Thursday, March 28, 2024

Legal Briefs

September 2022 OBA Legal Briefs

  • Concerns about overdrafts and fees grow (Part 1)
  • Repossessions and the SCRA

Concerns about overdrafts and fees grow — Part 1

By John S. Burnett

Regulators have run hot and cold on the topics of overdraft programs and associated fees for well over a decade. A few landmark issuances along that rocky road were:

Enter the CFPB

The subjects of overdrafts and associated fees have been studied and written about by the CFPB almost since the Bureau opened its doors in 2011. The Bureau’s first Director, Richard Cordray, was a harsh critic of then-current overdraft programs and fees during his tenure at the Bureau. He advocated for “safer” accounts designed to prevent overdraft fees, and even suggested the use of prepaid cards as an alternative to expensive checking accounts and their fees. In August 2017, in a press call on overdrafts, Cordray spoke of a study that found frequent overdrafters who have opted in to debit card and ATM overdraft service typically pay almost $450 more in overdraft fees per year comparted to frequent overdrafters who had not opted in. The Bureau issued updated model disclosure prototypes to replace the Regulation E Model A-9 disclosure form with that study

In April 2015, the Bureau issued a consent order in an administrative proceeding against Regions Bank for failing to obtain required opt-ins from customers who had linked their savings accounts to checking accounts to cover overdrafts, but charging the customers overdraft fees when the savings account was wiped out by ATM or one-time debit card transactions, but had not obtained an opt-in for overdraft service as required by Reg E. For that violation and others, Regions Bank was fined $7.5 million and refunded over $47 million to customers before the order was issued, and was ordered to identify any other customers who were owed a refund.

In July 2016, the Bureau ordered Santander Bank, N.A., to pay a $10 million fine for illegal overdraft service practices. This case involved a telemarketing vendor that deceptively marketed the service and signed some of the bank’s customers up without their consent.

In January 2017, a federal district court approved a Bureau settlement with TCF National Bank regarding its marketing and sale of overdraft services. The Bureau had alleged that, when attempting to obtain consent for OD service as required by Reg E, TCF obscured the fees it charged and made consenting to fees seem mandatory for new customers. TCF agreed to pay $25 million in restitution and a penalty of $5 million.

In August 2020, the Bureau issued a consent order against TD Bank, N.A. regarding its marketing and sale of its optional overdraft service, Debit Card Advance (DCA). The Bureau found that TD Bank’s overdraft enrollment practices violated the Electronic Fund Transfer Act (EFTA) and Regulation E by charging consumers overdraft fees for ATM and one-time debit card transactions without obtaining their affirmative consent. The Bureau found that TD Bank violated the Consumer Financial Protection Act (CFPA) prohibition against deceptive acts or practices by making misleading representations to consumers regarding DCA while offering that service to consumers in person, over the phone, and through mailed solicitations. The Bureau also found that TD Bank violated the CFPA’s prohibition against abusive acts or practices by materially interfering with consumers’ ability to understand the terms and conditions of DCA. . TD Bank paid a $25 million penalty and was ordered to pay an estimated $07 million in restitution.

Recent CFPB activity

One of the first actions taken by the Bureau’s newest director, Rohit Chopra, has been an ongoing campaign against “junk fees,” with an undisguised disdain for bank overdraft and NSF fees.

In December 2021, the CFPB released research on OD and NSF revenue, which reached an estimated $15.47 billion in 2019. Three banks (JPMorgan Chase, Wells Fargo, and Bank of America) brought in 44 percent of the total OD and NSF income reported in 2019 by banks with assets over $1 billion. The CFPB also said that while small institutions with overdraft programs charged lower fees on average, consumer outcomes were similar to those found at larger banks. The research also notes that, despite a drop in fees collected, many of the fee harvesting practices persisted during the COVID-19 pandemic,

In February 2022, the Bureau posted a blog article comparing overdraft fees and policies across the top 20 banks ranked by 2019 reported overdraft income. The article noted significant changes by several of the banks. In an update of the table provided in that blog. The Bureau now reports that, since the 2021 review, 15 of the banks have eliminated NSF fees (you will see a possible reason for that change later in this article). Fifteen reported no sustained OD fee (up from 12 in 2021). Two banks (up from one), reported they charge no OD fees at all. Four banks (up from three) reported they don’t charge OD fees on debit card purchases, and eight banks don’t charge OD fees on ATM withdrawals (up from four in 2021).

The Bureau is highlighting these changes to demonstrate that some big banks are paying attention to regulatory saber-rattling, or are just plain tired of fighting the battle over what the Bureau has termed “junk fees.”

Multiple NSF fees and the FDIC

There has been growing regulator concern over the practice of charging multiple NSF fees for multiple presentments of items for a single transaction. Briefly, this can happen when a bank charges a first NSF fee for a check drawn on insufficient funds and returns the check, and, when the check is presented a second time against insufficient funds, returns the check again, assessing a second NSF fee. In some cases, checks get presented more than twice, or they are converted to ACH debits (a re-presented check or RCK entry), which can be used once if the check has been returned twice, or twice if the check has only been returned once. Imagine a $50 check  being bounced three times at $35 an event!

Regulators have been voicing their concerns over the practice and point to recent litigation in which banks and a very large federal credit union have been sued for charging multiple NSF fees for a single transaction. A class action suit against Navy FCU was dismissed, but when the lead complainant appealed, the CU agreed to a settlement.

The FDIC issued “Supervisory Guidance on Multiple Re-Presentment NSF Fees” with FIL-40-2022 (https://www.fdic.gov/news/financial-institution-letters/2022/fil22040.html) on August 18, 2022, “to address certain consumer compliance risks associated with assessing multiple non-sufficient funds (NSF) fees arising from the re-presentment of the same unpaid transaction.” In the Guidance, the FDIC also shared “its supervisory approach when a violation of law is identified, as well as expectations for full corrective action.”

According to the Guidance, during consumer compliance examinations, the FDIC has “identifies violations of law when financial institutions charged multiple NSF gees for the re-presentment of unpaid transactions.” The FDIC found that “some disclosures provided to customers did not fully or clearly describe e the institution’s re-presentment practice, including not explaining that the same unpaid transaction might result in multiple NSF fees if an item was presented more than once.”

Comment: Some banks might be tempted at this point to pull out Regulation DD’s commentary to section 1030.4(b)(4) – Account disclosures; Content of account disclosures; Fees— and run down the page to comment 4(b)(4)-5, Fees for overdrawing an account, which says, “Under § 1030.4(b)(4) of this part, institutions must disclose the conditions under which a fee may be imposed. In satisfying this requirement institutions must specify the categories of transactions for which an overdraft fee may be imposed. An exhaustive list of transactions is not required. It is sufficient for an institution to state that the fee applies to overdrafts ‘created by check, in-person withdrawal, ATM withdrawal, or other electronic means,’ as applicable. Disclosing a fee ‘for overdraft items’ would not be sufficient.”

The point being made by the FDIC, however, isn’t that the banks that charged multiple fees for re-presentments violated the Truth in Savings Act or Regulation DD; it’s that not disclosing that multiple NSF fees may be charged if multiple items for the same transaction are presented and not explaining how that can occur creates “a heightened risk of violations of Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices (UDAP).” The Guidance continues, “While specific facts and circumstances ultimately determine whether a practice violates a law or regulation, the failure to disclose material information to customers about re-presentment and fee practices has the potential to mislead reasonable customers, and there are situations that may also present risk of unfairness if the customer is unable to avoid fees related to re-presented transactions.”

In a footnote, the FDIC suggests that these practices may also violate Section 1036(a)(1)(B) of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (12 U.S.C. § 5536(a)(1)(B)), which prohibits any covered person or service provider from engaging in, among other things, abusive acts or practices in connection with a consumer financial product or service. That portion of the Dodd-Frank Act is also referred to as the Consumer Financial Protection Act.

Deceptive practices: The guidance continues: In a number of consumer compliance examinations, the FDIC determined that if a financial institution assesses multiple NSF fees arising from the same transaction, but disclosures do not adequately advise customers of this practice, the misrepresentation and omission of this information from the institution’s disclosures is material. The FDIC found that if this information is not disclosed clearly and conspicuously to customers, the material omission of this information is considered to be deceptive pursuant to Section 5 of the FTC Act.”

Unfair Practices: On this topic, the Guidance offers, “In certain circumstances, a failure to adequately advise customers of fee practices for re-presentments raises unfairness concerns because the practices may result in substantial injuries to customers; the injury may not be reasonably avoidable; and there may be no countervailing benefits to either customers or competition. In particular, a risk of unfairness may be present if multiple NSF fees are assessed for the same transaction in a short period of time without sufficient notice or opportunity for customers to bring their account to a positive balance in order to avoid the assessment of additional NSF fees. While revising disclosures may address the risk of deception, doing so may not fully address the unfairness risks.

Comment: Thus far, the Guidance has suggested that banks need to ensure that their disclosures reflect what actually happens in the case of multiple re-presentments for a single transaction, and that something may need to be done about better notifying customers when an item is returned and an NSF is assessed and/or banks may want to consider setting some limit on how many times re-presentments of items derived from the same transaction will trigger another NSF fee.

Watch for Part 2:  In Part 2 of this article, we’ll look at third-party risk and what the FDIC expects of a bank that discovers it has problems like those described in the Guidance. We will also look at another relatively new regulatory concern about overdraft programs.

Repossessions and the SCRA

By Andy Zavoina

I want to share a recent issue that a compliance officer consulted me on. This is your opportunity to realize that even when you train and have sound policies and procedures, people can – and will — still make mistakes.

I had a disturbing call recently from a banker who appears to have a good compliance program. I say the program is “good” not because I have audited it, but because she was auditing files from three months prior and she found a questionable repossession. As you will read, she was right to question it, and that is why I say that part of her Compliance Management Program is working. Detecting errors leads to an earlier correction when that may be possible, and to fewer repeat problems because a part of any corrective action typically involves re-training.  Very often an auditor reviews a file, scans it to understand what has happened and explains the actions away as a way of justification.

In this case, the lender had a car loan that was past due and was ready for a repossession order. Having recently had some training on repossession procedures and the Servicemembers Civil Relief Act (SCRA), he checked the DMDC database to verify the borrower was not covered.

In my SCRA training materials I recommend that banks “Design [their] foreclosure procedures to ensure counsel is following all requirements, to include completion of all background research and proper notice as expected by the regulators. This includes repossession of personal property as well. When you check the SCRA database you will enter a date in a field for ‘Active Duty Status Date’ and the response you will receive based on that date, is the status of the individual – whether or not the individual was actively serving, received a notice to serve, or was serving  – for a period of 367 days prior to the given date. So when you check this, you are getting the status for the last year.” The yearlong lookback allows for real property foreclosure protections that last for a year after discharge. That does not apply to vehicle repossessions.

In this case the lender checked, received a negative response and put the car out for repossession by a third-party agent. This is where it gets questionable. I do not know how much time elapsed, but on the day of the repossession itself, the lender checked again. As you can predict, the response was now affirmative. As of that day the borrower was a servicemember and afforded all the protections under section 302 of the SCRA (50 U.S.C. 3952).

“After a servicemember enters military service, a contract by the servicemember for–

(A) the purchase of real or personal property (including a motor vehicle); or

(B) the lease or bailment of such property,

may not be rescinded or terminated for a breach of terms of the contract occurring before or during that person’s military service, nor may the property be repossessed for such breach without a court order.

This section applies only to a contract for which a deposit or installment has been paid by the servicemember before the servicemember enters military service.”

I do not know if the car was repossessed before or after the second verification was done. If it was done before, repo order should have been rescinded. If it was not possible to do immediately it should have been done as soon as possible. Now that the car could not technically be repossessed, those expenses will be paid for by the bank and without the ability to collect them as a collection cost. Add to that the bank may now have to pay to return the car to the servicemember which adds to the cost of the already delinquent loan. The benefit here would be that a recent check did not indicate a protected status but one on the day of the repossession did. The car could be retuned and the bank could claim “no harm, no foul” so long as there is no claim of damage to the car from the repossession. But it did not stop there. That would not be an interesting lesson.

This repo occurred three months before. Regardless of the above recommendation to immediately return the car and undo a bad situation, that advice is too late. The lender, now knowing the borrower was protected, proceeded to sell the car and apply the proceeds against the loan balance. Why?

As an auditor there are now more questions to be asked. This file escalates from a routine audit to damage control.

  • When was the protected status known?
  • Why was the car sold?
  • Was this a commercially reasonable sale, were personal items returned, were notifications of the sale sent and was the borrower provided an ample period to cure the default?
  • When was the lender last trained on the bank’s policy and procedure?
  • Was the training thorough?
  • Was the second DMDC check a standard procedure (I would say it would be a good one) or did the lender suspect the borrower was going to be protected and wanted to “beat the clock” so to speak and get the car before protections were actually in effect?
  • What was the cost of the repo?
  • What was the sale price and was there a deficit?
  • Has the borrower contacted anyone at the bank?

The Compliance Officer also has immediate work to do, and it was needed yesterday.

  • Review training records to verify the lender was appropriately trained. If he was not, why not?
  • Advise all lenders/collectors of the requirements to immediately prevent a repeat violation. It would move to catastrophic to have the same thing happen after the bank is aware of this instance.
  • Was this an anomaly? Realistically all repossessions need to be reviewed for a period of (my recommendation) three years. After the most recent six months is done management needs to be aware of the problem. Since there have been no other alarms, attorney calls, anyone from JAG or the borrower, the issue is thus far contained, but now must be controlled.
  • Discuss the case with management. Advise them of the case and the fact that a review is being conducted and so far, how it looks.
  • The Compliance Officer is not Human Resources, but assuming training was done, and policies and procedures were provided, HR may have to be involved. Disciplinary action may well be called for.

Some readers may be asking why all this work, what’s the big deal if the borrower has not claimed any protections after three months? Here is the deal, and it can be costly. SCRA violations are reviewed by the Department of Justice (DOJ), not your banking regulator, although they will likely be involved if the case is worth pursuing.

There was one very similar case to this. On March 28, 2018, the United States vs California Auto Finance (CAF), Case No. 8:18-cv-00523 was filed. CAF is a large sub-prime lender in Southern California and the Southwest. The suit alleges CAF repossessed a servicemember’s car after being made aware the borrower was in the service.

Andrea Starks purchased a car in Glendale, Arizona, in September 2015. She made her first payment in October 2015 which was pre-service and meets the requirements for SCRA protection. She enlisted in April 2016 and reported for active duty on May 9, 2016, the same day her vehicle was repossessed. Two days after enlisting, she provided CAF with a copy of her orders. She would not have been protected as a reservist being called to active duty based on receipt of her orders, but rather when she met the definition of “military service” which, in this case, would be when she was paid by Uncle Sam.

Had the vehicle been repossessed the day before, Starks would not have been technically protected. In any case, it was taken on the same date as she reported for duty. CAF sold the vehicle on or about May 25, 2016.

This was the single complaint against CAF made by Starks to the DOJ in November 2016. There were no other complaints against CAF mentioned. In describing the violations committed by CAF, the DOJ explains the facts it reviewed in its investigation that began in December 2016.

  1. The Defense Manpower Data Center (DMDC) is a free database allowing lenders to determine if a person is protected under the SCRA. The CAF did not verify her status prior to repossessing the vehicle. (It would be interesting to know if Starks would have been shown as currently serving, it being her first day.) Regardless, CAF had already been given a copy of Starks orders by Starks herself.
  2. This was pre-service debt under the SCRA.
  3. No court order was obtained prior to the act of repossessing the vehicle.
  4. The CAF believed at the time, and still as of this court filing, that only deployment orders would have provided protections to a servicemember. (This is incorrect. It is the act of serving, whether that be in the continental United States or overseas.)
  5. The CAF had and still has no policies or procedures to provide staff with SCRA compliance guidance.
  6. Because of a demonstrated lack of knowledge and guidance (the policy or procedures) the DOJ stated they “may have repossessed motor vehicles without court orders from other servicemembers” and as such viewed this as a pattern or practice of violating the SCRA protections and requirements of the SCRA. This means that Starks and other servicemembers have suffered damages.
  7. The actions of CAF were “intentional, willful, and taken in disregard for the rights of servicemembers.”

The bank has obviously done more than CAF had and is aware of the protections the servicemember had. But it seems the violation was blatant and willful and because the lender represents the bank, the bank is at fault. The bank repossessed the car and knowing the borrower was protected, sold the car anyway.

In the Starks case there was $30,000 paid to Martinez, the only other violation the DOJ found after scrubbing years’ worth of repossession files and a $50,000 penalty. We do not know how much Starks was paid but I would be confident in estimating that in addition to the $80,000, plus the cost of attorneys, motions, court expenses, and employee cost on the CAF side of the file reviews, that CAF spent $125,000 because of that one repossession, which turned into two. Two is not excessive, but it is two too many.

In May 2017 Wells Fargo repossessed the car of Jin Nakamura. He was protected by the SCRA and paying, but the bank repossessed and sold his car. That launched an investigation, and a pattern was found. The bank paid $5,125,000 plus a third of the legal expenses for its violations. Each servicemember was paid $12,300 from the settlement except for Nakamura, who received a greater share as he instigated the case, which was settled in May 2019.

In our recent case the bank should immediately involve counsel who is familiar with the SCRA and enforcement actions. The bank should consider settling with the borrower if possible. That might avoid DOJ involvement. Servicemembers are trained on their benefits when they enlist, but it may have gone in one ear and out the other. But the military periodically retrains them, and the matter will likely come up again. Any amount of research and the borrower could decide that car was special and worth far more than the bank sold it for. The bank needs to consider zeroing the loan balance, removing the credit rating in total or certainly the repossession, and reimbursing the agreed value of the car to the servicemember. These costs combined would be far less than a DOJ investigation and the reputational risk the bank would suffer.

Here is an example/article from “Housing Wire” of a foreclosure that happened in 2010, but the complaint was not made for six years. The DOJ was heavily involved, and the complaint was years after the foreclosure.

In late 2017, Northwest Trustee Services, the “largest foreclosure trustee in the Pacific Northwest,” illegally foreclosed on dozens of military veterans and servicemembers over the last few years, the DOJ claimed in its lawsuit. According to the DOJ, in the prior six years, Northwest had foreclosed on at least 28 homes owned by servicemembers without the necessary court orders.

The lawsuit came after the DOJ launched an investigation into Northwest’s foreclosure practices at the urging of Marine veteran Jacob McGreevey of Vancouver, Washington, who submitted a complaint to the DOJ’s Servicemembers and Veterans Initiative in May 2016.

Portland’s The Oregonian has been all over McGreevy’s story, previously chronicling his fight against Northwest and PHH Mortgage, his mortgage servicer, for foreclosing on his home shortly after he returned from active duty.

According to the DOJ, Northwest foreclosed on McGreevey’s home in August 2010, less than two months after he was released from active duty in Operation Iraqi Freedom.

In 2016, McGreevey sued both PHH and Northwest, but a U.S. District Court Judge accepted PHH and Northwest’s argument that McGreevy had waited too long to file his case and dismissed the case on that basis.

Here’s how the Oregonian described that process in one of its reports:

Altogether, he served four tours in either Iraq or Afghanistan. In between deployments, McGreevey would return to Vancouver, where he bought a house on Northeast 24th Court. But he fell behind on payments.

PHH Mortgage repossessed his house in June 2010. Knowing next to nothing about the consumer protections afforded him as a member of the military, McGreevey didn’t contest it. The foreclosure became final the following September.

McGreevey had advanced from private to staff sergeant by the time his final deployment ended in 2012. Though diagnosed 80% disabled with post-traumatic stress syndrome, hearing loss and a back injury, he set about reinventing himself for civilian life. He earned a business degree from Portland State University and got a job at a bank.

That’s when he learned about consumer protection laws, including the Servicemembers Civil Relief Act.

From there, McGreevy sued Northwest and PHH. But McGreevy’s case was dealt a blow earlier that year, when the DOJ sided with Northwest and PHH in McGreevy’s lawsuit.

But later, the DOJ reversed its position and cites McGreevy’s case as the impetus for its lawsuit against Northwest. It should be noted that the DOJ had taken no action against PHH in this case, to this point.

According to the DOJ, its investigation revealed that, beyond McGreevey, Northwest foreclosed on other homes of SCRA-protected servicemembers in violation of the SCRA since 2010.

“The loss of a home is a devastating blow for anyone – but far worse for active duty service members often called to war zones far from Western Washington,” said U.S. Attorney Annette Hayes.

Our investigation revealed that Northwest Trustee Services repeatedly failed to comply with laws that are meant to ensure our service members do not have to fight a two-front war – one on behalf of all of us, and the other against illegal foreclosures,” Hayes continued. “My office will continue to work closely with our colleagues in the Civil Rights Division in Washington, D.C. to protect Western Washington service members from this kind of misconduct.”

According to the DOJ, it is seeking monetary damages for affected servicemembers, as the SCRA provides for civil monetary penalties of up to $60,788 for the first offense and $121,577 for each subsequent offense.

But Sean Ridell, who served in the Marines and is McGreevy’s lawyer, told the Oregonian that he wants much more than just money.

“I want Northwest Trustee and PHH put out of business, their buildings burned down, and the ground salted so that nothing ever grows for what they did to veterans,’ Ridell said.

As you can see, historically these violations do not end well for the bank whether it is a home foreclosure or auto repossession and there can be years between the violation and the final reckoning. During that time there are expenses and distractions, none of which are good for the bank. The actions of the lender may have cost the bank six figures. If it acts proactively, it will emerge smarter and only at a five-figure expense. This is a real case, and all bankers should assess their own situation and ask, “Could this have happened here?”

August 2022 OBA Legal Briefs

  • COVID coughs up and update
  • FCRA is on the front burner

COVID coughs up an update

by Andy Zavoina

Perhaps your staff is all back in the bank, some are travelling for summer vacation, masks are seen sparsely, and COVID-19 seems to be something viewed only in the rearview mirror. But that does not mean the pandemic is over, or that your pandemic procedures can be put back on the shelf as life moves forward once again. In addition to yet another variant, some things “pandemic” are still in motion and your bank needs to be aware. Your Human Resources department may need a copy of this update if they haven’t seen the information already. You may recall our covering the U.S. Equal Employment Opportunity Commission (EEOC) rules addressing pandemic procedures in the May 2021 Legal Briefs. This is an update to that article.

On July 12, 2022, the EEOC revised the informal guidance (https://www.eeoc.gov/laws/guidance/covid-19-pandemic-and-caregiver-discrimination-under-federal-employment). The EEOC has updated employee testing protocols and any mandates imposed for vaccine requirements as well as a few other related issues. Depending on what your bank was doing, there may be less justification for it today.

The EEOC revised its position on COVID-19 screening of employees. Screening or testing is no longer considered automatically a “business necessity” in order to operate day-to-day as it was at the beginning of the pandemic. Instead, your bank should evaluate your local conditions and individual circumstances to determine if continued screening or testing is justified as a business necessity, or if it is doing so today based on a potentially outdated policy or procedure.

The EEOC guidance provides eight factors to consider in determining whether circumstances indicate continued screening or testing would be considered a business necessity in your bank and branches:

1. The level of community transmission
2. The vaccination status of employees
3. The accuracy and speed of processing for different types of COVID-19 tests deemed acceptable
4. The degree to which breakthrough infections are possible for employees who are “up to date” on vaccinations
5. The ease of transmissibility of the current variants
6. The possible severity of illness from the current variants
7. What types of contacts employees may have with others in the workplace or elsewhere that they are required to work (e.g., working with medically vulnerable individuals)
8. The potential impact on operations if an employee enters the workplace with COVID-19.

Note: many of the terms used above are explained in greater detail with links on the EEOC site linked in this article. In making these assessments, the bank should check the latest CDC guidance as well as other relevant sources and determine whether screening or testing is appropriate for these employees.

If your branches are all in one area, it may be easy to handle them all the same. If, however, they are spread across many miles, it may be appropriate to tailor procedures to the outlying branches separately, based on the local conditions of each branch. In any case it is time to review the policy and procedures followed for the extreme circumstances a pandemic requires and ensure there is flexibility in screening and testing requirements as the threat level has been lowered and there are fewer protections from violations of the Americans with Disabilities Act.

FCRA is on the front burner

by Andy Zavoina

The Fair Credit Reporting Act (FCRA) is shifting to your front burner, at least until you complete a review and ensure your bank is completely compliant. Rarely is a compliance process one that you can “set and forget.” Procedures need controls that provide checks and balances and on occasion we get little reminders that at least some in our industry were slacking, or just plain doing it wrong.

The Consumer Financial Protection Bureau (CFPB) released an Advisory Opinion on July 7, 2022, on the FDCRA and Regulation V. The reality is that the CFPB is extending its authority in this case to emphasize data protection requirements and privacy. On July 26, 2022, we read an enforcement action from the CFPB against Hyundai for – yes – FCRA violations. The enforcement action included some language that alleged Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) in addition to the FCRA and Reg V violations. “Piling on” is seen more often in these enforcement actions and this one cost Hyundai over $19 million.

So, let’s discuss some of the FCRA reminders from the Advisory Opinion and the lessons learned from the enforcement action, so you can review your FCRA practices and ensure compliance is in order.

In fact, the enforcement action carries lessons far beyond the FCRA, as it says a lot about compliance management. In this case, deficiencies were found. But it took years for the fixes to be put in place and therein lies part of problem leading to the penalty. Problems were found, plans were made to address the issues, but it never really got done. “Follow through” is an important part of the compliance management and audit process and it did not work here.

This Advisory Opinion, “Fair Credit Reporting; Permissible Purposes for Furnishing, Using, and Obtaining Consumer Reports,” is an interpretation of the existing rules and is not intended to change the law or Reg V, but rather to provide guidance in your efforts to comply with the existing rules. This information should be preserved with your regulatory materials as a future reference for use in audits, training, and development of policies and procedures.

This Advisory Opinion applies to Credit Reporting Agencies (CRA) as providers of credit reports as well as users of those reports. Our emphasis here is on the latter but we must also appreciate the former and be aware that changes could result from this. As it relates to the Advisory Opinion, 604(a)(3) of the FCRA is consumer-specific and requires a CRA to ensure that only a specific consumer’s data is released when a credit report is requested. This data protection rule provides that John A Smith’s credit information should not be released when John A Smith Jr.’s file is accessed. It seems some CRAs have been lax in matching up just a name instead of several data points such as a Social Security number, date of birth or addresses to better narrow down the file actually requested.

As to name only matching, one CRA stated when providing a consumer report: “This record is matched by First Name, Last Name ONLY and may not belong to your subject. Your further review of the State Sex Offender Registry is required in order to determine if this is your subject.” That disclaimer sends up several red flags. This is a problem for the CRA as the provider of the report and for the bank as a user of the report. The Advisory Opinion makes it clear that any disclaimer from the CRA that the file “could” have someone else’s information is not sufficient to protect them from penalties resulting from the release of this information. It also does the bank no good to have information on John A Smith when it is Junior who is applying for a loan. Similarly, if the bank requested the file on John A Smith instead of Junior, it would have violated the FCRA because it had no permissible purpose to request that file. And because the bank’s contract with the CRA will require it only requests files when it has a permissible purpose, that contract would be violated.

Congress enacted the FCRA with particular goals, including, “to ensure f air and accurate credit reporting, promote efficiency in the banking system, and protect consumer privacy.” There were concerns that the contents of a credit file were not kept confidential. The FCRA is intended to protect the individual’s privacy by controlling both the collection and dissemination of credit information. The CFPB is respecting the privacy goals of the FCRA with its Advisory Opinion.

Section 604 of the FCRA is, “Permissible purposes of consumer reports,” and it identifies an exclusive list of “permissible purposes” under which a CRA can release the credit report including in accordance with the written instructions from the consumer to whom the report relates and for purposes relating to credit, employment, and insurance. Let’s place emphasis here on the fact that the consumer has to authorize the bank to request this report from the CRA and the fact that this is an exclusive list, meaning these are the only reasons allowed. Obviously if there is another person’s information in the file, which contributes to a violation. Among the key reasons a bank would access this includes, 604(a)(3)(A),” in connection with a credit transaction involving the consumer on whom the information is to be furnished and involving the extension of credit to, or review or collection of an account of, the consumer,” and, “(F) otherwise has a legitimate business need for the information (i) in connection with a business transaction that is initiated by the consumer; or (ii) to review an account to determine whether the consumer continues to meet the terms of the account.” These are the direct banking issues. This section includes other reasons such as employment and insurance as well. Paragraph (F) seems broad with its use of having a legitimate business need and to review an account. In fact, these are not as broad as some lenders or collectors may think as the purposes can be narrow.

There is A LOT of content in the FCRA that cannot be covered here today. Suffice it to say that when the CFPB took the FCRA regulation from the Federal Reserve it inherited the consumer protection provisions. When you research the FCRA, be sure to look at what the FRB retained https://www.bankersonline.com/regulations/12-222-000 as well as what the CFPB has ownership of (https://www.bankersonline.com/regulations/12-1022-000), and the FCRA itself (https://www.bankersonline.com/regulations/fcra-000). The last link includes a link to a document, “FTC Staff Report – July 2011”. The FCRA and Reg V do not have an Official Staff Commentary with explanations and interpretations. But there were guidance opinions issued by the Federal Trade Commission (FTC) as it had a key role in FCRA oversight and enforcement.

One of the major changes to the FCRA was the FACT Act which provided the FTC with specific rulemaking authority. The FTC issued more than 430 opinion letters to act as compliance guidance. This 117-page document assembles many of these opinions to act as a proxy for a Commentary. This is a must read for FCRA compliance as it defines the difference between using a credit report for a loan request, and then also using it to prequalify the consumer for another loan product. Such a use violates the permissible use requirements as access was not granted for that cross-sale. These are the nuggets you will find in this booklet. It may be 11 years old as of this writing, but the information there is still pertinent.

Back to the Advisory Opinion itself. The CFPB places emphasis on the use of consumer reports and the circumstances under which they may be accessed – “and no other.” It drives this home by reminding the reader that Section 620 carries with criminal liability for any employee or officer of a CRA who knowingly and willfully provides an unauthorized report. This triggers two points which need to be mentioned. First, this could cause some CRAs to tighten up controls and requirements that users must follow so that the CRA can comply. Second, if the bank were to release this information to another party, it could be deemed to be acting as a CRA and now it would be subject to these penalties as well. That is why the bank must ensure staff be aware of when credit reports may be accessed and for what purposes.

FCRA section 604(f) provides that “a person shall not use or obtain a consumer report for any purpose unless” the consumer report “is obtained for a purpose for which the consumer report is authorized to be furnished under [FCRA section 604]” and “the purpose is certified in accordance with FCRA section 607 by a prospective user of the report through a general or specific certification.” FCRA section 619 imposes criminal liability on any person who knowingly and willfully obtains information on a consumer from a consumer reporting agency under false pretenses. I remember early in my banking days when there was an incident of single person in the loan area looking at credit reports of customers who had asked her out. Certainly, that would not be an authorized use and if the credit report was pulled for that purpose, well in today’s FCRA environment that would have to be a terminable offense.

Having a permissible purpose is at the core of the FCRA’s protections. When a credit report is provided to unauthorized persons and for unauthorized purposes the consumer can suffer harm in a number of ways. It is an invasion of one’s financial privacy and as the Advisory Opinion puts it, this is a “reputational, emotional, physical and economic harm.” That’s from the CFPB, I will not try to interpret each. Suffice it to say, these harms are on the record and violations may include these points in the justification of a penalty. Take each seriously. There are some examples cited which explains some of the reasoning. “For example, in a case that resulted in a 2006 settlement with a consumer reporting agency, the FTC alleged that the agency violated the FCRA’s permissible purpose provisions by providing consumer reports to persons without a permissible purpose, resulting in at least 800 cases of identity theft. More recently, in 2020, a group of companies and individuals settled Bureau allegations that they obtained consumer reports without a permissible purpose when they obtained consumer reports for use in marketing debt relief services. Also in 2020, a mortgage broker settled FTC allegations that it used consumer reports for other than a permissible purpose when, in response to negative reviews on a website, it publicly posted information it had obtained from a consumer report about the reviewer.”

Recognizing the importance of permissible purposes, when was the last time staff with access to credit reports, being accessed or in credit files, were reminded of the requirements and the potential penalties for unauthorized access? A resource for teaching includes a booklet published by the CFPB in 2020, “List of Consumer Reporting Companies “ as it includes not just who is considered a CRA and therefore a major part of this topics discussion, but information for a consumer on who can see their credit reports, how to review them for free, how to dispute information and more on uses such as for credit, employment, check screening and more. (https://files.consumerfinance.gov/f/documents/cfpb_consumer-reporting-companies-list.pdf). This is good information for staff to be aware of as a banker and a consumer. Staff should be trained on this topic before they are granted access to credit reports just as tellers get Bank Secrecy Act training before operating a teller drawer on their own. It could be a requirement in the vendor contract with your CRAs and based on the Advisory Opinion, it may be something these vendors emphasize in the future as well.

Under 604(a)(3)(A) of the FCRA, a CRA may provide a consumer report “to a person which it has reason to believe . . .  intends to use the information in connection with a credit transaction involving the consumer on whom the information is to be furnished and involving the extension of credit to, or 18 15 U.S.C. 1681b(a).review or collection of an account of, the consumer.” Similarly, FCRA section 604(a)(3)(F) permits a CRA to provide a consumer report “to a person which it has reason to believe . . . has a legitimate business need for the information . . . in connection with a business transaction that is initiated by the consumer or to review an account to determine whether the consumer continues to meet the terms of the account.” These are a few of the teachable points which deserve emphasis.

Note one particular phrase, “reason to believe.” The CFPB is directing this to users of consumer reports who lack a permissible purpose and want to rely on this as justification. The Advisory Opinion specifically rejects some judicial decisions that have applied a “reason to believe” standard to FCRA Section 604(f)’s permissible purpose requirement for users. Instead, the CFPB used a plain language approach to impose a prohibition on using a consumer report without a justifiable permissible purpose. The “reason to believe” standard will not provide an excuse for innocent mistakes. The CFPB appears to be taking a strict liability approach to permissible purpose requirements. With a high risk of enforcement by all federal agencies and state attorneys’ general who have been reminded, and almost invited by the CFPB to join in enforcement actions, plus the ability for private plaintiffs to obtain significant monetary relief, banks are advised to practice risk management and mitigate this with training.

The bank is a user of consumer reports and must ensure that it does not violate consumer privacy by obtaining consumer reports when it lacks a permissible purpose. From the CFPB, “For example, in 2018 a company settled Bureau allegations that it violated FCRA section 604(f) when its agents obtained consumer reports for consumers who were not seeking an extension of credit from the company and the company had no other permissible purpose for the consumer reports it obtained. In some instances, for example, the company’s agents initiated credit applications for the wrong consumer by incorrectly inputting consumer information into the company’s application system or by selecting the wrong consumer from a list of possible consumers identified in the system. When these applications were initiated in error, the company obtained a consumer report for a consumer with respect to which it had no permissible purpose, violating the FCRA’s permissible purpose provisions and the privacy of the consumers that were the subject of those reports, and also generating an inquiry on the consumers’ credit reports.” Making a choice from a list of possible customers and ensuring that the correct identifying information is input will help prevent violations and inadequate controls.

Hyundai Capital America

What are the ramifications of non-compliance? Let’s look at a Consent Order between Hyundai Capital America and the CFPB. This may seem like an extreme case, but there are lessons here that extend beyond the FCRA, and this is a good case to discuss with management and potentially your board.

On July 27, 2022, prompted initially by numerous consumer complaints over credit reporting problems, the CFPB investigated Hyundai for FCRA and Reg V. It expanded into UDAAP as well.

Violations cited indicated Hyundai:

1. Failed to promptly update and correct information it furnished to CRAs that it determined was not complete or accurate, and continued to furnish this inaccurate and incomplete information, in violation of the FCRA, 623(a)(2).
2. Furnished information about severely delinquent and charged-off accounts but failed to provide the “date of first delinquency” (623(a)(5)) which is a key date because it triggers several FCRA requirements.
3. After determining its reporting was inaccurate as to consumer accounts, failed to correct or delete it.
4. Lacked reasonable procedures to respond to notifications from CRAs indicating information Hyundai provided was the result of identity theft and therefore must be blocked from a victim’s credit report. It violated 623(a)(6) by reporting this information after notices from consumers without any validation process.
5. Failed to establish and implement reasonable written policies and procedures regarding the accuracy and integrity of information provided to CRAs, or to consider and incorporate the guidelines in Appendix E (in the CFPB’s Reg V link, App. E is “Interagency Guidelines Concerning the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies”)

Note, while cited as a violation, the FCRA and Reg V do not explicitly require a policy and procedure for the FCRA. It could be argued however, that there was a genuine need by Hyundai based on the array of violations and lack of direction provided by management and the board.

Some of the above were cited a second time as violations of the Consumer Financial Protection Act (CFPA) which incorporates UDAAP. It was noted Hyundai used ineffective manual processes and systems containing known logic errors to furnish information to CRAs and therefore willfully violated the FCRA.

The “relevant period” for this action is cited as January 2016 through March 2, 2020. That’s going back nearly 7 years ago, however, evidence of problems as you will read date back to 2013. The “affected consumers” refers to those with inaccurate information that they were 30 or more days past due.

To establish a foundation here are some figures used in the consent order.

• Hyundai services approximately 2 million customers and has assets in excess of $45 billion as of 2021.

• The credit reporting format was Metro 2, which is very common in the finance industry.

• Inaccurate payment histories were reported 8.7 million times across 2.2 million accounts.

• In approximately 570,000 instances, Hyundai inaccurately inserted codes showing delinquent or no payments in the payment history.

• Due to coding errors related to lease accounts, in 1.4 million instances, payment history codes indicating that the consumer’s payment history was disputed by the consumer or that no data were available when neither of these things was true. This error affected the entire lease portfolio.

• When credit reporting disputes were made, a manual tradeline correction could be made, but then the auto-reporting systems overrode the corrections and reinserted the errors.

• In over 537,000 instances across more than 168,000 accounts, Hyundai furnished date of first delinquency (DOFD) information regarding consumer accounts that Hyundai itself had determined was inaccurate.

• Compounding the problem, Hyundai delayed fixes for errors affecting the DOFD reporting for nearly a year due to prioritization of allotted resources for the new credit furnishing system planned for release over the then-existing systems that were being replaced.

• An inaccurate DOFD may be particularly problematic for consumers because use of the DOFD field in the Metro 2 format reflects the existence of an ongoing delinquency and the date itself shows how recently the delinquency occurred, both of which could negatively affect a consumer’s credit profile if the DOFD field is inaccurate.

• In tens of thousands of instances, Hyundai reported an inaccurate DOFD, which changed from month to month due to system issues, making some delinquencies appear more recent than was accurate.

• For thousands of delinquent accounts, they failed to furnish any DOFD at all.

• In over 2.2 million instances for over 1.2 million accounts, they furnished inaccurate amounts as to the highest credit or original loan amount.

• After furnishing the correct original loan amount (a field that should not change), they furnished increased amounts for the “original loan amount,” making it appear that a consumer had taken out a larger loan than they had actually taken out.

• In over 2.9 million instances on more than 189,000 accounts, they reported consumers’ accounts as delinquent, but also reported there was no amount past due

• For paid accounts, more than 17,000 reported a negative payment rating that was inaccurate.

