Inside CFPB Semi-annual Report: Final Rules Expected

This week Bank Risk and Compliance Writer has been analyzing the CFPB’s Semi-annual Report, which was published on April 2. Monday’s post discussed the CFPB Acting Director’s call for remodeling the Bureau, including changes to how it is funded and to its level of independence. Tuesday’s post covered the CFPB’s plans for upcoming proposed rules, which leads us to today’s post: Final Rules Expected from the CFPB.

Upcoming Final Rules Per CFPB’s Semi-Annual Report

According to its report, there are three proposed rules that the CFPB anticipates finalizing in the near term.

  1. Proposed Rule to Amend the Gramm-Leach-Bliley Act (GLBA): This rule was originally proposed by the CFPB on July 1, 2016 to correspond to Congress’ amended changes to GLBA in connection with passage of Fixing America’s Surface Transportation Act (FAST Act) in December 2015. As proposed, it would mirror the FAST Act in exempting financial institutions meeting certain conditions from sending annual privacy notices to customers as per GLBA. Financial institutions “can use the annual notice exemption if it limits its sharing of customer information so that the customer does not have the right to opt out and has not changed its privacy notice from the one previously delivered to its customers.” When finalized, this should provide some compliance relief for institutions that meet the exempting criteria.
  2. Amendments Relating to Disclosure of Records and Information: Originally published in the Federal Register on August 24, 2016, this rule was proposed by the CFPB to revise its original 2011 rule protecting the confidentiality and disclosure of information. The CFPB’s stated purpose for the revision was “to clarify, correct, and amend certain provisions based on its experience over the last several years.” As proposed, the rule would revise and/or clarify these items: 1) rule’s definitions; 2) practices related to the Freedom of Information Act; 3) procedures for requests for information; 4) protection and disclosure of confidential information generated or received by the CFPB in its work; and 5) the Chief Privacy Officer’s authority.
  3. Amendment to the Federal Mortgage Disclosure Requirements under TILA (Reg Z): The CFPB published this proposed amending rule on August 11, 2017. According to the proposal’s summary, this rule relates “to when a creditor may compare charges paid by or imposed on a consumer to amounts disclosed on a Closing Disclosure, instead of a Loan Estimate, to determine if an estimated closing cost was disclosed in good faith.” It goes on to indicate, “Specifically, the proposed amendments would permit creditors to do so regardless of when the Closing Disclosure is provided relative to consummation.” In its comment letter of October 10, 2017, the American Bankers Association expressed its general support of the amendment as relieving unintended consequences of the TILA-RESPA Rule. It also summarized its understanding of the amendment for further clarification.

Tomorrow, in the final post of this series, look for an analysis of recent CFPB enforcement actions outlined in the Semi-annual Report.


One Month to Legal Entity Customer Due Diligence Requirements Taking Effect

Bank Risk and Compliance Writer is taking a brief break today from its series on the CFPB’s Semi-annual Report to remind banks that there is one month remaining before FinCEN’s Customer Due Diligence Requirements for Financial Institutions takes effect.

On May 11, 2018, financial institutions will be required to complete customer due diligence tasks on any legal entity customer opening a new account. This includes identifying and verifying the identity of any person or entity with 25 percent ownership (ownership prong of the rule), as well as one person in a significant role, such as CEO or CFO (control prong of the rule).

To help financial institutions understand the rule, FinCEN originally published a CDD Frequently Asked Questions (FAQ) bulletin in July 2016 that covered 26 questions. With the deadline looming, FinCEN added a second CDD FAQ last week, this time covering 37 questions.

A Quick Glimpse at Latest FAQ’s First 10 Questions

Here is a quick recap of the topics covered in the first 10 questions in FinCEN’s most recent FAQ, along with a summary of some of its answers:

  1. Beneficial Ownership Threshold: FinCEN indicates that financial institutions may use a lower ownership threshold than the rule’s stated 25 percent if they deem that appropriate for their risk profiles. In other words, institutions can choose to be more stringent than the rule.
  2. Beneficial Ownership and other AML requirements
  3. Complex Ownership Structures: According to the FAQ, “Covered financial institutions must obtain from their legal entity customers the identifications of individuals who satisfy the definition, either directly or indirectly through multiple corporate structures.” FinCEN provides a written and graphic example of this that is helpful for explaining the rule to employees who will be responsible for this task.
  4. Methods for Identification and Verification: FinCEN notes that, “Covered financial institutions must verify the identity of each beneficial owner according to risk-based procedures that contain, at a minimum, the same elements financial institutions are required to use to verify the identification of individual customers under applicable customer identification program (CIP) requirements.”
  5. Beneficial Owner Address: Banks may gather either a residential or business address for beneficial owners.
  6. Legal Entity Representative
  7. Existing Customer as Beneficial Owner of New Legal Entity Customer Account: Per the rule, financial institutions must identify and verify the beneficial owners at the time the new account is opened. The FAQ provides some additional nuance to this requirement, stating that, “If the individual identified as the beneficial owner is an existing customer of the financial institution and is subject to the financial institution’s CIP, a financial institution may rely on its possession to fulfill the identification and verification requirements, provided the existing information is up-to-date, accurate, and the legal entity customer’s representative certifies or confirms (verbally or in writing) the accuracy of the pre-existing CIP information.”
  8. Use of Certification Form: FinCEN clarifies in the FAQ that banks are not required to use its Certification Form, which is available in a Word format and a fillable format. Banks that choose not to use FinCEN’s form should make sure their own form captures all the information FinCEN’s does.
  9. Multiple Sets of Beneficial Ownership Certification Documents
  10. Single Entity Customer Opening Multiple Accounts

