the reporting burden by increasing the threshold of reportable closed-end loans from 25 to 100. In theory this reduces the smaller, low volume reporters and still retained the bulk of the active HMDA reporters. In May 2020, the CFPB estimated there are about 4,860 financial institutions required to report their closed-end mortgage loans and applications under HMDA. These were banks and credit unions and together in 2018 they accounted for 6.3 million closed-end loans. The CFPB further noted that the total number of institutions that were engaged in closed-end mortgage lending in 2018, regardless of whether they met all HMDA reporting criteria, was about 11,600, and the total number of closed-end mortgage originations in 2018 was about 7.2 million. In other words, under the current 25 closed-end loan threshold, about 41.9 percent of all mortgage lenders are required to report HMDA data, and they account for about 87.8 percent of all closed-end mortgage originations in the country. Further, 3,250 of these insured depository institutions and insured credit unions were already partially exempt for closed-end mortgage loans under the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA), and thus were not required to report a subset of the data points currently required by Reg C for these transactions. So, the percentage of loans and lenders receiving the benefits of the exemption was small. The CFPB estimated that when the closed-end threshold would increase to 100 under this final rule, the total number of financial institutions required to report closed-end mortgage loans would drop to about 3,160, a decrease of about 1,700 financial institutions.

The plaintiffs were referred to as the National Community Reinvestment Coalition (“NCRC”), but actually also included Montana Fair Housing (“MFH”), Texas Low Income Housing Information Service (“TxLIHIS”), Empire Justice Center (“EJC”), and the Association for Neighborhood & Housing Development (“ANHD”)—and the City of Toledo, Ohio. They said that HMDA data have been invaluable in “uncovering and addressing redlining, fair lending violations, and other inequitable lending practices” over the decades and the CFPB did not dispute that claim. It was noted that open-end loans were reported after a 2015 HMDA change to the rule, but eventually that, “22 percent of depository institutions” that had previously been required to report HMDA data, were exempted and this resulted in a significant loss of data in certain census tracts.

The burden on low volume lenders to file HMDA reports did not justify the costs to complete that task, the CFPB heard and accepted as evidenced by changes in 2020. The CFPB increased the threshold from 25 to 100 closed-end loans in April of that year and it required the collection of HMDA data through June 30, for institutions that would no longer be subject to HMDA requirements for closed-end loans. These institutions no longer had to collect data starting July 1, 2020, and the reporting of any closed-end loan data collected in 2020 was optional for them.

The plaintiffs stated that each of them “use HMDA data in their research, education, and advocacy to promote access to credit, and thus to housing opportunities” in minority and rural communities. Not having the data from these low-volume lenders leaves holes and unanswered questions and could allow these lenders to violate fair lending laws because the controls are no longer in place to police them.”

The District Court ruled in favor of the plaintiffs and  invalidated the closed-end loan exemption expansions but let stand the of 200 open-end lines threshold. Remember reporting of those lines had been optional until these changes began. The court vacated and remanded the closed-end mortgage loan reporting threshold to the CFPB.

Now there are two questions we do not have the answers to, but banks must begin to prepare for in any case. What action will the CFPB take, and when will it take it? The CFPB could take the case to a higher court and seek to justify the changes it made, or it could reverse the closed-end loan reporting threshold back to the 25 closed-end loan limit. It is reasonable to assume that they will let the record stand for 2021 and 2022 and could enforce the new – old – limit effective for 2023. That is to me a logical plan but the CFPB’s intention has not yet been made public as of this writing. If that is the option they will select, those estimated 1,700 banks that fell out of reporting and any others who controlled their application counts with product restrictions need to consider training, systems and controls to get back up to speed with these new – old – rules. If this is less than two months away, HMDA reporters who were exempt deserve time to evaluate and react to their needs. If your bank may fall into this category, you must make some determinations and meet with senior management to advise them of your situation and action plan if one is needed.

Defunding the CFPB

By Andy Zavoina

Another legal case the CFPB is involved in may bring additional changes to the “keeper of the consumer protection regs.” In mid-October 2022, a three-judge panel of the United States Court of Appeals for the Fifth Circuit ruled on a pending case, Community Financial Services of America vs Consumer Financial Protection Bureau.

In this case, Community Financial sued the Bureau in 2018 on behalf of payday lenders and other small lending businesses. They wanted to set aside the 2017 Payday Lending Rule which affected personal loans with short term or balloon-payment structures, typically including payday, vehicle title loans and many high-cost installment credit products.

Community Financial alleged that the CFPB exceeded its statutory authority, and it further attacked the CFPB claiming that the rulemaking authority violated the Constitution’s separation of powers. Remember, the CFPB is set up to request its funding each year from the Federal Reserve. The amount is determined by the CFPB’s Director, and the Federal Reserve must approve the request so long as it does not exceed 12 percent of the Federal Reserve’s total operating expenses. Unlike other federal government agencies, the CFPB determines its own needs, and it automatically gets that funding from the Federal Reserve – bypassing Congressional appropriation steps. This limits Congressional control and makes the agency’s structure unconstitutional in the Court’s view.

This multi-pronged attack was not new. In Seila Law, LLC v. Consumer Financial Protection Bureau, the Supreme Court ruled that the CFPBs  structure of being a single director agency who was only removable by the President “for cause” violated the separation of powers requirements. The Court found that provision to be severable, and simply invalidated the “for cause” requirement in the Dodd-Frank Act meaning the President could replace the CFPB director at will. The Court did not invalidate actions taken by the CFPB. This new case with Community Financial differs in that the Fifth Circuit leaves the funding mechanism and the CFPBs actions connected.

In this case the Court ruled that the CFPB’s funding structure violates the Constitution’s Appropriations Clause and separation of powers. Because the funding used by the CFPB to create the Payday Lending Rule was drawn through the unconstitutional funding structure, the Court ordered the Rule vacated. In this case the Court stated that the “Bureau’s perpetual insulation from Congress’s appropriations power, including the express exemption from congressional review of its funding, renders the Bureau no longer dependent and, as a result, no longer accountable to Congress and, ultimately, to the people.” The three-judge panel noted that this constitutional problem is even more of a problem given the CFPB’s authority. The panel then quoted the Supreme Court in the Seila Law case as the CFPB “acts as a mini legislature, prosecutor, and court, responsible for creating substantive rules for a wide swath of industries, prosecuting violations, and levying knee-buckling penalties against private citizens.”

The debate goes on as to funding because not all agencies are covered by the Congress’s appropriations power. The FDIC as an example assesses fees to stakeholders in the industry. The CFPB does not. It gets funding as noted, from the Federal Reserve from funds that would normally be remitted to the Treasury Department. Treasury is itself appropriated under federal law. So, in a roundabout way the CFPB’s funding comes at the expense of the Treasury Department and therefore Congress is forced to appropriate more to Treasury than it otherwise would.

The Fifth Circuit panel then connected the dots. The Court explained that the remedy is based on “the distinction between the Bureau’s power to take the challenged action and the funding that would enable the exercise of that power.” Because Congress “plainly (and properly)” authorized the CFPB to promulgate the Payday Lending Rule, it is not per se invalid. Instead, Community Financial has to show that the unconstitutional funding provision of the law “inflicted harm.” The Court said that showing that was easy, because the CFPB used the unconstitutional funding to promulgate the Payday Lending Rule. The Court therefore held the Plaintiffs were entitled to “a rewinding of the [the Bureau’s] action.” The Court rendered judgment for Community Financial, vacating the Payday Lending Rule “as the product of the Bureau’s unconstitutional funding scheme.”

So, what does all this mean? As Yogi Berra said, “it’s never over till it’s over.” The CFPB is expected to request an “en banc” hearing where all the judges of the Fifth Circuit Court of Appeals will hear the case instead of the three-judge panel. If that is not successful, it could then go to the Supreme Court.

In this case the Payday Lending Rule was defeated, but remember the court did not say the law itself was not valid, just the way it got there. Still, that opens the door to other challenges. Community Financial’s case, if it becomes final, would only be binding on federal district courts in in Texas, Louisiana, and Mississippi. But the door is open and less than one week after this ruling by the Fifth Circuit we have seen a challenge on an Illinois case, the CFPB v. TransUnion, in which the CFPB alleges that TransUnion violated a prior consent order with the CFPB entered into in 2017, citing the Community Financial case. There is also now a Utah case, CFPB v. Progrexion Marketing, Inc., in which the CFPB alleges that the methods used by the defendants to market credit repair services violated the Telemarketing Sales Rule and the Consumer Financial Protection Act. Again, attributes of the Community Financial case are being used here. And there is a third case in the Ninth Circuit, the CFPB v Nationwide Biweekly Administration again following a similar argument. In this case a California district court imposed a $7.9 million civil penalty against Nationwide for allegedly misleading marketing practices but did not award the nearly $74 million in restitution sought by the CFPB. The CFPB is still pursuing that remedy in the court system.

As to the pending TransUnion case, the CFPB filed an immediate response saying the Fifth Circuit ruling was “neither controlling nor correct” and “mistaken.” The CFPB maintains the court cited no case law holding that Congress violates the appropriations clause or separation of powers when it authorizes spending by statute, that the funding through the Federal Reserve contains checks and balances via audits, reports and appearances it makes to Congress among other arguments.

There is no projecting how long this Community Financial case or those new cases with similar arguments will take to become final. One ruling may quickly resolve all the satellite cases coming from it and it is doubtful that everything the CFPB has done will be invalidated with one decision, but management does need to be apprised of the case and understand this is not a final word and that business cannot revert to a pre-CFPB era based on the Fifth Circuit ruling.

New “Junk Fees”

By Andy Zavoina

I had a frantic message on Slack the morning of October 26, 2022, from one of my bosses. President Biden was on national television talking about banks charging “junk fees” which is a new and derogatory term in many cases for fees consumers agreed to pay, but which are now, to use a phrase, “politically incorrect” to charge. These are unjust or unearned fees which take advantage of a consumer. It makes me wonder sometimes how many fees are justified and really good to a consumer. If a bank charges a fee for paying someone into an overdraft, rather than charging a fee and returning the check to another entity which might then charge a fee for the returned check, add a late fee and then refuse to accept any personal checks from that person again for the next six months, that first bank fee does not sound too bad. But hey, remove all these “junk fees” and the consumer will be happier and at no cost, right? It is like a toll-free telephone line, “don’t cost nobody nothing.” Well, except the bank paying for the toll-free calls that are not free at all.

I do take offense when it is said that if a bank charges “surprise overdraft fees … they may be breaking the law.” Firstly, what law prohibits the imposition of this agreed upon fee? Is it that subjectively someone decided that fee is “unfair” and hey again, “unfair” is in a law so it must be illegal. The Unfair, Deceptive or Abusive Acts or Practices (UDAAP) law is becoming the catch-all law many were afraid it could be. Classifying a fee as unfair just seems politically correct for a number of reasons – mostly because the majority does not like to pay them.

Here is my analogy. A person with tritanomaly has a hard time telling the difference between blue and green, and between yellow and red. Should yellow and red be deemed junk colors? Should yellow cabs be outlawed because they do not appear yellow to everyone? Should the government revise the colors at traffic lights because they can cause confusion to some color-blind people? Well, no. But if there were more people with this color blindness and they had a hard time with the order of stop lights red, yellow, and green vertically, top to bottom, or horizontally, left to right, banning these colors might be “politically correct” and they would be used less when colors matter. There one could cite the Americans with Disabilities Act more than UDAAP, but it is subjective nonetheless.

It is important that many agencies of the U.S. government are headed up by political appointees who are there to serve the president. That is their job, in addition to serving the people of the United States. In this national broadcast President Biden appeared at the White House with CFPB Director Rohit Chopra, the FTC Director and others proclaiming his administration was taking action to eliminate all “junk fees.” These include fees for deposited checks that are returned unpaid, surprise banking overdraft fees, and other non-bank fees like hidden hotel booking fees and termination charges to stop people from changing cable plans. President Biden said that this was about  making fees for depositing a check that bounces and overdraft fees for transactions that are authorized into a positive balance but later settle into a negative balance “illegal” and he wants to save consumers over $1 billion each year. The CFPB is developing rules and guidance that will reduce credit card late fees that cost credit card holders $24 billon each year. And his administration has “encouraged” banks to reduce the fees they charge consumers across-the-board and that the CFPB is developing rules that will require banks to go further in addressing additional types of junk fees.

The CFPB then provided guidance on two new fees often charged by banks that it classifies as “junk fees,” which is certainly a derogatory sounding fee label regardless of the fact that the fees have been around a very long time, and both disclosed to and accepted by consumers. In fact, the consumer opts in. The guidance document is Circular 2022-06, “Unanticipated overdraft fee assessment practices.” The circular even points this out in the Analysis section subtitled, “Violations of the Consumer Financial Protection Act,” as it states, “consumers generally cannot reasonably be expected to understand and thereby conduct their transactions to account for the delay between authorization and settlement—a delay that is generally not of the consumers’ own making but is the product of payment systems. Nor can consumers control the methods by which the financial institution will settle other transactions—both transactions that precede and that follow the current one—in terms of the balance calculation and ordering processes that the financial institution uses, or the methods by which prior deposits will be taken into account for overdraft fee purposes.” This is augmented by footnote 23, which states, “While financial institutions must obtain a consumer’s ‘opt-in’ before the consumer can be charged overdraft fees on one-time debit card and ATM transactions, 12 CFR 1005.17(b), this does not mean that the consumer intended to make use of those services in these transactions where the consumer believed they had sufficient funds to pay for the transaction without overdrawing their account.”

In a nutshell, the justification says a consumer agreed to it, but that was before they knew they would be responsible for their own actions and have to pay for it. I can understand that consumers have a difficult time with payment priority of items. Bankers do as well. When a check is written it is presented through payment channels and it may have had sufficient funds when it was written, but the cash withdrawal at an ATM reduced the balance and now that check will not pay. Disclosures a bank gives would have a hard time making sense of all the different channels that can add and subtract from a consumer’s balance. But at the end of the day, if I rely not on what the computer says I have available but rather on my account register, if I started with $100 and wrote a check for $80, I know I should not take $60 from the ATM regardless of what the computer says I have available.

The Circular does make it clear that UDAAP is the enforcement action of choice. It asks one question: “Can the assessment of overdraft fees constitute an unfair act or practice under the Consumer Financial Protection Act(CFPA), even if the entity complies with the Truth in Lending Act (TILA) and Regulation Z, and the Electronic Fund Transfer Act (EFTA) and Regulation E?” and answers this with 13 pages of explanation.

The short answer is Yes, and that is because it is a UDAAP violation to charge such fees because “overdraft fees assessed by financial institutions on transactions that a consumer would not reasonably anticipate are likely unfair.” At the risk of sounding redundant, would an account register help the consumer understand they can not spend more than has gone into the account? Is relying on what a computer says the balance is what we used to call “playing the float,” and is not writing a check for funds not on deposit still “theft by check”? In my state it is a Class C or Class B Misdemeanor. But nowadays a consumer has more ways to access funds and it is a UDAAP violation of law by a bank.

One key concern in the circular are accounts that “authorize positive, settle negative” (APSN). That is, an unanticipated overdraft is charged because the consumer would not reasonably anticipate a fee because there were sufficient funds when an authorization was made.

The Circular differentiates between an overdraft which is a negative balance created when the bank pays an item for which there was not enough money to pay the item presented, and non-sufficient funds where the bank incurs no credit risk when it returns a transaction unpaid for insufficient funds. The overdraft is a loan which involves credit risk and banks charge fees for paying these items. The fee is typically a flat amount and is not based on the amount of the overdraft.

Two areas of concern are:

A fee banks have not seen targeted by the CFPB before—one imposed on a depositor when a bank charges back a check that has “bounced” (that is, it was returned unpaid) by the paying bank, and

“Surprise” fees, including overdraft fees charged when a consumer had enough money in their account to cover a debit charge at the time the bank authorized it.

In the first case (addressed in Compliance Bulletin 2022-06, issued the same day as Circular 2022-06), when the consumer deposits a check into their account, they assume these are good funds. We would believe this is less of a problem today as more payments are made electronically through Zelle, Venmo and the like. But while checks have declined in volume, they have not been eliminated. People are not accustomed to the potential bouncing and reversal of a check that they deposited whether a Reg CC hold notice was provided or not. These are not typically bad customers unless they played a role in the deception and no matter how meticulous they are at keeping a check register, they truly could not prevent the reversal and declining balance that would result from a deposited item coming back. The bank, however, dedicated staff time, decisioning, and technical resources to this process, so a fee for compensation is both disclosed and charged. Your bank accepted the deposit and never participated in the decision to pay or return the item. That was the paying bank’s decision.

According to the CFPB, while charging these fees across the board potentially violates existing law – UDAAP, banks may opt to have a targeted fee policy that charges depositor fees only in situations where a depositor could have avoided the fee. One such situations is when that depositor repeatedly accepts checks from the same originator who has paid them with checks which have bounced before. It would appear this process, while deserving of a fee, would be even more cumbersome and labor intensive to research and present to a depositor.

The second area of concern (covered in Circular 2022-06) are the surprise overdraft fees. The CFPB believes that these overdraft fees occur when a bank account balance reflects that a customer has sufficient funds to complete a debit card purchase at the time of the transaction, but the consumer is subsequently charged an overdraft fee because additional payments/withdrawals arrived possibly through a variety of channels which cause the balance to now be insufficient to cover that debit card withdrawal. The CFPB’s discussion here references the practice of using APSN (referenced above) to assess overdraft fees.

The CFPB asserts that a recent consent order entered into by the CFPB related to APSN overdrafts is applicable industrywide. It noted actions and discussions on these types of fees going back to 2010 by the CFPB, the Federal Reserve and the FDIC. It notes the FDIC cautioned banks on this in 2010 when it issued its Final Overdraft Payment Supervisory Guidance. In 2015, and the CFPB issued public guidance explaining how banks acted unfairly and deceptively when they charged certain overdraft fees. And in 2016, the Federal Reserve publicly discussed issues with unfair fees related to transactions that authorize positive and settle negative. They mentioned it again in 2018 in an issue of the Consumer Compliance Supervision Bulletin, describing it in terms of UDAP and Section 5 of the FTC Act. Then, in June 2019, the FDIC issued its Consumer Compliance Supervisory Highlights and raised risks regarding certain use of the available balance method. And finally in September 2022, the CFPB found that a financial institution had engaged in unfair and abusive conduct when it charged APSN fees and that is the case which is applicable to the industry. This was, of course, the Bureau’s action against Regions Bank where the bank was ordered to reimburse $141 million to customers, pay a civil money penalty of $50 million, and forgo charging any Authorized-Positive Overdraft Fees going forward.

The CFPB opined that, under the circumstances described, these “unanticipated” overdraft fees likely violate the Consumer Financial Protection Act(UDAAP) as they “are likely to impose substantial injury on consumers that they cannot reasonably avoid and that is not outweighed by countervailing benefits to consumers or competition.”

This is an area Compliance is involved in but needs to work with Operations and management to determine the extent of the circumstances in your bank described here. How often does it happen? What are the fees imposed and paid and the losses incurred? What are the risks of facing a regulatory enforcement action as a result? From there budget considerations can be made after a plan of action has been determined along with a policy change, if necessary.

October 2022 OBA Legal Briefs

  • Concerns about overdrafts and fees grow (Part 2)
  • 2022 OK legislative changes
  • A Reg O FAQ

Concerns about overdrafts and fees grow — Part 2

By John S. Burnett

In Part 1 of this article, I began a review of the FDIC’s August 18, 2022, “Supervisory Guidance on Multiple Re-Presentment NSF Fees,” issued with FIL-40-2022 ( I ended Part 1 of that review with a comment summarizing what the Guidance had suggested in the section on Consumer Compliance Risk.

Part 2 of this article starts with a restatement of that closing comment, with some added thoughts.

Comment: Thus far, the Guidance has suggested that banks need to ensure that their disclosures reflect what actually happens in the case of multiple re-presentments for a single transaction, and that something may need to be done about better notifying customers when an item is returned and an NSF is assessed and/or banks may want to consider setting some limit on how many times re-presentments of items derived from the same transaction will trigger another NSF fee.

On the first point — agreement between disclosures and practice —that can be approached from different directions. If a bank is charging an NSF fee for multiple presentments derived from the same transaction, the bank can formulate the right words to relate those facts to its consumer customers. On the other hand, if the bank isn’t disclosing that multiple re-presentments will trigger multiple NSF fees, it may determine a way to detect multiple re-presentments and not charge for more than one. Another possible option could be to stop charging NSF fees altogether so as not to mention them at all in disclosures. Could this be what 16 of the 20 banks included in the CFPB’s report on the top 20 banks by overdraft-related income decided to do?

Let’s move on to the next topic in the Guidance.

Third-Party Risk: The FDIC’s Guidance also expresses the agency’s concerns about risks that can be presented by third-party arrangements with core processors and others who may play significant roles in processing payments, identifying and tracking re-presented items, and assessing NSF fees when items are returned for insufficient funds. If not properly managed, such third-party arrangements can present risks for client financial institutions.

The FDIC expects (as all the regulators do) that financial institutions maintain adequate oversight of third-party actions and appropriate quality control over the products and services provided through third-party arrangements. Institutions are responsible for identifying and controlling such risks to the same extent as if the institution itself were handling the activity.

More succinctly, banks are responsible for what the third parties do for (or to) the bank’s customers. In that regard, banks should review and understand the risks presented by their core processing system settings related to multiple NSF fees, as well as the capabilities of such systems, such as identifying and tracking re-presented items and maintaining data on such transactions.

Litigation Risk: Cases involving Bank of America and the Navy Federal Credit Union are evidence there is litigation risk involved in multiple NSF fee practices. Class action lawsuits may allege breach of contract and raise other claims because of a failure to adequately disclose re-presentment NSF fee practices in bank account disclosures. Some cases have already resulted in substantial settlements, including customer restitution and legal fees.

Risk mitigation

The FDIC encourages banks to review their practices and disclosures concerning charging NSF fees for re-presented transactions. The agency shared these risk-mitigation actions banks have taken to reduce the potential risk of consumer harm and avoid potential violations of law:

  • Eliminating NSF fees
  • Charging no more than one NSF fee for a transaction, regardless of whether there are re-presentments
  • Conducting a comprehensive review of policies, practices, and monitoring activities related to re-presentments and making appropriate changes and clarifications, including providing revised disclosures to all existing and new customers
  • Clearly and conspicuously disclosing the amount of NSF fees to customers and when and how such fees will be imposed, including:
    • Information on whether multiple fees may be assessed in connection with a single transaction when a merchant submits the same transaction multiple times for payment
    • The frequency with which such fees can be assessed\o The maximum number of fees that can be assessed in connection with a single transaction
  • Reviewing customer notification or alert practices related to NSF transactions and the timing of fees to ensure customers are provided with an ability to effectively avoid multiple fees for re-presented items, including restoring their account balance to a sufficient amount before subsequent NSF fees are assessed

If your bank finds issues …

If your bank reviews its NSF fee practices surrounding multiple re-presentments and finds issues, what does the FDIC expect the bank to do about it?

Doing nothing and waiting for the FDIC to demand action is not an option. The FDIC expects a bank with issues to self-initiate corrective action, to include restitution to affected consumers consistent with the approach described in the Guidance. Such banks should also:

  • Promptly correct NSF fee disclosures and account agreements for both existing and new customers, including providing revised disclosures and agreements to all customers
  • Consider whether additional risk mitigation practices are needed to reduce potential unfairness risks
  • Monitor ongoing activities and customer feedback to ensure full and lasting corrective action

The FDIC’s Supervisory Approach

The Guidance indicates the FDIC intends to take appropriate action to address consumer harm and violations of law. It will focus on identifying re-presentment-related issues and ensuring correction of deficiencies and remediation to harmed customers. They consider such issues serious.

They will recognize a bank’s proactive efforts to self-identify and correct violations. They generally will not cite UDAP violations that have been self-identified and fully corrected before the start of a consumer compliance exam. The FDIC will also consider a bank’s record keeping practices and any challenges a bank may have with retrieving, reviewing, and analyzing re-presentment data, on a case by case basis when evaluating the lookback time period used for customer remediation. But failing to provide restitution for harmed customers when information on re-presentments is reasonably available will not be considered full corrective action.

If examiners find violations of law that have not been self-identified and fully corrected before an exam, the FDIC will consider appropriate supervisory or enforcement actions, which could include civil money penalties and restitution.

In simpler terms, this is not a concern that FDIC-supervised institutions can ignore and hope it goes away.

Is your bank’s overdraft program ‘dynamic’?

The March 2022 edition of the FDIC’s Consumer Compliance Supervisory Highlights includes compliance exam observations concerning automated overdraft programs that have been converted from static to dynamic overdraft limits.

Static limits are usually set at account opening and seldom change. Institutions use limits ranging from $100 to over $1,000 that may vary by account type. Some banks assign the same limit to all customers. Those limits are usually communicated to customers at account opening, in subsequent disclosures (particularly when participating in an overdraft program is delayed for a period after account opening) or through some other method, such as online or mobile banking channels.

Dynamic limits, on the other hand, vary for each customer and may change periodically (daily, weekly, monthly, for example) as a customer’s usage or bank relationship changes. In some cases, a customer’s assigned overdraft limit might be $1,000 one day and reduced to zero within a few days.

Changes are often controlled by an algorithm (a set of system rules) that attempt to manage risk by weighing variables and customer behaviors. Variables involved often include account age, balance, overdraft history, deposit amounts and frequency and other customer relationships with the bank. Algorithms may be adjusted based on policy changes, competition, customer behavior, etc. And, based on examination observations, banks do not always communicate limit changes to their customers.

Failures to communicate: In 2021, the FDIC identified several banks that converted their programs from a static limit to a dynamic limit. Examiners had concerns with how some of the conversions were implemented and cited violations of section 5 of the Federal Trade Commission Act due for deceptive acts or practices. Those institutions failed to disclose enough information about the change to a dynamic limit. Some institutions did not communicate with their customers about the change at all. In many cases, banks failed to disclose some or all of these key changes:

  • Replacement of the fixed amount with an overdraft limit that may change and could change as frequently as daily
  • Use of a new overdraft limit that may be lower or higher, at times, than the fixed amount to which the customer had become accustomed
  • Suspension of the overdraft limit when it falls to zero and how such a change may result in transactions being returned unpaid to merchants/third parties due to insufficient funds.

Those omissions were considered material by the FDIC. They included necessary information customers needed to make informed decisions about how the new dynamic limit program operated. Customers were not able to understand how to avoid fees associated with an overdraft or fees for transactions declined for payment. The FDIC determined that changes without adequate disclosure resulted in consumer harm.

Mitigating risk: As with its guidance to banks concerning assessing NSF fees for multiple re-presentations derived from the same transaction, the FDIC included in the “observations” article on implementation of overdraft program dynamic limits a list of risk-mitigating activities banks can consider to reduce the risk involved in implementing such limits:

  • Providing clear and conspicuous information to existing customers so they have advance notice of how the change from a fixed overdraft limit to a dynamic limit will affect them. This is especially important when the bank previously disclosed the amount of the fixed overdraft limit to customers.
  • Disclosing changes to overdraft limits in real time to consumers, as these vary, with the opportunity for consumers to adjust their behavior
  • Reviewing and revising account opening disclosures or other communications used to inform new customers about the automated overdraft program to avoid engaging in deceptive practices
  • Explaining that the dynamic limit is established based on algorithms, or a set of rules, that weigh numerous variables and customer behaviors, how the limit may change (including the frequency of change), and how the limit may be suspended or reduced to zero when eligibility criteria are no longer met
  • Training customer service and complaint processing staff to explain the features and terms of the automated overdraft program’s dynamic features. This training should be provided to staff who work with new customers as well as those who work with existing customers.

2022 OK Legislative Changes

By Pauli D. Loeffler

Title 12 O.S. § 1190

Garnishment fee increase

A history of garnishment fees in Oklahoma: Going back as far as 1996, and perhaps even before, a garnishee holding the judgment debtor’s funds was only allowed to deduct a fee in the amount of § 10.00 from funds of the judgment debtor as payment for processing the garnishment. Keep in mind that the Oklahoma statutes require the federally insured depository garnishee to:

  • Maintain a garnishment and note the receipt of the garnishment summons
  • Mail or deliver the garnishment packet to the judgment debtor
  • Segregate funds of the judgment debtor on deposit at the time the garnishment summons is serve
  • Determine whether the judgment debtor leases a safe deposit box, and if so, seal the box from entry for 30 days (Banking Code § 1312)
  • Respond to the garnishment summons by filling out the Garnishee’s Affidavit/Answer and filing it with the court within 10 business days (days the court issuing the garnishment is open, not the days the bank is open for business
  • Provide a copy of the Affidavit/Answer to the creditor’s attorney or the creditor
  • Remit a check to the creditor

If the judgment debtor does not have an account or lease a safe deposit box, the garnishee must still comply with the last three bullets and request the $10.00 fee. Law firms whose practice is representing creditors usually are very good about remitting the fee, but some collection firms, creditor’s representing themselves, and attorneys that rarely did collections would ignore the garnishee’s request. The $10.00 fee is pretty paltry, and if the creditor didn’t send the fee upon request, it isn’t efficient to take action against the creditor.

Handling garnishments became even more time and labor intensive with the U.S. Treasury Fiscal Services Garnishment of Accounts Containing Federal Benefit Payments, 31 C.F.R., Part 212 (“the Federal Benefits Rule”} effective May 1, 2011. In addition to requirements of Oklahoma law, the Federal Benefits Rule came with new and more onerous requirements:

  • The bank had to determine whether it has an account holder as defined in § 212.3: “Account holder means a natural person against whom a garnishment order is issued and whose name appears in a financial institution’s records as the direct or beneficial owner of an account.” Accounts held by corporations, LLCs, partnerships, limited partnerships, etc., even if they, for some reason, were receiving federal benefits by direct deposits, are not subject to the Federal Benefits Rule. On the other hand, revocable trust accounts and sole proprietorship accounts receiving federal benefits ARE subject to the Federal Benefits Rule.
  • The bank had to determine whether a federal benefit payment was paid by direct deposit to an account of an account holder. If so, the bank was required to determine the amount of benefits directly deposited during the lookback period, and
  • Establish the amount of protected funds, and
  • Provide the Notice to account holder under § 212.7. Under the 2013 revision, If ALL funds ae protected, the notice is not required.

Bankers ask whether Oklahoma has a maximum fee amount that can be charged customers for garnishments. Oklahoma has no limit the bank can charge a customer for a garnishment. The low-end fee is generally $25 while some banks charge two or three times that much particularly for garnishments on commercial accounts. If the amount in the judgment debtor’s account exceeds the judgment, the bank can satisfy its fee, but this is rarely the case. The bank can take the account negative to grab the fee if and when the account receives a deposit.

However, for accounts subject to the Federal Benefits Rule, banks were wholly prohibited from collection of their fee other than from unprotected funds. The bank could not collect under the original 2011 § 212.6 (h), which prohibited the bank from charging or collecting a garnishment fee against a protected amount or collecting a garnishment fee after the date of account review. This was modified in 2013 to allow the bank to “charge or collect a garnishment fee up to five business days after the account review if funds other than a benefit payment are deposited to the account within this period, provided that the fee may not exceed the amount of the non-benefit deposited funds.”

Scatter-gun garnishments

In addition to the garnishment fee remaining the same amount for two decades, banks were receiving more and more garnishments where the judgment debtor never was a customer of the bank. I envisioned the creditor took an Oklahoma map and used a compass to draw a circle around the judgment debtor’s home or place of business and sent garnishments to all banks within a 50-mile radius. OBA and several reputable collection attorneys held discussions regarding a proposed amendment to 12 O.S. § 1171 to require the creditor to exhibit good faith with some factual basis to believe the debtor has or previously had a relationship with the garnishee such as an inquiry, loan or account with the bank from a credit report or checks from the judgment debtor drawn on the bank. The collection attorneys had no objection to increasing the fee and mailing a check with the garnishment summons but did not support language that the service without the check allowed the garnishee to delay attachment of the fund. Their concern was due to their practice of providing the court clerk with the affidavit, garnishment summons, etc., together with a stamped and a pre-addressed envelope for mailing to the garnishee after filing done by the court clerk. If the garnishee claimed the check was not provided, there was no way to determine whether the creditor didn’t include it, the court clerk mislaid it, or it was mislaid by the garnishee.

Amendment clarifying bank’s duties if the fee doesn’t accompany the garnishment

One question I could not confidently answer under the 2016 amendment was: “What does the bank do if the check is NOT provided with the garnishment summons? “My belief was that while it was possible that the bank might misplace the check after receiving the garnishment, the person logging the garnishment should note the details of the check in the log. Further, the creditor was responsible for making sure the check was in the envelope with the garnishment summons, and if the court clerk mislaid it, s/he was the agent for the attorney. While I believed that if the check wasn’t provided, the bank wasn’t required to freeze the judgment debtor’s funds, I cautioned our members that a court could construe the provision differently. The statute effective for garnishments issued on and after November 1, 2022, not only increases the fee to $35.00 but also removes the uncertainty:

2. A judgment creditor shall remit a fee of Thirty-five Dollars ($35.00) as reimbursement for costs incurred in answering a garnishment issued pursuant to subparagraph d of paragraph 2 of subsection B of Section 1171 of this title to garnishees which are federally insured depository institutions. Such fee shall be delivered to the garnishee with the garnishment summons, and the garnishee shall not be required to attach funds of the judgment debtor until such fee is received. Any fee paid to a garnishee pursuant to this paragraph shall be taxed and collected as costs.

This language also works well as far as the Garnishment of Federal Benefit Payments is concerned. No funds of an account holder will be frozen until the check is received. The account review, lookback period, and determination of protected amount will be triggered upon receipt of the check. Further, the mailing or delivery of the garnishment package to the judgment debtor can and probably should be delayed until the check is received. Garnishments are public record, so the judgment debtor may learn of the garnishment before the bank receives the check and freezes the account, but I would not advise the bank to notify the customer until the check is received. The time to file the garnishee’s answer, mail the answer to the creditor or creditor’s attorney, and remit the judgment debtor’s funds to the creditor will be determined by the date the check is received.