• In at least 29,000 instances for approximately 3,900 accounts, they failed to report a DOFD where it reported other information instead, such as the accounts were placed for collection, charged-off, or at least 120 days delinquent.

The issue in this case is that Hyundai repeatedly furnished information to CRAs knowing it to be inaccurate. The company was making little attempt to correct the errors. A basic tenant of the FCRA is that a creditor is not required to report accounts but must report accurately when they do. In an audit report in March 2013, it was determined that required data in the Metro 2 fields was not always fully complete, accurate, or consistently reported. These appeared to be systemic logic issues and Hyundai lacked subject matter experts or a process to ensure accuracy and integrity of data reported. The audit also identified issues relating to the processing, monitoring, and tracking of direct disputes between processing units, and those policies and procedures reviewed as current did not accurately reflect actual practices.

When deficiencies are found compliance management systems call for a response that should be agreed upon as suitable, and a timeline under which corrective actions should occur. This is how repeat violations are avoided. In this case the corrective actions were going to be coordinated with an outside consulting firm. Hyundai initiated a “Credit Bureau Project” in July 2015, more than two years after the audit noted problems.
Completion of the Credit Bureau Project occurred in June 2016 for its vehicle retail installment portfolio and in February 2017 for its vehicle lease portfolio. However, the logic changes failed to address or resolve some of the issues identified in the 2013 audit, and created new, additional problems for both portfolios.

In October 2017, Hyundai began working on a different project to address credit report furnishing logic issues. It started work on a “next generation system” to support credit report furnishing across both lease and retail portfolios as one system. The rollout for this new system was not planned to occur until 2020.

In January 2018, the internal audit team concluded that its furnishing and dispute management controls remained unsatisfactory. It cited the same 2013 errors that remained unresolved. Additionally, there were other issues across its legacy credit report furnishing systems.

The 2018 audit also found that one upgrade to the company’s furnishing systems caused almost 18,000 consumers who were paid-in-full on their retail installment contracts to be erroneously reported as delinquent because Hyundai still lacked an adequate test environment for accuracy and logical consistency before the data was released to CRAs. In internal emails they acknowledged that this error may have caused significant drops in consumers’ credit scores.

As work continued on the “next generation system,” from 2017 until its rollout in March 2020, upgrades to the legacy credit report furnishing systems were deprioritized, and, as a result, many issues identified in the 2013 and 2018 audits, were not resolved until 2020.

So, for a period of years inaccurate information was reported and consumers were harmed as a result. Lower credit scores may have prevented a consumer from borrowing, borrowing at a preferred rate, obtaining a home loan or receiving promotional offers for which they may have qualified. Hyundai lacked policies and procedures that would have provided much needed guidance. Correcting errors and reducing harm to consumers was moved to a lower priority and the problems only grew.

In addition to many added compliance and reporting requirements, Hyundai was ordered to pay a $6 million civil penalty and at least $13.2 million in restitution to current and former customers as well as to take steps to correct all inaccurate account information.

July 2022 OBA Legal Briefs

  • What’s new with Reg B? – A Lot!
  • Electronic liens

What’s new with Reg B? – A lot!

by Andy Zavoina

In a world where Reg B has essentially been around since 1974 when Congress passed the Equal Credit Opportunity, after all these years there can’t be much new to it – right? WRONG! While it has not changed recently, Reg B has been in the news – a lot!

In this issue we will examine an advisory opinion from the CFPB on Reg B which describes some protections that apparently some creditors, “just don’t get” as to who is protected by Reg B and ECOA and deserving of required notices when adverse action is taken. Then we will look at another gray area involving adverse action notices and what information is not just a good idea to provide, but your legal requirement.

First, you may be asking if there is nothing new, why is Reg B worthy of this space and more importantly, your time? We need to start with a court case, Fralish v Bank of America. I will recap that case in a moment because it is what lead to a 16-page Advisory Opinion from the Consumer Financial Protection Bureau (CFPB). Understanding this requires some background on Reg B and this was described in detail in the Advisory Opinion. This background will also help you understand a second topic which pertains to a discussion clarifying why adverse action notices are given. Understanding their purpose helps us understand why there are content requirements for these disclosures. And last, we will do a little analysis on adverse action notices and what should be there, perhaps in moderation but in a misunderstood way, not necessarily.

Define Applicant

Fralish v. Bank of America (3:20-CV-418 RLM-MGG, United States District Court, Northern District of Indiana) is a suit brought by John Fralish in which he alleged Bank of America violated his rights under the Equal Credit Opportunity Act, which is implemented by Reg B. The suit actually cites the law at 15 USC § 1691(d) which addresses adverse action and notice requirements. Fralish had an existing loan account with Bank of America. That credit line was terminated. Fralish was not informed of the reasons for the adverse action and initiated a lawsuit for violations of the ECOA and Reg B.

In the U.S District Court, Bank of America moved for a judgment based on the pleadings as it contended that Fralish had no standing to sue under ECOA because he was not an “applicant” as defined in the law. Under ECOA, 15 USC 1691a(b), an applicant is defined as “any person who applies to a creditor directly for an extension, renewal, or continuation of credit, or applies to a creditor indirectly by use of an existing credit plan for an amount exceeding a previously established credit limit.” Bank of America was defending itself based on this definition maintaining that Fralish had not applied for any credit.

Reg B at § 1002.2(e) defines an applicant as, “any person who requests or who has received an extension of credit from a creditor, and includes any person who is or may become contractually liable regarding an extension of credit.”

The court also reviewed “adverse action.” as Fralish maintains he received no notification as to Bank of America’s reasoning for its action. “For purposes of this subsection, the term ‘adverse action’ means a denial or revocation of credit, a change in the terms of an existing credit arrangement, or a refusal to grant credit in substantially the amount or on substantially the terms requested. Such term does not include a refusal to extend additional credit under an existing credit arrangement where the applicant is delinquent or otherwise in default, or where such additional credit would exceed a previously established credit limit.” Key terms here are “revocation of credit, a change in the terms of an existing credit arrangement.” Must there be an application pending for a revocation of credit to be adverse action deserving a formal notice? That was one of the legal questions requiring an answer.

Bank of America maintained Fralish needed to show four points to continue his suit. That:

(1) Bank of America is a “creditor”;
(2) Mr. Fralish is an “applicant”;
(3) The Bank took adverse action with respect to his application for credit; and
(4) The Bank failed to provide Mr. Fralish with a notification that complied with the ECOA.

While Bank of America believes that to be an applicant as the term is defined, there must be a request for credit pending. The September 29, 2021, final decision from the court notes, “The vast majority of courts that have addressed the issue have found that the statutory definition of “applicant” is not ambiguous, and that existing account holders, like Mr. Fralish, aren’t “applicants” within the plain meaning of the ECOA because they weren’t applying for an extension, renewal, or continuation of his existing credit when the alleged violation (in this case the alleged failure to provide the notice of adverse action required under the statute) occurred, and don’t have standing to bring a claim under the ECOA’s notice provisions. The court finds the reasoning of those cases persuasive.”

This seemed to set of a bit of a compliance firestorm. By December the CFPB, the Federal Trade Commission, the U.S. Department of Justice and the Board of the Federal Reserve filed friend of the court (amicus) briefs with the United States Court of appeals for the Seventh Circuit. The CFPB said it was standing up for civil rights protections.

The CFPB’s premise is that if Bank of America argues, and a court agrees that the creditor can disregard ECOA provided rights for existing customers, it undermines the intended antidiscrimination protections. Acceptance of this could mean that a bank could offer a credit card, as an example, to a protected class and the law is complied with. It could then revoke that credit line because of the applicant’s demographics and because the consumer was not an applicant, it would still be compliant with the law.

Now fast forward to May 18, 2022, when the CFPB issued an Advisory Opinion on this topic. For the management version, succinctly it says that to comply with the spirit and intent as well as the commonly accepted definitions, a bank must provide ECOA and Reg B protections to the applicant throughout the life of the loan. An applicant’s rights do not end upon approval of a credit request.

Now the longer explanation adapted from the Advisory Opinion because these details must be understood by those who manage compliance in your bank.
To begin with, the Advisory Opinion applies to all “creditors” as this is a defined term under section 15 USC 1691a(e). It includes, “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.” Yes, your bank is definitely a creditor.

And now let’s look at what an Advisory Opinion actually is. The CFPB is the agency empowered to interpret Reg B and, in this case, the Advisory Opinion is an interpretive rule under the Administrative Procedure Act (APA) that responds to a specific need for clarity on a statutory or regulatory interpretive question. It is not a change in a law or regulation and therefore requires no advance notice or comment period. It is the official interpretation. Period. As you will read the CFPB is providing the interpretation as an instructive document for banks, but it also seems to be directed to at least some courts. I recall a bit of a quip from a TV judge who said, “he wasn’t last because he was right, he was right because he was last.” The CFPB believes this is the last word.

The summary of the Advisory Opinion affirms Reg B protects those actively seeking credit as well as those who sought and received credit. To support this position the document states ECOA made it unlawful for “any creditor to discriminate against any applicant on the basis of sex or marital status with respect to any aspect of a credit transaction.” From the beginning, this prohibition has protected both those actively seeking credit and those who sought and have received credit.

ECOA has always defined “applicant” to mean “any person who applies to a creditor directly for an extension, renewal, or continuation of credit, or applies to a creditor indirectly by use of an existing credit plan for an amount exceeding a previously established credit limit.”

Here I must emphasize that ECOA’s prohibition on discrimination “applies to all credit transactions including the approval, denial, renewal, continuation, or revocation of any open-end consumer credit account.” I was always taught and do teach that Reg B applies to the entire life of a credit transaction. This is stated at § 1002.4(a) of Reg B, “A creditor shall not discriminate against an applicant on a prohibited basis regarding any aspect of a credit transaction.” “Any aspect” means the application, the credit decision process, terms, collections, etc. “All aspects” means all aspects. In the Bank of America case better legal minds than mine are arguing that the definition in ECOA is more limiting. As bankers we know we must follow Reg B which implements it. It makes me wonder if the attorneys are arguing their point because they must for their client, or because they believe that is a correct interpretation and action, with no regard for Reg B.

When ECOA first passed, the Federal Reserve had rule-writing and interpretive authority. To substantiate that the CFPB’s opinion is not new, it states “Reg B made clear that the new law’s protections against credit discrimination cover both those currently applying to receive credit and those who have already received it. It did so by defining ‘applicant’ to expressly include not only ‘any person who applies to a creditor directly for an extension, renewal or continuation of credit’ but also, ‘[w]ith respect to any creditor[,] . . . any person to whom credit is or has been extended by that creditor.’”

The original ECOA prohibited discrimination based on sex or marital status. Two years after ECOA passed, Congress added to the prohibited bases six more items, race, color, religion, national origin, age, and receipt of public assistance. It also added, “[e]ach applicant against whom adverse action is taken shall be entitled to a statement of reasons for such action from the creditor.” The amendments defined “adverse action” as “a denial or revocation of credit, a change in the terms of an existing credit arrangement, or a refusal to grant credit in substantially the amount or on substantially the terms requested.” Going back many years to compliance school in Norman we learned that adverse action notices were required when, as an example, a borrower did something and was no longer qualified for their credit. Applicants, (read that also as borrowers) are entitled to an explanation when adverse action is taken.

This explanation meets two objectives for ECOA and Reg B. It protects the consumer when an explanation must be provided because the bank knows it will have to provide a reasonable explanation. Reg B was enacted before my time on a compliance desk, but I heard stories from the old-timers who were there. I recall one who said he knew “a good ol’ boy” on the loan desk who swore if he had to make a loan to an unmarried woman he’d retire. And he did – retire. We could not fathom such an attitude today and would never expect to read as a reason for denial, “single woman.” Providing actual reasons for a declination of a loan request helps protect the applicant from an illegal discrimination-based decision.

The second objective is informing the applicant. When John Smith Sr. is denied a loan due to bad credit, he is told why that decision was made. Senior is also advised that a credit report was used and under the Fair Credit Reporting Act he knows which agency provided the information and can contact them to find out what was reported. Senior might then confirm the report with the creditor only to discover that it was actually John Smith Jr’s account that was bad. Very similar name, same address, erroneous reporting. Senior can then reapply and the corrected credit report should no longer be an obstacle. The same holds for debt-to-income ratios or too short a period of employment. When an applicant is informed as to the reasons for adverse action, they may be able to correct an error or have known parameters that must be met to qualify for credit with your bank. When the person can fix these issues, they are more likely to return to you because they believe they have overcome the stated objections to their last application.

The 1976 ECOA amendments not only included in adverse action the termination of an account or an unfavorable change in terms that does not affect all or substantially all of a class of the creditor’s accounts, but it required a statement of reasons. These are required to be specific and indicate the principal reasons causing the adverse action. We will discuss the reasons in more depth in a few minutes. For this Advisory Opinion and the Fralish case, suffice it to say that a reason must be provided and here, Bank of America failed to provide any because it maintains Fralish was not protected by the ECOA.

During this amendment, the Federal Reserve Board made a “minor editorial change” to Regulation B’s definition of “applicant.” The intent was to “express more succinctly the fact that the term includes both a person who requests credit and a debtor,” a debtor being one who has already requested and received credit.

Reg B originally defined “applicant” to include anyone who “applies to a creditor directly for an extension, renewal or continuation of credit” as well as, “with respect to any creditor . . . any person to whom credit is or has been extended by that creditor,” the revised definition clearly stated that “applicant” includes “any person who requests or who has received an extension of credit from a creditor.”

Bank of America was not alone in its stance on ECOA’s definition and application of the term “applicant.” The CFPB noted that other creditors also did not agree that both ECOA and Reg B apply to that debtor after an extension of credit is made and includes treatment when there is a revocation of credit or an unfavorable change to the terms of that credit agreement. It went on to say, “some creditors fail to provide applicants with required notifications that include a statement of the specific reasons for the adverse action taken or disclose an applicant’s right to such a statement.” As further explanation, a footnote stated,

Credit cards are one of the most commonly held and widely used financial products in America—over 175 million Americans hold at least one credit card. During the COVID-19 pandemic, credit cards played a vital role as both a source of credit in emergencies and a payment method as more transactions occurred online. According to the CFPB’s 2021 Credit Card Report, about 2%, or over 10 million credit card accounts, were closed in 2020 and consumers with low credit scores are two to three times more likely to have their accounts closed than those with a higher credit score. See Bureau of Consumer Fin. Prot., The Consumer Credit Card Market (Sept. 2021). Additionally, the same report shows that over 10 million accounts experienced a credit line decrease in 2020. See also 5 Reasons Credit Card Companies Close Accounts Without Notice – And How to Fix Them, USA TODAY (July 13, 2021).

To reinforce its opinion that the protections an applicant receives extend beyond the granting of a loan, it drew a parallel to a Supreme Court case, Robinson v. Shell Oil Co., where the Court held the use of “employees” in the Civil Rights Act of 1964, Section 704(a) included former employees who were subjected to discriminatory treatment as well. Justice Thomas explained in the decision that, “at first blush, the term ‘employees’ . . . would seem to refer to those having an existing employment relationship with the employer in question,”… that “initial impression … does not withstand scrutiny in the context of § 704(a).”

The Court observed, there is “no temporal qualifier in the statute such as would make plain that § 704(a) protects only persons still employed at the time of the retaliation.” The same reasoning applies to the term “applicant” in ECOA, which is not expressly limited to those currently in the process of seeking credit.

The Advisory adds to this that,

Reading ECOA’s definition of “applicant” alongside the Act’s other provisions makes clear that the term includes applicants who have received credit and become existing borrowers. For example, ECOA’s core anti-discrimination provision protects “applicant[s]” from discrimination “with respect to any aspect of a credit transaction”—not just during the application process itself. The phrase “any aspect of a credit transaction” is most naturally read to include both the initial formation of a credit agreement as well as the performance of that agreement. Consistent with this ordinary meaning, Regulation B has always defined the term “credit transaction” to encompass “every aspect of an applicant’s dealings with a creditor,” including elements of the transaction that take place after credit has been extended.”

Adverse action notices

Let’s spend a moment now on the notification of adverse action to an applicant. ECOA’s disclosure provision requires that creditors give a statement of reasons to “each applicant” against whom they take “adverse action.” In ECOA, adverse action is defined to include a “revocation of credit” as well as a “change in the terms of an existing credit arrangement.” Connecting the dots, the CFPB points out these are actions that can be taken only with respect to persons who have already received credit.

ECOA’s private right of action points in the same direction. It allows an aggrieved “applicant” to bring suit against creditors who fail to comply with ECOA or Reg B. These references to “applicant[s]” cannot be interpreted then, to refer only to those with credit applications awaiting decisions. Otherwise, a person whose application was denied on a prohibited basis would have no recourse under ECOA’s private right of action.

The point of the Advisory Opinion is to clarify any misunderstandings of these terms and the CFPB is pointing that out to courts and the judges who make rulings. The CFPB states, “Those courts that have properly read the term “applicant” in its statutory context, including the only court of appeals to have addressed the issue, have agreed that the statute protects existing borrowers.” Obviously then, it is stating there are courts which have ruled otherwise, and those lower courts were wrong. The Advisory goes on to say,

The Bureau acknowledges that a few other district court decisions have interpreted “applicant” to include only persons actively seeking credit, but the Bureau does not believe this interpretation is persuasive. No court of appeals has endorsed these district courts’ narrow reading. These district court decisions read “applicant” in isolation instead of reading this statutory term in context, as required by the Supreme Court. For example, these decisions did not attempt to square their interpretation with ECOA’s requirement that “applicants” receive an explanation when their existing credit is terminated or modified. Nor did they grapple with the clear loophole their interpretation would create or the degree to which it would frustrate the Act’s remedial purposes.

The point is to be clear that no court of appeals has disagreed with this interpretation of the term “applicant.”

In researching “John Fralish,” in addition to the suit against Bank of America in 2021, I also found John Fralish v Digital Media Solutions, (CASE NO. 3:21-CV-00045-JD-MGG) in 2021 dealing with spam calls to Fralish after his cell phone was on the Do Not Call list. There is also a class action suit against Early Warning Services, LLC in 2021 for violation of the Fair Credit Reporting Act. Early Warning Services is a consumer reporting agency out of Scottsdale, Arizona. It describes itself as being bank-owned and it sells credit reports to over 2,500 financial institutions. Fralish requested copies of his credit reports after being denied credit with one or more of his creditor banks. He claims to have not been advised by the lender why his credit was denied and he requested a copy of his credit report to review what his bank may have seen. This would allow him to have incorrect entries fixed but he was not provided with the information Early Warning Systems had on him.

I cannot render any opinions on the lawsuits involving John Fralish as I have no idea how much merit any of them has. But I will emphasize that compliance with the letter of the law, and the banking regulation, will help a bank avoid becoming the subject of a lawsuit, especially from a consumer looking for that single violation and an opportunity to file an action or class action suit. Often a bank will settle with a litigant to make the case go away and avoid the expense of a protracted lawsuit. The alternative may be to defend what your interpretation is and to pay for those legal defense costs for potentially years to come. Yes, your bank has to worry about that litigious consumer, but there is less worry if you stay current on the compliance requirements, train staff, and follow sound policies and procedures. I’m hoping your bank did not pass on studying this Advisory Opinion as it is the CFPB that has the last word on interpretating ECOA and its implementing Reg B. And the CFPB is not afraid to tell that to the courts as well. For a bank to challenge that it would need a very strong case and six or seven digits to the left of the decimal place in the legal defense section of its budget.

Recommended action

We recommend that banks take this opportunity to review Reg B and fair lending policies and procedures to ensure they are clear as to protections a customer has and that these are considered throughout all aspects of the life of a loan.

As you have read in prior Legal Briefs the CFPB has also opined that discriminatory acts are unfair. Read that to say that your deposit customers who are not protected under fair lending laws are protected under the prohibition on Unfair, Deceptive, or Abusive Acts or Practices (UDAAP), so broadly review fair lending more in the terms of fair banking.

We expect to see the CFPB continue to expand its supervisory and enforcement actions going forward. This is especially so in the area of fair lending/banking as the current administration has made fair access, including to credit, and equal treatment of all people a priority.

Reasons for Adverse Action

We have established that adverse action notices may be required to be given to an applicant and the purpose of such a disclosure includes stating the reason or reasons for denial. It is time to explore two facets of what this can mean.

To begin, Reg B § 1002.9(a)(2) requires that adverse action notices (in most cases, and here emphasis is on consumer loans) shall be in writing and contain four specific things, one of which includes a statement of specific reasons for the action taken. The Commentary to this section goes on to explain that “A creditor must disclose the principal reasons for denying an application or taking other adverse action. The regulation does not mandate that a specific number of reasons be disclosed, but disclosure of more than four reasons is not likely to be helpful to the applicant.” We will break this into two parts for discussion here, principal reasons, and then the number of reasons stated.

On May 26, 2022, the CFPB released a document titled, “CFPB Acts to Protect the Public from Black-Box Credit Models Using Complex Algorithms.” This emphasized that Reg B and ECOA, a federal antidiscrimination law, require specific reasons for taking adverse action. Above we described that is helps keep a creditor honest and informs the applicant. This notice is to emphasize that these rules apply even when using credit models which rely on complex algorithms.

In 1974, when ECOA and Reg B were conceived, a loan decision was based on an application for credit. A lender typically learned the five Cs of credit — character, capacity, capital, collateral and conditions — and applied them against the application. A human being made a decision and Reg B required that in the case of a denial, the reason would be given. It was not enough to say, “you do not meet our requirements for a loan,” as that was not a specific reason. The denial had to specify something about a debt ratio or excessive debt or length of employment. Remember part of the intent here is to inform the applicant so they can fix what is wrong and then reapply and receive credit.

In 2022 there is often less human being and more artificial intelligence involved. In a time of automation and analytics computer models use predictive analysis based on data input to compute credit scores, and to make loan decisions very quickly. “Companies are not absolved of their legal responsibilities when they let a black-box model make lending decisions,” said CFPB Director Rohit Chopra. “The law gives every applicant the right to a specific explanation if their application for credit was denied, and that right is not diminished simply because a company uses a complex algorithm that it doesn’t understand.”

What the CFPB is cautioning lenders about is technology is driving the reasons for adverse action back to a nondescript, “you do not meet our requirements for a loan.” These lenders understand less of what went into the computer’s loan decision than they do about how to compute a credit score. And “the computer model said No” is not informing the applicant, nor is it keeping the lender honest. The CFPB has accused artificial intelligence models of discrimination already. If a lender cannot explain the principal reasons for a decision, it needs a different way to make the decision. Computer models’ reasons for denial must be specific for the lender to comply with Reg B.

Lastly, I want to revisit the required number of reasons for denial. The Commentary says, “The regulation does not mandate that a specific number of reasons be disclosed, but disclosure of more than four reasons is not likely to be helpful to the applicant.” Many lenders read this to say you cannot quote more than four reasons but that isn’t so. It says it does not mandate the number of reasons. If you are criticized for providing five or more, consider challenging the critic. But if you have four reasons that will be difficult for the applicant to overcome, you do not need to pile on more reasons. What you do not want is to have (say) six reasons but list only four which are easily fixable. The applicant corrects those and comes back in only to be refused for two others that are very difficult to correct. It’s like kicking them when they’re down. List the most severe and exceed four reasons when necessary.

Electronic liens

By Pauli Loeffler

The PowerPoint presentation from the informational session presented by the Oklahoma Tax Commission covering electronic liens is accessible through this link: https://www.oba.com/wp-content/uploads/2022/07/OK-Tax-Commission-power-point.pdf. It is also available on the OBA’s Legal Links Webpage.

June 2022 OBA Legal Briefs

  • Please help us to help you (Part 2)
  • Oklahoma Mini-TCPA
  • Tit. 47 O.S. § 1110 (Perfection of Security Interest)
  • Tit. 47 O.S. § 427A/§ 1105A (Electronic filing, etc., of Titles) – REVISED
  • Changes in UCCC amounts effective 7/1/22

Please help us to help you (Part 2)

by Andy Zavoina

Last month, Pauli asked you to include certain information in your signature block when emailing us a question. This month, we ask you to avoid sending unnecessarily encrypted emails. We often find they are used for basic questions without information requiring such safeguards. It takes more time to register with an email provider and establish an acceptable password than to answer some questions. In many of these situations it may be faster just to call us.

When you do call, you may have to leave a voice mail. Please provide a detailed description of your question so that the appropriate person can call or email you and have the necessary resources available. And please, take the time to state clearly your questions, and especially your name, bank name and location, and call-back number.

[Editor’s note: In early May, an email security change at OBA locked the OBA Compliance Team out of the OBA email system, and we had to set up a temporary email account very quickly for the team. We are very happy to report that we regained access to our compliance@oba.com mailbox after only a few days. If any of you changed our email address in your contacts lists, please change it back. We appreciate your patience while we worked with the temporary setup.]

Oklahoma Mini-TCPA

By Andy Zavoina

The federal Telephone Consumer Protection Act (TCPA) was passed in 1991 and is well seasoned and understood by some and misunderstood by others. (“Your car warranty is expiring. This is your final notice.” Yeah, you wish it was final.) The law restricts certain telemarketing phone calls, text messages, and facsimiles. I’m not sure who is still using a fax so for the purposes of this article I will refer to telephone calls and text messages. Include faxes if your bank is using that delivery channel.) It also places restrictions on the use of automatic dialing systems and artificial or prerecorded voice messages.

In 2021 states began showing more interest by adding to the consumer protections. In particular, Florida passed its Florida Telephone Solicitation Act (FTSA). This included new and broader restrictions on telemarketing operations. Oklahoma has largely copied the FTSA in passing its own Oklahoma Telephone Solicitation Act. The Oklahoma version is often referred to as the mini-TCPA. It was signed by Governor Stitt in May and will be effective about five months later, beginning November 1, 2022. It will be codified in the Oklahoma Statutes as Section 775C.3 of Title 15.

There are a few key provisions we will focus on this month. The intent is consumer protection for Oklahoma residents, so the mini-TCPA expands on telemarketing restrictions. As with most telemarketing laws, this requires telemarketers to have a prior express written consent before they  contact a consumer. This is a term that is defined and means there is a written agreement that:

  1. bears the signature of the called party,
  2. clearly authorizes the person making or allowing the placement of a commercial telephonic sales call by telephone call, text message, or voicemail transmission to deliver or cause to be delivered to the called party a commercial telephonic sales call using an automated system for the selection or dialing of telephone numbers, the playing of a recorded message when a connection is completed to a number called, or the transmission of a prerecorded voicemail,
  3. includes the telephone number to which the signatory authorizes a commercial telephonic sales call to be delivered, and
  4. includes a clear and conspicuous disclosure informing the called party that:

(1) by executing the agreement, the called party authorizes the person making or allowing the placement of a commercial telephonic sales call to deliver or cause to be delivered a commercial telephonic sales call to the called party using an automated system for the selection or dialing of telephone numbers or the playing of a recorded message when a connection is completed to a number called, and

(2) he or she is not required to sign the written agreement directly or indirectly or to agree to enter into such an agreement as a condition of purchasing any property, goods, or services; and

This signature may be electronic as well as traditional wet ink.

In addition, telemarketers should pay special attention to four provisions of the Oklahoma law in particular. Let’s look at those four provisions.

One – There is no clarification over what is defined by the term “auto-dialer.” This has caused great concern and fueled litigation. The recent Supreme Court case of Facebook v Duguid established a limited definition to only the equipment which produces numbers using a random or sequential number generator. Without clarity the mini-TCPA could be more broadly interpreted making it more onerous on banks with marketing programs using applicable technologies. This new law refers only to, “an automated system for the selection or dialing of phone numbers.” This definition could refer to virtually any device which is not dialed manually.

Two – The mini-TCPA will limit the number of telephone calls and text messages which a telemarketer can send to any one consumer in a day. More specifically it limits contacting a consumer more than three times in a 24-hour period pertaining to the same subject matter or issue. This means the telemarketer must either track the calls and text messages to a given number based on the subject matter or have a system in place, be it software or some form of a database, that tracks and prevents any fourth or subsequent telephone or text message. If you ask me to define the “same subject matter or issue,” I cannot do that. It could be broadly or narrowly defined just as an auto-dialer may be. If a consumer was contacted once about opening a deposit account to take advantage of great rates and low fees, once about a new checking product, and then about a new savings account, could those three be bundled as one subject – deposit accounts? This may be up to legal interpretations and/or the courts.

Three – Although the “day” means a 24-hour period, the mini-TCPA passed for Oklahoma is a bit more limiting than many other states when it comes to time limits when the consumer may actually be contacted. The mini-TCPA limits contact to the 12-hour period from 8 a.m. until 8 p.m., local time. That is the consumer’s local time, not the bank’s. This has been a contentious issue in the past and will continue to be, because with mobile phones you have no idea where your consumers actually are. The area codes are not necessarily an indicator of your consumer’s local time, and this is especially true with military customers and those who travel and work or go to school in another time zone. Be sure to review item four (below) on this issue. Many other state laws and the federal TCPA allow contact from 8 a.m. until 9 p.m., so this new law is a bit more limiting.

Four – The new law does include a rebuttable presumption that your telephone calls and text messages to an Oklahoma area code are being made to an Oklahoma resident. So, for any of the state’s five area codes there is a defensible position as to when it is the customer’s local time. But unlike land lines that are geographically limited, your customer travels with their mobile phone and may permanently reside elsewhere. Be sure to cross reference addresses on file, because having sent bank statements to a consumer’s address in any other time zone may eliminate your rebuttable presumption.

Exemptions

The new mini-TCPA does provide exemptions that may apply to your bank. There are a number of exemptions, but I will draw your attention to number 20. It specifically exempts a “person soliciting business from prospective consumers who have an existing business relationship with or who have previously purchased from the business enterprise for which the solicitor is calling if the solicitor is operating under the same business enterprise.” This exemption alone may be enough to cause you to dismiss the mini-TCPA as a non-event but ensure you are familiar with it to avoid problems. And while this may be an exemption from the mini-TCPA, the bank may not enjoy the same exemptions from the federal TCPA.

Recommended actions

We recommend the bank evaluate all current telemarketing activities. There may be a concerted marketing effort in-house or outsourced for solicitations, or a branch may have taken upon itself an effort to contact new customers for sales in an effort to achieve periodic goal requirements. It happens and some employees will take the initiative. But a violation would be a violation regardless of the motivating factors. Know what is happening in and on behalf of your bank.

The bank should update policies and procedures addressing telemarketing activities even if called by another name, marketing, officer call programs, etc. that are impacted by the mini-TCPA.

Train staff so they all understand the basic requirements of the new mini-TCPA. Specifically focus on what activities are included and what they must do to comply both with the law itself and with the bank’s policies and procedures. This may include obtaining permission from customers as well as management to conduct any activities and following established procedures to comply with the new requirements.

Review and update any outsourcing agreements. Call centers that provide such marketing activities will be subject to the mini-TCPA whether they are a third party or part of the bank making “cold calls.” The bank may delegate authority to third parties, but it cannot delegate responsibilities. It is still the bank’s burden to ensure compliance and the bank has the ultimate responsibility. That said, any agreements may be reviewed to displace as much responsibility to a third party as possible for the actions of that third party.

Penalties

The mini-TCPA does contain a private right to action for consumers. The per call or text message penalties range from between the lesser of actual damages to $500 and to $1,500 for a willful violation. And with regulatory agencies using all possible penalties in enforcement actions, a problem or series of telemarketing problems could result in both state and federal TCPA actions. If the problem is large enough this could result in a class action suit.

There is time, but …

With several months between the date of this article and the November 1, 2022, effective date, there is time to accomplish these actions even with the summer months running interference. But banks are urged not to wait until the last minute and be forced to play catchup.

You will find HB3168 here,

Tit. 47 O.S. § 1110 (Perfection of Security Interest)

by Pauli Loeffler

Sec. 1110 was amended effective May 4, 2022, with regard to transfers of title when there is a lien entry filed by a commercial lender on a vehicle. The amendment provides:

A.

8. When there is an active lien from a commercial lender in place on a vehicle, motor license agents shall be prohibited from transferring the certificate of title on that vehicle until the lien is satisfied, except when the title is transferred:

a) to a person whose name is included on the loan for which the lien is placed pursuant to an agreement by the lender and any party to the title,

b) to a trust created by a person whose name is included on the loan for which the lien is placed, or

c)from a person who has died, upon the submission of a death certificate.

The provisions of this paragraph shall not be construed to release any lien or debt based solely upon a transfer of certificate of title.

The only way to perfect a security interest in a vehicle is by lien entry. As long as the lien remains on the title, the bank can repo the collateral, get a repo title, and sell the collateral. The original borrowers or their estates if the borrower is deceased will remain liable on the note regardless of whether they retain title or not.

Under the amendment if a co-borrower is NOT on the title to the vehicle, the title may only be transferred to the co-borrower if s/he provides proof of status as a co-borrower. Likewise, if the borrower is a natural person, title may be transferred to his or her trust subject to the lien. Note that a garnishment or levy will reach the settlor’s trust,

8.c. covers the situation where the borrower is deceased. The rationale for 8.c. is intended to cover the situation when the sole owner/borrower dies, and there is no other borrower, and no one is making loan payments, so the loan is in default. The problem facing the bank in repossessing and selling the vehicle is determining who must receive notice of the sale. If there is a probate, the bank can deal with the person appointed to represent the estate, but when there is no probate, things get messy.

If the owner provided a Transfer on Death Application (Tit. 47, Sec. 1107.5), title can be transferred to the named person, but such transfer is not allowed as long as the lien remains unsatisfied. Basically, 8.c. would allow the transfer provided payment of the loan has either been made, or the bank is willing to allow the individual named as Transfer on Death beneficiary to assume the loan. Note that if the TOD beneficiary neither pays off the loan nor assumes the loan, the bank can still repossess the vehicle, however, the TOD beneficiary will have no personal liability.

If the deceased owner/borrower had a will, then the title can be transferred using the OTC’s Affidavit of Small Estate. Again, as long as the lien remains on the title, there isn’t a problem, and the loan will have to be paid or provided for, e.g., the heir will assume the note or refi the loan. If there is no will, then the affidavit can’t be used. If the owner died intestate (no will), and there is no probate, then the bank has to determine who the deceased owner’s known heirs are and mail them notice of sake as well as provide publication notice to the unknown heirs. This is time and labor intensive which makes it more expensive to repo the vehicle and sell it. It remains to be seen whether 8.c. allows OTC to transfer title subject to the lien in such case. I believe that in order for this to be permitted, the OTC will need to promulgate new rules and forms.

Tit. 47 O.S. § 427A/§ 1105A (Electronic filing)

by Pauli Loeffler

I covered this in the October 2021 OBA Legal Briefs, but as we draw closer to its effective date on July 1, 2022, we need to review its provisions. This statute covers Electronic Filing, Storage and Delivery of Motor Vehicle Certificates of Title – Procedures. It provides for certificates of title and liens filed after June 30, 2022. Two provisions banks need to know are:

A. On or before July 1, 2022, the Oklahoma Tax Commission shall implement a program which will permit the electronic filing, storage and delivery of motor vehicle certificates of title and allow a lienholder to perfect, assign and release a lien on a motor vehicle in lieu of submission and maintenance of paper documents as otherwise provided in the provisions of Section 1101 et seq. of Title 47 of the Oklahoma Statutes…

B. The program authorized under subsection A of this section shall include, but not be limited to, procedures: 1. For the delivery of a certificate of title, on a paper document or in an electronic format, to the secured party having the primary perfected security interest in a vehicle in lieu of delivery to the record owner, notwithstanding the provisions of Section 1101 et seq. of Title 47 of the Oklahoma Statutes.  Provided, when electronic transmission of liens and lien satisfactions is used, a certificate of title need not be issued or printed until the last lien is satisfied and a clear certificate of title is issued to the owner of the vehicle at their request…

First, the Oklahoma Tax Commission will continue to offer both electronic and paper process on and after July 1, just as they do now. Second, instead of the vehicle’s owner receiving the title, the primary lien holder will receive the title. Since the OTC allows multiple lien entries on the title, lenders with inferior liens presumably have to request a copy of the title for their records, Finally, when all liens are released, it seems the owner will have to request a copy of the title.

Prior to July 1, 2022, the effective date of this legislation, there were only nine nontitle-holding states: Kentucky, Maryland, Michigan, Minnesota, Missouri, Montana, New York, Oklahoma, Wisconsin. In these states, the title is issued to the registered owner/operator of the vehicle, regardless of whether there is as a lien holder. In the other 41 states, titles are issued to the lien holder of the vehicle, who will hold the title until the loan is paid off. Oklahoma joins these title-holding states on July 1, 2022.

Changes in UCCC amounts effective 7/1/22

by Pauli D. Loeffler

Sec. 1-106 of the Oklahoma Uniform Consumer Credit Code  in Title 14A (the “U3C”) makes certain dollar limits subject to change when there are changes in the Consumer Price Index for Urban Wage Earners and Clerical Workers, compiled by the Bureau of Labor Statistics, U.S. Department of Labor.  You can download and print the notification from the Oklahoma Department of Consumer Credit by clicking here.   It is also accessible on the OBA’s Legal Links page under Resources once you create an account through the My OBA Member Portal. You can access the Oklahoma Consumer Credit Code as the changes in dollar amounts for prior years on that page as well.

Increased Late Fee

The maximum late fee that may be assessed on a consumer loan is the greater of (a) five percent of the unpaid amount of the installment or (b) the dollar amount provided by rule of the Administrator for this section pursuant to § 1-106. As of July 1, 2020, the amount provided under (b) will increase by $2.00 to $29.00

Late fees for consumer loans must be disclosed under both the UC3 and Reg Z, and the consumer must agree to the fee in writing. Any time a loan is originated, deferred, or renewed; the bank has the opportunity to obtain the borrower’s written consent to the increased late fee set by the Administrator of the Oklahoma Department of Consumer Credit.  However, if a loan is already outstanding and is not being modified or renewed, a bank has no way to unilaterally increase the late fee amount if it states a specific amount in the loan agreement.

On the other hand, the bank may take advantage of an increase in the dollar amount for late fees if the late-fee disclosure is worded properly, such as:

“If any installment is not paid in full within ten (10) days after its scheduled due date, a late fee in an amount which is the greater of five percent (5%) of the unpaid amount of the payment or the maximum dollar amount established by rule of the Consumer Credit Administrator from time to time may be imposed.”

§ 3-508A

This section of the “U3C” sets the maximum annual percentage rate for certain loans. It provides three tiers with different rates based on unpaid principal balances that may be “blended.” It also has an alternative maximum rate that may be used rather than blending the rates. The amounts under each tier are NOT subject to annual adjustment by the Administrator of the Oklahoma Department of Consumer Credit under §1-106. However, a new subsection (4) was added allowing the lender to charge a closing fee which IS subject to adjustment under § 1-106. The closing fee of $28.85 was effective for loans made on and after November 1, 2021. This amount has increased as follows:

(4)  In addition to the loan finance charge permitted in this section and other charges permitted in this act, a supervised lender may assess a lender closing fee not to exceed One Hundred Sixty-seven Dollars and thirty-three ($167.33) upon consummation of the loan.

