Legal Briefs Archive – Page 2 – Oklahoma Bankers Association

Legal Briefs

March 2023 OBA Legal Briefs

Reputation risk and theft
Deposit mismatches and liability

Reputation risk and theft

By Andy Zavoina

I think I’ve always been fascinated by “the con” and the way some people will steal, and others will be gullible. That fed a degree of interest and intrigue in me for many years and led me to a hobby of magic (where lying and stealing is for entertainment) and my first job in law enforcement. I was then involved in security at my bank, but my full-time duty was compliance. In the bigger picture, however, as an officer of the bank, my first responsibility was to the bank. That means I was always interested in the safety and soundness and reputation of the bank. I believe all our readers share those same interests and all of this was the inspiration for this month’s Legal Briefs. First, we’ll take a deep dive into much of the information available to you in several court cases and enforcement orders and then we’ll use the pertinent facts to provide the information needed to assist in improving policies and procedures in your bank to avoid similar instances, when warranted.

Maguire: On the 24th of February 2023, the United States Attorney’s Office for the Northern District of Florida posted a notice about Nicole Maguire. She was just sentenced to three years in federal prison after she pleaded guilty to conspiracy to commit bank fraud, bank fraud, and aggravated identity theft charges. That issue would involve the safety and soundness of the bank. The fact that I also had it show up in my alerts because there was also a story about her in The News & Observer, and I’m certain many other online and paper-based publications also ran the story, made it a bank reputation-related issue.

Nicole Maguire sold the names of bank customers, their identification card numbers, and bank account numbers to others who then stole more than $125,000 from those customers, and ultimately from the bank, in 2019. Yes, the wheels of justice turn slowly. But I’m sure the case is still of interest to customers of Regions Bank in Florida, Alabama, Iowa, and Missouri where the victims were.

Maguire was obviously not alone in this. Her co-defendants were Desmond Brannon, who was sentenced to four years in prison after pleading guilty to conspiracy to commit bank fraud and bank fraud charges; Steven Mussington, who was sentenced to 1 year and 1 day in prison for conspiracy to commit bank fraud and bank fraud charges; and Chelsie Worthen, who pleaded guilty to conspiracy to commit bank fraud, bank fraud, and aggravated identity theft charges. Then there were co-conspirators Darrell Wells and Georgia Ward who both reside in New York and were or are being prosecuted in the Southern District of New York under a separate but related indictment. Ward pleaded guilty to conspiracy to commit bank fraud and was sentenced to time served and an additional nine months of home confinement. Wells is awaiting trial on charges of conspiracy to commit bank fraud and aggravated identity theft.

The FBI and police departments in Florida, Iowa, and Missouri, along with the bank’s security investigators, were all involved in the case as well. It was far-reaching and I’m certain complex to unravel. At the end of the day, the short story is Maguire was the insider who sold the IDs and information and another woman had fake IDs made with others’ photos and the customers’ information to make withdrawals. They also passed some fake money orders and checks.

When a Regions customer, especially those in the four states specifically mentioned in this case, reads this story they will do one of three things— check their own accounts and worry about the security of their money, know this person was caught and that no customer lost any money, or worry that next time the perpetrator won’t be caught and the customer will be unaware of a loss from their own account. In any scenario, we do not want customers to worry. And while I said “no customer lost money” that is a supposition. There was no statement from the bank for whatever reason.

If your bank were to suffer such a loss, the bank should have a reaction plan in place. You should be able to fill in the blanks and put together an official statement in short order to demonstrate control of the situation and to instill confidence in the public and your customers. The bank should always look to emphasize that the bad actors were caught, and that no customer has lost money, not one dime. There are customers and customers-to-be who may need to be reassured.

This is the most recent case I have read about. But there are many others, and we want to explore some of those this month. When we pay particular attention to what happened, how and sometimes why, we learn valuable lessons about things that can be done in our own banks to avoid such problems. One common fact we see in internal cases is that they can take years to discover. This is especially so when the thief is going to “take a little, leave a little” and has the knowledge and authority, to cover their tracks. This is a key reason areas like security and audit need unfettered access when it comes to internal audits and investigations and staff need to speak up when they see transactions outside the ordinary. It is also a reason your bank should have a vacation or “period of absence” policy that will take a person away from their desk and out of control of internal accounts for a period long enough for discrepancies to show up. Those discrepancies should not be explained away but understood, accepted, or corrected. Questioning transactions and documents should be viewed as a constructive and protective act. If nothing wrong is found, it is a reassurance, and if something is amiss, the review is money saved overall and an opportunity to improve procedures.

Torgerson: In another recent case, Brady Daniel Torgerson from Beulah, North Dakota, was sentenced in February 2023 to two years in federal prison, three years of supervised release and a $200 special assessment. Torgerson pleaded guilty to two separate counts of bank fraud against financial institutions located in Beulah. This case also went back to 2019 and extended to 2021. Torgerson was employed as the president of First Security Bank-West and separately as a loan officer at the Union Bank. He used these positions of authority to conduct transactions that caused harm to both the banks he was working at and their customers.

While employed at First Security Bank-West, Torgerson funded loans which should have raised red flags with the most basic of controls. These questionable loans lacked necessary financial information, security interest documentation and even promissory notes. He created deceptive transactions by falsifying records in the bank’s computer system, increasing loans which then exceeded the original approved loan amounts, and extended maturity dates of loans to keep them off the past due listings and therefore anyone’s radar.

When he was working at the Union Bank, Torgerson created fraudulent loans in the amounts of $225,487.44 and $225,487.45 in the names of three separate individuals who neither knew about these loans nor received the funds. Torgerson had three co-defendants who were sentenced to both short jail terms which included one day of time served and a year of supervised release plus a monetary fine for each and $98,ooo restitution from one. I believe one of these was his father and the other two likely friends. You can almost hear the offer of something for nothing and them making a quick buck to help him out.

Anything that is transacted on the bank’s systems should be traceable to an employee based on logon credentials. An employee doing account maintenance at the direction of a superior should remember what was done and why, and their credentials should never be shared. When someone leaves a terminal, they should sign off. This helps protect everyone and promotes the integrity of the systems in place. Similarly, when loans are funded and booked without the standard security agreements and collateral documentations, and especially without executed note forms, questions must be asked, and the notification chain accelerated upward as that is a serious issue that would be difficult to explain.

On that same note, I remember “back in the day” when I was on the loan desk. This was at a military bank and predated internet banking. A young lieutenant who banked with us called from a large city about three hours away. He had found a car he just had to have. I got the necessary information from him and already knew his father was a retired colonel and his grandfather was a retired general, both West Point graduates. Of key interest was that fact that he would be back in town in two or three days, and he promised to come in and sign his contract. I provided the dealership with draft instructions so I as good as made the loan. I proudly informed my boss because I knew this was excellent customer service and would help build loyalty of this up-and-coming military officer. Unfortunately, after day three I had not heard from him. I waited nervously on day four and called him on day five. Even after all these years, I still remember his answering machine as he introduced himself and he said he was “either out rescuing a damsel in distress or a cat from a tree.” I just knew at that moment I had a nutcase for an almost borrower. But he came in shortly thereafter, the paperwork was done, and the loan paid as agreed. I never did that again. But it would explain what happened and there was no loan being booked without a note and collateral.

Seck: A case as recent as we can get was published February 27, 2023, by the U.S. Attorney’s Office, District of Maryland. In this case Diape Seck, of Rockville, Maryland, was at the time of the bad acts a customer service representative at a bank. He and his eight co-conspirators stole or attempted to steal almost $2 million by fraud, including by stealing checks from the mail of churches and religious institutions. Seck was the ringleader.

Seck fraudulently opened bank accounts using fake identities. He took cash bribes for his efforts. Among other illegal acts, his accomplices then deposited stolen checks from churches and other religious institutions into the fraudulent new bank accounts. The co-conspirators withdrew and spent those funds as compensation for their efforts.

There were more than 400 accounts opened in just over a year beginning in January 2019. Identification relied on was often Romanian passports and driver’s license information. Generally, the deposits were made to ATMs the bank owned. From those deposits cash withdrawals would be made and debit cards associated to the fraudulent accounts would be used for purchases.

Seck’s sentencing is scheduled for June. He faces up to 30 years in prison. The accomplices generally are facing three to five years each. One in Dania Beach, Florida, and another in Baltimore are the only two facing restitution with each exceeding $1 million. Raise your hand if you think the restitution will actually be paid. I’m not raising mine.

What might have helped stop this sooner than a year into the scheme? Sending new account verification letters could have helped alert an auditor that an address was bad if that was the case here. So would address scrubs where the bank compares accounts with the same address and different owners. That could show as an example multiple owners using the same post office box address.

Schroeder: Let’s turn our attention to Ronald Wayne Schroeder and the Bank of San Antonio where he was the bank president. His crime dated back to before 2020, but it was August 2022 when he was sentenced to 97 months in federal prison as his fraudulent activities cost the bank $13 million.

Schroeder himself took nearly $3.2 million. He and his co-defendants conspired to defraud various banks of money through the factoring of false and fraudulent invoices. They began with Southwest Bank, then included Schroeder’s bank, Bank of San Antonio, and finally included the TransPecos Bank.

Schroeder sent false and fraudulent invoices of companies owned or controlled by the other defendants in the case, to be factored by these financial institutions. This is a process where a company sells its receivables to a third party, in this case the victim banks. Factoring is intended to provide a quick capital injection into the business selling the receivables as they are sold at a discount which provides an immediate short-term gain and allows for a profit margin to the buyer as the receivables pay back over time. Schroeder and other co-defendants would then use that money for their own personal enrichment or to pay off old invoices owed to the banks much like a Ponzi scheme where money from new investors is used to pay old investors. Schroeder used his $3.2M to buy a beach house, airplane, boat, and vehicles.

Schroeder and the others obviously knew what they were doing. It was a definite abuse of authority by Schroeder and that certainly would have influenced the first bank they factored with. Once they got the first bank in place, they were able to leverage credibility and get a second and then a third victim bank. Like all Ponzi schemes it would reach a point where there was not enough money coming in to support the debt already established. When the receivables stop paying and they are discovered to be fraudulent, the house of cards falls and, in this case, there were $13 million of them.

As you can imagine, based on this case and others, an abuse of position was a contributing factor. Staff must be able and willing to question transactions, loans, and arrangements where the bank is paying some high-ranking officer or board member or someone or a company associated with that person. When it is an unusual arrangement, it deserves to be questioned and that person, if legitimate, really should not mind so everything is transparent and above reproach.

Romero: Orlando Romero worked at Deutsche Bank as a client service specialist. Always wanting to improve his position he was seeking employment opportunities in the banking field. He received a written employment offer from another bank. While that offer was good, he knew he could do better. He decided to look within his current bank, and he doctored that offer by adding to the salary the competitor bank was offering him. He presented this “modified” offer to his supervisor at Deutsche Bank who agreed to meet that offer and Romero received a $28,000 increase to his annual salary. One might believe the bank must have been under-compensating him to provide such a hefty increase all at once. But Romero left Deutsche Bank some thirty months later when his prior deception became known. Romero was deemed By the Federal Reserve to have violated the bank’s internal policies and committed violations of law or regulation, unsafe or unsound practices, or breaches of fiduciary duty. He was ordered to cease and desist and has been banned from banking.

Many are of the opinion that the bank made the decision to pay him presumably what he was worth as an employee. But the way he went about it was deemed unacceptable. Staff needs to be aware that ethics policies do have teeth.

Ratcliff: James Ratcliff worked at the First National Bank and Trust Company of Vinita for 20 years. He was an executive vice president and vice-chairman and chairman of the board at his bank at different times. Abusing his position, he had the bank engage and pay entities owned by him as third-party vendors. This in itself is not the violation, but the manner in which the relationship was handled was. He set up financial arrangements between the bank and the entities he owned. There should have been someone else managing that relationship just as tellers should not complete transactions for relatives. Work was not tracked or verified but was paid for. There was little evidence that what was billed for was actually done, which causes doubts as to the validity of the billing. Because of his insider status and long standing at the bank, he was not sufficiently challenged by others in management. He failed to ensure employee compensation was commensurate with the employees’ responsibilities and actual work performed for the bank.

Ratcliff also directed employees and contractors to perform work for the entities he owned, at the bank’s expense. He made unsafe and unsound loans. The OCC noted in its consent order that delinquent borrowers were instructed to form new entities and Ratcliff had the debt transferred to that new entity without correcting the problems leading to the delinquency, which only hid those past due accounts from accurate recordkeeping., These loans were also made without sufficient documentation such as financial statements.

Ratcliff was handed a $100,000 civil money penalty and was banned from banking. Here again, we see officers in high positions run a bank as though it was their personal piggybank and they had unfettered control. That is not how it should ever appear and internally the bank requires a culture of separation and transparency.

Fritz: Ratcliff was not doing everything alone at First National Bank and Trust Company of Vinita. Tony Fritz was the former chief lending officer and a director at the bank.

Fritz was cited for failing to ensure that credit administration and risk management practices and controls were effective and commensurate with the risk and complexity of the loan portfolio. He failed to develop a system to ensure ongoing monitoring of complex commercial credits and to ensure the bank kept adequate loan documentation. He failed to formalize loan review and approval processes and failed to properly document lending decisions. He failed to provide credible challenge to members of senior management who maintained loan portfolios and failed to maintain adequate oversight over their portfolios. Fritz approved and/or originated multiple unsafe or unsound loans that were liberally underwritten and included inaccurate credit memorandums containing insufficient financial statement and cash flow analysis. He originated loans to cover customers’ overdrafts and overdraft fees. He extended additional loans to borrowers who were not creditworthy, sometimes through creating new entities, in order to make payments on such borrowers’ non-performing loans. In short, Fritz was a key officer whose authority and duties were in part to balance the scale for what others might do and to ensure controls were in place and functioning as they were designed to. That did not happen in this case. Sometimes staff can only do so much, and when bad acts are committed willingly by the most senior of officers, the regulators take action. Fritz was cited with a $20,000 civil money penalty.

While these last two enforcement orders from late 2022, the bad acts were from years before. BancFirst purchased this bank early 2021.

Deposit mismatches and liability

By Andy Zavoina

Continuing with the theme of fraudulent transactions but changing to liability, let’s review a new case that screams “what you do know, can hurt you,” especially if a bank turns a blind eye to the obvious.

This is a legal case, Studco Building System U.S., LLC, plaintiff, V. 1st Advantage Federal Credit Union, (Studco) Civil Action No: 2:20-cv-417 in Virginia. This case began about August 2018 when 1^st Advantage opened an account for an individual. In the court documents he is referenced as “John Doe.” The court does not know who the actual account holder is. With Bank Secrecy Act regulations, 1^st Advantage would have had to follow basic requirement to know the customer. But it did not verify John Doe’s identity, physical or mailing address, prior banking history, whether John Doe was eligible to be a member, nor did it verify the source of funds intended for the account.

This is not a case of an account takeover but a BEC or Business Email Compromise. The end result is similar, as the scammer gets the victim’s money. But in a BEC there is hacking or social engineering to get into a corporate email account. Once inside, the scammer looks for some discussion about a project and bill for that project that is due or will be soon. Studco Building Systems sounds like a company that would buy large amounts of materials and then pay the large bills they receive for them. Once he finds one of those the scammer is halfway there.

In this case, about two months after opening his account, Doe impersonated Olympic Steel out of Ohio. He sent Studco instructions to make an ACH payment to the 1^st Advantage account he opened. 1st Advantage received those funds and was aware that Olympic Steel was not a depositor of theirs. Beginning in October 2018, Studco sent one ACH to 1st Advantage to the account number of Doe in the amount of $156,834.55. That transfer identified Studco as the originator and Olympic Steel as the intended receiver. This did not match any account holder with 1st Advantage. The ACH credit identified a personal account number, but the transfer was coded commercially as a “CCD” meaning it was a “Corporate Credit or Debit.” In this case NACHA rules require CCD payments to be restricted to transactions that involve only businesses. Any CCD payments directed to personal accounts are required to be rejected by the receiving bank. In this case 1st Advantage did not do that. A short time later 1st Advantage accepted three more large commercial ACH credits for Doe’s personal account totaling nearly $559,000.

Doe wasted no time as he began transferring the funds out. Typically, when these funds reach John Doe’s account, the valid originating bank’s customer and the originating bank have to take fast action as Doe will be getting that cash out of the account. Doe’s goal is to beat any reclamation claim by the originating bank or the company paying its bill. Sophisticated scammers may send these funds through several banks and then convert it to crypto or have it sent to a foreign bank. In this case, Doe was taking the funds incrementally — all $559,000 — and he did it in person and with the assistance of 1^st Advantage staff. It took him more than a month as 1st Advantage employees issued thirteen cashier’s checks and wire transfers to move the funds out. Nine of the thirteen withdrawals were reportedly to an individual or entity known to the 1^st Advantage staff who assisted him. This added validity to his transfers.

When there is a BEC you may find yourself with many of the same questions you would have for a takeover:

Who may be responsible for the loss?
Did the bank that sent the funds following the company’s orders (Studco) follow the instructions precisely?
Was this an unusual transaction for Studco?
Is Studco liable for the loss, what were their actions, and how did they protect themselves?
Was the hacker using an actual vendor’s system, and if so, does that vendor have liability?

The FBI in Rochester, New York, initiated the investigation. During the investigation, Studco alleged that 1st Advantage intentionally concealed, and continued to conceal, material information from Studco related to John Doe and the account. That both hindered the investigation and aided John Doe in his theft. Studco initiated actions against 1st Advantage in November 2019.

You may be surprised how the Virginia court ruled in this case. 1st Advantage, the credit union that received the funds, would have liability under Article 4A of the UCC. The credit union had AML software and that software provided alerts on mismatch between the account name and the name in the ACH transfers, but no one acted on those alerts. 1^st Advantage certainly did not follow BSA requirements to know its customer. There was no indication that 1st Advantage had actual knowledge of John Doe’s illegal activities. But the court found that there was certainly an inference the bank should have made, as its AML software generated several alerts pertaining to account discrepancies, fraudulently diverted payments, and withdrawals by the John Doe himself. There were many indications that the account was being used for fraudulent purposes.

The court’s order effectively said there exists a “should-have-known” standard under the relevant provision of UCC Article 4A, but this is in contrast to many other court decisions that required proof of actual knowledge by the receiving bank of the discrepancy between named payee and actual account holder at the time the payment was credited to the account. Other courts have yielded to part of Article 4A stating, “If the beneﬁciary’s bank has both the account number and name of the beneﬁciary supplied by the originator of the funds transfer, it is possible for the beneﬁciary’s bank to determine whether the name and number refer to the same person, but if a duty to make that determination is imposed on the beneﬁciary’s bank the beneﬁts of automated payment are lost.”

The court hearing the Studco case reviewed both the UCC and NACHA rules requiring a commercially reasonable manner or exercise of ordinary care when processing ACH payments. The court held 1st Advantage fell short of this standard in the way it opened the account and ignored red flags generated from its own software. The court stated that 1st Advantage “did not maintain reasonable routines for communicating signiﬁcant information to the person conducting the transaction. If 1st Advantage had exercised due diligence, the misdescription would have been discovered during the ﬁrst ACH transfer.”

Finally, while it is an unusual finding, it is one that bank customers would likely agree with. The red flag warnings would have been triggered based on criteria 1^st Advantage defined, yet it failed to do anything when the alerts were generated.

Let’s look at a basic argument that many banks rely on — if we have a valid account number, deposit the funds. We in the Compliance team hear this question regularly and thoroughly expect to again this year as tax refunds begin to be deposited. What do you do when there is a known mismatch in a tax refund between the name in the direct deposit ACH record and the name of the account holder? This is sometimes complicated because the person named on the deposit may be a convenience signer on the account, but not an owner. They may be a known associate of the owner, but not an owner. Could this person be hiding assets from a creditor and shielding those funds in an account that could not be touched legally because that person is not the account owner? What if the account owner takes the funds? Technically the funds are their property, but does the bank want to be involved in that? What if the account owner is served a garnishment and the other person’s funds are taken as a result? Again, it is their property by virtue of account ownership, but does the bank want to be involved? Would it not be more responsible to require that even with personal accounts, the account number and name in the deposit record must match? Based on this Studco opinion, could your bank find itself with liability? And lastly, how much is the bank willing to spend to find out?

February 2023 OBA Legal Briefs

Signage management
SCRA and a new best practice recommended?
The child support levy moratorium is over

Signage management

By Andy Zavoina

As we enter the new year, let’s continue from last month on getting the little things squared away so we can focus on a new year of compliance work. Let’s talk about signage requirements. In our main branch we had a “Fed wall” which was one area which had the federally required (and state, as applicable) notice requirements. It should be in an area that is highly visible to meet the intent of the posted notice requirements. It does no good to put these on the wall behind a door that stays open and prevents viewing them. You will not get credit during an exam for posting them where they cannot be seen. Similarly, when the branch manager thinks your Fed wall is an eyesore and puts the plastic Ficus trees in front of your detailed work – no points. If there was a remodel done and the signage was taken down for maintenance, ensure it goes back up.

As to being unsightly, beauty is in the eye of the beholder. If you put courier font printed pages in a $2 frame and nailed it to the wall, that is what it will look like. What we did was to lay out all the applicable disclosures and we bought one large frame, had a mat cut for all these in one space and then everything was accounted for in one space. As a new branch was opened, we ordered another of the same design. This ensured that everything was easily accounted for and posted easily on the wall rather than trying to lay out several frames, especially if those frames were each different giving a hodgepodge appearance. It was also a simple task to pull the frame down, remove the backing and switch out the disclosures when necessary. As a tip, there is a transparent and removable tape that uses the same type of glue as sticky notes have. It will hold your documents to the mat securely yet provide the flexibility to switch them out without destroying the mat or other documents.

Here are suggestions and justifications for your Fed wall and other required signage.

Additional signage requirements while you are auditing these:

Customer Information Program procedures require providing adequate notice the bank is requesting information to verify customer identities prior to opening account. May be given or posted. 31 CFR 1020.220(a)(5)
FDIC Deposit Insurance Notices are to be displayed at each station or window (including drop boxes, teller windows, New Accounts, drive-ups) where insured deposits are normally received, excluding automated service facilities such as ATMs, night depositories and POS. These signs must be 3″X7″ in size. 12 CFR 328.2 & FDIC 93-42, 94-17. [Editor’s note: The FDIC has a proposed rule out for comment through April 7, 2023, that could affect this requirement]
Funds Availability Policy is for banks routinely delaying availability of any deposited item. Disclosure is required of several items in a conspicuous place in each location where deposits are accepted. This includes abbreviated text on ATMs but excludes drive-ups. These disclosures are contained in our Facts About Funds Availability brochure that can double as the posted notice. 12 CFR 229.18
ATM Surcharge Notice requirements apply if your bank, as an ATM owner/operator, imposes a fee to complete a transaction or inquiry. The bank must disclose on the ATM or ATM screen that a fee may be imposed. 12 CFR 1005.16(c).
Rate Board requirements under TISA/Reg DD are that indoor signs are exempt from many advertising requirements. But if a rate is stated it will use the term “annual percentage yield” or “APY” and contain a statement advising consumers to contact an employee for further information on terms and fees. 12 CFR 1030.8(e)(2)

And for employees there are several other requirements.

5-in-1 Employment Poster is required to be visible to job applicants and employees, 42 USC 2000e-10(a).
This poster should include five parts, and if not in a combined poster, individual signs must be posted in the manager’s office or lobby. The five laws are: Equal Employment Opportunity Act, Fair Labor Standards Act, Employee Polygraph Protection Act, Family Medical Leave Act, and OSHA’s Plain Language “It’s The Law”. Refer to 29 USC 201, 29 USC 2003, 29 CFR 825.300, and 29 CFR 1903.2(a)(3)
Notice of Employee Rights has two requirements; 1) Executive Order 13496 is a Notice of Employee Rights under the National Labor Relations Act, the primary law governing relations between unions and employers in the private sector. See 29 CFR Part 471. Banks need to follow this for various reasons including due to FDIC insurance, savings bond transactions, TTL accounts and government contracts. Post the notice conspicuously in offices where employees covered by the NLRA perform contract-related activity, including all places where notices to employees are customarily posted both physically and electronically. 2) Employee Rights under the NLRA See section 7 of the NLRA, 29 U.S.C. 157

SCRA and a new best practice recommended?

By Andy Zavoina

The Servicemembers Civil Relief Act (SCRA) has been around a very long time. It has existed under several names and can trace its origins to the Civil War. Prior versions were enacted and would terminate, but the Soldiers’ and Sailors’ Civil Relief Act has been in force since 1940. It was modified and became the current SCRA in December 2003.

The premise of the law has not changed. The intent of Congress was to give peace of mind to the servicemember by granting special protections to their rights and property interests while they are in the service of our country. The provisions of the SCRA allow servicemembers to have their legal rights secured until they can return from the military to defend themselves, when necessary, and to better afford existing debt which may be more difficult to service with a reduced income from military service.

Many banks misunderstand the SCRA and believe it is a wartime protection, but the SCRA is in effect at all times – not just when the country is at war. Many SCRA protections affecting the banking relationship your customer has with you apply to debts incurred prior to military service. That is the 6 percent maximum rate many bankers are aware of.

You will find the actual law at 50 U.S.C. 3901 and it is conveniently located in the “Other / Misc Regulations” section of the BankersOnline Regulations pages. There is no implementing regulation. Often when looking for guidance a banker should review the SCRA workpapers of its overseeing agencies, court cases, and enforcement actions published by any of the banking agencies. There are also guidance documents that may be issued. The agency with “key” enforcement powers is the Consumer Financial Protection Bureau (CFPB). Although it is responsible for the larger banks (with assets over $10 billion) it is very connected to the SCRA and even has a department dedicated to servicemembers. This department provides many updates each year about the treatment of servicemembers, although each of the prudential agencies has oversight as well. In fact, most have established rigorous exam schedules to ensure the SCRA is being adhered to, and it is not uncommon to read of enforcement actions by any of them. These may be for repossessions that were not following SCRA requirements, and also for violating that six percent rule. That rule is what this article is really about as the CFPB has issued its opinion that may be read as guidance, and practically requires banks to be proactive on providing the interest rate reduction even when a servicemember does not request it. In a nutshell, it is recommended that banks seek out possible opportunities to reduce interest rates and do so at any indication that there may be SCRA protections available.

Servicemembers do receive training on the availability of these protections and in many cases I have read that there are articles and training available periodically to remind them of this law. In fact, recruiters “sell” the rate reductions as a benefit of military service. But as I have studied the law and its evolution, I understand that it was intended to offer the thanks of a grateful nation for their service. This six percent interest rate reduction was offered (read – required) by law but at the expense of lenders, not taxpayers. That is what politicians call a win – win.

Here is an example. Assume your customer has a civilian occupation earning $63,000 annually. This person has an annual debt service requirement of $42,000 which yields a debt ratio of 67 percent. Now let’s have your customer called up for active duty. He is an E-6 with over six years of service. His annual income is now $44,544 for 2023 and his debt service jumps to 94 percent. It seems like he might benefit from an interest rate reduction.

This reduction in income is not always the case. When the law originated there was a draft and military pay was not competitive with the same jobs’ civilian counterparts. There was an article in 2006 that cited a RAND National Defense Research Institute study which revealed 72 percent of servicemembers surveyed were making more money in the service than as civilians. The original law’s intent was to assist a servicemember when needed and it was not an automatic protection. It was to be requested based on a lower income due to military service. A classic example is Gene Autry, the Singing Cowboy in the 1940s. He enlisted to serve in WW II. His income went from $400,000 a year to $1,008.

Where did the six percent rate originate? I honestly do not know how Congress arrived at that number in 1940, but that was it. The rate allowed does not fluctuate and is not adjusted with the cost of living. The prime rate in 1940 was 1.5 percent so there was a margin of 4.5 percent. In January 2023 the prime rate is 7.50 percent which with that same margin would yield an SCRA adjusted rate of 12.00 percent – double what is currently allowed.

A general rule of thumb is that a person being paid by Uncle Sam is “in the military.” The recent high school graduate who enlists in the military is being paid by the military the day they report for basic training. This is an easy and clear-cut test but there are always other possibilities. Based on definitions in the SCRA, a servicemember (reservist) being called up is afforded protections upon receipt of their orders. Further, the definitions tell us that a servicemember is “in the military” when they are employed full-time in this capacity and further, that debts incurred prior to that are subject to SCRA Section 3937, which provides the 6 percent rate cap. These are two different events, the date of being protected, and being “in the military” and paid by the U.S. government (Uncle Sam). When the debt was incurred and when the person was protected can be exclusive of one another. It is possible that a reservist will receive their orders, borrow, and later claim protected status and want a rate reduction. I discussed this with an Army Judge Advocate General officer (JAG attorney) and he said while that was not the intent, it does seem to be the result.

What is happening in theory is a person has that civilian debt ratio and all is fine. There is a national emergency, and this person wants to go into the military and serve their country. Loan rates are reduced, and this makes that government paycheck stretch a bit farther. A servicemember borrowing after they are in the service is not required to be given a rate of no more than 6 percent because they know what their income is now and should borrow responsibly, only when they know they can afford to repay it. This supports my understanding of why this exists and it is not to be a benefit and reason to serve but rather one less inhibitor for those wanting to serve.

The protections under Sec. 3937 apply to debts incurred by the servicemember, or the servicemember and their spouse, jointly. This is a clarification from the old law, the SSCRA. Industry practices then were to apply the protections against any loan on which the servicemember was obligated. The new law specifies who is covered. As reassuring as this may be, it can also be troubling as there would be reputational risks if you refused to lower the rate on a loan to the servicemember and their parents or children, as an example. The same debt service standards may apply, but the law isn’t written to protect other borrowing relationships.

Pre-service debt is a key factor. The interest rate on a pre-service credit card balance today of a servicemember must be reduced if it exceeds 6 percent. Charges made tomorrow (or at any time during military service) are not pre-service and thus not subject to the cap.

The SCRA made it very clear that a bank’s knowledge alone that a customer was now a servicemember was not sufficient to justify any adjustment to the loan rate. The SCRA required the servicemember to provide a written request for relief and provide a copy of their military orders as well as any extensions of those orders. Keep in mind, however, that the servicemember may invoke their rights under this section at any time up to 180 days after their release from military service. The application of the six percent rate becomes retroactive. Even if the debt was paid in full before the servicemember invoked their rights, a re-amortization and refund could be owed based on the date they were under protection of the SCRA until their release.

Notification requirements were changed a little by Public Law No. 115-232 on August 13, 2018. The SCRA now says the servicemember shall provide to the creditor written notice and a copy of—

military orders calling the servicemember to military service and any orders further extending military service; or
any other appropriate indicator of military service, including a certified letter from a commanding officer.
a creditor may use, in lieu of notice and documentation under 1 or 2 above, information retrieved from the Defense Manpower Data Center (DMDC) database through the creditor’s normal business reviews for purposes of obtaining information indicating that the servicemember is on active duty.

So, item 2 provides a more flexible notice and a third option was added for, “normal business reviews.” So, a safe harbor was introduced for a creditor that uses the information retrieved from the DMDC with respect to a servicemember if—

a. such information indicates that, on the date the creditor retrieves such information, the servicemember is not on active duty; and

b. the creditor has not, by the end of the 180-day period, received the written notice and documentation required requesting protection. (There is no six percent rate requirement.)

4. A substitute for copies of the servicemembers orders is a certified letter from the servicemembers’ commanding officer. This term, “certified letter” is not defined but in its purest United States Postal Service form would be “a special USPS service that provides proof of mailing via a receipt to the sender. With electronic USPS Tracking, the sender is notified when the mailing was delivered or that a delivery attempt was made.” This is not Registered Mail which has different handling and security features from Certified Mail.

The existing SCRA, 3937(b)(1) already included the 180-day period, but the certified letter from a commanding officer is a new alternative for invoking the rate reduction.

Many banks can verify individual servicemembers as well as batch process requests with the DMDC SCRA database. Many banks adopted the batch processing method and check the bank’s CIF records against it on a monthly or other regular basis. New hits could show active duty status and immediately bank records would be adjusted or a relationship manager would contact the customer and verifications would be initiated or protections would go in effect. They could be reversed later if in error.

In December 2022, the CFPB published an analysis of servicemembers not getting the benefits of interest rate reductions for various reasons. “Protecting Those Who Protect Us” discusses those Guard and Reserve servicemembers who are activated but are not receiving these benefits.

Here are some points brought out in the publication:

Reserve and National Guard members called to active duty are paying an extra $9 million in interest every year because they are not always receiving the benefit of their right to rate reduction.
In an odd selection of a time period, the CFPB estimates that between 2007 and 2018, data show fewer than 10 percent of auto loans and 6 percent of personal loans received a reduced interest rate and it is believed this reflects lower numbers than should exist.
It is estimated the underutilization amounted to $100 million of interest that was paid unnecessarily to lenders for auto and personal loans.

Who is entitled to these protections? The regulators expect banks to use the DMDC database which has proven accurate enough to warrant a safe harbor when used for verifications under the SCRA and the Military Lending Act. (Note, the SCRA has one database, and the MLA has another. You would expect that the servicemembers themselves would be on both and dependents would be on the MLA. So, if you are checking on the servicemember, either should suffice, right? When I spoke to someone at the DMDC they could not explain a servicemember difference but were emphatic to check the respective database based on the purpose of the inquiry. I believe one difference may be that some SCRA benefits extend beyond the period of military service but not for MLA use. The results of the query may include that. The DMDC has a manual that among other things denotes “Title 32 outlines the role of the United States National Guard; normally Title 32 members are not covered under SCRA. Those Title 32 members and others who meet the criteria referenced in Title 50 USC App. §§ 3901 below are accurately represented on the SCRA website.

In order to be considered for SCRA coverage a Title 32 member must be called “…to active service authorized by the President or the Secretary of Defense for a period of more than 30 consecutive days under section 502(f) of title 32, United States Code, for purposes of responding to a national emergency declared by the President and supported by Federal funds.””

The CFPB says in its 39-page publication, “Existing literature suggests that the interest rate reduction benefit is underutilized, and continued enforcement efforts suggest that some creditors continue to violate protections against repossession, despite efforts to increase awareness of SCRA protections and improve information about servicemember eligibility for those protections. There is also limited information on utilization rates, making the development and evaluation of public policy efforts to increase benefit utilization difficult.” The paper indicates servicemembers are not receiving the protections they are entitled to for various reasons, that banks (that is my term as the CFPB refers to financial institutions, creditors, finance companies, etc. but I am writing for banks) are violating the SCRA and that servicemembers must jump through too many hoops to get these protections. Further the CFPB complains that banks are not thorough in retroactively applying the interest rate reductions.

The law is clear that the servicemember can request protections, but the CFPB wants to emphasize option 3 above where banks will voluntarily use the DMDC database. It actually goes further and attacks creditors who insist on following the law’s stated requirements, saying in the publication: “However, creditors could just as easily access a Department of Defense system [the Defense Manpower Data Center SCRA website] that checks any borrower for active-duty status.” This raises two issues bankers need to consider. First, how much would be involved in the bank regularly batch processing its CIF files against the database, and second, would this be a cost-effective use of resources? Positive hits would require additional procedures to verify the status with the customer. That is, a positive hit could be verified before progressing, or the bank could take that positive hit and respond with a confirmation letter. The bank could explain how it made its discovery, that the customer’s loan has been reduced in rate, the effective date, the reamortization of those applicable payments and the deposit or attached check for the refund of interest that had been paid and is being refunded. The letter will explain the new payment amount as it will be reduced and what to expect if the servicemember’s protections end before the loan is repaid in full. This is also an opportunity to thank them for their service, point out the benefits of internet banking and request a copy of the person’s orders if the bank wants them for their files. The CFPB recommends the best practice is to provide the rate discount without burdening the servicemember with any requests. Your bank needs to determine if it agrees with that. At the very least it is an opportunity to verify the bank has the correct mailing address as we all know it is typically a requirement in account agreements, but typically a completely ignored requirement as well.

I may have downplayed the CFPB’s intention as it actually encourages bank employees to be whistleblowers, “Employees who believe their companies have violated federal consumer financial protection laws are encouraged to send information about what they know to whistleblower@cfpb.gov. To learn more about reporting potential industry misconduct, visit the CFPB’s website.“ This is not in the published document but the online news release. https://www.consumerfinance.gov/about-us/newsroom/cfpb-finds-members-of-the-reserves-and-national-guard-paying-millions-of-dollars-in-extra-interest-each-year/

Here is a takeaway list for banks to consider:

Should it be batch checking CIF files?
What follow-up if any with the servicemember is desired?
Will protections be applied automatically?
Procedures should already be to retroactively apply the rate reduction to the date of protected status.
When the borrower has one or more loans, the benefits should apply to all.