I have been in contact with the Administrative Office of the Courts (the AOC), which is responsible for promulgating the Official Garnishment Forms. The revised non-continuing Pre- and Post-Judgment Garnishment forms will clearly state below the signature line: (Pursuant to 12 O.S. § 1190 a judgment creditor must remit a Thirty-five Dollar ($35.00) fee for costs to any federally insured depository institution garnishee. Fee must be delivered with the garnishment summons. Garnishee is not required to attach the funds of the judgment debtor until such fee is received.)
The AOC is responsible for drafting legal forms for use under a number of Oklahoma statutes. and the categories of forms is accessible at this link: The Garnishment Forms required to be used under the various statutes are available at and several are available in both Microsoft Word and PDF formats.

The first time I had the pleasure of working with the AOC was in 2011 in making changes to the forms with regard to the Garnishment of Federal Benefit Payments rule. The Federal Benefits Rule flew under the radar of the AOC because it wasn’t a change in state law, but it did require the revision of the garnishment summons and the garnishment Affidavit/Answer. On the other hand, when § 1190 was amended in 2016, the AOC had the revised forms ready to post on the website, removed the old forms on November 1, 2016, the date the amendment became effective, and removed the outdated forms.

Issues to expect

Based on past experience, banks should expect there will be some problems at first with the most recent changes. Banks should not expect garnishment summons issued on and after November 1, 2022, to contain the language on the AOC form. The majority of attorneys keep templates of the forms on their computers. With the 2011 revision to the AOC forms, a fair number of creditors’ attorneys were oblivious to the Federal Benefits Rule and didn’t revise their forms. When § 1190 became effective November 1, 2016, based on emails from OBA members, the OBA Compliance Team learned that some attorneys still hadn’t updated their forms more than five years later. I don’t expect it will be any different this time around. Note that when an outdated garnishment summons is used, the Garnishee’s Affidavit/Answer will likewise be an outdated form. That was an issue with regard to use of the Garnishee’s Affidavit/Answer for garnishments on and after the May 1, 2011, effective date of the Garnishment of Accounts Containing Federal Benefit Payments, so book marking the AOC webpage is a good idea not only for this reason but also when the garnishment packet doesn’t include the Claim for Exemption and Request for Hearing Form.

The majority of garnishments filed by pro se creditors (creditors representing themselves rather than through an attorney) also used the old forms for several months after the AOC issued revised forms in 2011 and again in 2016. Not all court clerks were aware of the changes, and court clerks tend to be a frugal bunch. Most clerks maintain packets of garnishment forms used by pro se creditors. Either to save money, time and labor, or to avoid killing trees, some clerks didn’t print the new forms until they ran out of the old ones. Court clerks are the primary forms source for pro se creditors. There is nothing to prohibit filing an outdated form. Clerks will file it if it is properly captioned, i.e.,  includes the names of the court, the plaintiff, the defendant, the case number, and the filing fee is paid.

Unlike the 2016 amendment to § 1190, the bank doesn’t need to do more than log the garnishment and note that the $35 did not accompany the garnishment Summons. I suggest contacting the creditor’s attorney or creditor and advise of the change to § 1190. If the bank receives the fee, I don’t believe that the creditor/creditor’s attorney needs to file a new or amended affidavit and garnishment summons.

Uniform Consumer Credit Code Amendments Effective November 1, 2022

Title 14A O.S. § 1-106

Effective November 1, 2022, § 1-106 Change in Dollar Amount Used in Certain Sections which includes late fees, $ 3-508A lender’s closing fee, § 3-511, and other sections is amended. The amendment removes § 3-508B loans from subsection (1) of this section. Subsection (2) provides the manner and index for adjustments to amounts under § 3-508B loans. Former Subsection (2) is renumbered as Subsection (3) and covers Sections under Subsection (1). Subsection (3) is renumbered as Subsection (4) and covers Sections under Subsection (2) i.e., § 3-508B. Subsection (4) is renumber Subsection (5), Subsection (5) is renumbered Subsection (6), and Subsection (6) is renumbered Subsection (7).

Title 14A O.S. § 3-508B

Sec. 3-508B provides an alternative method of imposing a finance charge to that provided for Sec. 3-508A loans. Late or deferral fees and convenience fees as well as convenience fees for electronic payments under § 3-508C are permitted, but other fees cannot be imposed. No insurance charges, application fees, documentation fees, processing fees, returned check fees, credit bureau fees, nor any other kind of fee is allowed. No credit insurance, even if it is voluntary, can be sold in connection with in § 3-508B loans. If a lender wants or needs to sell credit insurance or to impose other normal loan charges in connection with a loan, it will have to use § 3-508A instead. Existing loans made under § 3-508B cannot be refinanced as or consolidated with or into § 3-508A loans, nor vice versa. The statute as amended is available on the OBA’s Legal Links web page.

Oklahoma’s Telephone Solicitation Act of 2022 effective November 1, 2022

The June 2022 OBA Legal Briefs has in-depth information on this Act.


By Pauli Loeffler

We often get asked what happens when a borrower becomes an insider or an executive officer of the bank? The Federal Reserve covers this in one of its FAQs:

Q2: When do the requirements of Regulation O apply to extensions of credit to a person that becomes an insider after the member bank made the extension of credit (transition loans)?

A2: Transition loans need not conform to the requirements of Regulation O until such extensions of credit are renewed, revised, or extended, at which time the extensions of credit would be treated as a new extension of credit and therefore subject to all of the requirements of Regulation O. However, transition loans must be counted toward the individual and aggregate lending limits of Regulation O as soon as the borrower becomes an insider.

This same treatment would apply to extensions of credit to a director or principal shareholder that later becomes an executive officer. Such extensions of credit need not conform to the provisions of Regulation O that apply only to executive officers until such extensions of credit are renewed, revised, or extended. However, the amount of any such extensions of credit count toward the quantitative limits for loans to executive officers in section 215.5 of Regulation O as soon as the director or principal shareholder becomes an executive officer.

Many lines of credit by a member bank to an insider must be approved by the bank’s board of directors every 14 months. Each such approval constitutes a new extension of credit. Accordingly, transition loans that are lines of credit generally must conform to the requirements of Regulation O within 14 months of the borrower becoming an insider.

Notwithstanding the general principles noted above, the treatment described here does not apply to extensions of credit made by a member bank in contemplation of the borrower becoming an insider or executive officer. Under such circumstances, the extension of credit should comply with all requirements of Regulation O at the time it is made.

September 2022 OBA Legal Briefs

  • Concerns about overdrafts and fees grow (Part 1)
  • Repossessions and the SCRA

Concerns about overdrafts and fees grow — Part 1

By John S. Burnett

Regulators have run hot and cold on the topics of overdraft programs and associated fees for well over a decade. A few landmark issuances along that rocky road were:

Enter the CFPB

The subjects of overdrafts and associated fees have been studied and written about by the CFPB almost since the Bureau opened its doors in 2011. The Bureau’s first Director, Richard Cordray, was a harsh critic of then-current overdraft programs and fees during his tenure at the Bureau. He advocated for “safer” accounts designed to prevent overdraft fees, and even suggested the use of prepaid cards as an alternative to expensive checking accounts and their fees. In August 2017, in a press call on overdrafts, Cordray spoke of a study that found frequent overdrafters who have opted in to debit card and ATM overdraft service typically pay almost $450 more in overdraft fees per year comparted to frequent overdrafters who had not opted in. The Bureau issued updated model disclosure prototypes to replace the Regulation E Model A-9 disclosure form with that study

In April 2015, the Bureau issued a consent order in an administrative proceeding against Regions Bank for failing to obtain required opt-ins from customers who had linked their savings accounts to checking accounts to cover overdrafts, but charging the customers overdraft fees when the savings account was wiped out by ATM or one-time debit card transactions, but had not obtained an opt-in for overdraft service as required by Reg E. For that violation and others, Regions Bank was fined $7.5 million and refunded over $47 million to customers before the order was issued, and was ordered to identify any other customers who were owed a refund.

In July 2016, the Bureau ordered Santander Bank, N.A., to pay a $10 million fine for illegal overdraft service practices. This case involved a telemarketing vendor that deceptively marketed the service and signed some of the bank’s customers up without their consent.

In January 2017, a federal district court approved a Bureau settlement with TCF National Bank regarding its marketing and sale of overdraft services. The Bureau had alleged that, when attempting to obtain consent for OD service as required by Reg E, TCF obscured the fees it charged and made consenting to fees seem mandatory for new customers. TCF agreed to pay $25 million in restitution and a penalty of $5 million.

In August 2020, the Bureau issued a consent order against TD Bank, N.A. regarding its marketing and sale of its optional overdraft service, Debit Card Advance (DCA). The Bureau found that TD Bank’s overdraft enrollment practices violated the Electronic Fund Transfer Act (EFTA) and Regulation E by charging consumers overdraft fees for ATM and one-time debit card transactions without obtaining their affirmative consent. The Bureau found that TD Bank violated the Consumer Financial Protection Act (CFPA) prohibition against deceptive acts or practices by making misleading representations to consumers regarding DCA while offering that service to consumers in person, over the phone, and through mailed solicitations. The Bureau also found that TD Bank violated the CFPA’s prohibition against abusive acts or practices by materially interfering with consumers’ ability to understand the terms and conditions of DCA. . TD Bank paid a $25 million penalty and was ordered to pay an estimated $07 million in restitution.

Recent CFPB activity

One of the first actions taken by the Bureau’s newest director, Rohit Chopra, has been an ongoing campaign against “junk fees,” with an undisguised disdain for bank overdraft and NSF fees.

In December 2021, the CFPB released research on OD and NSF revenue, which reached an estimated $15.47 billion in 2019. Three banks (JPMorgan Chase, Wells Fargo, and Bank of America) brought in 44 percent of the total OD and NSF income reported in 2019 by banks with assets over $1 billion. The CFPB also said that while small institutions with overdraft programs charged lower fees on average, consumer outcomes were similar to those found at larger banks. The research also notes that, despite a drop in fees collected, many of the fee harvesting practices persisted during the COVID-19 pandemic,

In February 2022, the Bureau posted a blog article comparing overdraft fees and policies across the top 20 banks ranked by 2019 reported overdraft income. The article noted significant changes by several of the banks. In an update of the table provided in that blog. The Bureau now reports that, since the 2021 review, 15 of the banks have eliminated NSF fees (you will see a possible reason for that change later in this article). Fifteen reported no sustained OD fee (up from 12 in 2021). Two banks (up from one), reported they charge no OD fees at all. Four banks (up from three) reported they don’t charge OD fees on debit card purchases, and eight banks don’t charge OD fees on ATM withdrawals (up from four in 2021).

The Bureau is highlighting these changes to demonstrate that some big banks are paying attention to regulatory saber-rattling, or are just plain tired of fighting the battle over what the Bureau has termed “junk fees.”

Multiple NSF fees and the FDIC

There has been growing regulator concern over the practice of charging multiple NSF fees for multiple presentments of items for a single transaction. Briefly, this can happen when a bank charges a first NSF fee for a check drawn on insufficient funds and returns the check, and, when the check is presented a second time against insufficient funds, returns the check again, assessing a second NSF fee. In some cases, checks get presented more than twice, or they are converted to ACH debits (a re-presented check or RCK entry), which can be used once if the check has been returned twice, or twice if the check has only been returned once. Imagine a $50 check  being bounced three times at $35 an event!

Regulators have been voicing their concerns over the practice and point to recent litigation in which banks and a very large federal credit union have been sued for charging multiple NSF fees for a single transaction. A class action suit against Navy FCU was dismissed, but when the lead complainant appealed, the CU agreed to a settlement.

The FDIC issued “Supervisory Guidance on Multiple Re-Presentment NSF Fees” with FIL-40-2022 ( on August 18, 2022, “to address certain consumer compliance risks associated with assessing multiple non-sufficient funds (NSF) fees arising from the re-presentment of the same unpaid transaction.” In the Guidance, the FDIC also shared “its supervisory approach when a violation of law is identified, as well as expectations for full corrective action.”

According to the Guidance, during consumer compliance examinations, the FDIC has “identifies violations of law when financial institutions charged multiple NSF gees for the re-presentment of unpaid transactions.” The FDIC found that “some disclosures provided to customers did not fully or clearly describe e the institution’s re-presentment practice, including not explaining that the same unpaid transaction might result in multiple NSF fees if an item was presented more than once.”

Comment: Some banks might be tempted at this point to pull out Regulation DD’s commentary to section 1030.4(b)(4) – Account disclosures; Content of account disclosures; Fees— and run down the page to comment 4(b)(4)-5, Fees for overdrawing an account, which says, “Under § 1030.4(b)(4) of this part, institutions must disclose the conditions under which a fee may be imposed. In satisfying this requirement institutions must specify the categories of transactions for which an overdraft fee may be imposed. An exhaustive list of transactions is not required. It is sufficient for an institution to state that the fee applies to overdrafts ‘created by check, in-person withdrawal, ATM withdrawal, or other electronic means,’ as applicable. Disclosing a fee ‘for overdraft items’ would not be sufficient.”

The point being made by the FDIC, however, isn’t that the banks that charged multiple fees for re-presentments violated the Truth in Savings Act or Regulation DD; it’s that not disclosing that multiple NSF fees may be charged if multiple items for the same transaction are presented and not explaining how that can occur creates “a heightened risk of violations of Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices (UDAP).” The Guidance continues, “While specific facts and circumstances ultimately determine whether a practice violates a law or regulation, the failure to disclose material information to customers about re-presentment and fee practices has the potential to mislead reasonable customers, and there are situations that may also present risk of unfairness if the customer is unable to avoid fees related to re-presented transactions.”

In a footnote, the FDIC suggests that these practices may also violate Section 1036(a)(1)(B) of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (12 U.S.C. § 5536(a)(1)(B)), which prohibits any covered person or service provider from engaging in, among other things, abusive acts or practices in connection with a consumer financial product or service. That portion of the Dodd-Frank Act is also referred to as the Consumer Financial Protection Act.

Deceptive practices: The guidance continues: In a number of consumer compliance examinations, the FDIC determined that if a financial institution assesses multiple NSF fees arising from the same transaction, but disclosures do not adequately advise customers of this practice, the misrepresentation and omission of this information from the institution’s disclosures is material. The FDIC found that if this information is not disclosed clearly and conspicuously to customers, the material omission of this information is considered to be deceptive pursuant to Section 5 of the FTC Act.”

Unfair Practices: On this topic, the Guidance offers, “In certain circumstances, a failure to adequately advise customers of fee practices for re-presentments raises unfairness concerns because the practices may result in substantial injuries to customers; the injury may not be reasonably avoidable; and there may be no countervailing benefits to either customers or competition. In particular, a risk of unfairness may be present if multiple NSF fees are assessed for the same transaction in a short period of time without sufficient notice or opportunity for customers to bring their account to a positive balance in order to avoid the assessment of additional NSF fees. While revising disclosures may address the risk of deception, doing so may not fully address the unfairness risks.

Comment: Thus far, the Guidance has suggested that banks need to ensure that their disclosures reflect what actually happens in the case of multiple re-presentments for a single transaction, and that something may need to be done about better notifying customers when an item is returned and an NSF is assessed and/or banks may want to consider setting some limit on how many times re-presentments of items derived from the same transaction will trigger another NSF fee.

Watch for Part 2:  In Part 2 of this article, we’ll look at third-party risk and what the FDIC expects of a bank that discovers it has problems like those described in the Guidance. We will also look at another relatively new regulatory concern about overdraft programs.

Repossessions and the SCRA

By Andy Zavoina

I want to share a recent issue that a compliance officer consulted me on. This is your opportunity to realize that even when you train and have sound policies and procedures, people can – and will — still make mistakes.

I had a disturbing call recently from a banker who appears to have a good compliance program. I say the program is “good” not because I have audited it, but because she was auditing files from three months prior and she found a questionable repossession. As you will read, she was right to question it, and that is why I say that part of her Compliance Management Program is working. Detecting errors leads to an earlier correction when that may be possible, and to fewer repeat problems because a part of any corrective action typically involves re-training.  Very often an auditor reviews a file, scans it to understand what has happened and explains the actions away as a way of justification.

In this case, the lender had a car loan that was past due and was ready for a repossession order. Having recently had some training on repossession procedures and the Servicemembers Civil Relief Act (SCRA), he checked the DMDC database to verify the borrower was not covered.

In my SCRA training materials I recommend that banks “Design [their] foreclosure procedures to ensure counsel is following all requirements, to include completion of all background research and proper notice as expected by the regulators. This includes repossession of personal property as well. When you check the SCRA database you will enter a date in a field for ‘Active Duty Status Date’ and the response you will receive based on that date, is the status of the individual – whether or not the individual was actively serving, received a notice to serve, or was serving  – for a period of 367 days prior to the given date. So when you check this, you are getting the status for the last year.” The yearlong lookback allows for real property foreclosure protections that last for a year after discharge. That does not apply to vehicle repossessions.

In this case the lender checked, received a negative response and put the car out for repossession by a third-party agent. This is where it gets questionable. I do not know how much time elapsed, but on the day of the repossession itself, the lender checked again. As you can predict, the response was now affirmative. As of that day the borrower was a servicemember and afforded all the protections under section 302 of the SCRA (50 U.S.C. 3952).

“After a servicemember enters military service, a contract by the servicemember for–

(A) the purchase of real or personal property (including a motor vehicle); or

(B) the lease or bailment of such property,

may not be rescinded or terminated for a breach of terms of the contract occurring before or during that person’s military service, nor may the property be repossessed for such breach without a court order.

This section applies only to a contract for which a deposit or installment has been paid by the servicemember before the servicemember enters military service.”

I do not know if the car was repossessed before or after the second verification was done. If it was done before, repo order should have been rescinded. If it was not possible to do immediately it should have been done as soon as possible. Now that the car could not technically be repossessed, those expenses will be paid for by the bank and without the ability to collect them as a collection cost. Add to that the bank may now have to pay to return the car to the servicemember which adds to the cost of the already delinquent loan. The benefit here would be that a recent check did not indicate a protected status but one on the day of the repossession did. The car could be retuned and the bank could claim “no harm, no foul” so long as there is no claim of damage to the car from the repossession. But it did not stop there. That would not be an interesting lesson.

This repo occurred three months before. Regardless of the above recommendation to immediately return the car and undo a bad situation, that advice is too late. The lender, now knowing the borrower was protected, proceeded to sell the car and apply the proceeds against the loan balance. Why?

As an auditor there are now more questions to be asked. This file escalates from a routine audit to damage control.

  • When was the protected status known?
  • Why was the car sold?
  • Was this a commercially reasonable sale, were personal items returned, were notifications of the sale sent and was the borrower provided an ample period to cure the default?
  • When was the lender last trained on the bank’s policy and procedure?
  • Was the training thorough?
  • Was the second DMDC check a standard procedure (I would say it would be a good one) or did the lender suspect the borrower was going to be protected and wanted to “beat the clock” so to speak and get the car before protections were actually in effect?
  • What was the cost of the repo?
  • What was the sale price and was there a deficit?
  • Has the borrower contacted anyone at the bank?

The Compliance Officer also has immediate work to do, and it was needed yesterday.

  • Review training records to verify the lender was appropriately trained. If he was not, why not?
  • Advise all lenders/collectors of the requirements to immediately prevent a repeat violation. It would move to catastrophic to have the same thing happen after the bank is aware of this instance.
  • Was this an anomaly? Realistically all repossessions need to be reviewed for a period of (my recommendation) three years. After the most recent six months is done management needs to be aware of the problem. Since there have been no other alarms, attorney calls, anyone from JAG or the borrower, the issue is thus far contained, but now must be controlled.
  • Discuss the case with management. Advise them of the case and the fact that a review is being conducted and so far, how it looks.
  • The Compliance Officer is not Human Resources, but assuming training was done, and policies and procedures were provided, HR may have to be involved. Disciplinary action may well be called for.

Some readers may be asking why all this work, what’s the big deal if the borrower has not claimed any protections after three months? Here is the deal, and it can be costly. SCRA violations are reviewed by the Department of Justice (DOJ), not your banking regulator, although they will likely be involved if the case is worth pursuing.

There was one very similar case to this. On March 28, 2018, the United States vs California Auto Finance (CAF), Case No. 8:18-cv-00523 was filed. CAF is a large sub-prime lender in Southern California and the Southwest. The suit alleges CAF repossessed a servicemember’s car after being made aware the borrower was in the service.

Andrea Starks purchased a car in Glendale, Arizona, in September 2015. She made her first payment in October 2015 which was pre-service and meets the requirements for SCRA protection. She enlisted in April 2016 and reported for active duty on May 9, 2016, the same day her vehicle was repossessed. Two days after enlisting, she provided CAF with a copy of her orders. She would not have been protected as a reservist being called to active duty based on receipt of her orders, but rather when she met the definition of “military service” which, in this case, would be when she was paid by Uncle Sam.

Had the vehicle been repossessed the day before, Starks would not have been technically protected. In any case, it was taken on the same date as she reported for duty. CAF sold the vehicle on or about May 25, 2016.

This was the single complaint against CAF made by Starks to the DOJ in November 2016. There were no other complaints against CAF mentioned. In describing the violations committed by CAF, the DOJ explains the facts it reviewed in its investigation that began in December 2016.

  1. The Defense Manpower Data Center (DMDC) is a free database allowing lenders to determine if a person is protected under the SCRA. The CAF did not verify her status prior to repossessing the vehicle. (It would be interesting to know if Starks would have been shown as currently serving, it being her first day.) Regardless, CAF had already been given a copy of Starks orders by Starks herself.
  2. This was pre-service debt under the SCRA.
  3. No court order was obtained prior to the act of repossessing the vehicle.
  4. The CAF believed at the time, and still as of this court filing, that only deployment orders would have provided protections to a servicemember. (This is incorrect. It is the act of serving, whether that be in the continental United States or overseas.)
  5. The CAF had and still has no policies or procedures to provide staff with SCRA compliance guidance.
  6. Because of a demonstrated lack of knowledge and guidance (the policy or procedures) the DOJ stated they “may have repossessed motor vehicles without court orders from other servicemembers” and as such viewed this as a pattern or practice of violating the SCRA protections and requirements of the SCRA. This means that Starks and other servicemembers have suffered damages.
  7. The actions of CAF were “intentional, willful, and taken in disregard for the rights of servicemembers.”

The bank has obviously done more than CAF had and is aware of the protections the servicemember had. But it seems the violation was blatant and willful and because the lender represents the bank, the bank is at fault. The bank repossessed the car and knowing the borrower was protected, sold the car anyway.

In the Starks case there was $30,000 paid to Martinez, the only other violation the DOJ found after scrubbing years’ worth of repossession files and a $50,000 penalty. We do not know how much Starks was paid but I would be confident in estimating that in addition to the $80,000, plus the cost of attorneys, motions, court expenses, and employee cost on the CAF side of the file reviews, that CAF spent $125,000 because of that one repossession, which turned into two. Two is not excessive, but it is two too many.

In May 2017 Wells Fargo repossessed the car of Jin Nakamura. He was protected by the SCRA and paying, but the bank repossessed and sold his car. That launched an investigation, and a pattern was found. The bank paid $5,125,000 plus a third of the legal expenses for its violations. Each servicemember was paid $12,300 from the settlement except for Nakamura, who received a greater share as he instigated the case, which was settled in May 2019.

In our recent case the bank should immediately involve counsel who is familiar with the SCRA and enforcement actions. The bank should consider settling with the borrower if possible. That might avoid DOJ involvement. Servicemembers are trained on their benefits when they enlist, but it may have gone in one ear and out the other. But the military periodically retrains them, and the matter will likely come up again. Any amount of research and the borrower could decide that car was special and worth far more than the bank sold it for. The bank needs to consider zeroing the loan balance, removing the credit rating in total or certainly the repossession, and reimbursing the agreed value of the car to the servicemember. These costs combined would be far less than a DOJ investigation and the reputational risk the bank would suffer.

Here is an example/article from “Housing Wire” of a foreclosure that happened in 2010, but the complaint was not made for six years. The DOJ was heavily involved, and the complaint was years after the foreclosure.

In late 2017, Northwest Trustee Services, the “largest foreclosure trustee in the Pacific Northwest,” illegally foreclosed on dozens of military veterans and servicemembers over the last few years, the DOJ claimed in its lawsuit. According to the DOJ, in the prior six years, Northwest had foreclosed on at least 28 homes owned by servicemembers without the necessary court orders.

The lawsuit came after the DOJ launched an investigation into Northwest’s foreclosure practices at the urging of Marine veteran Jacob McGreevey of Vancouver, Washington, who submitted a complaint to the DOJ’s Servicemembers and Veterans Initiative in May 2016.

Portland’s The Oregonian has been all over McGreevy’s story, previously chronicling his fight against Northwest and PHH Mortgage, his mortgage servicer, for foreclosing on his home shortly after he returned from active duty.

According to the DOJ, Northwest foreclosed on McGreevey’s home in August 2010, less than two months after he was released from active duty in Operation Iraqi Freedom.

In 2016, McGreevey sued both PHH and Northwest, but a U.S. District Court Judge accepted PHH and Northwest’s argument that McGreevy had waited too long to file his case and dismissed the case on that basis.

Here’s how the Oregonian described that process in one of its reports:

Altogether, he served four tours in either Iraq or Afghanistan. In between deployments, McGreevey would return to Vancouver, where he bought a house on Northeast 24th Court. But he fell behind on payments.

PHH Mortgage repossessed his house in June 2010. Knowing next to nothing about the consumer protections afforded him as a member of the military, McGreevey didn’t contest it. The foreclosure became final the following September.

McGreevey had advanced from private to staff sergeant by the time his final deployment ended in 2012. Though diagnosed 80% disabled with post-traumatic stress syndrome, hearing loss and a back injury, he set about reinventing himself for civilian life. He earned a business degree from Portland State University and got a job at a bank.

That’s when he learned about consumer protection laws, including the Servicemembers Civil Relief Act.

From there, McGreevy sued Northwest and PHH. But McGreevy’s case was dealt a blow earlier that year, when the DOJ sided with Northwest and PHH in McGreevy’s lawsuit.

But later, the DOJ reversed its position and cites McGreevy’s case as the impetus for its lawsuit against Northwest. It should be noted that the DOJ had taken no action against PHH in this case, to this point.

According to the DOJ, its investigation revealed that, beyond McGreevey, Northwest foreclosed on other homes of SCRA-protected servicemembers in violation of the SCRA since 2010.

“The loss of a home is a devastating blow for anyone – but far worse for active duty service members often called to war zones far from Western Washington,” said U.S. Attorney Annette Hayes.

Our investigation revealed that Northwest Trustee Services repeatedly failed to comply with laws that are meant to ensure our service members do not have to fight a two-front war – one on behalf of all of us, and the other against illegal foreclosures,” Hayes continued. “My office will continue to work closely with our colleagues in the Civil Rights Division in Washington, D.C. to protect Western Washington service members from this kind of misconduct.”

According to the DOJ, it is seeking monetary damages for affected servicemembers, as the SCRA provides for civil monetary penalties of up to $60,788 for the first offense and $121,577 for each subsequent offense.

But Sean Ridell, who served in the Marines and is McGreevy’s lawyer, told the Oregonian that he wants much more than just money.

“I want Northwest Trustee and PHH put out of business, their buildings burned down, and the ground salted so that nothing ever grows for what they did to veterans,’ Ridell said.

As you can see, historically these violations do not end well for the bank whether it is a home foreclosure or auto repossession and there can be years between the violation and the final reckoning. During that time there are expenses and distractions, none of which are good for the bank. The actions of the lender may have cost the bank six figures. If it acts proactively, it will emerge smarter and only at a five-figure expense. This is a real case, and all bankers should assess their own situation and ask, “Could this have happened here?”

August 2022 OBA Legal Briefs

  • COVID coughs up and update
  • FCRA is on the front burner

COVID coughs up an update

by Andy Zavoina

Perhaps your staff is all back in the bank, some are travelling for summer vacation, masks are seen sparsely, and COVID-19 seems to be something viewed only in the rearview mirror. But that does not mean the pandemic is over, or that your pandemic procedures can be put back on the shelf as life moves forward once again. In addition to yet another variant, some things “pandemic” are still in motion and your bank needs to be aware. Your Human Resources department may need a copy of this update if they haven’t seen the information already. You may recall our covering the U.S. Equal Employment Opportunity Commission (EEOC) rules addressing pandemic procedures in the May 2021 Legal Briefs. This is an update to that article.

On July 12, 2022, the EEOC revised the informal guidance ( The EEOC has updated employee testing protocols and any mandates imposed for vaccine requirements as well as a few other related issues. Depending on what your bank was doing, there may be less justification for it today.

The EEOC revised its position on COVID-19 screening of employees. Screening or testing is no longer considered automatically a “business necessity” in order to operate day-to-day as it was at the beginning of the pandemic. Instead, your bank should evaluate your local conditions and individual circumstances to determine if continued screening or testing is justified as a business necessity, or if it is doing so today based on a potentially outdated policy or procedure.

The EEOC guidance provides eight factors to consider in determining whether circumstances indicate continued screening or testing would be considered a business necessity in your bank and branches:

1. The level of community transmission
2. The vaccination status of employees
3. The accuracy and speed of processing for different types of COVID-19 tests deemed acceptable
4. The degree to which breakthrough infections are possible for employees who are “up to date” on vaccinations
5. The ease of transmissibility of the current variants
6. The possible severity of illness from the current variants
7. What types of contacts employees may have with others in the workplace or elsewhere that they are required to work (e.g., working with medically vulnerable individuals)
8. The potential impact on operations if an employee enters the workplace with COVID-19.

Note: many of the terms used above are explained in greater detail with links on the EEOC site linked in this article. In making these assessments, the bank should check the latest CDC guidance as well as other relevant sources and determine whether screening or testing is appropriate for these employees.

If your branches are all in one area, it may be easy to handle them all the same. If, however, they are spread across many miles, it may be appropriate to tailor procedures to the outlying branches separately, based on the local conditions of each branch. In any case it is time to review the policy and procedures followed for the extreme circumstances a pandemic requires and ensure there is flexibility in screening and testing requirements as the threat level has been lowered and there are fewer protections from violations of the Americans with Disabilities Act.

FCRA is on the front burner

by Andy Zavoina

The Fair Credit Reporting Act (FCRA) is shifting to your front burner, at least until you complete a review and ensure your bank is completely compliant. Rarely is a compliance process one that you can “set and forget.” Procedures need controls that provide checks and balances and on occasion we get little reminders that at least some in our industry were slacking, or just plain doing it wrong.

The Consumer Financial Protection Bureau (CFPB) released an Advisory Opinion on July 7, 2022, on the FDCRA and Regulation V. The reality is that the CFPB is extending its authority in this case to emphasize data protection requirements and privacy. On July 26, 2022, we read an enforcement action from the CFPB against Hyundai for – yes – FCRA violations. The enforcement action included some language that alleged Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) in addition to the FCRA and Reg V violations. “Piling on” is seen more often in these enforcement actions and this one cost Hyundai over $19 million.

So, let’s discuss some of the FCRA reminders from the Advisory Opinion and the lessons learned from the enforcement action, so you can review your FCRA practices and ensure compliance is in order.

In fact, the enforcement action carries lessons far beyond the FCRA, as it says a lot about compliance management. In this case, deficiencies were found. But it took years for the fixes to be put in place and therein lies part of problem leading to the penalty. Problems were found, plans were made to address the issues, but it never really got done. “Follow through” is an important part of the compliance management and audit process and it did not work here.

This Advisory Opinion, “Fair Credit Reporting; Permissible Purposes for Furnishing, Using, and Obtaining Consumer Reports,” is an interpretation of the existing rules and is not intended to change the law or Reg V, but rather to provide guidance in your efforts to comply with the existing rules. This information should be preserved with your regulatory materials as a future reference for use in audits, training, and development of policies and procedures.

This Advisory Opinion applies to Credit Reporting Agencies (CRA) as providers of credit reports as well as users of those reports. Our emphasis here is on the latter but we must also appreciate the former and be aware that changes could result from this. As it relates to the Advisory Opinion, 604(a)(3) of the FCRA is consumer-specific and requires a CRA to ensure that only a specific consumer’s data is released when a credit report is requested. This data protection rule provides that John A Smith’s credit information should not be released when John A Smith Jr.’s file is accessed. It seems some CRAs have been lax in matching up just a name instead of several data points such as a Social Security number, date of birth or addresses to better narrow down the file actually requested.

As to name only matching, one CRA stated when providing a consumer report: “This record is matched by First Name, Last Name ONLY and may not belong to your subject. Your further review of the State Sex Offender Registry is required in order to determine if this is your subject.” That disclaimer sends up several red flags. This is a problem for the CRA as the provider of the report and for the bank as a user of the report. The Advisory Opinion makes it clear that any disclaimer from the CRA that the file “could” have someone else’s information is not sufficient to protect them from penalties resulting from the release of this information. It also does the bank no good to have information on John A Smith when it is Junior who is applying for a loan. Similarly, if the bank requested the file on John A Smith instead of Junior, it would have violated the FCRA because it had no permissible purpose to request that file. And because the bank’s contract with the CRA will require it only requests files when it has a permissible purpose, that contract would be violated.

Congress enacted the FCRA with particular goals, including, “to ensure f air and accurate credit reporting, promote efficiency in the banking system, and protect consumer privacy.” There were concerns that the contents of a credit file were not kept confidential. The FCRA is intended to protect the individual’s privacy by controlling both the collection and dissemination of credit information. The CFPB is respecting the privacy goals of the FCRA with its Advisory Opinion.