Note that the closing fee, while not a finance charge under the OK U3C, and therefore not considered for purposes of Oklahoma usury IS a finance charge under Reg Z. Most banks use Reg Z disclosures. This means that it is possible that the fee under Reg Z disclosures will cause the APR to exceed the usury rate under § 3-508A. If that happens, document the file to show that the fee is excluded under the U3C in order to show that the loan does not in fact violate Oklahoma’s usury provisions. Please note that the bank is NOT required to charge a closing fee at all, and I know that at least one bank has stated it has decided to charge an amount less than the amount permitted under the statute.

You can access the § 3-508A Matrix here.

§ 3-508B Loans

Some banks make small consumer loans based on a special finance-charge method that combines an initial “acquisition charge” with monthly “installment account handling charges,” rather than using the provisions of § 3-508A with regard to maximum annual percentage rate.

The permitted principal amounts for § 3-508B is adjusting from $1,6200.00 to $1,740.00 for loans consummated on and after July 1, 2022.

Sec. 3-508B provides an alternative method of imposing a finance charge to that provided for Sec. 3-508A loans. Late or deferral fees and convenience fees as well as convenience fees for electronic payments under § 3-508C are permitted, but other fees cannot be imposed. No insurance charges, application fees, documentation fees, processing fees, returned check fees, credit bureau fees, nor any other kind of fee is allowed. No credit insurance even if it is voluntary can be sold in connection with in § 3-508B loans. If a lender wants or needs to sell credit insurance or to impose other normal loan charges in connection with a loan, it will have to use § 3-508A instead.  Existing loans made under § 3-508B cannot be refinanced as or consolidated with or into § 3-508A loans, nor vice versa.

As indicated above, § 3-508B can be utilized only for loans not exceeding $1,740.00. Further, substantially equal monthly payments are required. The first scheduled payment cannot be due less than one (1) calendar month after the loan is made, and subsequent installments due at not less than 30-day intervals thereafter. The minimum term for loans is 60 days. The maximum number of installments allowed is 18 months calculated based on the loan amount as 1 month for each $10.00 for loan amounts between $173.94 and $580.00 and $20 for loan amounts between $580.01 – $1,740.00.

Lenders making § 3-508B loans should be careful and promptly change to the new dollar amount brackets, as well as the new permissible fees within each bracket for loans originated on and after July 1st. Because of peculiarities in how the bracket amounts are adjusted, using a chart with the old rates after June 30 may result in excess charges for certain small loans and violations of the U3C provisions.

Since §3-508B is “math intensive,” and the statute whether online or in a print version does NOT show updated acquisition fees and handling fees, you will find a modified version of the statute with the 2022 amounts toward the bottom of the Legal Links page here. Again, you will need to register an account with the OBA in order to access it.

The acquisition charge authorized under this statute is deemed to be earned at the time a loan is made and shall not be subject to refund, if the loan is prepaid in full, refinanced or consolidated within the first sixty (60) days, the acquisition charge will NOT be deemed fully earned and must be refunded pro rata at the rate of one-sixtieth (1/60) of the acquisition charge for each day from the date of the prepayment, refinancing or consolidation to the sixtieth day of the loan. The Department of Consumer Credit has published a Daily Acquisition Fee Refund Chart for prior years with links on this page, (https://www.ok.gov/okdocc/Licenses_We_Regulate/Supervised_Lender/index.html)  but had not done so at the time this article was written. Note if a loan is prepaid, the installment account handling charge shall also be subject to refund. A Monthly Refund Chart for handling charges for prior years can be accessed on the page indicated above, as well as § 3-508B Loan Rate (APR) Table. I expect the charts and table for 2022 to be added shortly.

NOTE: Sec. 3-508B was amended this last legislative session with changes that are effective November 1, 2022. I will cover the changes in a future Legal Briefs article prior to the effective date.

§ 3-511 Loans

I frequently get calls when lenders receive a warning from their loan origination systems that a loan may exceed the maximum interest rate. Nearly always, the banker says the interest rate does not exceed the alternative non-blended 25% rate allowed under § 3-508A according to their calculations. Usually, the cause for the red flag on the system is § 3-511. This is another section for which loan amounts may adjust annually. Here is the section with the amounts as effective for loans made on and after July 1, 2022, in bold type.

Supervised loans, not made pursuant to a revolving loan account, in which the principal loan amount is $5,800.00 or less and the rate of the loan finance charge calculated according to the actuarial method exceeds eighteen percent (18%) on the unpaid balances of the principal, shall be scheduled to be payable in substantially equal installments at equal periodic intervals except to the extent that the schedule of payments is adjusted to the seasonal or irregular income of the debtor; and

(a) over a period of not more than forty-nine (49) months if the principal is more than $1,740.00, or

(b) over a period of not more than thirty-seven (37) months if the principal is $1740.00 or less.

The reason the warning has popped up is due to the italicized language: The small dollar loan’s APR exceeds 18%, and it is either single pay or interest-only with a balloon.

Dealer Paper “No Deficiency” Amount

If dealer paper is consumer-purpose and is secured by goods having an original cash price less than a certain dollar amount, and those goods are later repossessed or surrendered, the creditor cannot obtain a deficiency judgment if the collateral sells for less than the balance outstanding. This is covered in Section 5-103(2) of the U3C. This dollar amount was previously $5,400.00 and increases to $5,800.00 on July 1.

May 2022 OBA Legal Briefs

  • Please help us help you
  • Lender credits on the TRID closing disclosure
  • MLA and GAP
  • Overdraft fees are not interest

Please help us help you

By Pauli D. Loeffler

You may have missed the notice on the Oklahoma Bankers Association’s webpage regarding issues the OBA Legal and Compliance team is experiencing with emails sent to us. Regardless of the fact that we hope to have the issue resolved shortly, we found that many bankers fail to provide vital contact information in their email signature blocks. This delays or prevents us from providing a quick response.

Specifically, the signature block needs to have not only your name and the name of the bank but also your email address, phone number (with extension, if any), and the city where you are located. There are times when a phone call to get additional information to answer a question is better than a series of emails. We certainly can look up the phone number for the main bank, but most banks have branches which results in making additional calls.

We appreciate your understanding and patience during the resolution of the email issue and look forward to answering your legal and compliance questions.

Lender credits on the TRID closing disclosure

By John S. Burnett

There are two types of lender credits that are disclosed under Regulation Z’s “TRID” disclosure requirements. In this discussion, we will review how those two types of lender credits should be used and disclosed.

First, however, let’s review what lender credits include. They are (1) payments, such as credits, rebates, and reimbursements, that a creditor provides to a consumer to offset closing costs the consumer will pay as part of the mortgage loan transaction; and (2) premiums in the form of cash that a creditor provides to a consumer in exchange for specific acts, such as for accepting a specific interest rate, or as an incentive, such as to attract consumers away from competing creditors.   (https://www.consumerfinance.gov/compliance/compliance-resources/mortgage-resources/tila-respa-integrated-disclosures/tila-respa-integrated-disclosure-faqs/#lender-credits)

Another way of separating lender credits into two types is to use the terms “specific lender credits” and “general lending credits.” These are the ways in which lender credits are disclosed that our discussion is focused on.

General lender credits

Your bank may decide, for example, that it will pay up to $1,000 in borrower third-party closing costs, without specifying which third-party costs are included. Because you want the lender credit to appear on the loan estimate, you show that lender credit as a negative amount in the estimated closing costs on page one and in section J on page 2. You also disclose your good faith estimates of closing costs for the loan your applicant has applied for – the origination charges, title work costs, taxes and recording fees, prepaids and all the rest –  that collectively will most likely be paid in connection with the loan, without indicating which of those costs your promised $1,000 will cover. The “calculating cash to close” box starts with the total closing costs reduced by the general lender credit, so it flows through to the Estimated Cash to Close – the approximation of what the applicant can expect to bring to (or receive from) the closing.

Note: Completing the loan estimate this way does present a risk that the closing costs to be covered end up totaling less than the general lender credit amount at closing time. Because lender credits are considered “negative closing costs,” a lender cannot reduce the general lender credit that appears on the loan estimate unless the lender credit is directly affected by a changed circumstance affecting the lender credit as part of the pricing of the loan. However, this is the usual way to complete a loan estimate when the lender intends to provide a general lender credit toward closing costs.

General lender credits for tolerance violations

We just discussed an example of a planned or intentional general lender credit. There’s also the chance that your bank will have to provide an unexpected general lender credit if its closing costs estimates fall short of the actual closing costs, and the differences are more than permitted under the tolerance limits in Regulation Z §§ 1026.19(e)(3)(i) and 1026.19(e)(3)(ii) — the zero percent and ten percent tolerance rules, respectively.

When a lender determines that it has exceeded the tolerance limits under either or both of those sections, it has to adjust the amount due to or from the consumer by the amount by which the tolerance limits were exceeded. A general lender credit (or an increase to a general lender credit already provided) is one way to get that done.

In such a case, the amount of the excess closing costs will appear (itself or as part of a Lender Credits amount) in three places on the closing disclosure:

  1. On the Lender Credits line in section J on page 2, the amount of the excess closing costs will appear in parentheses in the label after the words “Lender Credits.” The statement in the parentheses will read “(Includes $XXX credit for increase in Closing Costs above legal limit)” and the total Lender Credit amount (including the excess closing costs and any other planned general lender credit) appears as a negative amount in the Borrower Paid At Closing column.
  2. On the Total Closing Costs line of the Calculating Cash to Close table on page 3, if the actual closing costs exceed the estimated closing costs, and tolerance violations have occurred, the total amount of the tolerance violations will appear in a second bullet list entry in the “Did this change?” response, saying “Increase exceeds legal limits by $XXX. See Lender Credits on page 2.”
  3. On page 1, on the Closing Costs line of the Costs at Closing table, the amount of the total tolerance violations (the amount to be credited in the general lender credit) appears as part of the Lender Credits after the minus sign and before the words “in Lender Credits,” so the statement to the right of the total closing costs figure reads: “Includes $XXXX.xx in Loan Costs + $XXXX.xx in Other Costs = $XXXX.xx in Lender Credits.”

Specific lender credits

If your bank wants to pay selected closing costs that consumers are typically charged as part of your residential mortgage lending strategy, there are two ways to prepare the loan estimate. You can simply omit those selected costs that the consumer will not be charged from the loan estimate completely (your applicants won’t be charged for these services, so they don’t have to be included on the loan estimate). Make sure you disclose any costs that the consumer will be charged (an application fee, for example).

Another way to complete the loan estimate is to include all the costs the lender estimates will be involved (including those the lender intends to absorb) and show a general lender credit. In that way, the consumer sees all those costs, but also sees the amount of those costs the lender plans to cover.

But this section is about specific lender credits, you’re thinking. That’s right, it is. Because when it’s time to issue the closing disclosure, you get down to specifics. For each loan cost or other cost on page 2 that the lender intends to cover, insert the amount of that cost in the Paid By Others column and (optionally) identify it as a lender credit by including “(L)” before the dollar amount (without the quotation marks, of course). That reduces the costs due from the consumer because there’s no cost for the service in the Borrower Paid column. You’ve correctly disclosed a specific lender credit. Now, do the same for each cost that the lender is absorbing.

Suppose that the loan estimate for the loan included a general lender credit. The total of specific lender credits and general lender credits on the closing disclosure must equal or exceed the amount of the general lender credit on the loan estimate. What do you do if you overestimated a cost on the loan estimate, or one of the services listed there was not used, and now your loan estimate has a general lender credit amount that’s $50 more than the total specific lender credits on the closing disclosure? You include a general lender credit of $50 on the closing disclosure in Section J on page 2 and in the Costs at Closing table at the bottom of page 1.

What about tolerance violations?

Earlier, we said that a lender can issue a loan estimate without including the costs that the lender intends to absorb. When it’s time for closing, you must include all costs, regardless of who pays them. We’ve described above the way to avoid tolerance violations, by putting the costs to be absorbed in the Paid by Others column on the closing disclosure.  Just to make it interesting, let’s assume that the lender did not intend to absorb the cost of the appraisal, and included that service on the loan estimate in section B as “not shoppable,” with a cost estimate of $750.  For whatever reason, the actual cost of the appraisal ends up at $900, and the lender did not elect to issue a revised loan estimate for a changed circumstance. So there is a $150 tolerance violation (it is a 0 percent tolerance service cost). Does the lender have to treat that as an “increase exceeding legal limits” and include that $150 in Section J and in the Costs at Closing table?

No. There’s an easier (and better, in this author’s view) way to handle it. Just break the cost of the appraisal into two parts: $750 goes in the Borrower Paid column and (L) $150 goes in the Paid by Others column.

The same strategy can be used for a cost omitted by mistake from the loan estimate or any other cost that would become a tolerance violation if paid by the consumer. If the lender is facing an excessive increase in 10-percent limit costs, enough costs to bring the “10 percent bucket” back to a 10 percent increase or less can be shifted from the Borrower Paid column to the Paid by Others column.

Whichever method is used, the total paid by the consumer will be the same. The only difference is how the lender credits are shown – as general or specific lender credits.

One important caveat – don’t use the specific lender credit method if you’re dealing with a prepaid finance charge. For some loan origination systems, doing so can alter the finance charge amounts and affect the APR.

 MLA and GAP

By Andy Zavoina

It is no surprise that the Department of Defense is not a fan of GAP coverage on loans to service members. When the Military Lending Act regulation (MLA) was revised and later clarified with guidance in Q&A form, the DoD essentially said that an automobile loan was exempt from MLA restrictions when the funds from the loan were used for the purchase of the collateral, but if there were additional funds such as for non-essential items, the loan would lose the exemption.

This could then require more disclosures on a loan and attention to the 36 percent Military Annual Percentage Rate (MAPR) cap which is the Annual Percentage Rate on steroids. The MAPR is inclusive of such fees as GAP and credit insurance and the 36 percent rate is easily within reach with these fees included. This is a reason those financing vehicles want the exclusion from disclosures and the 36 percent usury rate. The DoD dislikes GAP insurance as well as some other costs like credit life insurance. Many banks like them as they can be profitable for the banks especially in competitive low-rate environments.

The DoD views many costs as unnecessary and expensive to the service member borrower. Banks and auto dealers do make a profit on these add-ons and many of these serve a key and important role, when needed. As to insurance, more than once I have seen a service member who had no equity in the collateral be saved from a deficit balance when a car was totaled or an estate saved from a debt when a service member passed. If the insurance is never needed it may seem expensive. But for those who paid a fraction of what was later paid out in a claim, it was worthwhile. The DoD sees the payouts as an exception and greed, or unnecessary costs to a service member anyway, as the rule.

In 2016 the DoD attempted to clarify the wording of the MLA exemption requirements with Guidance instead of revising the regulation itself. In the text below you can read that the exemption was lost with certain additional items being financed, a hybrid loan, but not others. Cash out being included in the loan would clearly void the exemption. GAP was not directly discussed and many lenders believed it was an essential component of a loan.

Here is Question 2 from the original August 2016 Guidance from the DoD:

  1. Does credit that a creditor extends for the purpose of purchasing personal property, which secures the credit, fall within the exception to “consumer credit” under 32 CFR 232.3(f)(2)(iii) where the creditor simultaneously extends credit in an amount greater than the purchase price?

Answer: No.  Section 232.3(f)(1) defines “consumer credit” as credit extended to a covered borrower primarily for personal, family, or household purposes that is subject to a finance charge or payable by written agreement in more than four installments. Section 232.3(f)(2) provides a list of exceptions to paragraph (f)(1), including an exception for any credit transaction that is expressly intended to finance the purchase of personal property when the credit is secured by the property being purchased.  A hybrid purchase money and cash advance loan is not expressly intended to finance the purchase of personal property, because the loan provides additional financing that is unrelated to the purchase.  To qualify for the purchase money exception from the definition of consumer credit, a loan must finance only the acquisition of personal property.  Any credit transaction that provides purchase money secured financing of personal property along with additional “cash-out” financing is not eligible for the exception under § 232.3(f)(2)(iii) and must comply with the provisions set forth in the MLA regulation

In December 2017 that question was modified to include the section on personal property as well as on vehicles. They mirror one another, and it always seemed odd they separated the two forms of collateral but treated them exactly the same, less the original Guidance which discussed just vehicles. The revised Guidance was more detailed as you can read below, and was specific to state GAP would in fact void the MLA exemption.

  1. Does credit that a creditor extends for the purpose of purchasing a motor vehicle or personal property, which secures the credit, fall within the exception to “consumer credit” under 32 CFR 232.3(f)(2)(ii) or (iii) where the creditor simultaneously extends credit in an amount greater than the purchase price of the motor vehicle or personal property?

Answer: The answer will depend on what the credit beyond the purchase price of the motor vehicle or personal property is used to finance.  Generally, financing costs related to the object securing the credit will not disqualify the transaction from the exceptions, but financing credit-related costs will disqualify the transaction from the exceptions.

Section 232.3(f)(1) defines “consumer credit” as credit offered or extended to a covered borrower primarily for personal, family, or household purposes that is subject to a finance charge or payable by written agreement in more than four installments. Section 232.3(f)(2) provides a list of exceptions to paragraph (f)(1), including an exception for any credit transaction that is expressly intended to finance the purchase of a motor vehicle when the credit is secured by the vehicle being purchased and an exception for any credit transaction that is expressly intended to finance the purchase of personal property when the credit is secured by the property being purchased. 

 A credit transaction that finances the object itself, as well as any costs expressly related to that object, is covered by the exceptions in § 232.3(f)(2)(ii) and (iii), provided it does not also finance any credit-related product or service.  For example, a credit transaction that finances the purchase of a motor vehicle (and is secured by that vehicle), and also finances optional leather seats within that vehicle and an extended warranty for service of that vehicle is eligible for the exception under § 232.3(f)(2)(ii).  Moreover, if a covered borrower trades in a motor vehicle with negative equity as part of the purchase of another motor vehicle, and the credit transaction to purchase the second vehicle includes financing to repay the credit on the trade-in vehicle, the entire credit transaction is eligible for the exception under § 232.3(f)(2)(ii) because the trade-in of the first motor vehicle is expressly related to the purchase of the second motor vehicle.  Similarly, a credit transaction that finances the purchase of an appliance (and is secured by than appliance), and also finances the delivery and installation of that appliance, is eligible for the exception under § 232.3(f)(2)(iii).

 In contrast, a credit transaction that also finances a credit-related product or service rather than a product or service expressly related to the motor vehicle or personal property is not eligible for the exceptions under § 232.3(f)(2)(ii) and (iii).  For example, a credit transaction that includes financing for Guaranteed Auto Protection insurance or a credit insurance premium would not qualify for the exception under § 232.3(f)(2)(ii) or (iii).  Similarly, a hybrid purchase money and cash advance credit transaction is not expressly intended to finance the purchase of a motor vehicle or personal property because the credit transaction provides additional financing that is unrelated to the purchase.  Therefore, any credit transaction that provides purchase money secured financing of a motor vehicle or personal property along with additional “cash out” financing is not eligible for the exceptions under § 232.3(f)(2)(ii) and (iii) and must comply with the provisions set forth in the MLA regulation.

In this 2017 Guidance the DoD says a loan that finances the purchase of a motor vehicle and is secured by that vehicle can also finances optional leather seats, negative equity and an extended vehicle warranty as an example of a loan that would be eligible for the MLA exemption.  In contrast the Guidance used a credit transaction which includes financing for GAP insurance or a credit insurance premium as examples of a credit transaction that would not be exempt from the MLA.

Many banks and auto dealers stopped offering GAP coverage to those subject to the MLA, even when the loan was under the 36 percent usury cap. Some lenders’ systems were not ready to make all the other MLA disclosures that would be required. The wording of the MLA has been interpreted by some to understand that the MLA does not allow the financing to be secured by the purchased vehicle’s title. This caused further doubts as to lending to covered service members.

In 2019 many banking and vehicle trade groups tried to assist their members in dealing with the Guidance and the loss of exemptions citing reports of actual harm to the service members themselves as they now had limited options for loans and the ancillary products they historically had access to. Several trade organizations wrote and asked for clarity.

Then, in 2020, the DoD withdrew its earlier interpretation and it opened the window for GAP by removing the explicit statement that it voided the exemption.  The question was again re-phrased, now using just the term personal property apparently to include vehicles and other household items with the answer as follows:

  1. Does credit that a creditor extends for the purpose of purchasing personal property, which secures the credit, fall within the exception to “consumer credit” under 32 CFR 232.3(f)(2)(iii) where the creditor simultaneously extends credit in an amount greater than the purchase price?

Answer: No. Section 232.3(f)(1) defines ‘‘consumer credit’’ as credit extended to a covered borrower primarily for personal, family, or household purposes that is subject to a finance charge or payable by written agreement in more than four installments. Section 232.3(f)(2) provides a list of exceptions to subparagraph (f)(1), including an exception for any credit transaction that is expressly intended to finance the purchase of personal property when the credit is secured by the property being purchased. A hybrid purchase money and cash advance loan is not expressly intended to finance the purchase of personal property, because the loan provides additional financing that is unrelated to the purchase. To qualify for the purchase money exception from the definition of consumer credit, a loan must finance only the acquisition of personal property. Any credit transaction that provides purchase money secured financing of personal property along with additional ‘‘cash- out’’ financing is not eligible for the exception under § 232.3(f)(2)(iii) and must comply with the provisions set forth in the MLA regulation.

So if the GAP example was removed, that must mean that financing the GAP product was now allowed, right? Many banks and other lenders jumped on that bandwagon and resumed financing such purchases. In the 2020 announcement what the DoD said was that it was withdrawing its answer because of “unforeseen technical issues” and, “absent additional analysis, (the DoD) takes no position on any of the arguments or assertions advanced as a basis for withdrawing” its 2017 guidance.

The on again, off again and still without clarity roller coaster brings us to today. A 2021 court case decided by the U.S. District Court for the Eastern District of Virginia involves the MLA and GAP. In Davidson v. United Auto Credit, Davidson was a covered borrower under the MLA when he purchased and financed a vehicle with GAP coverage included at a cost of $350. The complaint was that the retail installment contract violated the MLA because it did not disclose the MAPR plus it had other MLA defects.

The trial court ruled that GAP being added to the contract did not void the MLA exemption. The judge said the clear language in the law and regulation did not void the exemption while Davidson argued the 2016 Guidance was not affected by withdrawal of the 2017 revision and that the loan for the vehicle purchase was still subject to the MLA requirements. The judge found Davidson’s argument unpersuasive, stating that the GAP coverage was “inextricably” tied to the purchase of the vehicle.

So far, this is good news for the banks and other lenders. But the case has been appealed to the U.S. Court of Appeals for the Fourth Circuit. In January 2022 the Consumer Finance Protection Bureau (CFPB) filed an amicus brief in favor of Davidson. The CFPB takes the position that when GAP coverage is included in the vehicle’s financing the exemption is voided and the loan requires complete compliance with the MLA. The DoD,  joined in the CFPB’s amicus brief. The DoD said it “strongly concurs” with the CFPB on the issue. Now it is established that the CFPB as well as the DoD do not look favorably to the financing of GAP coverage on vehicle loans.

It is unknown what or when the court will rule. We have seen the CFPB take very proactive consumer protection positions and itself reversing Trump period provisions which were deemed “pro business.” The DoD controls and interprets 32 CFR 232. Many do not believe it would get back on the roller coaster and again revise its guidance, but its position is clear. GAP is not as prevalent, but this case is service member specific. I doubt we would see a retroactive reversal of loans with GAP coverage being impacted but as future plans are considered for loan products, banks with high volumes of loans to service members, with GAP may opt to temper any high sales penetration goals or at least recognize that what the DoD gave, it can take back.

Overdraft fees are not interest

By Andy Zavoina

It was a split decision at the U.S. Court of Appeals for the Tenth Circuit as it ruled on Walker v. BOKF, Nat’l Ass’n, (10th Cir. April 8, 2022). Oklahoma is in the Tenth Circuit. This court affirmed a lower court’s dismissal of a suit claiming that the bank was charging usurious interest on overdrafts.

In this case Walker created an overdraft in his checking account in the amount of $25. The bank paid the item and added to that a fee of $34.50. The bank also charges a daily fee of $6.50 per business day after five days that the account remains in the overdraft. This is disclosed as an “extended overdraft charge.” There were 36 daily overdraft charges accrued before the deposit account reached a positive balance. The original NSF fee plus 36 daily fees total to $268.50.

Walker maintains that these fees equate to interest charged on the original $25 overdraft and that this amount is usurious. BOKF is a national bank. The National Banking Act of 1864 allows a national bank to charge an interest rate no greater than the rate allowed by the state in which the bank is chartered. In the case of Oklahoma this allows a rate of 6 percent. Doing the math, 6 percent per annum on $25 is $.00411 per day which is a lot less than the fee charged by BOKF.

The bank moved for dismissal and the District Court granted that motion. The District Court held that overdraft fees are fees for deposit account services and were not interest and therefore not subject to the National Banking Act or the 6 percent rate allowed by the state. “Back in the day,” paper items were presented and reviewed against deposit balances and manual decisions were made to pay or return an item. There were people involved and hard costs in addition to the opportunity costs of the funds themselves. The process has been automated today but the theory remains the same.

The District Court’s ruling was appealed to the Tenth Circuit Court where there was a dissenting opinion. This argued that the banking regulation was not ambiguous and that overdraft fees do meet the definition of interest. The dissenting opinion maintains that  “When [the Bank] decides to cover a customer’s overdraft, it pays for the item and expects to be paid back. For example, despite [Plaintiff’s] inability to afford the original charge due to insufficient funds, [the Bank] made money available to him by purchasing the item for him. [The Bank] deducted the cost from [Plaintiff’s] account and charged him an overdraft fee, which it also deducted. But the bank expected to be paid back. By covering an overdraft, [the Bank] thus makes a temporary provision of money with the expectation of repayment. In other words, [the Bank] makes a loan.” Others may also see a daily fee as being a time-price differential or a cost for the use of the funds on that daily basis and consider that akin to an interest charge.

The majority of the Tenth Circuit judges did not agree. They affirmed the lower court’s findings based on Interpretive Letter 1082 issued in 2001, in which the OCC maintains that overdraft fees are designed to compensate the bank for “services directly connected with the maintenance of a deposit account,” and “therefore the bank was not creating a ‘debt’ that it then ‘collected’ by recovering the overdraft and the overdraft fee from the account.  Instead, the bank was ‘providing a service to its depositors’ that the accountholder had agreed to pay for.” So, the OCC determined 21 years ago that fees for “deposit account services” (under 12 CFR 7.4002(a)) were not interest and were fees for agreed upon services which were offered, accepted and performed. The majority agreed that IL 1082 was entitled to an “Auer deference” — agency’s interpretation of its own ambiguous regulation is controlling unless plainly erroneous or inconsistent with the regulation — because 12 CFR 7.4001(a) addresses interest and is ambiguous.

April 2022 OBA Legal Briefs

  • Nacha warranties and old unauthorized ACH debits
  • P2P complaints
  • Fair banking

Nacha warranties and old unauthorized ACH debits

By John S. Burnett

Your bank just wrapped up its investigation of a consumer’s Regulation E claim involving a series of unauthorized ACH debits made by a gymnasium. Your customer, Sam, got a notice that the gym was being closed “temporarily” on August 10, 2019, for some major renovation work. He assumed the gym would suspend charging his account for his monthly membership fee, but the regular $39.95 charge showed up on his account on August 26, 2019. So, Sam emailed the gym’s owner/manager on August 27, 2019, to cancel the authorization for the monthly changes  and got an emailed response that no further charges would be made to his account, and the August 26 charge would be credited to his membership for the first month when the gym was allowed to reopen.

For whatever reason, Sam didn’t check his account again until March 10, 2022, when he wasn’t able to withdraw $50 at the bank’s ATM. Those of you who are used to handling Reg E claims know what he found – the gym didn’t stop charging his account, and there was a series of 30 monthly debits from September 25, 2019, through February 25, 2022, that he was not expecting to see.  On March 11, Sam, rightfully embarrassed by his lack of attention to his account, brought copies of his statements (which had been made available to him on the bank’s online banking portal on the last day of each month) into his local bank branch, each with a $39.95 ACH debit from the gym circled in red, along with a copy of his August 27, 2019, email to the gym manager and the manager’s response, and asked what the bank could do about getting his money back.

Your branch manager checked with the bank’s deposit operations manager, who suggested that Sam could get back the January 25 and February 25, 2022, debits quickly if the branch manager got him to complete and sign a Written Statement of Unauthorized Debit (WUSD) on those two transactions, but Operations would need to handle the Reg E claim on the earlier debits. Sam signed two WSUDs while the branch manager was copying the statements Sam had brought in. One WSUD covered the two most recent debits (totaling $79.90), as requested by the operations manager, and the other covered the 28 earlier debits (which totaled $1,118.60).

Sam’s documentation made it easy for Operations to complete a speedy investigation, and they agreed that all 30 of the ACH debits were unauthorized. Then they plugged the dates and amounts into their Regulation E Consumer Liability Calculation spreadsheet and determined that Sam should be reimbursed for the unauthorized transactions that posted to his account on or before November 29, 2019 (60 days after the September 2019 statement was available). That would include the September 25, October 25, and November 25, 2019, debits, for a total of 3 times $39.95, or $119.85. Operations also returned the ACH debits that hit Sam’s account on January 25 and February 25, 2022. Within three business days of filing his claims, Sam received credits of $119.85 and $79.90 to his account, and a couple of days later he got a letter explaining that the bank agreed that all thirty of the disputed debits were unauthorized, the bank had refunded only $119.85 for the first three debits, and Sam was responsible for the rest of them because he had failed to review his account statements and promptly notify the bank of the unauthorized debits. The letter then explained that, because he had provided the WSUD covering the two transactions that were less than 60 days old, the bank had been able to return them, and had credited him with $79.90. That leaves Sam with a loss of $998.75 due to his lack of attention to his account.

Using Nacha’s authorization warranty to recover more

The operations manager had done some further research and discovered that Nacha rules include a warranty of authorization that’s given by the Originating Depository Financial Institution (ODFI) in favor of the Receiving Depository Financial Institution (RDFI). That warranty covers two periods for consumer accounts — (11) the first 95 days from the settlement date of the first unauthorized entry to the consumer’s account (which generally corresponds to the period of time the RDFI would be responsible for unauthorized entries under Regulation E § 1005.6(b)(3)); and (2) after the first 95 days but with settlement dates less than two years old. [For non-consumer accounts, the Nacha warranty covers entries with Settlement Dates no more than one year old.]

Buoyed by what she found, the operations manager checked with the bank’s legal department, which suggested she:

  1. Identify the ODFI and its head office address.
  2. Compose a letter stating a claim for breach of warranties under section 2.4.1.1 of Nacha Rules (Warranty that the entry is authorized by the Originator and Receiver) with respect to the unauthorized entries on September 25, 2019, and during the 95 days following that date (that would include the transactions through December 29, 2019), and the entries with Settlement Dates later than two years ago but before January 1, 2022 (the two entries occurring later than January 1, 2022, had been returned).
  3. Include a schedule of the posting dates and amounts of the entries covered by the claim.
  4. Include a statement in the claim letter that the Receiver (Sam, your customer) revoked the authorization and the Originator had acknowledged and accepted that revocation on August 27, 2019.
  5. Include copies of the August 27, 2019, emails between Sam and the gym owner/manager.

She completed the claim letter and faxed it to the ODFI on March 24, 2022.

What happens next depends on how the ODFI treats the warranty claim. This is, of course, a contrived story designed to illustrate the fact that the ability to make an “extended return” of an unauthorized ACH debit up to 60 days after its Settlement Date is not the “last resort” attempt at recovering funds for the bank or its depositor. Nacha Rules warranty provisions provide this additional tool. In fact, Nacha has a handy tool to explain its warranty at https://www.nacha.org/content/warranty-claims-tool

Let’s suppose the ODFI honors the claim and sends full payment for 4 unauthorized debits during the 95-day period (9/25/19 through 12/29/19) and 22 debits covered under the two-year period (3/24/20 through 3/24/22, but the January and February 25, 2022, debits aren’t part of the claim because they had been successfully returned earlier). What should the operations manager do with the $1,038.70 check?

The RDFI gets reimbursed for the three early debits that it had to return to Sam. And, because the RDFI can’t profit from the warranty claim, it credits the remaining $918.85 to Sam’s account, which covers most of his loss. He’s still out $79.90 for the January and February 2020 debits, which fall into the gap between the two Nacha warranty periods.

Of course, not every ODFI would honor such a claim. If the claim is denied, the RDFI can file a rules violation case with Nacha or press the claim in a civil court suit after weighing the cost/benefit of such a course. In our contrived example, however, the ODFI reviewed a strong claim that the debits were clearly unauthorized and decided not to fight it.

P2P complaints

By Andy Zavoina

In December 2021, the Consumer Financial Protection Bureau released an updated Compliance Aid for Reg. E, in the form of FAQs. We wrote about the FAQs extensively this last January and February. Central to these FAQs were P2P, or Peer-to-Peer payment programs from companies like Venmo, Zelle and Cash App. About a week after the updated FAQs were released 33 state attorneys general wrote to CFPB Director Rohit Chopra wanting stronger safeguards for consumers using these P2P apps. Oklahoma’s Attorney General was not on the letter.

It is estimated that in 2023 more than $1 trillion in transactions will happen using these apps. Usage has increased during the pandemic and the public seems to have accepted these programs for many uses. Some people see them as an extension of their bank accounts and it makes it easy to split a dinner bill, pay for a Pampered Chef order or pay a vendor for services rendered.

But when a transaction goes south, whom do they call? It could be your bank, who will refer them to the P2P vendor for customer service. With the updated FAQs we now know that the concerns of the attorneys general were partially answered in the FAQs as the CFPB opined that in many cases banks will have to shoulder the burden of handling claims, however. We covered that in January and February but as a short recap, if a bank has an agreement with a P2P vendor handling transactions the bank cannot deflect a claim for unauthorized use to the vendor. The CFPB opined that if the bank and P2P vendor share a credit card agreement such as both accept Visa or Mastercard, that constitutes “an agreement.”

Aside from banks now shouldering the claims burden, the letter to the CFPB complained that the P2P vendors have poor customer service. It was noted that reaching an actual person was difficult and usually included long hold times. It was also difficult to email or use a chat program to work out problems. Consumers found an inability to use their funds at times without warning when the P2P vendor held them. Restricted use could include paychecks from an employer or government benefits. Likely many of these people were unbanked and using the P2P service for banking. Lastly there were scammers stealing funds with various ruses. “Grandma, I was in an accident. I’m OK but we came to Mexico on spring break. Mom and dad can’t know, but I need $500 to get out of this jam,” is an example.

The CFPB’s mission is to protect consumers. Certainly, after reading about the three common complaints from consumers cited by the attorneys general, you will agree that banks strive not to have such issues and perform better than the P2P vendors. It was noted in the letter to the CFPB that the unbanked were often the more damaged consumers. Regardless, the claims problem has largely been handed to banks and that may be viewed a spart of the solution to the problem.

Some takeaways include banking the unbanked when they are qualified to have a bank account. While banks do not typically have rigorous qualification criteria for deposit accounts, some of these consumers may have burned their bridges with banks with charge-offs or poorly handled accounts. Still, there are some good consumer relationships out there that banks can market to and experience a win-win relationship with. These new and existing customers need to be reminded of security issues. We’ve expanded on some BBB tips for using a P2P payment app safely:

  • Only use it with someone you know and trust. Consider sending a test transfer of say $1 before sending the other $99 for that purchase. Scammers do this to see if an account is good and our customers can learn from this.
  • Take your time entering payment information and double-check it before hitting send. It is usually possible to talk to a person and get the instructions as the data is being entered.
  • Enable security settings and other measures offered by the app, including multifactor authentication that requires another form of verification besides just a username and password. And use a unique password.
  • Remember that public Wi-Fi at places like coffee shops or libraries may not be secure for use in conducting financial transactions.
  • Be wary of any business that only accepts P2P payment apps.
  • When using a mobile device like a smartphone or tablet, lock the device when not in use and do not lend the device to someone to make a call who may then be able to access a P2P app and conduct any transfer using the owners account.
  • When any device, be it a smartphone, tablet, game console or similar device has financial data stored on it, wipe the device before it is sold, donated or otherwise repurposed.

These tips need to be given repeatedly to bank customers just as they should be routinely reminded not to write a PIN on their debit card. Drive the point home. The dollars saved may be the bank’s money.

The last item here is a deliverable to bank management. Whoever is best suited to review Reg E claims for the last year or two should analyze the claims, both approved and denied (including those referred to a P2P vendor). Use this information to estimate what increase the bank may see based on the CFPB’s FAQs and the placement of responsibility on the bank for many of the P2P claims you would not have paid in the past. Management should be aware if this will be substantial. Some banks have reported seeing a significant increase and we can now assume that the pressure is on for banks to make up for these vendors’ shortcomings.

Any time bank management has the ear of a legislative influencer, it may be worth asking why, based on the above, Reg E cannot require the P2P vendors to be responsible for claims they are involved in. It is that vendor who has all the transaction information pertinent to a claim and who profited from the transaction, not your bank. And that vendor doesn’t even have to assist in any investigation. The CFPB should have the ability to police those vendors, not to shift the vendors’ responsibilities to banks.

Fair banking

By Andy Zavoina

In March, the CFPB announced it would be targeting unfair discrimination in consumer finance. “Consumer finance” seems like a broad term and it is. It takes in all types of consumer financial products, not just those involving credit. Banks will certainly be included in the Bureau’s reach, as we have the lion’s share of deposit accounts, and it is important to recognize how these changes will apply.

For years we have been asked questions related to deposit accounts. A customer complained and said the bank was discriminating based on race or gender but only had a savings account, or Marketing was asking if ads for new checking accounts needed to have the same pictorial diversification as home loan ads, showing both men and women and with various racial characteristics. Often the safe answer was “there is no fair lending equivalent for deposits.” While that is true, I and others have argued for years that “fair banking” should always be considered, and I believe most banks do keep that in mind. But under the heading of “what gets checked, gets done” this fair banking procedure will be going to a much higher level.

What the CFPB said was, “In the course of examining banks’ and other companies’ compliance with consumer protection rules, the CFPB will scrutinize discriminatory conduct that violates the federal prohibition against unfair practices. The CFPB will closely examine financial institutions’ decision-making in advertising, pricing, and other areas to ensure that companies are appropriately testing for and eliminating illegal discrimination.”

Note what that statement said — the CFPB will examine for discriminatory conduct, as this would be an unfair practice. Unfair is the “U” in UDAAP — Unfair, Deceptive or Abusive Acts or Practices. We have seen large UDAAP penalties, and because there is no statute of limitations, we have seen enforcement orders that went back for many years. While we often associate UDAAP enforcement actions with the CFPB, the prudential agencies still enforce UDAP as was the case in 2021 when the FDIC penalized Umpqua Bank. The FDIC determined that Umpqua Bank engaged in Section 5 violations (that’s UDAP in the FTC Act) related to collection practices involving commercial equipment financing through its wholly owned subsidiary, Financial Pacific Leasing, Inc. (FinPac).  The FDIC determined that FinPac’s collection fee practices were unfair and deceptive.  Specifically, FinPac charged various undisclosed collection fees to 17,000 borrowers whose accounts were past due, such as collection call and letter fees and third-party collection fees. So, the bank was fined for what its subsidiary was doing and paid restitution of $1.7 million and a civil money penalty of $1.8 million. (FDIC-20-0156k)

From July to October 2020 there were nine separate advertising enforcement actions against mortgage lenders totaling $4.446 million. Triggering terms were missed, ads were poorly arranged which made them misleading and in some cases the numbers were just wrong, or payments quoted were not obtainable.  There were also instances of products being offered which were not being made at the time they were advertised.