The SCRA does allow in Section 3937(c) for a challenge to the rate reduction. A court may grant a creditor relief from the limitations of this section (3937) if, in the opinion of the court, the ability of the servicemember to pay interest upon the obligation or liability at a rate in excess of 6 percent per year is not materially affected by reason of the servicemember’s military service. As an example, let’s assume the bank makes a car loan to a college student who is working their way through college on scholarships and delivering pizza. The student is not making a lot of money but enough to survive and make a small car payment. Come graduation day the student graduates and becomes a military officer and doctor, receiving a huge increase in their income. They request a rate reduction because “it is their right.” That was not the intent of the law initially, but it has become so political. The bank has the right to contest the request, but the reputation risk is severe, and the bank could appear unpatriotic.

I believe a challenge to protections would require an extraordinary case and we have yet to see a deserving one. But the CFPB is promoting a new best practice which is not called for in the law. Bankers should understand, what is requested by the CFPB is purely optional and would come at a cost. Banks individually must determine if it is a reasonable cost or not.

The child support levy moratorium is over

By Pauli D. Loeffler

During COVID-19, the Oklahoma Child Support Service (“OCSS”) took a break from issuing levies. The moratorium has ended, and banks are receiving levies again. I covered child support levies in the February 2018 OBA Legal Briefs, which you can access online once you register an account through the My OBA Member Portal. Here are few bullet points to keep in mind.

The levy is exempt from the Garnishment of Federal Benefits rule.
The levy attaches to all deposit accounts OWNED by the Obligor/customer whether or not the account number is included on the levy. That includes accounts held in sole ownership, joint ownership, sole proprietorships, grantor trusts, CDs, MMDAs, IRAs, retirement, annuities, 401Ks, and HSAs. It will NOT reach accounts owned by an LLC (even if it uses a sole member’s SSN), a corporation, partnership, a limited partnership, IOLTA, insurance premium trust account, etc.
The levy is effective for 60 days after receipt and subsequent deposits will be captured. The bank may cash “on-us” checks payable to the account owner but should not cash checks drawn on other financial institutions.
A copy of the levy will be mailed to the account owner by OCSS, so the bank does not mail a copy. The bank is free to let the owner know of the levy as soon as it locks the account down.
OCSS may release or partially release the levy prior to 60 days. The release must be signed by an attorney.

January 2023 OBA Legal Briefs

Has your bank suddenly become a HMDA reporter?
Minutiae matter
Joint owners’ signatures on new joint accounts

Has your bank suddenly become a HMDA reporter?

By John S. Burnett

A recent federal court decision has lowered the loan reporting threshold for closed-end mortgage loans under the Home Mortgage Disclosure Act-implementing Regulation C from 100 to 25 closed-end mortgage loans in each of the two preceding calendar years. If your bank has been routinely making 50 or 60 closed-end mortgage loans and very few open-end mortgage loans each year for the last several years, you might have been planning to enjoy another year in 2023 of not being a HMDA reporter.

All that has changed. And if you haven’t realized that yet, you’ve got some scrambling to do.

Background

In a final rule that became effective in 2015 (the “2015 final rule”), the CFPB set the HMDA reporting threshold for closed-end mortgage loans at 25 in either of the two preceding calendar years.

On May 2, 2019, the Bureau issued a proposal to, among other things, increase the 25 closed-end mortgage loan reporting threshold to either 50 or 100 such loans in either of the two preceding calendar years.

On May 12, 2020, the CFPB issued a final rule (the “2020 final rule”) that, among other things, increased the closed-end mortgage loan reporting threshold to 100 such loans in either of the two preceding calendar year. The change was effective July 1, 2020.

After the adoption of the 2020 rule, the National Community Reinvestment Coalition, Montana Fair Housing, Texas Low Income Housing Information Service, Empire Justice Center, the Association for Neighborhood & Housing Development, and the City of Toledo, Ohio, filed a lawsuit challenging the changes to the closed-end reporting thresholds (and other provisions) in the 2020 final rule, asserting that the 2020 final rule was arbitrary and capricious, contrary to law, and in excess of the Bureau’s statutory authority under the Administrative Procedure Act.

On September 23, 2022, the U.S. District Court for the District of Columbia issued an order vacating (nullifying) only the portions of the 2020 final rule that increased the closed-end mortgage loan reporting threshold. The court found that the “CFPB failed adequately to explain or support its rationales for adoption of the closed-end reporting thresholds under the 2020 Rule, rendering this aspect of the rule arbitrary and capricious.”

The court cited the preamble to the 2015 final rule in noting that the CFPB explained that “the loss of data in communities at closed-end mortgage loan-volume thresholds higher than 25 would substantially impede the ability of the public and public officials in these locales and others to understand access to credit in their communities.”

The CFPB offered no comment on the court’s ruling until December 6, 2022, when an article, “Changes to HMDA’s closed-end loan reporting threshold,”[https://www.consumerfinance.gov/about-us/blog/changes-to-hmda-closed-end-loan-reporting-threshold/] was posted to the Bureau’s blog. The article simply said, “The [court’s] decision means that the threshold for reporting data on closed-end mortgage loans is now 25 loans in each of the two preceding calendar years, which is the threshold established by the 2015 HMDA Final Rule, rather than the 100-loan threshold set by the 2020 HMDA Final Rule.”

The Blog article went on to say that the “CFPB recognizes that financial institutions affected by this change may need time to implement or adjust policies, procedures, systems, and operations to come into compliance with their reporting obligations. In these limited circumstances, in allocating the CFPB’s enforcement and supervisory resources, the CFPB does not view action regarding these institutions’ HMDA data as a priority. Thus, the CFPB does not intend to initiate enforcement actions or cite HMDA violations for failures to report closed-end mortgage loan data collected in 2022, 2021, or 2020 for institutions subject to the CFPB’s enforcement or supervisory jurisdiction that meet Regulation C’s other coverage requirements and originated at least 25 closed-end mortgage loans in each of the two preceding calendar years but fewer than 100 closed-end mortgage loans in either or both of the two preceding calendar years.”

On December 21, 2022, the CFPB published a final rule at 87 FR 77980 [https://www.federalregister.gov/d/2022-27204] with technical amendments to Regulation C that changed each mention of the 100 closed-end mortgage loans reporting threshold in subsections 1003.2(g) [definition of financial institution] and 1003.3(c) [excluded transactions] and the Official Interpretations of those subsections to 25 closed-end mortgage loans. The amendments became effective on publication.

What this all means

When the District Court vacated the portion of the 2020 final rule that increased the reporting threshold for closed-end mortgage loans from 25 to 100 such loans in either of the preceding two calendar years, it put those portions of the regulation and official interpretations back to their 2015 final rule wording, as if they were not changed by the 2020 final rule.

In the Bureau’s Blog article described just above, the Bureau acknowledged that the court’s ruling could HMDA filing requirements for applications and loans dated in 2020 (from July 1), 2021, and 2022, for financial institutions that made at least 25 but fewer than 100 closed-end mortgage loans in the two previous calendar years. It went on to say that it doesn’t intend to initiate enforcement actions or cite HMDA violations for failures to report closed-end mortgage loan data collected in 2020 through 2022 for institutions subject to Bureau enforcement or supervisory jurisdiction.

There have been no similar statements of intent not to initiate enforcement actions or cite HMDA violations from the Federal Reserve Board, FDIC, OCC, or NCUA. It would seem that those regulators will have to issue a similar statement because it is next to impossible for many bankers to go back over their applications and loans to find the data to back-file because they weren’t collecting HMDA data during that period.

Let’s assume that the other regulators issue such a statement. What does your bank need to do if it originated 25 or more closed-end mortgage loans in both 2021 and 2022 but hasn’t had to file since 2015?

1. If your bank never obtained a Legal Entity Identifier (LEI) or let its LEI lapse, jump on the task of getting one (or renewing or replacing the old one). You need it to create the unique loan numbers that have to be assigned to each entry on the HMDA LAR.

2. Make sure the bank has the right application forms to collect HMDA data

3. Quickly get lenders and loan assistants spun up on any changes in loan interview scripts and the necessity for checking that HMDA data are being collected with applications

4. Remember that each HMDA-related loan application received after December 31, 2022, will need to include HMDA data added as it gets processed and originated, denied, or withdrawn.

5. For loans already in the pipeline on January 1, 2023, check to see what HMDA data are missing, and take steps to obtain it.

Some industry trade groups have asked the CFPB and prudential regulators to formally declare a one-year amnesty on enforcement for small-volume lenders impacted by the court’s ruling. As of this writing, many such lenders are uncertain they can adapt their procedures by January 1, 2023, and we haven’t heard more from the Bureau or the prudential regulators.

Minutiae matter

By Andy Zavoina

Welcome to 2023. As I pen this month’s article one of my inbox emails is from Apple News and it is about 2023 horoscopes and what is in the stars for me. It is time to look forward, which may require looking back. I remember sitting at my compliance desk at 6:30 p.m., after having been there since 6:30 a.m., that a new year should come with a fresh start, a clean slate, a new beginning. All those audits I had not gotten to should be erased and I should be able to start with a fresh calendar. After all, I made it another year. But that is not how life works. It is not like a sporting event and the last game is over, start your game plan for the next one. Well – you do have to prepare for the future and that is what this article is about. But there was no “last game” and what was not finished still needs to get done. It is like the saying says, this is not a sprint, it is a marathon. That is when I consider coming in at 6 a.m. tomorrow to get an earlier start.

One thing to always consider as you begin planning your year is what are the major events you are aware of?

• Are we a HMDA reporter or now will be and what ramifications does that bring? If applicable, are we ready for the March 1 filing deadline this year? Do we have only the final quarter’s LAR entries to scrub or more, and how long will that take?

• The Regulation B small business data gathering rule will be coming out this first quarter. The CFPB has said it will, and in fact has promised it will be to both Congress and a court. But the final rule is not here yet and I will worry directly about that when we have the new rule. It will be a lot of preparation work. I am aware of that, and it is in the back of my mind as I start planning major events for 2023. But my focus now is what do I need to get done and on my “completed list” before that new requirement begins taking my time and attention.

• When is my next compliance exam? That is a compliance officers’ direct responsibility. What has been done to prepare for it and depending on when that is expected, more importantly, what has not been done? Start making that list if your exam is eminent. What other exams do you contribute to – Bank Secrecy, Safety and Soundness which may include Reg O, any fair lending or mortgage origination and servicing requirements? When we had a separate mortgage loan origination department, HUD and the VA. separately examined it You may have similar issues. And while we follow regulatory requirements typically to ensure consumer protections are in place, the fact is that exams are where our success or failure is often judged and scored. In preparation for those, we may have internally and externally completed audits done. When are these on the calendar and what preparation is needed for them?

Let’s look at the future, and to do that we have to reflect on the past. Let’s eliminate some of the small things, the minutiae. These are minimal tasks that need to be sorted and ensure there are no issues with compliance. It’s the little things sometimes that surprise you and bite you on the backside. So, let’s strive to eliminate as many of those as we can.

Now that signage requirements are addressed, let’s ensure “annual” tasks have been completed.

Reg BB (CRA), Content and availability of Public File Reg H § 228.43 – Your Public Files must be updated and current as of April 1 of each year. Many banks update this continuously, but it’s good to check. You want to ensure you have all written comments from the public from the current year plus each of the two prior calendar years. These are comments relating to the bank’s efforts in meeting community credit needs (your SBA loans may play a key role here) as well as any responses to comments. You also want a copy of the last public section of the CRA Performance Evaluation. That actually is to be placed here within 30 days of receipt. Ensure you are keeping up with branch locations and especially ATMs as those may fluctuate. The regulation has more on the content of this file. It may be best to review it with an audit workpaper to use as a checklist to avoid missing any required items.

CRA Notice and Recordkeeping § 228.42, 228.44, 1003.5 – CRA data, which can include small business and small farm as well as home mortgages are gathered based on specific reporting requirements for the Loan Application Registers (LAR). CRA and HMDA information, if applicable, must be submitted by March 1, for the prior calendar year. If you are a reporter of either LAR, you should start verifying the data integrity now to avoid stressing the process at the end of February. HMDA mortgage data should be compiled quarterly so this should not be a huge issue, but a thorough scrubbing as the new year starts and submission preparation readies is always warranted.

Pertaining to this, national banks should ensure they have reviewed and updated as needed the CRA, FHA and ECOA notices in accordance with the Aug. 5, 2021, OCC Bulletin 2021-35. This bulletin provided updated content for the appropriate names and addresses for notices required by the Community Reinvestment Act and Equal Credit Opportunity Act, and for posters under the Fair Housing Act. National banks were required to make the appropriate changes to their notices and posters within 90 days of the issuance which then had a mandatory compliance date of Nov. 3, 2021.

Reg C – HMDA Notice and Recordkeeping § 1003.4, 1003.5 – HMDA data are gathered as home mortgage loans are applied for and are compiled quarterly if your bank is a HMDA reporter. There are specific and detailed reporting requirements for the Loan Application Register (LAR) itself. The LAR must be submitted by March 1, for the prior calendar year. If you are a reporter, you should start verifying the data integrity now and this is of vital importance if you have a large volume of records to report.

Reg E § 1005.8– If your consumer customer has an account to or from which an electronic fund transfer can be made, an error resolution disclosure is required. There is a short version that you may have included with each periodic statement. If you’ve used this, you are done with this one. But if you send the longer version that is sent annually, it is time to review it for accuracy and ensure it has been sent or is scheduled to be. Electronic disclosures under E-SIGN are allowed here.

This is also a good time to review §1005.7(c) (additional electronic fund transfer services) and determine if any new services have been added and if they were disclosed as required. Think Person-to-Person transfers like Zelle, Venmo or Square.

Reg G – Annual MLO Registration § 1007.102 – Mortgage Loan Originators must go to the online Registry and renew their registration. This is done between November 1 and December 31. If this hasn’t been completed, don’t push it to the back burner and lose track during the holidays and then have to join a year-end rush to complete this task. This is also a good time to plan with management and Human Resources any MLO bonus plans. Reg Z Section 1026.36(d)(1)(iv)(B)(1) allows a 10 percent aggregate compensation limitation on total compensation which includes year-end bonuses.

Regulation O, Annual Resolution §§ 215.4, 215.8 – In order to comply with the lending restrictions and requirements of 215.4, you must be able to identify the “insiders.” Insider means an executive officer, director, or principal shareholder, and includes any related interest of such a person. Your insiders are defined in Reg O by title unless the Board has passed a resolution excluding certain persons. You are encouraged to check your list of who is an insider, verify that against your existing loans, and ensure there is a notification method to keep this list updated throughout the year.

Reg P § 1016.5 –There are exceptions allowing banks which meet certain conditions to forgo sending annual privacy notices to customers. The exception is generally based on two questions; does your bank share nonpublic personal information in any way that requires an opt-in under Reg P, and have you changed your policies and practices for sharing nonpublic personal information from the policies and procedures you routinely provide to new customers? Not every bank will qualify for the exception, however. John Burnett wrote about the privacy notice conundrum in the July 2017 Legal Briefs. That article has more details on this.

When your customer’s account was initially opened, you had to accurately describe your privacy policies and practices in a clear and conspicuous manner. If you don’t qualify for the exception described above, you must repeat that disclosure annually as well. Ensure that your practices have not changed and that the form you are sending accurately describes your practices.

For Reg P and the Privacy rules, annually means at least once in any period of 12 consecutive months during which that relationship exists. You may define the 12-consecutive-month period, but you must apply it to the customer on a consistent basis, so this is not necessarily a December or January issue, but it could be. And each customer does not have their own “annual date.” If a consumer opens a new account with you in February, you provide the initial privacy notice then. That is year one. You can provide the annual privacy notice for year two at any time, up until December 31 of the second year.

It is important to note that unlike most other regulatory requirements, Reg P doesn’t require E-SIGN compliance for your web-based disclosures. You can use e-disclosures on your bank web site when the customer uses the web site to access financial products and services electronically and agrees to receive notices at the web site, and you post your current privacy notice continuously in a clear and conspicuous manner on the web site. So, the demonstrable consent requirements and others in E-SIGN’s 15 USC Sect. 7001(c) do not apply, but there must still be acceptance to receive them on the web. Alternatively, if the customer has requested that you refrain from sending any information regarding the customer relationship and your current privacy notice remains available to the customer upon request this method is acceptable.

Fair Credit Reporting Act – FACTA Red Flags Report – Section VI (b) (12 CFR 334.90) of the Guidelines (contained in Appendix J) require a report at least annually on your Red Flags Program. This can be reported to either the Board, an appropriate committee of the Board, or a designated employee at the senior management level.
This report should contain information related to your bank’s program, including the effectiveness of the policies and procedures you have addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts, as well as service provider arrangements, specifics surrounding and significant incidents involving identity theft plus management’s response to these and any recommendations for material changes to the bank’s program. Times change, customers’ habits change, and importantly criminals change, and each may require tweaks to the bank’s program.

Reg V, Fair Credit Reporting Act – Affiliate Marketing Opt-Out § 1022.27(c) – Affiliate marketing rules in Reg V place disclosure restrictions and opt out requirements on you. Each opt-out renewal must be effective for a period of at least five years. If this procedure is one your bank is using, you must know if there are there any expiration dates for the opt-outs and have these consumers been given an opportunity to renew their opt-out?

RESPA Reg X, Annual Escrow Statements § 1024.17 – For each escrow account you have, you must provide the borrower(s) an annual escrow account statement. This statement must be done within 30 days of the completion of the escrow account computation year. This need not be based on a calendar year. You must also provide them with the previous year’s projection or the initial escrow account statement, so they can review any differences. If your analysis indicates there is a surplus, then within 30 days from the date of the analysis you must refund it to the borrower if the amount is greater than or equal to $50. If the surplus is less than that amount, the refund can be paid to the borrower, or credited against next year’s escrow payments.

Reg Z Thresholds and Updates § 1026.3(b) – These changes are effective January 1, 2023. You should ensure they are available to staff or correctly hard coded in your systems. The exemption for Reg Z disclosures will increase from $61,000 to $66,400, meaning consumer loans over that amount (less real or personal property expected to be used as the consumer’s principal dwelling or a private education loan) will be exempt.

BSA Annual Certifications – Your bank is permitted to rely on another financial institution to perform some or all the elements of your CIP under certain conditions. The other financial institution must certify annually to your bank that it has implemented its AML program. Also, banks must report all blockings to OFAC within ten days of the event and annually by September 30, concerning those assets blocked.

Information Security Program part of GLBA – Your bank must report to the board or an appropriate committee at least annually. The report should describe the overall status of the information security program and the bank’s compliance with regulatory guidelines. The reports should discuss material matters related to the program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management’s responses; and recommendations for changes in the information security program.

Security, Annual Report to the Board of Directors § 208.61 – The Bank Protection Act requires that your bank’s Security Officer report at least annually to the board of directors on the effectiveness of the security program. The substance of the report must be reflected in the minutes of the meeting. The regulations don’t specify if the report must be in writing, who must deliver it, or what information should be in the report. It is recommended that your report span three years and include last year’s historical data, this year’s current data and projections for the next year.

Similar to the Compliance Officer reporting to the board, this may include a personal presentation, or it may not. I recommend that it is because this is an opportunity to express what is being done to control security events from the recent past as well as foreseeable events and why these are important issues. These facts can assist Security in getting the budget and assets necessary for the coming year. There is no prescribed period during which the report must be made other than “annually,” and this may be based off the timing of the prior report, give or take a month. Annual presentations such as this are better done when the directors can focus more on the message so try to avoid quarter ends, and especially the fourth quarter. This is not a “how-to” on the annual security report, but you can find more on the topic, free, on the BankersOnline Tools by searching on “annual security program.”

Training – An actual requirement for training to be conducted annually is rare, but annual training has become the industry standard and may even be stated in your policies. There are six areas that require training (this doesn’t mean you don’t need other training, just that these regulations have stated requirements).

• BSA (31 CFR §1020.210(b)(4), and 12 CFR §208.63(c)(4) Provide training for appropriate personnel.
• Bank Protection Act (12 CFR §21.3(a)(3) and §208.61(c)(1)(iii)) Provide initial & periodic training
• Reg CC (12 CFR §229.19(f) Provide each employee who performs duties subject to the requirements of this subpart with a statement of the procedures applicable to that employee)
• Customer Information Security found at III(C)(2) (Pursuant to the Interagency Guidelines for Safeguarding Customer Information), training is required. Many banks allow for turnover and train as needed, imposing their own requirements on frequency.)
• FCRA Red Flag (12 CFR 222.90(e)(3)) Train staff, as necessary, to effectively implement the Program;)
• Overdraft protection programs your bank offers. Employees must be able to explain the programs’ features, costs, and terms, and to explain other available overdraft products offered by your institution and how to qualify for them. This is one of the “best practices” listed in the Joint Guidance on Overdraft Protection Programs issued by the OCC, Fed, FDIC and NCUA in February 2005 (70 FR 9127, 2/24/2005), and reinforced by the FDIC in its FIL 81-2010 in November 2010.

MISCELLANEOUS – Some miscellaneous items you may address internally in policies and procedures include preparation for IRS year-end reporting, vendor due diligence requirements including insurance issues and renewals, documenting ORE appraisals and sales attempts, risk management reviews, following records retention requirements and destruction of expired records, and a designation by the bank’s board of the next year’s holidays. And finally, has there been a review of those staffers who have not yet taken vacation or “away time” to the five consecutive business days per the Oklahoma Administrative Code 85:10-5-3 “Minimum control elements for bank internal control program”?

Joint owners’ signatures on new joint accounts

By John S. Burnett

We on the OBA Compliance Team were reminded in recent weeks of the problems that can arise when a bank has opened a joint account without obtaining all of the joint owners’ signatures on the account signature card or other deposit contract. It’s our sense that banks aren’t allowing this to happen as often now as it did years ago. But a quick review of the subject may help keep it at “top of mind” when opening joint accounts.

First, a bank account agreement, whether it’s on the signature card itself or in a separate document, is a legal contract between the bank and the owner(s) of the bank account. When there are two or more owners, the agreement is also a contract between or among the joint owners. In most cases, each joint owner agrees that each owner has a right to all of the funds in the account, and, for most banks, each owner agrees to be responsible for any overdraft balance, regardless of which owner causes it.

But in order to have the right to the funds in the account or to be responsible for an overdraft in the account or have the right to request information on or statements of the account, each person has to formalize their participation in the agreement by signing the signature card. Furthermore, to be FDIC insured as a joint account, each owner must have signed, or there must be other evidence of the intent that the account be jointly owned.

Banks should have a tight policy and procedure for managing the opening of a joint account when an owner isn’t present. Assuming they have the ability, they could obtain electronic signatures for account agreements from owners absent from the account opening. If that is not possible, they should consider including in the deposit contract, atter consulting legal counsel, a provision that, if a person identified as a joint owner has not signed the signature card within ___ days after the opening of the account, the account’s ownership will change to eliminate that person’s interest in the account. They should also do a proactive (effective) job of following up with the customer who failed to sign in the days after the account was opened.

December 2022 OBA Legal Briefs

Insider Abuses

Insider Abuses

By Andy Zavoina

Bert Lance.

Many, or most of you will not know that name, but all of you know Regulation O. Briefly, this reg was implemented to prevent bank directors, executive officers, and principal shareholders from benefiting from favorable credit terms and treatment in a bank. This group we refer to as “insiders” is not to be treated to better terms than similarly qualified “civilians” we can refer to as the public. Lance and Reg O are a cause and an effect of an insider abusing their authority and position.

Before we discuss the details of Reg O, we need to set the stage on events attributed to the development of Reg O. Bert Lance was the central figure on that stage. He considered himself a country banker from Georgia. His claim to fame was that he went to Washington as President Jimmy Carter’s budget director at the Office of Management and Budget (OMB). Carter took office in 1977. As one of Carter’s closest advisers for almost two decades, he was approved for his political appointment with ease, but not without some criticism. William Proxmire, chairman of the Senate Banking Committee, opposed Lance’s nomination, saying, “He has had none — zero, zip, zilch, not one year, not one week, not one day” of experience at managing a federal budget then estimated at $400 billion.

Perhaps this was demonstrated in Lance’s financial condition at the time. Lance was a banker and his bank had $5 million in loans to Carter’s family business. Carter was known as a peanut farmer when he became president. As to financial condition, Lance had a net worth of almost $3 million but with that he carried more than $5 million in debt. Lance lived well as he owned three large homes in Georgia and rented a house in Georgetown as he worked in Washington, DC. His annual interest payments on the various loans amounted to $370,000. To cover this debt service, he had his public service salary as budget director of $57,500. It did not take long for the speculation and criticisms to start of Lance’s performance, but was this legitimate criticism, or politics? Federal investigators questioned his appointment process and eventually the Senate Governmental Affairs Committee questioned Lance over allegations that he had misused bank funds, obtained loans at favorable rates, and used a company plane to fly to University of Georgia football games, all abusing his position in the bank and living a lifestyle beyond his means.

Several senators called for his resignation, and under increasing pressure Lance did resign less than nine months after taking his position at the OMB. This was the first major internal scandal of the Carter presidency. One could still question if this was deserved or political, but it got worse.

Lance was arraigned on twelve federal charges that could have sent him to prison for 95 years for conspiracy, fraud, and assorted violations of banking laws. This was pre-Reg O and insider abuses were considered as contributing factors to the violations. Lance and three other conspirators were charged with illegally obtaining 383 loans for themselves, their families, and associates from 41 banks stretching from Atlanta to New York and Chicago and from there to Luxembourg and Hong Kong.

The 1979 indictment alleged Lance and three others showed a “reckless disregard for the safety of the banks” that extended credit to them when there was “no reasonable expectation of repayment.” The indictment alleged that Lance repeatedly used a “false and misleading” personal financial statement to obtain loans, including one for $3.4 million from the First National Bank of Chicago. That same financial statement, dated Jan 7, 1977, was the one submitted to the Senate Governmental Affairs Committee for his confirmation to head the OMB.

To illustrate the issues prompting increased regulation, Lance’s financial statement failed to reflect a $14,000 loan that the National City Bank of Rome, Ga., had made to Lance’s wife. After he became budget director, the grand jury said, Lance got the Rome bank to transfer the loan from his wife’s name to Lancelot, which was a partnership actually consisting of Lance and his wife.

In one of his many legal cases, Lance was acquitted on nine of twelve charges and the remaining three were eventually dropped. Lance had also been charged with twenty-one other felonies, including misapplication of bank funds as president of the National Bank of Georgia (NBG) and the First National Bank of Calhoun, falsification of personal financial statements and making false entries on NBG records. The indictment indicated that Lance and two others used their positions in a few small Georgia banks to acquire the stock of still other banks by lending each other money without adequate collateral and, in some cases, no collateral at all.

It came out that in 1974 and 1975, Lance “caused Calhoun First National Bank” to make a total of $79,530 in unsecured loans to his son, David Lance, who was then a twenty-year-old student. On May 27, 1976, Lance got a $150,000 loan from the Chemical Bank of New York, putting up 14,811 shares of stock as collateral. However, that stock was already pledged as part of the collateral of another loan Lance had, this one for $2.6 million from the Manufacturers Hanover Trust Co. of New York.

As a side note, several years later, Lance was still in trouble and under investigation by a federal grand jury and the Securities and Exchange Commission after being charged with “unsafe and unsound” banking practices and misappropriation of funds. In this case he was fined $50,000 and barred from banking by the Office of the Comptroller of the Currency.

With the abundance of accusations and cases, such poor banking practices achieved a national spotlight. Sounds like the reason for the birth of a regulation, right?

Reg O is somewhat of a standard to follow. The case examples below are from consent orders from the Office of the Comptroller of the Currency (OCC) which has an “Insiders Activities” section in its Comptroller’s Handbook. This section includes various discussions of risk but also refers to the Federal Reserve’s Reg O as requirements which must be followed. The Handbook states, “Various state and federal laws and regulations govern insider activities. Unlike the broad standards of fiduciary duties, these laws and regulations are specific about how insiders are to conduct themselves. Since the statutory and regulatory restrictions on insider transactions do not apply uniformly to all insiders, the board and management must become familiar with each restriction and must pay careful attention to the scope and requirements of each.” This may well be stated by other regulatory agencies as it would be good advice for all banks other than national banks.

Reg O established reporting requirements for bank insiders which were included in previous financial laws. The Financial Institutions Regulatory and Interest Rate Control Act of 1978 contributed significantly to the first iteration of Reg O which was originally established in 1980. It later incorporated the Depository Institutions Act of 1982 and has been revised many times since.

Reg O set forth a new set of rules to stop the preferred treatment that Bert Lance and others took advantage of. Abuses such as was described above can threaten the safety and soundness of a bank in large or small ways, but a threat is a threat. This article will recap pertinent sections of Reg O requirements but is not an in-depth review. I will not address recordkeeping, executive officer requirements or risk management issues.

Reg O applies to insiders, which includes executive officers, directors, and principal shareholders and the related interests of these individuals of the bank and its affiliates. Reg O further defines executive officer as any person who participates or has the authority to participate in major policy making functions, regardless of title or compensation, though it specifically lists the chairman of the board, the president, every vice president, the cashier, the secretary, and the treasurer as executive officers, unless excluded through bylaws or by a resolution of the board of directors and in practice the individual does not participate in major policy making functions. Most banks’ boards of directors define the insiders in their Reg O policy. Those listed should meet the test of a “person who participates or has the authority to participate” in the major policymaking activities and the bank needs to ensure someone who meets this test is in fact listed.

Related interests of the insider include any company controlled by the insider. For Reg O, this results from directly or indirectly owning, controlling, or having the power to vote 25 percent or more of any class of voting securities of a company. It also includes controlling the election of a majority of the directors of a company or having the power to exercise a controlling influence over the management or policies of a company. There is a presumption of control for any director or officer of a company who directly or indirectly owns, controls, or has the power to vote more than 10 percent of any class of voting securities of that company, or for any person who directly or indirectly owns, controls, or has the power to vote more than 10 percent of any class of voting securities if no other person owns a greater percentage.

The bank needs to be able to track loans to insiders and the related interest of those insiders. Recordkeeping requires this but the accuracy is the burden of the bank, knowing the insiders and having them understand and identify their related interests.

This information is also useful when the bank is employing any of these related interests. While not directly related to Reg O, as you will read below if there are issues with paying an insider’s “side business” for work not completed, that is a safety and soundness issue as well as a violation of ethics requirements the bank should have. The related interest list can be used in the vendors due diligence process to identify the players. In a small town and transparent bank environment the bank will know who they are dealing with. It is not a violation to employ them, but the purpose here is not only to avoid a problem, but to avoid any appearance of a problem or preferential treatment.

There are limits placed on the loans to insiders both on an individual and an aggregate basis. The lending limit to an individual, including their related interests, is 15 percent of the bank’s unimpaired capital and surplus for loans that are not fully secured, and an additional 10 percent for loans that are fully secured by readily marketable collateral. Loans fully secured by obligations of the U.S. government or agencies, or loans secured by deposits held at the bank are not counted toward the limit. On an aggregate basis, loans to insiders are limited to the equivalent of the bank’s unimpaired capital and surplus, or up to two times unimpaired capital and surplus for banks with less than $100 million in deposits, as long as a signed resolution by the bank’s board justifies the higher limit. The higher limit for smaller banks is also conditioned on the bank meeting applicable capital requirements and having a satisfactory CAMELS rating from the bank’s most recent examination.

Reg O includes general prohibitions based on terms and creditworthiness. Loans made to insiders must be on substantially the same terms, such as interest rates and collateral, as loans made to non-insiders, with the same underwriting standards applied at origination. This is not to say if the bank made one other loan under similar terms, it could use that as justification to provide a credit product with otherwise more favorable terms to its directors. The comparisons must be real and authentic. In addition, the loan must not involve more than the normal risk of repayment or present other unfavorable features. Any loan to an insider of an amount more than $25,000 or 5 percent of unimpaired capital and surplus, whichever is higher, must be preapproved by a majority vote of the board of directors, and the insider must abstain from the approval process. Prior approval is required when an extension of credit, regardless of the amount, results in aggregate debt to the individual and their related interests exceeding $500,000.

An extension of credit includes making or renewal of a loan, a line of credit, or extending credit in any manner. Overdrafts are included in Reg O. Overdrafts of $5,000 or less are not considered extensions of credit when made pursuant to a written, preauthorized, interest-bearing extension of credit plan, or a written, preauthorized transfer of funds from another account.

Banks are prohibited from paying overdrafts to executive officers and directors. The prohibition on overdrafts does not apply to the payment of inadvertent overdrafts if the aggregate amount of overdrafts on an account does not exceed $1,000, the account is not overdrawn for more than five business days, and the executive officer or director is charged the same fee as any other customer. The prohibition on the payment of overdrafts does not apply to principal shareholders who are not also an executive officer or director, or to the related interests of insiders.

Reg O is designed to add controls to loan related issues even though it includes a lot of recordkeeping, and the focus is on preferential treatment of those in control of the bank. Deposit rates to employees and insiders is not a Reg O issue but could be preferential treatment issue. I will draw your attention to 12 U.S.C. Sec. 376 which says, no member bank shall pay to any director, officer, attorney, or employee a greater rate of interest on the deposits of such director, officer, attorney, or employee than that paid to other depositors on similar deposits with such member bank.” Note this rule applies to member banks. Nonmember banks may consider it a good practice, but not a regulatory requirement.

The following cases are real and are public information by virtue of regulatory enforcement orders. In some cases, the reader may make assumptions to fill in gaps not otherwise in the enforcement orders. Nonetheless as is commonly stated in a consent order, these were done by the subject who, “without admitting or denying any wrongdoing, desires to consent to the issuance of this Consent Order…”

James Ratcliff

Considering the abuses that lead to Reg O and its intended protections for bank deposits, the first case to exemplify why these protections need to be adhered to, monitored, and enforced is one in which the OCC took against James Ratcliff.

Ratcliff was an Executive Vice President and Vice Chairman at an Oklahoma bank which had $285 million in assets as of December 2020. The bank has since been acquired. Ratcliff was an Executive Vice President from 2000 to 2020. He held the position of Vice-Chairman of the Board of Directors from 2016 until mid-2020, when he became Chairman of the Board. He then served as Chairman until November 2020. He was most certainly an insider and empowered by virtue of his position to direct the bank and its activities on a daily basis.

The enforcement order (AA-ENF-2022-32) says Ratcliff, “caused the Bank to engage and pay numerous entities owned by Respondent as third-party vendors. Respondent participated in setting the financial arrangements between the Bank and the entities he owned.” These are issues that involve self dealing and while these may not violate any lending issues, the practices should certainly be scrutinized by the bank under its ethics policy. This does not mean that may not be done, but if they are transparency should prevail. Again, there should be no impropriety and no appearance of any impropriety.

In this case, Ratcliff (and presumably the bank itself) failed to ensure that the services that were to be provided were in fact done. In fact, in these instances there are often no contracts to compare the work or services to be completed to, yet there were payments made and therefore this long seasoned employee, officer, insider was receiving payment directly or indirectly with no evidence of work performed.

Also cited in the enforcement order was the fact that Ratcliff failed to ensure employee compensation was commensurate with that person’s responsibilities and actual work performed for the bank. But mostly that he also directed bank employees and contractors to perform work for his non-bank entities at the expense of the bank. Here again, it can be difficult to challenge a senior officer in the bank, yet there are times for the good of the bank that a challenge is required.

On to the issue of lending, Ratcliff approved and/or made multiple unsafe or unsound loans that were “liberally underwritten” and included inaccurate credit memorandums which then contained insufficient financial statement and cash flow analysis. Ratcliff himself participated in the practice of helping borrowers create new corporate entities and transferred existing debt to these new entities without any positive change in that borrower’s ability to repay. Similar to the prohibited practice of flipping loans, here the intent was to disguise who the debt was owed to, and it may have been a tactic to avoid debt service requirements.