Section 604 of the FCRA is, “Permissible purposes of consumer reports,” and it identifies an exclusive list of “permissible purposes” under which a CRA can release the credit report including in accordance with the written instructions from the consumer to whom the report relates and for purposes relating to credit, employment, and insurance. Let’s place emphasis here on the fact that the consumer has to authorize the bank to request this report from the CRA and the fact that this is an exclusive list, meaning these are the only reasons allowed. Obviously if there is another person’s information in the file, which contributes to a violation. Among the key reasons a bank would access this includes, 604(a)(3)(A),” in connection with a credit transaction involving the consumer on whom the information is to be furnished and involving the extension of credit to, or review or collection of an account of, the consumer,” and, “(F) otherwise has a legitimate business need for the information (i) in connection with a business transaction that is initiated by the consumer; or (ii) to review an account to determine whether the consumer continues to meet the terms of the account.” These are the direct banking issues. This section includes other reasons such as employment and insurance as well. Paragraph (F) seems broad with its use of having a legitimate business need and to review an account. In fact, these are not as broad as some lenders or collectors may think as the purposes can be narrow.

There is A LOT of content in the FCRA that cannot be covered here today. Suffice it to say that when the CFPB took the FCRA regulation from the Federal Reserve it inherited the consumer protection provisions. When you research the FCRA, be sure to look at what the FRB retained as well as what the CFPB has ownership of (, and the FCRA itself ( The last link includes a link to a document, “FTC Staff Report – July 2011”. The FCRA and Reg V do not have an Official Staff Commentary with explanations and interpretations. But there were guidance opinions issued by the Federal Trade Commission (FTC) as it had a key role in FCRA oversight and enforcement.

One of the major changes to the FCRA was the FACT Act which provided the FTC with specific rulemaking authority. The FTC issued more than 430 opinion letters to act as compliance guidance. This 117-page document assembles many of these opinions to act as a proxy for a Commentary. This is a must read for FCRA compliance as it defines the difference between using a credit report for a loan request, and then also using it to prequalify the consumer for another loan product. Such a use violates the permissible use requirements as access was not granted for that cross-sale. These are the nuggets you will find in this booklet. It may be 11 years old as of this writing, but the information there is still pertinent.

Back to the Advisory Opinion itself. The CFPB places emphasis on the use of consumer reports and the circumstances under which they may be accessed – “and no other.” It drives this home by reminding the reader that Section 620 carries with criminal liability for any employee or officer of a CRA who knowingly and willfully provides an unauthorized report. This triggers two points which need to be mentioned. First, this could cause some CRAs to tighten up controls and requirements that users must follow so that the CRA can comply. Second, if the bank were to release this information to another party, it could be deemed to be acting as a CRA and now it would be subject to these penalties as well. That is why the bank must ensure staff be aware of when credit reports may be accessed and for what purposes.

FCRA section 604(f) provides that “a person shall not use or obtain a consumer report for any purpose unless” the consumer report “is obtained for a purpose for which the consumer report is authorized to be furnished under [FCRA section 604]” and “the purpose is certified in accordance with FCRA section 607 by a prospective user of the report through a general or specific certification.” FCRA section 619 imposes criminal liability on any person who knowingly and willfully obtains information on a consumer from a consumer reporting agency under false pretenses. I remember early in my banking days when there was an incident of single person in the loan area looking at credit reports of customers who had asked her out. Certainly, that would not be an authorized use and if the credit report was pulled for that purpose, well in today’s FCRA environment that would have to be a terminable offense.

Having a permissible purpose is at the core of the FCRA’s protections. When a credit report is provided to unauthorized persons and for unauthorized purposes the consumer can suffer harm in a number of ways. It is an invasion of one’s financial privacy and as the Advisory Opinion puts it, this is a “reputational, emotional, physical and economic harm.” That’s from the CFPB, I will not try to interpret each. Suffice it to say, these harms are on the record and violations may include these points in the justification of a penalty. Take each seriously. There are some examples cited which explains some of the reasoning. “For example, in a case that resulted in a 2006 settlement with a consumer reporting agency, the FTC alleged that the agency violated the FCRA’s permissible purpose provisions by providing consumer reports to persons without a permissible purpose, resulting in at least 800 cases of identity theft. More recently, in 2020, a group of companies and individuals settled Bureau allegations that they obtained consumer reports without a permissible purpose when they obtained consumer reports for use in marketing debt relief services. Also in 2020, a mortgage broker settled FTC allegations that it used consumer reports for other than a permissible purpose when, in response to negative reviews on a website, it publicly posted information it had obtained from a consumer report about the reviewer.”

Recognizing the importance of permissible purposes, when was the last time staff with access to credit reports, being accessed or in credit files, were reminded of the requirements and the potential penalties for unauthorized access? A resource for teaching includes a booklet published by the CFPB in 2020, “List of Consumer Reporting Companies “ as it includes not just who is considered a CRA and therefore a major part of this topics discussion, but information for a consumer on who can see their credit reports, how to review them for free, how to dispute information and more on uses such as for credit, employment, check screening and more. ( This is good information for staff to be aware of as a banker and a consumer. Staff should be trained on this topic before they are granted access to credit reports just as tellers get Bank Secrecy Act training before operating a teller drawer on their own. It could be a requirement in the vendor contract with your CRAs and based on the Advisory Opinion, it may be something these vendors emphasize in the future as well.

Under 604(a)(3)(A) of the FCRA, a CRA may provide a consumer report “to a person which it has reason to believe . . .  intends to use the information in connection with a credit transaction involving the consumer on whom the information is to be furnished and involving the extension of credit to, or 18 15 U.S.C. 1681b(a).review or collection of an account of, the consumer.” Similarly, FCRA section 604(a)(3)(F) permits a CRA to provide a consumer report “to a person which it has reason to believe . . . has a legitimate business need for the information . . . in connection with a business transaction that is initiated by the consumer or to review an account to determine whether the consumer continues to meet the terms of the account.” These are a few of the teachable points which deserve emphasis.

Note one particular phrase, “reason to believe.” The CFPB is directing this to users of consumer reports who lack a permissible purpose and want to rely on this as justification. The Advisory Opinion specifically rejects some judicial decisions that have applied a “reason to believe” standard to FCRA Section 604(f)’s permissible purpose requirement for users. Instead, the CFPB used a plain language approach to impose a prohibition on using a consumer report without a justifiable permissible purpose. The “reason to believe” standard will not provide an excuse for innocent mistakes. The CFPB appears to be taking a strict liability approach to permissible purpose requirements. With a high risk of enforcement by all federal agencies and state attorneys’ general who have been reminded, and almost invited by the CFPB to join in enforcement actions, plus the ability for private plaintiffs to obtain significant monetary relief, banks are advised to practice risk management and mitigate this with training.

The bank is a user of consumer reports and must ensure that it does not violate consumer privacy by obtaining consumer reports when it lacks a permissible purpose. From the CFPB, “For example, in 2018 a company settled Bureau allegations that it violated FCRA section 604(f) when its agents obtained consumer reports for consumers who were not seeking an extension of credit from the company and the company had no other permissible purpose for the consumer reports it obtained. In some instances, for example, the company’s agents initiated credit applications for the wrong consumer by incorrectly inputting consumer information into the company’s application system or by selecting the wrong consumer from a list of possible consumers identified in the system. When these applications were initiated in error, the company obtained a consumer report for a consumer with respect to which it had no permissible purpose, violating the FCRA’s permissible purpose provisions and the privacy of the consumers that were the subject of those reports, and also generating an inquiry on the consumers’ credit reports.” Making a choice from a list of possible customers and ensuring that the correct identifying information is input will help prevent violations and inadequate controls.

Hyundai Capital America

What are the ramifications of non-compliance? Let’s look at a Consent Order between Hyundai Capital America and the CFPB. This may seem like an extreme case, but there are lessons here that extend beyond the FCRA, and this is a good case to discuss with management and potentially your board.

On July 27, 2022, prompted initially by numerous consumer complaints over credit reporting problems, the CFPB investigated Hyundai for FCRA and Reg V. It expanded into UDAAP as well.

Violations cited indicated Hyundai:

1. Failed to promptly update and correct information it furnished to CRAs that it determined was not complete or accurate, and continued to furnish this inaccurate and incomplete information, in violation of the FCRA, 623(a)(2).
2. Furnished information about severely delinquent and charged-off accounts but failed to provide the “date of first delinquency” (623(a)(5)) which is a key date because it triggers several FCRA requirements.
3. After determining its reporting was inaccurate as to consumer accounts, failed to correct or delete it.
4. Lacked reasonable procedures to respond to notifications from CRAs indicating information Hyundai provided was the result of identity theft and therefore must be blocked from a victim’s credit report. It violated 623(a)(6) by reporting this information after notices from consumers without any validation process.
5. Failed to establish and implement reasonable written policies and procedures regarding the accuracy and integrity of information provided to CRAs, or to consider and incorporate the guidelines in Appendix E (in the CFPB’s Reg V link, App. E is “Interagency Guidelines Concerning the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies”)

Note, while cited as a violation, the FCRA and Reg V do not explicitly require a policy and procedure for the FCRA. It could be argued however, that there was a genuine need by Hyundai based on the array of violations and lack of direction provided by management and the board.

Some of the above were cited a second time as violations of the Consumer Financial Protection Act (CFPA) which incorporates UDAAP. It was noted Hyundai used ineffective manual processes and systems containing known logic errors to furnish information to CRAs and therefore willfully violated the FCRA.

The “relevant period” for this action is cited as January 2016 through March 2, 2020. That’s going back nearly 7 years ago, however, evidence of problems as you will read date back to 2013. The “affected consumers” refers to those with inaccurate information that they were 30 or more days past due.

To establish a foundation here are some figures used in the consent order.

• Hyundai services approximately 2 million customers and has assets in excess of $45 billion as of 2021.

• The credit reporting format was Metro 2, which is very common in the finance industry.

• Inaccurate payment histories were reported 8.7 million times across 2.2 million accounts.

• In approximately 570,000 instances, Hyundai inaccurately inserted codes showing delinquent or no payments in the payment history.

• Due to coding errors related to lease accounts, in 1.4 million instances, payment history codes indicating that the consumer’s payment history was disputed by the consumer or that no data were available when neither of these things was true. This error affected the entire lease portfolio.

• When credit reporting disputes were made, a manual tradeline correction could be made, but then the auto-reporting systems overrode the corrections and reinserted the errors.

• In over 537,000 instances across more than 168,000 accounts, Hyundai furnished date of first delinquency (DOFD) information regarding consumer accounts that Hyundai itself had determined was inaccurate.

• Compounding the problem, Hyundai delayed fixes for errors affecting the DOFD reporting for nearly a year due to prioritization of allotted resources for the new credit furnishing system planned for release over the then-existing systems that were being replaced.

• An inaccurate DOFD may be particularly problematic for consumers because use of the DOFD field in the Metro 2 format reflects the existence of an ongoing delinquency and the date itself shows how recently the delinquency occurred, both of which could negatively affect a consumer’s credit profile if the DOFD field is inaccurate.

• In tens of thousands of instances, Hyundai reported an inaccurate DOFD, which changed from month to month due to system issues, making some delinquencies appear more recent than was accurate.

• For thousands of delinquent accounts, they failed to furnish any DOFD at all.

• In over 2.2 million instances for over 1.2 million accounts, they furnished inaccurate amounts as to the highest credit or original loan amount.

• After furnishing the correct original loan amount (a field that should not change), they furnished increased amounts for the “original loan amount,” making it appear that a consumer had taken out a larger loan than they had actually taken out.

• In over 2.9 million instances on more than 189,000 accounts, they reported consumers’ accounts as delinquent, but also reported there was no amount past due

• For paid accounts, more than 17,000 reported a negative payment rating that was inaccurate.

• In at least 29,000 instances for approximately 3,900 accounts, they failed to report a DOFD where it reported other information instead, such as the accounts were placed for collection, charged-off, or at least 120 days delinquent.

The issue in this case is that Hyundai repeatedly furnished information to CRAs knowing it to be inaccurate. The company was making little attempt to correct the errors. A basic tenant of the FCRA is that a creditor is not required to report accounts but must report accurately when they do. In an audit report in March 2013, it was determined that required data in the Metro 2 fields was not always fully complete, accurate, or consistently reported. These appeared to be systemic logic issues and Hyundai lacked subject matter experts or a process to ensure accuracy and integrity of data reported. The audit also identified issues relating to the processing, monitoring, and tracking of direct disputes between processing units, and those policies and procedures reviewed as current did not accurately reflect actual practices.

When deficiencies are found compliance management systems call for a response that should be agreed upon as suitable, and a timeline under which corrective actions should occur. This is how repeat violations are avoided. In this case the corrective actions were going to be coordinated with an outside consulting firm. Hyundai initiated a “Credit Bureau Project” in July 2015, more than two years after the audit noted problems.
Completion of the Credit Bureau Project occurred in June 2016 for its vehicle retail installment portfolio and in February 2017 for its vehicle lease portfolio. However, the logic changes failed to address or resolve some of the issues identified in the 2013 audit, and created new, additional problems for both portfolios.

In October 2017, Hyundai began working on a different project to address credit report furnishing logic issues. It started work on a “next generation system” to support credit report furnishing across both lease and retail portfolios as one system. The rollout for this new system was not planned to occur until 2020.

In January 2018, the internal audit team concluded that its furnishing and dispute management controls remained unsatisfactory. It cited the same 2013 errors that remained unresolved. Additionally, there were other issues across its legacy credit report furnishing systems.

The 2018 audit also found that one upgrade to the company’s furnishing systems caused almost 18,000 consumers who were paid-in-full on their retail installment contracts to be erroneously reported as delinquent because Hyundai still lacked an adequate test environment for accuracy and logical consistency before the data was released to CRAs. In internal emails they acknowledged that this error may have caused significant drops in consumers’ credit scores.

As work continued on the “next generation system,” from 2017 until its rollout in March 2020, upgrades to the legacy credit report furnishing systems were deprioritized, and, as a result, many issues identified in the 2013 and 2018 audits, were not resolved until 2020.

So, for a period of years inaccurate information was reported and consumers were harmed as a result. Lower credit scores may have prevented a consumer from borrowing, borrowing at a preferred rate, obtaining a home loan or receiving promotional offers for which they may have qualified. Hyundai lacked policies and procedures that would have provided much needed guidance. Correcting errors and reducing harm to consumers was moved to a lower priority and the problems only grew.

In addition to many added compliance and reporting requirements, Hyundai was ordered to pay a $6 million civil penalty and at least $13.2 million in restitution to current and former customers as well as to take steps to correct all inaccurate account information.

July 2022 OBA Legal Briefs

  • What’s new with Reg B? – A Lot!
  • Electronic liens

What’s new with Reg B? – A lot!

by Andy Zavoina

In a world where Reg B has essentially been around since 1974 when Congress passed the Equal Credit Opportunity, after all these years there can’t be much new to it – right? WRONG! While it has not changed recently, Reg B has been in the news – a lot!

In this issue we will examine an advisory opinion from the CFPB on Reg B which describes some protections that apparently some creditors, “just don’t get” as to who is protected by Reg B and ECOA and deserving of required notices when adverse action is taken. Then we will look at another gray area involving adverse action notices and what information is not just a good idea to provide, but your legal requirement.

First, you may be asking if there is nothing new, why is Reg B worthy of this space and more importantly, your time? We need to start with a court case, Fralish v Bank of America. I will recap that case in a moment because it is what lead to a 16-page Advisory Opinion from the Consumer Financial Protection Bureau (CFPB). Understanding this requires some background on Reg B and this was described in detail in the Advisory Opinion. This background will also help you understand a second topic which pertains to a discussion clarifying why adverse action notices are given. Understanding their purpose helps us understand why there are content requirements for these disclosures. And last, we will do a little analysis on adverse action notices and what should be there, perhaps in moderation but in a misunderstood way, not necessarily.

Define Applicant

Fralish v. Bank of America (3:20-CV-418 RLM-MGG, United States District Court, Northern District of Indiana) is a suit brought by John Fralish in which he alleged Bank of America violated his rights under the Equal Credit Opportunity Act, which is implemented by Reg B. The suit actually cites the law at 15 USC § 1691(d) which addresses adverse action and notice requirements. Fralish had an existing loan account with Bank of America. That credit line was terminated. Fralish was not informed of the reasons for the adverse action and initiated a lawsuit for violations of the ECOA and Reg B.

In the U.S District Court, Bank of America moved for a judgment based on the pleadings as it contended that Fralish had no standing to sue under ECOA because he was not an “applicant” as defined in the law. Under ECOA, 15 USC 1691a(b), an applicant is defined as “any person who applies to a creditor directly for an extension, renewal, or continuation of credit, or applies to a creditor indirectly by use of an existing credit plan for an amount exceeding a previously established credit limit.” Bank of America was defending itself based on this definition maintaining that Fralish had not applied for any credit.

Reg B at § 1002.2(e) defines an applicant as, “any person who requests or who has received an extension of credit from a creditor, and includes any person who is or may become contractually liable regarding an extension of credit.”

The court also reviewed “adverse action.” as Fralish maintains he received no notification as to Bank of America’s reasoning for its action. “For purposes of this subsection, the term ‘adverse action’ means a denial or revocation of credit, a change in the terms of an existing credit arrangement, or a refusal to grant credit in substantially the amount or on substantially the terms requested. Such term does not include a refusal to extend additional credit under an existing credit arrangement where the applicant is delinquent or otherwise in default, or where such additional credit would exceed a previously established credit limit.” Key terms here are “revocation of credit, a change in the terms of an existing credit arrangement.” Must there be an application pending for a revocation of credit to be adverse action deserving a formal notice? That was one of the legal questions requiring an answer.

Bank of America maintained Fralish needed to show four points to continue his suit. That:

(1) Bank of America is a “creditor”;
(2) Mr. Fralish is an “applicant”;
(3) The Bank took adverse action with respect to his application for credit; and
(4) The Bank failed to provide Mr. Fralish with a notification that complied with the ECOA.

While Bank of America believes that to be an applicant as the term is defined, there must be a request for credit pending. The September 29, 2021, final decision from the court notes, “The vast majority of courts that have addressed the issue have found that the statutory definition of “applicant” is not ambiguous, and that existing account holders, like Mr. Fralish, aren’t “applicants” within the plain meaning of the ECOA because they weren’t applying for an extension, renewal, or continuation of his existing credit when the alleged violation (in this case the alleged failure to provide the notice of adverse action required under the statute) occurred, and don’t have standing to bring a claim under the ECOA’s notice provisions. The court finds the reasoning of those cases persuasive.”

This seemed to set of a bit of a compliance firestorm. By December the CFPB, the Federal Trade Commission, the U.S. Department of Justice and the Board of the Federal Reserve filed friend of the court (amicus) briefs with the United States Court of appeals for the Seventh Circuit. The CFPB said it was standing up for civil rights protections.

The CFPB’s premise is that if Bank of America argues, and a court agrees that the creditor can disregard ECOA provided rights for existing customers, it undermines the intended antidiscrimination protections. Acceptance of this could mean that a bank could offer a credit card, as an example, to a protected class and the law is complied with. It could then revoke that credit line because of the applicant’s demographics and because the consumer was not an applicant, it would still be compliant with the law.

Now fast forward to May 18, 2022, when the CFPB issued an Advisory Opinion on this topic. For the management version, succinctly it says that to comply with the spirit and intent as well as the commonly accepted definitions, a bank must provide ECOA and Reg B protections to the applicant throughout the life of the loan. An applicant’s rights do not end upon approval of a credit request.

Now the longer explanation adapted from the Advisory Opinion because these details must be understood by those who manage compliance in your bank.
To begin with, the Advisory Opinion applies to all “creditors” as this is a defined term under section 15 USC 1691a(e). It includes, “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.” Yes, your bank is definitely a creditor.

And now let’s look at what an Advisory Opinion actually is. The CFPB is the agency empowered to interpret Reg B and, in this case, the Advisory Opinion is an interpretive rule under the Administrative Procedure Act (APA) that responds to a specific need for clarity on a statutory or regulatory interpretive question. It is not a change in a law or regulation and therefore requires no advance notice or comment period. It is the official interpretation. Period. As you will read the CFPB is providing the interpretation as an instructive document for banks, but it also seems to be directed to at least some courts. I recall a bit of a quip from a TV judge who said, “he wasn’t last because he was right, he was right because he was last.” The CFPB believes this is the last word.

The summary of the Advisory Opinion affirms Reg B protects those actively seeking credit as well as those who sought and received credit. To support this position the document states ECOA made it unlawful for “any creditor to discriminate against any applicant on the basis of sex or marital status with respect to any aspect of a credit transaction.” From the beginning, this prohibition has protected both those actively seeking credit and those who sought and have received credit.

ECOA has always defined “applicant” to mean “any person who applies to a creditor directly for an extension, renewal, or continuation of credit, or applies to a creditor indirectly by use of an existing credit plan for an amount exceeding a previously established credit limit.”

Here I must emphasize that ECOA’s prohibition on discrimination “applies to all credit transactions including the approval, denial, renewal, continuation, or revocation of any open-end consumer credit account.” I was always taught and do teach that Reg B applies to the entire life of a credit transaction. This is stated at § 1002.4(a) of Reg B, “A creditor shall not discriminate against an applicant on a prohibited basis regarding any aspect of a credit transaction.” “Any aspect” means the application, the credit decision process, terms, collections, etc. “All aspects” means all aspects. In the Bank of America case better legal minds than mine are arguing that the definition in ECOA is more limiting. As bankers we know we must follow Reg B which implements it. It makes me wonder if the attorneys are arguing their point because they must for their client, or because they believe that is a correct interpretation and action, with no regard for Reg B.

When ECOA first passed, the Federal Reserve had rule-writing and interpretive authority. To substantiate that the CFPB’s opinion is not new, it states “Reg B made clear that the new law’s protections against credit discrimination cover both those currently applying to receive credit and those who have already received it. It did so by defining ‘applicant’ to expressly include not only ‘any person who applies to a creditor directly for an extension, renewal or continuation of credit’ but also, ‘[w]ith respect to any creditor[,] . . . any person to whom credit is or has been extended by that creditor.’”

The original ECOA prohibited discrimination based on sex or marital status. Two years after ECOA passed, Congress added to the prohibited bases six more items, race, color, religion, national origin, age, and receipt of public assistance. It also added, “[e]ach applicant against whom adverse action is taken shall be entitled to a statement of reasons for such action from the creditor.” The amendments defined “adverse action” as “a denial or revocation of credit, a change in the terms of an existing credit arrangement, or a refusal to grant credit in substantially the amount or on substantially the terms requested.” Going back many years to compliance school in Norman we learned that adverse action notices were required when, as an example, a borrower did something and was no longer qualified for their credit. Applicants, (read that also as borrowers) are entitled to an explanation when adverse action is taken.

This explanation meets two objectives for ECOA and Reg B. It protects the consumer when an explanation must be provided because the bank knows it will have to provide a reasonable explanation. Reg B was enacted before my time on a compliance desk, but I heard stories from the old-timers who were there. I recall one who said he knew “a good ol’ boy” on the loan desk who swore if he had to make a loan to an unmarried woman he’d retire. And he did – retire. We could not fathom such an attitude today and would never expect to read as a reason for denial, “single woman.” Providing actual reasons for a declination of a loan request helps protect the applicant from an illegal discrimination-based decision.

The second objective is informing the applicant. When John Smith Sr. is denied a loan due to bad credit, he is told why that decision was made. Senior is also advised that a credit report was used and under the Fair Credit Reporting Act he knows which agency provided the information and can contact them to find out what was reported. Senior might then confirm the report with the creditor only to discover that it was actually John Smith Jr’s account that was bad. Very similar name, same address, erroneous reporting. Senior can then reapply and the corrected credit report should no longer be an obstacle. The same holds for debt-to-income ratios or too short a period of employment. When an applicant is informed as to the reasons for adverse action, they may be able to correct an error or have known parameters that must be met to qualify for credit with your bank. When the person can fix these issues, they are more likely to return to you because they believe they have overcome the stated objections to their last application.

The 1976 ECOA amendments not only included in adverse action the termination of an account or an unfavorable change in terms that does not affect all or substantially all of a class of the creditor’s accounts, but it required a statement of reasons. These are required to be specific and indicate the principal reasons causing the adverse action. We will discuss the reasons in more depth in a few minutes. For this Advisory Opinion and the Fralish case, suffice it to say that a reason must be provided and here, Bank of America failed to provide any because it maintains Fralish was not protected by the ECOA.

During this amendment, the Federal Reserve Board made a “minor editorial change” to Regulation B’s definition of “applicant.” The intent was to “express more succinctly the fact that the term includes both a person who requests credit and a debtor,” a debtor being one who has already requested and received credit.

Reg B originally defined “applicant” to include anyone who “applies to a creditor directly for an extension, renewal or continuation of credit” as well as, “with respect to any creditor . . . any person to whom credit is or has been extended by that creditor,” the revised definition clearly stated that “applicant” includes “any person who requests or who has received an extension of credit from a creditor.”

Bank of America was not alone in its stance on ECOA’s definition and application of the term “applicant.” The CFPB noted that other creditors also did not agree that both ECOA and Reg B apply to that debtor after an extension of credit is made and includes treatment when there is a revocation of credit or an unfavorable change to the terms of that credit agreement. It went on to say, “some creditors fail to provide applicants with required notifications that include a statement of the specific reasons for the adverse action taken or disclose an applicant’s right to such a statement.” As further explanation, a footnote stated,

Credit cards are one of the most commonly held and widely used financial products in America—over 175 million Americans hold at least one credit card. During the COVID-19 pandemic, credit cards played a vital role as both a source of credit in emergencies and a payment method as more transactions occurred online. According to the CFPB’s 2021 Credit Card Report, about 2%, or over 10 million credit card accounts, were closed in 2020 and consumers with low credit scores are two to three times more likely to have their accounts closed than those with a higher credit score. See Bureau of Consumer Fin. Prot., The Consumer Credit Card Market (Sept. 2021). Additionally, the same report shows that over 10 million accounts experienced a credit line decrease in 2020. See also 5 Reasons Credit Card Companies Close Accounts Without Notice – And How to Fix Them, USA TODAY (July 13, 2021).

To reinforce its opinion that the protections an applicant receives extend beyond the granting of a loan, it drew a parallel to a Supreme Court case, Robinson v. Shell Oil Co., where the Court held the use of “employees” in the Civil Rights Act of 1964, Section 704(a) included former employees who were subjected to discriminatory treatment as well. Justice Thomas explained in the decision that, “at first blush, the term ‘employees’ . . . would seem to refer to those having an existing employment relationship with the employer in question,”… that “initial impression … does not withstand scrutiny in the context of § 704(a).”

The Court observed, there is “no temporal qualifier in the statute such as would make plain that § 704(a) protects only persons still employed at the time of the retaliation.” The same reasoning applies to the term “applicant” in ECOA, which is not expressly limited to those currently in the process of seeking credit.

The Advisory adds to this that,

Reading ECOA’s definition of “applicant” alongside the Act’s other provisions makes clear that the term includes applicants who have received credit and become existing borrowers. For example, ECOA’s core anti-discrimination provision protects “applicant[s]” from discrimination “with respect to any aspect of a credit transaction”—not just during the application process itself. The phrase “any aspect of a credit transaction” is most naturally read to include both the initial formation of a credit agreement as well as the performance of that agreement. Consistent with this ordinary meaning, Regulation B has always defined the term “credit transaction” to encompass “every aspect of an applicant’s dealings with a creditor,” including elements of the transaction that take place after credit has been extended.”

Adverse action notices

Let’s spend a moment now on the notification of adverse action to an applicant. ECOA’s disclosure provision requires that creditors give a statement of reasons to “each applicant” against whom they take “adverse action.” In ECOA, adverse action is defined to include a “revocation of credit” as well as a “change in the terms of an existing credit arrangement.” Connecting the dots, the CFPB points out these are actions that can be taken only with respect to persons who have already received credit.

ECOA’s private right of action points in the same direction. It allows an aggrieved “applicant” to bring suit against creditors who fail to comply with ECOA or Reg B. These references to “applicant[s]” cannot be interpreted then, to refer only to those with credit applications awaiting decisions. Otherwise, a person whose application was denied on a prohibited basis would have no recourse under ECOA’s private right of action.

The point of the Advisory Opinion is to clarify any misunderstandings of these terms and the CFPB is pointing that out to courts and the judges who make rulings. The CFPB states, “Those courts that have properly read the term “applicant” in its statutory context, including the only court of appeals to have addressed the issue, have agreed that the statute protects existing borrowers.” Obviously then, it is stating there are courts which have ruled otherwise, and those lower courts were wrong. The Advisory goes on to say,

The Bureau acknowledges that a few other district court decisions have interpreted “applicant” to include only persons actively seeking credit, but the Bureau does not believe this interpretation is persuasive. No court of appeals has endorsed these district courts’ narrow reading. These district court decisions read “applicant” in isolation instead of reading this statutory term in context, as required by the Supreme Court. For example, these decisions did not attempt to square their interpretation with ECOA’s requirement that “applicants” receive an explanation when their existing credit is terminated or modified. Nor did they grapple with the clear loophole their interpretation would create or the degree to which it would frustrate the Act’s remedial purposes.

The point is to be clear that no court of appeals has disagreed with this interpretation of the term “applicant.”

In researching “John Fralish,” in addition to the suit against Bank of America in 2021, I also found John Fralish v Digital Media Solutions, (CASE NO. 3:21-CV-00045-JD-MGG) in 2021 dealing with spam calls to Fralish after his cell phone was on the Do Not Call list. There is also a class action suit against Early Warning Services, LLC in 2021 for violation of the Fair Credit Reporting Act. Early Warning Services is a consumer reporting agency out of Scottsdale, Arizona. It describes itself as being bank-owned and it sells credit reports to over 2,500 financial institutions. Fralish requested copies of his credit reports after being denied credit with one or more of his creditor banks. He claims to have not been advised by the lender why his credit was denied and he requested a copy of his credit report to review what his bank may have seen. This would allow him to have incorrect entries fixed but he was not provided with the information Early Warning Systems had on him.

I cannot render any opinions on the lawsuits involving John Fralish as I have no idea how much merit any of them has. But I will emphasize that compliance with the letter of the law, and the banking regulation, will help a bank avoid becoming the subject of a lawsuit, especially from a consumer looking for that single violation and an opportunity to file an action or class action suit. Often a bank will settle with a litigant to make the case go away and avoid the expense of a protracted lawsuit. The alternative may be to defend what your interpretation is and to pay for those legal defense costs for potentially years to come. Yes, your bank has to worry about that litigious consumer, but there is less worry if you stay current on the compliance requirements, train staff, and follow sound policies and procedures. I’m hoping your bank did not pass on studying this Advisory Opinion as it is the CFPB that has the last word on interpretating ECOA and its implementing Reg B. And the CFPB is not afraid to tell that to the courts as well. For a bank to challenge that it would need a very strong case and six or seven digits to the left of the decimal place in the legal defense section of its budget.

Recommended action

We recommend that banks take this opportunity to review Reg B and fair lending policies and procedures to ensure they are clear as to protections a customer has and that these are considered throughout all aspects of the life of a loan.

As you have read in prior Legal Briefs the CFPB has also opined that discriminatory acts are unfair. Read that to say that your deposit customers who are not protected under fair lending laws are protected under the prohibition on Unfair, Deceptive, or Abusive Acts or Practices (UDAAP), so broadly review fair lending more in the terms of fair banking.

We expect to see the CFPB continue to expand its supervisory and enforcement actions going forward. This is especially so in the area of fair lending/banking as the current administration has made fair access, including to credit, and equal treatment of all people a priority.

Reasons for Adverse Action

We have established that adverse action notices may be required to be given to an applicant and the purpose of such a disclosure includes stating the reason or reasons for denial. It is time to explore two facets of what this can mean.

To begin, Reg B § 1002.9(a)(2) requires that adverse action notices (in most cases, and here emphasis is on consumer loans) shall be in writing and contain four specific things, one of which includes a statement of specific reasons for the action taken. The Commentary to this section goes on to explain that “A creditor must disclose the principal reasons for denying an application or taking other adverse action. The regulation does not mandate that a specific number of reasons be disclosed, but disclosure of more than four reasons is not likely to be helpful to the applicant.” We will break this into two parts for discussion here, principal reasons, and then the number of reasons stated.

On May 26, 2022, the CFPB released a document titled, “CFPB Acts to Protect the Public from Black-Box Credit Models Using Complex Algorithms.” This emphasized that Reg B and ECOA, a federal antidiscrimination law, require specific reasons for taking adverse action. Above we described that is helps keep a creditor honest and informs the applicant. This notice is to emphasize that these rules apply even when using credit models which rely on complex algorithms.

In 1974, when ECOA and Reg B were conceived, a loan decision was based on an application for credit. A lender typically learned the five Cs of credit — character, capacity, capital, collateral and conditions — and applied them against the application. A human being made a decision and Reg B required that in the case of a denial, the reason would be given. It was not enough to say, “you do not meet our requirements for a loan,” as that was not a specific reason. The denial had to specify something about a debt ratio or excessive debt or length of employment. Remember part of the intent here is to inform the applicant so they can fix what is wrong and then reapply and receive credit.

In 2022 there is often less human being and more artificial intelligence involved. In a time of automation and analytics computer models use predictive analysis based on data input to compute credit scores, and to make loan decisions very quickly. “Companies are not absolved of their legal responsibilities when they let a black-box model make lending decisions,” said CFPB Director Rohit Chopra. “The law gives every applicant the right to a specific explanation if their application for credit was denied, and that right is not diminished simply because a company uses a complex algorithm that it doesn’t understand.”

What the CFPB is cautioning lenders about is technology is driving the reasons for adverse action back to a nondescript, “you do not meet our requirements for a loan.” These lenders understand less of what went into the computer’s loan decision than they do about how to compute a credit score. And “the computer model said No” is not informing the applicant, nor is it keeping the lender honest. The CFPB has accused artificial intelligence models of discrimination already. If a lender cannot explain the principal reasons for a decision, it needs a different way to make the decision. Computer models’ reasons for denial must be specific for the lender to comply with Reg B.