While UDAAP and UDAP can bring a high dollar penalty and restitution amounts, this is in part based on how many consumers were disadvantaged and to what dollar amounts. As an example, a 2018 enforcement action included Community Trust Bank, Inc. of Pikesville, Kentucky, as it was hit with a UDAP penalty. Key points in this Federal Reserve enforcement action are that the bank would pay at least $4.75 million in penalties and restitution. The penalty arises from add-on products of a minimal cost, but it reached back to 1994. That was 24 years prior to the action taken. If there is a product and it has a UDAAP/UDAP defect since inception, the next question is when did it launch? From that date forward consumers with that product were harmed and compensation must be paid to the consumer harmed, reimbursements for unfair charges, and civil money penalties to the agency.

We have seen UDAAP used as an enforcement tool on other regulatory requirements such as Reg E where disclosures were made but additional requirements imposed, like requiring a police report to file a claim. Banks are not permitted to add requirements like that and UDAAP has more severe consequences that Reg E itself, so it became the enforcement tool of choice.

(1) CFPB Director Rohit Chopra stated, “When a person is denied access to a bank account because of their religion or race, this is unambiguously unfair,” and “We will be expanding our anti-discrimination efforts to combat discriminatory practices across the board in consumer finance.” So, no time limit and high dollar penalty amounts are associated with UDAAP actions. With this announcement of discriminatory practices on non-loan issues the CFPB released its revised UDAAP section of its exam manual. [https://files.consumerfinance.gov/f/documents/cfpb_unfair-deceptive-abusive-acts-practices-udaaps_procedures.pdf]

The Equal Credit Opportunity Act (ECOA) and its implementing Regulation B, along with the Fair Housing Act and data gathering requirements under the OCC’s Fair Housing Home Loan Data System and the Home Mortgage Disclosure Act have long been bundled together as anti-discrimination requirements for general loan and home mortgage loans. The revisions to the UDAAP examination manual coupled with a definitive tying of “unfair” to any discrimination, even involving non-loan related products and services, adds an enforcement tool.

The March 2022 Legal Briefs looked at UDAAP in some detail. That was published before this action by the CFPB. We refer you back to that edition for the details, but here I will point out that under the section of some act or practice “causing substantial harm” to a consumer, we find in the exam procedures that this, “may result from discriminatory behavior.”

Discrimination or discriminatory behavior is referenced 25 times in this 19-page document. It is used as an example under collections activities, under the section where a consumer cannot avoid an injury, such as a discriminatory practice, and elsewhere. With a discriminatory practice being unfair, both unintentional discriminatory practices and practices that fall outside  the scope of ECOA now meet the test for being unfair. So, there is a longer reach. It also notes that what is discriminatory may be unfair, violating UDAAP, and at the same time violate other laws such as ECOA. Remember the CFPB does not have to pick one or the other of these laws to use for enforcement action, it can compound them and cite both as each is being violated if you have a loan or home mortgage product.

The revised UDAAP section states, “A discriminatory act or practice is not shielded from the possibility of being unfair, deceptive or abusive even when fair lending laws do not apply to the conduct. For example, not allowing African-American consumers to open deposit accounts or subjecting African-American consumers to different requirements to open deposit accounts, may be an unfair practice even in those instances when ECOA does not apply to this type of transaction.” This brings us to a new awareness level of UDAAP.

When Compliance or Legal has been involved in the development or revision of a product or service, UDAAP and risks have been examined from many perspectives. Traditionally ECOA and Reg B were included in a mindset when a loan was mentioned — Who does it appeal to? Where will it be offered? How will it be advertised? — and the focus was on marital status, race, gender, gender identification and similar topics. Those demographics were considered for loans while deposit products and services would have considered different demographics, potential deposit product appeal based on income, balances on deposit, services required to support the deposit relationship, etc. Now the latter requires the same mindset, or perspective if you will, as the loan discussions.

When reviewing loan products, the bank has demographic information for its lending area and on its home mortgages. The bank can easily review HMDA and other data points to determine if there are any disparities in where applications are coming from, for homes in certain areas, from applicants based on gender, race, marital status and other key categories. This is not as easy when the bank wants to know if there are any discriminatory concerns on auto loans, unsecured loans or other products which exclude the gathering of any demographics.

If the bank wants to generate a fair lending or fair banking analysis it will have to use a proxy for that information that it does not specifically have. This is not a new technique, but it may be one the bank wants to employ against various loan and deposit products as well as complaints. Here is an excerpt from a 2013 CFPB blog post on the topic.

Let’s say a responsible auto lender wanted to make sure that their female customers are not paying more for a loan than similarly situated men. Before analyzing the pricing patterns, the lender needs to calculate the likelihood that a borrower is male or female. Without actually recording the gender of each borrower, to substitute, or “proxy,” for gender, responsible lenders often rely on a first name database  from the Social Security Administration. The public database contains counts of individuals by gender and birth year for first names occurring at least five times for a particular gender in a birth year. Using statistics, they can determine a probability that a particular applicant is male or female based on the distribution of the population across gender categories for the applicant’s first name. [https://www.consumerfinance.gov/about-us/blog/preventing-illegal-discrimination-in-auto-lending/]

The above cites a first name database that should be available at minimal or no cost. There may well be others or established programs available complete with databases for various checks and verifications. The CFPB published a 37-page booklet in 2014, “Using publicly available information to proxy for unidentified race and ethnicity – A methodology and assessment” [https://files.consumerfinance.gov/f/201409_cfpb_report_proxy-methodology.pdf] which may also help control costs while accomplishing a large project.

The CFPB has used this methodology many times in the past on the files it has from banks and consumers. If the bank can extract certain field from its CIF files, once that process is established many different products and services could be analyzed. Having multiple uses for the one-time costs of establishing the program can prove beneficial. The results of this analysis may prove useful for fair lending, fair banking and have a positive impact on the Community Reinvestment Act file and exams as well. The methodology should be well documented and proven for accuracy.

Naturally if there are shortcomings the bank would need a strategy to correct them. Any corrective actions would be based on the specific product or service and the results of the bank’s analysis. This could be any solution from adjusting marketing media, to community outreach, to a branch or mobile branch serving an under-banked area. Similar to some fair lending strategies, the bank may also consider using bank counsel to facilitate some of this analysis for confidentiality and discovery reasons. That is obviously at the bank’s discretion. It may also be something to only explore at this point and to commit to as fair banking issues develop and mature within regulatory agencies and the industry. It should be worth exploring at this point to know what the time and cost requirements would be, and how it might integrate with future expansion and strategic plans of the bank.

Your bank may not have the CFPB examining it. But as a lead agency, and with other agency’s following it, this is something all banks should prepare for.  The CFPB manual has redefined “unfair acts or practices” and this is the mindset banks should begin adopting across the board.

Borrowing from UDAAP, one element of an unfair act or practice is whether a consumer is “reasonably able to avoid the injury. “ As noted above, this includes examples that the “consumer cannot reasonably avoid discrimination” and “typically cannot avoid the harms of discrimination.” Expect that as the CFPB expands its scope of exams that it will find and address cases of “unfairness” when it feels a consumer was harmed, or could be harmed by such a practice, product or service. Think outside the loan box. Examiners have new marching orders, and your bank should also, to ensure that:

  • The bank has a process to prevent discrimination in relation to all aspects of consumer products or services it offers. Evaluate all policies, procedures and processes for discrimination prior to implementation or making changes and continue monitoring for discrimination after implementation.
  • The bank’s compliance management program includes an established process for periodic analysis and monitoring of all decision-making processes used in connection with consumer products or services and a process to take corrective action to address any potential UDAAP concerns including discrimination.
  • The bank has established policies and procedures to review, test, and monitor any decision-making processes used for potential UDAAP concerns, including discrimination.
  • The bank has established policies and procedures to mitigate potential UDAAP concerns, including discrimination.
  • The bank’s policies, procedures and practices do not target or exclude consumers from products and services, or offer different terms and conditions, in any discriminatory way.
  • The bank has appropriate training for customer service personnel to prevent all forms of illegal discrimination.

Banks should be proactive in internal audits and test, as examiners will, to:

  • Evaluate any product targeted to particular demographics to ensure the marketing, disclosures, and other materials are designed for the target market and will be understood by that market. Appropriateness of the product or service to a consumer is a key.
  • Ensure there is equal treatment among qualified consumers as to terms and conditions of products and services offered without bias based on demographics.
  • Avoid offering or provide more products or services to one customer demographic as compared to another.
  • Customer service representatives should treat all customers the same meaning they provide the same level of assistance and service to all. In the past, paired testing used for loan discrimination cases included criticisms when one applicant was offered beverages while another was not.
  • Review all targeted advertising for potential discrimination.
  • Determine whether the bank uses any decision-making processes to determine eligibility, underwriting, pricing, servicing or collection actions which could result in illegal discrimination.
  • See whether the bank periodically evaluates for, and takes corrective actions to prevent, illegal discrimination.

 

 

March 2022 OBA Legal Briefs

  • The Beneficial Ownership Rule hasn’t gone away
  • UDA(A)P is becoming all the rage!

The Beneficial Ownership Rule hasn’t gone away

By John S. Burnett

The Corporate Transparency Act of 2021 (CTA) was enacted by Congress on January 1, 2021, as Title XIV of the William M. Thornberry National Defense Authorization Act for 2021, Public Law 116-283. It added a new section 31 U.S.C. 5336 to the Bank Secrecy Act.

The CTA requires that most private domestic U.S. entities formed on or after January 1, 2021, must self-report to FinCEN certain basic information about themselves, their beneficial owners and those individuals authorized to act on their behalf. The stated purpose of the CTA is to “discourage the use of shell corporations as a tool to disguise and move illicit funds” as part of the broader federal attempts to prevent and combat money laundering, tax fraud and terrorist financing.

The CTA requires FinCEN to promulgate regulations implementing the Act. No entity reporting to FinCEN can start until the final implementing regulations are issued and effective, and the structure for that reporting (presumably an online portal and a huge database) is completed.

What’s been completed so far?

FinCEN has begun the process of promulgating the regulations. In fact, FinCEN appears to be moving on the CTA requirements fairly quickly.

On April 1, 2021, FinCEN issued an Advance Notice of Proposed Rulemaking— a form of “heads up” that it was working on the rules and an invitation for stakeholders to offer suggestions and comments on the process.

On December 8, 2021, FinCEN published its proposed rules in the Federal Register [86 FR 69920], with a comment period ending February 7, 2022. There were 250 public comments submitted through Regulations.gov. We don’t know how many comments were sent directly to FinCEN itself.

As of this writing (early March 2022) no final regulation has been issued.

The CTA and financial institutions

Financial institutions have been required since May 11, 2018, to comply with 31 CFR 1010.230 (Beneficial ownership requirements for legal entity customers). The CTA has not changed that fact, and the regulations are still in effect.

It is true that the CTA was enacted with the intent to shift some of the burdens of gathering beneficial ownership information away from financial institutions and make it a government responsibility. It is also true that at some future time — FinCEN has unofficially suggested it will be a year or more after implementation of its final CTA beneficial ownership regulations — there will be a change for financial institutions, which will probably begin verifying entity ownership information against the CTA database, rather than gathering certifications of ownership information repeatedly during the existence of entity customer relationships.

To get to that time, FinCEN will first need to set up a secure and confidential portal through which financial institutions can make those verifications. How that will be done, or what information they will be required to verify, and what will happen if they are not able to successfully verify the information, has yet to be determined.

And yet, we have heard that bank examiners have identified financial institutions that totally misinterpreted — was this wishful thinking? — what FinCEN has so far done as a license to discontinue obtaining beneficial ownership certifications and stopped obtaining them around the time FinCEN announced the December 2021 proposed rule. If it is true that examiners have found financial institutions that made such an error, I can only imagine the sinking feeling the management, BSA officer or compliance officer at those institutions must have had when confronted with their error.

What to do about it

I sincerely hope your institution was not one of those making that mistake. But if it is, it is fortunate that only about three months have passed since the FinCEN proposed rule was published (in December 2021). If that’s when your institution stopped complying with § 1010.230, you can limit the damage by doing a look-back to identify each of the occasions on which you should have obtained beneficial ownership certification (or certification that information you were provided earlier was still correct) and start communicating with the entity customers involved to get those missing certifications.

If, instead, your institution made the wrong decision back in April 2021 when the advance notice of proposed rulemaking was published, you have a bit more digging to do — almost a year’s worth of account openings, renewals, etc.

Don’t assume that, once FinCEN finally eliminates § 1010.230 (remember there will be a different rule replacing it that you will have to follow), it will not matter that your institution jumped too soon to stop complying with § 1010.230. It will matter, so don’t postpone your remedial action to collect those missing certifications.

 

UDA(A)P is becoming all the rage!

By Andy Zavoina

I was recently reviewing enforcement actions published over approximately the last 18 months and saw what I believe is a trend not too many bankers are talking about. As an example, on a mortgage servicing topic the Consumer Finance Protection Bureau (CFPB) used the phrase, “…identified various Regulation Z and Regulation X violations, as well as unfair and deceptive acts or practices.” As past due fees were charged it was noted, “Examiners found that mortgage servicers engaged in unfair acts or practices…” and “Examiners found that lenders engaged in unfair acts or practices when they debited or attempted one or more additional, identical, unauthorized debits from consumers’ bank accounts after consumers called to authorize a loan payment by debit card and lenders’ systems erroneously indicated the transactions did not process.” In this article we will examine in more detail some of these violations that were made public. Like an iceberg, we know there is much more to it that we can not see, and we are not certain how much is there. But we do know we don’t want to run into it ourselves.

First, let’s cover some of the rules involving Unfair, Deceptive, or Abusive Acts or Practices so we can understand how broadly they can be applied in different scenarios.

UDAAP penalties can go up to $5,000 per day and if they are deemed “reckless” violations they could be $25,000 per day. Yes, it gets worse. Knowingly violating UDAAP can run a penalty of $1 million a day. Do we expect to see these maximum penalties? That would be a “no.” But the penalties can be severe. Consider that there are civil money penalties for the violations, and we have seen these go back for years and years.

Say a bank creates an add-on product to a deposit account. This product requires the customer to enroll with the bank and provide some affirmation such as that they are in good health, and they need to sign and return this form. But they fail to do this for one reason or another. The bank was diligent however, in charging the customer each month for a service that was never provided and technically could not be. That is a UDAAP violation. It may violate another law or regulation as well, and that law or regulation may also be referenced, but UDAAP has big teeth as we already mentioned the fines available. Because there seems to be no statute of limitations, UDAAP penalties at only hundreds of dollars a month add up quickly when a problem goes back 5 or 10 years.

“Seems outlandish, never going to happen,” you might say. Consider the penalty assessed against First Tennessee Bank by the Office of the Comptroller of the Currency (OCC). The bank sold an add-on product which required two things from the customer. They needed to enroll, and they needed to provide personal verification information. With this service, they would have credit monitoring services. Customers who failed to provide the verification information for whatever reason were charged a monthly fee for a service that was not performed for them. This penalty was in 2016, and the product was launched in 2000. The bank needed to look at 16 years of records. The bank paid a $1 million civil money penalty.

But UDAAP does not stop there. The CFPB can require that agreements be amended or terminated, that customers are refunded for charges that were improper, that restitution be ordered so that the bank understands the severity of the penalty, that profits from the act in question are surrendered and that the government be repaid for the time and effort put into the case. This is all on top of the work spent trying to review 16 years of files and responding to every customer and former customer who claims to have had that product and wants a refund.

There are some basic things that are considered a UDAP issue (one “A,” which omits “Abusive” which was added by the Dodd-Frank Act and is an addition the CFPB enforces) while prudential regulators still look at the Federal Trade Commission Act Section 5 rules for Unfair or Deceptive Acts or Practices. Some basic issues blatantly considered UDAP include prohibited provisions in agreements:

  1.  a confession-of-judgment;
  2.  a waiver of exemption in which the consumer relinquishes rights protecting their home and other necessities from seizure to satisfy a judgment,
  3. a n assignment of wages; and
  4.  the taking of household goods as loan collateral.

Also prohibited is the pyramiding of late fees. If you are not familiar with that concept, assume a borrower is late on a loan payment. They send the exact payment, and the bank applies it by first taking the late fee owed, then interest due and the remainder to principal. But the principal payment is short because of the late fee, so another late fee is accrued. And when the exact scheduled payment is made on time the following month, another late fee is paid and so on. That is pyramiding. I’m sure it doesn’t happen in your bank because automated routines control how payments are applied and interest and principal are always collected first, then fees.

But consider a case discussed more below where the borrower rounded up their payment. The extra principal was simply deposited to escrow. That is an improper application and has a similar impact as late fee pyramiding. The bank has certain remedies it can follow and compliance and/or audit needs to ensure the proper actions are taken.

Lastly, UDAP addresses the Holder in Due Course rule which involves the buying and selling of credit contracts and specifically also prohibits a bank from misrepresenting a co-signer’s liability and requires the bank to give a co-signer, prior to becoming obligated in a consumer credit transaction, a disclosure notice which explains the nature of the co-signer’s obligations and liabilities under the contract.

As already noted, it was the Dodd-Frank Act which empowered the CFPB to prevent unfair, deceptive, or abusive acts or practices. The other agencies enforce the FTC Act, Section 5. Rest assured for all intents and purposes they are similar as it pertains to the ability to right a perceived wrong.

The CFPB has definitions bankers must be familiar with to navigate compliance with UDAP and UDAAP. These are definitions that must be applied broadly when the bank is designing a new product, service, or policy.

Unfair: a practice that is “unfair” is one that:

a)  Causes or is likely to cause substantial injury to consumers;

(Substantial injury usually involves monetary harm. Monetary harm includes, for example, costs or fees paid by consumers as a result of an unfair practice. An act or practice that causes a small amount of harm to a large number of people may be deemed to cause substantial injury.

Actual injury is not required in every case. A significant risk of concrete harm is also sufficient. However, trivial or merely speculative harms are typically insufficient for a finding of substantial injury. Emotional impact and other more subjective types of harm also will not ordinarily amount to substantial injury. Nevertheless, in certain circumstances, such as unreasonable debt collection harassment, emotional impacts may amount to or contribute to substantial injury.)

b)  The injury is not reasonably avoidable by consumers;

An act or practice is not considered unfair if consumers may reasonably avoid injury. Consumers cannot reasonably avoid injury if the act or practice interferes with their ability to effectively make decisions or to take action to avoid injury. Normally the marketplace is self-correcting; it is governed by consumer choice and the ability of individual consumers to make their own private decisions without regulatory intervention. If material information about a product, such as pricing, is modified after, or withheld until after, the consumer has committed to purchasing the product, however, the consumer cannot reasonably avoid the injury. Moreover, consumers cannot avoid injury if they are coerced into purchasing unwanted products or services or if a transaction occurs without their knowledge or consent.

A key question is not whether a consumer could have made a better choice. Rather, the question is whether an act or practice hinders a consumer’s decision-making. For example, not having access to important information could prevent consumers from comparing available alternatives, choosing those that are most desirable to them, and avoiding those that are inadequate or unsatisfactory. In addition, if almost all market participants engage in a practice, a consumer’s incentive to search elsewhere for better terms is reduced, and the practice may not be reasonably avoidable.

The actions that a consumer is expected to take to avoid injury must be reasonable. While a consumer might avoid harm by hiring independent experts to test products in advance or by bringing legal claims for damages in every case of harm, these actions generally would be too expensive to be practical for individual consumers and, therefore, are not reasonable.

and,

c) The injury is not outweighed by countervailing benefits to consumers or to competition.

To be unfair, the act or practice must be injurious in its net effects — that is, the injury must not be outweighed by any offsetting consumer or competitive benefits that also are produced by the act or practice. Offsetting consumer or competitive benefits of an act or practice may include lower prices to the consumer or a wider availability of products and services resulting from competition.

Costs that would be incurred for measures to prevent the injury also are taken into account in determining whether an act or practice is unfair. These costs may include the costs to the institution in taking preventive measures and the costs to society as a whole of any increased burden and similar matters.

In determining whether an act or practice is unfair, the CFPB may consider established public policies as evidence to be considered with all other evidence. Such public policy considerations may not serve as a primary basis for such determination.

UDAP’s unfairness prong applies not only to overt acts and practices, but also to those that unreasonably impair a consumer’s ability to make an informed decision, such as withholding material information until after a consumer has purchased a product.  But a bevy of UDAP case law creates nuances. For instance, “substantial injury” can be monetary or reputation harm, but there must be a significant risk of concrete harm rather than a speculation that harm might occur. An act is not  considered unfair if its benefits outweigh any injuries caused. Some  examples of benefits include lower prices or the availability of products  and services to a wider range of consumers.

A representation, omission, act or practice is deceptive when—

  • The representation, omission, act, or practice misleads or is likely to mislead the consumer;
  • The consumer’s interpretation of the representation, omission, act, or practice is reasonable under the circumstances; and
  • The misleading representation, omission, act, or practice is material. This applies when it misleads or is likely to mislead the consumer.

Written disclosures may be insufficient to correct a misleading statement or representation, particularly where the consumer is directed away from qualifying limitations in the text or is counseled that reading the disclosures is unnecessary. Likewise, oral or fine print disclosures or contract disclosures may be insufficient to cure a misleading headline or a prominent written representation. Similarly, a deceptive act or practice may not be cured by subsequent truthful disclosures.

Acts or practices that may be deceptive include making misleading cost or price claims; offering to provide a product or service that is not in fact available; using bait-and-switch techniques; omitting material limitations or conditions from an offer; or failing to provide the promised services.

The FTC’s “four Ps” test can assist in the evaluation of whether a representation, omission, act, or practice is likely to mislead:

  • Is the statement prominent enough for the consumer to notice?
  • Is the information presented in an easy-to-understand format that does not contradict other information in the package and at a time when the consumer’s attention is not distracted elsewhere?
  • Is the placement of the information in a location where consumers can be expected to look or hear?
  • Finally, is the information in close proximity to the claim it qualifies?

A representation may be deceptive if the majority of consumers in the target class do not share the consumer’s interpretation, so long as a significant minority of such consumers is misled.

Exaggerated claims or “puffery” are not deceptive if a reasonable consumer would not take the claims seriously.

A representation, omission, act, or practice is material if it is likely to affect a consumer’s choice of, or conduct regarding, the product or service. Information that is important to consumers is material.

Certain categories of information are presumed to be material such as costs, benefits, or restrictions on the use or availability.

Express claims made with respect to a financial product or service are presumed material. Implied claims are presumed to be material when evidence shows that the institution intended to make the claim (even though intent to deceive is not necessary for deception to exist).

Claims made with knowledge that they are false are presumed to be material. Omissions will be presumed to be material when the financial institution knew or should have known that the consumer needed the omitted information to evaluate the product or service.

If a representation or claim is not presumed to be material, it still would be considered material if there is evidence that it is likely to be considered important by consumers.

The Dodd-Frank Act makes it unlawful for any covered person or service provider to engage in an “abusive act or practice.”  This is an act or practice which—

  1. materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service; or
  2. takes unreasonable advantage of—

a) a lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service;

b) the inability of the consumer to protect the interests of the consumer in selecting or using a consumer financial product or service; or

c) the reasonable reliance by the consumer on a covered person to act in the interests of the consumer.

Combined, this definition of “abusive” indicates terms, disclosures and advertisements for products need to be clear and easily understood without reliance on micro-font footnotes or other disclosures that may be “legalese” or have “hidden” terms. It also tells us that the more complex a product or service is, the more it may need to be explained and this will also depend on the market it is provided for. Lastly it says the bank has to act in the best interest of the consumer. It will not be enough to say, “we made the full disclosure, so we are covered for liability.”

Consumer complaints play a key role in the detection of unfair, deceptive, or abusive practices. As a general matter, consumer complaints can indicate weaknesses in elements of the institution’s compliance management system, such as training, internal controls, or monitoring. Complaints against subsidiaries, affiliates and third parties which pertain to your institution and its products and services are included in this analysis. While the absence of complaints does not ensure that unfair, deceptive, or abusive practices are not occurring, complaints may be one indication.

Now let’s examine some recent penalties and while I will use one specific example, as you read this and contemplate the issues, think broadly. As an example, this first penalty involves a credit card product. Do not discount it because it is a credit card, and your bank may not offer them but pay attention to it because it is about the advertising of the product, the training of staff, and the failure to deliver what was advertised.

The advertisement was targeted to sell new credit card accounts. Both existing customers and new ones were the target market. The intent was to have them qualify for the new card and then to meet prescribed spending requirements to qualify for a bonus. The plain terms on the face of the advertisement stated what was required as to the spending threshold. The bonus was central to the advertisement.  Remembering the criteria for UDAAP compliance, in this case a consumer could reasonably conclude that if they qualified for the new card and met the spending limit, they would receive the bonus.

The issuers of the product failed to state that the bonus would be offered only to consumers who applied online. This made the advertisements misleading as they were incomplete. Staff were not correctly trained on how to program these accounts, which further lead to bonuses not being paid. And because not all consumers would qualify for the bonus because of how they applied, the ads were deceptive. This is like many of the UDAAP enforcement actions taken on add-on products. That is poor marketing, poor training and charging fees without ensuring that all the qualifications were disclosed, programmed, and understood by both staff and the consumer.

A second case examines debt collection and the Fair Debt Collections Practices Act (FDCPA). Do not skip this section because you do not believe that the FDCPA does not apply to your bank because you collect your own debts. I believe the CFPB could connect the FDCPA to UDAAP dots in this manner. The FDCPA states in many places that certain acts or practices can be unfair or deceptive. As an unfair or deceptive act, UDAAP can then apply and using this proxy, UDAAP is violated while collection one’s own debt because of how it was done. I have not yet seen this in practice, but is it worth testing the action? I would not.

The FDCPA prohibits the use of any false representation or deceptive means to collect or attempt to collect any debt.   What examiners found was debt collectors proposing an alternate payment plan with past due borrowers. It was noted the new payment plan, when repaid, would improve the borrower’s credit because they paid the revised plan and extinguished the debt. That has to be better and lead to an improved credit rating, right? But there are many factors affecting creditworthiness and a person’s credit score, including repayment of the debt.  Saying that paying just this loan would improve their credit score and lead to increased borrowing power could be misleading.  Examiners found that the least sophisticated consumer could conclude from this discussion was that deleting derogatory information by paying this loan would result in improved creditworthiness, and this created the risk of a false representation and was a deceptive means to collect the debt. This is then defined as a UDAAP issue. You may not be subject to the FDCPA, but you are to UDAP and UDAAP.

Mortgage servicing is a hot issue as many borrowers are exiting pandemic protection forbearance plans on their home loans and may be ill equipped to resume payments. Mortgage servicing exams have identified various Reg Z and X violations, as well as UDAP problems. Remember UDAAP is brought up when a product or service: (1)  causes or is likely to cause substantial injury; (2) the injury is not reasonably avoidable by consumers; and (3) the substantial injury is not outweighed by countervailing benefits to consumers or to competition.

Examiners found that mortgage servicers engaged in the following unfair acts or practices by:

  • charging delinquency-related fees to borrowers in CARES Act forbearance plans. (Refer to the Coronavirus Aid, Relief, and Economic Security Act, Section 4022(b)(3) prohibits a mortgage servicer from imposing fees, penalties, or interest beyond the amounts scheduled or calculated as if the borrower made all contractual payments on time and in full under the terms of the mortgage contract);
  • failing to stop electronic fund transfers after receiving notice that the consumer’s bank account was closed, and an NSF fee had been assessed; and
  • assessing fees for services that exceeded the actual cost of the services performed.

Read this and look for those UDAAP buzzwords. The CFPB report said that consumers experienced substantial injury in the form of illegal fees, which were considered significant because these are the consumers experiencing hardships from the pandemic.  The mortgage servicers failed to refund some of the fees until almost a year after they were assessed.  These consumers  likely suffered further harm when because of these fees, they could not pay other expenses they had.  The injury was to a large number of consumers.  The consumers could not reasonably avoid the injury because they could not anticipate that the mortgage servicers would assess unlawful fees and they had no reasonable means to avoid the fees from being charged.  Charging the illegal fees did not provide any countervailing benefit to consumers.

Expanding on the second bullet above, what examiners found were mortgage servicers that engaged in unfair acts or practices by failing to terminate preauthorized EFTs that the servicer should have realized were from closed or inactive accounts. Examiners found that servicers received notices of account closures but continued to initiate EFTs from the closed accounts each month until the consumer affirmatively canceled the preauthorized EFT.  Borrowers experienced substantial injury because the mortgage servicers’ practices resulted in repeated NSF charges.  Borrowers could not reasonably avoid the injury because they could not anticipate that the mortgage servicers would continue to attempt the EFTs, even where the EFT agreement disclosed that the EFTs would terminate when the “from” account was closed.  The continued attempts to withdraw payment from closed accounts and fees associated with the subsequent NSF transactions did not provide any countervailing benefit to consumers.

Another issue examiners found was that mortgage servicers engaged in deceptive acts by incorrectly disclosing transaction and payment information in borrowers’ online mortgage loan accounts. They found violations of Reg X (RESPA) requirements to evaluate a borrower’s complete loss mitigation applications within 30 days of receipt. Reg Z requirements relating to overpayments to borrowers’ escrow accounts and Homeowners Protection Act (HPA) requirements to automatically terminate PMI as required were subtopics found with the online statement errors.

Still on the topic of mortgage servicing, some practices were deemed deceptive because  inaccurate descriptions of payment and transaction information was provided in online mortgage statements.  The inaccurate descriptions and information were likely to mislead borrowers because the information was false.  It would be reasonable for borrowers to rely on their mortgage servicers to report accurate mortgage payments and account transaction histories wherever the information was offered.  The inaccurate descriptions and information were material because they were likely to affect borrowers’ conduct regarding their mortgage payments.

February 2022 OBA Legal Briefs

  • Reg E FAQs – Part II

Reg E FAQs – Part II

By Andy Zavoina

Last month I introduced you to the updated Reg E FAQ Guidance issued by the Consumer Financial Protection Bureau (CFPB). The FAQ is a Compliance Aid as defined by the CFPB. It is not a new rule, but guidance on compliance with an existing rule. When a Compliance Aid such as an FAQ is issued, it can be periodically revised as is the case here.  In this instance the existing rules are addressing Reg E concerns. Unlike the first iteration of Reg E FAQs issued in June 2021 this update addresses new concerns and not just what bankers were getting wrong. In this iteration, issued December 13, 2021, there are several issues addressed on Person-to-Person payments and specifically on liability.  The interpretation is not favorable for banks.

The purpose of the Compliance Aid is not to write new rules, but to clarify how the CFPB interprets what is already in the laws, regulations and official interpretations without having to go through a rule writing process.

In January’s Reg E FAQ – Part I, we explained how the CFPB was going back to the bare definitions of what is an electronic fund transfer (EFT) and what is a financial institution. Briefly, EFTs are electronic transfers to or from a consumer’s account. Financial institutions include banks and can include P2P providers. And if a P2P provider does not hold the consumer’s account, issues its own access device such as the logon for an app, and has no agreement with a bank to do such transfers, under 1005.14 that vendor has Reg E liability and responsibility. Lastly, we ended last month’s Part 1 with the CFPB interpretation that if the bank and the P2P vendor have an ACH agreement to move funds and share another agreement such as each accepting the others debit cards, then the exception at 1005.14 placing error resolution liability on the P2P provider does not apply. The fact that each entity will accept the other’s debit cards satisfies the need for an “agreement.” We also noted the CFPB expressed this opinion to bankers at least nine months in advance of issuing the FAQ, so it was a somewhat accepted opinion within the CFPB.

Now, let’s continue a review of the third and fourth sections of the Reg E FAQs as updated in December 2021 and we will add a few compliance recommendations.

Error Resolution

In this section the CFPB restates much of what the regulation and prior iteration of the FAQ had with two of the questions shown as new.

1,  What is an error for purposes of EFTA and Regulation E?

While shown as a new question, the information is not changed from the regulatory verbiage, but this is intended to be a foundational topic on which claims will build.

An error under EFTA and Regulation E includes any of the following:

  • An unauthorized EFT.
  • An incorrect EFT to or from the consumer’s account.
  • The omission from a periodic statement of an EFT to or from the consumer’s account that should have been included.
  • A computational or bookkeeping error made by the financial institution relating to an EFT.
  • The consumer’s receipt of an incorrect amount of money from an electronic terminal.
  • An EFT not identified in accordance with the requirements of 12 CFR 1005.9 or 1005.10(a).
  • A consumer’s request for any documentation required by 12 CFR 1005.9 or 1005.10(a) or for additional information or clarification concerning an EFT

(12 CFR 1005.11(a)(1)).

The term “error” does not include:

  • A routine inquiry about the consumer’s account balance;
  • A request for information for tax or other recordkeeping purposes; or
  • A request for duplicate copies of documentation.

(Comment 11(a)-6).

2. What are a financial institution’s error resolution obligations under Regulation E?

Again, this is not new information but is necessary to build on in the following FAQs.

In general, Regulation E requires that after a financial institution receives oral or written notice of an error from a consumer, the financial institution must do all of the following:

  • Promptly investigate the oral or written allegation of error.
  • Complete its investigation within the time limits specified in Regulation E.
  • Report the results of its investigation within three business days after completing its investigation.
  • Correct the error within one business day after determining that an error has occurred.

12 CFR 1005.11(c)(1).

The investigation must be reasonable, including a reasonable review of relevant information within the financial institution’s own records.  2019-BCFP-0001.  The Bureau found that a financial institution did not conduct a reasonable investigation when it summarily denied error disputes if consumers had prior transactions with the same merchant, and the financial institution did not consider other relevant information such as the consumer’s assertion that the EFT was unauthorized or for an incorrect amount.  2019-BCFP-0001.  If the error is an unauthorized EFT, certain consumer liability limits apply.  12 CFR 1005.6.

3.  If private network rules provide less consumer protection than federal law, can a financial institution rely on private network rules?

The CFPB indicates this is not an update. It does reiterate what has been noted in practice for many years, that a consumer’s rights may not be adversely affected by an agreement.

Although private network rules and other agreements may provide additional consumer protections beyond Regulation E, less protective rules do not change a financial institution’s Regulation E obligations.  [See 15 USC  1693l.  For example, some network rules require consumers to provide notice of an error within 60 days of the date of the transaction, even though Regulation E, 12 CFR 1005.11(b)(1)(i), allows consumers to provide notice within 60 days after the institution sends the periodic statement showing the unauthorized transaction.  Other network rules allow a financial institution to require a consumer to contact the merchant before initiating an error investigation, even though 1005.11(b)(1) triggers error investigation obligations upon notice from the consumer.  The Bureau discussed instances where examiners found financial institutions had violated the 60-day notice requirement in the Summer 2020 edition of Supervisory Highlights.

4.  Can a financial institution require a consumer to file a police report or other documentation as a condition of initiating an error resolution investigation?

This is not updated from June 2021 but is reposted here so as to be a complete reference to the reader.

No.  A financial institution must begin its investigation promptly upon receipt of an oral or written notice of error and may not delay initiating or completing an investigation pending receipt of information from the consumer.  See Comments 11(b)(1)-2 and 11(c)-2.  In the past, Bureau examiners found that one or more financial institutions failed to initiate and complete reasonable error resolution investigations pending the receipt of additional information required by the institution.  These examples can be found in the Bureau’s Summer 2020 edition of Supervisory Highlights and Fall 2014 edition of Supervisory Highlights.  The Bureau cited similar violations in 2019-BCFP-0001.

Error Resolution: Unauthorized EFTs

With EFT errors defined and some basic responsibilities set, the FAQ looks deeper at unauthorized transfers and provides guidance banks will need to evaluate their practices and procedures.

1.  What is an unauthorized EFT?

While the CFPB’s answer has a December date as a new addition, it is regulatory verbiage that has not changed, so accept it as a reminder of the rules as it helps express the duties and liabilities of the bank.

An unauthorized EFT is an EFT from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit. 12 CFR 1005.2(m). Unauthorized EFTs include transfers initiated by a person who obtained a consumer’s access device through fraud or robbery and consumer transfers at an ATM that were induced by force.  Comments 2(m)-3 and 4.

The term unauthorized EFT does not include an EFT initiated through any of the following means:

(1) By a person who was furnished the access device to the consumer’s account by the consumer, unless the consumer has notified the financial institution that transfers by that person are no longer authorized.  12 CFR 1005.2(m)(1).  This exclusion does not apply to transfers initiated by a person who obtained a consumer’s access device through fraud or robbery.  Comment 2(m)-3.

(2) With fraudulent intent by the consumer or any person acting in concert with the consumer.  12 CFR 1005.2(m)(2); or

(3) By the financial institution or its employee, 12 CFR 1005.2(m)(3).

This FAQ is important and often misunderstood by claims investigators. It is important to understand that a consumer loaning their debit card to someone does not provide evergreen authorization for use until the consumer reports to the bank that the person is no longer authorized to use the card. Essentially that person given the card is authorized until the consumer customer retrieves the card or notifies the bank. Once the customer re-secures the card the authorization has ended. If that authorized user remembers the PIN and steals the card, that’s fraud or robbery and not authorized use. If a bank has a problem with these types of losses remind the users of security precautions, the ability to get a new card or change the PIN, and the possibility that the bank will rescind the card and not re-issue it if the bank chooses. There is no legal right to have a debit card. That is a feature of having a deposit account at your bank. Many bankers have also not read the back of the debit cards they issue. All I have looked at specifically states the card is the property of the bank. That provides the bank with the option to rescind that card and make it non-usable.

2.  If a transfer meets the Regulation E definition of unauthorized EFT, how does a financial institution determine the consumer’s liability, if any?

Not an updated response from the first FAQ – but in short if the claim is valid, § 1005.6 is used to determine liability based on when the transfers happened, if an accepted access device was used, and when the bank was notified. The response is as follows:

“If a consumer has provided timely notice of an error under 12 CFR 1005.11(b)(1) and the financial institution determines that the error was an unauthorized EFT, the liability protections in Regulation E section 1005.6 would apply. Depending on the circumstances regarding the unauthorized EFT and the timing of the reporting, a consumer may or may not have some liability for the unauthorized EFT. See 12 CFR 1005.6(b).”

The three basic tiers of liability are up to $50 for a timely notice of the claim within 2 business days of the consumer learning of the loss or theft [of an access device], up to $500 if the notice is beyond 2 business days and potentially unlimited for those transfers occurring after 60 days after the first statement was sent to the consumer reflecting an unauthorized transfer.

3.  Is an EFT from a consumer’s account initiated by a fraudster through a non-bank P2P payment provider considered an unauthorized EFT?

Shown as a new question and using P2P as an example, the CFPB states, “Yes.  Because the EFT was initiated by a person other than the consumer without actual authority to initiate the transfer – i.e., the fraudster – and the consumer received no benefit from the transfer, the EFT is an unauthorized EFT.  12 CFR 1005.2(m).  This is true even if the consumer does not have a relationship with, or does not recognize, the non-bank P2P payment provider.”