The bank extended loans to entities owned in whole or in part by Ratcliff. In this process he failed to disclose his ownership interest in any of these entities to the bank or the board. During loan approval processes he also did not recuse himself from approvals of these loans. Was the bank at fault? If Ratcliff failed to disclose his ownership interest the bank had no idea that his recusal was required. From a compliance perspective I would at this point want to know when the insiders were last trained or reminded of their responsibilities. While ignorance of the law is no excuse for a violation, it may serve as a defense. Compliance should note to itself that periodically formal or informal training is conducted even if it serves only as a reminder to insiders as to their responsibilities. Similarly, staff in the bank need to be reminded that they have an obligation to the bank, and not the insiders, to notify others in management if they happen to be aware of any violation such as these.

In this case Ratcliff was deemed to have, “engaged in violations of law, regulation, or order, recklessly engaged in unsafe or unsound practices, and breached his fiduciary duty to the Bank; which violations, practices, or breaches were part of a pattern of misconduct, caused or were likely to cause more than a minimal loss to the Bank; and demonstrated willful or continuing disregard for the safety and soundness of the Bank. loans.”

As a result of this consent order, Ratcliff was essentially banned from banking. Among other prohibitions, he may not participate in any manner in the conduct of an insured bank’s affairs, solicit, procure, transfer, attempt to transfer, vote, or attempt to vote any proxy, consent, or authorization with respect to any voting rights or vote for a director, or serve or act as an “institution-affiliated party.” That is part of the standard order used in such cases.

What is more, and imposes individual liabilities for his actions, is the civil money penalty Ratcliff has to pay off $100,000. The amount of money the bank may have lost paying third party vendors for services not provided is not known. Any losses due to questionable loans when Ratcliff had borrowers create a new entity to takeover the debt of a different borrower but essentially with the same beneficial owner is not known. Any problems with loans to Ratcliff’s own companies in which he failed to disclose his ownership is not known. And the costs the bank incurred auditing all of its records for many, many years trying to unravel all of these violations, is not known. Even though the bank in question was acquired between the events above and this consent order in August 2022, the order stipulates Ratcliff, “shall not cause, participate in, or authorize the Bank (or any subsidiary or affiliate of the Bank) to incur, directly or indirectly, any expense relative to the negotiation and issuance of this Order except as permitted by 12 C.F.R. § 7.2014 and Part 359.” Those sections define the limited circumstances under which a bank may indemnify an employee or offer a golden parachute. With the acquisition of the bank in the interim between the acts and the order, any possibility of that happening would seem unlikely.

Contrast some of Ratcliff’s activities to those of Bert Lance and others and we see similar breakdowns. The abuse of authority both against the bank and the bank’s employees hurts the bank and the banking industry. We may believe what is often referred to as “the good old boys’ network” is a thing of the past. But 1977 is really not that long ago when compared to abuses that were allowed to happen.

Tony Fritz

Was Ratcliff alone in this enforcement action? No. It would seem that there was another in his bank that in many ways facilitated the wrongdoing whether knowingly, inadvertently, or through acts of negligence. Tony Fritz is the former Chief Lending Officer and Director at Ratcliff’s bank.

In his Consent Order (AA-ENF-2022-34) it is noted that Fritz worked for the bank as a credit analyst from 2014 to 2015 and was promoted, and from 2015 through December 2019 he was both a Chief Lending Officer and a director. In his position, Fritz was expected to uphold certain standards, which was not done. He failed to ensure that credit administration and risk management practices and controls were effective and commensurate with the risk and complexity of the loan portfolio. Fritz also failed to develop a system to ensure ongoing monitoring of complex commercial credits and to ensure the bank kept adequate loan documentation. And he failed to formalize loan review and approval processes and failed to properly document lending decisions. From these comments in the consent order, it appears many loans, including those in Ratcliff’s portfolio or under his direct supervision were “rubber stamped” for approval and were not questioned if deficiencies were noted, or should have been noted.

In fact, the consent order goes on to say, Fritz, “failed to provide credible challenge to members of senior management who maintained loan portfolios and failed to maintain adequate oversight over their portfolios. And it goes on to say, Fritz, “approved and/or originated multiple unsafe or unsound loans that were liberally underwritten and included inaccurate credit memorandums containing insufficient financial statement and cash flow analysis. (Fritz) originated loans to cover customers’ overdrafts and overdraft fees. (Fritz) extended additional loans to borrowers who were not credit-worthy, sometimes through creating new entities, in order to make payments on such borrowers’ non-performing loans.” Here again, a process of rubber stamping does not offer the checks and balances that are required, nor the controls to all but ensure compliance with banking regulations and requirements.

What Fritz did, or more correctly did not do was a dereliction of duty. It was considered an unsafe or unsound banking practice and breached his fiduciary duty to the bank. It stated that this misconduct caused more than a minimal loss to the bank. Fritz was personally assessed a civil money penalty but his was less than Ratcliff’s, at $10,000. He also has additional prohibitions placed upon him essentially banning him from banking. Before he could accept a position of responsibility in a bank, he would be required to provide that bank’s president or chief executive officer with a copy of the consent order describing the above.

Orlando Romero

On this topic of insider activities and Reg O, I want to mention a third case which is from the Federal Reserve (Docket No. 22-002-B-1) against Orlando Romero. This is an order involving ethics more than traditional insiders’ activities. In this case the banker was not fined but was banned from banking because of his misconduct which violated internal bank policies and constituted violations of law or regulation and were considered unsafe or unsound practices and breaches of fiduciary duty.

This case is special in several ways. Firstly, when I have discussed this with many bankers, most have not heard of such an enforcement before, and many do not see it as a fundamental problem. It is something that many have heard of or done to some extent.

Romero was a client service specialist in a Global Technology area of his large bank. He had received a job offer letter from a competing institution. That letter provided him with some specific terms of employment one of which was his salary. I would assume it offered him an increase, but that would not seem to be enough for Romero. He altered the letter and increased the starting salary above that which was actually offered.

Romero added $28,000 to his current salary and presented that to his current bank in hopes for a raise and he would then remain at his current bank. That amount is significant to me. In this case his bank met that amount and Romero’s annual salary was increased. This is where many bankers would proclaim a “win” for the employee. Questions bankers may ask include, “if the bank thought he was worth that amount when a competitor offered it to him, why wasn’t he worth that before?” In fact, he was not offered that amount by a competitor. There would seem to be a fine line between ethically asking for a raise and fraudulently stating that a competitor has valued your work at more than your current employer. Regardless, some bankers take the position that Romero’s bank had a decision to make regardless of where an offer came from: “Was he worth that much considering his job duties, his performance, and the costs associated with bringing in a new employee to fill that position?” If the bank paid him the increase, then its answer was that he was worth it.

But in the end, somehow the bank discovered the scheme. Romero resigned from his bank two and a half years after receiving his increased salary. That would amount to $70,000 in “additional” income. The order did not state if the resignation was triggered by this knowledge, or it was learned afterward. As noted above what he did was deemed to be in violation of several policies, laws and or regulations. Before he could work at another bank there were certain requirements he would have to meet. This includes providing the Managing Director/Senior Vice President or equivalent level in the reporting line of the institution with notice and a copy of the Fed’s cease and desist order against him and fully familiarize himself with the policies and procedures of the institution that pertain to his duties and responsibilities, including, but not limited to, the employee Code of Conduct, and provide written notice to the Board of Governors, along with a written certification of his compliance with each provision required in his order. It may not be a permanent, but it would take a lot to meet this, in my opinion.

At the end of the day, I hope you will ensure that management, the board, and all bank staff are both informed or reminded of their responsibilities and duties under applicable laws, regulations, and policies. As we close 2022 and enjoy the holiday season, ethics is a good topic to revisit as gifts may be offered to staff and prohibitions should apply.

November 2022 OBA Legal Briefs

HMDA Changes Un-Changing?
Defunding the CFPB
New “Junk Fees”

HMDA Changes Un-changing?

By Andy Zavoina

As a part of your Compliance Management Program, you should meet periodically with senior management and/or the board of directors and keep them informed of changes that are or may be coming down at you. This is especially the case as we approach budget talks. You absolutely do not want to submit your compliance budget only to advise senior management a month after it is approved that you already need an increase for 2023 because of a new requirement you had not factored in. And that is just one of the topics you should be briefing them about.

You may be thinking, “Well, Andy, we don’t think the Reg B small business data gathering will be completely in place and certainly not for the whole year, so what “new” requirement are you talking about?” In a nutshell, the Home Mortgage Disclosure Act (HMDA). Many HMDA reporters received benefit of a threshold change for reporting a HMDA Loan Application Register. The floor amount was raised in 2020 and the threshold for reporting was increased from 25 to 100 closed-end loans. More details on that in a minute, but the Consumer Financial Protection Bureau’s (CFPB) methodology for justifying this change was challenged in court and the CFPB “lost” meaning the Court is declaring the change to be invalid. Those banks taking advantage of the increased threshold may find themselves scrambling to complete HMDA LARs again.

Now some details for a better understanding. The case was between the National Community Reinvestment Coalition and the CFPB in the U.S. District Court for the District of Columbia. It was a federal judge who moved to vacate the HMDA changes by the CFPB to lower the reporting requirements by increasing the closed-end loan threshold.

HMDA rules require a lender to review two preceding years of mortgage loan activity to determine if reporting requirements apply. There is one threshold for closed-end loans and another for open-end. In 2015 the closed-end threshold for required reporting was 25 or more and the open-end threshold was 100 or more. Additional qualifications such as asset size and location are not addressed here but would still apply.

In 2020 the CFPB opted to reduce the reporting burden by increasing the threshold of reportable closed-end loans from 25 to 100. In theory this reduces the smaller, low volume reporters and still retained the bulk of the active HMDA reporters. In May 2020, the CFPB estimated there are about 4,860 financial institutions required to report their closed-end mortgage loans and applications under HMDA. These were banks and credit unions and together in 2018 they accounted for 6.3 million closed-end loans. The CFPB further noted that the total number of institutions that were engaged in closed-end mortgage lending in 2018, regardless of whether they met all HMDA reporting criteria, was about 11,600, and the total number of closed-end mortgage originations in 2018 was about 7.2 million. In other words, under the current 25 closed-end loan threshold, about 41.9 percent of all mortgage lenders are required to report HMDA data, and they account for about 87.8 percent of all closed-end mortgage originations in the country. Further, 3,250 of these insured depository institutions and insured credit unions were already partially exempt for closed-end mortgage loans under the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA), and thus were not required to report a subset of the data points currently required by Reg C for these transactions. So, the percentage of loans and lenders receiving the benefits of the exemption was small. The CFPB estimated that when the closed-end threshold would increase to 100 under this final rule, the total number of financial institutions required to report closed-end mortgage loans would drop to about 3,160, a decrease of about 1,700 financial institutions.

The plaintiffs were referred to as the National Community Reinvestment Coalition (“NCRC”), but actually also included Montana Fair Housing (“MFH”), Texas Low Income Housing Information Service (“TxLIHIS”), Empire Justice Center (“EJC”), and the Association for Neighborhood & Housing Development (“ANHD”)—and the City of Toledo, Ohio. They said that HMDA data have been invaluable in “uncovering and addressing redlining, fair lending violations, and other inequitable lending practices” over the decades and the CFPB did not dispute that claim. It was noted that open-end loans were reported after a 2015 HMDA change to the rule, but eventually that, “22 percent of depository institutions” that had previously been required to report HMDA data, were exempted and this resulted in a significant loss of data in certain census tracts.

The burden on low volume lenders to file HMDA reports did not justify the costs to complete that task, the CFPB heard and accepted as evidenced by changes in 2020. The CFPB increased the threshold from 25 to 100 closed-end loans in April of that year and it required the collection of HMDA data through June 30, for institutions that would no longer be subject to HMDA requirements for closed-end loans. These institutions no longer had to collect data starting July 1, 2020, and the reporting of any closed-end loan data collected in 2020 was optional for them.

The plaintiffs stated that each of them “use HMDA data in their research, education, and advocacy to promote access to credit, and thus to housing opportunities” in minority and rural communities. Not having the data from these low-volume lenders leaves holes and unanswered questions and could allow these lenders to violate fair lending laws because the controls are no longer in place to police them.”

The District Court ruled in favor of the plaintiffs and invalidated the closed-end loan exemption expansions but let stand the of 200 open-end lines threshold. Remember reporting of those lines had been optional until these changes began. The court vacated and remanded the closed-end mortgage loan reporting threshold to the CFPB.

Now there are two questions we do not have the answers to, but banks must begin to prepare for in any case. What action will the CFPB take, and when will it take it? The CFPB could take the case to a higher court and seek to justify the changes it made, or it could reverse the closed-end loan reporting threshold back to the 25 closed-end loan limit. It is reasonable to assume that they will let the record stand for 2021 and 2022 and could enforce the new – old – limit effective for 2023. That is to me a logical plan but the CFPB’s intention has not yet been made public as of this writing. If that is the option they will select, those estimated 1,700 banks that fell out of reporting and any others who controlled their application counts with product restrictions need to consider training, systems and controls to get back up to speed with these new – old – rules. If this is less than two months away, HMDA reporters who were exempt deserve time to evaluate and react to their needs. If your bank may fall into this category, you must make some determinations and meet with senior management to advise them of your situation and action plan if one is needed.

Defunding the CFPB

By Andy Zavoina

Another legal case the CFPB is involved in may bring additional changes to the “keeper of the consumer protection regs.” In mid-October 2022, a three-judge panel of the United States Court of Appeals for the Fifth Circuit ruled on a pending case, Community Financial Services of America vs Consumer Financial Protection Bureau.

In this case, Community Financial sued the Bureau in 2018 on behalf of payday lenders and other small lending businesses. They wanted to set aside the 2017 Payday Lending Rule which affected personal loans with short term or balloon-payment structures, typically including payday, vehicle title loans and many high-cost installment credit products.

Community Financial alleged that the CFPB exceeded its statutory authority, and it further attacked the CFPB claiming that the rulemaking authority violated the Constitution’s separation of powers. Remember, the CFPB is set up to request its funding each year from the Federal Reserve. The amount is determined by the CFPB’s Director, and the Federal Reserve must approve the request so long as it does not exceed 12 percent of the Federal Reserve’s total operating expenses. Unlike other federal government agencies, the CFPB determines its own needs, and it automatically gets that funding from the Federal Reserve – bypassing Congressional appropriation steps. This limits Congressional control and makes the agency’s structure unconstitutional in the Court’s view.

This multi-pronged attack was not new. In Seila Law, LLC v. Consumer Financial Protection Bureau, the Supreme Court ruled that the CFPBs structure of being a single director agency who was only removable by the President “for cause” violated the separation of powers requirements. The Court found that provision to be severable, and simply invalidated the “for cause” requirement in the Dodd-Frank Act meaning the President could replace the CFPB director at will. The Court did not invalidate actions taken by the CFPB. This new case with Community Financial differs in that the Fifth Circuit leaves the funding mechanism and the CFPBs actions connected.

In this case the Court ruled that the CFPB’s funding structure violates the Constitution’s Appropriations Clause and separation of powers. Because the funding used by the CFPB to create the Payday Lending Rule was drawn through the unconstitutional funding structure, the Court ordered the Rule vacated. In this case the Court stated that the “Bureau’s perpetual insulation from Congress’s appropriations power, including the express exemption from congressional review of its funding, renders the Bureau no longer dependent and, as a result, no longer accountable to Congress and, ultimately, to the people.” The three-judge panel noted that this constitutional problem is even more of a problem given the CFPB’s authority. The panel then quoted the Supreme Court in the Seila Law case as the CFPB “acts as a mini legislature, prosecutor, and court, responsible for creating substantive rules for a wide swath of industries, prosecuting violations, and levying knee-buckling penalties against private citizens.”

The debate goes on as to funding because not all agencies are covered by the Congress’s appropriations power. The FDIC as an example assesses fees to stakeholders in the industry. The CFPB does not. It gets funding as noted, from the Federal Reserve from funds that would normally be remitted to the Treasury Department. Treasury is itself appropriated under federal law. So, in a roundabout way the CFPB’s funding comes at the expense of the Treasury Department and therefore Congress is forced to appropriate more to Treasury than it otherwise would.

The Fifth Circuit panel then connected the dots. The Court explained that the remedy is based on “the distinction between the Bureau’s power to take the challenged action and the funding that would enable the exercise of that power.” Because Congress “plainly (and properly)” authorized the CFPB to promulgate the Payday Lending Rule, it is not per se invalid. Instead, Community Financial has to show that the unconstitutional funding provision of the law “inflicted harm.” The Court said that showing that was easy, because the CFPB used the unconstitutional funding to promulgate the Payday Lending Rule. The Court therefore held the Plaintiffs were entitled to “a rewinding of the [the Bureau’s] action.” The Court rendered judgment for Community Financial, vacating the Payday Lending Rule “as the product of the Bureau’s unconstitutional funding scheme.”

So, what does all this mean? As Yogi Berra said, “it’s never over till it’s over.” The CFPB is expected to request an “en banc” hearing where all the judges of the Fifth Circuit Court of Appeals will hear the case instead of the three-judge panel. If that is not successful, it could then go to the Supreme Court.

In this case the Payday Lending Rule was defeated, but remember the court did not say the law itself was not valid, just the way it got there. Still, that opens the door to other challenges. Community Financial’s case, if it becomes final, would only be binding on federal district courts in in Texas, Louisiana, and Mississippi. But the door is open and less than one week after this ruling by the Fifth Circuit we have seen a challenge on an Illinois case, the CFPB v. TransUnion, in which the CFPB alleges that TransUnion violated a prior consent order with the CFPB entered into in 2017, citing the Community Financial case. There is also now a Utah case, CFPB v. Progrexion Marketing, Inc., in which the CFPB alleges that the methods used by the defendants to market credit repair services violated the Telemarketing Sales Rule and the Consumer Financial Protection Act. Again, attributes of the Community Financial case are being used here. And there is a third case in the Ninth Circuit, the CFPB v Nationwide Biweekly Administration again following a similar argument. In this case a California district court imposed a $7.9 million civil penalty against Nationwide for allegedly misleading marketing practices but did not award the nearly $74 million in restitution sought by the CFPB. The CFPB is still pursuing that remedy in the court system.

As to the pending TransUnion case, the CFPB filed an immediate response saying the Fifth Circuit ruling was “neither controlling nor correct” and “mistaken.” The CFPB maintains the court cited no case law holding that Congress violates the appropriations clause or separation of powers when it authorizes spending by statute, that the funding through the Federal Reserve contains checks and balances via audits, reports and appearances it makes to Congress among other arguments.

There is no projecting how long this Community Financial case or those new cases with similar arguments will take to become final. One ruling may quickly resolve all the satellite cases coming from it and it is doubtful that everything the CFPB has done will be invalidated with one decision, but management does need to be apprised of the case and understand this is not a final word and that business cannot revert to a pre-CFPB era based on the Fifth Circuit ruling.

New “Junk Fees”

By Andy Zavoina

I had a frantic message on Slack the morning of October 26, 2022, from one of my bosses. President Biden was on national television talking about banks charging “junk fees” which is a new and derogatory term in many cases for fees consumers agreed to pay, but which are now, to use a phrase, “politically incorrect” to charge. These are unjust or unearned fees which take advantage of a consumer. It makes me wonder sometimes how many fees are justified and really good to a consumer. If a bank charges a fee for paying someone into an overdraft, rather than charging a fee and returning the check to another entity which might then charge a fee for the returned check, add a late fee and then refuse to accept any personal checks from that person again for the next six months, that first bank fee does not sound too bad. But hey, remove all these “junk fees” and the consumer will be happier and at no cost, right? It is like a toll-free telephone line, “don’t cost nobody nothing.” Well, except the bank paying for the toll-free calls that are not free at all.

I do take offense when it is said that if a bank charges “surprise overdraft fees … they may be breaking the law.” Firstly, what law prohibits the imposition of this agreed upon fee? Is it that subjectively someone decided that fee is “unfair” and hey again, “unfair” is in a law so it must be illegal. The Unfair, Deceptive or Abusive Acts or Practices (UDAAP) law is becoming the catch-all law many were afraid it could be. Classifying a fee as unfair just seems politically correct for a number of reasons – mostly because the majority does not like to pay them.

Here is my analogy. A person with tritanomaly has a hard time telling the difference between blue and green, and between yellow and red. Should yellow and red be deemed junk colors? Should yellow cabs be outlawed because they do not appear yellow to everyone? Should the government revise the colors at traffic lights because they can cause confusion to some color-blind people? Well, no. But if there were more people with this color blindness and they had a hard time with the order of stop lights red, yellow, and green vertically, top to bottom, or horizontally, left to right, banning these colors might be “politically correct” and they would be used less when colors matter. There one could cite the Americans with Disabilities Act more than UDAAP, but it is subjective nonetheless.

It is important that many agencies of the U.S. government are headed up by political appointees who are there to serve the president. That is their job, in addition to serving the people of the United States. In this national broadcast President Biden appeared at the White House with CFPB Director Rohit Chopra, the FTC Director and others proclaiming his administration was taking action to eliminate all “junk fees.” These include fees for deposited checks that are returned unpaid, surprise banking overdraft fees, and other non-bank fees like hidden hotel booking fees and termination charges to stop people from changing cable plans. President Biden said that this was about making fees for depositing a check that bounces and overdraft fees for transactions that are authorized into a positive balance but later settle into a negative balance “illegal” and he wants to save consumers over $1 billion each year. The CFPB is developing rules and guidance that will reduce credit card late fees that cost credit card holders $24 billon each year. And his administration has “encouraged” banks to reduce the fees they charge consumers across-the-board and that the CFPB is developing rules that will require banks to go further in addressing additional types of junk fees.

The CFPB then provided guidance on two new fees often charged by banks that it classifies as “junk fees,” which is certainly a derogatory sounding fee label regardless of the fact that the fees have been around a very long time, and both disclosed to and accepted by consumers. In fact, the consumer opts in. The guidance document is Circular 2022-06, “Unanticipated overdraft fee assessment practices.” The circular even points this out in the Analysis section subtitled, “Violations of the Consumer Financial Protection Act,” as it states, “consumers generally cannot reasonably be expected to understand and thereby conduct their transactions to account for the delay between authorization and settlement—a delay that is generally not of the consumers’ own making but is the product of payment systems. Nor can consumers control the methods by which the financial institution will settle other transactions—both transactions that precede and that follow the current one—in terms of the balance calculation and ordering processes that the financial institution uses, or the methods by which prior deposits will be taken into account for overdraft fee purposes.” This is augmented by footnote 23, which states, “While financial institutions must obtain a consumer’s ‘opt-in’ before the consumer can be charged overdraft fees on one-time debit card and ATM transactions, 12 CFR 1005.17(b), this does not mean that the consumer intended to make use of those services in these transactions where the consumer believed they had sufficient funds to pay for the transaction without overdrawing their account.”

In a nutshell, the justification says a consumer agreed to it, but that was before they knew they would be responsible for their own actions and have to pay for it. I can understand that consumers have a difficult time with payment priority of items. Bankers do as well. When a check is written it is presented through payment channels and it may have had sufficient funds when it was written, but the cash withdrawal at an ATM reduced the balance and now that check will not pay. Disclosures a bank gives would have a hard time making sense of all the different channels that can add and subtract from a consumer’s balance. But at the end of the day, if I rely not on what the computer says I have available but rather on my account register, if I started with $100 and wrote a check for $80, I know I should not take $60 from the ATM regardless of what the computer says I have available.

The Circular does make it clear that UDAAP is the enforcement action of choice. It asks one question: “Can the assessment of overdraft fees constitute an unfair act or practice under the Consumer Financial Protection Act(CFPA), even if the entity complies with the Truth in Lending Act (TILA) and Regulation Z, and the Electronic Fund Transfer Act (EFTA) and Regulation E?” and answers this with 13 pages of explanation.

The short answer is Yes, and that is because it is a UDAAP violation to charge such fees because “overdraft fees assessed by financial institutions on transactions that a consumer would not reasonably anticipate are likely unfair.” At the risk of sounding redundant, would an account register help the consumer understand they can not spend more than has gone into the account? Is relying on what a computer says the balance is what we used to call “playing the float,” and is not writing a check for funds not on deposit still “theft by check”? In my state it is a Class C or Class B Misdemeanor. But nowadays a consumer has more ways to access funds and it is a UDAAP violation of law by a bank.

One key concern in the circular are accounts that “authorize positive, settle negative” (APSN). That is, an unanticipated overdraft is charged because the consumer would not reasonably anticipate a fee because there were sufficient funds when an authorization was made.

The Circular differentiates between an overdraft which is a negative balance created when the bank pays an item for which there was not enough money to pay the item presented, and non-sufficient funds where the bank incurs no credit risk when it returns a transaction unpaid for insufficient funds. The overdraft is a loan which involves credit risk and banks charge fees for paying these items. The fee is typically a flat amount and is not based on the amount of the overdraft.

Two areas of concern are:

A fee banks have not seen targeted by the CFPB before—one imposed on a depositor when a bank charges back a check that has “bounced” (that is, it was returned unpaid) by the paying bank, and

“Surprise” fees, including overdraft fees charged when a consumer had enough money in their account to cover a debit charge at the time the bank authorized it.

In the first case (addressed in Compliance Bulletin 2022-06, issued the same day as Circular 2022-06), when the consumer deposits a check into their account, they assume these are good funds. We would believe this is less of a problem today as more payments are made electronically through Zelle, Venmo and the like. But while checks have declined in volume, they have not been eliminated. People are not accustomed to the potential bouncing and reversal of a check that they deposited whether a Reg CC hold notice was provided or not. These are not typically bad customers unless they played a role in the deception and no matter how meticulous they are at keeping a check register, they truly could not prevent the reversal and declining balance that would result from a deposited item coming back. The bank, however, dedicated staff time, decisioning, and technical resources to this process, so a fee for compensation is both disclosed and charged. Your bank accepted the deposit and never participated in the decision to pay or return the item. That was the paying bank’s decision.

According to the CFPB, while charging these fees across the board potentially violates existing law – UDAAP, banks may opt to have a targeted fee policy that charges depositor fees only in situations where a depositor could have avoided the fee. One such situations is when that depositor repeatedly accepts checks from the same originator who has paid them with checks which have bounced before. It would appear this process, while deserving of a fee, would be even more cumbersome and labor intensive to research and present to a depositor.

The second area of concern (covered in Circular 2022-06) are the surprise overdraft fees. The CFPB believes that these overdraft fees occur when a bank account balance reflects that a customer has sufficient funds to complete a debit card purchase at the time of the transaction, but the consumer is subsequently charged an overdraft fee because additional payments/withdrawals arrived possibly through a variety of channels which cause the balance to now be insufficient to cover that debit card withdrawal. The CFPB’s discussion here references the practice of using APSN (referenced above) to assess overdraft fees.

The CFPB asserts that a recent consent order entered into by the CFPB related to APSN overdrafts is applicable industrywide. It noted actions and discussions on these types of fees going back to 2010 by the CFPB, the Federal Reserve and the FDIC. It notes the FDIC cautioned banks on this in 2010 when it issued its Final Overdraft Payment Supervisory Guidance. In 2015, and the CFPB issued public guidance explaining how banks acted unfairly and deceptively when they charged certain overdraft fees. And in 2016, the Federal Reserve publicly discussed issues with unfair fees related to transactions that authorize positive and settle negative. They mentioned it again in 2018 in an issue of the Consumer Compliance Supervision Bulletin, describing it in terms of UDAP and Section 5 of the FTC Act. Then, in June 2019, the FDIC issued its Consumer Compliance Supervisory Highlights and raised risks regarding certain use of the available balance method. And finally in September 2022, the CFPB found that a financial institution had engaged in unfair and abusive conduct when it charged APSN fees and that is the case which is applicable to the industry. This was, of course, the Bureau’s action against Regions Bank where the bank was ordered to reimburse $141 million to customers, pay a civil money penalty of $50 million, and forgo charging any Authorized-Positive Overdraft Fees going forward.

The CFPB opined that, under the circumstances described, these “unanticipated” overdraft fees likely violate the Consumer Financial Protection Act(UDAAP) as they “are likely to impose substantial injury on consumers that they cannot reasonably avoid and that is not outweighed by countervailing benefits to consumers or competition.”

This is an area Compliance is involved in but needs to work with Operations and management to determine the extent of the circumstances in your bank described here. How often does it happen? What are the fees imposed and paid and the losses incurred? What are the risks of facing a regulatory enforcement action as a result? From there budget considerations can be made after a plan of action has been determined along with a policy change, if necessary.

October 2022 OBA Legal Briefs

Concerns about overdrafts and fees grow (Part 2)
2022 OK legislative changes
A Reg O FAQ

Concerns about overdrafts and fees grow — Part 2

By John S. Burnett

In Part 1 of this article, I began a review of the FDIC’s August 18, 2022, “Supervisory Guidance on Multiple Re-Presentment NSF Fees,” issued with FIL-40-2022 (https://www.fdic.gov/news/financial-institution-letters/2022/fil22040.html). I ended Part 1 of that review with a comment summarizing what the Guidance had suggested in the section on Consumer Compliance Risk.

Part 2 of this article starts with a restatement of that closing comment, with some added thoughts.

Comment: Thus far, the Guidance has suggested that banks need to ensure that their disclosures reflect what actually happens in the case of multiple re-presentments for a single transaction, and that something may need to be done about better notifying customers when an item is returned and an NSF is assessed and/or banks may want to consider setting some limit on how many times re-presentments of items derived from the same transaction will trigger another NSF fee.

On the first point — agreement between disclosures and practice —that can be approached from different directions. If a bank is charging an NSF fee for multiple presentments derived from the same transaction, the bank can formulate the right words to relate those facts to its consumer customers. On the other hand, if the bank isn’t disclosing that multiple re-presentments will trigger multiple NSF fees, it may determine a way to detect multiple re-presentments and not charge for more than one. Another possible option could be to stop charging NSF fees altogether so as not to mention them at all in disclosures. Could this be what 16 of the 20 banks included in the CFPB’s report on the top 20 banks by overdraft-related income decided to do?

Let’s move on to the next topic in the Guidance.

Third-Party Risk: The FDIC’s Guidance also expresses the agency’s concerns about risks that can be presented by third-party arrangements with core processors and others who may play significant roles in processing payments, identifying and tracking re-presented items, and assessing NSF fees when items are returned for insufficient funds. If not properly managed, such third-party arrangements can present risks for client financial institutions.

The FDIC expects (as all the regulators do) that financial institutions maintain adequate oversight of third-party actions and appropriate quality control over the products and services provided through third-party arrangements. Institutions are responsible for identifying and controlling such risks to the same extent as if the institution itself were handling the activity.

More succinctly, banks are responsible for what the third parties do for (or to) the bank’s customers. In that regard, banks should review and understand the risks presented by their core processing system settings related to multiple NSF fees, as well as the capabilities of such systems, such as identifying and tracking re-presented items and maintaining data on such transactions.

Litigation Risk: Cases involving Bank of America and the Navy Federal Credit Union are evidence there is litigation risk involved in multiple NSF fee practices. Class action lawsuits may allege breach of contract and raise other claims because of a failure to adequately disclose re-presentment NSF fee practices in bank account disclosures. Some cases have already resulted in substantial settlements, including customer restitution and legal fees.

Risk mitigation

The FDIC encourages banks to review their practices and disclosures concerning charging NSF fees for re-presented transactions. The agency shared these risk-mitigation actions banks have taken to reduce the potential risk of consumer harm and avoid potential violations of law:

Eliminating NSF fees
Charging no more than one NSF fee for a transaction, regardless of whether there are re-presentments
Conducting a comprehensive review of policies, practices, and monitoring activities related to re-presentments and making appropriate changes and clarifications, including providing revised disclosures to all existing and new customers
Clearly and conspicuously disclosing the amount of NSF fees to customers and when and how such fees will be imposed, including:
- Information on whether multiple fees may be assessed in connection with a single transaction when a merchant submits the same transaction multiple times for payment
- The frequency with which such fees can be assessed\o The maximum number of fees that can be assessed in connection with a single transaction
Reviewing customer notification or alert practices related to NSF transactions and the timing of fees to ensure customers are provided with an ability to effectively avoid multiple fees for re-presented items, including restoring their account balance to a sufficient amount before subsequent NSF fees are assessed

If your bank finds issues …

If your bank reviews its NSF fee practices surrounding multiple re-presentments and finds issues, what does the FDIC expect the bank to do about it?

Doing nothing and waiting for the FDIC to demand action is not an option. The FDIC expects a bank with issues to self-initiate corrective action, to include restitution to affected consumers consistent with the approach described in the Guidance. Such banks should also:

Promptly correct NSF fee disclosures and account agreements for both existing and new customers, including providing revised disclosures and agreements to all customers
Consider whether additional risk mitigation practices are needed to reduce potential unfairness risks
Monitor ongoing activities and customer feedback to ensure full and lasting corrective action

The FDIC’s Supervisory Approach

The Guidance indicates the FDIC intends to take appropriate action to address consumer harm and violations of law. It will focus on identifying re-presentment-related issues and ensuring correction of deficiencies and remediation to harmed customers. They consider such issues serious.

They will recognize a bank’s proactive efforts to self-identify and correct violations. They generally will not cite UDAP violations that have been self-identified and fully corrected before the start of a consumer compliance exam. The FDIC will also consider a bank’s record keeping practices and any challenges a bank may have with retrieving, reviewing, and analyzing re-presentment data, on a case by case basis when evaluating the lookback time period used for customer remediation. But failing to provide restitution for harmed customers when information on re-presentments is reasonably available will not be considered full corrective action.

If examiners find violations of law that have not been self-identified and fully corrected before an exam, the FDIC will consider appropriate supervisory or enforcement actions, which could include civil money penalties and restitution.

In simpler terms, this is not a concern that FDIC-supervised institutions can ignore and hope it goes away.

Is your bank’s overdraft program ‘dynamic’?

The March 2022 edition of the FDIC’s Consumer Compliance Supervisory Highlights includes compliance exam observations concerning automated overdraft programs that have been converted from static to dynamic overdraft limits.

Static limits are usually set at account opening and seldom change. Institutions use limits ranging from $100 to over $1,000 that may vary by account type. Some banks assign the same limit to all customers. Those limits are usually communicated to customers at account opening, in subsequent disclosures (particularly when participating in an overdraft program is delayed for a period after account opening) or through some other method, such as online or mobile banking channels.

Dynamic limits, on the other hand, vary for each customer and may change periodically (daily, weekly, monthly, for example) as a customer’s usage or bank relationship changes. In some cases, a customer’s assigned overdraft limit might be $1,000 one day and reduced to zero within a few days.

Changes are often controlled by an algorithm (a set of system rules) that attempt to manage risk by weighing variables and customer behaviors. Variables involved often include account age, balance, overdraft history, deposit amounts and frequency and other customer relationships with the bank. Algorithms may be adjusted based on policy changes, competition, customer behavior, etc. And, based on examination observations, banks do not always communicate limit changes to their customers.

Failures to communicate: In 2021, the FDIC identified several banks that converted their programs from a static limit to a dynamic limit. Examiners had concerns with how some of the conversions were implemented and cited violations of section 5 of the Federal Trade Commission Act due for deceptive acts or practices. Those institutions failed to disclose enough information about the change to a dynamic limit. Some institutions did not communicate with their customers about the change at all. In many cases, banks failed to disclose some or all of these key changes:

Replacement of the fixed amount with an overdraft limit that may change and could change as frequently as daily
Use of a new overdraft limit that may be lower or higher, at times, than the fixed amount to which the customer had become accustomed
Suspension of the overdraft limit when it falls to zero and how such a change may result in transactions being returned unpaid to merchants/third parties due to insufficient funds.

Those omissions were considered material by the FDIC. They included necessary information customers needed to make informed decisions about how the new dynamic limit program operated. Customers were not able to understand how to avoid fees associated with an overdraft or fees for transactions declined for payment. The FDIC determined that changes without adequate disclosure resulted in consumer harm.

Mitigating risk: As with its guidance to banks concerning assessing NSF fees for multiple re-presentations derived from the same transaction, the FDIC included in the “observations” article on implementation of overdraft program dynamic limits a list of risk-mitigating activities banks can consider to reduce the risk involved in implementing such limits:

Providing clear and conspicuous information to existing customers so they have advance notice of how the change from a fixed overdraft limit to a dynamic limit will affect them. This is especially important when the bank previously disclosed the amount of the fixed overdraft limit to customers.
Disclosing changes to overdraft limits in real time to consumers, as these vary, with the opportunity for consumers to adjust their behavior
Reviewing and revising account opening disclosures or other communications used to inform new customers about the automated overdraft program to avoid engaging in deceptive practices
Explaining that the dynamic limit is established based on algorithms, or a set of rules, that weigh numerous variables and customer behaviors, how the limit may change (including the frequency of change), and how the limit may be suspended or reduced to zero when eligibility criteria are no longer met
Training customer service and complaint processing staff to explain the features and terms of the automated overdraft program’s dynamic features. This training should be provided to staff who work with new customers as well as those who work with existing customers.