Lastly, I want to revisit the required number of reasons for denial. The Commentary says, “The regulation does not mandate that a specific number of reasons be disclosed, but disclosure of more than four reasons is not likely to be helpful to the applicant.” Many lenders read this to say you cannot quote more than four reasons but that isn’t so. It says it does not mandate the number of reasons. If you are criticized for providing five or more, consider challenging the critic. But if you have four reasons that will be difficult for the applicant to overcome, you do not need to pile on more reasons. What you do not want is to have (say) six reasons but list only four which are easily fixable. The applicant corrects those and comes back in only to be refused for two others that are very difficult to correct. It’s like kicking them when they’re down. List the most severe and exceed four reasons when necessary.

Electronic liens

By Pauli Loeffler

The PowerPoint presentation from the informational session presented by the Oklahoma Tax Commission covering electronic liens is accessible through this link: It is also available on the OBA’s Legal Links Webpage.

June 2022 OBA Legal Briefs

  • Please help us to help you (Part 2)
  • Oklahoma Mini-TCPA
  • Tit. 47 O.S. § 1110 (Perfection of Security Interest)
  • Tit. 47 O.S. § 427A/§ 1105A (Electronic filing, etc., of Titles) – REVISED
  • Changes in UCCC amounts effective 7/1/22

Please help us to help you (Part 2)

by Andy Zavoina

Last month, Pauli asked you to include certain information in your signature block when emailing us a question. This month, we ask you to avoid sending unnecessarily encrypted emails. We often find they are used for basic questions without information requiring such safeguards. It takes more time to register with an email provider and establish an acceptable password than to answer some questions. In many of these situations it may be faster just to call us.

When you do call, you may have to leave a voice mail. Please provide a detailed description of your question so that the appropriate person can call or email you and have the necessary resources available. And please, take the time to state clearly your questions, and especially your name, bank name and location, and call-back number.

[Editor’s note: In early May, an email security change at OBA locked the OBA Compliance Team out of the OBA email system, and we had to set up a temporary email account very quickly for the team. We are very happy to report that we regained access to our mailbox after only a few days. If any of you changed our email address in your contacts lists, please change it back. We appreciate your patience while we worked with the temporary setup.]

Oklahoma Mini-TCPA

By Andy Zavoina

The federal Telephone Consumer Protection Act (TCPA) was passed in 1991 and is well seasoned and understood by some and misunderstood by others. (“Your car warranty is expiring. This is your final notice.” Yeah, you wish it was final.) The law restricts certain telemarketing phone calls, text messages, and facsimiles. I’m not sure who is still using a fax so for the purposes of this article I will refer to telephone calls and text messages. Include faxes if your bank is using that delivery channel.) It also places restrictions on the use of automatic dialing systems and artificial or prerecorded voice messages.

In 2021 states began showing more interest by adding to the consumer protections. In particular, Florida passed its Florida Telephone Solicitation Act (FTSA). This included new and broader restrictions on telemarketing operations. Oklahoma has largely copied the FTSA in passing its own Oklahoma Telephone Solicitation Act. The Oklahoma version is often referred to as the mini-TCPA. It was signed by Governor Stitt in May and will be effective about five months later, beginning November 1, 2022. It will be codified in the Oklahoma Statutes as Section 775C.3 of Title 15.

There are a few key provisions we will focus on this month. The intent is consumer protection for Oklahoma residents, so the mini-TCPA expands on telemarketing restrictions. As with most telemarketing laws, this requires telemarketers to have a prior express written consent before they  contact a consumer. This is a term that is defined and means there is a written agreement that:

  1. bears the signature of the called party,
  2. clearly authorizes the person making or allowing the placement of a commercial telephonic sales call by telephone call, text message, or voicemail transmission to deliver or cause to be delivered to the called party a commercial telephonic sales call using an automated system for the selection or dialing of telephone numbers, the playing of a recorded message when a connection is completed to a number called, or the transmission of a prerecorded voicemail,
  3. includes the telephone number to which the signatory authorizes a commercial telephonic sales call to be delivered, and
  4. includes a clear and conspicuous disclosure informing the called party that:

(1) by executing the agreement, the called party authorizes the person making or allowing the placement of a commercial telephonic sales call to deliver or cause to be delivered a commercial telephonic sales call to the called party using an automated system for the selection or dialing of telephone numbers or the playing of a recorded message when a connection is completed to a number called, and

(2) he or she is not required to sign the written agreement directly or indirectly or to agree to enter into such an agreement as a condition of purchasing any property, goods, or services; and

This signature may be electronic as well as traditional wet ink.

In addition, telemarketers should pay special attention to four provisions of the Oklahoma law in particular. Let’s look at those four provisions.

One – There is no clarification over what is defined by the term “auto-dialer.” This has caused great concern and fueled litigation. The recent Supreme Court case of Facebook v Duguid established a limited definition to only the equipment which produces numbers using a random or sequential number generator. Without clarity the mini-TCPA could be more broadly interpreted making it more onerous on banks with marketing programs using applicable technologies. This new law refers only to, “an automated system for the selection or dialing of phone numbers.” This definition could refer to virtually any device which is not dialed manually.

Two – The mini-TCPA will limit the number of telephone calls and text messages which a telemarketer can send to any one consumer in a day. More specifically it limits contacting a consumer more than three times in a 24-hour period pertaining to the same subject matter or issue. This means the telemarketer must either track the calls and text messages to a given number based on the subject matter or have a system in place, be it software or some form of a database, that tracks and prevents any fourth or subsequent telephone or text message. If you ask me to define the “same subject matter or issue,” I cannot do that. It could be broadly or narrowly defined just as an auto-dialer may be. If a consumer was contacted once about opening a deposit account to take advantage of great rates and low fees, once about a new checking product, and then about a new savings account, could those three be bundled as one subject – deposit accounts? This may be up to legal interpretations and/or the courts.

Three – Although the “day” means a 24-hour period, the mini-TCPA passed for Oklahoma is a bit more limiting than many other states when it comes to time limits when the consumer may actually be contacted. The mini-TCPA limits contact to the 12-hour period from 8 a.m. until 8 p.m., local time. That is the consumer’s local time, not the bank’s. This has been a contentious issue in the past and will continue to be, because with mobile phones you have no idea where your consumers actually are. The area codes are not necessarily an indicator of your consumer’s local time, and this is especially true with military customers and those who travel and work or go to school in another time zone. Be sure to review item four (below) on this issue. Many other state laws and the federal TCPA allow contact from 8 a.m. until 9 p.m., so this new law is a bit more limiting.

Four – The new law does include a rebuttable presumption that your telephone calls and text messages to an Oklahoma area code are being made to an Oklahoma resident. So, for any of the state’s five area codes there is a defensible position as to when it is the customer’s local time. But unlike land lines that are geographically limited, your customer travels with their mobile phone and may permanently reside elsewhere. Be sure to cross reference addresses on file, because having sent bank statements to a consumer’s address in any other time zone may eliminate your rebuttable presumption.


The new mini-TCPA does provide exemptions that may apply to your bank. There are a number of exemptions, but I will draw your attention to number 20. It specifically exempts a “person soliciting business from prospective consumers who have an existing business relationship with or who have previously purchased from the business enterprise for which the solicitor is calling if the solicitor is operating under the same business enterprise.” This exemption alone may be enough to cause you to dismiss the mini-TCPA as a non-event but ensure you are familiar with it to avoid problems. And while this may be an exemption from the mini-TCPA, the bank may not enjoy the same exemptions from the federal TCPA.

Recommended actions

We recommend the bank evaluate all current telemarketing activities. There may be a concerted marketing effort in-house or outsourced for solicitations, or a branch may have taken upon itself an effort to contact new customers for sales in an effort to achieve periodic goal requirements. It happens and some employees will take the initiative. But a violation would be a violation regardless of the motivating factors. Know what is happening in and on behalf of your bank.

The bank should update policies and procedures addressing telemarketing activities even if called by another name, marketing, officer call programs, etc. that are impacted by the mini-TCPA.

Train staff so they all understand the basic requirements of the new mini-TCPA. Specifically focus on what activities are included and what they must do to comply both with the law itself and with the bank’s policies and procedures. This may include obtaining permission from customers as well as management to conduct any activities and following established procedures to comply with the new requirements.

Review and update any outsourcing agreements. Call centers that provide such marketing activities will be subject to the mini-TCPA whether they are a third party or part of the bank making “cold calls.” The bank may delegate authority to third parties, but it cannot delegate responsibilities. It is still the bank’s burden to ensure compliance and the bank has the ultimate responsibility. That said, any agreements may be reviewed to displace as much responsibility to a third party as possible for the actions of that third party.


The mini-TCPA does contain a private right to action for consumers. The per call or text message penalties range from between the lesser of actual damages to $500 and to $1,500 for a willful violation. And with regulatory agencies using all possible penalties in enforcement actions, a problem or series of telemarketing problems could result in both state and federal TCPA actions. If the problem is large enough this could result in a class action suit.

There is time, but …

With several months between the date of this article and the November 1, 2022, effective date, there is time to accomplish these actions even with the summer months running interference. But banks are urged not to wait until the last minute and be forced to play catchup.

You will find HB3168 here,

Tit. 47 O.S. § 1110 (Perfection of Security Interest)

by Pauli Loeffler

Sec. 1110 was amended effective May 4, 2022, with regard to transfers of title when there is a lien entry filed by a commercial lender on a vehicle. The amendment provides:


8. When there is an active lien from a commercial lender in place on a vehicle, motor license agents shall be prohibited from transferring the certificate of title on that vehicle until the lien is satisfied, except when the title is transferred:

a) to a person whose name is included on the loan for which the lien is placed pursuant to an agreement by the lender and any party to the title,

b) to a trust created by a person whose name is included on the loan for which the lien is placed, or

c)from a person who has died, upon the submission of a death certificate.

The provisions of this paragraph shall not be construed to release any lien or debt based solely upon a transfer of certificate of title.

The only way to perfect a security interest in a vehicle is by lien entry. As long as the lien remains on the title, the bank can repo the collateral, get a repo title, and sell the collateral. The original borrowers or their estates if the borrower is deceased will remain liable on the note regardless of whether they retain title or not.

Under the amendment if a co-borrower is NOT on the title to the vehicle, the title may only be transferred to the co-borrower if s/he provides proof of status as a co-borrower. Likewise, if the borrower is a natural person, title may be transferred to his or her trust subject to the lien. Note that a garnishment or levy will reach the settlor’s trust,

8.c. covers the situation where the borrower is deceased. The rationale for 8.c. is intended to cover the situation when the sole owner/borrower dies, and there is no other borrower, and no one is making loan payments, so the loan is in default. The problem facing the bank in repossessing and selling the vehicle is determining who must receive notice of the sale. If there is a probate, the bank can deal with the person appointed to represent the estate, but when there is no probate, things get messy.

If the owner provided a Transfer on Death Application (Tit. 47, Sec. 1107.5), title can be transferred to the named person, but such transfer is not allowed as long as the lien remains unsatisfied. Basically, 8.c. would allow the transfer provided payment of the loan has either been made, or the bank is willing to allow the individual named as Transfer on Death beneficiary to assume the loan. Note that if the TOD beneficiary neither pays off the loan nor assumes the loan, the bank can still repossess the vehicle, however, the TOD beneficiary will have no personal liability.

If the deceased owner/borrower had a will, then the title can be transferred using the OTC’s Affidavit of Small Estate. Again, as long as the lien remains on the title, there isn’t a problem, and the loan will have to be paid or provided for, e.g., the heir will assume the note or refi the loan. If there is no will, then the affidavit can’t be used. If the owner died intestate (no will), and there is no probate, then the bank has to determine who the deceased owner’s known heirs are and mail them notice of sake as well as provide publication notice to the unknown heirs. This is time and labor intensive which makes it more expensive to repo the vehicle and sell it. It remains to be seen whether 8.c. allows OTC to transfer title subject to the lien in such case. I believe that in order for this to be permitted, the OTC will need to promulgate new rules and forms.

Tit. 47 O.S. § 427A/§ 1105A (Electronic filing)

by Pauli Loeffler

I covered this in the October 2021 OBA Legal Briefs, but as we draw closer to its effective date on July 1, 2022, we need to review its provisions. This statute covers Electronic Filing, Storage and Delivery of Motor Vehicle Certificates of Title – Procedures. It provides for certificates of title and liens filed after June 30, 2022. Two provisions banks need to know are:

A. On or before July 1, 2022, the Oklahoma Tax Commission shall implement a program which will permit the electronic filing, storage and delivery of motor vehicle certificates of title and allow a lienholder to perfect, assign and release a lien on a motor vehicle in lieu of submission and maintenance of paper documents as otherwise provided in the provisions of Section 1101 et seq. of Title 47 of the Oklahoma Statutes…

B. The program authorized under subsection A of this section shall include, but not be limited to, procedures: 1. For the delivery of a certificate of title, on a paper document or in an electronic format, to the secured party having the primary perfected security interest in a vehicle in lieu of delivery to the record owner, notwithstanding the provisions of Section 1101 et seq. of Title 47 of the Oklahoma Statutes.  Provided, when electronic transmission of liens and lien satisfactions is used, a certificate of title need not be issued or printed until the last lien is satisfied and a clear certificate of title is issued to the owner of the vehicle at their request…

First, the Oklahoma Tax Commission will continue to offer both electronic and paper process on and after July 1, just as they do now. Second, instead of the vehicle’s owner receiving the title, the primary lien holder will receive the title. Since the OTC allows multiple lien entries on the title, lenders with inferior liens presumably have to request a copy of the title for their records, Finally, when all liens are released, it seems the owner will have to request a copy of the title.

Prior to July 1, 2022, the effective date of this legislation, there were only nine nontitle-holding states: Kentucky, Maryland, Michigan, Minnesota, Missouri, Montana, New York, Oklahoma, Wisconsin. In these states, the title is issued to the registered owner/operator of the vehicle, regardless of whether there is as a lien holder. In the other 41 states, titles are issued to the lien holder of the vehicle, who will hold the title until the loan is paid off. Oklahoma joins these title-holding states on July 1, 2022.

Changes in UCCC amounts effective 7/1/22

by Pauli D. Loeffler

Sec. 1-106 of the Oklahoma Uniform Consumer Credit Code  in Title 14A (the “U3C”) makes certain dollar limits subject to change when there are changes in the Consumer Price Index for Urban Wage Earners and Clerical Workers, compiled by the Bureau of Labor Statistics, U.S. Department of Labor.  You can download and print the notification from the Oklahoma Department of Consumer Credit by clicking here.   It is also accessible on the OBA’s Legal Links page under Resources once you create an account through the My OBA Member Portal. You can access the Oklahoma Consumer Credit Code as the changes in dollar amounts for prior years on that page as well.

Increased Late Fee

The maximum late fee that may be assessed on a consumer loan is the greater of (a) five percent of the unpaid amount of the installment or (b) the dollar amount provided by rule of the Administrator for this section pursuant to § 1-106. As of July 1, 2020, the amount provided under (b) will increase by $2.00 to $29.00

Late fees for consumer loans must be disclosed under both the UC3 and Reg Z, and the consumer must agree to the fee in writing. Any time a loan is originated, deferred, or renewed; the bank has the opportunity to obtain the borrower’s written consent to the increased late fee set by the Administrator of the Oklahoma Department of Consumer Credit.  However, if a loan is already outstanding and is not being modified or renewed, a bank has no way to unilaterally increase the late fee amount if it states a specific amount in the loan agreement.

On the other hand, the bank may take advantage of an increase in the dollar amount for late fees if the late-fee disclosure is worded properly, such as:

“If any installment is not paid in full within ten (10) days after its scheduled due date, a late fee in an amount which is the greater of five percent (5%) of the unpaid amount of the payment or the maximum dollar amount established by rule of the Consumer Credit Administrator from time to time may be imposed.”

§ 3-508A

This section of the “U3C” sets the maximum annual percentage rate for certain loans. It provides three tiers with different rates based on unpaid principal balances that may be “blended.” It also has an alternative maximum rate that may be used rather than blending the rates. The amounts under each tier are NOT subject to annual adjustment by the Administrator of the Oklahoma Department of Consumer Credit under §1-106. However, a new subsection (4) was added allowing the lender to charge a closing fee which IS subject to adjustment under § 1-106. The closing fee of $28.85 was effective for loans made on and after November 1, 2021. This amount has increased as follows:

(4)  In addition to the loan finance charge permitted in this section and other charges permitted in this act, a supervised lender may assess a lender closing fee not to exceed One Hundred Sixty-seven Dollars and thirty-three ($167.33) upon consummation of the loan.

Note that the closing fee, while not a finance charge under the OK U3C, and therefore not considered for purposes of Oklahoma usury IS a finance charge under Reg Z. Most banks use Reg Z disclosures. This means that it is possible that the fee under Reg Z disclosures will cause the APR to exceed the usury rate under § 3-508A. If that happens, document the file to show that the fee is excluded under the U3C in order to show that the loan does not in fact violate Oklahoma’s usury provisions. Please note that the bank is NOT required to charge a closing fee at all, and I know that at least one bank has stated it has decided to charge an amount less than the amount permitted under the statute.

You can access the § 3-508A Matrix here.

§ 3-508B Loans

Some banks make small consumer loans based on a special finance-charge method that combines an initial “acquisition charge” with monthly “installment account handling charges,” rather than using the provisions of § 3-508A with regard to maximum annual percentage rate.

The permitted principal amounts for § 3-508B is adjusting from $1,6200.00 to $1,740.00 for loans consummated on and after July 1, 2022.

Sec. 3-508B provides an alternative method of imposing a finance charge to that provided for Sec. 3-508A loans. Late or deferral fees and convenience fees as well as convenience fees for electronic payments under § 3-508C are permitted, but other fees cannot be imposed. No insurance charges, application fees, documentation fees, processing fees, returned check fees, credit bureau fees, nor any other kind of fee is allowed. No credit insurance even if it is voluntary can be sold in connection with in § 3-508B loans. If a lender wants or needs to sell credit insurance or to impose other normal loan charges in connection with a loan, it will have to use § 3-508A instead.  Existing loans made under § 3-508B cannot be refinanced as or consolidated with or into § 3-508A loans, nor vice versa.

As indicated above, § 3-508B can be utilized only for loans not exceeding $1,740.00. Further, substantially equal monthly payments are required. The first scheduled payment cannot be due less than one (1) calendar month after the loan is made, and subsequent installments due at not less than 30-day intervals thereafter. The minimum term for loans is 60 days. The maximum number of installments allowed is 18 months calculated based on the loan amount as 1 month for each $10.00 for loan amounts between $173.94 and $580.00 and $20 for loan amounts between $580.01 – $1,740.00.

Lenders making § 3-508B loans should be careful and promptly change to the new dollar amount brackets, as well as the new permissible fees within each bracket for loans originated on and after July 1st. Because of peculiarities in how the bracket amounts are adjusted, using a chart with the old rates after June 30 may result in excess charges for certain small loans and violations of the U3C provisions.

Since §3-508B is “math intensive,” and the statute whether online or in a print version does NOT show updated acquisition fees and handling fees, you will find a modified version of the statute with the 2022 amounts toward the bottom of the Legal Links page here. Again, you will need to register an account with the OBA in order to access it.

The acquisition charge authorized under this statute is deemed to be earned at the time a loan is made and shall not be subject to refund, if the loan is prepaid in full, refinanced or consolidated within the first sixty (60) days, the acquisition charge will NOT be deemed fully earned and must be refunded pro rata at the rate of one-sixtieth (1/60) of the acquisition charge for each day from the date of the prepayment, refinancing or consolidation to the sixtieth day of the loan. The Department of Consumer Credit has published a Daily Acquisition Fee Refund Chart for prior years with links on this page, (  but had not done so at the time this article was written. Note if a loan is prepaid, the installment account handling charge shall also be subject to refund. A Monthly Refund Chart for handling charges for prior years can be accessed on the page indicated above, as well as § 3-508B Loan Rate (APR) Table. I expect the charts and table for 2022 to be added shortly.

NOTE: Sec. 3-508B was amended this last legislative session with changes that are effective November 1, 2022. I will cover the changes in a future Legal Briefs article prior to the effective date.

§ 3-511 Loans

I frequently get calls when lenders receive a warning from their loan origination systems that a loan may exceed the maximum interest rate. Nearly always, the banker says the interest rate does not exceed the alternative non-blended 25% rate allowed under § 3-508A according to their calculations. Usually, the cause for the red flag on the system is § 3-511. This is another section for which loan amounts may adjust annually. Here is the section with the amounts as effective for loans made on and after July 1, 2022, in bold type.

Supervised loans, not made pursuant to a revolving loan account, in which the principal loan amount is $5,800.00 or less and the rate of the loan finance charge calculated according to the actuarial method exceeds eighteen percent (18%) on the unpaid balances of the principal, shall be scheduled to be payable in substantially equal installments at equal periodic intervals except to the extent that the schedule of payments is adjusted to the seasonal or irregular income of the debtor; and

(a) over a period of not more than forty-nine (49) months if the principal is more than $1,740.00, or

(b) over a period of not more than thirty-seven (37) months if the principal is $1740.00 or less.

The reason the warning has popped up is due to the italicized language: The small dollar loan’s APR exceeds 18%, and it is either single pay or interest-only with a balloon.

Dealer Paper “No Deficiency” Amount

If dealer paper is consumer-purpose and is secured by goods having an original cash price less than a certain dollar amount, and those goods are later repossessed or surrendered, the creditor cannot obtain a deficiency judgment if the collateral sells for less than the balance outstanding. This is covered in Section 5-103(2) of the U3C. This dollar amount was previously $5,400.00 and increases to $5,800.00 on July 1.

May 2022 OBA Legal Briefs

  • Please help us help you
  • Lender credits on the TRID closing disclosure
  • MLA and GAP
  • Overdraft fees are not interest

Please help us help you

By Pauli D. Loeffler

You may have missed the notice on the Oklahoma Bankers Association’s webpage regarding issues the OBA Legal and Compliance team is experiencing with emails sent to us. Regardless of the fact that we hope to have the issue resolved shortly, we found that many bankers fail to provide vital contact information in their email signature blocks. This delays or prevents us from providing a quick response.

Specifically, the signature block needs to have not only your name and the name of the bank but also your email address, phone number (with extension, if any), and the city where you are located. There are times when a phone call to get additional information to answer a question is better than a series of emails. We certainly can look up the phone number for the main bank, but most banks have branches which results in making additional calls.

We appreciate your understanding and patience during the resolution of the email issue and look forward to answering your legal and compliance questions.

Lender credits on the TRID closing disclosure

By John S. Burnett

There are two types of lender credits that are disclosed under Regulation Z’s “TRID” disclosure requirements. In this discussion, we will review how those two types of lender credits should be used and disclosed.

First, however, let’s review what lender credits include. They are (1) payments, such as credits, rebates, and reimbursements, that a creditor provides to a consumer to offset closing costs the consumer will pay as part of the mortgage loan transaction; and (2) premiums in the form of cash that a creditor provides to a consumer in exchange for specific acts, such as for accepting a specific interest rate, or as an incentive, such as to attract consumers away from competing creditors.   (

Another way of separating lender credits into two types is to use the terms “specific lender credits” and “general lending credits.” These are the ways in which lender credits are disclosed that our discussion is focused on.

General lender credits

Your bank may decide, for example, that it will pay up to $1,000 in borrower third-party closing costs, without specifying which third-party costs are included. Because you want the lender credit to appear on the loan estimate, you show that lender credit as a negative amount in the estimated closing costs on page one and in section J on page 2. You also disclose your good faith estimates of closing costs for the loan your applicant has applied for – the origination charges, title work costs, taxes and recording fees, prepaids and all the rest –  that collectively will most likely be paid in connection with the loan, without indicating which of those costs your promised $1,000 will cover. The “calculating cash to close” box starts with the total closing costs reduced by the general lender credit, so it flows through to the Estimated Cash to Close – the approximation of what the applicant can expect to bring to (or receive from) the closing.

Note: Completing the loan estimate this way does present a risk that the closing costs to be covered end up totaling less than the general lender credit amount at closing time. Because lender credits are considered “negative closing costs,” a lender cannot reduce the general lender credit that appears on the loan estimate unless the lender credit is directly affected by a changed circumstance affecting the lender credit as part of the pricing of the loan. However, this is the usual way to complete a loan estimate when the lender intends to provide a general lender credit toward closing costs.

General lender credits for tolerance violations

We just discussed an example of a planned or intentional general lender credit. There’s also the chance that your bank will have to provide an unexpected general lender credit if its closing costs estimates fall short of the actual closing costs, and the differences are more than permitted under the tolerance limits in Regulation Z §§ 1026.19(e)(3)(i) and 1026.19(e)(3)(ii) — the zero percent and ten percent tolerance rules, respectively.

When a lender determines that it has exceeded the tolerance limits under either or both of those sections, it has to adjust the amount due to or from the consumer by the amount by which the tolerance limits were exceeded. A general lender credit (or an increase to a general lender credit already provided) is one way to get that done.

In such a case, the amount of the excess closing costs will appear (itself or as part of a Lender Credits amount) in three places on the closing disclosure:

  1. On the Lender Credits line in section J on page 2, the amount of the excess closing costs will appear in parentheses in the label after the words “Lender Credits.” The statement in the parentheses will read “(Includes $XXX credit for increase in Closing Costs above legal limit)” and the total Lender Credit amount (including the excess closing costs and any other planned general lender credit) appears as a negative amount in the Borrower Paid At Closing column.
  2. On the Total Closing Costs line of the Calculating Cash to Close table on page 3, if the actual closing costs exceed the estimated closing costs, and tolerance violations have occurred, the total amount of the tolerance violations will appear in a second bullet list entry in the “Did this change?” response, saying “Increase exceeds legal limits by $XXX. See Lender Credits on page 2.”
  3. On page 1, on the Closing Costs line of the Costs at Closing table, the amount of the total tolerance violations (the amount to be credited in the general lender credit) appears as part of the Lender Credits after the minus sign and before the words “in Lender Credits,” so the statement to the right of the total closing costs figure reads: “Includes $XXXX.xx in Loan Costs + $XXXX.xx in Other Costs = $XXXX.xx in Lender Credits.”

Specific lender credits

If your bank wants to pay selected closing costs that consumers are typically charged as part of your residential mortgage lending strategy, there are two ways to prepare the loan estimate. You can simply omit those selected costs that the consumer will not be charged from the loan estimate completely (your applicants won’t be charged for these services, so they don’t have to be included on the loan estimate). Make sure you disclose any costs that the consumer will be charged (an application fee, for example).

Another way to complete the loan estimate is to include all the costs the lender estimates will be involved (including those the lender intends to absorb) and show a general lender credit. In that way, the consumer sees all those costs, but also sees the amount of those costs the lender plans to cover.

But this section is about specific lender credits, you’re thinking. That’s right, it is. Because when it’s time to issue the closing disclosure, you get down to specifics. For each loan cost or other cost on page 2 that the lender intends to cover, insert the amount of that cost in the Paid By Others column and (optionally) identify it as a lender credit by including “(L)” before the dollar amount (without the quotation marks, of course). That reduces the costs due from the consumer because there’s no cost for the service in the Borrower Paid column. You’ve correctly disclosed a specific lender credit. Now, do the same for each cost that the lender is absorbing.

Suppose that the loan estimate for the loan included a general lender credit. The total of specific lender credits and general lender credits on the closing disclosure must equal or exceed the amount of the general lender credit on the loan estimate. What do you do if you overestimated a cost on the loan estimate, or one of the services listed there was not used, and now your loan estimate has a general lender credit amount that’s $50 more than the total specific lender credits on the closing disclosure? You include a general lender credit of $50 on the closing disclosure in Section J on page 2 and in the Costs at Closing table at the bottom of page 1.

What about tolerance violations?

Earlier, we said that a lender can issue a loan estimate without including the costs that the lender intends to absorb. When it’s time for closing, you must include all costs, regardless of who pays them. We’ve described above the way to avoid tolerance violations, by putting the costs to be absorbed in the Paid by Others column on the closing disclosure.  Just to make it interesting, let’s assume that the lender did not intend to absorb the cost of the appraisal, and included that service on the loan estimate in section B as “not shoppable,” with a cost estimate of $750.  For whatever reason, the actual cost of the appraisal ends up at $900, and the lender did not elect to issue a revised loan estimate for a changed circumstance. So there is a $150 tolerance violation (it is a 0 percent tolerance service cost). Does the lender have to treat that as an “increase exceeding legal limits” and include that $150 in Section J and in the Costs at Closing table?

No. There’s an easier (and better, in this author’s view) way to handle it. Just break the cost of the appraisal into two parts: $750 goes in the Borrower Paid column and (L) $150 goes in the Paid by Others column.

The same strategy can be used for a cost omitted by mistake from the loan estimate or any other cost that would become a tolerance violation if paid by the consumer. If the lender is facing an excessive increase in 10-percent limit costs, enough costs to bring the “10 percent bucket” back to a 10 percent increase or less can be shifted from the Borrower Paid column to the Paid by Others column.

Whichever method is used, the total paid by the consumer will be the same. The only difference is how the lender credits are shown – as general or specific lender credits.

One important caveat – don’t use the specific lender credit method if you’re dealing with a prepaid finance charge. For some loan origination systems, doing so can alter the finance charge amounts and affect the APR.

 MLA and GAP

By Andy Zavoina

It is no surprise that the Department of Defense is not a fan of GAP coverage on loans to service members. When the Military Lending Act regulation (MLA) was revised and later clarified with guidance in Q&A form, the DoD essentially said that an automobile loan was exempt from MLA restrictions when the funds from the loan were used for the purchase of the collateral, but if there were additional funds such as for non-essential items, the loan would lose the exemption.

This could then require more disclosures on a loan and attention to the 36 percent Military Annual Percentage Rate (MAPR) cap which is the Annual Percentage Rate on steroids. The MAPR is inclusive of such fees as GAP and credit insurance and the 36 percent rate is easily within reach with these fees included. This is a reason those financing vehicles want the exclusion from disclosures and the 36 percent usury rate. The DoD dislikes GAP insurance as well as some other costs like credit life insurance. Many banks like them as they can be profitable for the banks especially in competitive low-rate environments.

The DoD views many costs as unnecessary and expensive to the service member borrower. Banks and auto dealers do make a profit on these add-ons and many of these serve a key and important role, when needed. As to insurance, more than once I have seen a service member who had no equity in the collateral be saved from a deficit balance when a car was totaled or an estate saved from a debt when a service member passed. If the insurance is never needed it may seem expensive. But for those who paid a fraction of what was later paid out in a claim, it was worthwhile. The DoD sees the payouts as an exception and greed, or unnecessary costs to a service member anyway, as the rule.

In 2016 the DoD attempted to clarify the wording of the MLA exemption requirements with Guidance instead of revising the regulation itself. In the text below you can read that the exemption was lost with certain additional items being financed, a hybrid loan, but not others. Cash out being included in the loan would clearly void the exemption. GAP was not directly discussed and many lenders believed it was an essential component of a loan.

Here is Question 2 from the original August 2016 Guidance from the DoD:

  1. Does credit that a creditor extends for the purpose of purchasing personal property, which secures the credit, fall within the exception to “consumer credit” under 32 CFR 232.3(f)(2)(iii) where the creditor simultaneously extends credit in an amount greater than the purchase price?

Answer: No.  Section 232.3(f)(1) defines “consumer credit” as credit extended to a covered borrower primarily for personal, family, or household purposes that is subject to a finance charge or payable by written agreement in more than four installments. Section 232.3(f)(2) provides a list of exceptions to paragraph (f)(1), including an exception for any credit transaction that is expressly intended to finance the purchase of personal property when the credit is secured by the property being purchased.  A hybrid purchase money and cash advance loan is not expressly intended to finance the purchase of personal property, because the loan provides additional financing that is unrelated to the purchase.  To qualify for the purchase money exception from the definition of consumer credit, a loan must finance only the acquisition of personal property.  Any credit transaction that provides purchase money secured financing of personal property along with additional “cash-out” financing is not eligible for the exception under § 232.3(f)(2)(iii) and must comply with the provisions set forth in the MLA regulation

In December 2017 that question was modified to include the section on personal property as well as on vehicles. They mirror one another, and it always seemed odd they separated the two forms of collateral but treated them exactly the same, less the original Guidance which discussed just vehicles. The revised Guidance was more detailed as you can read below, and was specific to state GAP would in fact void the MLA exemption.

  1. Does credit that a creditor extends for the purpose of purchasing a motor vehicle or personal property, which secures the credit, fall within the exception to “consumer credit” under 32 CFR 232.3(f)(2)(ii) or (iii) where the creditor simultaneously extends credit in an amount greater than the purchase price of the motor vehicle or personal property?

Answer: The answer will depend on what the credit beyond the purchase price of the motor vehicle or personal property is used to finance.  Generally, financing costs related to the object securing the credit will not disqualify the transaction from the exceptions, but financing credit-related costs will disqualify the transaction from the exceptions.

Section 232.3(f)(1) defines “consumer credit” as credit offered or extended to a covered borrower primarily for personal, family, or household purposes that is subject to a finance charge or payable by written agreement in more than four installments. Section 232.3(f)(2) provides a list of exceptions to paragraph (f)(1), including an exception for any credit transaction that is expressly intended to finance the purchase of a motor vehicle when the credit is secured by the vehicle being purchased and an exception for any credit transaction that is expressly intended to finance the purchase of personal property when the credit is secured by the property being purchased. 

 A credit transaction that finances the object itself, as well as any costs expressly related to that object, is covered by the exceptions in § 232.3(f)(2)(ii) and (iii), provided it does not also finance any credit-related product or service.  For example, a credit transaction that finances the purchase of a motor vehicle (and is secured by that vehicle), and also finances optional leather seats within that vehicle and an extended warranty for service of that vehicle is eligible for the exception under § 232.3(f)(2)(ii).  Moreover, if a covered borrower trades in a motor vehicle with negative equity as part of the purchase of another motor vehicle, and the credit transaction to purchase the second vehicle includes financing to repay the credit on the trade-in vehicle, the entire credit transaction is eligible for the exception under § 232.3(f)(2)(ii) because the trade-in of the first motor vehicle is expressly related to the purchase of the second motor vehicle.  Similarly, a credit transaction that finances the purchase of an appliance (and is secured by than appliance), and also finances the delivery and installation of that appliance, is eligible for the exception under § 232.3(f)(2)(iii).