Succinctly, in this case it is a basic theft because the consumer did not do, authorize, or benefit from the transaction. Whether the customer had a relationship already with the P2P provider is immaterial.

4.  Does an EFT initiated by a fraudster using stolen credentials meet the Regulation E definition of an unauthorized EFT?

The response is still a basic example of a theft but specifically uses stolen credentials to execute the transfer.

“Yes.  As discussed in Electronic Fund Transfers Error Resolution: Unauthorized EFT Question 1, Regulation E defines an unauthorized EFT as a transfer from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit.  12 CFR 1005.2(m).  When a consumer’s account access information is obtained from a third party through fraudulent means such as computer hacking, and a hacker uses that information to make an EFT from the consumer’s account, the transfer is an unauthorized EFT under Regulation E.

For example, the Bureau is aware of the following situations involving unauthorized EFTs:

  • A consumer shares their account access information in order to enter into a transaction with a third party, such as a merchant, lender, or employer offering direct deposit, and a fraudster obtains the consumer’s account access information by hacking into the computer system of the third party. The fraudster then uses a bank-provided P2P payment application to initiate a credit push payment out of the consumer’s deposit account.
  • A consumer shares their debit card information with a P2P payment provider in order to use a mobile wallet. A fraudster then hacks into the consumer’s phone and uses the mobile wallet to initiate a debit card transfer out of the consumer’s deposit or prepaid account.
  • A thief steals a consumer’s physical wallet and initiates a payment using the consumer’s stolen debit card.

See Electronic Fund Transfers Error Resolution: Unauthorized EFTs Question 5 for more examples of unauthorized EFTs.

All of the financial institutions in these examples, including any non-bank P2P payment provider or deposit account holding financial institution, must comply with the error resolution requirements discussed in Electronic Fund Transfers Error Resolution Question 2, as well as the liability protections for unauthorized transfers in 12 CFR 1005.6.

5.  A third party fraudulently induces a consumer into sharing account access information that is used to initiate an EFT from the consumer’s account. Does the transfer meet Regulation E’s definition of an unauthorized EFT?

A key to this June 2021 question is that the consumer was duped into providing account access information and the while the consumer did provide it, it was not with the intent of creating a transfer. That was done fraudulently, and Reg E is a consumer protection regulation. The CFPB provided the following guidance:

“Yes.  As discussed in Electronic Fund Transfers Error Resolution: Unauthorized Fund Transfers Question 1, Regulation E defines an unauthorized EFT as an EFT from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit.  12 CFR 1005.2(m).  Comment 1005.2(m)-3 explains further that an unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery.  Similarly, when a consumer is fraudulently induced into sharing account access information with a third party, and a third party uses that information to make an EFT from the consumer’s account, the transfer is an unauthorized EFT under Regulation E.

For example, the Bureau is aware of the following situations where a third party has fraudulently obtained a consumer’s account access information, and thus, are considered unauthorized EFTs under Regulation E: (1) a third-party calling the consumer and pretending to be a representative from the consumer’s financial institution and then tricking the consumer into providing their account login information, texted account confirmation code, debit card number, or other information that could be used to initiate an EFT out of the consumer’s account, and (2) a third party using phishing or other methods to gain access to a consumer’s computer and observe the consumer entering account login information.  EFTs stemming from these situations meet the Regulation E definition of unauthorized EFTs.”

6.  If a third-party fraudulently induces a consumer to share account access information, are subsequent transfers initiated with the fraudulently obtained account information excluded from Regulation E’s definition of unauthorized electronic fund transfer because they are initiated “[b]y a person who was furnished the access device to the consumer’s account by the consumer”?

As in the example above, the subsequent transfers were not the intent of the consumer. Even if the consumer authorized one transfer, the intent was for that one transfer, not any additional. Perhaps more to the exact question, any and all transfers that use fraudulently obtained access can be part of a valid EFT claim because there was no intent for the transfers and the consumer received no benefit. So, the CFPB states, “No.  A consumer who is fraudulently induced into providing account information has not furnished an access device under Regulation E.  As explained above in Electronic Fund Transfers Error Resolution: Unauthorized EFTs 3, 4, and 5, EFTs initiated using account access information obtained through fraud or robbery fall within the Regulation E definition of unauthorized EFT.  See Comment 1005.2(m)-3.”

7.  Can a financial institution consider a consumer’s negligence when determining liability for unauthorized EFTs under Regulation E?

The regulation has never allowed a consumer’s negligence to be used in denying a claim of unauthorized use. The Reg commentary even uses the example of a consumer writing their PIN on the card. In that case the claim would still be valid because there was no intended use allowed. Some vendors may offer enhanced liability protections such as zero liability and some of those enhancements may be reduced because of negligence. But the basic requirements of Reg E do not change, only the enhanced protections.

The June FAQ stands, “No.  Regulation E sets forth the conditions in which consumers may be held liable for unauthorized transfers, and its commentary expressly says that negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible under Regulation E.  12 CFR 1005.6; Comment 6(b)-2.  For example, consumer behavior that may constitute negligence under state law, such as situations where the consumer wrote the PIN on a debit card or on a piece of paper kept with the card, does not affect the consumer’s liability for unauthorized transfers under Regulation E.  Comment 1005.6(b)-2.”

8.  If a financial institution’s agreement with a consumer includes a provision that modifies or waives certain protections granted by Regulation E, such as waiving Regulation E liability protections if a consumer has shared account information with a third party, can the institution rely on its agreement when determining whether the EFT was unauthorized and whether related liability protections apply?

This restated response further illustrates that rights granted under Reg E may not be taken away. I will add that there are times a consumer will call and make a claim. Perhaps they are on vacation and a great distance away and when told the card will be canceled and reissued in a few days, they protest. They say they will accept the liability because they cannot be without their card while away. That is not an option. The consumer cannot accept that additional liability because to do so would amount to the bank taking away the consumer’s legal rights.

“No.  EFTA includes an anti-waiver provision stating that “[n]o writing or other agreement between a consumer and any other person may contain any provision which constitutes a waiver of any right conferred or cause of action created by [EFTA].”  15 U.S.C. § 1693l.  Although there may be circumstances where a consumer has provided actual authority to a third party under Regulation E according to 12 CFR 1005.2(m), an agreement cannot restrict a consumer’s rights beyond what is provided in the law, and any contract or agreement attempting to do so is a violation of EFTA.”

9.  If a consumer provides notice to a financial institution about an unauthorized EFT, can the financial institution require that the consumer first contact the merchant about the potential unauthorized EFT before the financial institution initiates its error resolution investigation?

Remember that the consumer has basic requirements to file a claim with the bank, and the bank is required to determine if it was an unauthorized use and to investigate and determine liability. The only things the consumer is required to do is indicate who they are and why they believe their account had an unauthorized transfer. Nothing allows the bank to refuse a claim and impose additional requirements beyond what the EFTA has required.

The CFPB’s response: “No.  A financial institution must begin its investigation promptly upon receipt of an oral or written notice of error and may not delay initiating or completing an investigation pending receipt of information from the consumer.  See Comments 11(b)(1)-2 and 11(c)-2.  For example, in 2019-BCFP-0001, the Bureau found that the practice of requiring a consumer to contact the merchant before initiating an error resolution investigation was a violation of Regulation E.  Similarly, the Fall 2014 edition of Supervisory Highlights discussed instances where examiners found that one or more financial institutions had instructed consumers to contact the merchant instead of promptly initiating an error investigation.”

10.  Do private network rules, such as provisions that a transfer is final and irrevocable, impact whether a P2P credit-push transfer meets the Regulation E definition of unauthorized EFT?

This is a new question and addresses specifically a P2P payment. Many P2P agreements indicate that when a transfer is sent and is based on, for example, a cell phone number, the transfer is completed and not reversible once it is accepted by the recipient. There is no process to reverse the transfer from the recipient. This question emphasizes that the bank’s consumer is protected regardless of any network rules. This is a question demonstrating additional liability on the bank. There is no process requiring the consumer to contact the cell number that received the funds and demand the return of those funds. The bank or P2P vendor may attempt this as a part of the investigation but likely there would be no response from the receiver of the funds, especially if the transfer was part of a fraud transaction.

“No.  Although private network rules and other commercial agreements may provide for interbank finality and irrevocability, they do not reduce consumer protections against liability for unauthorized EFTs afforded by the Electronic Fund Transfer Act.  See 15 USC 1693g(e). Moreover, no agreement between a consumer and any other person may waive any right provided by the EFTA.  See 15 USC 1693l.  Accordingly, any financial institution in this transaction must comply with the error resolution requirements discussed in Electronic Fund Transfers Error Resolution Question 2, as well as the liability protections for unauthorized transfers.”

11.  A fraudster initiates an EFT through a non-bank P2P payment provider that the consumer does not have a relationship with from the consumer’s account with a depository institution. Is the depository institution considered a financial institution with full error resolution obligations under Regulation E?

This is another new and P2P specific question. If a fraudster sets up an account using someone else’s identity and account information, transfers can be valid claims.

The Bureau’s response:

“Yes.  As discussed in Electronic Fund Transfers Coverage: Financial Institutions Question 1, the definition of financial institution includes a bank, savings association, credit union, or any other person that directly or indirectly holds an account belonging to a consumer, or that issues an access device and agrees with a consumer to provide EFT services.  12 CFR 1005.2(i). Here, the account-holding financial institution holds the consumer’s account, and is thus considered a financial institution under Regulation E.  Any entity defined as a financial institution under Regulation E has error resolution obligations in the event that a consumer notifies the financial institution of an error, with limited exceptions.  12 CFR 1005.11.  As discussed in Electronic Fund Transfers Error Resolution: Unauthorized Transfers Question 4, since the transaction is an unauthorized EFT, the depository institution must comply with any applicable liability protections for unauthorized transfers in 12 CFR 1005.6.”

Expectations:

Based on this interpretation in the FAQs regarding P2P transactions and liability, we can expect more examiner scrutiny on any claim pertaining to P2P losses by consumers. Prior to the FAQs many in the industry interpreted the needed “agreement” under 1005.14 to be a specific agreement defining the duties of the P2P vendor and the bank and this could have included liability. It may have also addressed daily transactions limits and many P2P vendors allow greater limits on transactions than banks do. Banks consciously keep daily limits low to protect the consumer’s balances and reduce losses. Exceptions are generally granted upon request and verification by the consumer. With the bank having to bear the burden of claims processing and payment liability the P2P vendor’s transaction limitations now control the amount of losses banks may have.

Under Reg E and the Electronic Fund Transfer Act (EFTA) consumers are granted certain rights. While the bank and a vendor may have separate agreements addressing some of these same rights – such as monetary liability for unauthorized transactions, the consumers rights always stand and may not be adversely limited by any of these agreements. You can always treat a consumer better, but never worse than the law or regulation provides.

In many cases, because of the CFPB’s interpretation pertaining to a broad definition of what an agreement with the bank is, banks will see an increase in liability for Reg E claims involving P2P transfers reported as unauthorized if the banks were pushing these claims to the P2P vendors in the past. If the P2P vendor allows a $1,200 daily limit and the bank has a $400 daily limit, two similar transfers will arrive at the bank in different ways. The P2P vendor will ACH the funds but a consumer would have directly been allowed say only $400 using their debit card. If the transfer is claimed as unauthorized, the bank now has a greater chance of losing $1,200 rather than $350. Remember the consumer typically has liability for the first $50 when an accepted access device is used. An ACH directly from the consumer’s account is not using an accepted access device between the consumer and the bank. It is easy to see how, in an example such as this, losses could grow over prior years.

Recommended Actions:

If the data is readily available, your bank may want to review EFT claims to determine, based on the new guidance, how many and what amount of EFT claims were P2P related in the past year or two and what new liability the bank may have. This may be a budgeting issue that needs to be addressed depending on the volumes you have seen. You must recognize if this will be a complication and how severe it may be.

Bank staff involved in any part of the claims process may require training to recognize P2P claims as valid EFT claims on which the bank is now deemed responsible. Where these may have been referred to the P2P vendor in the past, that may no longer be allowed.

Advise customers of ways to protect themselves – and the bank. Do not write PINs on debit cards. Secure their cell phones. Use multifactor authentication. Review balances and transactions regularly and even advertise services the bank has where it can advise a consumer of their balance and/or large transactions, etc.

When using P2P transfers, the consumer needs to absolutely verify the recipient that funds will be going to is the intended recipient. And watch out for fraudsters. If a consumer will buy hundreds or thousands of dollars in gift cards and send that information to a fraudster, they will certainly take the convenient track and P2P the funds to an unknown person.

For now, we have Reg E guidance that will, for many banks, increase Reg E liability for more valid claims than in the past. Bank management and the industry as a whole will need to determine if these are valid risks banks want to accept, or if the banks want to find other ways to reduce these claims without disadvantaging consumers and certainly without reducing any Reg E rights. Can ACH transfers require sone customer authentication or verification? Can a limit be placed on daily transfers or each transfer over a given amount?

Lastly, determine if this guidance will require any changes to bank policies and procedures and react appropriately.

January 2022 OBA Legal Briefs

  • The FDCPA Regulation—Part 2
  • The CFPB’s Reg E FAQ—Part 1

Don’t Ignore the FDCPA Regulation (Part 2)

By John Burnett

Part 1 of our update on the CFPB’s Regulation F (12 CFR Part 1006), “Fair Debt Collection Practices Act,” appears in our November 2021 Legal Briefs.

False, deceptive, or misleading representations or means

To remain compliant with section 1006.18 of the regulation, debt collectors cannot use any false, deceptive, or misleading representation or means in connection with their collection of any debt.

The regulation provides examples of the things that a compliant debt collector cannot do in paragraphs (b) through (d) of this section.

False, deceptive or misleading representations: Debt collectors must not falsely represent or imply that—

  • they are vouched for, bonded by, or affiliated with federal or state government including through the use of a badge, uniform, or facsimile of a badge or uniform
  • they operate or are employed by a consumer reporting agency (credit bureau)
  • they are attorneys or that any communication is from an attorney
  • the consumer committed any credit or other conduct, in order to disgrace the consumer
  • a sale, referral, or other transfer of any interest in a debt causes or will cause the consumer to:
    • lose any claim or defense to payment of the debt, or
    • become subject to any practice banned by the regulation
  • accounts have been turned over to innocent persons for value
  • documents are legal process
  • documents are not legal process forms or do not required action by the consumer

Debt collectors also must not falsely represent the character, amount, or legal status of any debt, or falsely represent any services rendered, or compensation that may be lawfully received, by the debt collector for the collection of a debt.

Many, many complaints to the CFPB included collectors who had incorrect information about the amount of the debt, and in some cases the debts had already been paid off or settled and no amount was owed. The consumers had to prove to the collector that an aged bill had been paid and this can take a lot of time and effort and the “official loan records” which the collector should have, are really what’s needed. Did the creditor accept payments after a loan was sold?  Did a settled amount not get properly written off? These are issues the consumer can’t easily fix and the collector is not interested in doing because they are interested in collecting money, as perhaps their income depends on how much they bring in. But the collector must know what’s owed.

Debt collectors mustn’t represent or imply that nonpayment of a debt will result in a person’s arrest or imprisonment, or the seizure, garnishment, attachment or sale of a person’s property or wages, unless such action is lawful, and the debt collector or creditor intends to take such action.

False, deceptive, or misleading collection means:

  • Threatening to take any action that cannot legally be taken or that is not intended to be taken (such as threatening to sue when you don’t or won’t sue to collect the debt)
  • Communicating or threatening to communicate to any person credit information that the debt collector knows or should know is false, including the failure to communicate that a disputed debt is disputed.
  • Using or distributing any written communication that simulates or that the debt collector falsely represents to be a document authorized, issued, or approved by any court, official, or agency of the U.S. or any state, or that creates a false impression about its source, authorization, or approval.
  • Using any business, company or organization name other than the true name of the debt collector’s business, company or organization.

False representations or deceptive means. Use of any false representation or deceptive means to collect or attempt to collect a debt or to obtain information concerning a customer is forbidden by the regulation. This is a catch-all that can cover any deceptive tactic that isn’t specifically listed.

For example, in a social media context, it would be a false representation or implication for a debt collector to request to be added as one of a consumer’s contacts or “friends” on a social media platform marketed for social or professional networking purposes if they do not disclose their identity as a debt collector in the request.

Or assume that a debt collector communicates privately with a friend or coworker of a consumer on a social media platform, for the purpose of getting location information about the consumer. The debt collector must identify himself or herself individually by name when communicating for the purpose of acquiring location information. To avoid violating that requirement, the debt collector must communicate using a profile that accurately identifies the debt collector’s individual name. (There is a limited exception for the consistent use of assumed names. See “Use of assumed names” below.) The debt collector also must comply with the other applicable requirements for obtaining location information (e.g., with respect to stating that the debt collector is confirming or correcting location information concerning the consumer and, only if expressly requested, identifying the name of the debt collector’s employer), for communicating with third parties and for communicating through social media.

Initial communication with debtor: A collector must disclose in their initial communication with a consumer that the debt collector is attempting to collect a debt and that any information obtained will be used for that purpose. If the debt collector’s initial communication with the consumer is oral, the debt collector must repeat the disclosure that they are attempting to collect a debt in its initial written communication with the consumer.

In each subsequent communication with the consumer, the debt collector must disclose that the communication is from a debt collector. These disclosures must be in the same language or languages used for the rest of the communication.

Use of assumed names. A debt collector’s employees can use assumed names when communicating or attempting to communicate with a person, but only if the employee uses the assumed name consistently and the debt collector can readily identify any employee using an assumed name.

Unfair or unconscionable means

Debt collectors cannot use unfair or unconscionable means to collect or attempt to collect any debt, including any of the following conduct:

Collection of unauthorized amounts, such as interest, fees, charges or expenses not expressly authorized by the loan note or other agreement creating the debt or permitted by law. Many collectors were in the habit of collecting more than legally permitted, on the theory that excess funds collected could always be returned.

Acceptance or use of postdate payment instruments, such as a check or other instrument post-dated more than five days, unless the consumer is notified in writing of the debt collector’s intent to deposit the check or instrument no more than 10 nor less than 3 days (excluding weekends and legal public holidays) before making the deposit.

Solicitation of post-dated checks or other payment instruments for the purpose of threatening or instituting criminal prosecution (“Give me a post-dated check and I won’t have you arrested.”)

Depositing (or threatening to) any post-dated check before its date (“You gave me four post-dated checks. I will run them all if you don’t come up with a cash payment!”)

Causing charges resulting from concealment of purpose. That’s a fancy way of saying a debt collector can’t pose as a friend or family member to make a collect telephone call to get a consumer to answer the telephone. The word “telegram” is included in this paragraph of the rule just in case someone figures out how to send a collect telegram. There are still ways to make collect phone calls, and they can be expensive for the person who accepts such a call.

Taking or threatening to take any nonjudicial action to effect dispossession or disablement of property if the creditor or debt collector has no current right to take possession of or to disable the property or has no present intention to take possession of it, or the property is exempted by law from dispossession or disablement.

Restrictions on use of certain media. Debt collectors are not allowed to:

  1. Communicate with a consumer about a debt by postcard
  2. Use any language or symbol other than the debt collector’s address, on any envelope when communicating with a consumer by mail (the debt collector’s business name may appear on the envelope if it does not show that the debt collector is in the business of debt collection).
  3. Communicate or attempt to communicate with a consumer by email sent to an email address the debt collector knows is provided to the consumer by the consumer’s employer, unless the consumer has directly given the debt collector prior consent to use that address, or the consumer has sent the debt collector an email from that address and has not subsequently rescinded the expressed or implied consent to use of the address.
  4. Communicate (or attempt to) with a person about collection of a debt through a social media platform if the communication or attempt can be viewed by the public or the person’s social media contacts.

Time-barred debts

Every state has statutes of limitations that prescribe the time limit for bringing a legal action to collect a debt. In some cases, these time limits can vary by the type of debt.

A time-barred debt is one for which the applicable statute of limitations has run or expired.

Under the FDCPA regulation, a debt collector is not allowed to bring or threaten to bring a legal action against a consumer to collect a time-barred debt.

Other prohibitions and requirements

There are miscellaneous other requirements in the regulation that prohibit certain actions and mandate others.

  • 1006.30—Other prohibited practices.
  • 1006.34—Notice for validation of debts.
  • 1006.38—Disputes and requests for original-creditor information.
  • 1006.42—Sending required disclosures.
  • 1006.100—Record retention

Why is this important for bankers?

The Fair Debt Collection Practices Act itself and the FDCPA regulation (Regulation F) are replete with prohibitions against actions that are deemed Unfair, Deceptive, or Abusive, the first three words abbreviated in UDAAP. If a bank were found to engage regularly in the unfair, deceptive, or abusive actions banned in this regulation, it would not be unreasonable for a regulator to bring an enforcement action against the bank under the UDAP provisions of the FTC Act or for the Bureau to bring an action against a large bank for violations of the UDAAP provisions of the Consumer Protection Act of 2010.

The more immediate concern, however, is that a bank that hires an outside debt collection firm has responsibility to verify that firm’s and its collectors’ compliance with the FDCPA and the regulation.

The CFPB’s Reg E FAQ – Part 1

By Andy Zavoina

In one episode of the TV sitcom Big Bang Theory, Leonard asked Sheldon, “What you would be if you were attached to another object by an incline plane wrapped helically around an axis?” And Sheldon answered appropriately, “Screwed.” When I teach Reg E, I typically say more than once that “Reg E is not fair to banks, and it is not meant to be. Reg E is a consumer protection regulation.” But the Electronic Fund Transfers FAQs issued in December 2021 by the Consumer Financial Protection Bureau have taken these protections up a notch. Using its interpretive authority without requesting input from the industry or public, The CFPB has made banks liable for more transactions than in the past, at least based on the common interpretations of the past.

This guidance is in the form of FAQs which the CFPB considers a Compliance Aid. Compliance Aids were introduced in February 2020. Refer to the Federal Register / Vol. 85, No. 17, January 27, 2020, page 4579. The CFPB stated it is not intended that Compliance Aids will bind banks and other entities to new rules. Unlike actual regulations and official interpretations, Compliance Aids are not “rules” under the Administrative Procedures Act.  Instead, Compliance Aids present the requirements of existing rules and statutes in a manner that is useful for those who must comply with the rules as well as the public and others interested in the topics. Compliance Aids can include practical suggestions for how to properly comply with these rules. An FAQ Compliance Aid from the CFPB is simply an explanation of how it connects the dots and interprets an existing rule. It is not new, but it is how those currently in the driver’s seat at the CFPB understand the rule. Again, above all, Reg E, which implements the Electronic Fund Transfer Act, is intended to protect consumers, and the CFPB will read and interpret it from that perspective. It is not intended to be fair to the banks or others.

Now, let’s preview the Reg E FAQs. This December 13, 2021, issuance is an update of the original FAQs on Reg E the CFPB issued on June 4, 2021. It is not all new content. There are four major categories and questions and answers under each.

  • “Coverage: Transactions” is the first section and it contains five new questions and answers. This general topic lays the foundation for interpretations that follow.
  • The second section, “Coverage: Financial Institutions” has four new questions and answers. This section is intended to add clarity as to who the banks and other entities such as “Person to Person” (P2P) vendors are. By defining the roles of these players, we are better able to define the responsibilities of each based on the transactions and relationships between the players.
  • Section three is “Error Resolution,” and it is a general topic. There are four questions and answers, of which two are new to the topic and two were issued in June 2021.
  • The fourth and final section is “Error Resolution: Unauthorized EFTs.” It includes six restated questions and answers from June 2021 and five new ones specific to the topic at hand as Reg E drills into some liability issues particular to P2P payments.

Section two on Coverage is perhaps one of the more controversial. As I read the FAQs the last question is where I annotated “gotcha” in the column. As far back as March 2021 one banker on the BOL threads referred to a conversation with an attorney at the CFPB who opined banks could not displace error resolution responsibilities and liabilities to a P2P third-party vendor as they were believing they could under § 1005.14. And nine months later we received this in print.

Under § 1005.14 a person that provides an electronic fund transfer service to a consumer (think P2P providers like Zell, Venmo, CashApp, etc.) but does not hold the consumer’s account, is subject to the error resolution requirements if the person meets a two-pronged test:

  1. The person issues a debit card (or other access device) that the consumer can use to access the consumer’s account held by a bank, and
  2. The person has no agreement with the account-holding institution regarding such access.

P2P providers often have an agreement directly with a bank to provide services to that bank’s customers. In that case the bank still has Reg E error resolution responsibilities. But when that company is acting on its own it assumes these responsibilities. At least that is how many bankers interpreted the rules.

Under that common understanding, most P2P providers issue logon credentials for access in an app or to a web site such as with a smartphone and this constitutes an access device. Therefore § 1005.14 applies when 1) the service provider offers EFT services and 2) the provider does not have an agreement with the bank who holds the account in question.  So, when a bank consumer customer loans their smartphone to someone who then without authority uses the P2P app to transfer money, the bank simply executed the debit order and sent the funds through the P2P provider to a destination not known by the bank. The P2P provider issued an access device, does not hold the deposit account, and has no agreement to execute such orders with the bank. Section 1005.14 has been used by many banks because of this understanding to refer the harmed consumer to the P2P provider they selected on their own, for satisfaction of a claim.

A. Coverage: Transactions

1. What transactions are covered by the Electronic Fund Transfer Act and Regulation E?

This is new to the FAQ, but the answer provided is not. It is straight out of Reg E, but it must be understood as it is a foundation for most of what follows. Per § 1005.3(a) the answer reminds us this is all about electronic fund transfer requests to a financial institution (FI) to debit or credit a consumer’s account. It applies to checking, savings and other consumer asset accounts, held directly or indirectly by a FI and established primarily for personal, family or household use.

The rules apply to any transfer of funds that is initiated through an electronic terminal, telephone, computer, or magnetic tape for the purpose of ordering, instructing, or authorizing a FI to debit or credit a consumer’s account, 1005.3(b)(1). Here the CFPB states inclusively that Reg E applies to any P2P or mobile payment transaction that meets the definition of EFT, including debit card, ACH, prepaid account and other EFTs to or from a consumer account. So, an EFT to or from a P2P vendor is an EFT to your consumer customer’s account.

2. Can person-to-person or “P2P” payments be EFTs under Regulation E?

This reinforces what was just presented as the short CFPB answer is “Yes.” The specific answer is that in general, yes, so long as the P2P payment meets the definition of an EFT, it is under Reg E.

3. Is a P2P payment that uses the consumer’s debit card to transfer funds considered an EFT?

Short answer, “Yes.” This allows the tying of a debit card to the P2P account and clearly includes such transfers.

4. Is a credit-push P2P payment that transfers funds out out of a consumer’s deposit, prepaid, or mobile account considered an EFT? (The FAQ uses “out” twice.)

Short answer is again, “Yes.” It ties back to the definition of an EFT and this meets that definition while associating the transfer as out of a consumer deposit. It further explains that a credit-push P2P transfer is considered an EFT even if the payment was initiated by a third party that fraudulently obtained access to the consumer’s account. An example is by using login credentials stolen in a data breach or obtained through fraudulent inducement. The credit-push P2P transfer would be considered an unauthorized EFT. The consumer neither did it, authorized it nor benefitted from the EFT and the credentials were obtained fraudulently. Remember, too, that if the access device as defined under 1005.2(a)(1) was not an accepted device, the consumer’s liability under 1005.6(a)-(b) may be eliminated and become the responsibility of the bank.

5.  Is a P2P debit card “pass-through” payment considered an EFT?

Another “Yes” plus the explanation that a “pass-through” payment transfers funds from the consumer’s account held by an external FI to another person’s account held by an external FI.Now the FAQ introduces a third-party P2P vendor. It tells us a “pass-through” payment is initiated through a FI that does not hold a consumer’s account, such as a non-bank P2P provider. It restates the foundational question and answer 1 above, that Reg E applies to any EFT that authorizes a debit or credit from a consumer’s account. Therefore, debit card “pass through” payments are EFTs.

B. Coverage: Financial Institutions

In this section the FAQ better defines who the financial institution players are to assist in defining liability and responsibility.

1. What is a financial institution under EFTA and Regulation E?

 Simply put it includes banks, savings associations, credit unions, and:

any other person that directly or indirectly holds an account belonging to a consumer, or

any other person that issues an access device and agrees with a consumer to provide electronic fund transfer (EFT) services.

This includes providers of P2P payment and bill payment services if they directly or indirectly hold an account belonging to a consumer, or if they issue an access device and agree with a consumer to provide EFT services.

So far so good, except that more of the answer clarifies how the P2P provider may become liable itself (it states essentially the two-pronged test under 1005.14), and then how that liability can revert to the FI based on another agreement. It states, “In narrow circumstances, a financial institution can also be considered a “service provider” under Regulation E. A financial institution who provides EFT services to a consumer but does not hold the consumer’s account is a service provider under Regulation E if the financial institution: (1) issues an access device that the consumer can use to access the account and (2) no agreement exists between the access device-issuing financial institution and the account-holding financial institution.  12 CFR 1005.14(a).  The automated clearing house (ACH) rules alone do not generally constitute an agreement for purposes of whether a financial institution meets the definition of “service provider” under Regulation E. However, an ACH agreement combined with another agreement to process payment transfers – such as an ACH agreement under which members specifically agree to honor each other’s debit cards – is an “agreement,” and thus section 1005.14 does not apply. Comment 14(a)-2.” So, the ACH agreement, plus another agreement such as acceptance of each other’s debit cards is sufficient to eliminate the § 1005.14 exception.

In the past many have interpreted that second agreement as one being between the P2P provider and the bank such as when the bank is endorsing and using Zelle. That would eliminate that § 1005.14 exception, but the CFPB tells us that both accepting each other’s debit cards, as an example, constitutes that agreement regardless of specific terms as to liability.

2. Can non-bank P2P payment providers be considered financial institutions under Regulation E?

The CFPB says, “Yes” as expected and refers to what is defined as a FI. It goes on to explain that the FI has certain responsibilities, as it states that even, “non-account-holding providers of P2P payment or bill payment services are considered covered financial institutions under Regulation E if the provider issues an access device and agrees with a consumer to provide EFT services. 12 CFR 1005.2(i).  For example, a P2P provider may enter into an agreement with a consumer for a mobile wallet that the consumer can use to initiate debit card transactions from their external bank account to another person’s external bank account.

Any entity defined as a financial institution under Regulation E has error resolution obligations in the event that a consumer notifies the financial institution of an error, with limited exceptions.”

3. If a non-bank P2P payment provider initiates a debit card “pass-through” payment from the consumer’s account held by a depository institution to a different person’s account at another institution, is the non-bank P2P payment provider considered a financial institution under Regulation E?

Response from the CFBP is “generally yes.” It references the definitions of what is an FI and states that “an entity, including a non-bank P2P payment provider, enters into an agreement with a consumer to provide EFT services and issues an access device, and initiates a debit card “pass-through” payment, then that entity would be covered as a financial institution under Regulation E.  Any entity defined as a financial institution under Regulation E has error resolution obligations in the event that a consumer notifies the financial institution of an error. So, we still can read that when there is liability for unauthorized EFTs, the FI will hold liability. But at this point we commonly have the bank, which is an FI, and a P2P provider, which can be an FI. The key to liability is that the bank is liable unless 1005.14 and the two-pronged test can come into play.

4.  If a consumer uses a non-bank P2P payment provider to initiate a debit card “pass-through” payment from the consumer’s account held by a depository institution, is the depository institution considered a financial institution under Regulation E, even though the transfer was initiated through the non-bank P2P payment provider?

The answer is Yes, and this has the definitive “Gotcha.” The bank holding the deposit account has full Reg E error resolution responsibilities as there is a narrow circumstance that redirect those responsibilities when 1005.14 applies. This exception is not applicable when there is an ACH agreement combined with another agreement to process payment transfers – such as an ACH agreement under which members specifically agree to honor each other’s debit cards. This constitutes an “agreement,” and 1005.14 does not apply. Comment 14(a)-2.

Conclusively, the FAQ states, where an EFT is initiated through a non-bank P2P payment provider using a consumer’s debit card information, the P2P provider and the account-holding financial institution are parties to an agreement to honor each other’s debit cards – the debit card network rules – and the service provider provision in 12 CFR 1005.14 does not apply.  The account-holding financial institution has full error resolution responsibilities.

5.  I know many bankers will state that the card acceptance issue is not an agreement per se with the P2P provider and liability is not addressed, plus the P2P provider controls the daily limits that are here said to be the bank’s liability. That is all true but again, the CFPB is protecting the consumer and looking at the raw definitions. Until the industry can come to terms on the specifics to an “agreement,” banks will have the responsibility in most P2P disputes. Remember too, that a bank may not reduce any consumer rights afforded by the EFTA and Reg E. It may have other agreements with vendors, but the consumer’s rights may not be diminished.

The final two sections of the Reg E FAQs and recommended actions will be covered in next month’s Legal Briefs.

 

December 2021 OBA Legal Briefs

  • 2022 to-dos today
  • New year, new rule—Computer-security incident notification
  • Foreclosure forbearance reminder
[Editor’s note: Due to the timeliness of this months articles, Part 2 of last month’s article on the new Fair Debt Collection Practice Act regulation will appear in our January 2022 Legal Briefs.]

_________________________________

2022 to-dos today

By Andy Zavoina

It is hard to believe that we are at the end of the year so soon. On the other hand, it seems like 2021 has lasted two years already. Still, we have worked through most of a pandemic but started bringing many if not all workers back into the branches, as well as our customers and soon we may expect examiners. It is time to get ready for 2022 and that means some of the light housekeeping may be in order. Let’s review some of your annual compliance chores to ensure they are tidy and cared for.

Security, Annual Report to the Board of Directors § 208.61 – The Bank Protection Act requires that your Security Officer report at least annually to the board of directors on the effectiveness of the security program. The substance of the report must be reflected in the minutes of the meeting. The regulations don’t specify if the report must be in writing, who must deliver it, or what information should be in the report. It is recommended that your report span three years and include last year’s historical data, this year’s current data and projections for the next year.

Similar to compliance reporting to the board, this may include a personal presentation, or it may not. I recommend that it is, as it is an opportunity to express what is being done to control what has happened as well as foreseeable events and why, as that can assist you in getting the budget and assets necessary in the coming year. While the year end is not necessarily the most desirable time to make such a presentation, take whatever time you do get and use it wisely. Annual presentations such as this are better done when the directors can focus more on the message so try to avoid quarter ends, and especially the fourth quarter. This is not a “how-to” on the annual security report, but you can find more on the topic, free, on the BankersOnline Tools by searching on “annual security program.”

Regulation O, Annual Resolution §§ 215.4, 215.8 – In order to comply with the lending restrictions and requirements of 215.4, you must be able to identify the “insiders.” Insider means an executive officer, director, or principal shareholder, and includes any related interest of such a person. Your insiders are defined in Reg O by title unless the Board has passed a resolution excluding certain persons. You are encouraged to check your list of who is an insider, verify that against your existing loans, and ensure there is a notification method to keep this list updated throughout the year.

Reg BB (CRA), Content and availability of Public File § 228.43 – Your Public Files must be updated and current as of April 1 of each year. Many banks update continuously, but it’s good to check. You want to ensure you have all written comments from the public from the current year plus each of the two prior calendar years. These are comments relating to the bank’s efforts in meeting community credit needs (your SBA loans may play a key role here) as well as any responses to comments. You also want a copy of the last public section of the CRA Performance Evaluation. That must be placed here within 30 days of receipt. Ensure you are keeping up with branch locations and especially ATMs, as those may change. The regulation has more on the content of this file. It may be best to review it with an audit workpaper to use as a checklist to avoid missing any required items.

CRA Notice and Recordkeeping  § 228.42, 228.44, 1003.5 – CRA data, which can include small business and small farm as well as home mortgages are gathered based on specific reporting requirements for the Loan Application Registers (LAR). CRA and HMDA information, if applicable, must be submitted by March 1, for the prior calendar year. If you are a reporter of either LAR you should start verifying the data integrity now to avoid stressing the process at the end of February. HMDA mortgage data should be compiled quarterly so this should not be a huge issue, but a thorough scrubbing as the new year starts and submission preparation readies is always warranted.

Pertaining to this, national banks should ensure they have reviewed and updated as needed the CRA, FHA and ECOA notices in accordance with the Aug. 5, 2021, OCC Bulletin 2021-35. This bulletin provided updated content for the appropriate names and addresses for notices required by the Community Reinvestment Act and Equal Credit Opportunity Act, and for posters under the Fair Housing Act. National banks were required to make the appropriate changes to their notices and posters within 90 days of the issuance which then had a mandatory compliance date of Nov. 3, 2021.

Fair Credit Reporting Act – FACTA Red Flags ReportSection VI (b) (§ 334.90) of the Guidelines (contained in Appendix J) require a report at least annually on your Red Flags Program. This can be reported to either the Board, an appropriate committee of the Board, or a designated employee at the senior management level.

This report should contain information related to your bank’s program, including the effectiveness of the policies and procedures you have addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts, as well as service provider arrangements, specifics surrounding and significant incidents involving identity theft plus management’s response to these and any recommendations for material changes to the bank’s program. Times change, customers habits change, and importantly criminals change and each may require tweaks to the bank’s program.

Reg E § 1005.8– If your consumer customer has an account to or from which an electronic fund transfer can be made, an error resolution disclosure is required. There is a short version that you may have included with each periodic statement. If you’ve used this, you are done with this one. But if you send the longer version that is sent annually, it is time to review it for accuracy and ensure it has been sent or is scheduled to be. Electronic disclosures under E-SIGN are allowed here.

This is also a good time to review §1005.7(c) (additional electronic fund transfer services) and determine if any new services have been added and if they were disclosed as required. Think Person-to-Person transfers like Zelle, Venmo or Square. These require disclosure and inaccurate disclosures may affect your claims processing.

HMDA Notice and Recordkeeping § 1003.4, 1003.5 – HMDA data are gathered as home mortgage loans are applied for and are compiled quarterly if your bank is a HMDA reporter. There are specific and detailed reporting requirements for the Loan Application Register (LAR) itself. The LAR must be submitted by March 1 for the prior calendar year. If you are a reporter, you should start verifying the data integrity now and this is of vital importance if you have a large volume of records to report. When a systemic error is found it can be very time consuming to scrub all files for errors and correct them.

Annual MLO Registration § 1007.102 – Mortgage Loan Originators must go to the online Registry and renew their registration. This is done between November 1 and December 31. If this hasn’t been completed, don’t push it to the back burner and lose track during the holidays and then have to join a year-end rush to complete this task. This is also a good time to plan with management and Human Resources any MLO bonus plans. Reg Z Section 1026.36(d)(1)(iv)(B)(1) allows a 10 percent aggregate compensation limitation on total compensation which includes year-end bonuses.

Reg P § 1016.5 –There are exceptions allowing banks which meet certain conditions to forgo sending annual privacy notices to customers. The exception is generally based on two questions, does your bank share nonpublic personal information in any way that requires an opt-in under Reg P, and have you changed your policies and practices for sharing nonpublic personal information from the policies and procedures you routinely provide to new customers? Not every institution will qualify for the exception, however. John Burnett wrote about the privacy notice conundrum in the July 2017 Legal Briefs. That article has more details on this.