2022 OK Legislative Changes

By Pauli D. Loeffler

Title 12 O.S. § 1190

Garnishment fee increase

A history of garnishment fees in Oklahoma: Going back as far as 1996, and perhaps even before, a garnishee holding the judgment debtor’s funds was only allowed to deduct a fee in the amount of § 10.00 from funds of the judgment debtor as payment for processing the garnishment. Keep in mind that the Oklahoma statutes require the federally insured depository garnishee to:

Maintain a garnishment and note the receipt of the garnishment summons
Mail or deliver the garnishment packet to the judgment debtor
Segregate funds of the judgment debtor on deposit at the time the garnishment summons is serve
Determine whether the judgment debtor leases a safe deposit box, and if so, seal the box from entry for 30 days (Banking Code § 1312)
Respond to the garnishment summons by filling out the Garnishee’s Affidavit/Answer and filing it with the court within 10 business days (days the court issuing the garnishment is open, not the days the bank is open for business
Provide a copy of the Affidavit/Answer to the creditor’s attorney or the creditor
Remit a check to the creditor

If the judgment debtor does not have an account or lease a safe deposit box, the garnishee must still comply with the last three bullets and request the $10.00 fee. Law firms whose practice is representing creditors usually are very good about remitting the fee, but some collection firms, creditor’s representing themselves, and attorneys that rarely did collections would ignore the garnishee’s request. The $10.00 fee is pretty paltry, and if the creditor didn’t send the fee upon request, it isn’t efficient to take action against the creditor.

Handling garnishments became even more time and labor intensive with the U.S. Treasury Fiscal Services Garnishment of Accounts Containing Federal Benefit Payments, 31 C.F.R., Part 212 (“the Federal Benefits Rule”} effective May 1, 2011. In addition to requirements of Oklahoma law, the Federal Benefits Rule came with new and more onerous requirements:

The bank had to determine whether it has an account holder as defined in § 212.3: “Account holder means a natural person against whom a garnishment order is issued and whose name appears in a financial institution’s records as the direct or beneficial owner of an account.” Accounts held by corporations, LLCs, partnerships, limited partnerships, etc., even if they, for some reason, were receiving federal benefits by direct deposits, are not subject to the Federal Benefits Rule. On the other hand, revocable trust accounts and sole proprietorship accounts receiving federal benefits ARE subject to the Federal Benefits Rule.
The bank had to determine whether a federal benefit payment was paid by direct deposit to an account of an account holder. If so, the bank was required to determine the amount of benefits directly deposited during the lookback period, and
Establish the amount of protected funds, and
Provide the Notice to account holder under § 212.7. Under the 2013 revision, If ALL funds ae protected, the notice is not required.

Bankers ask whether Oklahoma has a maximum fee amount that can be charged customers for garnishments. Oklahoma has no limit the bank can charge a customer for a garnishment. The low-end fee is generally $25 while some banks charge two or three times that much particularly for garnishments on commercial accounts. If the amount in the judgment debtor’s account exceeds the judgment, the bank can satisfy its fee, but this is rarely the case. The bank can take the account negative to grab the fee if and when the account receives a deposit.

However, for accounts subject to the Federal Benefits Rule, banks were wholly prohibited from collection of their fee other than from unprotected funds. The bank could not collect under the original 2011 § 212.6 (h), which prohibited the bank from charging or collecting a garnishment fee against a protected amount or collecting a garnishment fee after the date of account review. This was modified in 2013 to allow the bank to “charge or collect a garnishment fee up to five business days after the account review if funds other than a benefit payment are deposited to the account within this period, provided that the fee may not exceed the amount of the non-benefit deposited funds.”

Scatter-gun garnishments

In addition to the garnishment fee remaining the same amount for two decades, banks were receiving more and more garnishments where the judgment debtor never was a customer of the bank. I envisioned the creditor took an Oklahoma map and used a compass to draw a circle around the judgment debtor’s home or place of business and sent garnishments to all banks within a 50-mile radius. OBA and several reputable collection attorneys held discussions regarding a proposed amendment to 12 O.S. § 1171 to require the creditor to exhibit good faith with some factual basis to believe the debtor has or previously had a relationship with the garnishee such as an inquiry, loan or account with the bank from a credit report or checks from the judgment debtor drawn on the bank. The collection attorneys had no objection to increasing the fee and mailing a check with the garnishment summons but did not support language that the service without the check allowed the garnishee to delay attachment of the fund. Their concern was due to their practice of providing the court clerk with the affidavit, garnishment summons, etc., together with a stamped and a pre-addressed envelope for mailing to the garnishee after filing done by the court clerk. If the garnishee claimed the check was not provided, there was no way to determine whether the creditor didn’t include it, the court clerk mislaid it, or it was mislaid by the garnishee.

Amendment clarifying bank’s duties if the fee doesn’t accompany the garnishment

One question I could not confidently answer under the 2016 amendment was: “What does the bank do if the check is NOT provided with the garnishment summons? “My belief was that while it was possible that the bank might misplace the check after receiving the garnishment, the person logging the garnishment should note the details of the check in the log. Further, the creditor was responsible for making sure the check was in the envelope with the garnishment summons, and if the court clerk mislaid it, s/he was the agent for the attorney. While I believed that if the check wasn’t provided, the bank wasn’t required to freeze the judgment debtor’s funds, I cautioned our members that a court could construe the provision differently. The statute effective for garnishments issued on and after November 1, 2022, not only increases the fee to $35.00 but also removes the uncertainty:

2. A judgment creditor shall remit a fee of Thirty-five Dollars ($35.00) as reimbursement for costs incurred in answering a garnishment issued pursuant to subparagraph d of paragraph 2 of subsection B of Section 1171 of this title to garnishees which are federally insured depository institutions. Such fee shall be delivered to the garnishee with the garnishment summons, and the garnishee shall not be required to attach funds of the judgment debtor until such fee is received. Any fee paid to a garnishee pursuant to this paragraph shall be taxed and collected as costs.

This language also works well as far as the Garnishment of Federal Benefit Payments is concerned. No funds of an account holder will be frozen until the check is received. The account review, lookback period, and determination of protected amount will be triggered upon receipt of the check. Further, the mailing or delivery of the garnishment package to the judgment debtor can and probably should be delayed until the check is received. Garnishments are public record, so the judgment debtor may learn of the garnishment before the bank receives the check and freezes the account, but I would not advise the bank to notify the customer until the check is received. The time to file the garnishee’s answer, mail the answer to the creditor or creditor’s attorney, and remit the judgment debtor’s funds to the creditor will be determined by the date the check is received.

I have been in contact with the Administrative Office of the Courts (the AOC), which is responsible for promulgating the Official Garnishment Forms. The revised non-continuing Pre- and Post-Judgment Garnishment forms will clearly state below the signature line: (Pursuant to 12 O.S. § 1190 a judgment creditor must remit a Thirty-five Dollar ($35.00) fee for costs to any federally insured depository institution garnishee. Fee must be delivered with the garnishment summons. Garnishee is not required to attach the funds of the judgment debtor until such fee is received.)
The AOC is responsible for drafting legal forms for use under a number of Oklahoma statutes. and the categories of forms is accessible at this link: https://www.oscn.net/static/forms/AOCforms.asp. The Garnishment Forms required to be used under the various statutes are available at https://www.oscn.net/static/forms/aoc_forms/garnishment.asp and several are available in both Microsoft Word and PDF formats.

The first time I had the pleasure of working with the AOC was in 2011 in making changes to the forms with regard to the Garnishment of Federal Benefit Payments rule. The Federal Benefits Rule flew under the radar of the AOC because it wasn’t a change in state law, but it did require the revision of the garnishment summons and the garnishment Affidavit/Answer. On the other hand, when § 1190 was amended in 2016, the AOC had the revised forms ready to post on the website, removed the old forms on November 1, 2016, the date the amendment became effective, and removed the outdated forms.

Issues to expect

Based on past experience, banks should expect there will be some problems at first with the most recent changes. Banks should not expect garnishment summons issued on and after November 1, 2022, to contain the language on the AOC form. The majority of attorneys keep templates of the forms on their computers. With the 2011 revision to the AOC forms, a fair number of creditors’ attorneys were oblivious to the Federal Benefits Rule and didn’t revise their forms. When § 1190 became effective November 1, 2016, based on emails from OBA members, the OBA Compliance Team learned that some attorneys still hadn’t updated their forms more than five years later. I don’t expect it will be any different this time around. Note that when an outdated garnishment summons is used, the Garnishee’s Affidavit/Answer will likewise be an outdated form. That was an issue with regard to use of the Garnishee’s Affidavit/Answer for garnishments on and after the May 1, 2011, effective date of the Garnishment of Accounts Containing Federal Benefit Payments, so book marking the AOC webpage is a good idea not only for this reason but also when the garnishment packet doesn’t include the Claim for Exemption and Request for Hearing Form.

The majority of garnishments filed by pro se creditors (creditors representing themselves rather than through an attorney) also used the old forms for several months after the AOC issued revised forms in 2011 and again in 2016. Not all court clerks were aware of the changes, and court clerks tend to be a frugal bunch. Most clerks maintain packets of garnishment forms used by pro se creditors. Either to save money, time and labor, or to avoid killing trees, some clerks didn’t print the new forms until they ran out of the old ones. Court clerks are the primary forms source for pro se creditors. There is nothing to prohibit filing an outdated form. Clerks will file it if it is properly captioned, i.e., includes the names of the court, the plaintiff, the defendant, the case number, and the filing fee is paid.

Unlike the 2016 amendment to § 1190, the bank doesn’t need to do more than log the garnishment and note that the $35 did not accompany the garnishment Summons. I suggest contacting the creditor’s attorney or creditor and advise of the change to § 1190. If the bank receives the fee, I don’t believe that the creditor/creditor’s attorney needs to file a new or amended affidavit and garnishment summons.

Uniform Consumer Credit Code Amendments Effective November 1, 2022

Title 14A O.S. § 1-106

Effective November 1, 2022, § 1-106 Change in Dollar Amount Used in Certain Sections which includes late fees, $ 3-508A lender’s closing fee, § 3-511, and other sections is amended. The amendment removes § 3-508B loans from subsection (1) of this section. Subsection (2) provides the manner and index for adjustments to amounts under § 3-508B loans. Former Subsection (2) is renumbered as Subsection (3) and covers Sections under Subsection (1). Subsection (3) is renumbered as Subsection (4) and covers Sections under Subsection (2) i.e., § 3-508B. Subsection (4) is renumber Subsection (5), Subsection (5) is renumbered Subsection (6), and Subsection (6) is renumbered Subsection (7).

Title 14A O.S. § 3-508B

Sec. 3-508B provides an alternative method of imposing a finance charge to that provided for Sec. 3-508A loans. Late or deferral fees and convenience fees as well as convenience fees for electronic payments under § 3-508C are permitted, but other fees cannot be imposed. No insurance charges, application fees, documentation fees, processing fees, returned check fees, credit bureau fees, nor any other kind of fee is allowed. No credit insurance, even if it is voluntary, can be sold in connection with in § 3-508B loans. If a lender wants or needs to sell credit insurance or to impose other normal loan charges in connection with a loan, it will have to use § 3-508A instead. Existing loans made under § 3-508B cannot be refinanced as or consolidated with or into § 3-508A loans, nor vice versa. The statute as amended is available on the OBA’s Legal Links web page.

Oklahoma’s Telephone Solicitation Act of 2022 effective November 1, 2022

The June 2022 OBA Legal Briefs has in-depth information on this Act.

Reg O FAQ

By Pauli Loeffler

We often get asked what happens when a borrower becomes an insider or an executive officer of the bank? The Federal Reserve covers this in one of its FAQs:

Q2: When do the requirements of Regulation O apply to extensions of credit to a person that becomes an insider after the member bank made the extension of credit (transition loans)?

A2: Transition loans need not conform to the requirements of Regulation O until such extensions of credit are renewed, revised, or extended, at which time the extensions of credit would be treated as a new extension of credit and therefore subject to all of the requirements of Regulation O. However, transition loans must be counted toward the individual and aggregate lending limits of Regulation O as soon as the borrower becomes an insider.

This same treatment would apply to extensions of credit to a director or principal shareholder that later becomes an executive officer. Such extensions of credit need not conform to the provisions of Regulation O that apply only to executive officers until such extensions of credit are renewed, revised, or extended. However, the amount of any such extensions of credit count toward the quantitative limits for loans to executive officers in section 215.5 of Regulation O as soon as the director or principal shareholder becomes an executive officer.

Many lines of credit by a member bank to an insider must be approved by the bank’s board of directors every 14 months. Each such approval constitutes a new extension of credit. Accordingly, transition loans that are lines of credit generally must conform to the requirements of Regulation O within 14 months of the borrower becoming an insider.

Notwithstanding the general principles noted above, the treatment described here does not apply to extensions of credit made by a member bank in contemplation of the borrower becoming an insider or executive officer. Under such circumstances, the extension of credit should comply with all requirements of Regulation O at the time it is made.

September 2022 OBA Legal Briefs

Concerns about overdrafts and fees grow (Part 1)
Repossessions and the SCRA

Concerns about overdrafts and fees grow — Part 1

By John S. Burnett

Regulators have run hot and cold on the topics of overdraft programs and associated fees for well over a decade. A few landmark issuances along that rocky road were:

The 2005 Interagency Joint Guidance on Overdraft Protection Programs
The FDIC’s Final Overdraft Payment Supervisory Guidance in November 2010
F AQ from FDIC in April 2011
A 2014 letter from the Kansas City FDIC’s Division of Depositor and Consumer Protection on Fees Associated with Extended Overdrafts

Enter the CFPB

The subjects of overdrafts and associated fees have been studied and written about by the CFPB almost since the Bureau opened its doors in 2011. The Bureau’s first Director, Richard Cordray, was a harsh critic of then-current overdraft programs and fees during his tenure at the Bureau. He advocated for “safer” accounts designed to prevent overdraft fees, and even suggested the use of prepaid cards as an alternative to expensive checking accounts and their fees. In August 2017, in a press call on overdrafts, Cordray spoke of a study that found frequent overdrafters who have opted in to debit card and ATM overdraft service typically pay almost $450 more in overdraft fees per year comparted to frequent overdrafters who had not opted in. The Bureau issued updated model disclosure prototypes to replace the Regulation E Model A-9 disclosure form with that study

In April 2015, the Bureau issued a consent order in an administrative proceeding against Regions Bank for failing to obtain required opt-ins from customers who had linked their savings accounts to checking accounts to cover overdrafts, but charging the customers overdraft fees when the savings account was wiped out by ATM or one-time debit card transactions, but had not obtained an opt-in for overdraft service as required by Reg E. For that violation and others, Regions Bank was fined $7.5 million and refunded over $47 million to customers before the order was issued, and was ordered to identify any other customers who were owed a refund.

In July 2016, the Bureau ordered Santander Bank, N.A., to pay a $10 million fine for illegal overdraft service practices. This case involved a telemarketing vendor that deceptively marketed the service and signed some of the bank’s customers up without their consent.

In January 2017, a federal district court approved a Bureau settlement with TCF National Bank regarding its marketing and sale of overdraft services. The Bureau had alleged that, when attempting to obtain consent for OD service as required by Reg E, TCF obscured the fees it charged and made consenting to fees seem mandatory for new customers. TCF agreed to pay $25 million in restitution and a penalty of $5 million.

In August 2020, the Bureau issued a consent order against TD Bank, N.A. regarding its marketing and sale of its optional overdraft service, Debit Card Advance (DCA). The Bureau found that TD Bank’s overdraft enrollment practices violated the Electronic Fund Transfer Act (EFTA) and Regulation E by charging consumers overdraft fees for ATM and one-time debit card transactions without obtaining their affirmative consent. The Bureau found that TD Bank violated the Consumer Financial Protection Act (CFPA) prohibition against deceptive acts or practices by making misleading representations to consumers regarding DCA while offering that service to consumers in person, over the phone, and through mailed solicitations. The Bureau also found that TD Bank violated the CFPA’s prohibition against abusive acts or practices by materially interfering with consumers’ ability to understand the terms and conditions of DCA. . TD Bank paid a $25 million penalty and was ordered to pay an estimated $07 million in restitution.

Recent CFPB activity

One of the first actions taken by the Bureau’s newest director, Rohit Chopra, has been an ongoing campaign against “junk fees,” with an undisguised disdain for bank overdraft and NSF fees.

In December 2021, the CFPB released research on OD and NSF revenue, which reached an estimated $15.47 billion in 2019. Three banks (JPMorgan Chase, Wells Fargo, and Bank of America) brought in 44 percent of the total OD and NSF income reported in 2019 by banks with assets over $1 billion. The CFPB also said that while small institutions with overdraft programs charged lower fees on average, consumer outcomes were similar to those found at larger banks. The research also notes that, despite a drop in fees collected, many of the fee harvesting practices persisted during the COVID-19 pandemic,

In February 2022, the Bureau posted a blog article comparing overdraft fees and policies across the top 20 banks ranked by 2019 reported overdraft income. The article noted significant changes by several of the banks. In an update of the table provided in that blog. The Bureau now reports that, since the 2021 review, 15 of the banks have eliminated NSF fees (you will see a possible reason for that change later in this article). Fifteen reported no sustained OD fee (up from 12 in 2021). Two banks (up from one), reported they charge no OD fees at all. Four banks (up from three) reported they don’t charge OD fees on debit card purchases, and eight banks don’t charge OD fees on ATM withdrawals (up from four in 2021).

The Bureau is highlighting these changes to demonstrate that some big banks are paying attention to regulatory saber-rattling, or are just plain tired of fighting the battle over what the Bureau has termed “junk fees.”

Multiple NSF fees and the FDIC

There has been growing regulator concern over the practice of charging multiple NSF fees for multiple presentments of items for a single transaction. Briefly, this can happen when a bank charges a first NSF fee for a check drawn on insufficient funds and returns the check, and, when the check is presented a second time against insufficient funds, returns the check again, assessing a second NSF fee. In some cases, checks get presented more than twice, or they are converted to ACH debits (a re-presented check or RCK entry), which can be used once if the check has been returned twice, or twice if the check has only been returned once. Imagine a $50 check being bounced three times at $35 an event!

Regulators have been voicing their concerns over the practice and point to recent litigation in which banks and a very large federal credit union have been sued for charging multiple NSF fees for a single transaction. A class action suit against Navy FCU was dismissed, but when the lead complainant appealed, the CU agreed to a settlement.

The FDIC issued “Supervisory Guidance on Multiple Re-Presentment NSF Fees” with FIL-40-2022 (https://www.fdic.gov/news/financial-institution-letters/2022/fil22040.html) on August 18, 2022, “to address certain consumer compliance risks associated with assessing multiple non-sufficient funds (NSF) fees arising from the re-presentment of the same unpaid transaction.” In the Guidance, the FDIC also shared “its supervisory approach when a violation of law is identified, as well as expectations for full corrective action.”

According to the Guidance, during consumer compliance examinations, the FDIC has “identifies violations of law when financial institutions charged multiple NSF gees for the re-presentment of unpaid transactions.” The FDIC found that “some disclosures provided to customers did not fully or clearly describe e the institution’s re-presentment practice, including not explaining that the same unpaid transaction might result in multiple NSF fees if an item was presented more than once.”

Comment: Some banks might be tempted at this point to pull out Regulation DD’s commentary to section 1030.4(b)(4) – Account disclosures; Content of account disclosures; Fees— and run down the page to comment 4(b)(4)-5, Fees for overdrawing an account, which says, “Under § 1030.4(b)(4) of this part, institutions must disclose the conditions under which a fee may be imposed. In satisfying this requirement institutions must specify the categories of transactions for which an overdraft fee may be imposed. An exhaustive list of transactions is not required. It is sufficient for an institution to state that the fee applies to overdrafts ‘created by check, in-person withdrawal, ATM withdrawal, or other electronic means,’ as applicable. Disclosing a fee ‘for overdraft items’ would not be sufficient.”

The point being made by the FDIC, however, isn’t that the banks that charged multiple fees for re-presentments violated the Truth in Savings Act or Regulation DD; it’s that not disclosing that multiple NSF fees may be charged if multiple items for the same transaction are presented and not explaining how that can occur creates “a heightened risk of violations of Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices (UDAP).” The Guidance continues, “While specific facts and circumstances ultimately determine whether a practice violates a law or regulation, the failure to disclose material information to customers about re-presentment and fee practices has the potential to mislead reasonable customers, and there are situations that may also present risk of unfairness if the customer is unable to avoid fees related to re-presented transactions.”

In a footnote, the FDIC suggests that these practices may also violate Section 1036(a)(1)(B) of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (12 U.S.C. § 5536(a)(1)(B)), which prohibits any covered person or service provider from engaging in, among other things, abusive acts or practices in connection with a consumer financial product or service. That portion of the Dodd-Frank Act is also referred to as the Consumer Financial Protection Act.

Deceptive practices: The guidance continues: “In a number of consumer compliance examinations, the FDIC determined that if a financial institution assesses multiple NSF fees arising from the same transaction, but disclosures do not adequately advise customers of this practice, the misrepresentation and omission of this information from the institution’s disclosures is material. The FDIC found that if this information is not disclosed clearly and conspicuously to customers, the material omission of this information is considered to be deceptive pursuant to Section 5 of the FTC Act.”

Unfair Practices: On this topic, the Guidance offers, “In certain circumstances, a failure to adequately advise customers of fee practices for re-presentments raises unfairness concerns because the practices may result in substantial injuries to customers; the injury may not be reasonably avoidable; and there may be no countervailing benefits to either customers or competition. In particular, a risk of unfairness may be present if multiple NSF fees are assessed for the same transaction in a short period of time without sufficient notice or opportunity for customers to bring their account to a positive balance in order to avoid the assessment of additional NSF fees. While revising disclosures may address the risk of deception, doing so may not fully address the unfairness risks.

Watch for Part 2: In Part 2 of this article, we’ll look at third-party risk and what the FDIC expects of a bank that discovers it has problems like those described in the Guidance. We will also look at another relatively new regulatory concern about overdraft programs.

Repossessions and the SCRA

By Andy Zavoina

I want to share a recent issue that a compliance officer consulted me on. This is your opportunity to realize that even when you train and have sound policies and procedures, people can – and will — still make mistakes.

I had a disturbing call recently from a banker who appears to have a good compliance program. I say the program is “good” not because I have audited it, but because she was auditing files from three months prior and she found a questionable repossession. As you will read, she was right to question it, and that is why I say that part of her Compliance Management Program is working. Detecting errors leads to an earlier correction when that may be possible, and to fewer repeat problems because a part of any corrective action typically involves re-training. Very often an auditor reviews a file, scans it to understand what has happened and explains the actions away as a way of justification.

In this case, the lender had a car loan that was past due and was ready for a repossession order. Having recently had some training on repossession procedures and the Servicemembers Civil Relief Act (SCRA), he checked the DMDC database to verify the borrower was not covered.

In my SCRA training materials I recommend that banks “Design [their] foreclosure procedures to ensure counsel is following all requirements, to include completion of all background research and proper notice as expected by the regulators. This includes repossession of personal property as well. When you check the SCRA database you will enter a date in a field for ‘Active Duty Status Date’ and the response you will receive based on that date, is the status of the individual – whether or not the individual was actively serving, received a notice to serve, or was serving – for a period of 367 days prior to the given date. So when you check this, you are getting the status for the last year.” The yearlong lookback allows for real property foreclosure protections that last for a year after discharge. That does not apply to vehicle repossessions.

In this case the lender checked, received a negative response and put the car out for repossession by a third-party agent. This is where it gets questionable. I do not know how much time elapsed, but on the day of the repossession itself, the lender checked again. As you can predict, the response was now affirmative. As of that day the borrower was a servicemember and afforded all the protections under section 302 of the SCRA (50 U.S.C. 3952).

“After a servicemember enters military service, a contract by the servicemember for–

(A) the purchase of real or personal property (including a motor vehicle); or

(B) the lease or bailment of such property,

may not be rescinded or terminated for a breach of terms of the contract occurring before or during that person’s military service, nor may the property be repossessed for such breach without a court order.

This section applies only to a contract for which a deposit or installment has been paid by the servicemember before the servicemember enters military service.”

I do not know if the car was repossessed before or after the second verification was done. If it was done before, repo order should have been rescinded. If it was not possible to do immediately it should have been done as soon as possible. Now that the car could not technically be repossessed, those expenses will be paid for by the bank and without the ability to collect them as a collection cost. Add to that the bank may now have to pay to return the car to the servicemember which adds to the cost of the already delinquent loan. The benefit here would be that a recent check did not indicate a protected status but one on the day of the repossession did. The car could be retuned and the bank could claim “no harm, no foul” so long as there is no claim of damage to the car from the repossession. But it did not stop there. That would not be an interesting lesson.

This repo occurred three months before. Regardless of the above recommendation to immediately return the car and undo a bad situation, that advice is too late. The lender, now knowing the borrower was protected, proceeded to sell the car and apply the proceeds against the loan balance. Why?

As an auditor there are now more questions to be asked. This file escalates from a routine audit to damage control.

When was the protected status known?
Why was the car sold?
Was this a commercially reasonable sale, were personal items returned, were notifications of the sale sent and was the borrower provided an ample period to cure the default?
When was the lender last trained on the bank’s policy and procedure?
Was the training thorough?
Was the second DMDC check a standard procedure (I would say it would be a good one) or did the lender suspect the borrower was going to be protected and wanted to “beat the clock” so to speak and get the car before protections were actually in effect?
What was the cost of the repo?
What was the sale price and was there a deficit?
Has the borrower contacted anyone at the bank?

The Compliance Officer also has immediate work to do, and it was needed yesterday.

Review training records to verify the lender was appropriately trained. If he was not, why not?
Advise all lenders/collectors of the requirements to immediately prevent a repeat violation. It would move to catastrophic to have the same thing happen after the bank is aware of this instance.
Was this an anomaly? Realistically all repossessions need to be reviewed for a period of (my recommendation) three years. After the most recent six months is done management needs to be aware of the problem. Since there have been no other alarms, attorney calls, anyone from JAG or the borrower, the issue is thus far contained, but now must be controlled.
Discuss the case with management. Advise them of the case and the fact that a review is being conducted and so far, how it looks.
The Compliance Officer is not Human Resources, but assuming training was done, and policies and procedures were provided, HR may have to be involved. Disciplinary action may well be called for.

Some readers may be asking why all this work, what’s the big deal if the borrower has not claimed any protections after three months? Here is the deal, and it can be costly. SCRA violations are reviewed by the Department of Justice (DOJ), not your banking regulator, although they will likely be involved if the case is worth pursuing.

There was one very similar case to this. On March 28, 2018, the United States vs California Auto Finance (CAF), Case No. 8:18-cv-00523 was filed. CAF is a large sub-prime lender in Southern California and the Southwest. The suit alleges CAF repossessed a servicemember’s car after being made aware the borrower was in the service.

Andrea Starks purchased a car in Glendale, Arizona, in September 2015. She made her first payment in October 2015 which was pre-service and meets the requirements for SCRA protection. She enlisted in April 2016 and reported for active duty on May 9, 2016, the same day her vehicle was repossessed. Two days after enlisting, she provided CAF with a copy of her orders. She would not have been protected as a reservist being called to active duty based on receipt of her orders, but rather when she met the definition of “military service” which, in this case, would be when she was paid by Uncle Sam.

Had the vehicle been repossessed the day before, Starks would not have been technically protected. In any case, it was taken on the same date as she reported for duty. CAF sold the vehicle on or about May 25, 2016.

This was the single complaint against CAF made by Starks to the DOJ in November 2016. There were no other complaints against CAF mentioned. In describing the violations committed by CAF, the DOJ explains the facts it reviewed in its investigation that began in December 2016.

The Defense Manpower Data Center (DMDC) is a free database allowing lenders to determine if a person is protected under the SCRA. The CAF did not verify her status prior to repossessing the vehicle. (It would be interesting to know if Starks would have been shown as currently serving, it being her first day.) Regardless, CAF had already been given a copy of Starks orders by Starks herself.
This was pre-service debt under the SCRA.
No court order was obtained prior to the act of repossessing the vehicle.
The CAF believed at the time, and still as of this court filing, that only deployment orders would have provided protections to a servicemember. (This is incorrect. It is the act of serving, whether that be in the continental United States or overseas.)
The CAF had and still has no policies or procedures to provide staff with SCRA compliance guidance.
Because of a demonstrated lack of knowledge and guidance (the policy or procedures) the DOJ stated they “may have repossessed motor vehicles without court orders from other servicemembers” and as such viewed this as a pattern or practice of violating the SCRA protections and requirements of the SCRA. This means that Starks and other servicemembers have suffered damages.
The actions of CAF were “intentional, willful, and taken in disregard for the rights of servicemembers.”

The bank has obviously done more than CAF had and is aware of the protections the servicemember had. But it seems the violation was blatant and willful and because the lender represents the bank, the bank is at fault. The bank repossessed the car and knowing the borrower was protected, sold the car anyway.

In the Starks case there was $30,000 paid to Martinez, the only other violation the DOJ found after scrubbing years’ worth of repossession files and a $50,000 penalty. We do not know how much Starks was paid but I would be confident in estimating that in addition to the $80,000, plus the cost of attorneys, motions, court expenses, and employee cost on the CAF side of the file reviews, that CAF spent $125,000 because of that one repossession, which turned into two. Two is not excessive, but it is two too many.

In May 2017 Wells Fargo repossessed the car of Jin Nakamura. He was protected by the SCRA and paying, but the bank repossessed and sold his car. That launched an investigation, and a pattern was found. The bank paid $5,125,000 plus a third of the legal expenses for its violations. Each servicemember was paid $12,300 from the settlement except for Nakamura, who received a greater share as he instigated the case, which was settled in May 2019.

In our recent case the bank should immediately involve counsel who is familiar with the SCRA and enforcement actions. The bank should consider settling with the borrower if possible. That might avoid DOJ involvement. Servicemembers are trained on their benefits when they enlist, but it may have gone in one ear and out the other. But the military periodically retrains them, and the matter will likely come up again. Any amount of research and the borrower could decide that car was special and worth far more than the bank sold it for. The bank needs to consider zeroing the loan balance, removing the credit rating in total or certainly the repossession, and reimbursing the agreed value of the car to the servicemember. These costs combined would be far less than a DOJ investigation and the reputational risk the bank would suffer.

Here is an example/article from “Housing Wire” of a foreclosure that happened in 2010, but the complaint was not made for six years. The DOJ was heavily involved, and the complaint was years after the foreclosure.

In late 2017, Northwest Trustee Services, the “largest foreclosure trustee in the Pacific Northwest,” illegally foreclosed on dozens of military veterans and servicemembers over the last few years, the DOJ claimed in its lawsuit. According to the DOJ, in the prior six years, Northwest had foreclosed on at least 28 homes owned by servicemembers without the necessary court orders.

The lawsuit came after the DOJ launched an investigation into Northwest’s foreclosure practices at the urging of Marine veteran Jacob McGreevey of Vancouver, Washington, who submitted a complaint to the DOJ’s Servicemembers and Veterans Initiative in May 2016.

Portland’s The Oregonian has been all over McGreevy’s story, previously chronicling his fight against Northwest and PHH Mortgage, his mortgage servicer, for foreclosing on his home shortly after he returned from active duty.

According to the DOJ, Northwest foreclosed on McGreevey’s home in August 2010, less than two months after he was released from active duty in Operation Iraqi Freedom.

In 2016, McGreevey sued both PHH and Northwest, but a U.S. District Court Judge accepted PHH and Northwest’s argument that McGreevy had waited too long to file his case and dismissed the case on that basis.

Here’s how the Oregonian described that process in one of its reports:

Altogether, he served four tours in either Iraq or Afghanistan. In between deployments, McGreevey would return to Vancouver, where he bought a house on Northeast 24th Court. But he fell behind on payments.

PHH Mortgage repossessed his house in June 2010. Knowing next to nothing about the consumer protections afforded him as a member of the military, McGreevey didn’t contest it. The foreclosure became final the following September.

McGreevey had advanced from private to staff sergeant by the time his final deployment ended in 2012. Though diagnosed 80% disabled with post-traumatic stress syndrome, hearing loss and a back injury, he set about reinventing himself for civilian life. He earned a business degree from Portland State University and got a job at a bank.

That’s when he learned about consumer protection laws, including the Servicemembers Civil Relief Act.

From there, McGreevy sued Northwest and PHH. But McGreevy’s case was dealt a blow earlier that year, when the DOJ sided with Northwest and PHH in McGreevy’s lawsuit.

But later, the DOJ reversed its position and cites McGreevy’s case as the impetus for its lawsuit against Northwest. It should be noted that the DOJ had taken no action against PHH in this case, to this point.

According to the DOJ, its investigation revealed that, beyond McGreevey, Northwest foreclosed on other homes of SCRA-protected servicemembers in violation of the SCRA since 2010.

“The loss of a home is a devastating blow for anyone – but far worse for active duty service members often called to war zones far from Western Washington,” said U.S. Attorney Annette Hayes.

Our investigation revealed that Northwest Trustee Services repeatedly failed to comply with laws that are meant to ensure our service members do not have to fight a two-front war – one on behalf of all of us, and the other against illegal foreclosures,” Hayes continued. “My office will continue to work closely with our colleagues in the Civil Rights Division in Washington, D.C. to protect Western Washington service members from this kind of misconduct.”

According to the DOJ, it is seeking monetary damages for affected servicemembers, as the SCRA provides for civil monetary penalties of up to $60,788 for the first offense and $121,577 for each subsequent offense.

But Sean Ridell, who served in the Marines and is McGreevy’s lawyer, told the Oregonian that he wants much more than just money.

“I want Northwest Trustee and PHH put out of business, their buildings burned down, and the ground salted so that nothing ever grows for what they did to veterans,’ Ridell said.

As you can see, historically these violations do not end well for the bank whether it is a home foreclosure or auto repossession and there can be years between the violation and the final reckoning. During that time there are expenses and distractions, none of which are good for the bank. The actions of the lender may have cost the bank six figures. If it acts proactively, it will emerge smarter and only at a five-figure expense. This is a real case, and all bankers should assess their own situation and ask, “Could this have happened here?”

Legal Briefs Index

August 2022 OBA Legal Briefs

COVID coughs up and update
FCRA is on the front burner

COVID coughs up an update

by Andy Zavoina

Perhaps your staff is all back in the bank, some are travelling for summer vacation, masks are seen sparsely, and COVID-19 seems to be something viewed only in the rearview mirror. But that does not mean the pandemic is over, or that your pandemic procedures can be put back on the shelf as life moves forward once again. In addition to yet another variant, some things “pandemic” are still in motion and your bank needs to be aware. Your Human Resources department may need a copy of this update if they haven’t seen the information already. You may recall our covering the U.S. Equal Employment Opportunity Commission (EEOC) rules addressing pandemic procedures in the May 2021 Legal Briefs. This is an update to that article.

On July 12, 2022, the EEOC revised the informal guidance (https://www.eeoc.gov/laws/guidance/covid-19-pandemic-and-caregiver-discrimination-under-federal-employment). The EEOC has updated employee testing protocols and any mandates imposed for vaccine requirements as well as a few other related issues. Depending on what your bank was doing, there may be less justification for it today.

The EEOC revised its position on COVID-19 screening of employees. Screening or testing is no longer considered automatically a “business necessity” in order to operate day-to-day as it was at the beginning of the pandemic. Instead, your bank should evaluate your local conditions and individual circumstances to determine if continued screening or testing is justified as a business necessity, or if it is doing so today based on a potentially outdated policy or procedure.

The EEOC guidance provides eight factors to consider in determining whether circumstances indicate continued screening or testing would be considered a business necessity in your bank and branches:

1. The level of community transmission
2. The vaccination status of employees
3. The accuracy and speed of processing for different types of COVID-19 tests deemed acceptable
4. The degree to which breakthrough infections are possible for employees who are “up to date” on vaccinations
5. The ease of transmissibility of the current variants
6. The possible severity of illness from the current variants
7. What types of contacts employees may have with others in the workplace or elsewhere that they are required to work (e.g., working with medically vulnerable individuals)
8. The potential impact on operations if an employee enters the workplace with COVID-19.