 In contrast, a credit transaction that also finances a credit-related product or service rather than a product or service expressly related to the motor vehicle or personal property is not eligible for the exceptions under § 232.3(f)(2)(ii) and (iii).  For example, a credit transaction that includes financing for Guaranteed Auto Protection insurance or a credit insurance premium would not qualify for the exception under § 232.3(f)(2)(ii) or (iii).  Similarly, a hybrid purchase money and cash advance credit transaction is not expressly intended to finance the purchase of a motor vehicle or personal property because the credit transaction provides additional financing that is unrelated to the purchase.  Therefore, any credit transaction that provides purchase money secured financing of a motor vehicle or personal property along with additional “cash out” financing is not eligible for the exceptions under § 232.3(f)(2)(ii) and (iii) and must comply with the provisions set forth in the MLA regulation.

In this 2017 Guidance the DoD says a loan that finances the purchase of a motor vehicle and is secured by that vehicle can also finances optional leather seats, negative equity and an extended vehicle warranty as an example of a loan that would be eligible for the MLA exemption.  In contrast the Guidance used a credit transaction which includes financing for GAP insurance or a credit insurance premium as examples of a credit transaction that would not be exempt from the MLA.

Many banks and auto dealers stopped offering GAP coverage to those subject to the MLA, even when the loan was under the 36 percent usury cap. Some lenders’ systems were not ready to make all the other MLA disclosures that would be required. The wording of the MLA has been interpreted by some to understand that the MLA does not allow the financing to be secured by the purchased vehicle’s title. This caused further doubts as to lending to covered service members.

In 2019 many banking and vehicle trade groups tried to assist their members in dealing with the Guidance and the loss of exemptions citing reports of actual harm to the service members themselves as they now had limited options for loans and the ancillary products they historically had access to. Several trade organizations wrote and asked for clarity.

Then, in 2020, the DoD withdrew its earlier interpretation and it opened the window for GAP by removing the explicit statement that it voided the exemption.  The question was again re-phrased, now using just the term personal property apparently to include vehicles and other household items with the answer as follows:

  1. Does credit that a creditor extends for the purpose of purchasing personal property, which secures the credit, fall within the exception to “consumer credit” under 32 CFR 232.3(f)(2)(iii) where the creditor simultaneously extends credit in an amount greater than the purchase price?

Answer: No. Section 232.3(f)(1) defines ‘‘consumer credit’’ as credit extended to a covered borrower primarily for personal, family, or household purposes that is subject to a finance charge or payable by written agreement in more than four installments. Section 232.3(f)(2) provides a list of exceptions to subparagraph (f)(1), including an exception for any credit transaction that is expressly intended to finance the purchase of personal property when the credit is secured by the property being purchased. A hybrid purchase money and cash advance loan is not expressly intended to finance the purchase of personal property, because the loan provides additional financing that is unrelated to the purchase. To qualify for the purchase money exception from the definition of consumer credit, a loan must finance only the acquisition of personal property. Any credit transaction that provides purchase money secured financing of personal property along with additional ‘‘cash- out’’ financing is not eligible for the exception under § 232.3(f)(2)(iii) and must comply with the provisions set forth in the MLA regulation.

So if the GAP example was removed, that must mean that financing the GAP product was now allowed, right? Many banks and other lenders jumped on that bandwagon and resumed financing such purchases. In the 2020 announcement what the DoD said was that it was withdrawing its answer because of “unforeseen technical issues” and, “absent additional analysis, (the DoD) takes no position on any of the arguments or assertions advanced as a basis for withdrawing” its 2017 guidance.

The on again, off again and still without clarity roller coaster brings us to today. A 2021 court case decided by the U.S. District Court for the Eastern District of Virginia involves the MLA and GAP. In Davidson v. United Auto Credit, Davidson was a covered borrower under the MLA when he purchased and financed a vehicle with GAP coverage included at a cost of $350. The complaint was that the retail installment contract violated the MLA because it did not disclose the MAPR plus it had other MLA defects.

The trial court ruled that GAP being added to the contract did not void the MLA exemption. The judge said the clear language in the law and regulation did not void the exemption while Davidson argued the 2016 Guidance was not affected by withdrawal of the 2017 revision and that the loan for the vehicle purchase was still subject to the MLA requirements. The judge found Davidson’s argument unpersuasive, stating that the GAP coverage was “inextricably” tied to the purchase of the vehicle.

So far, this is good news for the banks and other lenders. But the case has been appealed to the U.S. Court of Appeals for the Fourth Circuit. In January 2022 the Consumer Finance Protection Bureau (CFPB) filed an amicus brief in favor of Davidson. The CFPB takes the position that when GAP coverage is included in the vehicle’s financing the exemption is voided and the loan requires complete compliance with the MLA. The DoD,  joined in the CFPB’s amicus brief. The DoD said it “strongly concurs” with the CFPB on the issue. Now it is established that the CFPB as well as the DoD do not look favorably to the financing of GAP coverage on vehicle loans.

It is unknown what or when the court will rule. We have seen the CFPB take very proactive consumer protection positions and itself reversing Trump period provisions which were deemed “pro business.” The DoD controls and interprets 32 CFR 232. Many do not believe it would get back on the roller coaster and again revise its guidance, but its position is clear. GAP is not as prevalent, but this case is service member specific. I doubt we would see a retroactive reversal of loans with GAP coverage being impacted but as future plans are considered for loan products, banks with high volumes of loans to service members, with GAP may opt to temper any high sales penetration goals or at least recognize that what the DoD gave, it can take back.

Overdraft fees are not interest

By Andy Zavoina

It was a split decision at the U.S. Court of Appeals for the Tenth Circuit as it ruled on Walker v. BOKF, Nat’l Ass’n, (10th Cir. April 8, 2022). Oklahoma is in the Tenth Circuit. This court affirmed a lower court’s dismissal of a suit claiming that the bank was charging usurious interest on overdrafts.

In this case Walker created an overdraft in his checking account in the amount of $25. The bank paid the item and added to that a fee of $34.50. The bank also charges a daily fee of $6.50 per business day after five days that the account remains in the overdraft. This is disclosed as an “extended overdraft charge.” There were 36 daily overdraft charges accrued before the deposit account reached a positive balance. The original NSF fee plus 36 daily fees total to $268.50.

Walker maintains that these fees equate to interest charged on the original $25 overdraft and that this amount is usurious. BOKF is a national bank. The National Banking Act of 1864 allows a national bank to charge an interest rate no greater than the rate allowed by the state in which the bank is chartered. In the case of Oklahoma this allows a rate of 6 percent. Doing the math, 6 percent per annum on $25 is $.00411 per day which is a lot less than the fee charged by BOKF.

The bank moved for dismissal and the District Court granted that motion. The District Court held that overdraft fees are fees for deposit account services and were not interest and therefore not subject to the National Banking Act or the 6 percent rate allowed by the state. “Back in the day,” paper items were presented and reviewed against deposit balances and manual decisions were made to pay or return an item. There were people involved and hard costs in addition to the opportunity costs of the funds themselves. The process has been automated today but the theory remains the same.

The District Court’s ruling was appealed to the Tenth Circuit Court where there was a dissenting opinion. This argued that the banking regulation was not ambiguous and that overdraft fees do meet the definition of interest. The dissenting opinion maintains that  “When [the Bank] decides to cover a customer’s overdraft, it pays for the item and expects to be paid back. For example, despite [Plaintiff’s] inability to afford the original charge due to insufficient funds, [the Bank] made money available to him by purchasing the item for him. [The Bank] deducted the cost from [Plaintiff’s] account and charged him an overdraft fee, which it also deducted. But the bank expected to be paid back. By covering an overdraft, [the Bank] thus makes a temporary provision of money with the expectation of repayment. In other words, [the Bank] makes a loan.” Others may also see a daily fee as being a time-price differential or a cost for the use of the funds on that daily basis and consider that akin to an interest charge.

The majority of the Tenth Circuit judges did not agree. They affirmed the lower court’s findings based on Interpretive Letter 1082 issued in 2001, in which the OCC maintains that overdraft fees are designed to compensate the bank for “services directly connected with the maintenance of a deposit account,” and “therefore the bank was not creating a ‘debt’ that it then ‘collected’ by recovering the overdraft and the overdraft fee from the account.  Instead, the bank was ‘providing a service to its depositors’ that the accountholder had agreed to pay for.” So, the OCC determined 21 years ago that fees for “deposit account services” (under 12 CFR 7.4002(a)) were not interest and were fees for agreed upon services which were offered, accepted and performed. The majority agreed that IL 1082 was entitled to an “Auer deference” — agency’s interpretation of its own ambiguous regulation is controlling unless plainly erroneous or inconsistent with the regulation — because 12 CFR 7.4001(a) addresses interest and is ambiguous.

April 2022 OBA Legal Briefs

  • Nacha warranties and old unauthorized ACH debits
  • P2P complaints
  • Fair banking

Nacha warranties and old unauthorized ACH debits

By John S. Burnett

Your bank just wrapped up its investigation of a consumer’s Regulation E claim involving a series of unauthorized ACH debits made by a gymnasium. Your customer, Sam, got a notice that the gym was being closed “temporarily” on August 10, 2019, for some major renovation work. He assumed the gym would suspend charging his account for his monthly membership fee, but the regular $39.95 charge showed up on his account on August 26, 2019. So, Sam emailed the gym’s owner/manager on August 27, 2019, to cancel the authorization for the monthly changes  and got an emailed response that no further charges would be made to his account, and the August 26 charge would be credited to his membership for the first month when the gym was allowed to reopen.

For whatever reason, Sam didn’t check his account again until March 10, 2022, when he wasn’t able to withdraw $50 at the bank’s ATM. Those of you who are used to handling Reg E claims know what he found – the gym didn’t stop charging his account, and there was a series of 30 monthly debits from September 25, 2019, through February 25, 2022, that he was not expecting to see.  On March 11, Sam, rightfully embarrassed by his lack of attention to his account, brought copies of his statements (which had been made available to him on the bank’s online banking portal on the last day of each month) into his local bank branch, each with a $39.95 ACH debit from the gym circled in red, along with a copy of his August 27, 2019, email to the gym manager and the manager’s response, and asked what the bank could do about getting his money back.

Your branch manager checked with the bank’s deposit operations manager, who suggested that Sam could get back the January 25 and February 25, 2022, debits quickly if the branch manager got him to complete and sign a Written Statement of Unauthorized Debit (WUSD) on those two transactions, but Operations would need to handle the Reg E claim on the earlier debits. Sam signed two WSUDs while the branch manager was copying the statements Sam had brought in. One WSUD covered the two most recent debits (totaling $79.90), as requested by the operations manager, and the other covered the 28 earlier debits (which totaled $1,118.60).

Sam’s documentation made it easy for Operations to complete a speedy investigation, and they agreed that all 30 of the ACH debits were unauthorized. Then they plugged the dates and amounts into their Regulation E Consumer Liability Calculation spreadsheet and determined that Sam should be reimbursed for the unauthorized transactions that posted to his account on or before November 29, 2019 (60 days after the September 2019 statement was available). That would include the September 25, October 25, and November 25, 2019, debits, for a total of 3 times $39.95, or $119.85. Operations also returned the ACH debits that hit Sam’s account on January 25 and February 25, 2022. Within three business days of filing his claims, Sam received credits of $119.85 and $79.90 to his account, and a couple of days later he got a letter explaining that the bank agreed that all thirty of the disputed debits were unauthorized, the bank had refunded only $119.85 for the first three debits, and Sam was responsible for the rest of them because he had failed to review his account statements and promptly notify the bank of the unauthorized debits. The letter then explained that, because he had provided the WSUD covering the two transactions that were less than 60 days old, the bank had been able to return them, and had credited him with $79.90. That leaves Sam with a loss of $998.75 due to his lack of attention to his account.

Using Nacha’s authorization warranty to recover more

The operations manager had done some further research and discovered that Nacha rules include a warranty of authorization that’s given by the Originating Depository Financial Institution (ODFI) in favor of the Receiving Depository Financial Institution (RDFI). That warranty covers two periods for consumer accounts — (11) the first 95 days from the settlement date of the first unauthorized entry to the consumer’s account (which generally corresponds to the period of time the RDFI would be responsible for unauthorized entries under Regulation E § 1005.6(b)(3)); and (2) after the first 95 days but with settlement dates less than two years old. [For non-consumer accounts, the Nacha warranty covers entries with Settlement Dates no more than one year old.]

Buoyed by what she found, the operations manager checked with the bank’s legal department, which suggested she:

  1. Identify the ODFI and its head office address.
  2. Compose a letter stating a claim for breach of warranties under section of Nacha Rules (Warranty that the entry is authorized by the Originator and Receiver) with respect to the unauthorized entries on September 25, 2019, and during the 95 days following that date (that would include the transactions through December 29, 2019), and the entries with Settlement Dates later than two years ago but before January 1, 2022 (the two entries occurring later than January 1, 2022, had been returned).
  3. Include a schedule of the posting dates and amounts of the entries covered by the claim.
  4. Include a statement in the claim letter that the Receiver (Sam, your customer) revoked the authorization and the Originator had acknowledged and accepted that revocation on August 27, 2019.
  5. Include copies of the August 27, 2019, emails between Sam and the gym owner/manager.

She completed the claim letter and faxed it to the ODFI on March 24, 2022.

What happens next depends on how the ODFI treats the warranty claim. This is, of course, a contrived story designed to illustrate the fact that the ability to make an “extended return” of an unauthorized ACH debit up to 60 days after its Settlement Date is not the “last resort” attempt at recovering funds for the bank or its depositor. Nacha Rules warranty provisions provide this additional tool. In fact, Nacha has a handy tool to explain its warranty at

Let’s suppose the ODFI honors the claim and sends full payment for 4 unauthorized debits during the 95-day period (9/25/19 through 12/29/19) and 22 debits covered under the two-year period (3/24/20 through 3/24/22, but the January and February 25, 2022, debits aren’t part of the claim because they had been successfully returned earlier). What should the operations manager do with the $1,038.70 check?

The RDFI gets reimbursed for the three early debits that it had to return to Sam. And, because the RDFI can’t profit from the warranty claim, it credits the remaining $918.85 to Sam’s account, which covers most of his loss. He’s still out $79.90 for the January and February 2020 debits, which fall into the gap between the two Nacha warranty periods.

Of course, not every ODFI would honor such a claim. If the claim is denied, the RDFI can file a rules violation case with Nacha or press the claim in a civil court suit after weighing the cost/benefit of such a course. In our contrived example, however, the ODFI reviewed a strong claim that the debits were clearly unauthorized and decided not to fight it.

P2P complaints

By Andy Zavoina

In December 2021, the Consumer Financial Protection Bureau released an updated Compliance Aid for Reg. E, in the form of FAQs. We wrote about the FAQs extensively this last January and February. Central to these FAQs were P2P, or Peer-to-Peer payment programs from companies like Venmo, Zelle and Cash App. About a week after the updated FAQs were released 33 state attorneys general wrote to CFPB Director Rohit Chopra wanting stronger safeguards for consumers using these P2P apps. Oklahoma’s Attorney General was not on the letter.

It is estimated that in 2023 more than $1 trillion in transactions will happen using these apps. Usage has increased during the pandemic and the public seems to have accepted these programs for many uses. Some people see them as an extension of their bank accounts and it makes it easy to split a dinner bill, pay for a Pampered Chef order or pay a vendor for services rendered.

But when a transaction goes south, whom do they call? It could be your bank, who will refer them to the P2P vendor for customer service. With the updated FAQs we now know that the concerns of the attorneys general were partially answered in the FAQs as the CFPB opined that in many cases banks will have to shoulder the burden of handling claims, however. We covered that in January and February but as a short recap, if a bank has an agreement with a P2P vendor handling transactions the bank cannot deflect a claim for unauthorized use to the vendor. The CFPB opined that if the bank and P2P vendor share a credit card agreement such as both accept Visa or Mastercard, that constitutes “an agreement.”

Aside from banks now shouldering the claims burden, the letter to the CFPB complained that the P2P vendors have poor customer service. It was noted that reaching an actual person was difficult and usually included long hold times. It was also difficult to email or use a chat program to work out problems. Consumers found an inability to use their funds at times without warning when the P2P vendor held them. Restricted use could include paychecks from an employer or government benefits. Likely many of these people were unbanked and using the P2P service for banking. Lastly there were scammers stealing funds with various ruses. “Grandma, I was in an accident. I’m OK but we came to Mexico on spring break. Mom and dad can’t know, but I need $500 to get out of this jam,” is an example.

The CFPB’s mission is to protect consumers. Certainly, after reading about the three common complaints from consumers cited by the attorneys general, you will agree that banks strive not to have such issues and perform better than the P2P vendors. It was noted in the letter to the CFPB that the unbanked were often the more damaged consumers. Regardless, the claims problem has largely been handed to banks and that may be viewed a spart of the solution to the problem.

Some takeaways include banking the unbanked when they are qualified to have a bank account. While banks do not typically have rigorous qualification criteria for deposit accounts, some of these consumers may have burned their bridges with banks with charge-offs or poorly handled accounts. Still, there are some good consumer relationships out there that banks can market to and experience a win-win relationship with. These new and existing customers need to be reminded of security issues. We’ve expanded on some BBB tips for using a P2P payment app safely:

  • Only use it with someone you know and trust. Consider sending a test transfer of say $1 before sending the other $99 for that purchase. Scammers do this to see if an account is good and our customers can learn from this.
  • Take your time entering payment information and double-check it before hitting send. It is usually possible to talk to a person and get the instructions as the data is being entered.
  • Enable security settings and other measures offered by the app, including multifactor authentication that requires another form of verification besides just a username and password. And use a unique password.
  • Remember that public Wi-Fi at places like coffee shops or libraries may not be secure for use in conducting financial transactions.
  • Be wary of any business that only accepts P2P payment apps.
  • When using a mobile device like a smartphone or tablet, lock the device when not in use and do not lend the device to someone to make a call who may then be able to access a P2P app and conduct any transfer using the owners account.
  • When any device, be it a smartphone, tablet, game console or similar device has financial data stored on it, wipe the device before it is sold, donated or otherwise repurposed.

These tips need to be given repeatedly to bank customers just as they should be routinely reminded not to write a PIN on their debit card. Drive the point home. The dollars saved may be the bank’s money.

The last item here is a deliverable to bank management. Whoever is best suited to review Reg E claims for the last year or two should analyze the claims, both approved and denied (including those referred to a P2P vendor). Use this information to estimate what increase the bank may see based on the CFPB’s FAQs and the placement of responsibility on the bank for many of the P2P claims you would not have paid in the past. Management should be aware if this will be substantial. Some banks have reported seeing a significant increase and we can now assume that the pressure is on for banks to make up for these vendors’ shortcomings.

Any time bank management has the ear of a legislative influencer, it may be worth asking why, based on the above, Reg E cannot require the P2P vendors to be responsible for claims they are involved in. It is that vendor who has all the transaction information pertinent to a claim and who profited from the transaction, not your bank. And that vendor doesn’t even have to assist in any investigation. The CFPB should have the ability to police those vendors, not to shift the vendors’ responsibilities to banks.

Fair banking

By Andy Zavoina

In March, the CFPB announced it would be targeting unfair discrimination in consumer finance. “Consumer finance” seems like a broad term and it is. It takes in all types of consumer financial products, not just those involving credit. Banks will certainly be included in the Bureau’s reach, as we have the lion’s share of deposit accounts, and it is important to recognize how these changes will apply.

For years we have been asked questions related to deposit accounts. A customer complained and said the bank was discriminating based on race or gender but only had a savings account, or Marketing was asking if ads for new checking accounts needed to have the same pictorial diversification as home loan ads, showing both men and women and with various racial characteristics. Often the safe answer was “there is no fair lending equivalent for deposits.” While that is true, I and others have argued for years that “fair banking” should always be considered, and I believe most banks do keep that in mind. But under the heading of “what gets checked, gets done” this fair banking procedure will be going to a much higher level.

What the CFPB said was, “In the course of examining banks’ and other companies’ compliance with consumer protection rules, the CFPB will scrutinize discriminatory conduct that violates the federal prohibition against unfair practices. The CFPB will closely examine financial institutions’ decision-making in advertising, pricing, and other areas to ensure that companies are appropriately testing for and eliminating illegal discrimination.”

Note what that statement said — the CFPB will examine for discriminatory conduct, as this would be an unfair practice. Unfair is the “U” in UDAAP — Unfair, Deceptive or Abusive Acts or Practices. We have seen large UDAAP penalties, and because there is no statute of limitations, we have seen enforcement orders that went back for many years. While we often associate UDAAP enforcement actions with the CFPB, the prudential agencies still enforce UDAP as was the case in 2021 when the FDIC penalized Umpqua Bank. The FDIC determined that Umpqua Bank engaged in Section 5 violations (that’s UDAP in the FTC Act) related to collection practices involving commercial equipment financing through its wholly owned subsidiary, Financial Pacific Leasing, Inc. (FinPac).  The FDIC determined that FinPac’s collection fee practices were unfair and deceptive.  Specifically, FinPac charged various undisclosed collection fees to 17,000 borrowers whose accounts were past due, such as collection call and letter fees and third-party collection fees. So, the bank was fined for what its subsidiary was doing and paid restitution of $1.7 million and a civil money penalty of $1.8 million. (FDIC-20-0156k)

From July to October 2020 there were nine separate advertising enforcement actions against mortgage lenders totaling $4.446 million. Triggering terms were missed, ads were poorly arranged which made them misleading and in some cases the numbers were just wrong, or payments quoted were not obtainable.  There were also instances of products being offered which were not being made at the time they were advertised.

While UDAAP and UDAP can bring a high dollar penalty and restitution amounts, this is in part based on how many consumers were disadvantaged and to what dollar amounts. As an example, a 2018 enforcement action included Community Trust Bank, Inc. of Pikesville, Kentucky, as it was hit with a UDAP penalty. Key points in this Federal Reserve enforcement action are that the bank would pay at least $4.75 million in penalties and restitution. The penalty arises from add-on products of a minimal cost, but it reached back to 1994. That was 24 years prior to the action taken. If there is a product and it has a UDAAP/UDAP defect since inception, the next question is when did it launch? From that date forward consumers with that product were harmed and compensation must be paid to the consumer harmed, reimbursements for unfair charges, and civil money penalties to the agency.

We have seen UDAAP used as an enforcement tool on other regulatory requirements such as Reg E where disclosures were made but additional requirements imposed, like requiring a police report to file a claim. Banks are not permitted to add requirements like that and UDAAP has more severe consequences that Reg E itself, so it became the enforcement tool of choice.

(1) CFPB Director Rohit Chopra stated, “When a person is denied access to a bank account because of their religion or race, this is unambiguously unfair,” and “We will be expanding our anti-discrimination efforts to combat discriminatory practices across the board in consumer finance.” So, no time limit and high dollar penalty amounts are associated with UDAAP actions. With this announcement of discriminatory practices on non-loan issues the CFPB released its revised UDAAP section of its exam manual. []

The Equal Credit Opportunity Act (ECOA) and its implementing Regulation B, along with the Fair Housing Act and data gathering requirements under the OCC’s Fair Housing Home Loan Data System and the Home Mortgage Disclosure Act have long been bundled together as anti-discrimination requirements for general loan and home mortgage loans. The revisions to the UDAAP examination manual coupled with a definitive tying of “unfair” to any discrimination, even involving non-loan related products and services, adds an enforcement tool.

The March 2022 Legal Briefs looked at UDAAP in some detail. That was published before this action by the CFPB. We refer you back to that edition for the details, but here I will point out that under the section of some act or practice “causing substantial harm” to a consumer, we find in the exam procedures that this, “may result from discriminatory behavior.”

Discrimination or discriminatory behavior is referenced 25 times in this 19-page document. It is used as an example under collections activities, under the section where a consumer cannot avoid an injury, such as a discriminatory practice, and elsewhere. With a discriminatory practice being unfair, both unintentional discriminatory practices and practices that fall outside  the scope of ECOA now meet the test for being unfair. So, there is a longer reach. It also notes that what is discriminatory may be unfair, violating UDAAP, and at the same time violate other laws such as ECOA. Remember the CFPB does not have to pick one or the other of these laws to use for enforcement action, it can compound them and cite both as each is being violated if you have a loan or home mortgage product.

The revised UDAAP section states, “A discriminatory act or practice is not shielded from the possibility of being unfair, deceptive or abusive even when fair lending laws do not apply to the conduct. For example, not allowing African-American consumers to open deposit accounts or subjecting African-American consumers to different requirements to open deposit accounts, may be an unfair practice even in those instances when ECOA does not apply to this type of transaction.” This brings us to a new awareness level of UDAAP.

When Compliance or Legal has been involved in the development or revision of a product or service, UDAAP and risks have been examined from many perspectives. Traditionally ECOA and Reg B were included in a mindset when a loan was mentioned — Who does it appeal to? Where will it be offered? How will it be advertised? — and the focus was on marital status, race, gender, gender identification and similar topics. Those demographics were considered for loans while deposit products and services would have considered different demographics, potential deposit product appeal based on income, balances on deposit, services required to support the deposit relationship, etc. Now the latter requires the same mindset, or perspective if you will, as the loan discussions.

When reviewing loan products, the bank has demographic information for its lending area and on its home mortgages. The bank can easily review HMDA and other data points to determine if there are any disparities in where applications are coming from, for homes in certain areas, from applicants based on gender, race, marital status and other key categories. This is not as easy when the bank wants to know if there are any discriminatory concerns on auto loans, unsecured loans or other products which exclude the gathering of any demographics.

If the bank wants to generate a fair lending or fair banking analysis it will have to use a proxy for that information that it does not specifically have. This is not a new technique, but it may be one the bank wants to employ against various loan and deposit products as well as complaints. Here is an excerpt from a 2013 CFPB blog post on the topic.

Let’s say a responsible auto lender wanted to make sure that their female customers are not paying more for a loan than similarly situated men. Before analyzing the pricing patterns, the lender needs to calculate the likelihood that a borrower is male or female. Without actually recording the gender of each borrower, to substitute, or “proxy,” for gender, responsible lenders often rely on a first name database  from the Social Security Administration. The public database contains counts of individuals by gender and birth year for first names occurring at least five times for a particular gender in a birth year. Using statistics, they can determine a probability that a particular applicant is male or female based on the distribution of the population across gender categories for the applicant’s first name. []

The above cites a first name database that should be available at minimal or no cost. There may well be others or established programs available complete with databases for various checks and verifications. The CFPB published a 37-page booklet in 2014, “Using publicly available information to proxy for unidentified race and ethnicity – A methodology and assessment” [] which may also help control costs while accomplishing a large project.

The CFPB has used this methodology many times in the past on the files it has from banks and consumers. If the bank can extract certain field from its CIF files, once that process is established many different products and services could be analyzed. Having multiple uses for the one-time costs of establishing the program can prove beneficial. The results of this analysis may prove useful for fair lending, fair banking and have a positive impact on the Community Reinvestment Act file and exams as well. The methodology should be well documented and proven for accuracy.

Naturally if there are shortcomings the bank would need a strategy to correct them. Any corrective actions would be based on the specific product or service and the results of the bank’s analysis. This could be any solution from adjusting marketing media, to community outreach, to a branch or mobile branch serving an under-banked area. Similar to some fair lending strategies, the bank may also consider using bank counsel to facilitate some of this analysis for confidentiality and discovery reasons. That is obviously at the bank’s discretion. It may also be something to only explore at this point and to commit to as fair banking issues develop and mature within regulatory agencies and the industry. It should be worth exploring at this point to know what the time and cost requirements would be, and how it might integrate with future expansion and strategic plans of the bank.

Your bank may not have the CFPB examining it. But as a lead agency, and with other agency’s following it, this is something all banks should prepare for.  The CFPB manual has redefined “unfair acts or practices” and this is the mindset banks should begin adopting across the board.

Borrowing from UDAAP, one element of an unfair act or practice is whether a consumer is “reasonably able to avoid the injury. “ As noted above, this includes examples that the “consumer cannot reasonably avoid discrimination” and “typically cannot avoid the harms of discrimination.” Expect that as the CFPB expands its scope of exams that it will find and address cases of “unfairness” when it feels a consumer was harmed, or could be harmed by such a practice, product or service. Think outside the loan box. Examiners have new marching orders, and your bank should also, to ensure that:

  • The bank has a process to prevent discrimination in relation to all aspects of consumer products or services it offers. Evaluate all policies, procedures and processes for discrimination prior to implementation or making changes and continue monitoring for discrimination after implementation.
  • The bank’s compliance management program includes an established process for periodic analysis and monitoring of all decision-making processes used in connection with consumer products or services and a process to take corrective action to address any potential UDAAP concerns including discrimination.
  • The bank has established policies and procedures to review, test, and monitor any decision-making processes used for potential UDAAP concerns, including discrimination.
  • The bank has established policies and procedures to mitigate potential UDAAP concerns, including discrimination.
  • The bank’s policies, procedures and practices do not target or exclude consumers from products and services, or offer different terms and conditions, in any discriminatory way.
  • The bank has appropriate training for customer service personnel to prevent all forms of illegal discrimination.

Banks should be proactive in internal audits and test, as examiners will, to:

  • Evaluate any product targeted to particular demographics to ensure the marketing, disclosures, and other materials are designed for the target market and will be understood by that market. Appropriateness of the product or service to a consumer is a key.
  • Ensure there is equal treatment among qualified consumers as to terms and conditions of products and services offered without bias based on demographics.
  • Avoid offering or provide more products or services to one customer demographic as compared to another.
  • Customer service representatives should treat all customers the same meaning they provide the same level of assistance and service to all. In the past, paired testing used for loan discrimination cases included criticisms when one applicant was offered beverages while another was not.
  • Review all targeted advertising for potential discrimination.
  • Determine whether the bank uses any decision-making processes to determine eligibility, underwriting, pricing, servicing or collection actions which could result in illegal discrimination.
  • See whether the bank periodically evaluates for, and takes corrective actions to prevent, illegal discrimination.



March 2022 OBA Legal Briefs

  • The Beneficial Ownership Rule hasn’t gone away
  • UDA(A)P is becoming all the rage!

The Beneficial Ownership Rule hasn’t gone away

By John S. Burnett

The Corporate Transparency Act of 2021 (CTA) was enacted by Congress on January 1, 2021, as Title XIV of the William M. Thornberry National Defense Authorization Act for 2021, Public Law 116-283. It added a new section 31 U.S.C. 5336 to the Bank Secrecy Act.

The CTA requires that most private domestic U.S. entities formed on or after January 1, 2021, must self-report to FinCEN certain basic information about themselves, their beneficial owners and those individuals authorized to act on their behalf. The stated purpose of the CTA is to “discourage the use of shell corporations as a tool to disguise and move illicit funds” as part of the broader federal attempts to prevent and combat money laundering, tax fraud and terrorist financing.

The CTA requires FinCEN to promulgate regulations implementing the Act. No entity reporting to FinCEN can start until the final implementing regulations are issued and effective, and the structure for that reporting (presumably an online portal and a huge database) is completed.

What’s been completed so far?

FinCEN has begun the process of promulgating the regulations. In fact, FinCEN appears to be moving on the CTA requirements fairly quickly.

On April 1, 2021, FinCEN issued an Advance Notice of Proposed Rulemaking— a form of “heads up” that it was working on the rules and an invitation for stakeholders to offer suggestions and comments on the process.

On December 8, 2021, FinCEN published its proposed rules in the Federal Register [86 FR 69920], with a comment period ending February 7, 2022. There were 250 public comments submitted through We don’t know how many comments were sent directly to FinCEN itself.

As of this writing (early March 2022) no final regulation has been issued.

The CTA and financial institutions

Financial institutions have been required since May 11, 2018, to comply with 31 CFR 1010.230 (Beneficial ownership requirements for legal entity customers). The CTA has not changed that fact, and the regulations are still in effect.

It is true that the CTA was enacted with the intent to shift some of the burdens of gathering beneficial ownership information away from financial institutions and make it a government responsibility. It is also true that at some future time — FinCEN has unofficially suggested it will be a year or more after implementation of its final CTA beneficial ownership regulations — there will be a change for financial institutions, which will probably begin verifying entity ownership information against the CTA database, rather than gathering certifications of ownership information repeatedly during the existence of entity customer relationships.

To get to that time, FinCEN will first need to set up a secure and confidential portal through which financial institutions can make those verifications. How that will be done, or what information they will be required to verify, and what will happen if they are not able to successfully verify the information, has yet to be determined.

And yet, we have heard that bank examiners have identified financial institutions that totally misinterpreted — was this wishful thinking? — what FinCEN has so far done as a license to discontinue obtaining beneficial ownership certifications and stopped obtaining them around the time FinCEN announced the December 2021 proposed rule. If it is true that examiners have found financial institutions that made such an error, I can only imagine the sinking feeling the management, BSA officer or compliance officer at those institutions must have had when confronted with their error.

What to do about it

I sincerely hope your institution was not one of those making that mistake. But if it is, it is fortunate that only about three months have passed since the FinCEN proposed rule was published (in December 2021). If that’s when your institution stopped complying with § 1010.230, you can limit the damage by doing a look-back to identify each of the occasions on which you should have obtained beneficial ownership certification (or certification that information you were provided earlier was still correct) and start communicating with the entity customers involved to get those missing certifications.

If, instead, your institution made the wrong decision back in April 2021 when the advance notice of proposed rulemaking was published, you have a bit more digging to do — almost a year’s worth of account openings, renewals, etc.

Don’t assume that, once FinCEN finally eliminates § 1010.230 (remember there will be a different rule replacing it that you will have to follow), it will not matter that your institution jumped too soon to stop complying with § 1010.230. It will matter, so don’t postpone your remedial action to collect those missing certifications.