When your customer’s account was initially opened, you had to accurately describe your privacy policies and practices in a clear and conspicuous manner. If you don’t qualify for the exception described above, you must repeat that disclosure annually as well. Ensure that your practices have not changed and that the form you are sending accurately describes your practices.

For Reg P and the Privacy rules, annually means at least once in any period of 12 consecutive months during which that relationship exists. You may define the 12-consecutive-month period, but you must apply it to the customer on a consistent basis, so this is not necessarily a December or January issue, but it could be. And each customer does not have their own “annual date.” If a consumer opens a new account with you in February, you provide the initial privacy notice then. That is year one. You can provide the annual privacy notice for year two at any time, up until December 31 of the second year.

It is important to note that unlike most other regulatory requirements, Reg P doesn’t require E-SIGN compliance for your web-based disclosures. You can use e-disclosures on your bank website when the customer uses the website to access financial products and services electronically and agrees to receive notices at the website, and you post your current privacy notice continuously in a clear and conspicuous manner on the website. So, the demonstrable consent requirements and others in E-SIGN’s 15 USC Sect. 7001(c) do not apply, but there must still be acceptance to receive them on the web. Alternatively, if the customer has requested that you refrain from sending any information regarding the customer relationship and your current privacy notice remains available to the customer upon request this method is acceptable.

Fair Credit Reporting Act – Affiliate Marketing Opt-Out § 1022.27(c) – Affiliate marketing rules in Reg V place disclosure restrictions and opt out requirements on you. Each opt-out renewal must be effective for a period of at least five years. If this procedure is one your bank is using, you must know if there are there any expiration dates for the opt-outs and have these consumers been given an opportunity to renew their opt-out?

Annual Escrow Statements § 1024.17 – For each escrow account you have, you must provide the borrower(s) an annual escrow account statement. This statement must be done within 30 days of the completion of the escrow account computation year. This need not be based on a calendar year. You must also provide them with the previous year’s projection or the initial escrow account statement, so they can review any differences. If your analysis indicates there is a surplus, then within 30 days from the date of the analysis you must refund it to the borrower if the amount is greater than or equal to $50. If the surplus is less than that amount, the refund can be paid to the borrower, or credited against the next year’s escrow payments.

Reg Z Thresholds and Updates § 1026.00– These changes are effective January 1, 2022. You should ensure they are available to staff or correctly hard coded in your systems:

  • For open-end consumer credit plans under TILA, the threshold that triggers requirements to disclose minimum interest charges will remain unchanged at $1.00
  • For open-end consumer credit plans under the CARD Act amendments to TILA, the adjusted dollar amount in 2022 for the safe harbor for a first violation penalty fee will increase to $30 and the adjusted dollar amount for the safe harbor for a subsequent violation penalty fee will increase to $41
  • For HOEPA loans, the adjusted total loan amount threshold for high-cost mortgages in 2022 will be $22,969.
  • The adjusted points-and-fees dollar trigger for high-cost mortgages in 2022 will be $1,148.
  • For qualified mortgages (QMs) under the General QM loan definition in § 1026.43(e)(2), the thresholds for the spread between the annual percentage rate (APR) and the average prime offer rate (APOR) in 2022 will be:
    • 2.25 or more percentage points for a first lien covered transaction with a loan amount greater than or equal to $114,847
    • 3.5 or more percentage points for a first lien covered transaction with a loan amount greater than or equal to $68,908 but less than $114,847
    •  6.5 or more percentage points for a first lien covered transaction with loan amount less than $68,908
    • 6.5 or more percentage points for a first lien covered transaction secured by a manufactured home with a loan amount less than $114,847
    • 3.5 or more percentage points for a subordinate-lien covered transaction with a loan amount greater than or equal to $68,908
    • 6.5 or more percentage points for a subordinate-lien covered transaction with a loan amount less than $68,908
  • For all categories of QMs, the thresholds for total points and fees in 2022 will be:
    • 3 percent of the total loan amount for a loan greater than or equal to $114,847
    • $3,445 for a loan amount greater than or equal to $68,908 but less than $114,847
    • 5 percent of the total loan amount for a loan greater than or equal to $22,969 but less than $68,908
    • $1,148 for a loan amount greater than or equal to $14,356 but less than $22,969
    • 8 percent of the total loan amount for a loan amount less than $14,356
  • For Higher Priced Mortgage Loans (HPMLs), the special appraisal requirement exemption amount will be $28,500
  • The consumer lease (Reg M) and consumer credit transaction (Reg Z) exemption thresholds will be $61,000.

BSA Annual Certifications – Your bank is permitted to rely on another financial institution to perform some or all the elements of your CIP under certain conditions.  The other financial institution must certify annually to your bank that it has implemented its AML program. Also, banks must report all blockings to OFAC within ten days of the event and annually by September 30, concerning those assets blocked as of June 30.

Information Security Program part of GLBA – Your bank must report to the board or an appropriate committee at least annually. The report should describe the overall status of the information security program and the bank’s compliance with regulatory guidelines. The reports should discuss material matters related to the program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management’s responses; and recommendations for changes in the information security program.

IRAs, IRS Notice 2002-27  If a minimum distribution is required from an IRA for a calendar year and the IRA owner is alive at the beginning of the year, the trustee that held the IRA on the prior year-end must provide a statement to the IRA owner by January 31 of the calendar year regarding the required minimum distribution.

Training – An actual requirement for training to be conducted annually is rare, but annual training has become the industry standard and may even be stated in your policies. There are six areas that require training (this doesn’t mean you don’t need other training, just that these regulations have stated requirements).

  • BSA (12 CFR §21.21(c)(4) and §208.63(c)(4) Provide training for appropriate personnel.
  • Bank Protection Act (12 CFR §21.3(a)(3) and §208.61(c)(1)(iii)) Provide initial & periodic training
  • Reg CC (12 CFR §229.19(f) Provide each employee who performs duties subject to the requirements of this subpart with a statement of the procedures applicable to that employee)
  • Customer Information Security found at III(C)(2) (Pursuant to the Interagency Guidelines for Safeguarding Customer Information), training is required. Many banks allow for turnover and train as needed, imposing their own requirements on frequency.)
  • FCRA Red Flag (12 CFR 222.90(e)(3)) Train staff, as necessary, to effectively implement the Program;)
  • Overdraft protection programs your bank offers. Employees must be able to explain the programs’ features, costs, and terms, and to explain other available overdraft products offered by your institution and how to qualify for them. This is one of the “best practices” listed in the Joint Guidance on Overdraft Protection Programs issued by the OCC, Fed, FDIC and NCUA in February 2005 (70 FR 9127, 2/24/2005), and reinforced by the FDIC in its FIL 81-2010 in November 2010.

Miscellany – Some miscellaneous items you may address internally in policies and procedures include preparation for IRS year-end reporting, vendor due diligence requirements including insurance issues and renewals, documenting ORE appraisals and sales attempts, risk management reviews, records retention requirements and destruction of expired records, and a designation by the bank’s board of the next year’s holidays. And last but not least, has there been a review of those staffers who have not yet taken vacation or “away time” to the five consecutive business days per the Oklahoma Administrative Code 85:10-5-3 “Minimum control elements for bank internal control program”?

New year, new rule – Computer-security incident notification

By Andy Zavoina

On November 18, 2021, there was a joint release by the OCC, FDIC and the Federal Reserve concerning a new rule intended to close a gap on computer-security incident reporting requirements. The new final rule does several things. Succinctly, a bank will have 36 hours to report certain computer related security incidents to its prudential regulator. That sounds like a tight time frame, and it is, but the 79-page final rule provides a lot more details. We will leave it to the group within your bank to slice and dice the details, but we wanted to give you a detailed overview of these new requirements so that it can be discussed intelligently and planned for accordingly.

As FDIC Chairman Jelena McWilliams put it, the rule “addresses a gap in timely notification to the banking agencies of the most significant computer-security incidents affecting banking organizations.” For many years banks have been tasked with reporting computer related security incidents to its regulator whether that be a formal requirement or in informal one. This final rule has a mandatory compliance date of May 1, 2022. Preparations for compliance will therefore be mixed with still working through the pandemic, the holiday season, CRA and HMDA scrubs and all things IRA and IRS. There is a lot to do in the next five months.

The new requirements are imposed not just on your bank to report to its federal regulator, but on certain of the bank’s service providers to report incidents to you. This allows the bank to then make a determination as to whether or not it must then in turn report up the food chain to its regulator, the OCC, FDIC or Fed.

So, let’s get to the nitty gritty.

When: The bank must notify its federal regulator as soon as possible and not later than 36 hours after determining a “notification incident” has occurred.

The rule separately requires your service providers to notify your bank as soon as possible when the service provider determines it has experienced “a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.”

You may be questioning the service provider’s timing requirement of “as soon as possible.” Read that to include a sense of urgency. The proposal wanted immediate notification but that is a very high benchmark and virtually impossible to follow. Timing is something the bank should discuss with its providers in advance, as well as whether there will be a designated point of contact with a back-up named, or if by default the contact is the chief executive or chief information officer or a comparable position.

What: The focus here is broadly described as “computer-security incident that materially disrupts or degrades, or is reasonably likely to materially disrupt or degrade, covered services provided by a bank service provider.”

The final rule attempts to partially synchronize the definition of a computer-security incident with an existing definition from the National Institute of Standards and Technology (NIST). The final rule defines “computer-security incident” as an occurrence that results in actual harm to an information system or the information contained within it.  Computer related incidents “may include major computer-system failures; cyber-related interruptions, such as distributed denial of service and ransomware attacks; or other types of significant operational interruptions.”

As defined in the final rule, a notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s: (i) ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or (iii) operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”

There is obviously a lot in the final rule, and it may depend on your actual involvement in the IT area as to how deep your role will go. There will obviously be several subject matter experts involved in the task of compiling a risk strategy prior to completing any policy and procedures for compliance with the rule.

Why: The bank is required to notify its regulator within such a short period because the intent is to promote early awareness of the threat and the fact that others in the industry may be subject to similar threats. If there is a broader risk, it must be immediately addressed. This is the same reason a service provider is required to notify its bank customer – so that the bank can determine the risk to itself and the banking customers. A notification from a service provider may trigger a bank’s notification to its regulator.

This is separate from the requirements on the bank to address potential exposure or the actual loss of customer information and the reporting requirements that are triggered from that.

Practical Application: The bank needs to define some critical examples of the incidents it could foresee and ensure that there is room for interpretation as technology and attacks on it vary and change with time. The service providers fitting into these critical roles are those subject to the Bank Service Company Act. You may refer to 12 USC 18 Bank Service Companies as well as FIL-49-99 Required Notification for Compliance with the Bank Service Company Ac and FIL-19-2019 Technology Service Provider Contracts for more on who is subject to the rule and the responsibilities of the parties involved. If not referenced in contracts with these service providers already, amended and future contracts may mandate notifications requirements for qualified incidents.

Of importance is defining the moment that the 36-hour window opens is when the bank determines that a notification incident has occurred. The proposal started this clock when there was a “good faith belief” so the bank will want to best define these terms based on the descriptions and examples in the final rule. It is recommended the bank use clear procedures to evaluate the risk of any system compromise or failure that qualifies.

Because the final rule is targeted toward an occurrence that results in actual harm to an information system or the information contained within it, material incidents such as systems failures and the ever-increasing threat of ransomware attacks are an instigator for these rules. If your bank has insurance against ransomware attacks you may incorporate procedures associated  with that with procedures for the new rules. Pay attention to the term “actual harm” as that was a key variation from the proposal. The NIST definition was broader and the regulators wanted to narrow the reportable incidents to those that actually occurred. The regulators expressed that the changes were made to “narrow the focus of the final rule to those incidents most likely to materially and adversely affect banking organizations.” One example was a large-scale distributed denial of service attack that disrupts customer account access for an extended period of time, meaning longer than four hours.

Foreclosure forbearance reminder

By Andy Zavoina

The CFPB is all about protecting consumers and that point was reiterated in a November 10, 2021, release, “CFPB Takes Action to Prevent Avoidable Foreclosures.”

The Bureau announced that working in concert with other agencies (the FDIC, NCUA, OCC and others) they were prepared to enforce the protections in place for families and homeowners who are at risk of losing their homes. Protections were put in place to provide alternatives to foreclosure, and there are an estimated one million home loans with forbearance programs put in place due to COVID-19 which are due to expire at the end of 2021.

CFPB Director Rohit Chopra  said, “Failures by mortgage servicers and regulators worsened the impact of the economic crisis a decade ago…. Regulators have learned their lesson, and we will be scrutinizing servicers to ensure they are doing all they can to help homeowners and follow the law.” The agencies mentioned above issued a joint statement in April 2020 advising they would relax enforcement of Reg. X because of the pandemic. The recent statement is clear that lenders and servicers have had ample opportunity to adapt and the requirements of Reg. X all apply at this time.

It reminds servicers there needs to be attention to the borrower’s needs. Borrowers need a meaningful chance at loss mitigation programs, not lip service. This means the servicer must have adequate staff to handle the accounts and to communicate to borrowers what may be available to them. There are many options available for streamlined loss mitigation programs and servicers should be familiar with what is available to qualified applicants. There should be consistency in who is communicating with a borrower and efforts to avoid unnecessary handoffs and disqualification from a program followed by option to start a new process for some alternative program with someone else.

Those borrowers ending a forbearance program should also be allowed to resume scheduled payments. Determine if most or all of any missed payments can be deferred to the end of the current Note obligation under a deferral agreement. If needed, explore options to modify an existing loan and lower their payments if necessary and if feasible. Lastly, in many areas it is a sellers’ market and it may be an option that allows them to lessen any loss of equity in their home.  Your efforts at avoiding foreclosure should be well documented.

It is recommended that a pre-foreclosure checklist be used to ensure all the banks records are in order before a home is put into a foreclosure process. Document efforts to avoid foreclosure, to find loss mitigation programs, modifications available, deferral amounts and the borrower’s ability to maintain any restructuring that could be done. Then verify that all the bank’s disclosures required for the loan (think TRID and Reg B) were complete and accurate. If there are any deficiencies, consider how material they may be and if a plaintiff’s attorney could take advantage of them. Then, and only then, act accordingly.

 

November 2021 OBA Legal Briefs

  • Don’t ignore the FDCPA regulation coming November 30 (Part 1)
  • New Stuff on Legal Links

Don’t ignore the FDCPA regulations

By John S. Burnett
The Consumer Financial Protection Bureau’s revisions to Regulation F become effective on November 30, 2021, less than a month from now. While on their face the rules in Reg F will apply to debt collectors who collect debts owed to other parties, there is plenty to be concerned about in the Fair Debt Collection Practices Act itself and in revised Reg F for first-party creditors, including banks, who handle their collection of debts owed to them in-house.

But first, some background.

The current rule

Until May 3, 2021, the current CFPB regulation implementing the Fair Debt Collection Practices Act (FDCPA, 15 U.S.C. 1692 et seq.) did not actually implement the statute. As originally written, the FDCPA did not provide for implementing regulations at all. Instead, the Federal Trade Commission was given enforcement authority, and any violation of the FDCPA was deemed an unfair or deceptive act or practice (UDAP) in violation of the Federal Trade Commission Act. The Federal Reserve Board, Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation were given enforcement powers under the Federal Deposit Insurance Act, and the National Credit Union Administration was assigned enforcement responsibilities under the Federal Credit Union Act. Similar enforcement powers were granted to the Secretaries of Transportation and Agriculture.

Until May 3, 2021, 12 CFR Part 1006 (Regulation F), dealt only with procedures and criteria for states to apply to the Bureau for exemption of a class of debt collection practices within the applying state from the provisions of the FDCPA.

Subpart B added

On April 22, 2021, the CFPB published an interim final rule to add Subpart B to the regulation, with § 1006.9 (Debt Collection Practices in Connection with the Global COVID-19 Pandemic), which became effective May 3, 2021. This addition was made without the usual proposal, comment period, and final rule steps required under the Administrative Procedures Act due to the immediacy of the concerns the new section was issued to address.

Section 1006.9’s purpose is “to eliminate certain abusive debt collection practices by debt collectors related to the global COVID-19 pandemic, to ensure that debt collectors who refrain from using such abusive debt collection practices are not competitively disadvantaged, and to promote consistent State action to protect consumers against such debt collection abuses.” It remains effective during the effective period of the order issued by the Centers for Disease Control and Prevention titled Halt in Residential Evictions to Prevent the Further Spread of COVID–19 (86 FR 16731 (Mar. 31, 2021)), as extended. That order has expired, so Section 1006.9 is no longer effective.

The CFPB overhaul of Reg F

The Consumer Financial Protection Act of 2010 (CFPA, 12 U.S.C. 5561 et seq.), the portion of the Dodd-Frank Act that gave life to the Consumer Financial Protection Bureau and transferred the authority and responsibility for issuing regulations under a number of consumer protection statutes, included the FDCPA among the statutes for which the Bureau “may prescribe rules with respect to the collection of debts by debt collectors.”

The CFPB also has rulemaking authority to issue regulations for providers of financial products and services with regard to activity deemed by the Bureau to be “unfair, deceptive or abusive acts or practices” (UDAAP).

In May 2019, the Bureau issued proposed rules to implement provisions of the FDCPA. See 84 FR 23274. There was a comment period of 90 days.

The Bureau followed by issuing two final rules. The first (see 85 FR 76734 published on November 30, 2020 completely revised and reissued Regulation F, moving the existing provisions on state exemption applications to a new § 108 in a new Subpart D and new Appendix A. The second rule (see 87 FR 5766 published on January 19, 2021, finalized required disclosures by debt collectors and prohibited threats of suits or suits to collect time-barred debts under applicable statutes of limitations. The second rule also requires certain actions by debt collectors before furnishing information on a consumer’s debt to a consumer reporting agency.

Effective dates

Both of these final rules were to take effect on November 30, 2021. However, on April 19, 2021, the Bureau proposed delaying that date 60 days, to January 29, 2022. That proposal was withdrawn on July 30, 2021, leaving the effective date on November 30, 2021.

Frequently asked questions released

On October 1, 2021, the Bureau released frequently asked questions on limited-content messages and the call frequency provisions in the Debt Collection Rule. On October 29. 2021, additional FAQs were added to that document to address the validation information provisions in the Rule. As the Bureau compiles additional FAQs on the Rule, they will add them to the current FAQ document. You should check the link periodically to ensure you have the most current guidance from the CFPB.

Structure of the rule

The Regulation is set out in four subparts and three appendices (and Official Interpretations)—

• Subpart A includes the usual references to the legal authority for the regulation, its purpose and coverage. Persons covered by the rule include debt collectors, as defined in § 1006.2, except for motor vehicle dealers that are predominately engaged in the sale and/or leasing and servicing of motor vehicles.

• Subpart B comprises the substantive provisions of the regulation, providing rules for debt collectors. Much of this section of the rule focuses on communications.

• Subpart C is reserved.

• Subpart D includes miscellaneous requirements such as record retention, the relationship of the rule to state laws, and the provisions for state applications for exemption from portions of the regulation (due to similar state law requirements).

• Appendix A includes more detailed information and requirements for states seeking exemptions from portions of the regulation

• Appendix B includes Model Forms for compliance with the regulation

• Appendix C addresses the Bureau’s issuance of advisory opinions concerning the regulation (one such opinion was published at 81 FR 71977 on October 19. 2016

• Supplement I comprises Official Interpretations of the regulation by the CFPB. In the BankersOnline.com Regulations pages for Regulation F, these interpretations are broken out and included after the sections or paragraphs of regulatory text they interpret.

Applicability: “Debt collector”

Section 1006.2(a)(1) defines the term debt collector as “any person who uses any instrumentality of interstate commerce or mail in any business the principal purpose of which is the collection of debts, or who regularly collects or attempts to collect, directly or indirectly, debts owed or due, or asserted to be owed or due, to another. … the term debt collector includes any creditor that, in the process of collecting its own debts, uses any name other than its own that would indicate that a third person is collecting or attempting to collect such debts. For purposes of § 1006.22(e), the term also includes any person who uses any instrumentality of interstate commerce or mail in any business the principal purpose of which is the enforcement of security interests.”

Does that make your bank a debt collector? It’s clear that if your bank does collection work on debts owed to someone else, your bank is a debt collector subject to the regulation. There are some technical exceptions, which we’ll review in a moment. Does your bank, when collecting its own debts, use any name other than its own in its communications that might suggest it is using a third person to collect its debts? If so, the language in bold text in the definition above should concern you, because using that other name pulls the bank directly under the regulation’s requirements.

What are the exceptions? Paragraph 1006.2(it)(2) lists exceptions to the debt collector definition.

(i) Any officer or employee of a creditor while the officer or employee is collecting debts for the creditor in the creditor’s name;

(ii) Any person while acting as a debt collector for another person if:

(A) The person acting as a debt collector does so only for persons with whom the person acting as a debt collector is related by common ownership or affiliated by corporate control; and

(B) The principal business of the person acting as a debt collector is not the collection of debts;

(iii) Any officer or employee of the United States or any State to the extent that collecting or attempting to collect any debt is in the performance of the officer’s or employee’s official duties;

(iv) Any person while serving or attempting to serve legal process on any other person in connection with the judicial enforcement of any debt;

(v) Any nonprofit organization that, at the request of consumers, performs bona fide consumer credit counseling and assists consumers in liquidating their debts by receiving payment from such consumers and distributing such amounts to creditors;

(vi) Any person collecting or attempting to collect any debt owed or due, or asserted to be owed or due to another, to the extent such debt collection activity:

(A) Is incidental to a bona fide fiduciary obligation or a bona fide escrow arrangement;

(B) Concerns a debt that such person originated;

(C) Concerns a debt that was not in default at the time such person obtained it; or

(D) Concerns a debt that such person obtained as a secured party in a commercial credit transaction involving the creditor; and

(vii) A private entity, to the extent such private entity is operating a bad check enforcement program that complies with section 818 of the Act.

Consider paragraph (ii) in bold print in that list. Can a holding company or affiliate do debt collection on behalf of its subsidiary banks or other affiliates? It would seem so, but the exemption would not apply if the affiliate’s principal business is debt collection.

Be wary of the reach of UDAAP

Any violation – by anyone collecting debts – of the requirements of Regulation F can be deemed an Unfair, Deceptive, or Abusive Act or Practice (UDAAP), even when the person doing the debt collection is collecting its own debts.

Prior to Dodd-Frank in 2010, the FTC primarily enforced the FDCPA and UDAP and there was often a cross-over. The FTC reported common tactics debt collectors would use included telling a debtor they had committed a crime like check fraud, and unless they paid the debt, they could be arrested, be sued, have their wages garnished and go to jail. Many collectors harassed debtors, even after being provided with evidence that the debts had already been paid off. Some would illegally contact family, friends, and employers about the past due debts. So, the final rule is very much about communications in connection with debt collection and prohibitions on harassment or abuse, false or misleading representations, and unfair practices in debt collection.

Let’s connect the dots. If your bank did something deemed unfair or abusive in the way it communicated with a borrower, and the FDCPA or Regulation F said it was a UDAAP issue, could an examiner say the bank, while not subject to FDCPA, is subject to UDAAP/UDAP and it did something categorized as a UDAAP/UDAP violation? It’s easy to see that connection.

And, of course, there is the always-present requirement for vendor due diligence if the bank has a third party collecting debts owed to the bank.

Some definitions

Attempt to communicate means any act to initiate a communication or other contact with any person through any medium, including by soliciting a response from such person. This is very broad and is all encompassing. It also includes “limited content messages” which is a defined term defined a few paragraphs below.

The act of initiating communication or contact about a debt is an attempt regardless of whether it is successful. Example – you dial the number of a past due borrower. Whether or not you reach them, that is logged as an attempt.

Communicate or communication means conveying information about a debt directly or indirectly to any person through any medium. Leaving a “limited content message” is not “conveying information.” Similarly communicating something such as a marketing message is not conveying information as it is not debt related.

Debt is any obligation of a consumer to pay money arising from a transaction in which the money, property, insurance, or services are primarily for personal, family, or household purposes.

Limited-content message means a message for a consumer that includes all of the content in (j)(1) and may include any of the optional content described in (j)(2), and it includes no other content.

(1) Required content. …includes all of the following:

(i) The caller’s business name which is not indicative that this is a debt collection call

(ii) A request that the consumer reply to the message;

(iii) The name of a person or persons whom the consumer can contact in reply;

(iv) A telephone number the consumer can use for the reply:

(2) Optional content. In addition to the content described, you may include one or more of the following:

(i) A salutation;

(ii) The date and time of the message;

(iii) Suggested dates and times for the consumer to reply to the message, and

(iv) A statement that the return call they can speak to any rep from the company.

These limited content messages may really come into play on voicemails. They are not “communications” which, as you will see, come with frequency limitations. A call to a third party is not a limited content message because it isn’t to the debtor, such as to a “will call” who accepts messages. This is ok to the debtor – “This is Andy Zavoina calling from Last National Bank. Please contact me or John Burnett at 1-800-555-1212.”

Consumer – any natural person, whether living or deceased, obligated or allegedly obligated to pay any debt. For purposes of § 1006.6 – Communications, the term consumer includes “persons” (and see below).

Persons is broad and includes natural persons, corporations, companies, associations, firms, partnerships, societies, and joint stock companies.
For purposes of this section (on Communications), the term consumer includes:

(1) The consumer’s spouse;
(2) The consumer’s parent, if the consumer is a minor;
(3) The consumer’s legal guardian;
(4) The executor or administrator of the consumer’s estate, if the consumer is deceased;
and
(5) A confirmed successor in interest, as defined in Regulation X, 12 CFR 1024.31, and Regulation Z, 12 CFR 1026.2(a)(27)(ii).

Communications

Communications with the consumer in general

We will discuss some exceptions in a moment, but there are restrictions in contacting a consumer.

§ 1006.6(b) says a debt collector must not communicate or attempt to communicate with a consumer to collect a debt as prohibited by paragraphs (b)(1) through (3):

(1). Prohibits collection communication with a consumer based on time and place that is:

(i) At any unusual time, Unless the collector knows different based on a schedule, before 8:00 a.m. and after 9:00 p.m. local time to the consumer is inconvenient;

There have been complaints when a cell phone is called, and the consumer is now in a different time zone. These cases place the burden on the collector to know where the consumer is. It is difficult and courts have not allowed much latitude.

(ii) At any unusual place, or at a place that the collector knows or should know is inconvenient.

It may have been mentioned not to call at a time when the consumer says he’ll be in a meeting, or during a religious service or funeral the collector knows the consumer will be at.

(2) Except as provided in paragraph (b)(4) [below]…, a debt collector must not communicate or attempt to communicate with a consumer in connection with the collection of any debt if the debt collector knows the consumer is represented by an attorney with respect to such debt and knows, or can readily ascertain, the attorney’s name and address, unless the attorney:

(i) Fails to respond within a reasonable period of time to a communication from the debt collector; or

(ii) Consents to the debt collector’s direct communication with the consumer.

(3). A collector must not communicate or attempt to communicate with a consumer in connection with the collection of any debt at the consumer’s place of employment, if the collector knows or has reason to know that the employer prohibits the consumer from receiving the communication.

Places like a plant, for example, have employees working assembly lines. It can be a big deal to have someone’s work interrupted to come to a telephone. The consumers employment could be in jeopardy. Typically, if the employee tells you not to call at work, you must oblige. If you know the employer’s policy is to restrict such calls, don’t call.

If the consumer requests they not be contacted at work, they generally cannot be but can be asked how and when they should be contacted. Under 1006.22(f)(3) – “Unfair or unconscionable means” prohibits sending an email to an address that the collector knows is provided by the consumer’s employer. There are some nuances that allow this if the consumer has used it with you on the debt. That’s under 1006.22(f)(3). [More on emails later.]

Exceptions to the prohibitions on contact

Section 1006.6(b)(4) includes a couple of exceptions to the prohibitions on time, place, attorney and employer prohibitions in §§ 1006.6(b)(1) – (3). The prohibitions do not apply in the case of (1) prior consent from the consumer given directly to the debt collector during a communication that was not in violation, and (2) with the express permission of a court.

Refusal to pay or “cease communication” notice

Section 1006.6(c)(1) provides that, with limited exceptions, if a consumer notifies a debt collector in writing that the consumer refuses to pay a debt or that the consumer wants the debt collector to cease further communication with the consumer, the debt collector must not communicate or attempt to communicate further with the consumer with respect to such debt.

What are the exceptions?

This prohibition does not apply with a debt collector communicates or attempts to communicate further with respect to the debt—

(i) To advise the consumer that the debt collector’s further efforts are being terminated

(ii) To notify the consumer that the debt collector or creditor may invoke specified remedies that the debt collector or creditor ordinarily invokes

Do not make idle threats, but if repossession or foreclosure may be a remedy and it is used by the debt collector or creditor, you may indicate it will be considered. Small claims suits can also fit here.

(iii) Where applicable, to notify the consumer that the debt collector or creditor intends to invoke a specified remedy.

For example, if you must send a notice of intent to foreclose or repossess, it is allowed here.

Mortgage servicing exceptions.

The Official Interpretations to § 1006.6(c)(2) indicate that the written early intervention notice required by 12 CFR 1024.39(d)(3) falls within the exceptions to the cease communication provision. They also indicate that mortgage servicers who are subject to the FDCPA with respect to a mortgage loan is not liable under the FDCPA for complying with certain servicing rule provisions, including requirements to provide a consumer with disclosures regarding the forced placement of hazard insurance as required by 12 CFR 1024.37, a disclosure regarding an adjustable-rate mortgage’s initial interest rate adjustment as required by 12 CFR 1026.20(d), and a periodic statement for each billing cycle as required by 12 CFR 1026.41.

Prohibitions on communications with third parties

Section 1006.6(d)(1) includes a general prohibition on debt collector communications with third parties. Communications about the debt must only be with—

i. The consumer
ii. The consumer’s attorney
iii. A consumer reporting agency, if otherwise permitted by law
iv. The creditor
v. The creditor’s attorney, or
vi. The debt collector’s attorney

Exceptions: Section 1006.6(d)(2) includes these exceptions from those restrictions:

(i) For the purpose of acquiring location information, as provided in § 1006.10 (home address and telephone and place of employment)
(ii) With the prior consent of the consumer given directly to the debt collector;
(iii) With the express permission of a court of competent jurisdiction; or
(iv) As reasonably necessary to effectuate a post-judgment judicial remedy.

A case in point: the Eleventh Circuit Court of Appeals has held that a debt collector (as defined under the FDCPA) who transmits debtor information to a third party violates section 1692c(b) of the FDCPA, which prohibits debt collectors from communicating consumers’ personal information to third parties “in connection with the collection of any debt.” Hunstein v. Preferred Collection & Management Services, Inc., 994 F.3d 1341 (11th. Cir. 2021). If your bank farms out some of its collections to third-party collectors, part of your vendor due diligence should be verifying that the third party doesn’t contract out any part of that effort, including mailing services, etc.

Full disclosure: The Eleventh Circuit’s holding was made by a three-judge panel, from which one of the judges dissented. It is only binding in the states of Alabama, Florida, and Georgia, and the case was remanded back to the District Court to determine whether any unauthorized disclosure actually occurred, and whether the plaintiff is entitled to damages. Other cases involving debt collectors sharing debtor information with third parties are being brought in both federal and state courts. The issue should not be considered settled.

Communications via email and text

Sections 1006.6(d)(3) and (4) permit debt collectors to communicate with a debtor using an email address or phone number (for text messaging) recently used by the debtor regarding the debt unless the debtor subsequently opted out of using that address. But the debt collector may not use an email address or phone number that the debt collector knows has led to a prohibited disclosure of information. The debt collector must have procedures to ensure their use of email or text messaging remains compliant.

A collector who uses a specific email address, telephone number for text messages, or other electronic-medium address of a consumer must include in each such message a clear and conspicuous statement describing a reasonable and simple method by which the consumer can opt out of further electronic communications by the collector to that address or number. The collector may not require, directly or indirectly, that the consumer pay any fee to the collector or provide any information other than the consumer’s opt-out preferences and the email address, telephone number for text messages, or other electronic-medium address they do not want contact thru.

Assume that a debt collector sends a text message to a consumer’s mobile telephone number. The text message includes the following instruction: “Reply STOP to stop texts to this telephone number.” Assuming that it is readily noticeable and legible to consumers, this instruction constitutes a clear and conspicuous statement describing a reasonable and simple method to opt out.

Harassing, oppressive, or abusive conduct
Under § 1006.14(a) there is a general rule of conduct:
“A debt collector must not engage in any conduct the natural consequence of which is to harass, oppress, or abuse any person in connection with the collection of any debt, including, but not limited to, the conduct described in paragraphs 1006.14(b) through (h).”

b) Phone calls: Repeated or continuous calls prohibited. A collector violates this prohibition by placing a telephone call to a particular person in connection with collection of a particular debt either more than seven times within seven consecutive days, or within a period of seven consecutive days after having had a telephone conversation with the person in connection with the collection of that debt (the date of this conversation is the first day of the seven-day period).

Student loan debts: The term “particular debt” means all student loan debts that a consumer owns or allegedly owes that were serviced under a single account number at the time the debts were obtained by a debt collector.

Exclusions from frequency limits: Calls placed to a person do not count toward the frequency limits if they are (1) made with the person’s prior consent given directly to the debt collector within the last seven days; (2) not connected to the dialed number; or (3) with the consumer’s attorney, the creditor’s attorney, or the collector’s attorney.

Unconnected calls: A debt collector’s telephone call does not connect to the dialed number if, for example, the debt collector receives a busy signal or an indication that the dialed number is not in service. Conversely, a telephone call placed to a person counts toward the telephone call frequencies described in § 1006.14(b)(2)(i) if it connects to the dialed number, unless an exclusion in § 1006.14(b)(3) applies. A debt collector’s telephone call connects to the dialed number if, for example, the telephone call is answered, even if it subsequently drops; if the telephone call causes a telephone to ring at the dialed number but no one answers it; or if the telephone call is connected to a voicemail or other recorded message, even if it does not cause a telephone to ring and even if the debt collector is unable to leave a voicemail. [Comment 14(b)(3)(ii)-1]

c) Violence: A collector must not use or threaten violence or harm to a person, their reputation or property

d) Obscene language: A collector must not use obscene language or language deemed abusive to the listener or reader.

e) Debtor’s list: A collector must not publish a list of consumers who refuse to pay debts, except to a consumer reporting bureau

f) Coercive advertisements: A collector must not advertise for sale any debt to coerce payment of the debt.

g) Meaningful disclosure of identity: A collector must not place phone calls without meaningfully disclosing the caller’s identity, except as provided in § 1006.10 [when communicating with a person other than the consumer for the purpose of acquiring location information].

h) Prohibited communication media: Communication is prohibited with a consumer through a medium if the consumer has requested that it not be used. However, a collector may ask follow-up questions regarding preferred media to clarify statements by the person
If a consumer opts out in writing of receiving electronic communications from a collector, the collector may send a confirmation the consumer’s request to opt out, provided that the reply contains no information other than a statement confirming the consumer’s request;
If a consumer initiates contact with a debt collector using an address or a telephone number that the consumer previously said not to use, the collector may respond once using that. Or

If otherwise required by law, a collector may communicate about the collection of any debt through a medium of communication that the person has requested they not use [think required periodic statements].

To be continued

Our discussion of the new FDCPA regulation will conclude in our December 2021 Legal Briefs.

New stuff on Legal Links

By Pauli D. Loeffler

In response to legislative changes (see August, September, and October Legal Briefs), new and updated information and forms have been added to the OBA’s Legal Links web page under the Templates, Forms, and Charts. You will need to create an account through the My OBA Member Portal to gain access if you have already done so.
In response to the changes under Banking Code § 901, there is a summary of how PODs are paid based on whether the POD designations were made before November 1, 2021, as well as those made on and after that date.

With amendments to § 906 which deals with the use of an Affidavit of Heirs for deposits when there are no PODs, there is a new Affidavit form that incorporates statutory language regarding probates as well as an optional Indemnity and hold harmless clause.

Under the Miscellaneous subsection, there are links to all the statutes for both the Power of Attorney Act in Title 58 and for the Statutory Form Power of Attorney Act in Title 15. I have also provided a Power of Attorney Checklist you may find helpful when the bank receives a POA.

October 2021 OBA Legal Briefs

  • Regulatory priorities
  • Consumer complaints
  • 2021 OK legislation—Part III
    • OK Banking Code
    • Judgment liens
    • Motor Vehicles
    • OK Tax Code
    • OK POA Act—Part II
    • Uniform Consumer Credit Code (“U3C”) § 3-508A
    • Uniform Interstate Depositions and Discovery Act of 2021

 

Regulatory Priorities

By Andy Zavoina

You spend your days preparing for meetings, going to meetings, auditing your bank for various compliance topics, and answering questions about what can and cannot be done, and that is all before lunch. We understand you are busy, and your time is limited. Still, one of the issues you must address is forecasting changes that impact your bank and part of this is what the regulators’ priorities are. We watch what Congress and the agencies are doing and proposing and want to take time this month to condense a few of these potential issues before you commit to budgets and audit schedules and all those “next year” things that are about to happen to you in the weeks to come.

As to priorities, the regulatory agencies have a focus on fair lending and equal access to credit. Let me first mention a potential addition to Reg. B and the Equal Credit Opportunity Act (ECOA). HR 166, short titled “Fair Lending for All Act” is intended to clarify, if not expand, protected classes under the ECOA by adding specificity that, (i) sexual orientation, (ii) gender identity, and (iii) location based on zip code or census tract, are also protected classes under the ECOA.

Be sure to also read the section on the Consumer Financial Protection Bureau’s (CFPB) analysis of complaints as it specifically correlates race to census tract to types of complaints submitted. These are fair lending issues and is the first time the CFPB has done such an in-depth review and used census data to get there. Census data will play a larger role in more Reg B changes as well.

CFPB acting Director David Uejio said earlier this year that the CFPB had a new focus and priorities. He said, “I am going to elevate and expand existing investigations and exams and add new ones to ensure we have a healthy docket intended to address racial equity.” He went on, “This of course means that fair lending enforcement is a top priority and will be emphasized accordingly. But we will also look more broadly, beyond fair lending, to identify and root out unlawful conduct that disproportionately impacts communities of color and other vulnerable populations.” He also appeared in a CFPB produced video in which he said, “the CFPB will take action against institutions and individuals whose policies and practices prevent fair and equal access to credit or take advantage of poor, underserved, and disadvantaged communities.”

Acting Director Uejio is not alone; Acting Comptroller of the Currency Michael J. Hsu said, “There is no place for discrimination in the federal banking system,” and added, “The OCC will use the full force of our authority to correct fair lending violations with our supervisory and enforcement tools, including civil money penalties, cease and desist orders, and requiring restitution for customers harmed as a result of any discriminatory practices.”

The Federal Trade Commission took enforcement actions last year in one case requiring $1.5 million in refunds. This was the first time the FTC had charged an auto dealer with illegal racial discrimination said FTC Commissioner Rohit Chopra. Yes, this Commissioner is the incoming CFPB director now that his nomination has been confirmed by the Senate. One would reasonably believe that Chopra and Uejio have shared information as well as objectives and goals.

The OCC recently joined with the Department of Justice in taking actions against Cadence Bank for fair lending discrimination issues which resulted in a $3 million penalty and pledge to invest $5.5 million to increase credit opportunities in some Houston areas (think census tracts) that are predominantly Black and Hispanic neighborhoods.