Note: many of the terms used above are explained in greater detail with links on the EEOC site linked in this article. In making these assessments, the bank should check the latest CDC guidance as well as other relevant sources and determine whether screening or testing is appropriate for these employees.

If your branches are all in one area, it may be easy to handle them all the same. If, however, they are spread across many miles, it may be appropriate to tailor procedures to the outlying branches separately, based on the local conditions of each branch. In any case it is time to review the policy and procedures followed for the extreme circumstances a pandemic requires and ensure there is flexibility in screening and testing requirements as the threat level has been lowered and there are fewer protections from violations of the Americans with Disabilities Act.

FCRA is on the front burner

by Andy Zavoina

The Fair Credit Reporting Act (FCRA) is shifting to your front burner, at least until you complete a review and ensure your bank is completely compliant. Rarely is a compliance process one that you can “set and forget.” Procedures need controls that provide checks and balances and on occasion we get little reminders that at least some in our industry were slacking, or just plain doing it wrong.

The Consumer Financial Protection Bureau (CFPB) released an Advisory Opinion on July 7, 2022, on the FDCRA and Regulation V. The reality is that the CFPB is extending its authority in this case to emphasize data protection requirements and privacy. On July 26, 2022, we read an enforcement action from the CFPB against Hyundai for – yes – FCRA violations. The enforcement action included some language that alleged Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) in addition to the FCRA and Reg V violations. “Piling on” is seen more often in these enforcement actions and this one cost Hyundai over $19 million.

So, let’s discuss some of the FCRA reminders from the Advisory Opinion and the lessons learned from the enforcement action, so you can review your FCRA practices and ensure compliance is in order.

In fact, the enforcement action carries lessons far beyond the FCRA, as it says a lot about compliance management. In this case, deficiencies were found. But it took years for the fixes to be put in place and therein lies part of problem leading to the penalty. Problems were found, plans were made to address the issues, but it never really got done. “Follow through” is an important part of the compliance management and audit process and it did not work here.

This Advisory Opinion, “Fair Credit Reporting; Permissible Purposes for Furnishing, Using, and Obtaining Consumer Reports,” is an interpretation of the existing rules and is not intended to change the law or Reg V, but rather to provide guidance in your efforts to comply with the existing rules. This information should be preserved with your regulatory materials as a future reference for use in audits, training, and development of policies and procedures.

This Advisory Opinion applies to Credit Reporting Agencies (CRA) as providers of credit reports as well as users of those reports. Our emphasis here is on the latter but we must also appreciate the former and be aware that changes could result from this. As it relates to the Advisory Opinion, 604(a)(3) of the FCRA is consumer-specific and requires a CRA to ensure that only a specific consumer’s data is released when a credit report is requested. This data protection rule provides that John A Smith’s credit information should not be released when John A Smith Jr.’s file is accessed. It seems some CRAs have been lax in matching up just a name instead of several data points such as a Social Security number, date of birth or addresses to better narrow down the file actually requested.

As to name only matching, one CRA stated when providing a consumer report: “This record is matched by First Name, Last Name ONLY and may not belong to your subject. Your further review of the State Sex Offender Registry is required in order to determine if this is your subject.” That disclaimer sends up several red flags. This is a problem for the CRA as the provider of the report and for the bank as a user of the report. The Advisory Opinion makes it clear that any disclaimer from the CRA that the file “could” have someone else’s information is not sufficient to protect them from penalties resulting from the release of this information. It also does the bank no good to have information on John A Smith when it is Junior who is applying for a loan. Similarly, if the bank requested the file on John A Smith instead of Junior, it would have violated the FCRA because it had no permissible purpose to request that file. And because the bank’s contract with the CRA will require it only requests files when it has a permissible purpose, that contract would be violated.

Congress enacted the FCRA with particular goals, including, “to ensure f air and accurate credit reporting, promote efficiency in the banking system, and protect consumer privacy.” There were concerns that the contents of a credit file were not kept confidential. The FCRA is intended to protect the individual’s privacy by controlling both the collection and dissemination of credit information. The CFPB is respecting the privacy goals of the FCRA with its Advisory Opinion.

Section 604 of the FCRA is, “Permissible purposes of consumer reports,” and it identifies an exclusive list of “permissible purposes” under which a CRA can release the credit report including in accordance with the written instructions from the consumer to whom the report relates and for purposes relating to credit, employment, and insurance. Let’s place emphasis here on the fact that the consumer has to authorize the bank to request this report from the CRA and the fact that this is an exclusive list, meaning these are the only reasons allowed. Obviously if there is another person’s information in the file, which contributes to a violation. Among the key reasons a bank would access this includes, 604(a)(3)(A),” in connection with a credit transaction involving the consumer on whom the information is to be furnished and involving the extension of credit to, or review or collection of an account of, the consumer,” and, “(F) otherwise has a legitimate business need for the information (i) in connection with a business transaction that is initiated by the consumer; or (ii) to review an account to determine whether the consumer continues to meet the terms of the account.” These are the direct banking issues. This section includes other reasons such as employment and insurance as well. Paragraph (F) seems broad with its use of having a legitimate business need and to review an account. In fact, these are not as broad as some lenders or collectors may think as the purposes can be narrow.

There is A LOT of content in the FCRA that cannot be covered here today. Suffice it to say that when the CFPB took the FCRA regulation from the Federal Reserve it inherited the consumer protection provisions. When you research the FCRA, be sure to look at what the FRB retained https://www.bankersonline.com/regulations/12-222-000 as well as what the CFPB has ownership of (https://www.bankersonline.com/regulations/12-1022-000), and the FCRA itself (https://www.bankersonline.com/regulations/fcra-000). The last link includes a link to a document, “FTC Staff Report – July 2011”. The FCRA and Reg V do not have an Official Staff Commentary with explanations and interpretations. But there were guidance opinions issued by the Federal Trade Commission (FTC) as it had a key role in FCRA oversight and enforcement.

One of the major changes to the FCRA was the FACT Act which provided the FTC with specific rulemaking authority. The FTC issued more than 430 opinion letters to act as compliance guidance. This 117-page document assembles many of these opinions to act as a proxy for a Commentary. This is a must read for FCRA compliance as it defines the difference between using a credit report for a loan request, and then also using it to prequalify the consumer for another loan product. Such a use violates the permissible use requirements as access was not granted for that cross-sale. These are the nuggets you will find in this booklet. It may be 11 years old as of this writing, but the information there is still pertinent.

Back to the Advisory Opinion itself. The CFPB places emphasis on the use of consumer reports and the circumstances under which they may be accessed – “and no other.” It drives this home by reminding the reader that Section 620 carries with criminal liability for any employee or officer of a CRA who knowingly and willfully provides an unauthorized report. This triggers two points which need to be mentioned. First, this could cause some CRAs to tighten up controls and requirements that users must follow so that the CRA can comply. Second, if the bank were to release this information to another party, it could be deemed to be acting as a CRA and now it would be subject to these penalties as well. That is why the bank must ensure staff be aware of when credit reports may be accessed and for what purposes.

FCRA section 604(f) provides that “a person shall not use or obtain a consumer report for any purpose unless” the consumer report “is obtained for a purpose for which the consumer report is authorized to be furnished under [FCRA section 604]” and “the purpose is certified in accordance with FCRA section 607 by a prospective user of the report through a general or specific certification.” FCRA section 619 imposes criminal liability on any person who knowingly and willfully obtains information on a consumer from a consumer reporting agency under false pretenses. I remember early in my banking days when there was an incident of single person in the loan area looking at credit reports of customers who had asked her out. Certainly, that would not be an authorized use and if the credit report was pulled for that purpose, well in today’s FCRA environment that would have to be a terminable offense.

Having a permissible purpose is at the core of the FCRA’s protections. When a credit report is provided to unauthorized persons and for unauthorized purposes the consumer can suffer harm in a number of ways. It is an invasion of one’s financial privacy and as the Advisory Opinion puts it, this is a “reputational, emotional, physical and economic harm.” That’s from the CFPB, I will not try to interpret each. Suffice it to say, these harms are on the record and violations may include these points in the justification of a penalty. Take each seriously. There are some examples cited which explains some of the reasoning. “For example, in a case that resulted in a 2006 settlement with a consumer reporting agency, the FTC alleged that the agency violated the FCRA’s permissible purpose provisions by providing consumer reports to persons without a permissible purpose, resulting in at least 800 cases of identity theft. More recently, in 2020, a group of companies and individuals settled Bureau allegations that they obtained consumer reports without a permissible purpose when they obtained consumer reports for use in marketing debt relief services. Also in 2020, a mortgage broker settled FTC allegations that it used consumer reports for other than a permissible purpose when, in response to negative reviews on a website, it publicly posted information it had obtained from a consumer report about the reviewer.”

Recognizing the importance of permissible purposes, when was the last time staff with access to credit reports, being accessed or in credit files, were reminded of the requirements and the potential penalties for unauthorized access? A resource for teaching includes a booklet published by the CFPB in 2020, “List of Consumer Reporting Companies “ as it includes not just who is considered a CRA and therefore a major part of this topics discussion, but information for a consumer on who can see their credit reports, how to review them for free, how to dispute information and more on uses such as for credit, employment, check screening and more. (https://files.consumerfinance.gov/f/documents/cfpb_consumer-reporting-companies-list.pdf). This is good information for staff to be aware of as a banker and a consumer. Staff should be trained on this topic before they are granted access to credit reports just as tellers get Bank Secrecy Act training before operating a teller drawer on their own. It could be a requirement in the vendor contract with your CRAs and based on the Advisory Opinion, it may be something these vendors emphasize in the future as well.

Under 604(a)(3)(A) of the FCRA, a CRA may provide a consumer report “to a person which it has reason to believe . . . intends to use the information in connection with a credit transaction involving the consumer on whom the information is to be furnished and involving the extension of credit to, or 18 15 U.S.C. 1681b(a).review or collection of an account of, the consumer.” Similarly, FCRA section 604(a)(3)(F) permits a CRA to provide a consumer report “to a person which it has reason to believe . . . has a legitimate business need for the information . . . in connection with a business transaction that is initiated by the consumer or to review an account to determine whether the consumer continues to meet the terms of the account.” These are a few of the teachable points which deserve emphasis.

Note one particular phrase, “reason to believe.” The CFPB is directing this to users of consumer reports who lack a permissible purpose and want to rely on this as justification. The Advisory Opinion specifically rejects some judicial decisions that have applied a “reason to believe” standard to FCRA Section 604(f)’s permissible purpose requirement for users. Instead, the CFPB used a plain language approach to impose a prohibition on using a consumer report without a justifiable permissible purpose. The “reason to believe” standard will not provide an excuse for innocent mistakes. The CFPB appears to be taking a strict liability approach to permissible purpose requirements. With a high risk of enforcement by all federal agencies and state attorneys’ general who have been reminded, and almost invited by the CFPB to join in enforcement actions, plus the ability for private plaintiffs to obtain significant monetary relief, banks are advised to practice risk management and mitigate this with training.

The bank is a user of consumer reports and must ensure that it does not violate consumer privacy by obtaining consumer reports when it lacks a permissible purpose. From the CFPB, “For example, in 2018 a company settled Bureau allegations that it violated FCRA section 604(f) when its agents obtained consumer reports for consumers who were not seeking an extension of credit from the company and the company had no other permissible purpose for the consumer reports it obtained. In some instances, for example, the company’s agents initiated credit applications for the wrong consumer by incorrectly inputting consumer information into the company’s application system or by selecting the wrong consumer from a list of possible consumers identified in the system. When these applications were initiated in error, the company obtained a consumer report for a consumer with respect to which it had no permissible purpose, violating the FCRA’s permissible purpose provisions and the privacy of the consumers that were the subject of those reports, and also generating an inquiry on the consumers’ credit reports.” Making a choice from a list of possible customers and ensuring that the correct identifying information is input will help prevent violations and inadequate controls.

Hyundai Capital America

What are the ramifications of non-compliance? Let’s look at a Consent Order between Hyundai Capital America and the CFPB. This may seem like an extreme case, but there are lessons here that extend beyond the FCRA, and this is a good case to discuss with management and potentially your board.

On July 27, 2022, prompted initially by numerous consumer complaints over credit reporting problems, the CFPB investigated Hyundai for FCRA and Reg V. It expanded into UDAAP as well.

Violations cited indicated Hyundai:

1. Failed to promptly update and correct information it furnished to CRAs that it determined was not complete or accurate, and continued to furnish this inaccurate and incomplete information, in violation of the FCRA, 623(a)(2).
2. Furnished information about severely delinquent and charged-off accounts but failed to provide the “date of first delinquency” (623(a)(5)) which is a key date because it triggers several FCRA requirements.
3. After determining its reporting was inaccurate as to consumer accounts, failed to correct or delete it.
4. Lacked reasonable procedures to respond to notifications from CRAs indicating information Hyundai provided was the result of identity theft and therefore must be blocked from a victim’s credit report. It violated 623(a)(6) by reporting this information after notices from consumers without any validation process.
5. Failed to establish and implement reasonable written policies and procedures regarding the accuracy and integrity of information provided to CRAs, or to consider and incorporate the guidelines in Appendix E (in the CFPB’s Reg V link, App. E is “Interagency Guidelines Concerning the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies”)

Note, while cited as a violation, the FCRA and Reg V do not explicitly require a policy and procedure for the FCRA. It could be argued however, that there was a genuine need by Hyundai based on the array of violations and lack of direction provided by management and the board.

Some of the above were cited a second time as violations of the Consumer Financial Protection Act (CFPA) which incorporates UDAAP. It was noted Hyundai used ineffective manual processes and systems containing known logic errors to furnish information to CRAs and therefore willfully violated the FCRA.

The “relevant period” for this action is cited as January 2016 through March 2, 2020. That’s going back nearly 7 years ago, however, evidence of problems as you will read date back to 2013. The “affected consumers” refers to those with inaccurate information that they were 30 or more days past due.

To establish a foundation here are some figures used in the consent order.

• Hyundai services approximately 2 million customers and has assets in excess of $45 billion as of 2021.

• The credit reporting format was Metro 2, which is very common in the finance industry.

• Inaccurate payment histories were reported 8.7 million times across 2.2 million accounts.

• In approximately 570,000 instances, Hyundai inaccurately inserted codes showing delinquent or no payments in the payment history.

• Due to coding errors related to lease accounts, in 1.4 million instances, payment history codes indicating that the consumer’s payment history was disputed by the consumer or that no data were available when neither of these things was true. This error affected the entire lease portfolio.

• When credit reporting disputes were made, a manual tradeline correction could be made, but then the auto-reporting systems overrode the corrections and reinserted the errors.

• In over 537,000 instances across more than 168,000 accounts, Hyundai furnished date of first delinquency (DOFD) information regarding consumer accounts that Hyundai itself had determined was inaccurate.

• Compounding the problem, Hyundai delayed fixes for errors affecting the DOFD reporting for nearly a year due to prioritization of allotted resources for the new credit furnishing system planned for release over the then-existing systems that were being replaced.

• An inaccurate DOFD may be particularly problematic for consumers because use of the DOFD field in the Metro 2 format reflects the existence of an ongoing delinquency and the date itself shows how recently the delinquency occurred, both of which could negatively affect a consumer’s credit profile if the DOFD field is inaccurate.

• In tens of thousands of instances, Hyundai reported an inaccurate DOFD, which changed from month to month due to system issues, making some delinquencies appear more recent than was accurate.

• For thousands of delinquent accounts, they failed to furnish any DOFD at all.

• In over 2.2 million instances for over 1.2 million accounts, they furnished inaccurate amounts as to the highest credit or original loan amount.

• After furnishing the correct original loan amount (a field that should not change), they furnished increased amounts for the “original loan amount,” making it appear that a consumer had taken out a larger loan than they had actually taken out.

• In over 2.9 million instances on more than 189,000 accounts, they reported consumers’ accounts as delinquent, but also reported there was no amount past due

• For paid accounts, more than 17,000 reported a negative payment rating that was inaccurate.

• In at least 29,000 instances for approximately 3,900 accounts, they failed to report a DOFD where it reported other information instead, such as the accounts were placed for collection, charged-off, or at least 120 days delinquent.

The issue in this case is that Hyundai repeatedly furnished information to CRAs knowing it to be inaccurate. The company was making little attempt to correct the errors. A basic tenant of the FCRA is that a creditor is not required to report accounts but must report accurately when they do. In an audit report in March 2013, it was determined that required data in the Metro 2 fields was not always fully complete, accurate, or consistently reported. These appeared to be systemic logic issues and Hyundai lacked subject matter experts or a process to ensure accuracy and integrity of data reported. The audit also identified issues relating to the processing, monitoring, and tracking of direct disputes between processing units, and those policies and procedures reviewed as current did not accurately reflect actual practices.

When deficiencies are found compliance management systems call for a response that should be agreed upon as suitable, and a timeline under which corrective actions should occur. This is how repeat violations are avoided. In this case the corrective actions were going to be coordinated with an outside consulting firm. Hyundai initiated a “Credit Bureau Project” in July 2015, more than two years after the audit noted problems.
Completion of the Credit Bureau Project occurred in June 2016 for its vehicle retail installment portfolio and in February 2017 for its vehicle lease portfolio. However, the logic changes failed to address or resolve some of the issues identified in the 2013 audit, and created new, additional problems for both portfolios.

In October 2017, Hyundai began working on a different project to address credit report furnishing logic issues. It started work on a “next generation system” to support credit report furnishing across both lease and retail portfolios as one system. The rollout for this new system was not planned to occur until 2020.

In January 2018, the internal audit team concluded that its furnishing and dispute management controls remained unsatisfactory. It cited the same 2013 errors that remained unresolved. Additionally, there were other issues across its legacy credit report furnishing systems.

The 2018 audit also found that one upgrade to the company’s furnishing systems caused almost 18,000 consumers who were paid-in-full on their retail installment contracts to be erroneously reported as delinquent because Hyundai still lacked an adequate test environment for accuracy and logical consistency before the data was released to CRAs. In internal emails they acknowledged that this error may have caused significant drops in consumers’ credit scores.

As work continued on the “next generation system,” from 2017 until its rollout in March 2020, upgrades to the legacy credit report furnishing systems were deprioritized, and, as a result, many issues identified in the 2013 and 2018 audits, were not resolved until 2020.

So, for a period of years inaccurate information was reported and consumers were harmed as a result. Lower credit scores may have prevented a consumer from borrowing, borrowing at a preferred rate, obtaining a home loan or receiving promotional offers for which they may have qualified. Hyundai lacked policies and procedures that would have provided much needed guidance. Correcting errors and reducing harm to consumers was moved to a lower priority and the problems only grew.

In addition to many added compliance and reporting requirements, Hyundai was ordered to pay a $6 million civil penalty and at least $13.2 million in restitution to current and former customers as well as to take steps to correct all inaccurate account information.

July 2022 OBA Legal Briefs

What’s new with Reg B? – A Lot!
Electronic liens

What’s new with Reg B? – A lot!

by Andy Zavoina

In a world where Reg B has essentially been around since 1974 when Congress passed the Equal Credit Opportunity, after all these years there can’t be much new to it – right? WRONG! While it has not changed recently, Reg B has been in the news – a lot!

In this issue we will examine an advisory opinion from the CFPB on Reg B which describes some protections that apparently some creditors, “just don’t get” as to who is protected by Reg B and ECOA and deserving of required notices when adverse action is taken. Then we will look at another gray area involving adverse action notices and what information is not just a good idea to provide, but your legal requirement.

First, you may be asking if there is nothing new, why is Reg B worthy of this space and more importantly, your time? We need to start with a court case, Fralish v Bank of America. I will recap that case in a moment because it is what lead to a 16-page Advisory Opinion from the Consumer Financial Protection Bureau (CFPB). Understanding this requires some background on Reg B and this was described in detail in the Advisory Opinion. This background will also help you understand a second topic which pertains to a discussion clarifying why adverse action notices are given. Understanding their purpose helps us understand why there are content requirements for these disclosures. And last, we will do a little analysis on adverse action notices and what should be there, perhaps in moderation but in a misunderstood way, not necessarily.

Define Applicant

Fralish v. Bank of America (3:20-CV-418 RLM-MGG, United States District Court, Northern District of Indiana) is a suit brought by John Fralish in which he alleged Bank of America violated his rights under the Equal Credit Opportunity Act, which is implemented by Reg B. The suit actually cites the law at 15 USC § 1691(d) which addresses adverse action and notice requirements. Fralish had an existing loan account with Bank of America. That credit line was terminated. Fralish was not informed of the reasons for the adverse action and initiated a lawsuit for violations of the ECOA and Reg B.

In the U.S District Court, Bank of America moved for a judgment based on the pleadings as it contended that Fralish had no standing to sue under ECOA because he was not an “applicant” as defined in the law. Under ECOA, 15 USC 1691a(b), an applicant is defined as “any person who applies to a creditor directly for an extension, renewal, or continuation of credit, or applies to a creditor indirectly by use of an existing credit plan for an amount exceeding a previously established credit limit.” Bank of America was defending itself based on this definition maintaining that Fralish had not applied for any credit.

Reg B at § 1002.2(e) defines an applicant as, “any person who requests or who has received an extension of credit from a creditor, and includes any person who is or may become contractually liable regarding an extension of credit.”

The court also reviewed “adverse action.” as Fralish maintains he received no notification as to Bank of America’s reasoning for its action. “For purposes of this subsection, the term ‘adverse action’ means a denial or revocation of credit, a change in the terms of an existing credit arrangement, or a refusal to grant credit in substantially the amount or on substantially the terms requested. Such term does not include a refusal to extend additional credit under an existing credit arrangement where the applicant is delinquent or otherwise in default, or where such additional credit would exceed a previously established credit limit.” Key terms here are “revocation of credit, a change in the terms of an existing credit arrangement.” Must there be an application pending for a revocation of credit to be adverse action deserving a formal notice? That was one of the legal questions requiring an answer.

Bank of America maintained Fralish needed to show four points to continue his suit. That:

(1) Bank of America is a “creditor”;
(2) Mr. Fralish is an “applicant”;
(3) The Bank took adverse action with respect to his application for credit; and
(4) The Bank failed to provide Mr. Fralish with a notification that complied with the ECOA.

While Bank of America believes that to be an applicant as the term is defined, there must be a request for credit pending. The September 29, 2021, final decision from the court notes, “The vast majority of courts that have addressed the issue have found that the statutory definition of “applicant” is not ambiguous, and that existing account holders, like Mr. Fralish, aren’t “applicants” within the plain meaning of the ECOA because they weren’t applying for an extension, renewal, or continuation of his existing credit when the alleged violation (in this case the alleged failure to provide the notice of adverse action required under the statute) occurred, and don’t have standing to bring a claim under the ECOA’s notice provisions. The court finds the reasoning of those cases persuasive.”

This seemed to set of a bit of a compliance firestorm. By December the CFPB, the Federal Trade Commission, the U.S. Department of Justice and the Board of the Federal Reserve filed friend of the court (amicus) briefs with the United States Court of appeals for the Seventh Circuit. The CFPB said it was standing up for civil rights protections.

The CFPB’s premise is that if Bank of America argues, and a court agrees that the creditor can disregard ECOA provided rights for existing customers, it undermines the intended antidiscrimination protections. Acceptance of this could mean that a bank could offer a credit card, as an example, to a protected class and the law is complied with. It could then revoke that credit line because of the applicant’s demographics and because the consumer was not an applicant, it would still be compliant with the law.

Now fast forward to May 18, 2022, when the CFPB issued an Advisory Opinion on this topic. For the management version, succinctly it says that to comply with the spirit and intent as well as the commonly accepted definitions, a bank must provide ECOA and Reg B protections to the applicant throughout the life of the loan. An applicant’s rights do not end upon approval of a credit request.

Now the longer explanation adapted from the Advisory Opinion because these details must be understood by those who manage compliance in your bank.
To begin with, the Advisory Opinion applies to all “creditors” as this is a defined term under section 15 USC 1691a(e). It includes, “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.” Yes, your bank is definitely a creditor.

And now let’s look at what an Advisory Opinion actually is. The CFPB is the agency empowered to interpret Reg B and, in this case, the Advisory Opinion is an interpretive rule under the Administrative Procedure Act (APA) that responds to a specific need for clarity on a statutory or regulatory interpretive question. It is not a change in a law or regulation and therefore requires no advance notice or comment period. It is the official interpretation. Period. As you will read the CFPB is providing the interpretation as an instructive document for banks, but it also seems to be directed to at least some courts. I recall a bit of a quip from a TV judge who said, “he wasn’t last because he was right, he was right because he was last.” The CFPB believes this is the last word.

The summary of the Advisory Opinion affirms Reg B protects those actively seeking credit as well as those who sought and received credit. To support this position the document states ECOA made it unlawful for “any creditor to discriminate against any applicant on the basis of sex or marital status with respect to any aspect of a credit transaction.” From the beginning, this prohibition has protected both those actively seeking credit and those who sought and have received credit.

ECOA has always defined “applicant” to mean “any person who applies to a creditor directly for an extension, renewal, or continuation of credit, or applies to a creditor indirectly by use of an existing credit plan for an amount exceeding a previously established credit limit.”

Here I must emphasize that ECOA’s prohibition on discrimination “applies to all credit transactions including the approval, denial, renewal, continuation, or revocation of any open-end consumer credit account.” I was always taught and do teach that Reg B applies to the entire life of a credit transaction. This is stated at § 1002.4(a) of Reg B, “A creditor shall not discriminate against an applicant on a prohibited basis regarding any aspect of a credit transaction.” “Any aspect” means the application, the credit decision process, terms, collections, etc. “All aspects” means all aspects. In the Bank of America case better legal minds than mine are arguing that the definition in ECOA is more limiting. As bankers we know we must follow Reg B which implements it. It makes me wonder if the attorneys are arguing their point because they must for their client, or because they believe that is a correct interpretation and action, with no regard for Reg B.

When ECOA first passed, the Federal Reserve had rule-writing and interpretive authority. To substantiate that the CFPB’s opinion is not new, it states “Reg B made clear that the new law’s protections against credit discrimination cover both those currently applying to receive credit and those who have already received it. It did so by defining ‘applicant’ to expressly include not only ‘any person who applies to a creditor directly for an extension, renewal or continuation of credit’ but also, ‘[w]ith respect to any creditor[,] . . . any person to whom credit is or has been extended by that creditor.’”

The original ECOA prohibited discrimination based on sex or marital status. Two years after ECOA passed, Congress added to the prohibited bases six more items, race, color, religion, national origin, age, and receipt of public assistance. It also added, “[e]ach applicant against whom adverse action is taken shall be entitled to a statement of reasons for such action from the creditor.” The amendments defined “adverse action” as “a denial or revocation of credit, a change in the terms of an existing credit arrangement, or a refusal to grant credit in substantially the amount or on substantially the terms requested.” Going back many years to compliance school in Norman we learned that adverse action notices were required when, as an example, a borrower did something and was no longer qualified for their credit. Applicants, (read that also as borrowers) are entitled to an explanation when adverse action is taken.

This explanation meets two objectives for ECOA and Reg B. It protects the consumer when an explanation must be provided because the bank knows it will have to provide a reasonable explanation. Reg B was enacted before my time on a compliance desk, but I heard stories from the old-timers who were there. I recall one who said he knew “a good ol’ boy” on the loan desk who swore if he had to make a loan to an unmarried woman he’d retire. And he did – retire. We could not fathom such an attitude today and would never expect to read as a reason for denial, “single woman.” Providing actual reasons for a declination of a loan request helps protect the applicant from an illegal discrimination-based decision.

The second objective is informing the applicant. When John Smith Sr. is denied a loan due to bad credit, he is told why that decision was made. Senior is also advised that a credit report was used and under the Fair Credit Reporting Act he knows which agency provided the information and can contact them to find out what was reported. Senior might then confirm the report with the creditor only to discover that it was actually John Smith Jr’s account that was bad. Very similar name, same address, erroneous reporting. Senior can then reapply and the corrected credit report should no longer be an obstacle. The same holds for debt-to-income ratios or too short a period of employment. When an applicant is informed as to the reasons for adverse action, they may be able to correct an error or have known parameters that must be met to qualify for credit with your bank. When the person can fix these issues, they are more likely to return to you because they believe they have overcome the stated objections to their last application.

The 1976 ECOA amendments not only included in adverse action the termination of an account or an unfavorable change in terms that does not affect all or substantially all of a class of the creditor’s accounts, but it required a statement of reasons. These are required to be specific and indicate the principal reasons causing the adverse action. We will discuss the reasons in more depth in a few minutes. For this Advisory Opinion and the Fralish case, suffice it to say that a reason must be provided and here, Bank of America failed to provide any because it maintains Fralish was not protected by the ECOA.

During this amendment, the Federal Reserve Board made a “minor editorial change” to Regulation B’s definition of “applicant.” The intent was to “express more succinctly the fact that the term includes both a person who requests credit and a debtor,” a debtor being one who has already requested and received credit.

Reg B originally defined “applicant” to include anyone who “applies to a creditor directly for an extension, renewal or continuation of credit” as well as, “with respect to any creditor . . . any person to whom credit is or has been extended by that creditor,” the revised definition clearly stated that “applicant” includes “any person who requests or who has received an extension of credit from a creditor.”

Bank of America was not alone in its stance on ECOA’s definition and application of the term “applicant.” The CFPB noted that other creditors also did not agree that both ECOA and Reg B apply to that debtor after an extension of credit is made and includes treatment when there is a revocation of credit or an unfavorable change to the terms of that credit agreement. It went on to say, “some creditors fail to provide applicants with required notifications that include a statement of the specific reasons for the adverse action taken or disclose an applicant’s right to such a statement.” As further explanation, a footnote stated,

Credit cards are one of the most commonly held and widely used financial products in America—over 175 million Americans hold at least one credit card. During the COVID-19 pandemic, credit cards played a vital role as both a source of credit in emergencies and a payment method as more transactions occurred online. According to the CFPB’s 2021 Credit Card Report, about 2%, or over 10 million credit card accounts, were closed in 2020 and consumers with low credit scores are two to three times more likely to have their accounts closed than those with a higher credit score. See Bureau of Consumer Fin. Prot., The Consumer Credit Card Market (Sept. 2021). Additionally, the same report shows that over 10 million accounts experienced a credit line decrease in 2020. See also 5 Reasons Credit Card Companies Close Accounts Without Notice – And How to Fix Them, USA TODAY (July 13, 2021).

To reinforce its opinion that the protections an applicant receives extend beyond the granting of a loan, it drew a parallel to a Supreme Court case, Robinson v. Shell Oil Co., where the Court held the use of “employees” in the Civil Rights Act of 1964, Section 704(a) included former employees who were subjected to discriminatory treatment as well. Justice Thomas explained in the decision that, “at first blush, the term ‘employees’ . . . would seem to refer to those having an existing employment relationship with the employer in question,”… that “initial impression … does not withstand scrutiny in the context of § 704(a).”

The Court observed, there is “no temporal qualifier in the statute such as would make plain that § 704(a) protects only persons still employed at the time of the retaliation.” The same reasoning applies to the term “applicant” in ECOA, which is not expressly limited to those currently in the process of seeking credit.

The Advisory adds to this that,

Reading ECOA’s definition of “applicant” alongside the Act’s other provisions makes clear that the term includes applicants who have received credit and become existing borrowers. For example, ECOA’s core anti-discrimination provision protects “applicant[s]” from discrimination “with respect to any aspect of a credit transaction”—not just during the application process itself. The phrase “any aspect of a credit transaction” is most naturally read to include both the initial formation of a credit agreement as well as the performance of that agreement. Consistent with this ordinary meaning, Regulation B has always defined the term “credit transaction” to encompass “every aspect of an applicant’s dealings with a creditor,” including elements of the transaction that take place after credit has been extended.”

Adverse action notices

Let’s spend a moment now on the notification of adverse action to an applicant. ECOA’s disclosure provision requires that creditors give a statement of reasons to “each applicant” against whom they take “adverse action.” In ECOA, adverse action is defined to include a “revocation of credit” as well as a “change in the terms of an existing credit arrangement.” Connecting the dots, the CFPB points out these are actions that can be taken only with respect to persons who have already received credit.

ECOA’s private right of action points in the same direction. It allows an aggrieved “applicant” to bring suit against creditors who fail to comply with ECOA or Reg B. These references to “applicant[s]” cannot be interpreted then, to refer only to those with credit applications awaiting decisions. Otherwise, a person whose application was denied on a prohibited basis would have no recourse under ECOA’s private right of action.

The point of the Advisory Opinion is to clarify any misunderstandings of these terms and the CFPB is pointing that out to courts and the judges who make rulings. The CFPB states, “Those courts that have properly read the term “applicant” in its statutory context, including the only court of appeals to have addressed the issue, have agreed that the statute protects existing borrowers.” Obviously then, it is stating there are courts which have ruled otherwise, and those lower courts were wrong. The Advisory goes on to say,

The Bureau acknowledges that a few other district court decisions have interpreted “applicant” to include only persons actively seeking credit, but the Bureau does not believe this interpretation is persuasive. No court of appeals has endorsed these district courts’ narrow reading. These district court decisions read “applicant” in isolation instead of reading this statutory term in context, as required by the Supreme Court. For example, these decisions did not attempt to square their interpretation with ECOA’s requirement that “applicants” receive an explanation when their existing credit is terminated or modified. Nor did they grapple with the clear loophole their interpretation would create or the degree to which it would frustrate the Act’s remedial purposes.

The point is to be clear that no court of appeals has disagreed with this interpretation of the term “applicant.”

In researching “John Fralish,” in addition to the suit against Bank of America in 2021, I also found John Fralish v Digital Media Solutions, (CASE NO. 3:21-CV-00045-JD-MGG) in 2021 dealing with spam calls to Fralish after his cell phone was on the Do Not Call list. There is also a class action suit against Early Warning Services, LLC in 2021 for violation of the Fair Credit Reporting Act. Early Warning Services is a consumer reporting agency out of Scottsdale, Arizona. It describes itself as being bank-owned and it sells credit reports to over 2,500 financial institutions. Fralish requested copies of his credit reports after being denied credit with one or more of his creditor banks. He claims to have not been advised by the lender why his credit was denied and he requested a copy of his credit report to review what his bank may have seen. This would allow him to have incorrect entries fixed but he was not provided with the information Early Warning Systems had on him.

I cannot render any opinions on the lawsuits involving John Fralish as I have no idea how much merit any of them has. But I will emphasize that compliance with the letter of the law, and the banking regulation, will help a bank avoid becoming the subject of a lawsuit, especially from a consumer looking for that single violation and an opportunity to file an action or class action suit. Often a bank will settle with a litigant to make the case go away and avoid the expense of a protracted lawsuit. The alternative may be to defend what your interpretation is and to pay for those legal defense costs for potentially years to come. Yes, your bank has to worry about that litigious consumer, but there is less worry if you stay current on the compliance requirements, train staff, and follow sound policies and procedures. I’m hoping your bank did not pass on studying this Advisory Opinion as it is the CFPB that has the last word on interpretating ECOA and its implementing Reg B. And the CFPB is not afraid to tell that to the courts as well. For a bank to challenge that it would need a very strong case and six or seven digits to the left of the decimal place in the legal defense section of its budget.

Recommended action

We recommend that banks take this opportunity to review Reg B and fair lending policies and procedures to ensure they are clear as to protections a customer has and that these are considered throughout all aspects of the life of a loan.

As you have read in prior Legal Briefs the CFPB has also opined that discriminatory acts are unfair. Read that to say that your deposit customers who are not protected under fair lending laws are protected under the prohibition on Unfair, Deceptive, or Abusive Acts or Practices (UDAAP), so broadly review fair lending more in the terms of fair banking.

We expect to see the CFPB continue to expand its supervisory and enforcement actions going forward. This is especially so in the area of fair lending/banking as the current administration has made fair access, including to credit, and equal treatment of all people a priority.

Reasons for Adverse Action

We have established that adverse action notices may be required to be given to an applicant and the purpose of such a disclosure includes stating the reason or reasons for denial. It is time to explore two facets of what this can mean.

To begin, Reg B § 1002.9(a)(2) requires that adverse action notices (in most cases, and here emphasis is on consumer loans) shall be in writing and contain four specific things, one of which includes a statement of specific reasons for the action taken. The Commentary to this section goes on to explain that “A creditor must disclose the principal reasons for denying an application or taking other adverse action. The regulation does not mandate that a specific number of reasons be disclosed, but disclosure of more than four reasons is not likely to be helpful to the applicant.” We will break this into two parts for discussion here, principal reasons, and then the number of reasons stated.