UDA(A)P is becoming all the rage!

By Andy Zavoina

I was recently reviewing enforcement actions published over approximately the last 18 months and saw what I believe is a trend not too many bankers are talking about. As an example, on a mortgage servicing topic the Consumer Finance Protection Bureau (CFPB) used the phrase, “…identified various Regulation Z and Regulation X violations, as well as unfair and deceptive acts or practices.” As past due fees were charged it was noted, “Examiners found that mortgage servicers engaged in unfair acts or practices…” and “Examiners found that lenders engaged in unfair acts or practices when they debited or attempted one or more additional, identical, unauthorized debits from consumers’ bank accounts after consumers called to authorize a loan payment by debit card and lenders’ systems erroneously indicated the transactions did not process.” In this article we will examine in more detail some of these violations that were made public. Like an iceberg, we know there is much more to it that we can not see, and we are not certain how much is there. But we do know we don’t want to run into it ourselves.

First, let’s cover some of the rules involving Unfair, Deceptive, or Abusive Acts or Practices so we can understand how broadly they can be applied in different scenarios.

UDAAP penalties can go up to $5,000 per day and if they are deemed “reckless” violations they could be $25,000 per day. Yes, it gets worse. Knowingly violating UDAAP can run a penalty of $1 million a day. Do we expect to see these maximum penalties? That would be a “no.” But the penalties can be severe. Consider that there are civil money penalties for the violations, and we have seen these go back for years and years.

Say a bank creates an add-on product to a deposit account. This product requires the customer to enroll with the bank and provide some affirmation such as that they are in good health, and they need to sign and return this form. But they fail to do this for one reason or another. The bank was diligent however, in charging the customer each month for a service that was never provided and technically could not be. That is a UDAAP violation. It may violate another law or regulation as well, and that law or regulation may also be referenced, but UDAAP has big teeth as we already mentioned the fines available. Because there seems to be no statute of limitations, UDAAP penalties at only hundreds of dollars a month add up quickly when a problem goes back 5 or 10 years.

“Seems outlandish, never going to happen,” you might say. Consider the penalty assessed against First Tennessee Bank by the Office of the Comptroller of the Currency (OCC). The bank sold an add-on product which required two things from the customer. They needed to enroll, and they needed to provide personal verification information. With this service, they would have credit monitoring services. Customers who failed to provide the verification information for whatever reason were charged a monthly fee for a service that was not performed for them. This penalty was in 2016, and the product was launched in 2000. The bank needed to look at 16 years of records. The bank paid a $1 million civil money penalty.

But UDAAP does not stop there. The CFPB can require that agreements be amended or terminated, that customers are refunded for charges that were improper, that restitution be ordered so that the bank understands the severity of the penalty, that profits from the act in question are surrendered and that the government be repaid for the time and effort put into the case. This is all on top of the work spent trying to review 16 years of files and responding to every customer and former customer who claims to have had that product and wants a refund.

There are some basic things that are considered a UDAP issue (one “A,” which omits “Abusive” which was added by the Dodd-Frank Act and is an addition the CFPB enforces) while prudential regulators still look at the Federal Trade Commission Act Section 5 rules for Unfair or Deceptive Acts or Practices. Some basic issues blatantly considered UDAP include prohibited provisions in agreements:

  1.  a confession-of-judgment;
  2.  a waiver of exemption in which the consumer relinquishes rights protecting their home and other necessities from seizure to satisfy a judgment,
  3. a n assignment of wages; and
  4.  the taking of household goods as loan collateral.

Also prohibited is the pyramiding of late fees. If you are not familiar with that concept, assume a borrower is late on a loan payment. They send the exact payment, and the bank applies it by first taking the late fee owed, then interest due and the remainder to principal. But the principal payment is short because of the late fee, so another late fee is accrued. And when the exact scheduled payment is made on time the following month, another late fee is paid and so on. That is pyramiding. I’m sure it doesn’t happen in your bank because automated routines control how payments are applied and interest and principal are always collected first, then fees.

But consider a case discussed more below where the borrower rounded up their payment. The extra principal was simply deposited to escrow. That is an improper application and has a similar impact as late fee pyramiding. The bank has certain remedies it can follow and compliance and/or audit needs to ensure the proper actions are taken.

Lastly, UDAP addresses the Holder in Due Course rule which involves the buying and selling of credit contracts and specifically also prohibits a bank from misrepresenting a co-signer’s liability and requires the bank to give a co-signer, prior to becoming obligated in a consumer credit transaction, a disclosure notice which explains the nature of the co-signer’s obligations and liabilities under the contract.

As already noted, it was the Dodd-Frank Act which empowered the CFPB to prevent unfair, deceptive, or abusive acts or practices. The other agencies enforce the FTC Act, Section 5. Rest assured for all intents and purposes they are similar as it pertains to the ability to right a perceived wrong.

The CFPB has definitions bankers must be familiar with to navigate compliance with UDAP and UDAAP. These are definitions that must be applied broadly when the bank is designing a new product, service, or policy.

Unfair: a practice that is “unfair” is one that:

a)  Causes or is likely to cause substantial injury to consumers;

(Substantial injury usually involves monetary harm. Monetary harm includes, for example, costs or fees paid by consumers as a result of an unfair practice. An act or practice that causes a small amount of harm to a large number of people may be deemed to cause substantial injury.

Actual injury is not required in every case. A significant risk of concrete harm is also sufficient. However, trivial or merely speculative harms are typically insufficient for a finding of substantial injury. Emotional impact and other more subjective types of harm also will not ordinarily amount to substantial injury. Nevertheless, in certain circumstances, such as unreasonable debt collection harassment, emotional impacts may amount to or contribute to substantial injury.)

b)  The injury is not reasonably avoidable by consumers;

An act or practice is not considered unfair if consumers may reasonably avoid injury. Consumers cannot reasonably avoid injury if the act or practice interferes with their ability to effectively make decisions or to take action to avoid injury. Normally the marketplace is self-correcting; it is governed by consumer choice and the ability of individual consumers to make their own private decisions without regulatory intervention. If material information about a product, such as pricing, is modified after, or withheld until after, the consumer has committed to purchasing the product, however, the consumer cannot reasonably avoid the injury. Moreover, consumers cannot avoid injury if they are coerced into purchasing unwanted products or services or if a transaction occurs without their knowledge or consent.

A key question is not whether a consumer could have made a better choice. Rather, the question is whether an act or practice hinders a consumer’s decision-making. For example, not having access to important information could prevent consumers from comparing available alternatives, choosing those that are most desirable to them, and avoiding those that are inadequate or unsatisfactory. In addition, if almost all market participants engage in a practice, a consumer’s incentive to search elsewhere for better terms is reduced, and the practice may not be reasonably avoidable.

The actions that a consumer is expected to take to avoid injury must be reasonable. While a consumer might avoid harm by hiring independent experts to test products in advance or by bringing legal claims for damages in every case of harm, these actions generally would be too expensive to be practical for individual consumers and, therefore, are not reasonable.


c) The injury is not outweighed by countervailing benefits to consumers or to competition.

To be unfair, the act or practice must be injurious in its net effects — that is, the injury must not be outweighed by any offsetting consumer or competitive benefits that also are produced by the act or practice. Offsetting consumer or competitive benefits of an act or practice may include lower prices to the consumer or a wider availability of products and services resulting from competition.

Costs that would be incurred for measures to prevent the injury also are taken into account in determining whether an act or practice is unfair. These costs may include the costs to the institution in taking preventive measures and the costs to society as a whole of any increased burden and similar matters.

In determining whether an act or practice is unfair, the CFPB may consider established public policies as evidence to be considered with all other evidence. Such public policy considerations may not serve as a primary basis for such determination.

UDAP’s unfairness prong applies not only to overt acts and practices, but also to those that unreasonably impair a consumer’s ability to make an informed decision, such as withholding material information until after a consumer has purchased a product.  But a bevy of UDAP case law creates nuances. For instance, “substantial injury” can be monetary or reputation harm, but there must be a significant risk of concrete harm rather than a speculation that harm might occur. An act is not  considered unfair if its benefits outweigh any injuries caused. Some  examples of benefits include lower prices or the availability of products  and services to a wider range of consumers.

A representation, omission, act or practice is deceptive when—

  • The representation, omission, act, or practice misleads or is likely to mislead the consumer;
  • The consumer’s interpretation of the representation, omission, act, or practice is reasonable under the circumstances; and
  • The misleading representation, omission, act, or practice is material. This applies when it misleads or is likely to mislead the consumer.

Written disclosures may be insufficient to correct a misleading statement or representation, particularly where the consumer is directed away from qualifying limitations in the text or is counseled that reading the disclosures is unnecessary. Likewise, oral or fine print disclosures or contract disclosures may be insufficient to cure a misleading headline or a prominent written representation. Similarly, a deceptive act or practice may not be cured by subsequent truthful disclosures.

Acts or practices that may be deceptive include making misleading cost or price claims; offering to provide a product or service that is not in fact available; using bait-and-switch techniques; omitting material limitations or conditions from an offer; or failing to provide the promised services.

The FTC’s “four Ps” test can assist in the evaluation of whether a representation, omission, act, or practice is likely to mislead:

  • Is the statement prominent enough for the consumer to notice?
  • Is the information presented in an easy-to-understand format that does not contradict other information in the package and at a time when the consumer’s attention is not distracted elsewhere?
  • Is the placement of the information in a location where consumers can be expected to look or hear?
  • Finally, is the information in close proximity to the claim it qualifies?

A representation may be deceptive if the majority of consumers in the target class do not share the consumer’s interpretation, so long as a significant minority of such consumers is misled.

Exaggerated claims or “puffery” are not deceptive if a reasonable consumer would not take the claims seriously.

A representation, omission, act, or practice is material if it is likely to affect a consumer’s choice of, or conduct regarding, the product or service. Information that is important to consumers is material.

Certain categories of information are presumed to be material such as costs, benefits, or restrictions on the use or availability.

Express claims made with respect to a financial product or service are presumed material. Implied claims are presumed to be material when evidence shows that the institution intended to make the claim (even though intent to deceive is not necessary for deception to exist).

Claims made with knowledge that they are false are presumed to be material. Omissions will be presumed to be material when the financial institution knew or should have known that the consumer needed the omitted information to evaluate the product or service.

If a representation or claim is not presumed to be material, it still would be considered material if there is evidence that it is likely to be considered important by consumers.

The Dodd-Frank Act makes it unlawful for any covered person or service provider to engage in an “abusive act or practice.”  This is an act or practice which—

  1. materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service; or
  2. takes unreasonable advantage of—

a) a lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service;

b) the inability of the consumer to protect the interests of the consumer in selecting or using a consumer financial product or service; or

c) the reasonable reliance by the consumer on a covered person to act in the interests of the consumer.

Combined, this definition of “abusive” indicates terms, disclosures and advertisements for products need to be clear and easily understood without reliance on micro-font footnotes or other disclosures that may be “legalese” or have “hidden” terms. It also tells us that the more complex a product or service is, the more it may need to be explained and this will also depend on the market it is provided for. Lastly it says the bank has to act in the best interest of the consumer. It will not be enough to say, “we made the full disclosure, so we are covered for liability.”

Consumer complaints play a key role in the detection of unfair, deceptive, or abusive practices. As a general matter, consumer complaints can indicate weaknesses in elements of the institution’s compliance management system, such as training, internal controls, or monitoring. Complaints against subsidiaries, affiliates and third parties which pertain to your institution and its products and services are included in this analysis. While the absence of complaints does not ensure that unfair, deceptive, or abusive practices are not occurring, complaints may be one indication.

Now let’s examine some recent penalties and while I will use one specific example, as you read this and contemplate the issues, think broadly. As an example, this first penalty involves a credit card product. Do not discount it because it is a credit card, and your bank may not offer them but pay attention to it because it is about the advertising of the product, the training of staff, and the failure to deliver what was advertised.

The advertisement was targeted to sell new credit card accounts. Both existing customers and new ones were the target market. The intent was to have them qualify for the new card and then to meet prescribed spending requirements to qualify for a bonus. The plain terms on the face of the advertisement stated what was required as to the spending threshold. The bonus was central to the advertisement.  Remembering the criteria for UDAAP compliance, in this case a consumer could reasonably conclude that if they qualified for the new card and met the spending limit, they would receive the bonus.

The issuers of the product failed to state that the bonus would be offered only to consumers who applied online. This made the advertisements misleading as they were incomplete. Staff were not correctly trained on how to program these accounts, which further lead to bonuses not being paid. And because not all consumers would qualify for the bonus because of how they applied, the ads were deceptive. This is like many of the UDAAP enforcement actions taken on add-on products. That is poor marketing, poor training and charging fees without ensuring that all the qualifications were disclosed, programmed, and understood by both staff and the consumer.

A second case examines debt collection and the Fair Debt Collections Practices Act (FDCPA). Do not skip this section because you do not believe that the FDCPA does not apply to your bank because you collect your own debts. I believe the CFPB could connect the FDCPA to UDAAP dots in this manner. The FDCPA states in many places that certain acts or practices can be unfair or deceptive. As an unfair or deceptive act, UDAAP can then apply and using this proxy, UDAAP is violated while collection one’s own debt because of how it was done. I have not yet seen this in practice, but is it worth testing the action? I would not.

The FDCPA prohibits the use of any false representation or deceptive means to collect or attempt to collect any debt.   What examiners found was debt collectors proposing an alternate payment plan with past due borrowers. It was noted the new payment plan, when repaid, would improve the borrower’s credit because they paid the revised plan and extinguished the debt. That has to be better and lead to an improved credit rating, right? But there are many factors affecting creditworthiness and a person’s credit score, including repayment of the debt.  Saying that paying just this loan would improve their credit score and lead to increased borrowing power could be misleading.  Examiners found that the least sophisticated consumer could conclude from this discussion was that deleting derogatory information by paying this loan would result in improved creditworthiness, and this created the risk of a false representation and was a deceptive means to collect the debt. This is then defined as a UDAAP issue. You may not be subject to the FDCPA, but you are to UDAP and UDAAP.

Mortgage servicing is a hot issue as many borrowers are exiting pandemic protection forbearance plans on their home loans and may be ill equipped to resume payments. Mortgage servicing exams have identified various Reg Z and X violations, as well as UDAP problems. Remember UDAAP is brought up when a product or service: (1)  causes or is likely to cause substantial injury; (2) the injury is not reasonably avoidable by consumers; and (3) the substantial injury is not outweighed by countervailing benefits to consumers or to competition.

Examiners found that mortgage servicers engaged in the following unfair acts or practices by:

  • charging delinquency-related fees to borrowers in CARES Act forbearance plans. (Refer to the Coronavirus Aid, Relief, and Economic Security Act, Section 4022(b)(3) prohibits a mortgage servicer from imposing fees, penalties, or interest beyond the amounts scheduled or calculated as if the borrower made all contractual payments on time and in full under the terms of the mortgage contract);
  • failing to stop electronic fund transfers after receiving notice that the consumer’s bank account was closed, and an NSF fee had been assessed; and
  • assessing fees for services that exceeded the actual cost of the services performed.

Read this and look for those UDAAP buzzwords. The CFPB report said that consumers experienced substantial injury in the form of illegal fees, which were considered significant because these are the consumers experiencing hardships from the pandemic.  The mortgage servicers failed to refund some of the fees until almost a year after they were assessed.  These consumers  likely suffered further harm when because of these fees, they could not pay other expenses they had.  The injury was to a large number of consumers.  The consumers could not reasonably avoid the injury because they could not anticipate that the mortgage servicers would assess unlawful fees and they had no reasonable means to avoid the fees from being charged.  Charging the illegal fees did not provide any countervailing benefit to consumers.

Expanding on the second bullet above, what examiners found were mortgage servicers that engaged in unfair acts or practices by failing to terminate preauthorized EFTs that the servicer should have realized were from closed or inactive accounts. Examiners found that servicers received notices of account closures but continued to initiate EFTs from the closed accounts each month until the consumer affirmatively canceled the preauthorized EFT.  Borrowers experienced substantial injury because the mortgage servicers’ practices resulted in repeated NSF charges.  Borrowers could not reasonably avoid the injury because they could not anticipate that the mortgage servicers would continue to attempt the EFTs, even where the EFT agreement disclosed that the EFTs would terminate when the “from” account was closed.  The continued attempts to withdraw payment from closed accounts and fees associated with the subsequent NSF transactions did not provide any countervailing benefit to consumers.

Another issue examiners found was that mortgage servicers engaged in deceptive acts by incorrectly disclosing transaction and payment information in borrowers’ online mortgage loan accounts. They found violations of Reg X (RESPA) requirements to evaluate a borrower’s complete loss mitigation applications within 30 days of receipt. Reg Z requirements relating to overpayments to borrowers’ escrow accounts and Homeowners Protection Act (HPA) requirements to automatically terminate PMI as required were subtopics found with the online statement errors.

Still on the topic of mortgage servicing, some practices were deemed deceptive because  inaccurate descriptions of payment and transaction information was provided in online mortgage statements.  The inaccurate descriptions and information were likely to mislead borrowers because the information was false.  It would be reasonable for borrowers to rely on their mortgage servicers to report accurate mortgage payments and account transaction histories wherever the information was offered.  The inaccurate descriptions and information were material because they were likely to affect borrowers’ conduct regarding their mortgage payments.

February 2022 OBA Legal Briefs

  • Reg E FAQs – Part II

Reg E FAQs – Part II

By Andy Zavoina

Last month I introduced you to the updated Reg E FAQ Guidance issued by the Consumer Financial Protection Bureau (CFPB). The FAQ is a Compliance Aid as defined by the CFPB. It is not a new rule, but guidance on compliance with an existing rule. When a Compliance Aid such as an FAQ is issued, it can be periodically revised as is the case here.  In this instance the existing rules are addressing Reg E concerns. Unlike the first iteration of Reg E FAQs issued in June 2021 this update addresses new concerns and not just what bankers were getting wrong. In this iteration, issued December 13, 2021, there are several issues addressed on Person-to-Person payments and specifically on liability.  The interpretation is not favorable for banks.

The purpose of the Compliance Aid is not to write new rules, but to clarify how the CFPB interprets what is already in the laws, regulations and official interpretations without having to go through a rule writing process.

In January’s Reg E FAQ – Part I, we explained how the CFPB was going back to the bare definitions of what is an electronic fund transfer (EFT) and what is a financial institution. Briefly, EFTs are electronic transfers to or from a consumer’s account. Financial institutions include banks and can include P2P providers. And if a P2P provider does not hold the consumer’s account, issues its own access device such as the logon for an app, and has no agreement with a bank to do such transfers, under 1005.14 that vendor has Reg E liability and responsibility. Lastly, we ended last month’s Part 1 with the CFPB interpretation that if the bank and the P2P vendor have an ACH agreement to move funds and share another agreement such as each accepting the others debit cards, then the exception at 1005.14 placing error resolution liability on the P2P provider does not apply. The fact that each entity will accept the other’s debit cards satisfies the need for an “agreement.” We also noted the CFPB expressed this opinion to bankers at least nine months in advance of issuing the FAQ, so it was a somewhat accepted opinion within the CFPB.

Now, let’s continue a review of the third and fourth sections of the Reg E FAQs as updated in December 2021 and we will add a few compliance recommendations.

Error Resolution

In this section the CFPB restates much of what the regulation and prior iteration of the FAQ had with two of the questions shown as new.

1,  What is an error for purposes of EFTA and Regulation E?

While shown as a new question, the information is not changed from the regulatory verbiage, but this is intended to be a foundational topic on which claims will build.

An error under EFTA and Regulation E includes any of the following:

  • An unauthorized EFT.
  • An incorrect EFT to or from the consumer’s account.
  • The omission from a periodic statement of an EFT to or from the consumer’s account that should have been included.
  • A computational or bookkeeping error made by the financial institution relating to an EFT.
  • The consumer’s receipt of an incorrect amount of money from an electronic terminal.
  • An EFT not identified in accordance with the requirements of 12 CFR 1005.9 or 1005.10(a).
  • A consumer’s request for any documentation required by 12 CFR 1005.9 or 1005.10(a) or for additional information or clarification concerning an EFT

(12 CFR 1005.11(a)(1)).

The term “error” does not include:

  • A routine inquiry about the consumer’s account balance;
  • A request for information for tax or other recordkeeping purposes; or
  • A request for duplicate copies of documentation.

(Comment 11(a)-6).

2. What are a financial institution’s error resolution obligations under Regulation E?

Again, this is not new information but is necessary to build on in the following FAQs.

In general, Regulation E requires that after a financial institution receives oral or written notice of an error from a consumer, the financial institution must do all of the following:

  • Promptly investigate the oral or written allegation of error.
  • Complete its investigation within the time limits specified in Regulation E.
  • Report the results of its investigation within three business days after completing its investigation.
  • Correct the error within one business day after determining that an error has occurred.

12 CFR 1005.11(c)(1).

The investigation must be reasonable, including a reasonable review of relevant information within the financial institution’s own records.  2019-BCFP-0001.  The Bureau found that a financial institution did not conduct a reasonable investigation when it summarily denied error disputes if consumers had prior transactions with the same merchant, and the financial institution did not consider other relevant information such as the consumer’s assertion that the EFT was unauthorized or for an incorrect amount.  2019-BCFP-0001.  If the error is an unauthorized EFT, certain consumer liability limits apply.  12 CFR 1005.6.

3.  If private network rules provide less consumer protection than federal law, can a financial institution rely on private network rules?

The CFPB indicates this is not an update. It does reiterate what has been noted in practice for many years, that a consumer’s rights may not be adversely affected by an agreement.

Although private network rules and other agreements may provide additional consumer protections beyond Regulation E, less protective rules do not change a financial institution’s Regulation E obligations.  [See 15 USC  1693l.  For example, some network rules require consumers to provide notice of an error within 60 days of the date of the transaction, even though Regulation E, 12 CFR 1005.11(b)(1)(i), allows consumers to provide notice within 60 days after the institution sends the periodic statement showing the unauthorized transaction.  Other network rules allow a financial institution to require a consumer to contact the merchant before initiating an error investigation, even though 1005.11(b)(1) triggers error investigation obligations upon notice from the consumer.  The Bureau discussed instances where examiners found financial institutions had violated the 60-day notice requirement in the Summer 2020 edition of Supervisory Highlights.

4.  Can a financial institution require a consumer to file a police report or other documentation as a condition of initiating an error resolution investigation?

This is not updated from June 2021 but is reposted here so as to be a complete reference to the reader.

No.  A financial institution must begin its investigation promptly upon receipt of an oral or written notice of error and may not delay initiating or completing an investigation pending receipt of information from the consumer.  See Comments 11(b)(1)-2 and 11(c)-2.  In the past, Bureau examiners found that one or more financial institutions failed to initiate and complete reasonable error resolution investigations pending the receipt of additional information required by the institution.  These examples can be found in the Bureau’s Summer 2020 edition of Supervisory Highlights and Fall 2014 edition of Supervisory Highlights.  The Bureau cited similar violations in 2019-BCFP-0001.

Error Resolution: Unauthorized EFTs

With EFT errors defined and some basic responsibilities set, the FAQ looks deeper at unauthorized transfers and provides guidance banks will need to evaluate their practices and procedures.

1.  What is an unauthorized EFT?

While the CFPB’s answer has a December date as a new addition, it is regulatory verbiage that has not changed, so accept it as a reminder of the rules as it helps express the duties and liabilities of the bank.

An unauthorized EFT is an EFT from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit. 12 CFR 1005.2(m). Unauthorized EFTs include transfers initiated by a person who obtained a consumer’s access device through fraud or robbery and consumer transfers at an ATM that were induced by force.  Comments 2(m)-3 and 4.

The term unauthorized EFT does not include an EFT initiated through any of the following means:

(1) By a person who was furnished the access device to the consumer’s account by the consumer, unless the consumer has notified the financial institution that transfers by that person are no longer authorized.  12 CFR 1005.2(m)(1).  This exclusion does not apply to transfers initiated by a person who obtained a consumer’s access device through fraud or robbery.  Comment 2(m)-3.

(2) With fraudulent intent by the consumer or any person acting in concert with the consumer.  12 CFR 1005.2(m)(2); or

(3) By the financial institution or its employee, 12 CFR 1005.2(m)(3).

This FAQ is important and often misunderstood by claims investigators. It is important to understand that a consumer loaning their debit card to someone does not provide evergreen authorization for use until the consumer reports to the bank that the person is no longer authorized to use the card. Essentially that person given the card is authorized until the consumer customer retrieves the card or notifies the bank. Once the customer re-secures the card the authorization has ended. If that authorized user remembers the PIN and steals the card, that’s fraud or robbery and not authorized use. If a bank has a problem with these types of losses remind the users of security precautions, the ability to get a new card or change the PIN, and the possibility that the bank will rescind the card and not re-issue it if the bank chooses. There is no legal right to have a debit card. That is a feature of having a deposit account at your bank. Many bankers have also not read the back of the debit cards they issue. All I have looked at specifically states the card is the property of the bank. That provides the bank with the option to rescind that card and make it non-usable.

2.  If a transfer meets the Regulation E definition of unauthorized EFT, how does a financial institution determine the consumer’s liability, if any?

Not an updated response from the first FAQ – but in short if the claim is valid, § 1005.6 is used to determine liability based on when the transfers happened, if an accepted access device was used, and when the bank was notified. The response is as follows:

“If a consumer has provided timely notice of an error under 12 CFR 1005.11(b)(1) and the financial institution determines that the error was an unauthorized EFT, the liability protections in Regulation E section 1005.6 would apply. Depending on the circumstances regarding the unauthorized EFT and the timing of the reporting, a consumer may or may not have some liability for the unauthorized EFT. See 12 CFR 1005.6(b).”

The three basic tiers of liability are up to $50 for a timely notice of the claim within 2 business days of the consumer learning of the loss or theft [of an access device], up to $500 if the notice is beyond 2 business days and potentially unlimited for those transfers occurring after 60 days after the first statement was sent to the consumer reflecting an unauthorized transfer.

3.  Is an EFT from a consumer’s account initiated by a fraudster through a non-bank P2P payment provider considered an unauthorized EFT?

Shown as a new question and using P2P as an example, the CFPB states, “Yes.  Because the EFT was initiated by a person other than the consumer without actual authority to initiate the transfer – i.e., the fraudster – and the consumer received no benefit from the transfer, the EFT is an unauthorized EFT.  12 CFR 1005.2(m).  This is true even if the consumer does not have a relationship with, or does not recognize, the non-bank P2P payment provider.”

Succinctly, in this case it is a basic theft because the consumer did not do, authorize, or benefit from the transaction. Whether the customer had a relationship already with the P2P provider is immaterial.

4.  Does an EFT initiated by a fraudster using stolen credentials meet the Regulation E definition of an unauthorized EFT?

The response is still a basic example of a theft but specifically uses stolen credentials to execute the transfer.

“Yes.  As discussed in Electronic Fund Transfers Error Resolution: Unauthorized EFT Question 1, Regulation E defines an unauthorized EFT as a transfer from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit.  12 CFR 1005.2(m).  When a consumer’s account access information is obtained from a third party through fraudulent means such as computer hacking, and a hacker uses that information to make an EFT from the consumer’s account, the transfer is an unauthorized EFT under Regulation E.

For example, the Bureau is aware of the following situations involving unauthorized EFTs:

  • A consumer shares their account access information in order to enter into a transaction with a third party, such as a merchant, lender, or employer offering direct deposit, and a fraudster obtains the consumer’s account access information by hacking into the computer system of the third party. The fraudster then uses a bank-provided P2P payment application to initiate a credit push payment out of the consumer’s deposit account.
  • A consumer shares their debit card information with a P2P payment provider in order to use a mobile wallet. A fraudster then hacks into the consumer’s phone and uses the mobile wallet to initiate a debit card transfer out of the consumer’s deposit or prepaid account.
  • A thief steals a consumer’s physical wallet and initiates a payment using the consumer’s stolen debit card.

See Electronic Fund Transfers Error Resolution: Unauthorized EFTs Question 5 for more examples of unauthorized EFTs.

All of the financial institutions in these examples, including any non-bank P2P payment provider or deposit account holding financial institution, must comply with the error resolution requirements discussed in Electronic Fund Transfers Error Resolution Question 2, as well as the liability protections for unauthorized transfers in 12 CFR 1005.6.

5.  A third party fraudulently induces a consumer into sharing account access information that is used to initiate an EFT from the consumer’s account. Does the transfer meet Regulation E’s definition of an unauthorized EFT?

A key to this June 2021 question is that the consumer was duped into providing account access information and the while the consumer did provide it, it was not with the intent of creating a transfer. That was done fraudulently, and Reg E is a consumer protection regulation. The CFPB provided the following guidance:

“Yes.  As discussed in Electronic Fund Transfers Error Resolution: Unauthorized Fund Transfers Question 1, Regulation E defines an unauthorized EFT as an EFT from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit.  12 CFR 1005.2(m).  Comment 1005.2(m)-3 explains further that an unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery.  Similarly, when a consumer is fraudulently induced into sharing account access information with a third party, and a third party uses that information to make an EFT from the consumer’s account, the transfer is an unauthorized EFT under Regulation E.

For example, the Bureau is aware of the following situations where a third party has fraudulently obtained a consumer’s account access information, and thus, are considered unauthorized EFTs under Regulation E: (1) a third-party calling the consumer and pretending to be a representative from the consumer’s financial institution and then tricking the consumer into providing their account login information, texted account confirmation code, debit card number, or other information that could be used to initiate an EFT out of the consumer’s account, and (2) a third party using phishing or other methods to gain access to a consumer’s computer and observe the consumer entering account login information.  EFTs stemming from these situations meet the Regulation E definition of unauthorized EFTs.”

6.  If a third-party fraudulently induces a consumer to share account access information, are subsequent transfers initiated with the fraudulently obtained account information excluded from Regulation E’s definition of unauthorized electronic fund transfer because they are initiated “[b]y a person who was furnished the access device to the consumer’s account by the consumer”?

As in the example above, the subsequent transfers were not the intent of the consumer. Even if the consumer authorized one transfer, the intent was for that one transfer, not any additional. Perhaps more to the exact question, any and all transfers that use fraudulently obtained access can be part of a valid EFT claim because there was no intent for the transfers and the consumer received no benefit. So, the CFPB states, “No.  A consumer who is fraudulently induced into providing account information has not furnished an access device under Regulation E.  As explained above in Electronic Fund Transfers Error Resolution: Unauthorized EFTs 3, 4, and 5, EFTs initiated using account access information obtained through fraud or robbery fall within the Regulation E definition of unauthorized EFT.  See Comment 1005.2(m)-3.”

7.  Can a financial institution consider a consumer’s negligence when determining liability for unauthorized EFTs under Regulation E?

The regulation has never allowed a consumer’s negligence to be used in denying a claim of unauthorized use. The Reg commentary even uses the example of a consumer writing their PIN on the card. In that case the claim would still be valid because there was no intended use allowed. Some vendors may offer enhanced liability protections such as zero liability and some of those enhancements may be reduced because of negligence. But the basic requirements of Reg E do not change, only the enhanced protections.

The June FAQ stands, “No.  Regulation E sets forth the conditions in which consumers may be held liable for unauthorized transfers, and its commentary expressly says that negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible under Regulation E.  12 CFR 1005.6; Comment 6(b)-2.  For example, consumer behavior that may constitute negligence under state law, such as situations where the consumer wrote the PIN on a debit card or on a piece of paper kept with the card, does not affect the consumer’s liability for unauthorized transfers under Regulation E.  Comment 1005.6(b)-2.”

8.  If a financial institution’s agreement with a consumer includes a provision that modifies or waives certain protections granted by Regulation E, such as waiving Regulation E liability protections if a consumer has shared account information with a third party, can the institution rely on its agreement when determining whether the EFT was unauthorized and whether related liability protections apply?

This restated response further illustrates that rights granted under Reg E may not be taken away. I will add that there are times a consumer will call and make a claim. Perhaps they are on vacation and a great distance away and when told the card will be canceled and reissued in a few days, they protest. They say they will accept the liability because they cannot be without their card while away. That is not an option. The consumer cannot accept that additional liability because to do so would amount to the bank taking away the consumer’s legal rights.

“No.  EFTA includes an anti-waiver provision stating that “[n]o writing or other agreement between a consumer and any other person may contain any provision which constitutes a waiver of any right conferred or cause of action created by [EFTA].”  15 U.S.C. § 1693l.  Although there may be circumstances where a consumer has provided actual authority to a third party under Regulation E according to 12 CFR 1005.2(m), an agreement cannot restrict a consumer’s rights beyond what is provided in the law, and any contract or agreement attempting to do so is a violation of EFTA.”

9.  If a consumer provides notice to a financial institution about an unauthorized EFT, can the financial institution require that the consumer first contact the merchant about the potential unauthorized EFT before the financial institution initiates its error resolution investigation?

Remember that the consumer has basic requirements to file a claim with the bank, and the bank is required to determine if it was an unauthorized use and to investigate and determine liability. The only things the consumer is required to do is indicate who they are and why they believe their account had an unauthorized transfer. Nothing allows the bank to refuse a claim and impose additional requirements beyond what the EFTA has required.

The CFPB’s response: “No.  A financial institution must begin its investigation promptly upon receipt of an oral or written notice of error and may not delay initiating or completing an investigation pending receipt of information from the consumer.  See Comments 11(b)(1)-2 and 11(c)-2.  For example, in 2019-BCFP-0001, the Bureau found that the practice of requiring a consumer to contact the merchant before initiating an error resolution investigation was a violation of Regulation E.  Similarly, the Fall 2014 edition of Supervisory Highlights discussed instances where examiners found that one or more financial institutions had instructed consumers to contact the merchant instead of promptly initiating an error investigation.”

10.  Do private network rules, such as provisions that a transfer is final and irrevocable, impact whether a P2P credit-push transfer meets the Regulation E definition of unauthorized EFT?