While fair lending changes are projected, increased enforcement has already begun.

Another change to Reg B is out for comment. Section 1071 of the Dodd-Frank Act requires banks to collect, maintain and report to the CFPB, data on credit applications made by women-owned, minority-owned, and small businesses. This has been a slow-moving change but is now becoming a reality. The Bureau’s 1,000-page proposal will require many small business lenders to essentially collect LAR-like data you are accustomed to under HMDA and CRA for these small business loans when criteria are met. It will also restrict access to certain parts of the information, require recordkeeping and retention as well as publication of the collected data. While a potentially huge undertaking for small business lenders, this rule has some issues and conflicts to resolve and will be finalized within 18 months after its 10/8/2021 publication in the Federal Register . The CFPB is also proposing a transitional period permitting collection of the data such as the owners’ ethnicity, race, and sex and this could extend the required implementation to 2025.

If you are thinking that allows three years, yes, that is the way it looks now. But like the 2018 HMDA overhaul, preparations should begin when you know what you will have to address and that should start in 2022. Monitoring the bank’s lending activity to small business and the minimum thresholds in the final rule may put a bank into or outside data collection requirements.

Consumer Complaints

By Andy Zavoina

On September 23, 2021, the CFPB issued a report, “Consumer complaints throughout the credit life cycle, by demographic characteristics.” We know that complaint management is crucial to your compliance management program as complaints are critical in detecting and resolving issues before they become UDAP, fair lending or other compliance issues. Think of complaint resolution as a way to “nip it in the bud” and avoid a problem from becoming a pattern or practice.

This report used one million complaints from 2018 to 2020 and matches complaints to census tracts, and then uses census tract data to assimilate demographics of the complainant. What was deduced was that complaints from wealthier communities and communities with higher percentages of white, non-Hispanic residents complained about loan origination and performing servicing, and complaints from communities of color and lower income communities complained about credit reporting, identity theft, and delinquent servicing.

Complaints may then be categorized by type, to income and race, based on this methodology. CFPB Acting Director Dave Uejio said, “Our consumer complaint data is a crucial tool for understanding varying consumer experiences, including across racial and economic divides.”

Additional general findings were that:

  • Loan origination complaints increased 50% during the year, driven by higher-income areas with fewer people of color.
  • Areas with the highest share of whites complain twice as much as predominantly Black areas.
  • Predominantly Black areas complain twice as much (per resident) as others.
  • Lower income census tracts submit 30% more complaints per resident.

One reason this is important in my mind relates to the recent action by HUD to rescind the 2020 rule on disparate impact which will make it easier to “prove” discrimination exists based on generalizations. Disparate impact is one method used to show evidence of lending discrimination under ECOA and the Fair Housing Act. The methodology is controversial because it allows a person to claim a fair lending violation when a neutral practice is applied uniformly to all applicants but has a discriminatory effect on a prohibited basis. Could one connect the dots between complaints, income and race that then lead to Reg B – ECOA violations of equal treatment?

Action Items:

1) Stay abreast of the bills and proposals pending. Comment on them when it is of interest to your bank. Be aware of changes and how they impact your operations.

2) As changes are made, keep your policies and procedures current to new requirements. Even if changes are not necessary, document your review so any auditing will see that they are current.

3) Remember that fair lending starts with advertising and flows through the loan process, servicing, and collections. In the last year we have seen big enforcement penalties based on poorly crafted advertising and we see complaints on servicing and credit reporting.

4) Train staff to be aware, ultra-aware of lending issues and complaints and to treat all of them equally and thoroughly as a lending issue may more easily be deemed a fair lending issue today.

2021 OK legislation – Part III

By Kelsey Hull

Hello! My name is Kelsey Hull, and I am an extern for the Oklahoma Bankers Association for the fall semester. I’m currently in my last year at Oklahoma City University School of Law. My hometown is Waynoka, Oklahoma, and I hold a bachelor’s degree in International Studies from the University of Oklahoma. I’m very grateful for the opportunity to write this article, and I hope you find it helpful.

OK Banking Code

Title 6 O.S. § 908. This new section of the Banking Code covers Savings Promotion Raffles. In 2014, Congress passed the American Savings Promotion Act, and Andy Zavoina wrote about the Act in the March 2015 OBA Legal Briefs, which you can access online. While the federal Act excluded these raffles from being an illegal lottery under federal law, it was up to each state to enact legislation to allow these raffles under state law. See Can Contests Help Fill Americans’ Savings Gap?, Pew Charitable Trusts (Nov. 9, 2018); Caroline Ratcliffe, et. al., Evidence-Based Strategies to Build Emergency Savings, Consumer Financial Protection Bureau (July 2020).

Effective November 1, 2021, Oklahoma banks and credit unions may begin offering savings promotion raffles under § 908:

As used in this section, the term “savings promotion raffle” means a contest in which the sole consideration required for a chance of winning designated prizes is obtained by the deposit of a specified amount of money in a savings account or other savings program and each ticket or entry has an equal chance of being drawn, with such contest being subject to regulations that may from time to time be promulgated by the bank’s or credit union’s primary regulator. Oklahoma banks and credit unions are authorized to offer savings promotion raffles.

The only difference between Oklahoma’s Section 908 and the federal Act is in the last sentence. In the federal Act, the last sentence ends by saying “…to be promulgated by the appropriate prudential regulator (as defined in section 1002 of the Consumer Financial Protection Act of 2010 (12 U.S.C. 5481)).” In Oklahoma’s statute, it refers to the bank’s or credit union’s primary regulator.

If any questions remain as to whether saving promotion raffles are lotteries, the definition of “lottery” was changed under 12 U.S.C §25A in 2014, specifically excluding such raffles: “The term ‘lottery’ includes any arrangement, other than a savings promotion raffle…”

Judgment liens

Title 46 O.S. § 15 (Mortgage Code) and Title 36 O.S. § 5008 (Insurance Code). Bankers may recall that Title 47 of the Mortgage Code § 15 requires the release of mortgage be recorded within 30 days after the debt has been paid. If the release is not timely recorded, the mortgagor or the title insurer may demand release, and the mortgagee has 10 days to record the release or face penalties. Beginning 11/1/21 this section will apply to judgment lien holders as well as mortgagees.

Title 36 O.S. § 5008 in the Oklahoma Insurance Code provides that If a mortgagee fails to execute and deliver a release of mortgage to the mortgagor or designated agent of the mortgagor within sixty (60) days after the date of receipt of payment of the mortgage in accordance with a payoff statement provided by the mortgagee or servicer, an authorized officer of a title insurance company or its duly appointed agent may execute and record an affidavit with the county clerk where the real property is located on behalf of the mortgagor or a transferee of the mortgagor together with documentation of the payment. Effective 11/1/21, this section will also apply to judgment liens.

Motor vehicles

Title 47 O.S. § 1110 Perfection of Security Interest

Effective November 1, 2021, the following new provision is added under subsection A:

  1. When there is an active lien from a commercial lender in place on a vehicle, motor license agents shall be prohibited from transferring the certificate of title on that vehicle until the lien is satisfied.

Title 47 O.S. § 427A.  Electronic filing of certificates of title, liens, assignments, and releases. This is a new law under Title 47—Motor Vehicles, which takes effect November 1, 2021. The central idea of this law is the creation of an electronic filing, storage, and delivery of motor vehicle title certificates program. Additionally, the program allows the perfection, assignment, and release of a lien by a lienholder through electronic means rather than paper documents. This program will start on or before July 1, 2022. A qualified system developer will help with providing and accessing the necessary software and equipment to actually implement this digital transformation. However, this new system will only affect applications filed after June 30, 2022. Okla. Stat. Tit. 47, § 427A Sec. A.

Section B of the statute covers various procedures that are available for the program, although the list is nonexclusive.  Okla. Stat. tit. 47, §1105A(B)(1)-(6). First up on the list is delivery of a certificate of title. If a party chooses to use the electronic route, the certificate need only be issued or printed upon the satisfaction of the last lien. The next two examples regard the service provider, and basically say that the vendor will be qualified and charge reasonable fees. In the fourth example, the statute states that the program will allow access to electronic records of the filed items. Part five allows motor license agents to participate in the program and for their receipt of all fees provided by the Oklahoma Vehicle License and Registration Act. Finally, the program accepts electronic or digital signatures.

Section C concerns definitions, which match with those listed throughout the existing statutes in sections 1101 and beyond.

Section D addresses the validity of the documents created, stored, or delivered through the program. All the documents are in fact valid, even with scanned or electronic signatures. As long as the document is a certified copy of the Oklahoma Tax Commission’s electronic record, it will be admissible in court proceedings, if needed.

Section E deals with financing the program. Essentially, the Tax Commission can spend the necessary funds needed to implement the program.

Finally, section F allows the Tax Commission to consult third parties specifically including the Oklahoma Bankers Association to help with the program’s development.

Tax Code

Title 68 O.S. § 2370. This section is amended for taxable years beginning after December 31, 2021. The Oklahoma privilege tax of doing business within Oklahoma for state banking associations, national banking associations and credit unions organized under the laws of this state, located or doing business within the limits of the State of Oklahoma is reduced from the rate of 6% to 4% of the amount of the taxable income.

Title 68 O.S. § 2370.1. This section of the Oklahoma Tax Code is amended effective January 1, 2021, with regard to credit for SBA guaranty of 7(a) program loans. The new timeframe for these credits will be on or after January 1, 2022, and before January 1, 2025.

 Oklahoma POA Act – Part II

By Pauli D. Loeffler

I need to correct a statement made in the newspaper and email versions of the September 2021 OBA Legal Briefs indicating that some but not all the sections under the Durable Power of Attorney Act (“DPOA Act”) were repealed. In fact, all sections (Title 58 O.S. §§ 1071 – 1077) are repealed effective November 1, 2021. How does this affect DPOAs executed prior to November 1, 2021?

Appointment of guardian. Does appointment of a guardian terminate powers granted an AIF under a DPOA? The appointment of a guardian does not automatically revoke the DPOA under either ACT. § 1074 of the old DPOA Act and § 3008 of the new POA Act are similar but not identical. Under both Acts, the principal may nominate a guardian or conservator in the DPOA, and the court shall appoint such person unless s/he is disqualified or for good cause shown.  The AIF is accountable to both the principal and the guardian. The main difference between the two Acts is that under § 1074 (old), the guardian had the power to revoke or amend the DPOA, while under § 3008 (new) the AIF’s authority continues unless limited, suspended or terminated by the court. Note that if the POA is not durable, the powers granted the AIF terminate.

If the AIF under a non-durable POA has no actual knowledge that a guardian has been appointed, actions of the AIF on behalf of the principal are binding. This is true under § 1075 of the DPOA Act and under § 3010 of the new POA Act. On the other hand, even if the AIF does not know of the guardianship, if the bank has actual knowledge that a guardian has been appointed, if the bank allows the transaction under a non-durable POA, it may be liable.

Appointment of Rep Payee or Federal Fiduciary. Neither the Social Security Administration nor the Veteran’s Administration will accept a POA/DPOA. There is a presumption that every beneficiary is capable of handling his or her own money, and the appointment of a Rep Payee does not carry the same notice and hearing requirements as a guardianship. The question of whether appointment of a rep payee or federal fiduciary is effective to terminate a non-durable power of attorney is somewhat uncertain, but I would argue that it doesn’t necessarily amount to a determination of incapacity. Why do I say this? If the rep payee or the federal fiduciary dies or is determined by a court to require a guardian, the bank must notify the SSA or VA and return any benefit payments received. When this happens, the SSA and the VA will send checks directly to the beneficiary until such time as these agencies determine a new rep payee/federal fiduciary needs to be appointed. It is not uncommon for a beneficiary to have one individual named as rep payee/federal fiduciary and someone else appointed as guardian. Until the SSA or VA acknowledges the guardianship and directs payments to the guardian, the guardian will have to work with the current rep payee/federal fiduciary.

Death of the principal. Whether the POA is durable or not, the AIF’s authority terminates upon the principal’s death. Yes, I have actually seen DPOAs that say they are unaffected by death of the principal, but that isn’t true. On the other hand, both the DPOA Act (§ 1075) and the POA Act (§ 3010) provide that if the AIF does not have actual knowledge of the principal’s death and the acts performed are solely for the benefit of the principal, such acts are binding upon the principal’s heirs and successors. Again, if the bank has actual knowledge of the principal’s death, the bank has no protection if it allows the AIF to make transactions.

Protecting the bank. Section 1076 of the DPOA Act provided protection for the bank in making transactions with an AIF if the bank had concerns whether the POA or DPOA may have been revoked, a guardian may have been appointed for the principal if the POA was non-durable, or the principal had died. The bank could require the AIF to sign an Affidavit of Lack of Knowledge and be protected. As was mentioned in the September article, § 3042 of the POA Act provides an optional form that the bank may require the AIF to fill out and execute before a notary Certifying Facts Concerning Power of Attorney. Use of this form will protect the bank.

  • 3024 Authority and Restrictions. I review a lot of POAs/DPOAs to determine whether the AIF can add himself as joint owner or POD, add, remove, or otherwise change PODs, add an authorized signer to an account, directly make transactions on the principal’s living trust, etc. This section of the POA Act clearly sets forth restrictions on the authority of the AIF to do certain act unless explicitly granted in writing under the POA. It supports the positions and answers I have given for the past 17 years. In order for an AIF to create, amend, revoke or terminate an inter vivos trust, make a gift, create or change rights of survivorship, create or change a beneficiary designation, add an authorized signer, waive the principal’s right to be a beneficiary of a joint and survivor annuity, including a survivor benefit under a retirement plan, or exercise fiduciary powers that the principal has authority to delegate (e.g., appoint an authorized signer on a corporation, LLC, etc. account), these powers must be explicitly granted. Further, an AIF who is not an ancestor, spouse or descendant of the principal may not exercise authority under a power of attorney to create in the AIF, or in an individual to whom the AIF owes a legal obligation of support, an interest in the principal’s property, whether by gift, right of survivorship, beneficiary designation, disclaimer or otherwise.

Attorneys generally put in the catch-all provision granting the AIF the power to do any act that the principal may himself do.  I often have to defend my requirement that certain acts, such as adding the AIF as joint owner or a POD require explicit authority.  Subsection C. of this statute provides that subject to subsections A, B, D and E of this section, if a power of attorney grants to an agent authority to do all acts that a principal could do, the agent has the general authority described in Sections 27 through 39 of the POA Act while the grant of the power to make a gift is explained in detail under § 3040.

Uniform Consumer Credit Code (“U3C”) § 3-508A

Title 14A O.S. § 3-508. This section of the “U3C” sets the maximum annual percentage rate for certain loans. It provides three tiers based with different rates based on unpaid principal balances that may be “blended.” It also has an alternative maximum rate that may be used rather than blending the rates. The amounts under each tier were subject to annual adjustment by the Administrator of the Oklahoma Department of Consumer Credit under §1-106, however. The annual adjustment of tier amounts was removed effective August 22, 2014, and a loan made under §3-508A could not have a repayment term of less than 12 months from the date the loan is made which provision was removed effective November 1, 2015.

The loan amount subject to tier (2)(a)(i) has greatly increased as well as the maximum annual percentage rate allowed for that tier. The maximum annual percentage rate for the other two tiers did not increase, but the loan amounts under the second and third tier have. The alternative maximum annual percentage rate allowed in lieu of blending the tiers under (2)(b) remains unchanged.

Maximum Rates by Tier Amounts. §3-508A as amended limits the maximum APR under the three tiers as follows:

(2) The loan finance charge, calculated according to the actuarial method, may not exceed the equivalent of the greater of either of the following:

(a)  the total of:

(i)  thirty-two percent (32%) [currently 27%] per year on that part of the unpaid balances of the principal which is Seven Thousand Dollars ($7,000.00) [currently $2,910] or less;

(ii)  twenty-three percent (23%) [no change] per year on that part of the unpaid balances of the principal which is more than Seven Thousand Dollars ($7,000.00) [currently $2,910.01] but does not exceed Eleven Thousand Dollars ($11,000.00) [currently $6,200.00]; and

(iii)  twenty percent (20%) [no change] per year on that part of the unpaid balances of the principal which is more than Eleven Thousand Dollars ($11,000.00) [currently $6,200.00]; or

(b)  twenty-five percent (25%) [no change] per year on the unpaid balances of the principal.

The Dollar Amounts under the three tiers of §3-508A Loans are NOT subject to annual adjustment, but a new subsection (4) has been added allowing the lender to charge a closing fee IS subject to adjustment under § 1-106:

(4)  In addition to the loan finance charge permitted in this section and other charges permitted in this act, a supervised lender may assess a lender closing fee not to exceed Twenty-eight Dollars and eighty-five cents ($28.85) upon consummation of the loan.

Note that the closing fee, while not a finance charge under the OK U3C, IS a finance charge under Reg Z. Most banks use Reg Z disclosures. This means that it is possible that the fee under Reg Z disclosures will cause the APR to exceed the usury rate under § 3-508A. If that happens, document the file to show that the fee is excluded under the U3C to show that the loan does not in fact violate Oklahoma’s usury provisions.

You can access the § 3-508A Matrix here.

 

Uniform Interstate Depositions and Discovery Act of 2021

By Pauli D. Loeffler

This new Act is codified in Title 12, the Civil Procedure Code, and contains §§ 3250 – 3257. Per § 3257 the Act applies to requests for discovery in cases pending on November 1, 2021.

A subpoena issued by a court of a state other than Oklahoma served on a bank without branches in the state issuing the subpoena had to be logged by the court clerk in the county where the bank was located before service in order to have jurisdiction over the Oklahoma bank. If this wasn’t done, I advised the bank to use the “No Jurisdiction Letter” template available on the OBA’s Legal Links page found under Templates, Forms, and Charts.  On and after 11/1/21, the procedures under the new Act will apply.

§ 3251 contains definitions. “Foreign jurisdiction” is a state other than Oklahoma while a “foreign subpoena” is one issued under the authority of a court of record of a foreign jurisdiction. “State” means the United States, the District of Columbia, Puerto Rico, the United States Virgin Islands, a federally recognized Indian tribe or any territory or insular possession subject to the jurisdiction of the United States. The Act covers subpoenas requiring attendance and giving of testimony at a deposition, production of documents (Subpoena Duces Tecum), and inspection of premises.

§ 3252 requires a party to submit the foreign subpoena to the court clerk of the county in which discovery is to be conducted. Generally, this would be the county where the main bank is located. A request for the issuance of a subpoena does not constitute an appearance in the courts of this state. This is important if the attorney requesting the subpoena is not licensed to practice law in Oklahoma, because s/he would have to file a Motion Pro Hac Vice with the court and obtain a judicial order in order to appear in the Oklahoma court. The names, addresses and telephone numbers of all counsel of record in the proceeding and any unrepresented party have to be provided.

The subpoena issued by the Oklahoma court clerk must be served in compliance with § 2004.1 of the Civil Procedure Code just like any other subpoena. The duties to respond to the subpoena are also subject to § 2004.1.

Orders to enforce, quash, or modify the subpoena or for a protective order must be submitted to the county court in Oklahoma that issued the subpoena.

 

Consumer Complaints

By Andy Zavoina

On September 23, 2021, the CFPB issued a report, “Consumer complaints throughout the credit life cycle, by demographic characteristics.” We know that complaint management is crucial to your compliance management program as complaints are critical in detecting and resolving issues before they become UDAP, fair lending or other compliance issues. Think of complaint resolution as a way to “nip it in the bud” and avoid a problem from becoming a pattern or practice.

This report used one million complaints from 2018 to 2020 and matches complaints to census tracts, and then uses census tract data to assimilate demographics of the complainant. What was deduced was that complaints from wealthier communities and communities with higher percentages of white, non-Hispanic residents complained about loan origination and performing servicing, and complaints from communities of color and lower income communities complained about credit reporting, identity theft, and delinquent servicing.

Complaints may then be categorized by type, to income and race, based on this methodology. CFPB Acting Director Dave Uejio said, “Our consumer complaint data is a crucial tool for understanding varying consumer experiences, including across racial and economic divides.”

Additional general findings were that:

  • Loan origination complaints increased 50% during the year, driven by higher-income areas with fewer people of color.
  • Areas with the highest share of whites complain twice as much as predominantly Black areas.
  • Predominantly Black areas complain twice as much (per resident) as others.
  • Lower income census tracts submit 30% more complaints per resident.

One reason this is important in my mind relates to the recent action by HUD to rescind the 2020 rule on disparate impact which will make it easier to “prove” discrimination exists based on generalizations. Disparate impact is one method used to show evidence of lending discrimination under ECOA and the Fair Housing Act. The methodology is controversial because it allows a person to claim a fair lending violation when a neutral practice is applied uniformly to all applicants but has a discriminatory effect on a prohibited basis. Could one connect the dots between complaints, income and race that then lead to Reg B – ECOA violations of equal treatment?

Action Items:

1) Stay abreast of the bills and proposals pending. Comment on them when it is of interest to your bank. Be aware of changes and how they impact your operations.

2) As changes are made, keep your policies and procedures current to new requirements. Even if changes are not necessary, document your review so any auditing will see that they are current.

3) Remember that fair lending starts with advertising and flows through the loan process, servicing, and collections. In the last year we have seen big enforcement penalties based on poorly crafted advertising and we see complaints on servicing and credit reporting.

4) Train staff to be aware, ultra-aware of lending issues and complaints and to treat all of them equally and thoroughly as a lending issue may more easily be deemed a fair lending issue today.

The CFPB is also proposing a transitional period permitting collection of the data such as the owners’ ethnicity, race, and sex and this could extend the required implementation to 2025.

If you are thinking that allows three years, yes, that is the way it looks now. But like the 2018 HMDA overhaul, preparations should begin when you know what you will have to address and that should start in 2022. Monitoring the bank’s lending activity to small business and the minimum thresholds in the final rule may put a bank into or outside data collection requirements.

2021 OK legislation – Part III

By Kelsey Hull

Hello! My name is Kelsey Hull, and I am an extern for the Oklahoma Bankers Association for the fall semester. I’m currently in my last year at Oklahoma City University School of Law. My hometown is Waynoka, Oklahoma, and I hold a bachelor’s degree in International Studies from the University of Oklahoma. I’m very grateful for the opportunity to write this article, and I hope you find it helpful.

OK Banking Code

Title 6 O.S. § 908. This new section of the Banking Code covers Savings Promotion Raffles. In 2014, Congress passed the American Savings Promotion Act, and Andy Zavoina wrote about the Act in the March 2015 OBA Legal Briefs, which you can access online. While the federal Act excluded these raffles from being an illegal lottery under federal law, it was up to each state to enact legislation to allow these raffles under state law. See Can Contests Help Fill Americans’ Savings Gap?, Pew Charitable Trusts (Nov. 9, 2018), https://www.pewtrusts.org/en/research-and-analysis/issue-briefs/2018/11/can-contests-help-fill-americans-savings-gap; Caroline Ratcliffe, et. al., Evidence-Based Strategies to Build Emergency Savings, Consumer Financial Protection Bureau (July 2020), https://files.consumerfinance.gov/f/documents/cfpb_evidence-based-strategies-build-emergency-savings_report_2020-07.pdf

Effective November 1, 2021, Oklahoma banks and credit unions may begin offering savings promotion raffles under § 908:

As used in this section, the term “savings promotion raffle” means a contest in which the sole consideration required for a chance of winning designated prizes is obtained by the deposit of a specified amount of money in a savings account or other savings program and each ticket or entry has an equal chance of being drawn, with such contest being subject to regulations that may from time to time be promulgated by the bank’s or credit union’s primary regulator. Oklahoma banks and credit unions are authorized to offer savings promotion raffles.

The only difference between Oklahoma’s Section 908 and the federal Act is in the last sentence. In the federal Act, the last sentence ends by saying “…to be promulgated by the appropriate prudential regulator (as defined in section 1002 of the Consumer Financial Protection Act of 2010 (12 U.S.C. 5481)).” In Oklahoma’s statute, it refers to the bank’s or credit union’s primary regulator.

If any questions remain as to whether saving promotion raffles are lotteries, the definition of “lottery” was changed under 12 U.S.C §25A in 2014, specifically excluding such raffles: “The term ‘lottery’ includes any arrangement, other than a savings promotion raffle…”

Judgment liens

Title 46 O.S. § 15 (Mortgage Code) and Title 36 O.S. § 5008 (Insurance Code). Bankers may recall that § 15 in the Mortgage Code requires the release of mortgage be recorded within 30 days after the debt has been paid. If the release is not timely recorded, the mortgagor or the title insurer may demand release, and the mortgagee has 10 days to record the release or face penalties. Beginning 11/1/21 this section will apply to judgment lien holders as well as mortgagees.

§ 5008 in the Oklahoma Insurance Code provides that If a mortgagee fails to execute and deliver a release of mortgage to the mortgagor or designated agent of the mortgagor within sixty (60) days after the date of receipt of payment of the mortgage in accordance with a payoff statement provided by the mortgagee or servicer, an authorized officer of a title insurance company or its duly appointed agent may execute and record an affidavit with the county clerk where the real property is located on behalf of the mortgagor or a transferee of the mortgagor together with documentation of the payment. Effective 11/1/21, this section will also apply to judgment liens.

Motor vehicles

Title 47 O.S. § 1110 Perfection of Security Interest

Effective November 1, 2021, the following new provision is added under subsection A:

  1. When there is an active lien from a commercial lender in place on a vehicle, motor license agents shall be prohibited from transferring the certificate of title on that vehicle until the lien is satisfied.

Title 47 O.S. § 1105A.  Electronic filing of certificates of title, liens, assignments, and releases. This is a new law under Title 47—Motor Vehicles, which takes effect November 1, 2021. The central idea of this law is the creation of an electronic filing, storage, and delivery of motor vehicle title certificates program. Additionally, the program allows the perfection, assignment, and release of a lien by a lienholder through electronic means rather than paper documents. This program will start on or before July 1, 2022. A qualified system developer will help with providing and accessing the necessary software and equipment to actually implement this digital transformation. However, this new system will only affect applications filed after June 30, 2022. Okla. Stat. tit. 47, §1105A(A).

Section B of the statute covers various procedures that are available for the program, although the list is nonexclusive.  Okla. Stat. tit. 47, §1105A(B)(1)-(6). First up on the list is delivery of a certificate of title. If a party chooses to use the electronic route, the certificate need only be issued or printed upon the satisfaction of the last lien. The next two examples regard the service provider, and basically say that the vendor will be qualified and charge reasonable fees. In the fourth example, the statute states that the program will allow access to electronic records of the filed items. Part five allows motor license agents to participate in the program and for their receipt of all fees provided by the Oklahoma Vehicle License and Registration Act. Finally, the program accepts electronic or digital signatures.

Section C concerns definitions, which match with those listed throughout the existing statutes in sections 1101 and beyond.

Section D addresses the validity of the documents created, stored, or delivered through the program. All the documents are in fact valid, even with scanned or electronic signatures. As long as the document is a certified copy of the Oklahoma Tax Commission’s electronic record, it will be admissible in court proceedings, if needed.

Section E deals with financing the program. Essentially, the Tax Commission can spend the necessary funds needed to implement the program.

Finally, section F allows the Tax Commission to consult third parties to help with the program’s development.

Tax Code

Title 68 O.S. § 2370. This section is amended for taxable years beginning after December 31, 2021. The Oklahoma privilege tax of doing business within Oklahoma for state banking associations, national banking associations and credit unions organized under the laws of this state, located or doing business within the limits of the State of Oklahoma is reduced from the rate of 6% to 4% of the amount of the taxable income.

Title 68 O.S. § 2370.1. This section of the Oklahoma Tax Code is amended effective January 1, 2021, with regard to credit for SBA guaranty of 7(a) program loans. The new timeframe for these credits will be on or after January 1, 2022, and before January 1, 2025.

Oklahoma POA Act – Part II

By Pauli D. Loeffler

I need to correct a statement made in the newspaper and email versions of the September 2021 OBA Legal Briefs indicating that some but not all the sections under the Durable Power of Attorney Act (“DPOA Act”) were repealed. In fact, all sections (Title 58 O.S. §§ 1071 – 1077) are repealed effective November 1, 2021. How does this affect DPOAs executed prior to November 1, 2021?

Appointment of guardian. Does appointment of a guardian terminate powers granted an AIF under a DPOA? The appointment of a guardian does not automatically revoke the DPOA under either ACT. § 1074 of the old DPOA Act and § 3008 of the new POA Act are similar but not identical. Under both Acts, the principal may nominate a guardian or conservator in the DPOA, and the court shall appoint such person unless s/he is disqualified or for good cause shown.  The AIF is accountable to both the principal and the guardian. The main difference between the two Acts is that under § 1074 (old), the guardian had the power to revoke or amend the DPOA, while under § 3008 (new) the AIF’s authority continues unless limited, suspended or terminated by the court. Note that if the POA is not durable, the powers granted the AIF terminate.

If the AIF under a non-durable POA has no actual knowledge that a guardian has been appointed, actions of the AIF on behalf of the principal are binding. This is true under § 1075 of the DPOA Act and under § 3010 of the new POA Act. On the other hand, even if the AIF does not know of the guardianship, if the bank has actual knowledge that a guardian has been appointed, if the bank allows the transaction under a non-durable POA, it may be liable.

Appointment of Rep Payee or Federal Fiduciary. Neither the Social Security Administration nor the Veteran’s Administration will accept a POA/DPOA. There is a presumption that every beneficiary is capable of handling his or her own money, and the appointment of a Rep Payee does not carry the same notice and hearing requirements as a guardianship. The question of whether appointment of a rep payee or federal fiduciary is effective to terminate a non-durable power of attorney is somewhat uncertain, but I would argue that it doesn’t necessarily amount to a determination of incapacity. Why do I say this? If the rep payee or the federal fiduciary dies or is determined by a court to require a guardian, the bank must notify the SSA or VA and return any benefit payments received. When this happens, the SSA and the VA will send checks directly to the beneficiary until such time as these agencies determine a new rep payee/federal fiduciary needs to be appointed. It is not uncommon for a beneficiary to have one individual named as rep payee/federal fiduciary and someone else appointed as guardian. Until the SSA or VA acknowledges the guardianship and directs payments to the guardian, the guardian will have to work with the current rep payee/federal fiduciary.

Death of the principal. Whether the POA is durable or not, the AIF’s authority terminates upon the principal’s death. Yes, I have actually seen DPOAs that say they are unaffected by death of the principal, but that isn’t true. On the other hand, both the DPOA Act (§ 1075) and the POA Act (§ 3010) provide that if the AIF does not have actual knowledge of the principal’s death and the acts performed are solely for the benefit of the principal, such acts are binding upon the principal’s heirs and successors. Again, if the bank has actual knowledge of the principal’s death, the bank has no protection if it allows the AIF to make transactions.

Protecting the bank. Section 1076 of the DPOA Act provided protection for the bank in making transactions with an AIF if the bank had concerns whether the POA or DPOA may have been revoked, a guardian may have been appointed for the principal if the POA was non-durable, or the principal had died. The bank could require the AIF to sign an Affidavit of Lack of Knowledge and be protected. As was mentioned in the September article, § 3042 of the POA Act provides an optional form that the bank may require the AIF to fill out and execute before a notary Certifying Facts Concerning Power of Attorney. Use of this form will protect the bank. 3024 Authority and

§ 3024 Authority and Restrictions. I review a lot of POAs/DPOAs to determine whether the AIF can add himself as joint owner or POD, add, remove, or otherwise change PODs, add an authorized signer to an account, directly make transactions on the principal’s living trust, etc. This section of the POA Act clearly sets forth restrictions on the authority of the AIF to do certain act unless explicitly granted in writing under the POA. It supports the positions and answers I have given for the past 17 years. In order for an AIF to create, amend, revoke or terminate an inter vivos trust, make a gift, create or change rights of survivorship, create or change a beneficiary designation, add an authorized signer, waive the principal’s right to be a beneficiary of a joint and survivor annuity, including a survivor benefit under a retirement plan, or exercise fiduciary powers that the principal has authority to delegate (e.g., appoint an authorized signer on a corporation, LLC, etc. account), these powers must be explicitly granted. Further, an AIF who is not an ancestor, spouse or descendant of the principal may not exercise authority under a power of attorney to create in the AIF, or in an individual to whom the AIF owes a legal obligation of support, an interest in the principal’s property, whether by gift, right of survivorship, beneficiary designation, disclaimer or otherwise.

Attorneys generally put in the catch-all provision granting the AIF the power to do any act that the principal may himself do.  I often have to defend my requirement that certain acts, such as adding the AIF as joint owner or a POD require explicit authority.  Subsection C. of this statute provides that subject to subsections A, B, D and E of this section, if a power of attorney grants to an agent authority to do all acts that a principal could do, the agent has the general authority described in Sections 27 through 39 of the POA Act while the grant of the power to make a gift is explained in detail under § 3040.

Uniform Consumer Credit Code (“U3C”) § 3-508A

By Pauli D. Loeffler

Title 14A O.S. § 3-508. This section of the “U3C” sets the maximum annual percentage rate for certain loans. It provides three tiers based with different rates based on unpaid principal balances that may be “blended.” It also has an alternative maximum rate that may be used rather than blending the rates. The amounts under each tier were subject to annual adjustment by the Administrator of the Oklahoma Department of Consumer Credit under §1-106, however. The annual adjustment of tier amounts was removed effective August 22, 2014, and a loan made under §3-508A could not have a repayment term of less than 12 months from the date the loan is made which provision was removed effective November 1, 2015.

The loan amount subject to tier (2)(a)(i) has greatly increased as well as the maximum annual percentage rate allowed for that tier. The maximum annual percentage rate for the other two tiers did not increase, but the loan amounts under the second and third tier have. The alternative maximum annual percentage rate allowed in lieu of blending the tiers under (2)(b) remains unchanged.

Maximum Rates by Tier Amounts. § 3-508A as amended limits the maximum APR under the three tiers as follows:

(2) The loan finance charge, calculated according to the actuarial method, may not exceed the equivalent of the greater of either of the following:

(a)  the total of:

(i)  thirty-two percent (32%) [currently 27%] per year on that part of the unpaid balances of the principal which is Seven Thousand Dollars ($7,000.00) [currently $2,910] or less;

(ii)  twenty-three percent (23%) [no change] per year on that part of the unpaid balances of the principal which is more than Seven Thousand Dollars ($7,000.00) [currently $2,910.01 but does not exceed Eleven Thousand Dollars ($11,000.00); and

(iii)  twenty percent (20%) [no change] per year on that part of the unpaid balances of the principal which is more than Eleven Thousand Dollars ($11,000.00); or

(b)  twenty-five percent (25%) [no change] per year on the unpaid balances of the principal.

The Dollar Amounts under the three tiers of §3-508A Loans are NOT subject to annual adjustment, but a new subsection (4) has been added allowing the lender to charge a closing fee IS subject to adjustment under § 1-106:

(4)  In addition to the loan finance charge permitted in this section and other charges permitted in this act, a supervised lender may assess a lender closing fee not to exceed Twenty-eight Dollars and eighty-five cents ($28.85) upon consummation of the loan.

Note that the closing fee, while not a finance charge under the OK U3C, IS a finance charge under Reg Z. Most banks use Reg Z disclosures. This means that it is possible that the fee under Reg Z disclosures will cause the APR to exceed the usury rate under § 3-508A. If that happens, document the file to show that the fee is excluded under the U3C to show that the loan does not in fact violate Oklahoma’s usury provisions.

 

Uniform Interstate Depositions and Discovery Act of 2021

By Pauli D. Loeffler

This new Act is codified in Title 12, the Civil Procedure Code, and contains §§ 3250 – 3257. Per § 3257 the Act applies to requests for discovery in cases pending on November 1, 2021.

A subpoena issued by a court of a state other than Oklahoma served on a bank without branches in the state issuing the subpoena had to be logged by the court clerk in the county where the bank was located before service in order to have jurisdiction over the Oklahoma bank. If this wasn’t done, I advised the bank to use the “No Jurisdiction Letter” template available on the OBA’s Legal Links page found under Templates, Forms, and Charts.  On and after 11/1/21, the procedures under the new Act will apply.

§ 3251 contains definitions. “Foreign jurisdiction” is a state other than Oklahoma while a “foreign subpoena” is one issued under the authority of a court of record of a foreign jurisdiction. “State” means the United States, the District of Columbia, Puerto Rico, the United States Virgin Islands, a federally recognized Indian tribe or any territory or insular possession subject to the jurisdiction of the United States. The Act covers subpoenas requiring attendance and giving of testimony at a deposition, production of documents (Subpoena Duces Tecum), and inspection of premises.

§ 3252 requires a party to submit the foreign subpoena to the court clerk of the county in which discovery is to be conducted. Generally, this would be the county where the main bank is located. A request for the issuance of a subpoena does not constitute an appearance in the courts of this state. This is important if the attorney requesting the subpoena is not licensed to practice law in Oklahoma, because s/he would have to file a Motion Pro Hac Vice with the court and obtain a judicial order in order to appear in the Oklahoma court. The names, addresses and telephone numbers of all counsel of record in the proceeding and any unrepresented party have to be provided.

The subpoena issued by the Oklahoma court clerk must be served in compliance with § 2004.1 of the Civil Procedure Code just like any other subpoena. The duties to respond to the subpoena are also subject to § 2004.1.

Orders to enforce, quash, or modify the subpoena or for a protective order must be submitted to the county court in Oklahoma that issued the subpoena.

August 2021 OBA Legal Briefs

  • Reg Z’s business day definitions
  • Advance Child Tax Credits and closed accounts
  • 2021 Oklahoma legislation—Part I

Reg Z’s business day definitions

By John S. Burnett

Why Juneteenth caught lenders unprepared

Congress clearly doesn’t know (or care?) that two days’ notice isn’t enough to give lenders when they pass legislation creating a new federal legal public holiday. The kerfuffle that erupted over the addition of the Juneteenth National Independence Day to the list of holidays in 5 U.S.C. 6103(a) may not have ruffled Congress’s legislative feathers, but it raised a lot of questions among lenders, compliance officers, closing agents, investors and, yes, borrowers.

Why? Because it affected many mortgage loans for which closing disclosures had already been provided in the days immediately before the law was enacted on July 17, with closing dates set for early the following week. It also eliminated Saturday, June 19, as a business day for the purpose of counting rescission period days on loans that had closed on June 16 and 17.

In short, some lenders had to postpone closings by a day or more and others had to delay disbursement of loan proceeds, and, of course, borrowers weren’t happy that the new holiday forced those scheduling changes. For lenders who, for whatever reason, were not able to make the right moves, the risk is very real of litigation down the road over technical timing requirements in Regulation Z.

There is talk – or wishful thinking – that the CFPB can “fix” everything with an interpretation or ruling about the impact of the new holiday on mortgage loans closed with unavoidable errors. However, the Bureau can do what it can, but the courts will ultimately decide whether lenders’ concerns are real, and at what cost.

The “business day” definitions

The key to complying with any law or regulations is an understanding of its terms. That’s why there is usually a collection of important definitions, and for regulations, it is usually found in one of the first sections of the rule.

Regulation Z has so many technical timing requirements that include a count of business days that it should be no surprise that “business day” is a defined term in the regulation. In fact, there are two definitions of the term, and which definition applies in a given case depends on which timing requirement in the regulation is in question.