On May 26, 2022, the CFPB released a document titled, “CFPB Acts to Protect the Public from Black-Box Credit Models Using Complex Algorithms.” This emphasized that Reg B and ECOA, a federal antidiscrimination law, require specific reasons for taking adverse action. Above we described that is helps keep a creditor honest and informs the applicant. This notice is to emphasize that these rules apply even when using credit models which rely on complex algorithms.

In 1974, when ECOA and Reg B were conceived, a loan decision was based on an application for credit. A lender typically learned the five Cs of credit — character, capacity, capital, collateral and conditions — and applied them against the application. A human being made a decision and Reg B required that in the case of a denial, the reason would be given. It was not enough to say, “you do not meet our requirements for a loan,” as that was not a specific reason. The denial had to specify something about a debt ratio or excessive debt or length of employment. Remember part of the intent here is to inform the applicant so they can fix what is wrong and then reapply and receive credit.

In 2022 there is often less human being and more artificial intelligence involved. In a time of automation and analytics computer models use predictive analysis based on data input to compute credit scores, and to make loan decisions very quickly. “Companies are not absolved of their legal responsibilities when they let a black-box model make lending decisions,” said CFPB Director Rohit Chopra. “The law gives every applicant the right to a specific explanation if their application for credit was denied, and that right is not diminished simply because a company uses a complex algorithm that it doesn’t understand.”

What the CFPB is cautioning lenders about is technology is driving the reasons for adverse action back to a nondescript, “you do not meet our requirements for a loan.” These lenders understand less of what went into the computer’s loan decision than they do about how to compute a credit score. And “the computer model said No” is not informing the applicant, nor is it keeping the lender honest. The CFPB has accused artificial intelligence models of discrimination already. If a lender cannot explain the principal reasons for a decision, it needs a different way to make the decision. Computer models’ reasons for denial must be specific for the lender to comply with Reg B.

Lastly, I want to revisit the required number of reasons for denial. The Commentary says, “The regulation does not mandate that a specific number of reasons be disclosed, but disclosure of more than four reasons is not likely to be helpful to the applicant.” Many lenders read this to say you cannot quote more than four reasons but that isn’t so. It says it does not mandate the number of reasons. If you are criticized for providing five or more, consider challenging the critic. But if you have four reasons that will be difficult for the applicant to overcome, you do not need to pile on more reasons. What you do not want is to have (say) six reasons but list only four which are easily fixable. The applicant corrects those and comes back in only to be refused for two others that are very difficult to correct. It’s like kicking them when they’re down. List the most severe and exceed four reasons when necessary.

Electronic liens

By Pauli Loeffler

The PowerPoint presentation from the informational session presented by the Oklahoma Tax Commission covering electronic liens is accessible through this link: https://www.oba.com/wp-content/uploads/2022/07/OK-Tax-Commission-power-point.pdf. It is also available on the OBA’s Legal Links Webpage.

June 2022 OBA Legal Briefs

Please help us to help you (Part 2)
Oklahoma Mini-TCPA
Tit. 47 O.S. § 1110 (Perfection of Security Interest)
Tit. 47 O.S. § 427A/§ 1105A (Electronic filing, etc., of Titles) – REVISED
Changes in UCCC amounts effective 7/1/22

Please help us to help you (Part 2)

by Andy Zavoina

Last month, Pauli asked you to include certain information in your signature block when emailing us a question. This month, we ask you to avoid sending unnecessarily encrypted emails. We often find they are used for basic questions without information requiring such safeguards. It takes more time to register with an email provider and establish an acceptable password than to answer some questions. In many of these situations it may be faster just to call us.

When you do call, you may have to leave a voice mail. Please provide a detailed description of your question so that the appropriate person can call or email you and have the necessary resources available. And please, take the time to state clearly your questions, and especially your name, bank name and location, and call-back number.

[Editor’s note: In early May, an email security change at OBA locked the OBA Compliance Team out of the OBA email system, and we had to set up a temporary email account very quickly for the team. We are very happy to report that we regained access to our compliance@oba.com mailbox after only a few days. If any of you changed our email address in your contacts lists, please change it back. We appreciate your patience while we worked with the temporary setup.]

Oklahoma Mini-TCPA

By Andy Zavoina

The federal Telephone Consumer Protection Act (TCPA) was passed in 1991 and is well seasoned and understood by some and misunderstood by others. (“Your car warranty is expiring. This is your final notice.” Yeah, you wish it was final.) The law restricts certain telemarketing phone calls, text messages, and facsimiles. I’m not sure who is still using a fax so for the purposes of this article I will refer to telephone calls and text messages. Include faxes if your bank is using that delivery channel.) It also places restrictions on the use of automatic dialing systems and artificial or prerecorded voice messages.

In 2021 states began showing more interest by adding to the consumer protections. In particular, Florida passed its Florida Telephone Solicitation Act (FTSA). This included new and broader restrictions on telemarketing operations. Oklahoma has largely copied the FTSA in passing its own Oklahoma Telephone Solicitation Act. The Oklahoma version is often referred to as the mini-TCPA. It was signed by Governor Stitt in May and will be effective about five months later, beginning November 1, 2022. It will be codified in the Oklahoma Statutes as Section 775C.3 of Title 15.

There are a few key provisions we will focus on this month. The intent is consumer protection for Oklahoma residents, so the mini-TCPA expands on telemarketing restrictions. As with most telemarketing laws, this requires telemarketers to have a prior express written consent before they contact a consumer. This is a term that is defined and means there is a written agreement that:

bears the signature of the called party,
clearly authorizes the person making or allowing the placement of a commercial telephonic sales call by telephone call, text message, or voicemail transmission to deliver or cause to be delivered to the called party a commercial telephonic sales call using an automated system for the selection or dialing of telephone numbers, the playing of a recorded message when a connection is completed to a number called, or the transmission of a prerecorded voicemail,
includes the telephone number to which the signatory authorizes a commercial telephonic sales call to be delivered, and
includes a clear and conspicuous disclosure informing the called party that:

(1) by executing the agreement, the called party authorizes the person making or allowing the placement of a commercial telephonic sales call to deliver or cause to be delivered a commercial telephonic sales call to the called party using an automated system for the selection or dialing of telephone numbers or the playing of a recorded message when a connection is completed to a number called, and

(2) he or she is not required to sign the written agreement directly or indirectly or to agree to enter into such an agreement as a condition of purchasing any property, goods, or services; and

This signature may be electronic as well as traditional wet ink.

In addition, telemarketers should pay special attention to four provisions of the Oklahoma law in particular. Let’s look at those four provisions.

One – There is no clarification over what is defined by the term “auto-dialer.” This has caused great concern and fueled litigation. The recent Supreme Court case of Facebook v Duguid established a limited definition to only the equipment which produces numbers using a random or sequential number generator. Without clarity the mini-TCPA could be more broadly interpreted making it more onerous on banks with marketing programs using applicable technologies. This new law refers only to, “an automated system for the selection or dialing of phone numbers.” This definition could refer to virtually any device which is not dialed manually.

Two – The mini-TCPA will limit the number of telephone calls and text messages which a telemarketer can send to any one consumer in a day. More specifically it limits contacting a consumer more than three times in a 24-hour period pertaining to the same subject matter or issue. This means the telemarketer must either track the calls and text messages to a given number based on the subject matter or have a system in place, be it software or some form of a database, that tracks and prevents any fourth or subsequent telephone or text message. If you ask me to define the “same subject matter or issue,” I cannot do that. It could be broadly or narrowly defined just as an auto-dialer may be. If a consumer was contacted once about opening a deposit account to take advantage of great rates and low fees, once about a new checking product, and then about a new savings account, could those three be bundled as one subject – deposit accounts? This may be up to legal interpretations and/or the courts.

Three – Although the “day” means a 24-hour period, the mini-TCPA passed for Oklahoma is a bit more limiting than many other states when it comes to time limits when the consumer may actually be contacted. The mini-TCPA limits contact to the 12-hour period from 8 a.m. until 8 p.m., local time. That is the consumer’s local time, not the bank’s. This has been a contentious issue in the past and will continue to be, because with mobile phones you have no idea where your consumers actually are. The area codes are not necessarily an indicator of your consumer’s local time, and this is especially true with military customers and those who travel and work or go to school in another time zone. Be sure to review item four (below) on this issue. Many other state laws and the federal TCPA allow contact from 8 a.m. until 9 p.m., so this new law is a bit more limiting.

Four – The new law does include a rebuttable presumption that your telephone calls and text messages to an Oklahoma area code are being made to an Oklahoma resident. So, for any of the state’s five area codes there is a defensible position as to when it is the customer’s local time. But unlike land lines that are geographically limited, your customer travels with their mobile phone and may permanently reside elsewhere. Be sure to cross reference addresses on file, because having sent bank statements to a consumer’s address in any other time zone may eliminate your rebuttable presumption.

Exemptions

The new mini-TCPA does provide exemptions that may apply to your bank. There are a number of exemptions, but I will draw your attention to number 20. It specifically exempts a “person soliciting business from prospective consumers who have an existing business relationship with or who have previously purchased from the business enterprise for which the solicitor is calling if the solicitor is operating under the same business enterprise.” This exemption alone may be enough to cause you to dismiss the mini-TCPA as a non-event but ensure you are familiar with it to avoid problems. And while this may be an exemption from the mini-TCPA, the bank may not enjoy the same exemptions from the federal TCPA.

Recommended actions

We recommend the bank evaluate all current telemarketing activities. There may be a concerted marketing effort in-house or outsourced for solicitations, or a branch may have taken upon itself an effort to contact new customers for sales in an effort to achieve periodic goal requirements. It happens and some employees will take the initiative. But a violation would be a violation regardless of the motivating factors. Know what is happening in and on behalf of your bank.

The bank should update policies and procedures addressing telemarketing activities even if called by another name, marketing, officer call programs, etc. that are impacted by the mini-TCPA.

Train staff so they all understand the basic requirements of the new mini-TCPA. Specifically focus on what activities are included and what they must do to comply both with the law itself and with the bank’s policies and procedures. This may include obtaining permission from customers as well as management to conduct any activities and following established procedures to comply with the new requirements.

Review and update any outsourcing agreements. Call centers that provide such marketing activities will be subject to the mini-TCPA whether they are a third party or part of the bank making “cold calls.” The bank may delegate authority to third parties, but it cannot delegate responsibilities. It is still the bank’s burden to ensure compliance and the bank has the ultimate responsibility. That said, any agreements may be reviewed to displace as much responsibility to a third party as possible for the actions of that third party.

Penalties

The mini-TCPA does contain a private right to action for consumers. The per call or text message penalties range from between the lesser of actual damages to $500 and to $1,500 for a willful violation. And with regulatory agencies using all possible penalties in enforcement actions, a problem or series of telemarketing problems could result in both state and federal TCPA actions. If the problem is large enough this could result in a class action suit.

There is time, but …

With several months between the date of this article and the November 1, 2022, effective date, there is time to accomplish these actions even with the summer months running interference. But banks are urged not to wait until the last minute and be forced to play catchup.

You will find HB3168 here,

Tit. 47 O.S. § 1110 (Perfection of Security Interest)

by Pauli Loeffler

Sec. 1110 was amended effective May 4, 2022, with regard to transfers of title when there is a lien entry filed by a commercial lender on a vehicle. The amendment provides:

…

8. When there is an active lien from a commercial lender in place on a vehicle, motor license agents shall be prohibited from transferring the certificate of title on that vehicle until the lien is satisfied, except when the title is transferred:

a) to a person whose name is included on the loan for which the lien is placed pursuant to an agreement by the lender and any party to the title,

b) to a trust created by a person whose name is included on the loan for which the lien is placed, or

c)from a person who has died, upon the submission of a death certificate.

The provisions of this paragraph shall not be construed to release any lien or debt based solely upon a transfer of certificate of title.

The only way to perfect a security interest in a vehicle is by lien entry. As long as the lien remains on the title, the bank can repo the collateral, get a repo title, and sell the collateral. The original borrowers or their estates if the borrower is deceased will remain liable on the note regardless of whether they retain title or not.

Under the amendment if a co-borrower is NOT on the title to the vehicle, the title may only be transferred to the co-borrower if s/he provides proof of status as a co-borrower. Likewise, if the borrower is a natural person, title may be transferred to his or her trust subject to the lien. Note that a garnishment or levy will reach the settlor’s trust,

8.c. covers the situation where the borrower is deceased. The rationale for 8.c. is intended to cover the situation when the sole owner/borrower dies, and there is no other borrower, and no one is making loan payments, so the loan is in default. The problem facing the bank in repossessing and selling the vehicle is determining who must receive notice of the sale. If there is a probate, the bank can deal with the person appointed to represent the estate, but when there is no probate, things get messy.

If the owner provided a Transfer on Death Application (Tit. 47, Sec. 1107.5), title can be transferred to the named person, but such transfer is not allowed as long as the lien remains unsatisfied. Basically, 8.c. would allow the transfer provided payment of the loan has either been made, or the bank is willing to allow the individual named as Transfer on Death beneficiary to assume the loan. Note that if the TOD beneficiary neither pays off the loan nor assumes the loan, the bank can still repossess the vehicle, however, the TOD beneficiary will have no personal liability.

If the deceased owner/borrower had a will, then the title can be transferred using the OTC’s Affidavit of Small Estate. Again, as long as the lien remains on the title, there isn’t a problem, and the loan will have to be paid or provided for, e.g., the heir will assume the note or refi the loan. If there is no will, then the affidavit can’t be used. If the owner died intestate (no will), and there is no probate, then the bank has to determine who the deceased owner’s known heirs are and mail them notice of sake as well as provide publication notice to the unknown heirs. This is time and labor intensive which makes it more expensive to repo the vehicle and sell it. It remains to be seen whether 8.c. allows OTC to transfer title subject to the lien in such case. I believe that in order for this to be permitted, the OTC will need to promulgate new rules and forms.

Tit. 47 O.S. § 427A/§ 1105A (Electronic filing)

by Pauli Loeffler

I covered this in the October 2021 OBA Legal Briefs, but as we draw closer to its effective date on July 1, 2022, we need to review its provisions. This statute covers Electronic Filing, Storage and Delivery of Motor Vehicle Certificates of Title – Procedures. It provides for certificates of title and liens filed after June 30, 2022. Two provisions banks need to know are:

A. On or before July 1, 2022, the Oklahoma Tax Commission shall implement a program which will permit the electronic filing, storage and delivery of motor vehicle certificates of title and allow a lienholder to perfect, assign and release a lien on a motor vehicle in lieu of submission and maintenance of paper documents as otherwise provided in the provisions of Section 1101 et seq. of Title 47 of the Oklahoma Statutes…

B. The program authorized under subsection A of this section shall include, but not be limited to, procedures: 1. For the delivery of a certificate of title, on a paper document or in an electronic format, to the secured party having the primary perfected security interest in a vehicle in lieu of delivery to the record owner, notwithstanding the provisions of Section 1101 et seq. of Title 47 of the Oklahoma Statutes. Provided, when electronic transmission of liens and lien satisfactions is used, a certificate of title need not be issued or printed until the last lien is satisfied and a clear certificate of title is issued to the owner of the vehicle at their request…

First, the Oklahoma Tax Commission will continue to offer both electronic and paper process on and after July 1, just as they do now. Second, instead of the vehicle’s owner receiving the title, the primary lien holder will receive the title. Since the OTC allows multiple lien entries on the title, lenders with inferior liens presumably have to request a copy of the title for their records, Finally, when all liens are released, it seems the owner will have to request a copy of the title.

Prior to July 1, 2022, the effective date of this legislation, there were only nine nontitle-holding states: Kentucky, Maryland, Michigan, Minnesota, Missouri, Montana, New York, Oklahoma, Wisconsin. In these states, the title is issued to the registered owner/operator of the vehicle, regardless of whether there is as a lien holder. In the other 41 states, titles are issued to the lien holder of the vehicle, who will hold the title until the loan is paid off. Oklahoma joins these title-holding states on July 1, 2022.

Changes in UCCC amounts effective 7/1/22

by Pauli D. Loeffler

Sec. 1-106 of the Oklahoma Uniform Consumer Credit Code in Title 14A (the “U3C”) makes certain dollar limits subject to change when there are changes in the Consumer Price Index for Urban Wage Earners and Clerical Workers, compiled by the Bureau of Labor Statistics, U.S. Department of Labor. You can download and print the notification from the Oklahoma Department of Consumer Credit by clicking here. It is also accessible on the OBA’s Legal Links page under Resources once you create an account through the My OBA Member Portal. You can access the Oklahoma Consumer Credit Code as the changes in dollar amounts for prior years on that page as well.

Increased Late Fee

The maximum late fee that may be assessed on a consumer loan is the greater of (a) five percent of the unpaid amount of the installment or (b) the dollar amount provided by rule of the Administrator for this section pursuant to § 1-106. As of July 1, 2020, the amount provided under (b) will increase by $2.00 to $29.00

Late fees for consumer loans must be disclosed under both the UC3 and Reg Z, and the consumer must agree to the fee in writing. Any time a loan is originated, deferred, or renewed; the bank has the opportunity to obtain the borrower’s written consent to the increased late fee set by the Administrator of the Oklahoma Department of Consumer Credit. However, if a loan is already outstanding and is not being modified or renewed, a bank has no way to unilaterally increase the late fee amount if it states a specific amount in the loan agreement.

On the other hand, the bank may take advantage of an increase in the dollar amount for late fees if the late-fee disclosure is worded properly, such as:

“If any installment is not paid in full within ten (10) days after its scheduled due date, a late fee in an amount which is the greater of five percent (5%) of the unpaid amount of the payment or the maximum dollar amount established by rule of the Consumer Credit Administrator from time to time may be imposed.”

§ 3-508A

This section of the “U3C” sets the maximum annual percentage rate for certain loans. It provides three tiers with different rates based on unpaid principal balances that may be “blended.” It also has an alternative maximum rate that may be used rather than blending the rates. The amounts under each tier are NOT subject to annual adjustment by the Administrator of the Oklahoma Department of Consumer Credit under §1-106. However, a new subsection (4) was added allowing the lender to charge a closing fee which IS subject to adjustment under § 1-106. The closing fee of $28.85 was effective for loans made on and after November 1, 2021. This amount has increased as follows:

(4) In addition to the loan finance charge permitted in this section and other charges permitted in this act, a supervised lender may assess a lender closing fee not to exceed One Hundred Sixty-seven Dollars and thirty-three ($167.33) upon consummation of the loan.

Note that the closing fee, while not a finance charge under the OK U3C, and therefore not considered for purposes of Oklahoma usury IS a finance charge under Reg Z. Most banks use Reg Z disclosures. This means that it is possible that the fee under Reg Z disclosures will cause the APR to exceed the usury rate under § 3-508A. If that happens, document the file to show that the fee is excluded under the U3C in order to show that the loan does not in fact violate Oklahoma’s usury provisions. Please note that the bank is NOT required to charge a closing fee at all, and I know that at least one bank has stated it has decided to charge an amount less than the amount permitted under the statute.

You can access the § 3-508A Matrix here.

§ 3-508B Loans

Some banks make small consumer loans based on a special finance-charge method that combines an initial “acquisition charge” with monthly “installment account handling charges,” rather than using the provisions of § 3-508A with regard to maximum annual percentage rate.

The permitted principal amounts for § 3-508B is adjusting from $1,6200.00 to $1,740.00 for loans consummated on and after July 1, 2022.

Sec. 3-508B provides an alternative method of imposing a finance charge to that provided for Sec. 3-508A loans. Late or deferral fees and convenience fees as well as convenience fees for electronic payments under § 3-508C are permitted, but other fees cannot be imposed. No insurance charges, application fees, documentation fees, processing fees, returned check fees, credit bureau fees, nor any other kind of fee is allowed. No credit insurance even if it is voluntary can be sold in connection with in § 3-508B loans. If a lender wants or needs to sell credit insurance or to impose other normal loan charges in connection with a loan, it will have to use § 3-508A instead. Existing loans made under § 3-508B cannot be refinanced as or consolidated with or into § 3-508A loans, nor vice versa.

As indicated above, § 3-508B can be utilized only for loans not exceeding $1,740.00. Further, substantially equal monthly payments are required. The first scheduled payment cannot be due less than one (1) calendar month after the loan is made, and subsequent installments due at not less than 30-day intervals thereafter. The minimum term for loans is 60 days. The maximum number of installments allowed is 18 months calculated based on the loan amount as 1 month for each $10.00 for loan amounts between $173.94 and $580.00 and $20 for loan amounts between $580.01 – $1,740.00.

Lenders making § 3-508B loans should be careful and promptly change to the new dollar amount brackets, as well as the new permissible fees within each bracket for loans originated on and after July 1st. Because of peculiarities in how the bracket amounts are adjusted, using a chart with the old rates after June 30 may result in excess charges for certain small loans and violations of the U3C provisions.

Since §3-508B is “math intensive,” and the statute whether online or in a print version does NOT show updated acquisition fees and handling fees, you will find a modified version of the statute with the 2022 amounts toward the bottom of the Legal Links page here. Again, you will need to register an account with the OBA in order to access it.

The acquisition charge authorized under this statute is deemed to be earned at the time a loan is made and shall not be subject to refund, if the loan is prepaid in full, refinanced or consolidated within the first sixty (60) days, the acquisition charge will NOT be deemed fully earned and must be refunded pro rata at the rate of one-sixtieth (1/60) of the acquisition charge for each day from the date of the prepayment, refinancing or consolidation to the sixtieth day of the loan. The Department of Consumer Credit has published a Daily Acquisition Fee Refund Chart for prior years with links on this page, (https://www.ok.gov/okdocc/Licenses_We_Regulate/Supervised_Lender/index.html) but had not done so at the time this article was written. Note if a loan is prepaid, the installment account handling charge shall also be subject to refund. A Monthly Refund Chart for handling charges for prior years can be accessed on the page indicated above, as well as § 3-508B Loan Rate (APR) Table. I expect the charts and table for 2022 to be added shortly.

NOTE: Sec. 3-508B was amended this last legislative session with changes that are effective November 1, 2022. I will cover the changes in a future Legal Briefs article prior to the effective date.

§ 3-511 Loans

I frequently get calls when lenders receive a warning from their loan origination systems that a loan may exceed the maximum interest rate. Nearly always, the banker says the interest rate does not exceed the alternative non-blended 25% rate allowed under § 3-508A according to their calculations. Usually, the cause for the red flag on the system is § 3-511. This is another section for which loan amounts may adjust annually. Here is the section with the amounts as effective for loans made on and after July 1, 2022, in bold type.

Supervised loans, not made pursuant to a revolving loan account, in which the principal loan amount is $5,800.00 or less and the rate of the loan finance charge calculated according to the actuarial method exceeds eighteen percent (18%) on the unpaid balances of the principal, shall be scheduled to be payable in substantially equal installments at equal periodic intervals except to the extent that the schedule of payments is adjusted to the seasonal or irregular income of the debtor; and

(a) over a period of not more than forty-nine (49) months if the principal is more than $1,740.00, or

(b) over a period of not more than thirty-seven (37) months if the principal is $1740.00 or less.

The reason the warning has popped up is due to the italicized language: The small dollar loan’s APR exceeds 18%, and it is either single pay or interest-only with a balloon.

Dealer Paper “No Deficiency” Amount

If dealer paper is consumer-purpose and is secured by goods having an original cash price less than a certain dollar amount, and those goods are later repossessed or surrendered, the creditor cannot obtain a deficiency judgment if the collateral sells for less than the balance outstanding. This is covered in Section 5-103(2) of the U3C. This dollar amount was previously $5,400.00 and increases to $5,800.00 on July 1.

May 2022 OBA Legal Briefs

Please help us help you
Lender credits on the TRID closing disclosure
MLA and GAP
Overdraft fees are not interest

Please help us help you

By Pauli D. Loeffler

You may have missed the notice on the Oklahoma Bankers Association’s webpage regarding issues the OBA Legal and Compliance team is experiencing with emails sent to us. Regardless of the fact that we hope to have the issue resolved shortly, we found that many bankers fail to provide vital contact information in their email signature blocks. This delays or prevents us from providing a quick response.

Specifically, the signature block needs to have not only your name and the name of the bank but also your email address, phone number (with extension, if any), and the city where you are located. There are times when a phone call to get additional information to answer a question is better than a series of emails. We certainly can look up the phone number for the main bank, but most banks have branches which results in making additional calls.

We appreciate your understanding and patience during the resolution of the email issue and look forward to answering your legal and compliance questions.

Lender credits on the TRID closing disclosure

By John S. Burnett

There are two types of lender credits that are disclosed under Regulation Z’s “TRID” disclosure requirements. In this discussion, we will review how those two types of lender credits should be used and disclosed.

First, however, let’s review what lender credits include. They are (1) payments, such as credits, rebates, and reimbursements, that a creditor provides to a consumer to offset closing costs the consumer will pay as part of the mortgage loan transaction; and (2) premiums in the form of cash that a creditor provides to a consumer in exchange for specific acts, such as for accepting a specific interest rate, or as an incentive, such as to attract consumers away from competing creditors. (https://www.consumerfinance.gov/compliance/compliance-resources/mortgage-resources/tila-respa-integrated-disclosures/tila-respa-integrated-disclosure-faqs/#lender-credits)

Another way of separating lender credits into two types is to use the terms “specific lender credits” and “general lending credits.” These are the ways in which lender credits are disclosed that our discussion is focused on.

General lender credits

Your bank may decide, for example, that it will pay up to $1,000 in borrower third-party closing costs, without specifying which third-party costs are included. Because you want the lender credit to appear on the loan estimate, you show that lender credit as a negative amount in the estimated closing costs on page one and in section J on page 2. You also disclose your good faith estimates of closing costs for the loan your applicant has applied for – the origination charges, title work costs, taxes and recording fees, prepaids and all the rest – that collectively will most likely be paid in connection with the loan, without indicating which of those costs your promised $1,000 will cover. The “calculating cash to close” box starts with the total closing costs reduced by the general lender credit, so it flows through to the Estimated Cash to Close – the approximation of what the applicant can expect to bring to (or receive from) the closing.

Note: Completing the loan estimate this way does present a risk that the closing costs to be covered end up totaling less than the general lender credit amount at closing time. Because lender credits are considered “negative closing costs,” a lender cannot reduce the general lender credit that appears on the loan estimate unless the lender credit is directly affected by a changed circumstance affecting the lender credit as part of the pricing of the loan. However, this is the usual way to complete a loan estimate when the lender intends to provide a general lender credit toward closing costs.

General lender credits for tolerance violations

We just discussed an example of a planned or intentional general lender credit. There’s also the chance that your bank will have to provide an unexpected general lender credit if its closing costs estimates fall short of the actual closing costs, and the differences are more than permitted under the tolerance limits in Regulation Z §§ 1026.19(e)(3)(i) and 1026.19(e)(3)(ii) — the zero percent and ten percent tolerance rules, respectively.

When a lender determines that it has exceeded the tolerance limits under either or both of those sections, it has to adjust the amount due to or from the consumer by the amount by which the tolerance limits were exceeded. A general lender credit (or an increase to a general lender credit already provided) is one way to get that done.

In such a case, the amount of the excess closing costs will appear (itself or as part of a Lender Credits amount) in three places on the closing disclosure:

On the Lender Credits line in section J on page 2, the amount of the excess closing costs will appear in parentheses in the label after the words “Lender Credits.” The statement in the parentheses will read “(Includes $XXX credit for increase in Closing Costs above legal limit)” and the total Lender Credit amount (including the excess closing costs and any other planned general lender credit) appears as a negative amount in the Borrower Paid At Closing column.
On the Total Closing Costs line of the Calculating Cash to Close table on page 3, if the actual closing costs exceed the estimated closing costs, and tolerance violations have occurred, the total amount of the tolerance violations will appear in a second bullet list entry in the “Did this change?” response, saying “Increase exceeds legal limits by $XXX. See Lender Credits on page 2.”
On page 1, on the Closing Costs line of the Costs at Closing table, the amount of the total tolerance violations (the amount to be credited in the general lender credit) appears as part of the Lender Credits after the minus sign and before the words “in Lender Credits,” so the statement to the right of the total closing costs figure reads: “Includes $XXXX.xx in Loan Costs + $XXXX.xx in Other Costs = $XXXX.xx in Lender Credits.”

Specific lender credits

If your bank wants to pay selected closing costs that consumers are typically charged as part of your residential mortgage lending strategy, there are two ways to prepare the loan estimate. You can simply omit those selected costs that the consumer will not be charged from the loan estimate completely (your applicants won’t be charged for these services, so they don’t have to be included on the loan estimate). Make sure you disclose any costs that the consumer will be charged (an application fee, for example).

Another way to complete the loan estimate is to include all the costs the lender estimates will be involved (including those the lender intends to absorb) and show a general lender credit. In that way, the consumer sees all those costs, but also sees the amount of those costs the lender plans to cover.

But this section is about specific lender credits, you’re thinking. That’s right, it is. Because when it’s time to issue the closing disclosure, you get down to specifics. For each loan cost or other cost on page 2 that the lender intends to cover, insert the amount of that cost in the Paid By Others column and (optionally) identify it as a lender credit by including “(L)” before the dollar amount (without the quotation marks, of course). That reduces the costs due from the consumer because there’s no cost for the service in the Borrower Paid column. You’ve correctly disclosed a specific lender credit. Now, do the same for each cost that the lender is absorbing.

Suppose that the loan estimate for the loan included a general lender credit. The total of specific lender credits and general lender credits on the closing disclosure must equal or exceed the amount of the general lender credit on the loan estimate. What do you do if you overestimated a cost on the loan estimate, or one of the services listed there was not used, and now your loan estimate has a general lender credit amount that’s $50 more than the total specific lender credits on the closing disclosure? You include a general lender credit of $50 on the closing disclosure in Section J on page 2 and in the Costs at Closing table at the bottom of page 1.

What about tolerance violations?

Earlier, we said that a lender can issue a loan estimate without including the costs that the lender intends to absorb. When it’s time for closing, you must include all costs, regardless of who pays them. We’ve described above the way to avoid tolerance violations, by putting the costs to be absorbed in the Paid by Others column on the closing disclosure. Just to make it interesting, let’s assume that the lender did not intend to absorb the cost of the appraisal, and included that service on the loan estimate in section B as “not shoppable,” with a cost estimate of $750. For whatever reason, the actual cost of the appraisal ends up at $900, and the lender did not elect to issue a revised loan estimate for a changed circumstance. So there is a $150 tolerance violation (it is a 0 percent tolerance service cost). Does the lender have to treat that as an “increase exceeding legal limits” and include that $150 in Section J and in the Costs at Closing table?

No. There’s an easier (and better, in this author’s view) way to handle it. Just break the cost of the appraisal into two parts: $750 goes in the Borrower Paid column and (L) $150 goes in the Paid by Others column.

The same strategy can be used for a cost omitted by mistake from the loan estimate or any other cost that would become a tolerance violation if paid by the consumer. If the lender is facing an excessive increase in 10-percent limit costs, enough costs to bring the “10 percent bucket” back to a 10 percent increase or less can be shifted from the Borrower Paid column to the Paid by Others column.

Whichever method is used, the total paid by the consumer will be the same. The only difference is how the lender credits are shown – as general or specific lender credits.

One important caveat – don’t use the specific lender credit method if you’re dealing with a prepaid finance charge. For some loan origination systems, doing so can alter the finance charge amounts and affect the APR.

MLA and GAP

By Andy Zavoina

It is no surprise that the Department of Defense is not a fan of GAP coverage on loans to service members. When the Military Lending Act regulation (MLA) was revised and later clarified with guidance in Q&A form, the DoD essentially said that an automobile loan was exempt from MLA restrictions when the funds from the loan were used for the purchase of the collateral, but if there were additional funds such as for non-essential items, the loan would lose the exemption.

This could then require more disclosures on a loan and attention to the 36 percent Military Annual Percentage Rate (MAPR) cap which is the Annual Percentage Rate on steroids. The MAPR is inclusive of such fees as GAP and credit insurance and the 36 percent rate is easily within reach with these fees included. This is a reason those financing vehicles want the exclusion from disclosures and the 36 percent usury rate. The DoD dislikes GAP insurance as well as some other costs like credit life insurance. Many banks like them as they can be profitable for the banks especially in competitive low-rate environments.

The DoD views many costs as unnecessary and expensive to the service member borrower. Banks and auto dealers do make a profit on these add-ons and many of these serve a key and important role, when needed. As to insurance, more than once I have seen a service member who had no equity in the collateral be saved from a deficit balance when a car was totaled or an estate saved from a debt when a service member passed. If the insurance is never needed it may seem expensive. But for those who paid a fraction of what was later paid out in a claim, it was worthwhile. The DoD sees the payouts as an exception and greed, or unnecessary costs to a service member anyway, as the rule.

In 2016 the DoD attempted to clarify the wording of the MLA exemption requirements with Guidance instead of revising the regulation itself. In the text below you can read that the exemption was lost with certain additional items being financed, a hybrid loan, but not others. Cash out being included in the loan would clearly void the exemption. GAP was not directly discussed and many lenders believed it was an essential component of a loan.

Here is Question 2 from the original August 2016 Guidance from the DoD:

Does credit that a creditor extends for the purpose of purchasing personal property, which secures the credit, fall within the exception to “consumer credit” under 32 CFR 232.3(f)(2)(iii) where the creditor simultaneously extends credit in an amount greater than the purchase price?

Answer: No. Section 232.3(f)(1) defines “consumer credit” as credit extended to a covered borrower primarily for personal, family, or household purposes that is subject to a finance charge or payable by written agreement in more than four installments. Section 232.3(f)(2) provides a list of exceptions to paragraph (f)(1), including an exception for any credit transaction that is expressly intended to finance the purchase of personal property when the credit is secured by the property being purchased. A hybrid purchase money and cash advance loan is not expressly intended to finance the purchase of personal property, because the loan provides additional financing that is unrelated to the purchase. To qualify for the purchase money exception from the definition of consumer credit, a loan must finance only the acquisition of personal property. Any credit transaction that provides purchase money secured financing of personal property along with additional “cash-out” financing is not eligible for the exception under § 232.3(f)(2)(iii) and must comply with the provisions set forth in the MLA regulation

In December 2017 that question was modified to include the section on personal property as well as on vehicles. They mirror one another, and it always seemed odd they separated the two forms of collateral but treated them exactly the same, less the original Guidance which discussed just vehicles. The revised Guidance was more detailed as you can read below, and was specific to state GAP would in fact void the MLA exemption.

Does credit that a creditor extends for the purpose of purchasing a motor vehicle or personal property, which secures the credit, fall within the exception to “consumer credit” under 32 CFR 232.3(f)(2)(ii) or (iii) where the creditor simultaneously extends credit in an amount greater than the purchase price of the motor vehicle or personal property?

Answer: The answer will depend on what the credit beyond the purchase price of the motor vehicle or personal property is used to finance. Generally, financing costs related to the object securing the credit will not disqualify the transaction from the exceptions, but financing credit-related costs will disqualify the transaction from the exceptions.

Section 232.3(f)(1) defines “consumer credit” as credit offered or extended to a covered borrower primarily for personal, family, or household purposes that is subject to a finance charge or payable by written agreement in more than four installments. Section 232.3(f)(2) provides a list of exceptions to paragraph (f)(1), including an exception for any credit transaction that is expressly intended to finance the purchase of a motor vehicle when the credit is secured by the vehicle being purchased and an exception for any credit transaction that is expressly intended to finance the purchase of personal property when the credit is secured by the property being purchased.

A credit transaction that finances the object itself, as well as any costs expressly related to that object, is covered by the exceptions in § 232.3(f)(2)(ii) and (iii), provided it does not also finance any credit-related product or service. For example, a credit transaction that finances the purchase of a motor vehicle (and is secured by that vehicle), and also finances optional leather seats within that vehicle and an extended warranty for service of that vehicle is eligible for the exception under § 232.3(f)(2)(ii). Moreover, if a covered borrower trades in a motor vehicle with negative equity as part of the purchase of another motor vehicle, and the credit transaction to purchase the second vehicle includes financing to repay the credit on the trade-in vehicle, the entire credit transaction is eligible for the exception under § 232.3(f)(2)(ii) because the trade-in of the first motor vehicle is expressly related to the purchase of the second motor vehicle. Similarly, a credit transaction that finances the purchase of an appliance (and is secured by than appliance), and also finances the delivery and installation of that appliance, is eligible for the exception under § 232.3(f)(2)(iii).