This is a new question and addresses specifically a P2P payment. Many P2P agreements indicate that when a transfer is sent and is based on, for example, a cell phone number, the transfer is completed and not reversible once it is accepted by the recipient. There is no process to reverse the transfer from the recipient. This question emphasizes that the bank’s consumer is protected regardless of any network rules. This is a question demonstrating additional liability on the bank. There is no process requiring the consumer to contact the cell number that received the funds and demand the return of those funds. The bank or P2P vendor may attempt this as a part of the investigation but likely there would be no response from the receiver of the funds, especially if the transfer was part of a fraud transaction.

“No.  Although private network rules and other commercial agreements may provide for interbank finality and irrevocability, they do not reduce consumer protections against liability for unauthorized EFTs afforded by the Electronic Fund Transfer Act.  See 15 USC 1693g(e). Moreover, no agreement between a consumer and any other person may waive any right provided by the EFTA.  See 15 USC 1693l.  Accordingly, any financial institution in this transaction must comply with the error resolution requirements discussed in Electronic Fund Transfers Error Resolution Question 2, as well as the liability protections for unauthorized transfers.”

11.  A fraudster initiates an EFT through a non-bank P2P payment provider that the consumer does not have a relationship with from the consumer’s account with a depository institution. Is the depository institution considered a financial institution with full error resolution obligations under Regulation E?

This is another new and P2P specific question. If a fraudster sets up an account using someone else’s identity and account information, transfers can be valid claims.

The Bureau’s response:

“Yes.  As discussed in Electronic Fund Transfers Coverage: Financial Institutions Question 1, the definition of financial institution includes a bank, savings association, credit union, or any other person that directly or indirectly holds an account belonging to a consumer, or that issues an access device and agrees with a consumer to provide EFT services.  12 CFR 1005.2(i). Here, the account-holding financial institution holds the consumer’s account, and is thus considered a financial institution under Regulation E.  Any entity defined as a financial institution under Regulation E has error resolution obligations in the event that a consumer notifies the financial institution of an error, with limited exceptions.  12 CFR 1005.11.  As discussed in Electronic Fund Transfers Error Resolution: Unauthorized Transfers Question 4, since the transaction is an unauthorized EFT, the depository institution must comply with any applicable liability protections for unauthorized transfers in 12 CFR 1005.6.”


Based on this interpretation in the FAQs regarding P2P transactions and liability, we can expect more examiner scrutiny on any claim pertaining to P2P losses by consumers. Prior to the FAQs many in the industry interpreted the needed “agreement” under 1005.14 to be a specific agreement defining the duties of the P2P vendor and the bank and this could have included liability. It may have also addressed daily transactions limits and many P2P vendors allow greater limits on transactions than banks do. Banks consciously keep daily limits low to protect the consumer’s balances and reduce losses. Exceptions are generally granted upon request and verification by the consumer. With the bank having to bear the burden of claims processing and payment liability the P2P vendor’s transaction limitations now control the amount of losses banks may have.

Under Reg E and the Electronic Fund Transfer Act (EFTA) consumers are granted certain rights. While the bank and a vendor may have separate agreements addressing some of these same rights – such as monetary liability for unauthorized transactions, the consumers rights always stand and may not be adversely limited by any of these agreements. You can always treat a consumer better, but never worse than the law or regulation provides.

In many cases, because of the CFPB’s interpretation pertaining to a broad definition of what an agreement with the bank is, banks will see an increase in liability for Reg E claims involving P2P transfers reported as unauthorized if the banks were pushing these claims to the P2P vendors in the past. If the P2P vendor allows a $1,200 daily limit and the bank has a $400 daily limit, two similar transfers will arrive at the bank in different ways. The P2P vendor will ACH the funds but a consumer would have directly been allowed say only $400 using their debit card. If the transfer is claimed as unauthorized, the bank now has a greater chance of losing $1,200 rather than $350. Remember the consumer typically has liability for the first $50 when an accepted access device is used. An ACH directly from the consumer’s account is not using an accepted access device between the consumer and the bank. It is easy to see how, in an example such as this, losses could grow over prior years.

Recommended Actions:

If the data is readily available, your bank may want to review EFT claims to determine, based on the new guidance, how many and what amount of EFT claims were P2P related in the past year or two and what new liability the bank may have. This may be a budgeting issue that needs to be addressed depending on the volumes you have seen. You must recognize if this will be a complication and how severe it may be.

Bank staff involved in any part of the claims process may require training to recognize P2P claims as valid EFT claims on which the bank is now deemed responsible. Where these may have been referred to the P2P vendor in the past, that may no longer be allowed.

Advise customers of ways to protect themselves – and the bank. Do not write PINs on debit cards. Secure their cell phones. Use multifactor authentication. Review balances and transactions regularly and even advertise services the bank has where it can advise a consumer of their balance and/or large transactions, etc.

When using P2P transfers, the consumer needs to absolutely verify the recipient that funds will be going to is the intended recipient. And watch out for fraudsters. If a consumer will buy hundreds or thousands of dollars in gift cards and send that information to a fraudster, they will certainly take the convenient track and P2P the funds to an unknown person.

For now, we have Reg E guidance that will, for many banks, increase Reg E liability for more valid claims than in the past. Bank management and the industry as a whole will need to determine if these are valid risks banks want to accept, or if the banks want to find other ways to reduce these claims without disadvantaging consumers and certainly without reducing any Reg E rights. Can ACH transfers require sone customer authentication or verification? Can a limit be placed on daily transfers or each transfer over a given amount?

Lastly, determine if this guidance will require any changes to bank policies and procedures and react appropriately.

January 2022 OBA Legal Briefs

  • The FDCPA Regulation—Part 2
  • The CFPB’s Reg E FAQ—Part 1

Don’t Ignore the FDCPA Regulation (Part 2)

By John Burnett

Part 1 of our update on the CFPB’s Regulation F (12 CFR Part 1006), “Fair Debt Collection Practices Act,” appears in our November 2021 Legal Briefs.

False, deceptive, or misleading representations or means

To remain compliant with section 1006.18 of the regulation, debt collectors cannot use any false, deceptive, or misleading representation or means in connection with their collection of any debt.

The regulation provides examples of the things that a compliant debt collector cannot do in paragraphs (b) through (d) of this section.

False, deceptive or misleading representations: Debt collectors must not falsely represent or imply that—

  • they are vouched for, bonded by, or affiliated with federal or state government including through the use of a badge, uniform, or facsimile of a badge or uniform
  • they operate or are employed by a consumer reporting agency (credit bureau)
  • they are attorneys or that any communication is from an attorney
  • the consumer committed any credit or other conduct, in order to disgrace the consumer
  • a sale, referral, or other transfer of any interest in a debt causes or will cause the consumer to:
    • lose any claim or defense to payment of the debt, or
    • become subject to any practice banned by the regulation
  • accounts have been turned over to innocent persons for value
  • documents are legal process
  • documents are not legal process forms or do not required action by the consumer

Debt collectors also must not falsely represent the character, amount, or legal status of any debt, or falsely represent any services rendered, or compensation that may be lawfully received, by the debt collector for the collection of a debt.

Many, many complaints to the CFPB included collectors who had incorrect information about the amount of the debt, and in some cases the debts had already been paid off or settled and no amount was owed. The consumers had to prove to the collector that an aged bill had been paid and this can take a lot of time and effort and the “official loan records” which the collector should have, are really what’s needed. Did the creditor accept payments after a loan was sold?  Did a settled amount not get properly written off? These are issues the consumer can’t easily fix and the collector is not interested in doing because they are interested in collecting money, as perhaps their income depends on how much they bring in. But the collector must know what’s owed.

Debt collectors mustn’t represent or imply that nonpayment of a debt will result in a person’s arrest or imprisonment, or the seizure, garnishment, attachment or sale of a person’s property or wages, unless such action is lawful, and the debt collector or creditor intends to take such action.

False, deceptive, or misleading collection means:

  • Threatening to take any action that cannot legally be taken or that is not intended to be taken (such as threatening to sue when you don’t or won’t sue to collect the debt)
  • Communicating or threatening to communicate to any person credit information that the debt collector knows or should know is false, including the failure to communicate that a disputed debt is disputed.
  • Using or distributing any written communication that simulates or that the debt collector falsely represents to be a document authorized, issued, or approved by any court, official, or agency of the U.S. or any state, or that creates a false impression about its source, authorization, or approval.
  • Using any business, company or organization name other than the true name of the debt collector’s business, company or organization.

False representations or deceptive means. Use of any false representation or deceptive means to collect or attempt to collect a debt or to obtain information concerning a customer is forbidden by the regulation. This is a catch-all that can cover any deceptive tactic that isn’t specifically listed.

For example, in a social media context, it would be a false representation or implication for a debt collector to request to be added as one of a consumer’s contacts or “friends” on a social media platform marketed for social or professional networking purposes if they do not disclose their identity as a debt collector in the request.

Or assume that a debt collector communicates privately with a friend or coworker of a consumer on a social media platform, for the purpose of getting location information about the consumer. The debt collector must identify himself or herself individually by name when communicating for the purpose of acquiring location information. To avoid violating that requirement, the debt collector must communicate using a profile that accurately identifies the debt collector’s individual name. (There is a limited exception for the consistent use of assumed names. See “Use of assumed names” below.) The debt collector also must comply with the other applicable requirements for obtaining location information (e.g., with respect to stating that the debt collector is confirming or correcting location information concerning the consumer and, only if expressly requested, identifying the name of the debt collector’s employer), for communicating with third parties and for communicating through social media.

Initial communication with debtor: A collector must disclose in their initial communication with a consumer that the debt collector is attempting to collect a debt and that any information obtained will be used for that purpose. If the debt collector’s initial communication with the consumer is oral, the debt collector must repeat the disclosure that they are attempting to collect a debt in its initial written communication with the consumer.

In each subsequent communication with the consumer, the debt collector must disclose that the communication is from a debt collector. These disclosures must be in the same language or languages used for the rest of the communication.

Use of assumed names. A debt collector’s employees can use assumed names when communicating or attempting to communicate with a person, but only if the employee uses the assumed name consistently and the debt collector can readily identify any employee using an assumed name.

Unfair or unconscionable means

Debt collectors cannot use unfair or unconscionable means to collect or attempt to collect any debt, including any of the following conduct:

Collection of unauthorized amounts, such as interest, fees, charges or expenses not expressly authorized by the loan note or other agreement creating the debt or permitted by law. Many collectors were in the habit of collecting more than legally permitted, on the theory that excess funds collected could always be returned.

Acceptance or use of postdate payment instruments, such as a check or other instrument post-dated more than five days, unless the consumer is notified in writing of the debt collector’s intent to deposit the check or instrument no more than 10 nor less than 3 days (excluding weekends and legal public holidays) before making the deposit.

Solicitation of post-dated checks or other payment instruments for the purpose of threatening or instituting criminal prosecution (“Give me a post-dated check and I won’t have you arrested.”)

Depositing (or threatening to) any post-dated check before its date (“You gave me four post-dated checks. I will run them all if you don’t come up with a cash payment!”)

Causing charges resulting from concealment of purpose. That’s a fancy way of saying a debt collector can’t pose as a friend or family member to make a collect telephone call to get a consumer to answer the telephone. The word “telegram” is included in this paragraph of the rule just in case someone figures out how to send a collect telegram. There are still ways to make collect phone calls, and they can be expensive for the person who accepts such a call.

Taking or threatening to take any nonjudicial action to effect dispossession or disablement of property if the creditor or debt collector has no current right to take possession of or to disable the property or has no present intention to take possession of it, or the property is exempted by law from dispossession or disablement.

Restrictions on use of certain media. Debt collectors are not allowed to:

  1. Communicate with a consumer about a debt by postcard
  2. Use any language or symbol other than the debt collector’s address, on any envelope when communicating with a consumer by mail (the debt collector’s business name may appear on the envelope if it does not show that the debt collector is in the business of debt collection).
  3. Communicate or attempt to communicate with a consumer by email sent to an email address the debt collector knows is provided to the consumer by the consumer’s employer, unless the consumer has directly given the debt collector prior consent to use that address, or the consumer has sent the debt collector an email from that address and has not subsequently rescinded the expressed or implied consent to use of the address.
  4. Communicate (or attempt to) with a person about collection of a debt through a social media platform if the communication or attempt can be viewed by the public or the person’s social media contacts.

Time-barred debts

Every state has statutes of limitations that prescribe the time limit for bringing a legal action to collect a debt. In some cases, these time limits can vary by the type of debt.

A time-barred debt is one for which the applicable statute of limitations has run or expired.

Under the FDCPA regulation, a debt collector is not allowed to bring or threaten to bring a legal action against a consumer to collect a time-barred debt.

Other prohibitions and requirements

There are miscellaneous other requirements in the regulation that prohibit certain actions and mandate others.

  • 1006.30—Other prohibited practices.
  • 1006.34—Notice for validation of debts.
  • 1006.38—Disputes and requests for original-creditor information.
  • 1006.42—Sending required disclosures.
  • 1006.100—Record retention

Why is this important for bankers?

The Fair Debt Collection Practices Act itself and the FDCPA regulation (Regulation F) are replete with prohibitions against actions that are deemed Unfair, Deceptive, or Abusive, the first three words abbreviated in UDAAP. If a bank were found to engage regularly in the unfair, deceptive, or abusive actions banned in this regulation, it would not be unreasonable for a regulator to bring an enforcement action against the bank under the UDAP provisions of the FTC Act or for the Bureau to bring an action against a large bank for violations of the UDAAP provisions of the Consumer Protection Act of 2010.

The more immediate concern, however, is that a bank that hires an outside debt collection firm has responsibility to verify that firm’s and its collectors’ compliance with the FDCPA and the regulation.

The CFPB’s Reg E FAQ – Part 1

By Andy Zavoina

In one episode of the TV sitcom Big Bang Theory, Leonard asked Sheldon, “What you would be if you were attached to another object by an incline plane wrapped helically around an axis?” And Sheldon answered appropriately, “Screwed.” When I teach Reg E, I typically say more than once that “Reg E is not fair to banks, and it is not meant to be. Reg E is a consumer protection regulation.” But the Electronic Fund Transfers FAQs issued in December 2021 by the Consumer Financial Protection Bureau have taken these protections up a notch. Using its interpretive authority without requesting input from the industry or public, The CFPB has made banks liable for more transactions than in the past, at least based on the common interpretations of the past.

This guidance is in the form of FAQs which the CFPB considers a Compliance Aid. Compliance Aids were introduced in February 2020. Refer to the Federal Register / Vol. 85, No. 17, January 27, 2020, page 4579. The CFPB stated it is not intended that Compliance Aids will bind banks and other entities to new rules. Unlike actual regulations and official interpretations, Compliance Aids are not “rules” under the Administrative Procedures Act.  Instead, Compliance Aids present the requirements of existing rules and statutes in a manner that is useful for those who must comply with the rules as well as the public and others interested in the topics. Compliance Aids can include practical suggestions for how to properly comply with these rules. An FAQ Compliance Aid from the CFPB is simply an explanation of how it connects the dots and interprets an existing rule. It is not new, but it is how those currently in the driver’s seat at the CFPB understand the rule. Again, above all, Reg E, which implements the Electronic Fund Transfer Act, is intended to protect consumers, and the CFPB will read and interpret it from that perspective. It is not intended to be fair to the banks or others.

Now, let’s preview the Reg E FAQs. This December 13, 2021, issuance is an update of the original FAQs on Reg E the CFPB issued on June 4, 2021. It is not all new content. There are four major categories and questions and answers under each.

  • “Coverage: Transactions” is the first section and it contains five new questions and answers. This general topic lays the foundation for interpretations that follow.
  • The second section, “Coverage: Financial Institutions” has four new questions and answers. This section is intended to add clarity as to who the banks and other entities such as “Person to Person” (P2P) vendors are. By defining the roles of these players, we are better able to define the responsibilities of each based on the transactions and relationships between the players.
  • Section three is “Error Resolution,” and it is a general topic. There are four questions and answers, of which two are new to the topic and two were issued in June 2021.
  • The fourth and final section is “Error Resolution: Unauthorized EFTs.” It includes six restated questions and answers from June 2021 and five new ones specific to the topic at hand as Reg E drills into some liability issues particular to P2P payments.

Section two on Coverage is perhaps one of the more controversial. As I read the FAQs the last question is where I annotated “gotcha” in the column. As far back as March 2021 one banker on the BOL threads referred to a conversation with an attorney at the CFPB who opined banks could not displace error resolution responsibilities and liabilities to a P2P third-party vendor as they were believing they could under § 1005.14. And nine months later we received this in print.

Under § 1005.14 a person that provides an electronic fund transfer service to a consumer (think P2P providers like Zell, Venmo, CashApp, etc.) but does not hold the consumer’s account, is subject to the error resolution requirements if the person meets a two-pronged test:

  1. The person issues a debit card (or other access device) that the consumer can use to access the consumer’s account held by a bank, and
  2. The person has no agreement with the account-holding institution regarding such access.

P2P providers often have an agreement directly with a bank to provide services to that bank’s customers. In that case the bank still has Reg E error resolution responsibilities. But when that company is acting on its own it assumes these responsibilities. At least that is how many bankers interpreted the rules.

Under that common understanding, most P2P providers issue logon credentials for access in an app or to a web site such as with a smartphone and this constitutes an access device. Therefore § 1005.14 applies when 1) the service provider offers EFT services and 2) the provider does not have an agreement with the bank who holds the account in question.  So, when a bank consumer customer loans their smartphone to someone who then without authority uses the P2P app to transfer money, the bank simply executed the debit order and sent the funds through the P2P provider to a destination not known by the bank. The P2P provider issued an access device, does not hold the deposit account, and has no agreement to execute such orders with the bank. Section 1005.14 has been used by many banks because of this understanding to refer the harmed consumer to the P2P provider they selected on their own, for satisfaction of a claim.

A. Coverage: Transactions

1. What transactions are covered by the Electronic Fund Transfer Act and Regulation E?

This is new to the FAQ, but the answer provided is not. It is straight out of Reg E, but it must be understood as it is a foundation for most of what follows. Per § 1005.3(a) the answer reminds us this is all about electronic fund transfer requests to a financial institution (FI) to debit or credit a consumer’s account. It applies to checking, savings and other consumer asset accounts, held directly or indirectly by a FI and established primarily for personal, family or household use.

The rules apply to any transfer of funds that is initiated through an electronic terminal, telephone, computer, or magnetic tape for the purpose of ordering, instructing, or authorizing a FI to debit or credit a consumer’s account, 1005.3(b)(1). Here the CFPB states inclusively that Reg E applies to any P2P or mobile payment transaction that meets the definition of EFT, including debit card, ACH, prepaid account and other EFTs to or from a consumer account. So, an EFT to or from a P2P vendor is an EFT to your consumer customer’s account.

2. Can person-to-person or “P2P” payments be EFTs under Regulation E?

This reinforces what was just presented as the short CFPB answer is “Yes.” The specific answer is that in general, yes, so long as the P2P payment meets the definition of an EFT, it is under Reg E.

3. Is a P2P payment that uses the consumer’s debit card to transfer funds considered an EFT?

Short answer, “Yes.” This allows the tying of a debit card to the P2P account and clearly includes such transfers.

4. Is a credit-push P2P payment that transfers funds out out of a consumer’s deposit, prepaid, or mobile account considered an EFT? (The FAQ uses “out” twice.)

Short answer is again, “Yes.” It ties back to the definition of an EFT and this meets that definition while associating the transfer as out of a consumer deposit. It further explains that a credit-push P2P transfer is considered an EFT even if the payment was initiated by a third party that fraudulently obtained access to the consumer’s account. An example is by using login credentials stolen in a data breach or obtained through fraudulent inducement. The credit-push P2P transfer would be considered an unauthorized EFT. The consumer neither did it, authorized it nor benefitted from the EFT and the credentials were obtained fraudulently. Remember, too, that if the access device as defined under 1005.2(a)(1) was not an accepted device, the consumer’s liability under 1005.6(a)-(b) may be eliminated and become the responsibility of the bank.

5.  Is a P2P debit card “pass-through” payment considered an EFT?

Another “Yes” plus the explanation that a “pass-through” payment transfers funds from the consumer’s account held by an external FI to another person’s account held by an external FI.Now the FAQ introduces a third-party P2P vendor. It tells us a “pass-through” payment is initiated through a FI that does not hold a consumer’s account, such as a non-bank P2P provider. It restates the foundational question and answer 1 above, that Reg E applies to any EFT that authorizes a debit or credit from a consumer’s account. Therefore, debit card “pass through” payments are EFTs.

B. Coverage: Financial Institutions

In this section the FAQ better defines who the financial institution players are to assist in defining liability and responsibility.

1. What is a financial institution under EFTA and Regulation E?

 Simply put it includes banks, savings associations, credit unions, and:

any other person that directly or indirectly holds an account belonging to a consumer, or

any other person that issues an access device and agrees with a consumer to provide electronic fund transfer (EFT) services.

This includes providers of P2P payment and bill payment services if they directly or indirectly hold an account belonging to a consumer, or if they issue an access device and agree with a consumer to provide EFT services.

So far so good, except that more of the answer clarifies how the P2P provider may become liable itself (it states essentially the two-pronged test under 1005.14), and then how that liability can revert to the FI based on another agreement. It states, “In narrow circumstances, a financial institution can also be considered a “service provider” under Regulation E. A financial institution who provides EFT services to a consumer but does not hold the consumer’s account is a service provider under Regulation E if the financial institution: (1) issues an access device that the consumer can use to access the account and (2) no agreement exists between the access device-issuing financial institution and the account-holding financial institution.  12 CFR 1005.14(a).  The automated clearing house (ACH) rules alone do not generally constitute an agreement for purposes of whether a financial institution meets the definition of “service provider” under Regulation E. However, an ACH agreement combined with another agreement to process payment transfers – such as an ACH agreement under which members specifically agree to honor each other’s debit cards – is an “agreement,” and thus section 1005.14 does not apply. Comment 14(a)-2.” So, the ACH agreement, plus another agreement such as acceptance of each other’s debit cards is sufficient to eliminate the § 1005.14 exception.

In the past many have interpreted that second agreement as one being between the P2P provider and the bank such as when the bank is endorsing and using Zelle. That would eliminate that § 1005.14 exception, but the CFPB tells us that both accepting each other’s debit cards, as an example, constitutes that agreement regardless of specific terms as to liability.

2. Can non-bank P2P payment providers be considered financial institutions under Regulation E?

The CFPB says, “Yes” as expected and refers to what is defined as a FI. It goes on to explain that the FI has certain responsibilities, as it states that even, “non-account-holding providers of P2P payment or bill payment services are considered covered financial institutions under Regulation E if the provider issues an access device and agrees with a consumer to provide EFT services. 12 CFR 1005.2(i).  For example, a P2P provider may enter into an agreement with a consumer for a mobile wallet that the consumer can use to initiate debit card transactions from their external bank account to another person’s external bank account.

Any entity defined as a financial institution under Regulation E has error resolution obligations in the event that a consumer notifies the financial institution of an error, with limited exceptions.”

3. If a non-bank P2P payment provider initiates a debit card “pass-through” payment from the consumer’s account held by a depository institution to a different person’s account at another institution, is the non-bank P2P payment provider considered a financial institution under Regulation E?

Response from the CFBP is “generally yes.” It references the definitions of what is an FI and states that “an entity, including a non-bank P2P payment provider, enters into an agreement with a consumer to provide EFT services and issues an access device, and initiates a debit card “pass-through” payment, then that entity would be covered as a financial institution under Regulation E.  Any entity defined as a financial institution under Regulation E has error resolution obligations in the event that a consumer notifies the financial institution of an error. So, we still can read that when there is liability for unauthorized EFTs, the FI will hold liability. But at this point we commonly have the bank, which is an FI, and a P2P provider, which can be an FI. The key to liability is that the bank is liable unless 1005.14 and the two-pronged test can come into play.

4.  If a consumer uses a non-bank P2P payment provider to initiate a debit card “pass-through” payment from the consumer’s account held by a depository institution, is the depository institution considered a financial institution under Regulation E, even though the transfer was initiated through the non-bank P2P payment provider?

The answer is Yes, and this has the definitive “Gotcha.” The bank holding the deposit account has full Reg E error resolution responsibilities as there is a narrow circumstance that redirect those responsibilities when 1005.14 applies. This exception is not applicable when there is an ACH agreement combined with another agreement to process payment transfers – such as an ACH agreement under which members specifically agree to honor each other’s debit cards. This constitutes an “agreement,” and 1005.14 does not apply. Comment 14(a)-2.

Conclusively, the FAQ states, where an EFT is initiated through a non-bank P2P payment provider using a consumer’s debit card information, the P2P provider and the account-holding financial institution are parties to an agreement to honor each other’s debit cards – the debit card network rules – and the service provider provision in 12 CFR 1005.14 does not apply.  The account-holding financial institution has full error resolution responsibilities.

5.  I know many bankers will state that the card acceptance issue is not an agreement per se with the P2P provider and liability is not addressed, plus the P2P provider controls the daily limits that are here said to be the bank’s liability. That is all true but again, the CFPB is protecting the consumer and looking at the raw definitions. Until the industry can come to terms on the specifics to an “agreement,” banks will have the responsibility in most P2P disputes. Remember too, that a bank may not reduce any consumer rights afforded by the EFTA and Reg E. It may have other agreements with vendors, but the consumer’s rights may not be diminished.

The final two sections of the Reg E FAQs and recommended actions will be covered in next month’s Legal Briefs.


December 2021 OBA Legal Briefs

  • 2022 to-dos today
  • New year, new rule—Computer-security incident notification
  • Foreclosure forbearance reminder
[Editor’s note: Due to the timeliness of this months articles, Part 2 of last month’s article on the new Fair Debt Collection Practice Act regulation will appear in our January 2022 Legal Briefs.]


2022 to-dos today

By Andy Zavoina

It is hard to believe that we are at the end of the year so soon. On the other hand, it seems like 2021 has lasted two years already. Still, we have worked through most of a pandemic but started bringing many if not all workers back into the branches, as well as our customers and soon we may expect examiners. It is time to get ready for 2022 and that means some of the light housekeeping may be in order. Let’s review some of your annual compliance chores to ensure they are tidy and cared for.

Security, Annual Report to the Board of Directors § 208.61 – The Bank Protection Act requires that your Security Officer report at least annually to the board of directors on the effectiveness of the security program. The substance of the report must be reflected in the minutes of the meeting. The regulations don’t specify if the report must be in writing, who must deliver it, or what information should be in the report. It is recommended that your report span three years and include last year’s historical data, this year’s current data and projections for the next year.

Similar to compliance reporting to the board, this may include a personal presentation, or it may not. I recommend that it is, as it is an opportunity to express what is being done to control what has happened as well as foreseeable events and why, as that can assist you in getting the budget and assets necessary in the coming year. While the year end is not necessarily the most desirable time to make such a presentation, take whatever time you do get and use it wisely. Annual presentations such as this are better done when the directors can focus more on the message so try to avoid quarter ends, and especially the fourth quarter. This is not a “how-to” on the annual security report, but you can find more on the topic, free, on the BankersOnline Tools by searching on “annual security program.”

Regulation O, Annual Resolution §§ 215.4, 215.8 – In order to comply with the lending restrictions and requirements of 215.4, you must be able to identify the “insiders.” Insider means an executive officer, director, or principal shareholder, and includes any related interest of such a person. Your insiders are defined in Reg O by title unless the Board has passed a resolution excluding certain persons. You are encouraged to check your list of who is an insider, verify that against your existing loans, and ensure there is a notification method to keep this list updated throughout the year.

Reg BB (CRA), Content and availability of Public File § 228.43 – Your Public Files must be updated and current as of April 1 of each year. Many banks update continuously, but it’s good to check. You want to ensure you have all written comments from the public from the current year plus each of the two prior calendar years. These are comments relating to the bank’s efforts in meeting community credit needs (your SBA loans may play a key role here) as well as any responses to comments. You also want a copy of the last public section of the CRA Performance Evaluation. That must be placed here within 30 days of receipt. Ensure you are keeping up with branch locations and especially ATMs, as those may change. The regulation has more on the content of this file. It may be best to review it with an audit workpaper to use as a checklist to avoid missing any required items.

CRA Notice and Recordkeeping  § 228.42, 228.44, 1003.5 – CRA data, which can include small business and small farm as well as home mortgages are gathered based on specific reporting requirements for the Loan Application Registers (LAR). CRA and HMDA information, if applicable, must be submitted by March 1, for the prior calendar year. If you are a reporter of either LAR you should start verifying the data integrity now to avoid stressing the process at the end of February. HMDA mortgage data should be compiled quarterly so this should not be a huge issue, but a thorough scrubbing as the new year starts and submission preparation readies is always warranted.

Pertaining to this, national banks should ensure they have reviewed and updated as needed the CRA, FHA and ECOA notices in accordance with the Aug. 5, 2021, OCC Bulletin 2021-35. This bulletin provided updated content for the appropriate names and addresses for notices required by the Community Reinvestment Act and Equal Credit Opportunity Act, and for posters under the Fair Housing Act. National banks were required to make the appropriate changes to their notices and posters within 90 days of the issuance which then had a mandatory compliance date of Nov. 3, 2021.

Fair Credit Reporting Act – FACTA Red Flags ReportSection VI (b) (§ 334.90) of the Guidelines (contained in Appendix J) require a report at least annually on your Red Flags Program. This can be reported to either the Board, an appropriate committee of the Board, or a designated employee at the senior management level.

This report should contain information related to your bank’s program, including the effectiveness of the policies and procedures you have addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts, as well as service provider arrangements, specifics surrounding and significant incidents involving identity theft plus management’s response to these and any recommendations for material changes to the bank’s program. Times change, customers habits change, and importantly criminals change and each may require tweaks to the bank’s program.

Reg E § 1005.8– If your consumer customer has an account to or from which an electronic fund transfer can be made, an error resolution disclosure is required. There is a short version that you may have included with each periodic statement. If you’ve used this, you are done with this one. But if you send the longer version that is sent annually, it is time to review it for accuracy and ensure it has been sent or is scheduled to be. Electronic disclosures under E-SIGN are allowed here.

This is also a good time to review §1005.7(c) (additional electronic fund transfer services) and determine if any new services have been added and if they were disclosed as required. Think Person-to-Person transfers like Zelle, Venmo or Square. These require disclosure and inaccurate disclosures may affect your claims processing.

HMDA Notice and Recordkeeping § 1003.4, 1003.5 – HMDA data are gathered as home mortgage loans are applied for and are compiled quarterly if your bank is a HMDA reporter. There are specific and detailed reporting requirements for the Loan Application Register (LAR) itself. The LAR must be submitted by March 1 for the prior calendar year. If you are a reporter, you should start verifying the data integrity now and this is of vital importance if you have a large volume of records to report. When a systemic error is found it can be very time consuming to scrub all files for errors and correct them.

Annual MLO Registration § 1007.102 – Mortgage Loan Originators must go to the online Registry and renew their registration. This is done between November 1 and December 31. If this hasn’t been completed, don’t push it to the back burner and lose track during the holidays and then have to join a year-end rush to complete this task. This is also a good time to plan with management and Human Resources any MLO bonus plans. Reg Z Section 1026.36(d)(1)(iv)(B)(1) allows a 10 percent aggregate compensation limitation on total compensation which includes year-end bonuses.

Reg P § 1016.5 –There are exceptions allowing banks which meet certain conditions to forgo sending annual privacy notices to customers. The exception is generally based on two questions, does your bank share nonpublic personal information in any way that requires an opt-in under Reg P, and have you changed your policies and practices for sharing nonpublic personal information from the policies and procedures you routinely provide to new customers? Not every institution will qualify for the exception, however. John Burnett wrote about the privacy notice conundrum in the July 2017 Legal Briefs. That article has more details on this.

When your customer’s account was initially opened, you had to accurately describe your privacy policies and practices in a clear and conspicuous manner. If you don’t qualify for the exception described above, you must repeat that disclosure annually as well. Ensure that your practices have not changed and that the form you are sending accurately describes your practices.

For Reg P and the Privacy rules, annually means at least once in any period of 12 consecutive months during which that relationship exists. You may define the 12-consecutive-month period, but you must apply it to the customer on a consistent basis, so this is not necessarily a December or January issue, but it could be. And each customer does not have their own “annual date.” If a consumer opens a new account with you in February, you provide the initial privacy notice then. That is year one. You can provide the annual privacy notice for year two at any time, up until December 31 of the second year.

It is important to note that unlike most other regulatory requirements, Reg P doesn’t require E-SIGN compliance for your web-based disclosures. You can use e-disclosures on your bank website when the customer uses the website to access financial products and services electronically and agrees to receive notices at the website, and you post your current privacy notice continuously in a clear and conspicuous manner on the website. So, the demonstrable consent requirements and others in E-SIGN’s 15 USC Sect. 7001(c) do not apply, but there must still be acceptance to receive them on the web. Alternatively, if the customer has requested that you refrain from sending any information regarding the customer relationship and your current privacy notice remains available to the customer upon request this method is acceptable.

Fair Credit Reporting Act – Affiliate Marketing Opt-Out § 1022.27(c) – Affiliate marketing rules in Reg V place disclosure restrictions and opt out requirements on you. Each opt-out renewal must be effective for a period of at least five years. If this procedure is one your bank is using, you must know if there are there any expiration dates for the opt-outs and have these consumers been given an opportunity to renew their opt-out?

Annual Escrow Statements § 1024.17 – For each escrow account you have, you must provide the borrower(s) an annual escrow account statement. This statement must be done within 30 days of the completion of the escrow account computation year. This need not be based on a calendar year. You must also provide them with the previous year’s projection or the initial escrow account statement, so they can review any differences. If your analysis indicates there is a surplus, then within 30 days from the date of the analysis you must refund it to the borrower if the amount is greater than or equal to $50. If the surplus is less than that amount, the refund can be paid to the borrower, or credited against the next year’s escrow payments.