Regulation Z’s definitions of “business day” are found in section 1026.2(a), in paragraph 1026.2(a)(6), which includes two sentences.

The “general” definition. The first sentence of the paragraph reads—

Business day means a day on which the creditor’s offices are open to the public for carrying on substantially all of its business functions.

What does that sentence mean by “substantially all of its business functions”? Comment 2(a)(6)-1 explains—

Business function test. Activities that indicate that the creditor is open for substantially all of its business functions include the availability of personnel to make loan disbursements, to open new accounts, and to handle credit transaction inquiries. Activities that indicate that the creditor is not open for substantially all of its business functions include a retailer’s merely accepting credit cards for purchases or a bank’s having its customer-service windows open only for limited purposes such as deposits and withdrawals, bill paying, and related services.

So, for example, if your bank’s branches are open on Saturdays for handling deposits, check cashing, withdrawals and other routine teller responsibilities, but there are no staffers who can disburse loan proceeds, handle inquiries about loans or loan rates or open new accounts, your bank is not “open to the pubic for carrying on substantially all of its business functions,” and Saturday would not be a business day for your bank under the business day definition in the first sentence of section 1026.2(a)(6).

But if during your Saturday teller hours there is someone at all or most of your branches to open accounts, make loan disbursements and handle credit transaction inquiries, Saturdays would be a business day for your bank.

The term “business day” appears 72 more times in the text of the full regulation (excluding the Official Interpretations in Supplement I). This general definition — a day on which the creditor’s offices are open to the public for carrying on substantially all of its business functions — applies to most of those uses of the term.

However, there are thirteen sections or paragraphs of the regulation in which “business day” is used where the “precise” definition for “business day” is used. Those sections and paragraphs are listed in the second sentence of paragraph 1026.2(a)(6), which reads—

However, for purposes of rescission under §§ 1026.15 and 1026.23, and for purposes of §§ 1026.19(a)(1)(ii), 1026.19(a)(2), 1026.19(e)(1)(iii)(B), 1026.19(e)(1)(iv), 1026.19(e)(2)(i)(A), 1026.19(e)(4)(ii), 1026.19(f)(1)(ii), 1026.19(f)(1)(iii), 1026.20(e)(5), 1026.31, and 1026.46(d)(4), the term means all calendar days except Sundays and the legal public holidays specified in 5 U.S.C, 6103(a), such as New Year’s Day, the Birthday of Martin Luther King, Jr., Washington’s Birthday, Memorial Day, [Juneteenth National Independence Day,] Independence Day, Labor Day, Columbus Day, Veterans Day, Thanksgiving Day, and Christmas Day.

(I added Juneteenth to the list in the regulatory text.)

There are two important lists in that sentence:

  • The list of sections where the “precise” definition applies
  • The list of legal public holidays

The affected Regulation provisions: Here’s a list of the affected Reg Z sections with a brief description of each:

  • 1026.15 – Counting the three business days in the rescission period for certain open-end credit extensions for which there is a security interest in a consumer’s principal dwelling
  • 1026.23—Counting the three business days in the rescission period for certain closed-end credit transactions secured by a consumer’s principal dwelling
  • 1026.19(a)(1)(ii)—Counting the presumed three business days by which a consumer is deemed to have received good faith estimate disclosures in connection with a consumer’s application for a reverse mortgage to be secured by the consumer’s dwelling, if the disclosures are mailed to the consumer. The consumer cannot be charged a fee (except for the cost of a credit report) before the consumer receives (or is deemed to have received) the disclosures.
  • 1026.19(a)(2)—Those good faith estimate disclosures must also be delivered in person or placed in the mail not later than the seventh (precise definition) business day before consummation of the reverse mortgage loan. The precise definition is also used in counting three business days before consummation (and the presumed three-day delivery time if sent by mail) that a revised disclosure must be received if the APR in the early disclosures becomes inaccurate.
  • 1026.19(e)(1)(iii)(B)—Counting the seven business days before consummation to determine the latest day the creditor may send a TRID loan estimate (except for loans secured by a timeshare interest).
  • 1026.19(e)(1)(iv)—If a TRID loan estimate is not provided to the consumer in person, counting the three business days until the consumer is considered to have received it after it was delivered or placed in the mail
  • 1026.19(e)(2)(i)(A)—The consumer in a TRID transaction cannot be charged a fee (other that for a credit report) before the consumer has received the loan estimate and has expressed an intent to proceed with the transaction described in the loan estimate. Section 1026.19(e)(1)(iv) just above requires that, if the loan estimate isn’t given in person, the consumer is considered to have received the loan estimate three (precise) business days after delivery or mailing.
  • 1026.19(e)(4)(ii)—Counting the four business days before consummation by which the consumer must receive any required revised loan estimate and counting the three business days after non-in-person delivery by which the consumer is considered to have received a revised loan estimate.
  • 1026.(f)(1)(ii)—Counting three business days before consummation to determine when the consumer is required to have received the TRID closing disclosure.
  • 1026.19(f)(1)(iii)— If the TRID closing disclosure isn’t given in person, counting the three business days after placing them in the mail by which the consumer is considered to have received them.
  • 1026.20(e)(5)—Counting business days for the timing requirements for disclosures involved when closing a consumer’s mortgage escrow account.
  • 1026.31—Counting the three business days prior to consummation or account opening by which the creditor must provide disclosures required by § 1026.32 for a high cost mortgage or by § 1026.33 for a reverse mortgage
  • 1026.46(d)(4)—Counting the three business days after which a required disclosure for a private education loan is mailed to a consumer that the consumer is considered to have received the disclosure.

The public legal holidays. There are now 11 public legal holidays and 52 (or 53) Sundays that are not business days (even if your bank is open for all purposes) when the precise business day definition in Regulation Z applies. Six of those holidays —the Birthday of Martin Luther King, Jr., Washington’s Birthday, Memorial Day, Labor Day, Columbus (or Indigenous Peoples) Day, and Thanksgiving Day—are always weekdays (five Mondays and one Thursday), and have not caused anyone any confusion.

The other five public legal holidays fall on designated dates—January 1, June 19, July 4, November 11, and December 25—that can occur on Saturday or Sunday. When one of these holidays falls on Saturday, it is often observed the previous Friday, especially by federal employees. In those cases, whether or not the Federal Reserve Banks are closed (they normally are open under these circumstances) the observed holiday (Friday) is a business day when the precise business day definition is applied. The actual holiday (Saturday in such cases) is not a business day when the precise business day definition is applied, even if your bank is fully operational.

When one of the five designated dates occurs on Sunday (Juneteenth and Christmas in 2022, New Year’s Day in 2023), it is often observed on the following Monday, especially by federal agencies and offices. In such cases, the actual holiday is not a business day (both because it is one of the 11 public legal holidays and because it is a Sunday); the observed holiday on Monday (June 20 and December 26 in 2022, and January 2, 2023) is a business day when the precise business day definition applies, even though all Federal Reserve Bank offices will be closed.

For those of you who have read comment 2(a)(6)-2 and note that it says nothing about a designated date public legal holiday falling on Sunday, I agree. The Fed, when it added that little clarifying example of July 4 occurring on Saturday, ignored the fact that it also falls on Sundays with a Monday observance (as it did in 2021). In a phone conversation with a CFPB representative on Friday, July 2, I was assured that Monday, July 5 would be a business day.

In that conversation I suggested that the CFPB will probably be issuing an amendment to § 1026.2(a)(6) and comment 2(a)(6)-2 to add Juneteenth National Independence Day to their lists (hopefully they will make those amendments before Juneteenth arrives in 2022), and that when they make those amendments it would be the perfect opportunity to add an example to the commentary of one of the five designated date holidays (Juneteenth would be the perfect example to use) falling on Sunday. We’ll have to wait and see if the powers that be at the Bureau agree with that logical suggestion.

Don’t use the Reg Z definition elsewhere

Some of you may already be anticipating where this is going, and you’re wondering, “What about Regulation CC and its definition of “business day?” And this is the perfect time for the warning: Never “borrow” a definition from one regulation and apply it to a different regulation. It is a recipe for confusion (or worse) to do so.

Regulation CC is the perfect example, since it has its own “business day” definition in § 229.2(g):

Business day means a calendar day other than a Saturday or a Sunday, January 1, the third Monday in January, the third Monday in February, the last Monday in May, July 4, the first Monday in September, the second Monday in October, November 11, the fourth Thursday in November, or December 25. If January 1, July 4, November 11, or December 25 fall on a Sunday, the next Monday is not a business day.

Do you see the differences between this definition and either definition in Regulation Z?

  • It can never be a Saturday or a Sunday.
  • It doesn’t matter whether your bank is open for substantially all business (it does matter in the definition of “banking day”).
  • If one of the designated-date holidays occurs on a Sunday, the next Monday is not a business day (because the Fed isn’t open for check clearing, etc.)

The same list of public legal holidays is included in both regulations. The Fed should be amending the definition at some point to add Juneteenth to that list in Regulation CC (but, given the Fed’s track record on keeping the regulation current, I won’t hold my breath).

Advance Child Tax Credits and closed accounts

By John Burnett

The IRS started sending direct deposits of Advance Child Tax Credits (ACTC) on July 15, 2021. Additional ACTC credits will be sent on August 13, and the 15th of each month from September through December 2021.

Some of the direct deposits will be directed to accounts that have been closed by the depositor or the bank. This will probably mean that people in some banks will start thinking about “offsets.” But don’t go there!

Treasury regulations require that direct deposits of federal benefit payments directed to closed accounts be returned. The IRS will reissue the payments in check form. A bank cannot legally “reopen” a closed account to accept such a payment, and the payment cannot be diverted to recover on a charge-off. The payments should be returned even if the recipient has another account with your bank.

The IRS has an online tool – the Child Tax Credit Update Portal at https://www.irs.gov/credits-deductions/child-tax-credit-update-portal — for taxpayers to use to update bank account information.

2021 Oklahoma legislation – Part I

By Pauli D. Loeffler

Legislation was enacted amending two sections in the Oklahoma Banking Code (Title 6) and an entirely new section was added. The effective date for the amendments and the new section is November 1, 2021.

§ 901 – POD beneficiaries.

The amended provisions of this statute are emphasized.

B.

2.  A deposit account with a P.O.D. designation shall constitute a contract between the account owner, (or owners, if more than one) and the bank that upon the death of the last surviving owner of the account, and after payment of account proceeds to any secured party with a valid security interest in the account, the bank will hold the funds for or pay them to the named primary beneficiary or beneficiaries if living. If a primary beneficiary predeceases the account owner, the share of that primary beneficiary shall be distributed pursuant to either paragraph 4 or 5 of this subsection, whichever is applicable.

3.  Each P.O.D. beneficiary designated on a deposit account shall be a primary beneficiary unless specifically designated as a contingent beneficiary.

4.  If there is only one primary P.O.D. beneficiary on a deposit account and that beneficiary is an individual, the account owner may designate one or more contingent beneficiaries for whom the funds shall be held or to whom the funds shall be paid if the primary beneficiary is not living when the last surviving owner of the account dies. If there is more than one primary P.O.D. beneficiary on a deposit account, contingent beneficiaries shall not be allowed on that account.

5.  If the sole primary P.O.D. beneficiary is not living and one or more contingent beneficiaries have been designated as allowed by paragraph 4 of this subsection, the funds shall be held for or paid to the contingent beneficiaries who are alive at the time of the account owner’s death in equal shares, and shall not belong to the estate of the deceased primary beneficiary. If neither the primary beneficiary nor any contingent beneficiary is living at the time of the account owner’s death, the funds shall be paid to the account owner’s estate

7.  If only one primary P.O.D. beneficiary has been designated on a deposit account, the account owner may add the following, or words of similar meaning, in the style of the account or in the account agreement:

“If the designated P.O.D. beneficiary is deceased, then payable on the death of the account owner to (Name of Beneficiary), (Name of Beneficiary), and (Name of Beneficiary), as contingent beneficiaries, in equal share.”

8.  Adjustments may be made in the styling, depending upon the number of owners of the account, to allow for survivorship rights, and the number of beneficiaries.  It is to be understood that each beneficiary is entitled to a proportionate share of the account proceeds only after the death of the last surviving account owner, and after payment of account proceeds to any secured party with a valid security interest in the account.  All designated primary P.O.D. beneficiaries shall have equal shares.  All designated contingent P.O.D. beneficiaries shall have equal shares as if the sole primary beneficiary is deceased. In the event of the death of a beneficiary prior to the death of the account owner, the share of that beneficiary shall be divided among any surviving beneficiaries or distributed to contingent beneficiaries pursuant to paragraphs 4 and 5 of this subsection, if applicable.  If no beneficiaries are alive at the time of the account owner’s death, the funds should be held for, or paid to, the estate of the deceased account owner…

12. Subsequent to the effective date of this act, a bank shall provide a customer creating a P.O.D. account with a written notice that the distribution of the proceeds in the P.O.D. account shall be consistent with the provisions of this section.

 What you need to know:

  • First and most importantly, the changes apply ONLY with regard to POD beneficiary designations made on or after November 1, 2021. They do not apply to existing POD designations, so it is critical to take into account the date the POD designations were made in order to comply with the statute.
  • If only one natural person is named as POD beneficiary, the owner may name contingent beneficiaries. if a tax-exempt § 501(3)(c) beneficiary or a trust is named as POD beneficiary, no contingent beneficiaries can be named. These statements apply under both the current version of § 901 and the amended version.
  • If two or more natural persons are named as POD beneficiaries and one of them predeceases the last surviving owner of the account, under the current version of § 901 the funds will be split equally among the living PODs and the estate of the predeceasing POD beneficiary. Under the amended version, only those PODs alive at the time the last surviving account owner dies will receive equal shares.
  • If there is only one natural person named as POD beneficiary who predeceases the last surviving account owner and contingent beneficiaries are named, the contingent beneficiaries who are alive at the time the last account owner dies will receive equal shares under the amended statute as opposed to the current statute under which the estate of a predeceasing beneficiary would receive a share.
  • If all primary beneficiaries predecease the last surviving owner, the funds belong to the owner’s estate under the amended statute, Likewise, this is the result if the sole primary beneficiary and all named contingent beneficiaries predecease the owner.

§ 906 – Transfer of deposits or contents of safe deposit boxes to heirs.

Again, I have emphasized the amendments to this statute.

A. 1. When a deposit has been made in a bank or credit union in the name of a sole individual without designation of a payable-on-death beneficiary, upon the death of the sole owner of the account if the amount of the aggregate deposits held in single ownership accounts in the name of the deceased individual is Fifty Thousand Dollars ($50,000.00) or less, the bank or credit union may, without a requirement that heirs open an additional account, transfer the funds to the known heirs of the deceased upon receipt of an affidavit sworn to by the known heirs of the deceased which establishes jurisdiction and relationship and states that the owner of the account left no will; provided, however, that no probate proceedings are pending.  The affidavit shall be sworn to and signed by the known heirs of the deceased and the same shall swear that the facts set forth in the affidavit establishing jurisdiction, heirship and intestacy are true and correct. The affidavit may contain a clause indemnifying the bank from any damages related to the release of funds.  In the event the account is subject to pending probate proceedings, the release of the deposits in the account shall be determined by the court.

2.  Upon the death of an individual who is the sole renter of a safe deposit box in a bank or credit union, the bank or credit union may open the box in the presence of all known heirs and transfer or release the contents to such heirs upon receipt of an affidavit which establishes jurisdiction and relationship to the deceased and states that the renter of the safe deposit box left no will or that the contents of the safe deposit box are the only known assets of the deceased renter. The affidavit shall be sworn to and signed by the known heirs of the deceased and the same shall swear that the facts set forth in the affidavit establishing jurisdiction, heirship and intestacy or that the contents of the safe deposit box are the only asset of the deceased are true and correct.  Every known heir shall either be present in person or by a duly authorized agent.  If any known heir is unable to be physically present for the opening of the box and transfer of the contents, such heir may appoint an agent by executing authorization in writing in the following form:  “I hereby authorize (name of person) to act as my agent at the opening and transfer of contents of safe deposit box (number or other identification) at (name of financial institution).”  The authorization form shall be signed and dated by the heir and notarized.  The bank or credit union may impose its standard fee for drilling the box if the heirs cannot provide the key for opening.

B.  Receipt by the bank or credit union of the affidavit described in subsection A of this section shall be a valid and sufficient release and discharge to the bank or credit union for any transfer of deposits or contents made in good-faith reliance on the affidavit and shall serve to discharge the bank or credit union from liability as to any other party, including any heir, legatee, devisee, creditor or other person having rights or claims to funds or property of the decedent, and include a discharge of the bank or credit union from liability for any estate, inheritance or other taxes which may be due the state from the estate or as a result of the transfer.

C.  Any person who knowingly submits and signs a false affidavit as provided in this section shall be fined not more than Three Thousand Dollars ($3,000.00) or imprisoned for not more than six (6) months, or both. Restitution of the amount fraudulently attained shall be made to the rightful beneficiary by the guilty person.

Unlike the amendments to § 901, the amendments should have little or no impact on banks. If a) the aggregate deposits held in sole ownership without PODs do not exceed $50,000, b) the customer died a resident of Oklahoma, and c) did not have a will, the affidavit under § 906 was and is available for authority to disburse the funds. If there is a will, or the customer died a resident of another state, then an affidavit under this section is not an option, but the Affidavit under § 393 of the Oklahoma Probate Code (Title 58) might be used both for deposits and safe deposit boxes, if all conditions of that statute are met. I note that under the probate code the Affidavit requires a statement that there is no pending probate. Unlike an Affidavit submitted under § 393, the bank does not face liability for refusing to accept an affidavit under § 906 of the Banking Code for either deposits or safe deposit box contents.

I am mystified by some of the additional language. For instance, I have no clue why “without a requirement that heirs open an additional account” was added. I assume that some banks or credit unions may have had such a requirement that I didn’t know about. Allowing the bank to include an indemnity clause was not prohibited under the current statute, and in light of the provisions under subsections B. and C, I am not sure this change was needed. I note that charging a drilling fee was not prohibited under the prior version.

§ 909 – Powers of Authorized Signer — Form for Additional Powers

This is an entirely new statute. You may access both the statute and the form here.

A. Unless the deposit agreement states otherwise, an authorized signer on a deposit account shall have the following powers, regardless of whether the account is a consumer or commercial account:

 1.  Sign checks;

2.  Make deposits of checks payable to the account owner into the account;

3.  Make cash deposits into the account;

4.  Obtain an account balance;

5.  View copies of checks he or she has signed; and

6.  Obtain deposit slips when making a deposit.

B.  If additional authority is not expressly granted in the deposit account agreement, additional powers may be granted in writing by the owner of the account. If the account is an individual account, the owner may execute an additional authorization document.  It must be dated and in writing and may be revoked or amended at any time by the account owner.  If there are multiple owners, all must execute the additional authorization document.  If the account is owned by an entity, the entity must approve the grant of additional powers in the same manner as it appoints authorized signers.

C.  A customer may initial next to the additional powers to be granted and line through those that are not being granted, pursuant to subsection D of this section.

Form for Additional Powers for Authorized Signer:

I, the undersigned account owner or duly empowered representative of the account owner, hereby grant and approve the following additional powers for authorized signer(s) on account

# _______________________.  Bank name ______________________.

____________ Obtain and use a debit card or automated teller machine card

____________ Obtain copies of statements on the account from the bank

____________ Order checks

____________ Obtain copies of checks or other transactions on the account

____________ Authorize or terminate automated clearing house debits to the account

____________ Complete affidavits of forgery

____________ Initiate a change of address for the account

____________ Withdraw cash up to $___________

____________ Dispute a card transaction on the account

____________ Report a lost or stolen card on the account

____________ Use online banking to view transactions on the account

____________ Set up online bill payments

____________ Use the mobile app to access information about the account.

Important points. The list of powers granted to an authorized signer in subsection A. is not exclusive, and your account agreement may grant powers that aren’t listed in that subsection or restrict powers that are. Additionally, UCC § 4-403 provides that any person authorized on an account may stop payment or close the account and that power exists regardless of the omission from this statute.

There is no requirement that the bank use the additional powers form, and the bank is free to add to or delete powers from the form as it chooses. Please keep in mind that guardians and attorneys-in-fact are governed by other law, so neither the statute nor the additional powers form is appropriate for use in those cases.

July 2021 OBA Legal Briefs

  • Vacations — Required or recommended

Vacations – Required or recommended

By Andy Zavoina

We last wrote about vacation time in the September 2019 Legal Briefs. That was a short article on the recommended necessity of taking consecutive days off. After a year of COVID-19 and everyone being couped up, summer 2021 stands to be a record as people can finally get back out and take much needed vacation time. But rather than say, “here is a cite from the FDIC and Human Resources needs to enforce a policy…” I want to explore why a “vacation” policy should be required, where it is required as well as where it is not, and how to meet the spirit and intent. I put quotes around the key term, vacation, but that is misleading. I also want to explore not just being absent but also being disconnected, and why this is important. It is important to point out to both management and staff that such a policy is a safety and soundness issue, not a way to inconvenience staff or force them to group together the few days of vacation they have.

We will talk about a few real-life cases which reinforce why this policy needs to exist, and under what circumstances exceptions are allowed. By the time you are done, you will be able to ensure management has all the facts and the reasons for requiring many staff members are in fact absent from their duties, and how this is beneficial to both the bank and the employee. In short, it will help you understand why a policy is needed and how to craft it or tweak, if needed, what you already have in place, to best meet the spirit and intent of the rule.

Three cases of interest

Indirect vehicle financing. Fortunately, this was not my bank, but it was a bank about a block away from our main branch and we all knew many of the staff there. Many in my bank knew the woman in question. She had worked for the bank for over 20 years. She rarely took a vacation or sick day. She was seen as dedicated. She was seen as experienced. She was trusted.

It turned out what she was, was a thief, an embezzler. She worked in the indirect dealer area and handled drafts. With many larger floorplans there was a lot of money coming in and going out and that meant large suspense accounts. Those accounts had to be reconciled and checked. But when you have an employee of this caliber and with this experience, you ask her “why?” She will explain it and on you go, because these audits are such a pain to do and explain anyway.

But when she was on a very rare vacation, the employee filling in had questions. Nobody liked the answers because it was well over $100,000 that could not be reconciled and that is a shock for a small bank. She had been taking money and as the phrase goes, cooking the books. When she was not available to answer certain questions, the facts came pouring out because numbers do not lie.

First Community Bank, Cave City, AR. Two years ago, there was an incident in Cave City, Arkansas. This is “Home of the world’s sweetest watermelons.” In the 2010 census this was a town of less than 2,000 people, so a small town to say the least.

Today the bank involved has 28 locations in Arkansas and Missouri and the Cave City branch shows to have deposits of $22 million. For 18 years Carrie Porter worked at First Community Bank. She was a teller. For about 12 of those years Carrie would periodically take a stack of $100 bills. The first time she walked out of the bank with $10,000 in her purse that was not hers, it was not hard. She continued this every three or four months.

By the time she was caught the sum of her theft was calculated to be $285,125. She was very apologetic and confessed what she had done. She was cashing in her retirement and her family was harvesting trees from their property and selling land. She hoped to repay 80 percent of what she had stolen before she reported to prison for 18 months. She swore she would repay all of it. She said the money “was just gone” and really had nothing to show for it.

Carrie Porter will be about 51 years old when she is released and most certainly her family will be paying the price with her. Thefts such as this impact the bank, the employee, and the families of all involved.

Bank fraud, wire fraud, and money laundering (Oh, my!). In April of this year in New York, Gangadai Rampersaud Azim was arrested and charged with wire fraud, bank fraud, bank theft, money laundering, and conspiracy, for her role in a scheme to defraud the bank she worked at, of $1.7 million. These charges are pending, so the crime is alleged at this point.

Azim allegedly stole more than $1.7 million and concealed the crime until an absence from work led to its discovery. Yes, she had an illness that forced her to take leave. She was not there to cover her tracks.
In January 2021, the bank set off a customer’s deposit for a delinquent loan. The customer claimed the loan had been paid off in 2019, and the unravelling began. In 2019 the money was taken for the loan and the customer believed the loan was paid off. Azim kept that payoff and unbeknownst to the borrower, started a renewal of the loan for them. There is both a debit and credit, but Azim’s theft created an additional debit that had to be concealed in the future.

The investigation revealed Azim repeatedly made false entries in the bank’s systems, misappropriating funds paid to the bank by many borrowers who thought their loans were paid off. In fact, Azim was extending the maturity dates, so the bank believed it had assets, while the borrowers thought they had no debts. As loans came due, they were covered by new loans faked by Azim to replace them.

The criminal complaint says, “Between August 2008 and January 2021, Azim, a long-time employee of a New York, New York-based bank (“Bank-1”) stole approximately $1.7 million from her employer. Over the course of approximately 12 years, Azim executed hundreds of wire transfers of Bank-1 funds to co-conspirators and related companies, who then sent portions of the ill-gotten funds to Azim’s personal bank account.

“In furtherance of her scheme to defraud Bank-1, Axim repeatedly made false entries in Bank-1’s systems, misappropriating funds paid to Bank-1 by its clients to satisfy outstanding loan obligations and then extending the maturity dates of those loan obligations, making it appear as though the loan obligations had not yet been paid. When even the fraudulently extended maturity dates came due, Azim originated new, fraudulent loans. Azim utilized the proceeds of those fraudulent loans to satisfy the loans for which she had previously stolen the client payments. In doing so, Azim abused her position at Bank-1 and enriched herself at the expense of her employer.”

In all it appears there were 14 fraudulent loans without promissory notes for $1 million that were used to pay the fictitious debts Azim created, and five others for more than $700,000 with extended maturity dates where the borrower thought the loans had been satisfied. Over approximately 12 years, between 2008 and 2020, Azim made approximately 200 wire transfers of bank funds, each for an amount under $10,000, sent to third party accounts. Transfers were made to co-conspirators and related companies, which then returned portions of those funds to Azim.

We never would have thought …

The bank’s Security Officer will advise the bank to diligently have the internal control and other periodic audits completed because the bank must be diligent against theft. Banks and other companies often say when an embezzlement is found that that was the last employee they would have ever thought would steal from them. Unfortunately, many of the traits of a dedicated employee are also those of someone covering up a theft. Additionally, there are signs to look for in employees such as those living beyond their means, having financial difficulties, having unusually close relationships with vendors, and having excessive control issues such as over the account relationships they oversee.

Security programs will point out common warning signs seen when employee thefts have occurred. These are not definitive points, but rather are intended to raise awareness.

• The employee never wants to take vacation.

• The employee works a lot of overtime and enjoys the peace of quiet of being the only one there.

• The employee takes work home.

• There are signs of excessive personal spending, cars, vacations, collectibles, etc. Some of these may be converted to cash through sale, laundering if you will, and some may be for personal enjoyment.

• Frequent casino trips.

• Unusually close relationship with customers or vendors.

• Unverified expense reports for supplies or travel.

Disconnecting

Human Resource managers and health experts all agree that there is a reason for weekends and vacations regardless of the energy and dedication an employee has. Disconnecting from the job is needed for mental health. Therefore, your bank offers vacation time.

There are many reasons big vacations are not taken. Not every employee wants to travel or has the means to do so. There may be additional restrictions due to an employee’s health or that of someone they care for. Family schedules can be hard to sync and there can be many other reasons. But that does not prevent a person from using time off and disconnecting from the job.

There is the occasional employee who wants control. The work they do may be intricate and detailed and having a day-to-day knowledge of what has transpired assists them in keeping up to date and resolving problems quickly and accurately. “If I leave for a few days, I’ll just come back to a mess that will take weeks to clean up.” This may be a valid concern, but sometimes it is a sign of a controlling person who has falsified records and accounts and is concerned that anyone stepping into their job may find a discrepancy and that could lead to discovery. It is like a juggler with many balls in the air. If you miss one, many others may come down as well. They must be there, in control, to keep those balls in the air.

There are pros and cons of a mandatory vacation requirement. These should be recognized by management, HR, and the bank’s employees. Taking a short block of days, such as one week, gives the employee a chance to recharge their batteries. It can be a needed break.

This employee’s time off is also an opportunity for the bank to review the employee’s area. Have there been complaints from customers or staff that a supervisor was overstepping their authority? This is a chance for issues to come to the top so they can be resolved. It is also a time when workloads can be reviewed and balanced for the benefit of everyone. It also encourages cross training staff. No one person is irreplaceable and if they are, the bank needs to rectify that. People come and go but the business tasks continue as do deadlines. This gives the junior employee a chance to work at a higher level and to understand a job they may inherit or may not be suited for. In that case, it is better to know sooner rather than later. If that junior employee is in a rut, this may be an opportunity to help them as well. And if that seasoned employee were to decide to leave suddenly, the bank wants to know who can fill the position and what information may be needed to do so. A few vacation days may reveal that more cross training is required to be efficient, or that the written procedures are not adequate for the position in today’s environment.

After a year of so many telecommuting on a full or part time basis, this need is even more pressing today. It is rare that an employee will come back from a vacation more tired than when they left, even if they filled every day with activities. They either enjoyed the time off or looked forward to getting back to their routine. Either way, it is a positive position for the bank. That leads to happier employees, and makes future recruiting easier as well. It also makes planning easier for the bank and the employees because certain dates can be blacked out well in advance for the benefit of both the bank and staff.

Something that can be a short term “con” and a long term “pro” is that this advance planning reveals staffing concerns. Certain positions can be harder to fill and may stretch key employees very thin. Knowing this in advance assists in resolving the issue before it happens at a less controlled time.

Preplanned vacations may contribute to scheduling challenges as well. When several employees want the week off around given holidays like July 4th or Christmas, it can be taxing on those left to complete all the work. This may also draw down management’s time as increased supervision over a department or certain jobs becomes required. For this reason, adding planned maternity leaves into the calendar aids in the overall planning. A vacation will be easier to adjust than a parental leave.

Another challenge in having a mandatory vacation requirement is enforcing it. HR needs to be able to warn employees well in advance so there is not a concentration of employees who all need the last week of the year off. If planned events must be adjusted for whatever reason, they should be rescheduled immediately to avoid a bottleneck.

If an employee does not use their annual vacation time, either it accumulates which could cause the bank actual cash if it pays the employee for that time, or the employee could lose those days which could be seen in the long term as “theft of time” by the employee. That is, if their opinion of the bank sours, this will be one more thing they dislike about it and blame the bank. It also serves to support a bad employee as it adds justification to anything they are doing wrong.

How should the bank manage these situations? The bank controls the risks. The risk is the employee could be embezzling, but that is certainly not the norm and we do not assume it is, but we do recognize it as a red flag. It is a risk that is mitigated in part by ensuring employees use vacation time. You may hear arguments, “I don’t have enough vacation time to take an entire week off,” or “I’m a one-person department. If I’m not here to do my job, it will not get done.” This brings us back to risk mitigation. The bank truly needs someone else to understand that job and to be able to do it. In addition to the proverbial bus taking that employee out of their job, that employee limits their upward mobility in the bank, and if they ever choose to leave the bank there would be nobody cross-trained to fill in or take over. Again, risk mitigation is good for the bank and the employee in this case. Fortunately, this risk mitigation is also an audit control feature.

Audit Controls

The bank’s HR area should have a record of which employees have how many days of vacation. Proper procedures tell us the vacation days should be tracked. The bank needs to be aware of who uses, stockpiles, or loses vacation time. Proactively monitoring who has how many vacation days is a positive step for the bank in planning its calendar. When the bank has large projects coming up such as systems conversions, a new branch opening, or a major exam, certain employees may not be able to take vacation days. These need to blacked out and the employee needs to know this in advance.

Likewise, the employee should be able to identify at least one block of time they do want vacation, and this should be communicated to the bank. As an example, a bank with a mandatory five-day block of vacation needs to know when certain employees will be out. Additional vacation days may be broken up as some people enjoy short breaks and pairing one or two days with a holiday weekend provides interim breaks. But that five-day break helps detect possible ongoing fraud. Five days is often enough for one or more of those balls in the air to drop.

There may be a set period of days the bank identifies as “mandatory vacation.” If the bank determines that for a variety of reasons a five or even ten-day block of time is required, employees and the bank need to plan when this will be, so it meets the needs of both the staff and the bank. Employees may be restricted from having overlapping days with another key employee, so it may be necessary to create a hierarchy of who gets preference, the senior employee by position or time at the bank, the first one to request those days or some other methodology that works for your bank.

OK Administrative Code 85:10-5-3

To save you from looking this up, here is what the Administrative Code requires of your internal controls program as to being absent. The actual text is in italics, and I’ve injected my own comments after each paragraph, as needed, to reinforce certain points:

All internal control programs adopted by banks shall contain as a minimum the following:

(1) A requirement that each officer and employee, when eligible for vacation, be absent from the institution at least five consecutive banking days each calendar year, unless otherwise approved in writing by the bank’s bonding company for bank officers and employees generally and then each officer and employee who may be excepted from this requirement must be specifically approved by the bank’s board of directors and it shall be recorded in the board of director’s minutes, that the officer or the employee may be absent less than the five consecutive banking days. During the absence of an officer or employee, the duties of the absent officer or employee must be performed by other bank officers and employees.

This section says a lot. Some banks have expressed a policy of providing immediate vacation availability to meet this perceived five days off requirement. Note the text says, “when eligible for vacation.” If the bank’s vacation policy requires accrual and prohibits taking vacation in the first three or six months, then the requirement to take days off is based on eligibility and no time is available during that probation or accrual period. The bank may consider a policy such as “the employee will accrue 0.83 days of vacation per month yielding 10 days after one year. The employee will be eligible for vacation after 6 months, when five days have accrued. As vacations are planned, a five-day continuous block must be scheduled by the employee. Additional days may be taken at the convenience of the bank in one day increments, but at least one block of five days must be planned.” A policy such as this means that an employee hired after June will not have time to accrue the minimum five days required, July to December is six months, 6 x0.83=4.98 days, rounded up to the five needed, but the calendar year ends with the last accrual. In this case the accrued days could be taken in that year with the caveat that the 5-day block will be taken the following calendar year as there are more days accrued. Employees hired in May could feel resentment as a strict reading says they are eligible for five days of vacation in December and would have to take those days then to achieve the “each calendar year” requirement. The bank would then have to consider that is what is required, or an exception be granted or that vacations are simply not allowed in the first calendar year except by special permission.

Note next that the actual requirement is not that an employee take vacation days, but that they be absent for at least five consecutive days. In that this is an internal fraud control procedure the five days are business days – days in which problematic transactions such as those noted in the actual cases above could be detected. This means we do not count non-banking days such as weekends, holidays, or days when the bank is otherwise closed. This brings up an exception to consider. Say an employee is on a five-day vacation break and a winter storm closes your bank for two days. If there is no item processing, the intent of this break may not be met. The bank needs to consider extending that employees time off to accomplish the five-day break. Since the bank was closed those shouldn’t be vacation days anyway, but the employee may not have enough vacation days remaining for a five-day absence. If the vacation is not extended at that time, consider noting it as an unintended and unavoidable exception caused by an act of God.

Let’s consider another exception. Say an employee has a severe illness and has used their personal and vacation days. Some policies allow other employees to donate their days off to that sick employee. That may exhaust the donating employees vacation days and not allow the five-day absence requirement to be met. Such a policy should allow all but five days to be donated, unless the absence requirement has or will otherwise be met, so keep reading.

The real point here is that the issue is a five-day absence. Let’s assume the bank’s CFO is travelling out of town on Monday for a conference to be held Tuesday through Thursday. She then will travel home on Friday. All 5 of those days were business days. The 5 days of absence can be met with her not performing any of her duties in the bank – that is, if she was absent.

Now let’s consider what “absence” means. Remember that one motivating factor here is fraud detection. This means that employee is not conducting any of their functions or advising on issues while away. They should not be calling, texting, or emailing anyone about their job. Any message such as “Do not worry if it does not balance. Leave it as out and I will fix it/figure it out when I get back. No one will know” would completely defeat the purpose of the rule from an internal control perspective. Similarly, the bank should consider suspending the logon credentials of the absent employee. This protects the bank and the employee as the employee will without question not be able to go into the bank’s systems and make any changes, and any other employee using those credentials will be locked out. The bank’s IT department would be able to track attempted logons and determine if these credentials were compromised. That would be a separate issue, but an important internal control, nonetheless.

Exceptions can be allowed. These may require the approval of the bank’s bonding company, and the board of directors. The latter should be noted in the board meeting minutes. I was a common exception in my bank. It was a smaller bank, and I was the Compliance Department. This is a field requiring precise knowledge of laws and regulations and I was not easily replaceable. There were subject matter experts in various departments of the bank who could answer questions about their areas, but I tied it all together. I never worked on any general ledgers, debits or credits or handled cash or checks for processing. I did not grant or close loans. This put my position at a very low risk of conducting internal fraud and especially any fraud that would be detected because of my absence.

In a very small bank, another potential solution is cross-training. Two employees may switch positions, but it is imperative that they not conduct or advise each other about their duties as this could defeat the purpose of being absent. This is not ideal but may be permissible under certain circumstances.

Other Rules

The FDIC addressed this issue in FIL-52-95. Yes, that is from 1995 and it is still valid. In part it says, “The FDIC endorses the concept of a vacation policy that allows active officers and employees to be absent from their duties for an uninterrupted period of no less than two weeks.” Some larger banks do hold to a ten-day period but because of staffing issues, five days is often considered adequate to detect wrongdoing. The FIL is guidance, not a requirement. It states that if a bank is not following this guide, examiners should encourage the board of directors to annually review and approve the policy followed and the exceptions allowed. The March 2015 Internal Routine and Controls exam manual includes a section recommending a bank have a policy requiring employees (which includes officers) be absent for a two consecutive week period. I understand examiners will inquire about this, but that little else is done when risk management practices and strong internal controls exist. The exam manual calls for only a discussion with management when such a policy does not exist. It also states, “Any significant deficiencies in an institution’s vacation policy or compensating controls should be discussed in the ROE and reflected in the Management component of the Uniform Financial Institutions Rating System (UFIRS).” The exam manual also refers to the rotation of staff as an effective internal control and a valuable part of an employee’s training.

The Federal Reserve issued SR 96-37 in December 1996 discussing required absences. This was a guidance document. The FRB later issued Circular 10923 on February 10, 1997, where it provided guidance and recommended a ten-day absence. It is specific to sensitive positions and allows for well document exceptions.

I was in a national bank for over 20 years, and it was not an event during any of our exams. I have read that as national banks get bigger, the examiners do pay more attention and do point it out as a strong internal control. So, like the FDIC and FRB, they encourage a policy requiring absence, but it is not a requirement. It is mentioned in the OCC’s Internal Controls Manual. This references sensitive positions or risk-taking activities and asks, “Is there periodic unannounced rotation of duties for employees or vacation requirements that ensure their absence for at least a two-week period?” This is a question, but not a stated requirement.

The bank may opt to prioritize which positions would require a consecutive five- or ten-day absence from their positions and those handling cash and checks, approving and processing loans and similar “at-risk” tasks and positions may be the only ones required, or they may require a higher bar to request and have approved any exception. Risk rating the employee’s positions will not please all of them, but some may be happier than others. Changes to a position’s duties could influence this risk status, so remember to add that to a checklist, if applicable.