In contrast, a credit transaction that also finances a credit-related product or service rather than a product or service expressly related to the motor vehicle or personal property is not eligible for the exceptions under § 232.3(f)(2)(ii) and (iii). For example, a credit transaction that includes financing for Guaranteed Auto Protection insurance or a credit insurance premium would not qualify for the exception under § 232.3(f)(2)(ii) or (iii). Similarly, a hybrid purchase money and cash advance credit transaction is not expressly intended to finance the purchase of a motor vehicle or personal property because the credit transaction provides additional financing that is unrelated to the purchase. Therefore, any credit transaction that provides purchase money secured financing of a motor vehicle or personal property along with additional “cash out” financing is not eligible for the exceptions under § 232.3(f)(2)(ii) and (iii) and must comply with the provisions set forth in the MLA regulation.

In this 2017 Guidance the DoD says a loan that finances the purchase of a motor vehicle and is secured by that vehicle can also finances optional leather seats, negative equity and an extended vehicle warranty as an example of a loan that would be eligible for the MLA exemption. In contrast the Guidance used a credit transaction which includes financing for GAP insurance or a credit insurance premium as examples of a credit transaction that would not be exempt from the MLA.

Many banks and auto dealers stopped offering GAP coverage to those subject to the MLA, even when the loan was under the 36 percent usury cap. Some lenders’ systems were not ready to make all the other MLA disclosures that would be required. The wording of the MLA has been interpreted by some to understand that the MLA does not allow the financing to be secured by the purchased vehicle’s title. This caused further doubts as to lending to covered service members.

In 2019 many banking and vehicle trade groups tried to assist their members in dealing with the Guidance and the loss of exemptions citing reports of actual harm to the service members themselves as they now had limited options for loans and the ancillary products they historically had access to. Several trade organizations wrote and asked for clarity.

Then, in 2020, the DoD withdrew its earlier interpretation and it opened the window for GAP by removing the explicit statement that it voided the exemption. The question was again re-phrased, now using just the term personal property apparently to include vehicles and other household items with the answer as follows:

Does credit that a creditor extends for the purpose of purchasing personal property, which secures the credit, fall within the exception to “consumer credit” under 32 CFR 232.3(f)(2)(iii) where the creditor simultaneously extends credit in an amount greater than the purchase price?

Answer: No. Section 232.3(f)(1) defines ‘‘consumer credit’’ as credit extended to a covered borrower primarily for personal, family, or household purposes that is subject to a finance charge or payable by written agreement in more than four installments. Section 232.3(f)(2) provides a list of exceptions to subparagraph (f)(1), including an exception for any credit transaction that is expressly intended to finance the purchase of personal property when the credit is secured by the property being purchased. A hybrid purchase money and cash advance loan is not expressly intended to finance the purchase of personal property, because the loan provides additional financing that is unrelated to the purchase. To qualify for the purchase money exception from the definition of consumer credit, a loan must finance only the acquisition of personal property. Any credit transaction that provides purchase money secured financing of personal property along with additional ‘‘cash- out’’ financing is not eligible for the exception under § 232.3(f)(2)(iii) and must comply with the provisions set forth in the MLA regulation.

So if the GAP example was removed, that must mean that financing the GAP product was now allowed, right? Many banks and other lenders jumped on that bandwagon and resumed financing such purchases. In the 2020 announcement what the DoD said was that it was withdrawing its answer because of “unforeseen technical issues” and, “absent additional analysis, (the DoD) takes no position on any of the arguments or assertions advanced as a basis for withdrawing” its 2017 guidance.

The on again, off again and still without clarity roller coaster brings us to today. A 2021 court case decided by the U.S. District Court for the Eastern District of Virginia involves the MLA and GAP. In Davidson v. United Auto Credit, Davidson was a covered borrower under the MLA when he purchased and financed a vehicle with GAP coverage included at a cost of $350. The complaint was that the retail installment contract violated the MLA because it did not disclose the MAPR plus it had other MLA defects.

The trial court ruled that GAP being added to the contract did not void the MLA exemption. The judge said the clear language in the law and regulation did not void the exemption while Davidson argued the 2016 Guidance was not affected by withdrawal of the 2017 revision and that the loan for the vehicle purchase was still subject to the MLA requirements. The judge found Davidson’s argument unpersuasive, stating that the GAP coverage was “inextricably” tied to the purchase of the vehicle.

So far, this is good news for the banks and other lenders. But the case has been appealed to the U.S. Court of Appeals for the Fourth Circuit. In January 2022 the Consumer Finance Protection Bureau (CFPB) filed an amicus brief in favor of Davidson. The CFPB takes the position that when GAP coverage is included in the vehicle’s financing the exemption is voided and the loan requires complete compliance with the MLA. The DoD, joined in the CFPB’s amicus brief. The DoD said it “strongly concurs” with the CFPB on the issue. Now it is established that the CFPB as well as the DoD do not look favorably to the financing of GAP coverage on vehicle loans.

It is unknown what or when the court will rule. We have seen the CFPB take very proactive consumer protection positions and itself reversing Trump period provisions which were deemed “pro business.” The DoD controls and interprets 32 CFR 232. Many do not believe it would get back on the roller coaster and again revise its guidance, but its position is clear. GAP is not as prevalent, but this case is service member specific. I doubt we would see a retroactive reversal of loans with GAP coverage being impacted but as future plans are considered for loan products, banks with high volumes of loans to service members, with GAP may opt to temper any high sales penetration goals or at least recognize that what the DoD gave, it can take back.

Overdraft fees are not interest

By Andy Zavoina

It was a split decision at the U.S. Court of Appeals for the Tenth Circuit as it ruled on Walker v. BOKF, Nat’l Ass’n, (10th Cir. April 8, 2022). Oklahoma is in the Tenth Circuit. This court affirmed a lower court’s dismissal of a suit claiming that the bank was charging usurious interest on overdrafts.

In this case Walker created an overdraft in his checking account in the amount of $25. The bank paid the item and added to that a fee of $34.50. The bank also charges a daily fee of $6.50 per business day after five days that the account remains in the overdraft. This is disclosed as an “extended overdraft charge.” There were 36 daily overdraft charges accrued before the deposit account reached a positive balance. The original NSF fee plus 36 daily fees total to $268.50.

Walker maintains that these fees equate to interest charged on the original $25 overdraft and that this amount is usurious. BOKF is a national bank. The National Banking Act of 1864 allows a national bank to charge an interest rate no greater than the rate allowed by the state in which the bank is chartered. In the case of Oklahoma this allows a rate of 6 percent. Doing the math, 6 percent per annum on $25 is $.00411 per day which is a lot less than the fee charged by BOKF.

The bank moved for dismissal and the District Court granted that motion. The District Court held that overdraft fees are fees for deposit account services and were not interest and therefore not subject to the National Banking Act or the 6 percent rate allowed by the state. “Back in the day,” paper items were presented and reviewed against deposit balances and manual decisions were made to pay or return an item. There were people involved and hard costs in addition to the opportunity costs of the funds themselves. The process has been automated today but the theory remains the same.

The District Court’s ruling was appealed to the Tenth Circuit Court where there was a dissenting opinion. This argued that the banking regulation was not ambiguous and that overdraft fees do meet the definition of interest. The dissenting opinion maintains that “When [the Bank] decides to cover a customer’s overdraft, it pays for the item and expects to be paid back. For example, despite [Plaintiff’s] inability to afford the original charge due to insufficient funds, [the Bank] made money available to him by purchasing the item for him. [The Bank] deducted the cost from [Plaintiff’s] account and charged him an overdraft fee, which it also deducted. But the bank expected to be paid back. By covering an overdraft, [the Bank] thus makes a temporary provision of money with the expectation of repayment. In other words, [the Bank] makes a loan.” Others may also see a daily fee as being a time-price differential or a cost for the use of the funds on that daily basis and consider that akin to an interest charge.

The majority of the Tenth Circuit judges did not agree. They affirmed the lower court’s findings based on Interpretive Letter 1082 issued in 2001, in which the OCC maintains that overdraft fees are designed to compensate the bank for “services directly connected with the maintenance of a deposit account,” and “therefore the bank was not creating a ‘debt’ that it then ‘collected’ by recovering the overdraft and the overdraft fee from the account. Instead, the bank was ‘providing a service to its depositors’ that the accountholder had agreed to pay for.” So, the OCC determined 21 years ago that fees for “deposit account services” (under 12 CFR 7.4002(a)) were not interest and were fees for agreed upon services which were offered, accepted and performed. The majority agreed that IL 1082 was entitled to an “Auer deference” — agency’s interpretation of its own ambiguous regulation is controlling unless plainly erroneous or inconsistent with the regulation — because 12 CFR 7.4001(a) addresses interest and is ambiguous.

April 2022 OBA Legal Briefs

Nacha warranties and old unauthorized ACH debits
P2P complaints
Fair banking

Nacha warranties and old unauthorized ACH debits

By John S. Burnett

Your bank just wrapped up its investigation of a consumer’s Regulation E claim involving a series of unauthorized ACH debits made by a gymnasium. Your customer, Sam, got a notice that the gym was being closed “temporarily” on August 10, 2019, for some major renovation work. He assumed the gym would suspend charging his account for his monthly membership fee, but the regular $39.95 charge showed up on his account on August 26, 2019. So, Sam emailed the gym’s owner/manager on August 27, 2019, to cancel the authorization for the monthly changes and got an emailed response that no further charges would be made to his account, and the August 26 charge would be credited to his membership for the first month when the gym was allowed to reopen.

For whatever reason, Sam didn’t check his account again until March 10, 2022, when he wasn’t able to withdraw $50 at the bank’s ATM. Those of you who are used to handling Reg E claims know what he found – the gym didn’t stop charging his account, and there was a series of 30 monthly debits from September 25, 2019, through February 25, 2022, that he was not expecting to see. On March 11, Sam, rightfully embarrassed by his lack of attention to his account, brought copies of his statements (which had been made available to him on the bank’s online banking portal on the last day of each month) into his local bank branch, each with a $39.95 ACH debit from the gym circled in red, along with a copy of his August 27, 2019, email to the gym manager and the manager’s response, and asked what the bank could do about getting his money back.

Your branch manager checked with the bank’s deposit operations manager, who suggested that Sam could get back the January 25 and February 25, 2022, debits quickly if the branch manager got him to complete and sign a Written Statement of Unauthorized Debit (WUSD) on those two transactions, but Operations would need to handle the Reg E claim on the earlier debits. Sam signed two WSUDs while the branch manager was copying the statements Sam had brought in. One WSUD covered the two most recent debits (totaling $79.90), as requested by the operations manager, and the other covered the 28 earlier debits (which totaled $1,118.60).

Sam’s documentation made it easy for Operations to complete a speedy investigation, and they agreed that all 30 of the ACH debits were unauthorized. Then they plugged the dates and amounts into their Regulation E Consumer Liability Calculation spreadsheet and determined that Sam should be reimbursed for the unauthorized transactions that posted to his account on or before November 29, 2019 (60 days after the September 2019 statement was available). That would include the September 25, October 25, and November 25, 2019, debits, for a total of 3 times $39.95, or $119.85. Operations also returned the ACH debits that hit Sam’s account on January 25 and February 25, 2022. Within three business days of filing his claims, Sam received credits of $119.85 and $79.90 to his account, and a couple of days later he got a letter explaining that the bank agreed that all thirty of the disputed debits were unauthorized, the bank had refunded only $119.85 for the first three debits, and Sam was responsible for the rest of them because he had failed to review his account statements and promptly notify the bank of the unauthorized debits. The letter then explained that, because he had provided the WSUD covering the two transactions that were less than 60 days old, the bank had been able to return them, and had credited him with $79.90. That leaves Sam with a loss of $998.75 due to his lack of attention to his account.

Using Nacha’s authorization warranty to recover more

The operations manager had done some further research and discovered that Nacha rules include a warranty of authorization that’s given by the Originating Depository Financial Institution (ODFI) in favor of the Receiving Depository Financial Institution (RDFI). That warranty covers two periods for consumer accounts — (11) the first 95 days from the settlement date of the first unauthorized entry to the consumer’s account (which generally corresponds to the period of time the RDFI would be responsible for unauthorized entries under Regulation E § 1005.6(b)(3)); and (2) after the first 95 days but with settlement dates less than two years old. [For non-consumer accounts, the Nacha warranty covers entries with Settlement Dates no more than one year old.]

Buoyed by what she found, the operations manager checked with the bank’s legal department, which suggested she:

Identify the ODFI and its head office address.
Compose a letter stating a claim for breach of warranties under section 2.4.1.1 of Nacha Rules (Warranty that the entry is authorized by the Originator and Receiver) with respect to the unauthorized entries on September 25, 2019, and during the 95 days following that date (that would include the transactions through December 29, 2019), and the entries with Settlement Dates later than two years ago but before January 1, 2022 (the two entries occurring later than January 1, 2022, had been returned).
Include a schedule of the posting dates and amounts of the entries covered by the claim.
Include a statement in the claim letter that the Receiver (Sam, your customer) revoked the authorization and the Originator had acknowledged and accepted that revocation on August 27, 2019.
Include copies of the August 27, 2019, emails between Sam and the gym owner/manager.

She completed the claim letter and faxed it to the ODFI on March 24, 2022.

What happens next depends on how the ODFI treats the warranty claim. This is, of course, a contrived story designed to illustrate the fact that the ability to make an “extended return” of an unauthorized ACH debit up to 60 days after its Settlement Date is not the “last resort” attempt at recovering funds for the bank or its depositor. Nacha Rules warranty provisions provide this additional tool. In fact, Nacha has a handy tool to explain its warranty at https://www.nacha.org/content/warranty-claims-tool

Let’s suppose the ODFI honors the claim and sends full payment for 4 unauthorized debits during the 95-day period (9/25/19 through 12/29/19) and 22 debits covered under the two-year period (3/24/20 through 3/24/22, but the January and February 25, 2022, debits aren’t part of the claim because they had been successfully returned earlier). What should the operations manager do with the $1,038.70 check?

The RDFI gets reimbursed for the three early debits that it had to return to Sam. And, because the RDFI can’t profit from the warranty claim, it credits the remaining $918.85 to Sam’s account, which covers most of his loss. He’s still out $79.90 for the January and February 2020 debits, which fall into the gap between the two Nacha warranty periods.

Of course, not every ODFI would honor such a claim. If the claim is denied, the RDFI can file a rules violation case with Nacha or press the claim in a civil court suit after weighing the cost/benefit of such a course. In our contrived example, however, the ODFI reviewed a strong claim that the debits were clearly unauthorized and decided not to fight it.

P2P complaints

By Andy Zavoina

In December 2021, the Consumer Financial Protection Bureau released an updated Compliance Aid for Reg. E, in the form of FAQs. We wrote about the FAQs extensively this last January and February. Central to these FAQs were P2P, or Peer-to-Peer payment programs from companies like Venmo, Zelle and Cash App. About a week after the updated FAQs were released 33 state attorneys general wrote to CFPB Director Rohit Chopra wanting stronger safeguards for consumers using these P2P apps. Oklahoma’s Attorney General was not on the letter.

It is estimated that in 2023 more than $1 trillion in transactions will happen using these apps. Usage has increased during the pandemic and the public seems to have accepted these programs for many uses. Some people see them as an extension of their bank accounts and it makes it easy to split a dinner bill, pay for a Pampered Chef order or pay a vendor for services rendered.

But when a transaction goes south, whom do they call? It could be your bank, who will refer them to the P2P vendor for customer service. With the updated FAQs we now know that the concerns of the attorneys general were partially answered in the FAQs as the CFPB opined that in many cases banks will have to shoulder the burden of handling claims, however. We covered that in January and February but as a short recap, if a bank has an agreement with a P2P vendor handling transactions the bank cannot deflect a claim for unauthorized use to the vendor. The CFPB opined that if the bank and P2P vendor share a credit card agreement such as both accept Visa or Mastercard, that constitutes “an agreement.”

Aside from banks now shouldering the claims burden, the letter to the CFPB complained that the P2P vendors have poor customer service. It was noted that reaching an actual person was difficult and usually included long hold times. It was also difficult to email or use a chat program to work out problems. Consumers found an inability to use their funds at times without warning when the P2P vendor held them. Restricted use could include paychecks from an employer or government benefits. Likely many of these people were unbanked and using the P2P service for banking. Lastly there were scammers stealing funds with various ruses. “Grandma, I was in an accident. I’m OK but we came to Mexico on spring break. Mom and dad can’t know, but I need $500 to get out of this jam,” is an example.

The CFPB’s mission is to protect consumers. Certainly, after reading about the three common complaints from consumers cited by the attorneys general, you will agree that banks strive not to have such issues and perform better than the P2P vendors. It was noted in the letter to the CFPB that the unbanked were often the more damaged consumers. Regardless, the claims problem has largely been handed to banks and that may be viewed a spart of the solution to the problem.

Some takeaways include banking the unbanked when they are qualified to have a bank account. While banks do not typically have rigorous qualification criteria for deposit accounts, some of these consumers may have burned their bridges with banks with charge-offs or poorly handled accounts. Still, there are some good consumer relationships out there that banks can market to and experience a win-win relationship with. These new and existing customers need to be reminded of security issues. We’ve expanded on some BBB tips for using a P2P payment app safely:

Only use it with someone you know and trust. Consider sending a test transfer of say $1 before sending the other $99 for that purchase. Scammers do this to see if an account is good and our customers can learn from this.
Take your time entering payment information and double-check it before hitting send. It is usually possible to talk to a person and get the instructions as the data is being entered.
Enable security settings and other measures offered by the app, including multifactor authentication that requires another form of verification besides just a username and password. And use a unique password.
Remember that public Wi-Fi at places like coffee shops or libraries may not be secure for use in conducting financial transactions.
Be wary of any business that only accepts P2P payment apps.
When using a mobile device like a smartphone or tablet, lock the device when not in use and do not lend the device to someone to make a call who may then be able to access a P2P app and conduct any transfer using the owners account.
When any device, be it a smartphone, tablet, game console or similar device has financial data stored on it, wipe the device before it is sold, donated or otherwise repurposed.

These tips need to be given repeatedly to bank customers just as they should be routinely reminded not to write a PIN on their debit card. Drive the point home. The dollars saved may be the bank’s money.

The last item here is a deliverable to bank management. Whoever is best suited to review Reg E claims for the last year or two should analyze the claims, both approved and denied (including those referred to a P2P vendor). Use this information to estimate what increase the bank may see based on the CFPB’s FAQs and the placement of responsibility on the bank for many of the P2P claims you would not have paid in the past. Management should be aware if this will be substantial. Some banks have reported seeing a significant increase and we can now assume that the pressure is on for banks to make up for these vendors’ shortcomings.

Any time bank management has the ear of a legislative influencer, it may be worth asking why, based on the above, Reg E cannot require the P2P vendors to be responsible for claims they are involved in. It is that vendor who has all the transaction information pertinent to a claim and who profited from the transaction, not your bank. And that vendor doesn’t even have to assist in any investigation. The CFPB should have the ability to police those vendors, not to shift the vendors’ responsibilities to banks.

Fair banking

By Andy Zavoina

In March, the CFPB announced it would be targeting unfair discrimination in consumer finance. “Consumer finance” seems like a broad term and it is. It takes in all types of consumer financial products, not just those involving credit. Banks will certainly be included in the Bureau’s reach, as we have the lion’s share of deposit accounts, and it is important to recognize how these changes will apply.

For years we have been asked questions related to deposit accounts. A customer complained and said the bank was discriminating based on race or gender but only had a savings account, or Marketing was asking if ads for new checking accounts needed to have the same pictorial diversification as home loan ads, showing both men and women and with various racial characteristics. Often the safe answer was “there is no fair lending equivalent for deposits.” While that is true, I and others have argued for years that “fair banking” should always be considered, and I believe most banks do keep that in mind. But under the heading of “what gets checked, gets done” this fair banking procedure will be going to a much higher level.

What the CFPB said was, “In the course of examining banks’ and other companies’ compliance with consumer protection rules, the CFPB will scrutinize discriminatory conduct that violates the federal prohibition against unfair practices. The CFPB will closely examine financial institutions’ decision-making in advertising, pricing, and other areas to ensure that companies are appropriately testing for and eliminating illegal discrimination.”

Note what that statement said — the CFPB will examine for discriminatory conduct, as this would be an unfair practice. Unfair is the “U” in UDAAP — Unfair, Deceptive or Abusive Acts or Practices. We have seen large UDAAP penalties, and because there is no statute of limitations, we have seen enforcement orders that went back for many years. While we often associate UDAAP enforcement actions with the CFPB, the prudential agencies still enforce UDAP as was the case in 2021 when the FDIC penalized Umpqua Bank. The FDIC determined that Umpqua Bank engaged in Section 5 violations (that’s UDAP in the FTC Act) related to collection practices involving commercial equipment financing through its wholly owned subsidiary, Financial Pacific Leasing, Inc. (FinPac). The FDIC determined that FinPac’s collection fee practices were unfair and deceptive. Specifically, FinPac charged various undisclosed collection fees to 17,000 borrowers whose accounts were past due, such as collection call and letter fees and third-party collection fees. So, the bank was fined for what its subsidiary was doing and paid restitution of $1.7 million and a civil money penalty of $1.8 million. (FDIC-20-0156k)

From July to October 2020 there were nine separate advertising enforcement actions against mortgage lenders totaling $4.446 million. Triggering terms were missed, ads were poorly arranged which made them misleading and in some cases the numbers were just wrong, or payments quoted were not obtainable. There were also instances of products being offered which were not being made at the time they were advertised.

While UDAAP and UDAP can bring a high dollar penalty and restitution amounts, this is in part based on how many consumers were disadvantaged and to what dollar amounts. As an example, a 2018 enforcement action included Community Trust Bank, Inc. of Pikesville, Kentucky, as it was hit with a UDAP penalty. Key points in this Federal Reserve enforcement action are that the bank would pay at least $4.75 million in penalties and restitution. The penalty arises from add-on products of a minimal cost, but it reached back to 1994. That was 24 years prior to the action taken. If there is a product and it has a UDAAP/UDAP defect since inception, the next question is when did it launch? From that date forward consumers with that product were harmed and compensation must be paid to the consumer harmed, reimbursements for unfair charges, and civil money penalties to the agency.

We have seen UDAAP used as an enforcement tool on other regulatory requirements such as Reg E where disclosures were made but additional requirements imposed, like requiring a police report to file a claim. Banks are not permitted to add requirements like that and UDAAP has more severe consequences that Reg E itself, so it became the enforcement tool of choice.

(1) CFPB Director Rohit Chopra stated, “When a person is denied access to a bank account because of their religion or race, this is unambiguously unfair,” and “We will be expanding our anti-discrimination efforts to combat discriminatory practices across the board in consumer finance.” So, no time limit and high dollar penalty amounts are associated with UDAAP actions. With this announcement of discriminatory practices on non-loan issues the CFPB released its revised UDAAP section of its exam manual. [https://files.consumerfinance.gov/f/documents/cfpb_unfair-deceptive-abusive-acts-practices-udaaps_procedures.pdf]

The Equal Credit Opportunity Act (ECOA) and its implementing Regulation B, along with the Fair Housing Act and data gathering requirements under the OCC’s Fair Housing Home Loan Data System and the Home Mortgage Disclosure Act have long been bundled together as anti-discrimination requirements for general loan and home mortgage loans. The revisions to the UDAAP examination manual coupled with a definitive tying of “unfair” to any discrimination, even involving non-loan related products and services, adds an enforcement tool.

The March 2022 Legal Briefs looked at UDAAP in some detail. That was published before this action by the CFPB. We refer you back to that edition for the details, but here I will point out that under the section of some act or practice “causing substantial harm” to a consumer, we find in the exam procedures that this, “may result from discriminatory behavior.”

Discrimination or discriminatory behavior is referenced 25 times in this 19-page document. It is used as an example under collections activities, under the section where a consumer cannot avoid an injury, such as a discriminatory practice, and elsewhere. With a discriminatory practice being unfair, both unintentional discriminatory practices and practices that fall outside the scope of ECOA now meet the test for being unfair. So, there is a longer reach. It also notes that what is discriminatory may be unfair, violating UDAAP, and at the same time violate other laws such as ECOA. Remember the CFPB does not have to pick one or the other of these laws to use for enforcement action, it can compound them and cite both as each is being violated if you have a loan or home mortgage product.

The revised UDAAP section states, “A discriminatory act or practice is not shielded from the possibility of being unfair, deceptive or abusive even when fair lending laws do not apply to the conduct. For example, not allowing African-American consumers to open deposit accounts or subjecting African-American consumers to different requirements to open deposit accounts, may be an unfair practice even in those instances when ECOA does not apply to this type of transaction.” This brings us to a new awareness level of UDAAP.

When Compliance or Legal has been involved in the development or revision of a product or service, UDAAP and risks have been examined from many perspectives. Traditionally ECOA and Reg B were included in a mindset when a loan was mentioned — Who does it appeal to? Where will it be offered? How will it be advertised? — and the focus was on marital status, race, gender, gender identification and similar topics. Those demographics were considered for loans while deposit products and services would have considered different demographics, potential deposit product appeal based on income, balances on deposit, services required to support the deposit relationship, etc. Now the latter requires the same mindset, or perspective if you will, as the loan discussions.

When reviewing loan products, the bank has demographic information for its lending area and on its home mortgages. The bank can easily review HMDA and other data points to determine if there are any disparities in where applications are coming from, for homes in certain areas, from applicants based on gender, race, marital status and other key categories. This is not as easy when the bank wants to know if there are any discriminatory concerns on auto loans, unsecured loans or other products which exclude the gathering of any demographics.

If the bank wants to generate a fair lending or fair banking analysis it will have to use a proxy for that information that it does not specifically have. This is not a new technique, but it may be one the bank wants to employ against various loan and deposit products as well as complaints. Here is an excerpt from a 2013 CFPB blog post on the topic.

Let’s say a responsible auto lender wanted to make sure that their female customers are not paying more for a loan than similarly situated men. Before analyzing the pricing patterns, the lender needs to calculate the likelihood that a borrower is male or female. Without actually recording the gender of each borrower, to substitute, or “proxy,” for gender, responsible lenders often rely on a first name database from the Social Security Administration. The public database contains counts of individuals by gender and birth year for first names occurring at least five times for a particular gender in a birth year. Using statistics, they can determine a probability that a particular applicant is male or female based on the distribution of the population across gender categories for the applicant’s first name. [https://www.consumerfinance.gov/about-us/blog/preventing-illegal-discrimination-in-auto-lending/]

The above cites a first name database that should be available at minimal or no cost. There may well be others or established programs available complete with databases for various checks and verifications. The CFPB published a 37-page booklet in 2014, “Using publicly available information to proxy for unidentified race and ethnicity – A methodology and assessment” [https://files.consumerfinance.gov/f/201409_cfpb_report_proxy-methodology.pdf] which may also help control costs while accomplishing a large project.

The CFPB has used this methodology many times in the past on the files it has from banks and consumers. If the bank can extract certain field from its CIF files, once that process is established many different products and services could be analyzed. Having multiple uses for the one-time costs of establishing the program can prove beneficial. The results of this analysis may prove useful for fair lending, fair banking and have a positive impact on the Community Reinvestment Act file and exams as well. The methodology should be well documented and proven for accuracy.

Naturally if there are shortcomings the bank would need a strategy to correct them. Any corrective actions would be based on the specific product or service and the results of the bank’s analysis. This could be any solution from adjusting marketing media, to community outreach, to a branch or mobile branch serving an under-banked area. Similar to some fair lending strategies, the bank may also consider using bank counsel to facilitate some of this analysis for confidentiality and discovery reasons. That is obviously at the bank’s discretion. It may also be something to only explore at this point and to commit to as fair banking issues develop and mature within regulatory agencies and the industry. It should be worth exploring at this point to know what the time and cost requirements would be, and how it might integrate with future expansion and strategic plans of the bank.

Your bank may not have the CFPB examining it. But as a lead agency, and with other agency’s following it, this is something all banks should prepare for. The CFPB manual has redefined “unfair acts or practices” and this is the mindset banks should begin adopting across the board.

Borrowing from UDAAP, one element of an unfair act or practice is whether a consumer is “reasonably able to avoid the injury. “ As noted above, this includes examples that the “consumer cannot reasonably avoid discrimination” and “typically cannot avoid the harms of discrimination.” Expect that as the CFPB expands its scope of exams that it will find and address cases of “unfairness” when it feels a consumer was harmed, or could be harmed by such a practice, product or service. Think outside the loan box. Examiners have new marching orders, and your bank should also, to ensure that:

The bank has a process to prevent discrimination in relation to all aspects of consumer products or services it offers. Evaluate all policies, procedures and processes for discrimination prior to implementation or making changes and continue monitoring for discrimination after implementation.

The bank’s compliance management program includes an established process for periodic analysis and monitoring of all decision-making processes used in connection with consumer products or services and a process to take corrective action to address any potential UDAAP concerns including discrimination.

The bank has established policies and procedures to review, test, and monitor any decision-making processes used for potential UDAAP concerns, including discrimination.

The bank has established policies and procedures to mitigate potential UDAAP concerns, including discrimination.

The bank’s policies, procedures and practices do not target or exclude consumers from products and services, or offer different terms and conditions, in any discriminatory way.

The bank has appropriate training for customer service personnel to prevent all forms of illegal discrimination.

Banks should be proactive in internal audits and test, as examiners will, to:

Evaluate any product targeted to particular demographics to ensure the marketing, disclosures, and other materials are designed for the target market and will be understood by that market. Appropriateness of the product or service to a consumer is a key.

Ensure there is equal treatment among qualified consumers as to terms and conditions of products and services offered without bias based on demographics.

Avoid offering or provide more products or services to one customer demographic as compared to another.

Customer service representatives should treat all customers the same meaning they provide the same level of assistance and service to all. In the past, paired testing used for loan discrimination cases included criticisms when one applicant was offered beverages while another was not.

Review all targeted advertising for potential discrimination.

Determine whether the bank uses any decision-making processes to determine eligibility, underwriting, pricing, servicing or collection actions which could result in illegal discrimination.

See whether the bank periodically evaluates for, and takes corrective actions to prevent, illegal discrimination.

March 2022 OBA Legal Briefs

The Beneficial Ownership Rule hasn’t gone away
UDA(A)P is becoming all the rage!

The Beneficial Ownership Rule hasn’t gone away

By John S. Burnett

The Corporate Transparency Act of 2021 (CTA) was enacted by Congress on January 1, 2021, as Title XIV of the William M. Thornberry National Defense Authorization Act for 2021, Public Law 116-283. It added a new section 31 U.S.C. 5336 to the Bank Secrecy Act.

The CTA requires that most private domestic U.S. entities formed on or after January 1, 2021, must self-report to FinCEN certain basic information about themselves, their beneficial owners and those individuals authorized to act on their behalf. The stated purpose of the CTA is to “discourage the use of shell corporations as a tool to disguise and move illicit funds” as part of the broader federal attempts to prevent and combat money laundering, tax fraud and terrorist financing.

The CTA requires FinCEN to promulgate regulations implementing the Act. No entity reporting to FinCEN can start until the final implementing regulations are issued and effective, and the structure for that reporting (presumably an online portal and a huge database) is completed.

What’s been completed so far?

FinCEN has begun the process of promulgating the regulations. In fact, FinCEN appears to be moving on the CTA requirements fairly quickly.

On April 1, 2021, FinCEN issued an Advance Notice of Proposed Rulemaking— a form of “heads up” that it was working on the rules and an invitation for stakeholders to offer suggestions and comments on the process.

On December 8, 2021, FinCEN published its proposed rules in the Federal Register [86 FR 69920], with a comment period ending February 7, 2022. There were 250 public comments submitted through Regulations.gov. We don’t know how many comments were sent directly to FinCEN itself.

As of this writing (early March 2022) no final regulation has been issued.

The CTA and financial institutions

Financial institutions have been required since May 11, 2018, to comply with 31 CFR 1010.230 (Beneficial ownership requirements for legal entity customers). The CTA has not changed that fact, and the regulations are still in effect.

It is true that the CTA was enacted with the intent to shift some of the burdens of gathering beneficial ownership information away from financial institutions and make it a government responsibility. It is also true that at some future time — FinCEN has unofficially suggested it will be a year or more after implementation of its final CTA beneficial ownership regulations — there will be a change for financial institutions, which will probably begin verifying entity ownership information against the CTA database, rather than gathering certifications of ownership information repeatedly during the existence of entity customer relationships.

To get to that time, FinCEN will first need to set up a secure and confidential portal through which financial institutions can make those verifications. How that will be done, or what information they will be required to verify, and what will happen if they are not able to successfully verify the information, has yet to be determined.

And yet, we have heard that bank examiners have identified financial institutions that totally misinterpreted — was this wishful thinking? — what FinCEN has so far done as a license to discontinue obtaining beneficial ownership certifications and stopped obtaining them around the time FinCEN announced the December 2021 proposed rule. If it is true that examiners have found financial institutions that made such an error, I can only imagine the sinking feeling the management, BSA officer or compliance officer at those institutions must have had when confronted with their error.

What to do about it

I sincerely hope your institution was not one of those making that mistake. But if it is, it is fortunate that only about three months have passed since the FinCEN proposed rule was published (in December 2021). If that’s when your institution stopped complying with § 1010.230, you can limit the damage by doing a look-back to identify each of the occasions on which you should have obtained beneficial ownership certification (or certification that information you were provided earlier was still correct) and start communicating with the entity customers involved to get those missing certifications.

If, instead, your institution made the wrong decision back in April 2021 when the advance notice of proposed rulemaking was published, you have a bit more digging to do — almost a year’s worth of account openings, renewals, etc.

Don’t assume that, once FinCEN finally eliminates § 1010.230 (remember there will be a different rule replacing it that you will have to follow), it will not matter that your institution jumped too soon to stop complying with § 1010.230. It will matter, so don’t postpone your remedial action to collect those missing certifications.

UDA(A)P is becoming all the rage!

By Andy Zavoina

I was recently reviewing enforcement actions published over approximately the last 18 months and saw what I believe is a trend not too many bankers are talking about. As an example, on a mortgage servicing topic the Consumer Finance Protection Bureau (CFPB) used the phrase, “…identified various Regulation Z and Regulation X violations, as well as unfair and deceptive acts or practices.” As past due fees were charged it was noted, “Examiners found that mortgage servicers engaged in unfair acts or practices…” and “Examiners found that lenders engaged in unfair acts or practices when they debited or attempted one or more additional, identical, unauthorized debits from consumers’ bank accounts after consumers called to authorize a loan payment by debit card and lenders’ systems erroneously indicated the transactions did not process.” In this article we will examine in more detail some of these violations that were made public. Like an iceberg, we know there is much more to it that we can not see, and we are not certain how much is there. But we do know we don’t want to run into it ourselves.

First, let’s cover some of the rules involving Unfair, Deceptive, or Abusive Acts or Practices so we can understand how broadly they can be applied in different scenarios.

UDAAP penalties can go up to $5,000 per day and if they are deemed “reckless” violations they could be $25,000 per day. Yes, it gets worse. Knowingly violating UDAAP can run a penalty of $1 million a day. Do we expect to see these maximum penalties? That would be a “no.” But the penalties can be severe. Consider that there are civil money penalties for the violations, and we have seen these go back for years and years.

Say a bank creates an add-on product to a deposit account. This product requires the customer to enroll with the bank and provide some affirmation such as that they are in good health, and they need to sign and return this form. But they fail to do this for one reason or another. The bank was diligent however, in charging the customer each month for a service that was never provided and technically could not be. That is a UDAAP violation. It may violate another law or regulation as well, and that law or regulation may also be referenced, but UDAAP has big teeth as we already mentioned the fines available. Because there seems to be no statute of limitations, UDAAP penalties at only hundreds of dollars a month add up quickly when a problem goes back 5 or 10 years.

“Seems outlandish, never going to happen,” you might say. Consider the penalty assessed against First Tennessee Bank by the Office of the Comptroller of the Currency (OCC). The bank sold an add-on product which required two things from the customer. They needed to enroll, and they needed to provide personal verification information. With this service, they would have credit monitoring services. Customers who failed to provide the verification information for whatever reason were charged a monthly fee for a service that was not performed for them. This penalty was in 2016, and the product was launched in 2000. The bank needed to look at 16 years of records. The bank paid a $1 million civil money penalty.