Reg Z Thresholds and Updates § 1026.00– These changes are effective January 1, 2022. You should ensure they are available to staff or correctly hard coded in your systems:

  • For open-end consumer credit plans under TILA, the threshold that triggers requirements to disclose minimum interest charges will remain unchanged at $1.00
  • For open-end consumer credit plans under the CARD Act amendments to TILA, the adjusted dollar amount in 2022 for the safe harbor for a first violation penalty fee will increase to $30 and the adjusted dollar amount for the safe harbor for a subsequent violation penalty fee will increase to $41
  • For HOEPA loans, the adjusted total loan amount threshold for high-cost mortgages in 2022 will be $22,969.
  • The adjusted points-and-fees dollar trigger for high-cost mortgages in 2022 will be $1,148.
  • For qualified mortgages (QMs) under the General QM loan definition in § 1026.43(e)(2), the thresholds for the spread between the annual percentage rate (APR) and the average prime offer rate (APOR) in 2022 will be:
    • 2.25 or more percentage points for a first lien covered transaction with a loan amount greater than or equal to $114,847
    • 3.5 or more percentage points for a first lien covered transaction with a loan amount greater than or equal to $68,908 but less than $114,847
    •  6.5 or more percentage points for a first lien covered transaction with loan amount less than $68,908
    • 6.5 or more percentage points for a first lien covered transaction secured by a manufactured home with a loan amount less than $114,847
    • 3.5 or more percentage points for a subordinate-lien covered transaction with a loan amount greater than or equal to $68,908
    • 6.5 or more percentage points for a subordinate-lien covered transaction with a loan amount less than $68,908
  • For all categories of QMs, the thresholds for total points and fees in 2022 will be:
    • 3 percent of the total loan amount for a loan greater than or equal to $114,847
    • $3,445 for a loan amount greater than or equal to $68,908 but less than $114,847
    • 5 percent of the total loan amount for a loan greater than or equal to $22,969 but less than $68,908
    • $1,148 for a loan amount greater than or equal to $14,356 but less than $22,969
    • 8 percent of the total loan amount for a loan amount less than $14,356
  • For Higher Priced Mortgage Loans (HPMLs), the special appraisal requirement exemption amount will be $28,500
  • The consumer lease (Reg M) and consumer credit transaction (Reg Z) exemption thresholds will be $61,000.

BSA Annual Certifications – Your bank is permitted to rely on another financial institution to perform some or all the elements of your CIP under certain conditions.  The other financial institution must certify annually to your bank that it has implemented its AML program. Also, banks must report all blockings to OFAC within ten days of the event and annually by September 30, concerning those assets blocked as of June 30.

Information Security Program part of GLBA – Your bank must report to the board or an appropriate committee at least annually. The report should describe the overall status of the information security program and the bank’s compliance with regulatory guidelines. The reports should discuss material matters related to the program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management’s responses; and recommendations for changes in the information security program.

IRAs, IRS Notice 2002-27  If a minimum distribution is required from an IRA for a calendar year and the IRA owner is alive at the beginning of the year, the trustee that held the IRA on the prior year-end must provide a statement to the IRA owner by January 31 of the calendar year regarding the required minimum distribution.

Training – An actual requirement for training to be conducted annually is rare, but annual training has become the industry standard and may even be stated in your policies. There are six areas that require training (this doesn’t mean you don’t need other training, just that these regulations have stated requirements).

  • BSA (12 CFR §21.21(c)(4) and §208.63(c)(4) Provide training for appropriate personnel.
  • Bank Protection Act (12 CFR §21.3(a)(3) and §208.61(c)(1)(iii)) Provide initial & periodic training
  • Reg CC (12 CFR §229.19(f) Provide each employee who performs duties subject to the requirements of this subpart with a statement of the procedures applicable to that employee)
  • Customer Information Security found at III(C)(2) (Pursuant to the Interagency Guidelines for Safeguarding Customer Information), training is required. Many banks allow for turnover and train as needed, imposing their own requirements on frequency.)
  • FCRA Red Flag (12 CFR 222.90(e)(3)) Train staff, as necessary, to effectively implement the Program;)
  • Overdraft protection programs your bank offers. Employees must be able to explain the programs’ features, costs, and terms, and to explain other available overdraft products offered by your institution and how to qualify for them. This is one of the “best practices” listed in the Joint Guidance on Overdraft Protection Programs issued by the OCC, Fed, FDIC and NCUA in February 2005 (70 FR 9127, 2/24/2005), and reinforced by the FDIC in its FIL 81-2010 in November 2010.

Miscellany – Some miscellaneous items you may address internally in policies and procedures include preparation for IRS year-end reporting, vendor due diligence requirements including insurance issues and renewals, documenting ORE appraisals and sales attempts, risk management reviews, records retention requirements and destruction of expired records, and a designation by the bank’s board of the next year’s holidays. And last but not least, has there been a review of those staffers who have not yet taken vacation or “away time” to the five consecutive business days per the Oklahoma Administrative Code 85:10-5-3 “Minimum control elements for bank internal control program”?

New year, new rule – Computer-security incident notification

By Andy Zavoina

On November 18, 2021, there was a joint release by the OCC, FDIC and the Federal Reserve concerning a new rule intended to close a gap on computer-security incident reporting requirements. The new final rule does several things. Succinctly, a bank will have 36 hours to report certain computer related security incidents to its prudential regulator. That sounds like a tight time frame, and it is, but the 79-page final rule provides a lot more details. We will leave it to the group within your bank to slice and dice the details, but we wanted to give you a detailed overview of these new requirements so that it can be discussed intelligently and planned for accordingly.

As FDIC Chairman Jelena McWilliams put it, the rule “addresses a gap in timely notification to the banking agencies of the most significant computer-security incidents affecting banking organizations.” For many years banks have been tasked with reporting computer related security incidents to its regulator whether that be a formal requirement or in informal one. This final rule has a mandatory compliance date of May 1, 2022. Preparations for compliance will therefore be mixed with still working through the pandemic, the holiday season, CRA and HMDA scrubs and all things IRA and IRS. There is a lot to do in the next five months.

The new requirements are imposed not just on your bank to report to its federal regulator, but on certain of the bank’s service providers to report incidents to you. This allows the bank to then make a determination as to whether or not it must then in turn report up the food chain to its regulator, the OCC, FDIC or Fed.

So, let’s get to the nitty gritty.

When: The bank must notify its federal regulator as soon as possible and not later than 36 hours after determining a “notification incident” has occurred.

The rule separately requires your service providers to notify your bank as soon as possible when the service provider determines it has experienced “a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.”

You may be questioning the service provider’s timing requirement of “as soon as possible.” Read that to include a sense of urgency. The proposal wanted immediate notification but that is a very high benchmark and virtually impossible to follow. Timing is something the bank should discuss with its providers in advance, as well as whether there will be a designated point of contact with a back-up named, or if by default the contact is the chief executive or chief information officer or a comparable position.

What: The focus here is broadly described as “computer-security incident that materially disrupts or degrades, or is reasonably likely to materially disrupt or degrade, covered services provided by a bank service provider.”

The final rule attempts to partially synchronize the definition of a computer-security incident with an existing definition from the National Institute of Standards and Technology (NIST). The final rule defines “computer-security incident” as an occurrence that results in actual harm to an information system or the information contained within it.  Computer related incidents “may include major computer-system failures; cyber-related interruptions, such as distributed denial of service and ransomware attacks; or other types of significant operational interruptions.”

As defined in the final rule, a notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s: (i) ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or (iii) operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”

There is obviously a lot in the final rule, and it may depend on your actual involvement in the IT area as to how deep your role will go. There will obviously be several subject matter experts involved in the task of compiling a risk strategy prior to completing any policy and procedures for compliance with the rule.

Why: The bank is required to notify its regulator within such a short period because the intent is to promote early awareness of the threat and the fact that others in the industry may be subject to similar threats. If there is a broader risk, it must be immediately addressed. This is the same reason a service provider is required to notify its bank customer – so that the bank can determine the risk to itself and the banking customers. A notification from a service provider may trigger a bank’s notification to its regulator.

This is separate from the requirements on the bank to address potential exposure or the actual loss of customer information and the reporting requirements that are triggered from that.

Practical Application: The bank needs to define some critical examples of the incidents it could foresee and ensure that there is room for interpretation as technology and attacks on it vary and change with time. The service providers fitting into these critical roles are those subject to the Bank Service Company Act. You may refer to 12 USC 18 Bank Service Companies as well as FIL-49-99 Required Notification for Compliance with the Bank Service Company Ac and FIL-19-2019 Technology Service Provider Contracts for more on who is subject to the rule and the responsibilities of the parties involved. If not referenced in contracts with these service providers already, amended and future contracts may mandate notifications requirements for qualified incidents.

Of importance is defining the moment that the 36-hour window opens is when the bank determines that a notification incident has occurred. The proposal started this clock when there was a “good faith belief” so the bank will want to best define these terms based on the descriptions and examples in the final rule. It is recommended the bank use clear procedures to evaluate the risk of any system compromise or failure that qualifies.

Because the final rule is targeted toward an occurrence that results in actual harm to an information system or the information contained within it, material incidents such as systems failures and the ever-increasing threat of ransomware attacks are an instigator for these rules. If your bank has insurance against ransomware attacks you may incorporate procedures associated  with that with procedures for the new rules. Pay attention to the term “actual harm” as that was a key variation from the proposal. The NIST definition was broader and the regulators wanted to narrow the reportable incidents to those that actually occurred. The regulators expressed that the changes were made to “narrow the focus of the final rule to those incidents most likely to materially and adversely affect banking organizations.” One example was a large-scale distributed denial of service attack that disrupts customer account access for an extended period of time, meaning longer than four hours.

Foreclosure forbearance reminder

By Andy Zavoina

The CFPB is all about protecting consumers and that point was reiterated in a November 10, 2021, release, “CFPB Takes Action to Prevent Avoidable Foreclosures.”

The Bureau announced that working in concert with other agencies (the FDIC, NCUA, OCC and others) they were prepared to enforce the protections in place for families and homeowners who are at risk of losing their homes. Protections were put in place to provide alternatives to foreclosure, and there are an estimated one million home loans with forbearance programs put in place due to COVID-19 which are due to expire at the end of 2021.

CFPB Director Rohit Chopra  said, “Failures by mortgage servicers and regulators worsened the impact of the economic crisis a decade ago…. Regulators have learned their lesson, and we will be scrutinizing servicers to ensure they are doing all they can to help homeowners and follow the law.” The agencies mentioned above issued a joint statement in April 2020 advising they would relax enforcement of Reg. X because of the pandemic. The recent statement is clear that lenders and servicers have had ample opportunity to adapt and the requirements of Reg. X all apply at this time.

It reminds servicers there needs to be attention to the borrower’s needs. Borrowers need a meaningful chance at loss mitigation programs, not lip service. This means the servicer must have adequate staff to handle the accounts and to communicate to borrowers what may be available to them. There are many options available for streamlined loss mitigation programs and servicers should be familiar with what is available to qualified applicants. There should be consistency in who is communicating with a borrower and efforts to avoid unnecessary handoffs and disqualification from a program followed by option to start a new process for some alternative program with someone else.

Those borrowers ending a forbearance program should also be allowed to resume scheduled payments. Determine if most or all of any missed payments can be deferred to the end of the current Note obligation under a deferral agreement. If needed, explore options to modify an existing loan and lower their payments if necessary and if feasible. Lastly, in many areas it is a sellers’ market and it may be an option that allows them to lessen any loss of equity in their home.  Your efforts at avoiding foreclosure should be well documented.

It is recommended that a pre-foreclosure checklist be used to ensure all the banks records are in order before a home is put into a foreclosure process. Document efforts to avoid foreclosure, to find loss mitigation programs, modifications available, deferral amounts and the borrower’s ability to maintain any restructuring that could be done. Then verify that all the bank’s disclosures required for the loan (think TRID and Reg B) were complete and accurate. If there are any deficiencies, consider how material they may be and if a plaintiff’s attorney could take advantage of them. Then, and only then, act accordingly.


November 2021 OBA Legal Briefs

  • Don’t ignore the FDCPA regulation coming November 30 (Part 1)
  • New Stuff on Legal Links

Don’t ignore the FDCPA regulations

By John S. Burnett
The Consumer Financial Protection Bureau’s revisions to Regulation F become effective on November 30, 2021, less than a month from now. While on their face the rules in Reg F will apply to debt collectors who collect debts owed to other parties, there is plenty to be concerned about in the Fair Debt Collection Practices Act itself and in revised Reg F for first-party creditors, including banks, who handle their collection of debts owed to them in-house.

But first, some background.

The current rule

Until May 3, 2021, the current CFPB regulation implementing the Fair Debt Collection Practices Act (FDCPA, 15 U.S.C. 1692 et seq.) did not actually implement the statute. As originally written, the FDCPA did not provide for implementing regulations at all. Instead, the Federal Trade Commission was given enforcement authority, and any violation of the FDCPA was deemed an unfair or deceptive act or practice (UDAP) in violation of the Federal Trade Commission Act. The Federal Reserve Board, Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation were given enforcement powers under the Federal Deposit Insurance Act, and the National Credit Union Administration was assigned enforcement responsibilities under the Federal Credit Union Act. Similar enforcement powers were granted to the Secretaries of Transportation and Agriculture.

Until May 3, 2021, 12 CFR Part 1006 (Regulation F), dealt only with procedures and criteria for states to apply to the Bureau for exemption of a class of debt collection practices within the applying state from the provisions of the FDCPA.

Subpart B added

On April 22, 2021, the CFPB published an interim final rule to add Subpart B to the regulation, with § 1006.9 (Debt Collection Practices in Connection with the Global COVID-19 Pandemic), which became effective May 3, 2021. This addition was made without the usual proposal, comment period, and final rule steps required under the Administrative Procedures Act due to the immediacy of the concerns the new section was issued to address.

Section 1006.9’s purpose is “to eliminate certain abusive debt collection practices by debt collectors related to the global COVID-19 pandemic, to ensure that debt collectors who refrain from using such abusive debt collection practices are not competitively disadvantaged, and to promote consistent State action to protect consumers against such debt collection abuses.” It remains effective during the effective period of the order issued by the Centers for Disease Control and Prevention titled Halt in Residential Evictions to Prevent the Further Spread of COVID–19 (86 FR 16731 (Mar. 31, 2021)), as extended. That order has expired, so Section 1006.9 is no longer effective.

The CFPB overhaul of Reg F

The Consumer Financial Protection Act of 2010 (CFPA, 12 U.S.C. 5561 et seq.), the portion of the Dodd-Frank Act that gave life to the Consumer Financial Protection Bureau and transferred the authority and responsibility for issuing regulations under a number of consumer protection statutes, included the FDCPA among the statutes for which the Bureau “may prescribe rules with respect to the collection of debts by debt collectors.”

The CFPB also has rulemaking authority to issue regulations for providers of financial products and services with regard to activity deemed by the Bureau to be “unfair, deceptive or abusive acts or practices” (UDAAP).

In May 2019, the Bureau issued proposed rules to implement provisions of the FDCPA. See 84 FR 23274. There was a comment period of 90 days.

The Bureau followed by issuing two final rules. The first (see 85 FR 76734 published on November 30, 2020 completely revised and reissued Regulation F, moving the existing provisions on state exemption applications to a new § 108 in a new Subpart D and new Appendix A. The second rule (see 87 FR 5766 published on January 19, 2021, finalized required disclosures by debt collectors and prohibited threats of suits or suits to collect time-barred debts under applicable statutes of limitations. The second rule also requires certain actions by debt collectors before furnishing information on a consumer’s debt to a consumer reporting agency.

Effective dates

Both of these final rules were to take effect on November 30, 2021. However, on April 19, 2021, the Bureau proposed delaying that date 60 days, to January 29, 2022. That proposal was withdrawn on July 30, 2021, leaving the effective date on November 30, 2021.

Frequently asked questions released

On October 1, 2021, the Bureau released frequently asked questions on limited-content messages and the call frequency provisions in the Debt Collection Rule. On October 29. 2021, additional FAQs were added to that document to address the validation information provisions in the Rule. As the Bureau compiles additional FAQs on the Rule, they will add them to the current FAQ document. You should check the link periodically to ensure you have the most current guidance from the CFPB.

Structure of the rule

The Regulation is set out in four subparts and three appendices (and Official Interpretations)—

• Subpart A includes the usual references to the legal authority for the regulation, its purpose and coverage. Persons covered by the rule include debt collectors, as defined in § 1006.2, except for motor vehicle dealers that are predominately engaged in the sale and/or leasing and servicing of motor vehicles.

• Subpart B comprises the substantive provisions of the regulation, providing rules for debt collectors. Much of this section of the rule focuses on communications.

• Subpart C is reserved.

• Subpart D includes miscellaneous requirements such as record retention, the relationship of the rule to state laws, and the provisions for state applications for exemption from portions of the regulation (due to similar state law requirements).

• Appendix A includes more detailed information and requirements for states seeking exemptions from portions of the regulation

• Appendix B includes Model Forms for compliance with the regulation

• Appendix C addresses the Bureau’s issuance of advisory opinions concerning the regulation (one such opinion was published at 81 FR 71977 on October 19. 2016

• Supplement I comprises Official Interpretations of the regulation by the CFPB. In the Regulations pages for Regulation F, these interpretations are broken out and included after the sections or paragraphs of regulatory text they interpret.

Applicability: “Debt collector”

Section 1006.2(a)(1) defines the term debt collector as “any person who uses any instrumentality of interstate commerce or mail in any business the principal purpose of which is the collection of debts, or who regularly collects or attempts to collect, directly or indirectly, debts owed or due, or asserted to be owed or due, to another. … the term debt collector includes any creditor that, in the process of collecting its own debts, uses any name other than its own that would indicate that a third person is collecting or attempting to collect such debts. For purposes of § 1006.22(e), the term also includes any person who uses any instrumentality of interstate commerce or mail in any business the principal purpose of which is the enforcement of security interests.”

Does that make your bank a debt collector? It’s clear that if your bank does collection work on debts owed to someone else, your bank is a debt collector subject to the regulation. There are some technical exceptions, which we’ll review in a moment. Does your bank, when collecting its own debts, use any name other than its own in its communications that might suggest it is using a third person to collect its debts? If so, the language in bold text in the definition above should concern you, because using that other name pulls the bank directly under the regulation’s requirements.

What are the exceptions? Paragraph 1006.2(it)(2) lists exceptions to the debt collector definition.

(i) Any officer or employee of a creditor while the officer or employee is collecting debts for the creditor in the creditor’s name;

(ii) Any person while acting as a debt collector for another person if:

(A) The person acting as a debt collector does so only for persons with whom the person acting as a debt collector is related by common ownership or affiliated by corporate control; and

(B) The principal business of the person acting as a debt collector is not the collection of debts;

(iii) Any officer or employee of the United States or any State to the extent that collecting or attempting to collect any debt is in the performance of the officer’s or employee’s official duties;

(iv) Any person while serving or attempting to serve legal process on any other person in connection with the judicial enforcement of any debt;

(v) Any nonprofit organization that, at the request of consumers, performs bona fide consumer credit counseling and assists consumers in liquidating their debts by receiving payment from such consumers and distributing such amounts to creditors;

(vi) Any person collecting or attempting to collect any debt owed or due, or asserted to be owed or due to another, to the extent such debt collection activity:

(A) Is incidental to a bona fide fiduciary obligation or a bona fide escrow arrangement;

(B) Concerns a debt that such person originated;

(C) Concerns a debt that was not in default at the time such person obtained it; or

(D) Concerns a debt that such person obtained as a secured party in a commercial credit transaction involving the creditor; and

(vii) A private entity, to the extent such private entity is operating a bad check enforcement program that complies with section 818 of the Act.

Consider paragraph (ii) in bold print in that list. Can a holding company or affiliate do debt collection on behalf of its subsidiary banks or other affiliates? It would seem so, but the exemption would not apply if the affiliate’s principal business is debt collection.

Be wary of the reach of UDAAP

Any violation – by anyone collecting debts – of the requirements of Regulation F can be deemed an Unfair, Deceptive, or Abusive Act or Practice (UDAAP), even when the person doing the debt collection is collecting its own debts.

Prior to Dodd-Frank in 2010, the FTC primarily enforced the FDCPA and UDAP and there was often a cross-over. The FTC reported common tactics debt collectors would use included telling a debtor they had committed a crime like check fraud, and unless they paid the debt, they could be arrested, be sued, have their wages garnished and go to jail. Many collectors harassed debtors, even after being provided with evidence that the debts had already been paid off. Some would illegally contact family, friends, and employers about the past due debts. So, the final rule is very much about communications in connection with debt collection and prohibitions on harassment or abuse, false or misleading representations, and unfair practices in debt collection.

Let’s connect the dots. If your bank did something deemed unfair or abusive in the way it communicated with a borrower, and the FDCPA or Regulation F said it was a UDAAP issue, could an examiner say the bank, while not subject to FDCPA, is subject to UDAAP/UDAP and it did something categorized as a UDAAP/UDAP violation? It’s easy to see that connection.

And, of course, there is the always-present requirement for vendor due diligence if the bank has a third party collecting debts owed to the bank.

Some definitions

Attempt to communicate means any act to initiate a communication or other contact with any person through any medium, including by soliciting a response from such person. This is very broad and is all encompassing. It also includes “limited content messages” which is a defined term defined a few paragraphs below.

The act of initiating communication or contact about a debt is an attempt regardless of whether it is successful. Example – you dial the number of a past due borrower. Whether or not you reach them, that is logged as an attempt.

Communicate or communication means conveying information about a debt directly or indirectly to any person through any medium. Leaving a “limited content message” is not “conveying information.” Similarly communicating something such as a marketing message is not conveying information as it is not debt related.

Debt is any obligation of a consumer to pay money arising from a transaction in which the money, property, insurance, or services are primarily for personal, family, or household purposes.

Limited-content message means a message for a consumer that includes all of the content in (j)(1) and may include any of the optional content described in (j)(2), and it includes no other content.

(1) Required content. …includes all of the following:

(i) The caller’s business name which is not indicative that this is a debt collection call

(ii) A request that the consumer reply to the message;

(iii) The name of a person or persons whom the consumer can contact in reply;

(iv) A telephone number the consumer can use for the reply:

(2) Optional content. In addition to the content described, you may include one or more of the following:

(i) A salutation;

(ii) The date and time of the message;

(iii) Suggested dates and times for the consumer to reply to the message, and

(iv) A statement that the return call they can speak to any rep from the company.

These limited content messages may really come into play on voicemails. They are not “communications” which, as you will see, come with frequency limitations. A call to a third party is not a limited content message because it isn’t to the debtor, such as to a “will call” who accepts messages. This is ok to the debtor – “This is Andy Zavoina calling from Last National Bank. Please contact me or John Burnett at 1-800-555-1212.”

Consumer – any natural person, whether living or deceased, obligated or allegedly obligated to pay any debt. For purposes of § 1006.6 – Communications, the term consumer includes “persons” (and see below).

Persons is broad and includes natural persons, corporations, companies, associations, firms, partnerships, societies, and joint stock companies.
For purposes of this section (on Communications), the term consumer includes:

(1) The consumer’s spouse;
(2) The consumer’s parent, if the consumer is a minor;
(3) The consumer’s legal guardian;
(4) The executor or administrator of the consumer’s estate, if the consumer is deceased;
(5) A confirmed successor in interest, as defined in Regulation X, 12 CFR 1024.31, and Regulation Z, 12 CFR 1026.2(a)(27)(ii).


Communications with the consumer in general

We will discuss some exceptions in a moment, but there are restrictions in contacting a consumer.

§ 1006.6(b) says a debt collector must not communicate or attempt to communicate with a consumer to collect a debt as prohibited by paragraphs (b)(1) through (3):

(1). Prohibits collection communication with a consumer based on time and place that is:

(i) At any unusual time, Unless the collector knows different based on a schedule, before 8:00 a.m. and after 9:00 p.m. local time to the consumer is inconvenient;

There have been complaints when a cell phone is called, and the consumer is now in a different time zone. These cases place the burden on the collector to know where the consumer is. It is difficult and courts have not allowed much latitude.

(ii) At any unusual place, or at a place that the collector knows or should know is inconvenient.

It may have been mentioned not to call at a time when the consumer says he’ll be in a meeting, or during a religious service or funeral the collector knows the consumer will be at.

(2) Except as provided in paragraph (b)(4) [below]…, a debt collector must not communicate or attempt to communicate with a consumer in connection with the collection of any debt if the debt collector knows the consumer is represented by an attorney with respect to such debt and knows, or can readily ascertain, the attorney’s name and address, unless the attorney:

(i) Fails to respond within a reasonable period of time to a communication from the debt collector; or

(ii) Consents to the debt collector’s direct communication with the consumer.

(3). A collector must not communicate or attempt to communicate with a consumer in connection with the collection of any debt at the consumer’s place of employment, if the collector knows or has reason to know that the employer prohibits the consumer from receiving the communication.

Places like a plant, for example, have employees working assembly lines. It can be a big deal to have someone’s work interrupted to come to a telephone. The consumers employment could be in jeopardy. Typically, if the employee tells you not to call at work, you must oblige. If you know the employer’s policy is to restrict such calls, don’t call.

If the consumer requests they not be contacted at work, they generally cannot be but can be asked how and when they should be contacted. Under 1006.22(f)(3) – “Unfair or unconscionable means” prohibits sending an email to an address that the collector knows is provided by the consumer’s employer. There are some nuances that allow this if the consumer has used it with you on the debt. That’s under 1006.22(f)(3). [More on emails later.]

Exceptions to the prohibitions on contact

Section 1006.6(b)(4) includes a couple of exceptions to the prohibitions on time, place, attorney and employer prohibitions in §§ 1006.6(b)(1) – (3). The prohibitions do not apply in the case of (1) prior consent from the consumer given directly to the debt collector during a communication that was not in violation, and (2) with the express permission of a court.

Refusal to pay or “cease communication” notice

Section 1006.6(c)(1) provides that, with limited exceptions, if a consumer notifies a debt collector in writing that the consumer refuses to pay a debt or that the consumer wants the debt collector to cease further communication with the consumer, the debt collector must not communicate or attempt to communicate further with the consumer with respect to such debt.

What are the exceptions?

This prohibition does not apply with a debt collector communicates or attempts to communicate further with respect to the debt—

(i) To advise the consumer that the debt collector’s further efforts are being terminated

(ii) To notify the consumer that the debt collector or creditor may invoke specified remedies that the debt collector or creditor ordinarily invokes

Do not make idle threats, but if repossession or foreclosure may be a remedy and it is used by the debt collector or creditor, you may indicate it will be considered. Small claims suits can also fit here.

(iii) Where applicable, to notify the consumer that the debt collector or creditor intends to invoke a specified remedy.

For example, if you must send a notice of intent to foreclose or repossess, it is allowed here.

Mortgage servicing exceptions.

The Official Interpretations to § 1006.6(c)(2) indicate that the written early intervention notice required by 12 CFR 1024.39(d)(3) falls within the exceptions to the cease communication provision. They also indicate that mortgage servicers who are subject to the FDCPA with respect to a mortgage loan is not liable under the FDCPA for complying with certain servicing rule provisions, including requirements to provide a consumer with disclosures regarding the forced placement of hazard insurance as required by 12 CFR 1024.37, a disclosure regarding an adjustable-rate mortgage’s initial interest rate adjustment as required by 12 CFR 1026.20(d), and a periodic statement for each billing cycle as required by 12 CFR 1026.41.

Prohibitions on communications with third parties

Section 1006.6(d)(1) includes a general prohibition on debt collector communications with third parties. Communications about the debt must only be with—

i. The consumer
ii. The consumer’s attorney
iii. A consumer reporting agency, if otherwise permitted by law
iv. The creditor
v. The creditor’s attorney, or
vi. The debt collector’s attorney

Exceptions: Section 1006.6(d)(2) includes these exceptions from those restrictions:

(i) For the purpose of acquiring location information, as provided in § 1006.10 (home address and telephone and place of employment)
(ii) With the prior consent of the consumer given directly to the debt collector;
(iii) With the express permission of a court of competent jurisdiction; or
(iv) As reasonably necessary to effectuate a post-judgment judicial remedy.

A case in point: the Eleventh Circuit Court of Appeals has held that a debt collector (as defined under the FDCPA) who transmits debtor information to a third party violates section 1692c(b) of the FDCPA, which prohibits debt collectors from communicating consumers’ personal information to third parties “in connection with the collection of any debt.” Hunstein v. Preferred Collection & Management Services, Inc., 994 F.3d 1341 (11th. Cir. 2021). If your bank farms out some of its collections to third-party collectors, part of your vendor due diligence should be verifying that the third party doesn’t contract out any part of that effort, including mailing services, etc.

Full disclosure: The Eleventh Circuit’s holding was made by a three-judge panel, from which one of the judges dissented. It is only binding in the states of Alabama, Florida, and Georgia, and the case was remanded back to the District Court to determine whether any unauthorized disclosure actually occurred, and whether the plaintiff is entitled to damages. Other cases involving debt collectors sharing debtor information with third parties are being brought in both federal and state courts. The issue should not be considered settled.

Communications via email and text

Sections 1006.6(d)(3) and (4) permit debt collectors to communicate with a debtor using an email address or phone number (for text messaging) recently used by the debtor regarding the debt unless the debtor subsequently opted out of using that address. But the debt collector may not use an email address or phone number that the debt collector knows has led to a prohibited disclosure of information. The debt collector must have procedures to ensure their use of email or text messaging remains compliant.

A collector who uses a specific email address, telephone number for text messages, or other electronic-medium address of a consumer must include in each such message a clear and conspicuous statement describing a reasonable and simple method by which the consumer can opt out of further electronic communications by the collector to that address or number. The collector may not require, directly or indirectly, that the consumer pay any fee to the collector or provide any information other than the consumer’s opt-out preferences and the email address, telephone number for text messages, or other electronic-medium address they do not want contact thru.

Assume that a debt collector sends a text message to a consumer’s mobile telephone number. The text message includes the following instruction: “Reply STOP to stop texts to this telephone number.” Assuming that it is readily noticeable and legible to consumers, this instruction constitutes a clear and conspicuous statement describing a reasonable and simple method to opt out.

Harassing, oppressive, or abusive conduct
Under § 1006.14(a) there is a general rule of conduct:
“A debt collector must not engage in any conduct the natural consequence of which is to harass, oppress, or abuse any person in connection with the collection of any debt, including, but not limited to, the conduct described in paragraphs 1006.14(b) through (h).”

b) Phone calls: Repeated or continuous calls prohibited. A collector violates this prohibition by placing a telephone call to a particular person in connection with collection of a particular debt either more than seven times within seven consecutive days, or within a period of seven consecutive days after having had a telephone conversation with the person in connection with the collection of that debt (the date of this conversation is the first day of the seven-day period).

Student loan debts: The term “particular debt” means all student loan debts that a consumer owns or allegedly owes that were serviced under a single account number at the time the debts were obtained by a debt collector.

Exclusions from frequency limits: Calls placed to a person do not count toward the frequency limits if they are (1) made with the person’s prior consent given directly to the debt collector within the last seven days; (2) not connected to the dialed number; or (3) with the consumer’s attorney, the creditor’s attorney, or the collector’s attorney.

Unconnected calls: A debt collector’s telephone call does not connect to the dialed number if, for example, the debt collector receives a busy signal or an indication that the dialed number is not in service. Conversely, a telephone call placed to a person counts toward the telephone call frequencies described in § 1006.14(b)(2)(i) if it connects to the dialed number, unless an exclusion in § 1006.14(b)(3) applies. A debt collector’s telephone call connects to the dialed number if, for example, the telephone call is answered, even if it subsequently drops; if the telephone call causes a telephone to ring at the dialed number but no one answers it; or if the telephone call is connected to a voicemail or other recorded message, even if it does not cause a telephone to ring and even if the debt collector is unable to leave a voicemail. [Comment 14(b)(3)(ii)-1]

c) Violence: A collector must not use or threaten violence or harm to a person, their reputation or property

d) Obscene language: A collector must not use obscene language or language deemed abusive to the listener or reader.

e) Debtor’s list: A collector must not publish a list of consumers who refuse to pay debts, except to a consumer reporting bureau

f) Coercive advertisements: A collector must not advertise for sale any debt to coerce payment of the debt.

g) Meaningful disclosure of identity: A collector must not place phone calls without meaningfully disclosing the caller’s identity, except as provided in § 1006.10 [when communicating with a person other than the consumer for the purpose of acquiring location information].

h) Prohibited communication media: Communication is prohibited with a consumer through a medium if the consumer has requested that it not be used. However, a collector may ask follow-up questions regarding preferred media to clarify statements by the person
If a consumer opts out in writing of receiving electronic communications from a collector, the collector may send a confirmation the consumer’s request to opt out, provided that the reply contains no information other than a statement confirming the consumer’s request;
If a consumer initiates contact with a debt collector using an address or a telephone number that the consumer previously said not to use, the collector may respond once using that. Or

If otherwise required by law, a collector may communicate about the collection of any debt through a medium of communication that the person has requested they not use [think required periodic statements].

To be continued

Our discussion of the new FDCPA regulation will conclude in our December 2021 Legal Briefs.

New stuff on Legal Links

By Pauli D. Loeffler

In response to legislative changes (see August, September, and October Legal Briefs), new and updated information and forms have been added to the OBA’s Legal Links web page under the Templates, Forms, and Charts. You will need to create an account through the My OBA Member Portal to gain access if you have already done so.
In response to the changes under Banking Code § 901, there is a summary of how PODs are paid based on whether the POD designations were made before November 1, 2021, as well as those made on and after that date.

With amendments to § 906 which deals with the use of an Affidavit of Heirs for deposits when there are no PODs, there is a new Affidavit form that incorporates statutory language regarding probates as well as an optional Indemnity and hold harmless clause.

Under the Miscellaneous subsection, there are links to all the statutes for both the Power of Attorney Act in Title 58 and for the Statutory Form Power of Attorney Act in Title 15. I have also provided a Power of Attorney Checklist you may find helpful when the bank receives a POA.