But UDAAP does not stop there. The CFPB can require that agreements be amended or terminated, that customers are refunded for charges that were improper, that restitution be ordered so that the bank understands the severity of the penalty, that profits from the act in question are surrendered and that the government be repaid for the time and effort put into the case. This is all on top of the work spent trying to review 16 years of files and responding to every customer and former customer who claims to have had that product and wants a refund.

There are some basic things that are considered a UDAP issue (one “A,” which omits “Abusive” which was added by the Dodd-Frank Act and is an addition the CFPB enforces) while prudential regulators still look at the Federal Trade Commission Act Section 5 rules for Unfair or Deceptive Acts or Practices. Some basic issues blatantly considered UDAP include prohibited provisions in agreements:

a confession-of-judgment;
a waiver of exemption in which the consumer relinquishes rights protecting their home and other necessities from seizure to satisfy a judgment,
a n assignment of wages; and
the taking of household goods as loan collateral.

Also prohibited is the pyramiding of late fees. If you are not familiar with that concept, assume a borrower is late on a loan payment. They send the exact payment, and the bank applies it by first taking the late fee owed, then interest due and the remainder to principal. But the principal payment is short because of the late fee, so another late fee is accrued. And when the exact scheduled payment is made on time the following month, another late fee is paid and so on. That is pyramiding. I’m sure it doesn’t happen in your bank because automated routines control how payments are applied and interest and principal are always collected first, then fees.

But consider a case discussed more below where the borrower rounded up their payment. The extra principal was simply deposited to escrow. That is an improper application and has a similar impact as late fee pyramiding. The bank has certain remedies it can follow and compliance and/or audit needs to ensure the proper actions are taken.

Lastly, UDAP addresses the Holder in Due Course rule which involves the buying and selling of credit contracts and specifically also prohibits a bank from misrepresenting a co-signer’s liability and requires the bank to give a co-signer, prior to becoming obligated in a consumer credit transaction, a disclosure notice which explains the nature of the co-signer’s obligations and liabilities under the contract.

As already noted, it was the Dodd-Frank Act which empowered the CFPB to prevent unfair, deceptive, or abusive acts or practices. The other agencies enforce the FTC Act, Section 5. Rest assured for all intents and purposes they are similar as it pertains to the ability to right a perceived wrong.

The CFPB has definitions bankers must be familiar with to navigate compliance with UDAP and UDAAP. These are definitions that must be applied broadly when the bank is designing a new product, service, or policy.

Unfair: a practice that is “unfair” is one that:

a) Causes or is likely to cause substantial injury to consumers;

(Substantial injury usually involves monetary harm. Monetary harm includes, for example, costs or fees paid by consumers as a result of an unfair practice. An act or practice that causes a small amount of harm to a large number of people may be deemed to cause substantial injury.

Actual injury is not required in every case. A significant risk of concrete harm is also sufficient. However, trivial or merely speculative harms are typically insufficient for a finding of substantial injury. Emotional impact and other more subjective types of harm also will not ordinarily amount to substantial injury. Nevertheless, in certain circumstances, such as unreasonable debt collection harassment, emotional impacts may amount to or contribute to substantial injury.)

b) The injury is not reasonably avoidable by consumers;

An act or practice is not considered unfair if consumers may reasonably avoid injury. Consumers cannot reasonably avoid injury if the act or practice interferes with their ability to effectively make decisions or to take action to avoid injury. Normally the marketplace is self-correcting; it is governed by consumer choice and the ability of individual consumers to make their own private decisions without regulatory intervention. If material information about a product, such as pricing, is modified after, or withheld until after, the consumer has committed to purchasing the product, however, the consumer cannot reasonably avoid the injury. Moreover, consumers cannot avoid injury if they are coerced into purchasing unwanted products or services or if a transaction occurs without their knowledge or consent.

A key question is not whether a consumer could have made a better choice. Rather, the question is whether an act or practice hinders a consumer’s decision-making. For example, not having access to important information could prevent consumers from comparing available alternatives, choosing those that are most desirable to them, and avoiding those that are inadequate or unsatisfactory. In addition, if almost all market participants engage in a practice, a consumer’s incentive to search elsewhere for better terms is reduced, and the practice may not be reasonably avoidable.

The actions that a consumer is expected to take to avoid injury must be reasonable. While a consumer might avoid harm by hiring independent experts to test products in advance or by bringing legal claims for damages in every case of harm, these actions generally would be too expensive to be practical for individual consumers and, therefore, are not reasonable.

and,

c) The injury is not outweighed by countervailing benefits to consumers or to competition.

To be unfair, the act or practice must be injurious in its net effects — that is, the injury must not be outweighed by any offsetting consumer or competitive benefits that also are produced by the act or practice. Offsetting consumer or competitive benefits of an act or practice may include lower prices to the consumer or a wider availability of products and services resulting from competition.

Costs that would be incurred for measures to prevent the injury also are taken into account in determining whether an act or practice is unfair. These costs may include the costs to the institution in taking preventive measures and the costs to society as a whole of any increased burden and similar matters.

In determining whether an act or practice is unfair, the CFPB may consider established public policies as evidence to be considered with all other evidence. Such public policy considerations may not serve as a primary basis for such determination.

UDAP’s unfairness prong applies not only to overt acts and practices, but also to those that unreasonably impair a consumer’s ability to make an informed decision, such as withholding material information until after a consumer has purchased a product. But a bevy of UDAP case law creates nuances. For instance, “substantial injury” can be monetary or reputation harm, but there must be a significant risk of concrete harm rather than a speculation that harm might occur. An act is not considered unfair if its benefits outweigh any injuries caused. Some examples of benefits include lower prices or the availability of products and services to a wider range of consumers.

A representation, omission, act or practice is deceptive when—

The representation, omission, act, or practice misleads or is likely to mislead the consumer;
The consumer’s interpretation of the representation, omission, act, or practice is reasonable under the circumstances; and
The misleading representation, omission, act, or practice is material. This applies when it misleads or is likely to mislead the consumer.

Written disclosures may be insufficient to correct a misleading statement or representation, particularly where the consumer is directed away from qualifying limitations in the text or is counseled that reading the disclosures is unnecessary. Likewise, oral or fine print disclosures or contract disclosures may be insufficient to cure a misleading headline or a prominent written representation. Similarly, a deceptive act or practice may not be cured by subsequent truthful disclosures.

Acts or practices that may be deceptive include making misleading cost or price claims; offering to provide a product or service that is not in fact available; using bait-and-switch techniques; omitting material limitations or conditions from an offer; or failing to provide the promised services.

The FTC’s “four Ps” test can assist in the evaluation of whether a representation, omission, act, or practice is likely to mislead:

Is the statement prominent enough for the consumer to notice?
Is the information presented in an easy-to-understand format that does not contradict other information in the package and at a time when the consumer’s attention is not distracted elsewhere?
Is the placement of the information in a location where consumers can be expected to look or hear?
Finally, is the information in close proximity to the claim it qualifies?

A representation may be deceptive if the majority of consumers in the target class do not share the consumer’s interpretation, so long as a significant minority of such consumers is misled.

Exaggerated claims or “puffery” are not deceptive if a reasonable consumer would not take the claims seriously.

A representation, omission, act, or practice is material if it is likely to affect a consumer’s choice of, or conduct regarding, the product or service. Information that is important to consumers is material.

Certain categories of information are presumed to be material such as costs, benefits, or restrictions on the use or availability.

Express claims made with respect to a financial product or service are presumed material. Implied claims are presumed to be material when evidence shows that the institution intended to make the claim (even though intent to deceive is not necessary for deception to exist).

Claims made with knowledge that they are false are presumed to be material. Omissions will be presumed to be material when the financial institution knew or should have known that the consumer needed the omitted information to evaluate the product or service.

If a representation or claim is not presumed to be material, it still would be considered material if there is evidence that it is likely to be considered important by consumers.

The Dodd-Frank Act makes it unlawful for any covered person or service provider to engage in an “abusive act or practice.” This is an act or practice which—

materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service; or
takes unreasonable advantage of—

a) a lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service;

b) the inability of the consumer to protect the interests of the consumer in selecting or using a consumer financial product or service; or

c) the reasonable reliance by the consumer on a covered person to act in the interests of the consumer.

Combined, this definition of “abusive” indicates terms, disclosures and advertisements for products need to be clear and easily understood without reliance on micro-font footnotes or other disclosures that may be “legalese” or have “hidden” terms. It also tells us that the more complex a product or service is, the more it may need to be explained and this will also depend on the market it is provided for. Lastly it says the bank has to act in the best interest of the consumer. It will not be enough to say, “we made the full disclosure, so we are covered for liability.”

Consumer complaints play a key role in the detection of unfair, deceptive, or abusive practices. As a general matter, consumer complaints can indicate weaknesses in elements of the institution’s compliance management system, such as training, internal controls, or monitoring. Complaints against subsidiaries, affiliates and third parties which pertain to your institution and its products and services are included in this analysis. While the absence of complaints does not ensure that unfair, deceptive, or abusive practices are not occurring, complaints may be one indication.

Now let’s examine some recent penalties and while I will use one specific example, as you read this and contemplate the issues, think broadly. As an example, this first penalty involves a credit card product. Do not discount it because it is a credit card, and your bank may not offer them but pay attention to it because it is about the advertising of the product, the training of staff, and the failure to deliver what was advertised.

The advertisement was targeted to sell new credit card accounts. Both existing customers and new ones were the target market. The intent was to have them qualify for the new card and then to meet prescribed spending requirements to qualify for a bonus. The plain terms on the face of the advertisement stated what was required as to the spending threshold. The bonus was central to the advertisement. Remembering the criteria for UDAAP compliance, in this case a consumer could reasonably conclude that if they qualified for the new card and met the spending limit, they would receive the bonus.

The issuers of the product failed to state that the bonus would be offered only to consumers who applied online. This made the advertisements misleading as they were incomplete. Staff were not correctly trained on how to program these accounts, which further lead to bonuses not being paid. And because not all consumers would qualify for the bonus because of how they applied, the ads were deceptive. This is like many of the UDAAP enforcement actions taken on add-on products. That is poor marketing, poor training and charging fees without ensuring that all the qualifications were disclosed, programmed, and understood by both staff and the consumer.

A second case examines debt collection and the Fair Debt Collections Practices Act (FDCPA). Do not skip this section because you do not believe that the FDCPA does not apply to your bank because you collect your own debts. I believe the CFPB could connect the FDCPA to UDAAP dots in this manner. The FDCPA states in many places that certain acts or practices can be unfair or deceptive. As an unfair or deceptive act, UDAAP can then apply and using this proxy, UDAAP is violated while collection one’s own debt because of how it was done. I have not yet seen this in practice, but is it worth testing the action? I would not.

The FDCPA prohibits the use of any false representation or deceptive means to collect or attempt to collect any debt. What examiners found was debt collectors proposing an alternate payment plan with past due borrowers. It was noted the new payment plan, when repaid, would improve the borrower’s credit because they paid the revised plan and extinguished the debt. That has to be better and lead to an improved credit rating, right? But there are many factors affecting creditworthiness and a person’s credit score, including repayment of the debt. Saying that paying just this loan would improve their credit score and lead to increased borrowing power could be misleading. Examiners found that the least sophisticated consumer could conclude from this discussion was that deleting derogatory information by paying this loan would result in improved creditworthiness, and this created the risk of a false representation and was a deceptive means to collect the debt. This is then defined as a UDAAP issue. You may not be subject to the FDCPA, but you are to UDAP and UDAAP.

Mortgage servicing is a hot issue as many borrowers are exiting pandemic protection forbearance plans on their home loans and may be ill equipped to resume payments. Mortgage servicing exams have identified various Reg Z and X violations, as well as UDAP problems. Remember UDAAP is brought up when a product or service: (1) causes or is likely to cause substantial injury; (2) the injury is not reasonably avoidable by consumers; and (3) the substantial injury is not outweighed by countervailing benefits to consumers or to competition.

Examiners found that mortgage servicers engaged in the following unfair acts or practices by:

charging delinquency-related fees to borrowers in CARES Act forbearance plans. (Refer to the Coronavirus Aid, Relief, and Economic Security Act, Section 4022(b)(3) prohibits a mortgage servicer from imposing fees, penalties, or interest beyond the amounts scheduled or calculated as if the borrower made all contractual payments on time and in full under the terms of the mortgage contract);
failing to stop electronic fund transfers after receiving notice that the consumer’s bank account was closed, and an NSF fee had been assessed; and
assessing fees for services that exceeded the actual cost of the services performed.

Read this and look for those UDAAP buzzwords. The CFPB report said that consumers experienced substantial injury in the form of illegal fees, which were considered significant because these are the consumers experiencing hardships from the pandemic. The mortgage servicers failed to refund some of the fees until almost a year after they were assessed. These consumers likely suffered further harm when because of these fees, they could not pay other expenses they had. The injury was to a large number of consumers. The consumers could not reasonably avoid the injury because they could not anticipate that the mortgage servicers would assess unlawful fees and they had no reasonable means to avoid the fees from being charged. Charging the illegal fees did not provide any countervailing benefit to consumers.

Expanding on the second bullet above, what examiners found were mortgage servicers that engaged in unfair acts or practices by failing to terminate preauthorized EFTs that the servicer should have realized were from closed or inactive accounts. Examiners found that servicers received notices of account closures but continued to initiate EFTs from the closed accounts each month until the consumer affirmatively canceled the preauthorized EFT. Borrowers experienced substantial injury because the mortgage servicers’ practices resulted in repeated NSF charges. Borrowers could not reasonably avoid the injury because they could not anticipate that the mortgage servicers would continue to attempt the EFTs, even where the EFT agreement disclosed that the EFTs would terminate when the “from” account was closed. The continued attempts to withdraw payment from closed accounts and fees associated with the subsequent NSF transactions did not provide any countervailing benefit to consumers.

Another issue examiners found was that mortgage servicers engaged in deceptive acts by incorrectly disclosing transaction and payment information in borrowers’ online mortgage loan accounts. They found violations of Reg X (RESPA) requirements to evaluate a borrower’s complete loss mitigation applications within 30 days of receipt. Reg Z requirements relating to overpayments to borrowers’ escrow accounts and Homeowners Protection Act (HPA) requirements to automatically terminate PMI as required were subtopics found with the online statement errors.

Still on the topic of mortgage servicing, some practices were deemed deceptive because inaccurate descriptions of payment and transaction information was provided in online mortgage statements. The inaccurate descriptions and information were likely to mislead borrowers because the information was false. It would be reasonable for borrowers to rely on their mortgage servicers to report accurate mortgage payments and account transaction histories wherever the information was offered. The inaccurate descriptions and information were material because they were likely to affect borrowers’ conduct regarding their mortgage payments.

February 2022 OBA Legal Briefs

Reg E FAQs – Part II

Reg E FAQs – Part II

By Andy Zavoina

Last month I introduced you to the updated Reg E FAQ Guidance issued by the Consumer Financial Protection Bureau (CFPB). The FAQ is a Compliance Aid as defined by the CFPB. It is not a new rule, but guidance on compliance with an existing rule. When a Compliance Aid such as an FAQ is issued, it can be periodically revised as is the case here. In this instance the existing rules are addressing Reg E concerns. Unlike the first iteration of Reg E FAQs issued in June 2021 this update addresses new concerns and not just what bankers were getting wrong. In this iteration, issued December 13, 2021, there are several issues addressed on Person-to-Person payments and specifically on liability. The interpretation is not favorable for banks.

The purpose of the Compliance Aid is not to write new rules, but to clarify how the CFPB interprets what is already in the laws, regulations and official interpretations without having to go through a rule writing process.

In January’s Reg E FAQ – Part I, we explained how the CFPB was going back to the bare definitions of what is an electronic fund transfer (EFT) and what is a financial institution. Briefly, EFTs are electronic transfers to or from a consumer’s account. Financial institutions include banks and can include P2P providers. And if a P2P provider does not hold the consumer’s account, issues its own access device such as the logon for an app, and has no agreement with a bank to do such transfers, under 1005.14 that vendor has Reg E liability and responsibility. Lastly, we ended last month’s Part 1 with the CFPB interpretation that if the bank and the P2P vendor have an ACH agreement to move funds and share another agreement such as each accepting the others debit cards, then the exception at 1005.14 placing error resolution liability on the P2P provider does not apply. The fact that each entity will accept the other’s debit cards satisfies the need for an “agreement.” We also noted the CFPB expressed this opinion to bankers at least nine months in advance of issuing the FAQ, so it was a somewhat accepted opinion within the CFPB.

Now, let’s continue a review of the third and fourth sections of the Reg E FAQs as updated in December 2021 and we will add a few compliance recommendations.

Error Resolution

In this section the CFPB restates much of what the regulation and prior iteration of the FAQ had with two of the questions shown as new.

1, What is an error for purposes of EFTA and Regulation E?

While shown as a new question, the information is not changed from the regulatory verbiage, but this is intended to be a foundational topic on which claims will build.

An error under EFTA and Regulation E includes any of the following:

An unauthorized EFT.
An incorrect EFT to or from the consumer’s account.
The omission from a periodic statement of an EFT to or from the consumer’s account that should have been included.
A computational or bookkeeping error made by the financial institution relating to an EFT.
The consumer’s receipt of an incorrect amount of money from an electronic terminal.
An EFT not identified in accordance with the requirements of 12 CFR 1005.9 or 1005.10(a).
A consumer’s request for any documentation required by 12 CFR 1005.9 or 1005.10(a) or for additional information or clarification concerning an EFT

(12 CFR 1005.11(a)(1)).

The term “error” does not include:

A routine inquiry about the consumer’s account balance;
A request for information for tax or other recordkeeping purposes; or
A request for duplicate copies of documentation.

(Comment 11(a)-6).

2. What are a financial institution’s error resolution obligations under Regulation E?

Again, this is not new information but is necessary to build on in the following FAQs.

In general, Regulation E requires that after a financial institution receives oral or written notice of an error from a consumer, the financial institution must do all of the following:

Promptly investigate the oral or written allegation of error.
Complete its investigation within the time limits specified in Regulation E.
Report the results of its investigation within three business days after completing its investigation.
Correct the error within one business day after determining that an error has occurred.

12 CFR 1005.11(c)(1).

The investigation must be reasonable, including a reasonable review of relevant information within the financial institution’s own records. 2019-BCFP-0001. The Bureau found that a financial institution did not conduct a reasonable investigation when it summarily denied error disputes if consumers had prior transactions with the same merchant, and the financial institution did not consider other relevant information such as the consumer’s assertion that the EFT was unauthorized or for an incorrect amount. 2019-BCFP-0001. If the error is an unauthorized EFT, certain consumer liability limits apply. 12 CFR 1005.6.

3. If private network rules provide less consumer protection than federal law, can a financial institution rely on private network rules?

The CFPB indicates this is not an update. It does reiterate what has been noted in practice for many years, that a consumer’s rights may not be adversely affected by an agreement.

Although private network rules and other agreements may provide additional consumer protections beyond Regulation E, less protective rules do not change a financial institution’s Regulation E obligations. [See 15 USC 1693l. For example, some network rules require consumers to provide notice of an error within 60 days of the date of the transaction, even though Regulation E, 12 CFR 1005.11(b)(1)(i), allows consumers to provide notice within 60 days after the institution sends the periodic statement showing the unauthorized transaction. Other network rules allow a financial institution to require a consumer to contact the merchant before initiating an error investigation, even though 1005.11(b)(1) triggers error investigation obligations upon notice from the consumer. The Bureau discussed instances where examiners found financial institutions had violated the 60-day notice requirement in the Summer 2020 edition of Supervisory Highlights.

4. Can a financial institution require a consumer to file a police report or other documentation as a condition of initiating an error resolution investigation?

This is not updated from June 2021 but is reposted here so as to be a complete reference to the reader.

No. A financial institution must begin its investigation promptly upon receipt of an oral or written notice of error and may not delay initiating or completing an investigation pending receipt of information from the consumer. See Comments 11(b)(1)-2 and 11(c)-2. In the past, Bureau examiners found that one or more financial institutions failed to initiate and complete reasonable error resolution investigations pending the receipt of additional information required by the institution. These examples can be found in the Bureau’s Summer 2020 edition of Supervisory Highlights and Fall 2014 edition of Supervisory Highlights. The Bureau cited similar violations in 2019-BCFP-0001.

Error Resolution: Unauthorized EFTs

With EFT errors defined and some basic responsibilities set, the FAQ looks deeper at unauthorized transfers and provides guidance banks will need to evaluate their practices and procedures.

1. What is an unauthorized EFT?

While the CFPB’s answer has a December date as a new addition, it is regulatory verbiage that has not changed, so accept it as a reminder of the rules as it helps express the duties and liabilities of the bank.

An unauthorized EFT is an EFT from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit. 12 CFR 1005.2(m). Unauthorized EFTs include transfers initiated by a person who obtained a consumer’s access device through fraud or robbery and consumer transfers at an ATM that were induced by force. Comments 2(m)-3 and 4.

The term unauthorized EFT does not include an EFT initiated through any of the following means:

(1) By a person who was furnished the access device to the consumer’s account by the consumer, unless the consumer has notified the financial institution that transfers by that person are no longer authorized. 12 CFR 1005.2(m)(1). This exclusion does not apply to transfers initiated by a person who obtained a consumer’s access device through fraud or robbery. Comment 2(m)-3.

(2) With fraudulent intent by the consumer or any person acting in concert with the consumer. 12 CFR 1005.2(m)(2); or

(3) By the financial institution or its employee, 12 CFR 1005.2(m)(3).

This FAQ is important and often misunderstood by claims investigators. It is important to understand that a consumer loaning their debit card to someone does not provide evergreen authorization for use until the consumer reports to the bank that the person is no longer authorized to use the card. Essentially that person given the card is authorized until the consumer customer retrieves the card or notifies the bank. Once the customer re-secures the card the authorization has ended. If that authorized user remembers the PIN and steals the card, that’s fraud or robbery and not authorized use. If a bank has a problem with these types of losses remind the users of security precautions, the ability to get a new card or change the PIN, and the possibility that the bank will rescind the card and not re-issue it if the bank chooses. There is no legal right to have a debit card. That is a feature of having a deposit account at your bank. Many bankers have also not read the back of the debit cards they issue. All I have looked at specifically states the card is the property of the bank. That provides the bank with the option to rescind that card and make it non-usable.

2. If a transfer meets the Regulation E definition of unauthorized EFT, how does a financial institution determine the consumer’s liability, if any?

Not an updated response from the first FAQ – but in short if the claim is valid, § 1005.6 is used to determine liability based on when the transfers happened, if an accepted access device was used, and when the bank was notified. The response is as follows:

“If a consumer has provided timely notice of an error under 12 CFR 1005.11(b)(1) and the financial institution determines that the error was an unauthorized EFT, the liability protections in Regulation E section 1005.6 would apply. Depending on the circumstances regarding the unauthorized EFT and the timing of the reporting, a consumer may or may not have some liability for the unauthorized EFT. See 12 CFR 1005.6(b).”

The three basic tiers of liability are up to $50 for a timely notice of the claim within 2 business days of the consumer learning of the loss or theft [of an access device], up to $500 if the notice is beyond 2 business days and potentially unlimited for those transfers occurring after 60 days after the first statement was sent to the consumer reflecting an unauthorized transfer.

3. Is an EFT from a consumer’s account initiated by a fraudster through a non-bank P2P payment provider considered an unauthorized EFT?

Shown as a new question and using P2P as an example, the CFPB states, “Yes. Because the EFT was initiated by a person other than the consumer without actual authority to initiate the transfer – i.e., the fraudster – and the consumer received no benefit from the transfer, the EFT is an unauthorized EFT. 12 CFR 1005.2(m). This is true even if the consumer does not have a relationship with, or does not recognize, the non-bank P2P payment provider.”

Succinctly, in this case it is a basic theft because the consumer did not do, authorize, or benefit from the transaction. Whether the customer had a relationship already with the P2P provider is immaterial.

4. Does an EFT initiated by a fraudster using stolen credentials meet the Regulation E definition of an unauthorized EFT?

The response is still a basic example of a theft but specifically uses stolen credentials to execute the transfer.

“Yes. As discussed in Electronic Fund Transfers Error Resolution: Unauthorized EFT Question 1, Regulation E defines an unauthorized EFT as a transfer from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit. 12 CFR 1005.2(m). When a consumer’s account access information is obtained from a third party through fraudulent means such as computer hacking, and a hacker uses that information to make an EFT from the consumer’s account, the transfer is an unauthorized EFT under Regulation E.

For example, the Bureau is aware of the following situations involving unauthorized EFTs:

A consumer shares their account access information in order to enter into a transaction with a third party, such as a merchant, lender, or employer offering direct deposit, and a fraudster obtains the consumer’s account access information by hacking into the computer system of the third party. The fraudster then uses a bank-provided P2P payment application to initiate a credit push payment out of the consumer’s deposit account.
A consumer shares their debit card information with a P2P payment provider in order to use a mobile wallet. A fraudster then hacks into the consumer’s phone and uses the mobile wallet to initiate a debit card transfer out of the consumer’s deposit or prepaid account.
A thief steals a consumer’s physical wallet and initiates a payment using the consumer’s stolen debit card.

See Electronic Fund Transfers Error Resolution: Unauthorized EFTs Question 5 for more examples of unauthorized EFTs.

All of the financial institutions in these examples, including any non-bank P2P payment provider or deposit account holding financial institution, must comply with the error resolution requirements discussed in Electronic Fund Transfers Error Resolution Question 2, as well as the liability protections for unauthorized transfers in 12 CFR 1005.6.

5. A third party fraudulently induces a consumer into sharing account access information that is used to initiate an EFT from the consumer’s account. Does the transfer meet Regulation E’s definition of an unauthorized EFT?

A key to this June 2021 question is that the consumer was duped into providing account access information and the while the consumer did provide it, it was not with the intent of creating a transfer. That was done fraudulently, and Reg E is a consumer protection regulation. The CFPB provided the following guidance:

“Yes. As discussed in Electronic Fund Transfers Error Resolution: Unauthorized Fund Transfers Question 1, Regulation E defines an unauthorized EFT as an EFT from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit. 12 CFR 1005.2(m). Comment 1005.2(m)-3 explains further that an unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery. Similarly, when a consumer is fraudulently induced into sharing account access information with a third party, and a third party uses that information to make an EFT from the consumer’s account, the transfer is an unauthorized EFT under Regulation E.

For example, the Bureau is aware of the following situations where a third party has fraudulently obtained a consumer’s account access information, and thus, are considered unauthorized EFTs under Regulation E: (1) a third-party calling the consumer and pretending to be a representative from the consumer’s financial institution and then tricking the consumer into providing their account login information, texted account confirmation code, debit card number, or other information that could be used to initiate an EFT out of the consumer’s account, and (2) a third party using phishing or other methods to gain access to a consumer’s computer and observe the consumer entering account login information. EFTs stemming from these situations meet the Regulation E definition of unauthorized EFTs.”

6. If a third-party fraudulently induces a consumer to share account access information, are subsequent transfers initiated with the fraudulently obtained account information excluded from Regulation E’s definition of unauthorized electronic fund transfer because they are initiated “[b]y a person who was furnished the access device to the consumer’s account by the consumer”?

As in the example above, the subsequent transfers were not the intent of the consumer. Even if the consumer authorized one transfer, the intent was for that one transfer, not any additional. Perhaps more to the exact question, any and all transfers that use fraudulently obtained access can be part of a valid EFT claim because there was no intent for the transfers and the consumer received no benefit. So, the CFPB states, “No. A consumer who is fraudulently induced into providing account information has not furnished an access device under Regulation E. As explained above in Electronic Fund Transfers Error Resolution: Unauthorized EFTs 3, 4, and 5, EFTs initiated using account access information obtained through fraud or robbery fall within the Regulation E definition of unauthorized EFT. See Comment 1005.2(m)-3.”

7. Can a financial institution consider a consumer’s negligence when determining liability for unauthorized EFTs under Regulation E?

The regulation has never allowed a consumer’s negligence to be used in denying a claim of unauthorized use. The Reg commentary even uses the example of a consumer writing their PIN on the card. In that case the claim would still be valid because there was no intended use allowed. Some vendors may offer enhanced liability protections such as zero liability and some of those enhancements may be reduced because of negligence. But the basic requirements of Reg E do not change, only the enhanced protections.

The June FAQ stands, “No. Regulation E sets forth the conditions in which consumers may be held liable for unauthorized transfers, and its commentary expressly says that negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible under Regulation E. 12 CFR 1005.6; Comment 6(b)-2. For example, consumer behavior that may constitute negligence under state law, such as situations where the consumer wrote the PIN on a debit card or on a piece of paper kept with the card, does not affect the consumer’s liability for unauthorized transfers under Regulation E. Comment 1005.6(b)-2.”

8. If a financial institution’s agreement with a consumer includes a provision that modifies or waives certain protections granted by Regulation E, such as waiving Regulation E liability protections if a consumer has shared account information with a third party, can the institution rely on its agreement when determining whether the EFT was unauthorized and whether related liability protections apply?

This restated response further illustrates that rights granted under Reg E may not be taken away. I will add that there are times a consumer will call and make a claim. Perhaps they are on vacation and a great distance away and when told the card will be canceled and reissued in a few days, they protest. They say they will accept the liability because they cannot be without their card while away. That is not an option. The consumer cannot accept that additional liability because to do so would amount to the bank taking away the consumer’s legal rights.

“No. EFTA includes an anti-waiver provision stating that “[n]o writing or other agreement between a consumer and any other person may contain any provision which constitutes a waiver of any right conferred or cause of action created by [EFTA].” 15 U.S.C. § 1693l. Although there may be circumstances where a consumer has provided actual authority to a third party under Regulation E according to 12 CFR 1005.2(m), an agreement cannot restrict a consumer’s rights beyond what is provided in the law, and any contract or agreement attempting to do so is a violation of EFTA.”

9. If a consumer provides notice to a financial institution about an unauthorized EFT, can the financial institution require that the consumer first contact the merchant about the potential unauthorized EFT before the financial institution initiates its error resolution investigation?

Remember that the consumer has basic requirements to file a claim with the bank, and the bank is required to determine if it was an unauthorized use and to investigate and determine liability. The only things the consumer is required to do is indicate who they are and why they believe their account had an unauthorized transfer. Nothing allows the bank to refuse a claim and impose additional requirements beyond what the EFTA has required.

The CFPB’s response: “No. A financial institution must begin its investigation promptly upon receipt of an oral or written notice of error and may not delay initiating or completing an investigation pending receipt of information from the consumer. See Comments 11(b)(1)-2 and 11(c)-2. For example, in 2019-BCFP-0001, the Bureau found that the practice of requiring a consumer to contact the merchant before initiating an error resolution investigation was a violation of Regulation E. Similarly, the Fall 2014 edition of Supervisory Highlights discussed instances where examiners found that one or more financial institutions had instructed consumers to contact the merchant instead of promptly initiating an error investigation.”

10. Do private network rules, such as provisions that a transfer is final and irrevocable, impact whether a P2P credit-push transfer meets the Regulation E definition of unauthorized EFT?

This is a new question and addresses specifically a P2P payment. Many P2P agreements indicate that when a transfer is sent and is based on, for example, a cell phone number, the transfer is completed and not reversible once it is accepted by the recipient. There is no process to reverse the transfer from the recipient. This question emphasizes that the bank’s consumer is protected regardless of any network rules. This is a question demonstrating additional liability on the bank. There is no process requiring the consumer to contact the cell number that received the funds and demand the return of those funds. The bank or P2P vendor may attempt this as a part of the investigation but likely there would be no response from the receiver of the funds, especially if the transfer was part of a fraud transaction.

“No. Although private network rules and other commercial agreements may provide for interbank finality and irrevocability, they do not reduce consumer protections against liability for unauthorized EFTs afforded by the Electronic Fund Transfer Act. See 15 USC 1693g(e). Moreover, no agreement between a consumer and any other person may waive any right provided by the EFTA. See 15 USC 1693l. Accordingly, any financial institution in this transaction must comply with the error resolution requirements discussed in Electronic Fund Transfers Error Resolution Question 2, as well as the liability protections for unauthorized transfers.”

11. A fraudster initiates an EFT through a non-bank P2P payment provider that the consumer does not have a relationship with from the consumer’s account with a depository institution. Is the depository institution considered a financial institution with full error resolution obligations under Regulation E?

This is another new and P2P specific question. If a fraudster sets up an account using someone else’s identity and account information, transfers can be valid claims.

The Bureau’s response:

“Yes. As discussed in Electronic Fund Transfers Coverage: Financial Institutions Question 1, the definition of financial institution includes a bank, savings association, credit union, or any other person that directly or indirectly holds an account belonging to a consumer, or that issues an access device and agrees with a consumer to provide EFT services. 12 CFR 1005.2(i). Here, the account-holding financial institution holds the consumer’s account, and is thus considered a financial institution under Regulation E. Any entity defined as a financial institution under Regulation E has error resolution obligations in the event that a consumer notifies the financial institution of an error, with limited exceptions. 12 CFR 1005.11. As discussed in Electronic Fund Transfers Error Resolution: Unauthorized Transfers Question 4, since the transaction is an unauthorized EFT, the depository institution must comply with any applicable liability protections for unauthorized transfers in 12 CFR 1005.6.”

Expectations:

Based on this interpretation in the FAQs regarding P2P transactions and liability, we can expect more examiner scrutiny on any claim pertaining to P2P losses by consumers. Prior to the FAQs many in the industry interpreted the needed “agreement” under 1005.14 to be a specific agreement defining the duties of the P2P vendor and the bank and this could have included liability. It may have also addressed daily transactions limits and many P2P vendors allow greater limits on transactions than banks do. Banks consciously keep daily limits low to protect the consumer’s balances and reduce losses. Exceptions are generally granted upon request and verification by the consumer. With the bank having to bear the burden of claims processing and payment liability the P2P vendor’s transaction limitations now control the amount of losses banks may have.

Under Reg E and the Electronic Fund Transfer Act (EFTA) consumers are granted certain rights. While the bank and a vendor may have separate agreements addressing some of these same rights – such as monetary liability for unauthorized transactions, the consumers rights always stand and may not be adversely limited by any of these agreements. You can always treat a consumer better, but never worse than the law or regulation provides.

In many cases, because of the CFPB’s interpretation pertaining to a broad definition of what an agreement with the bank is, banks will see an increase in liability for Reg E claims involving P2P transfers reported as unauthorized if the banks were pushing these claims to the P2P vendors in the past. If the P2P vendor allows a $1,200 daily limit and the bank has a $400 daily limit, two similar transfers will arrive at the bank in different ways. The P2P vendor will ACH the funds but a consumer would have directly been allowed say only $400 using their debit card. If the transfer is claimed as unauthorized, the bank now has a greater chance of losing $1,200 rather than $350. Remember the consumer typically has liability for the first $50 when an accepted access device is used. An ACH directly from the consumer’s account is not using an accepted access device between the consumer and the bank. It is easy to see how, in an example such as this, losses could grow over prior years.

Recommended Actions:

If the data is readily available, your bank may want to review EFT claims to determine, based on the new guidance, how many and what amount of EFT claims were P2P related in the past year or two and what new liability the bank may have. This may be a budgeting issue that needs to be addressed depending on the volumes you have seen. You must recognize if this will be a complication and how severe it may be.

Bank staff involved in any part of the claims process may require training to recognize P2P claims as valid EFT claims on which the bank is now deemed responsible. Where these may have been referred to the P2P vendor in the past, that may no longer be allowed.

Advise customers of ways to protect themselves – and the bank. Do not write PINs on debit cards. Secure their cell phones. Use multifactor authentication. Review balances and transactions regularly and even advertise services the bank has where it can advise a consumer of their balance and/or large transactions, etc.

When using P2P transfers, the consumer needs to absolutely verify the recipient that funds will be going to is the intended recipient. And watch out for fraudsters. If a consumer will buy hundreds or thousands of dollars in gift cards and send that information to a fraudster, they will certainly take the convenient track and P2P the funds to an unknown person.

For now, we have Reg E guidance that will, for many banks, increase Reg E liability for more valid claims than in the past. Bank management and the industry as a whole will need to determine if these are valid risks banks want to accept, or if the banks want to find other ways to reduce these claims without disadvantaging consumers and certainly without reducing any Reg E rights. Can ACH transfers require sone customer authentication or verification? Can a limit be placed on daily transfers or each transfer over a given amount?

Lastly, determine if this guidance will require any changes to bank policies and procedures and react appropriately.

Page 2 of 16«123 4 5 »10...Last »