As you prepare for next month’s implementation date, make sure to review FinCEN’s most recent FAQ and include it in your employee training on the rule.

Tomorrow, Bank Risk and Compliance Writer will return to discussing the CFPB’s Semi-annual Report, specifically the anticipated Final Rules expected from the Bureau in the near term.

Inside CFPB Semi-annual Report: Proposed Rules in the Pipeline

In dissecting the CFPB’s recently published Semi-annual Report, which included Acting Director Mick Mulvaney’s recommended changes for imposing “meaningful accountability” on the regulatory agency, one of the most critical pieces of information for bank risk and compliance management is the list of proposed and final rules the CFPB anticipates working on in the near term.

Upcoming Proposed Rules Per CFPB Semi-annual Report

The report highlighted four regulatory areas in which the CFPB plans to issue proposed rules:

  1. Payday, Vehicle Title, and Certain High-Cost Installment Loans Rule: This rule, also known as the Payday Lending Rule, was issued under former CFPB Director Richard Cordray on October 5, 2017 and published in the Federal Register on November 11, 2017. On the final rule’s effective date of January 16, 2018, the CFPB, under Acting Director Mulvaney, announced plans to begin the rulemaking process to reconsider the Payday Lending Final Rule. On March 27, Democratic Senators sent Mulvaney a letter opposing this action. The compliance date for most provisions in the Payday Lending Final Rule is August 19, 2019, giving covered financial institutions a reprieve from taking any further action to implement the rule until the CFPB specifies its exact plans for it.
  2. The Expedited Funds Availability Act (Reg CC): According to the Semi-annual Report, “The Bureau will work with the Board of Governors of the Federal Reserve System to issue jointly a rule that includes provisions within the Bureau’s authority.”
  3. Debt Collection: This issue has been on the CFPB’s radar for some time. The Bureau has conducted surveys and analyzed comments regarding the communication and disclosure practices of debt collectors. In its Spring 2017 Rulemaking Agenda, the CFPB noted plans to propose a debt collection rule in late 2017. While that did not happen prior to Cordray’s resignation, the Semi-annual Report makes clear that this issue remains a priority for the CFPB under Mulvaney, although how far any proposed rule will go remains uncertain.
  4. Home Mortgage Disclosure Act (Reg C): The HMDA Final Rule of October 2015 went into effect on January 1, 2018; however, on December 21, 2017, the CFPB announced plans to “open a rulemaking to reconsider various aspects of the 2015 HMDA rule.” The Semi-annual Report reiterates this intention, indicating that the institutional and transactional coverage tests, along with the rule’s discretionary data points, will be a part of this reconsideration process. While financial institutions likely welcome possible changes to the coverage tests, covered institutions have already invested heavily to enable themselves to gather the HMDA Final Rule’s new slate of data points, which makes the potential benefit of changes to this aspect of the rule unclear.

In the next post in this series, Inside CFPB’s Semi-annual Report, I’ll tackle the upcoming Final Rules indicated by the CFPB.

Inside CFPB’s Semi-Annual Report – Part 1

On April 2, 2018, Mick Mulvaney issued the Consumer Financial Protection Bureau’s (CFPB) Semi-annual Report, his first such report since being named the CFPB’s Acting Director by President Trump on November 24, 2017. The report covers the period of April 1, 2017 to September 30, 2017.

It begins with an unsurprising recommendation from Mulvaney to rein in the power of the CFPB, an agenda that has been evident since the start of his tenure as acting director, is in accordance with the Trump administration’s deregulation stance, and is in line with the philosophy of many majority members of Congress.

“As has been evident since the enactment of the Dodd-Frank Act, the Bureau is far too powerful, and with precious little oversight of its activities.”

Mick Mulvaney, Acting Director of the Consumer Financial Protection Bureau

In his message, Mulvaney also outlined his recommendation for recalibrating the CFPB:

  1. Fund the CFPB through Congressional appropriations – This is an idea that has been advocated by other critics of the Dodd-Frank Act. For comparison, some other federal financial regulators are not funded this way, including the Office of the Comptroller of the Currency (OCC), which is funded primarily by assessments on the institutions it supervises.
  2. Require legislative approval of CFPB major rules – Again, by comparison, the OCC does not require such approval. According to the OCC’s mission statement, it “has the power to,” among other things, “issue rules and regulations.”
  3. Ensure that the CFPB Director answers to the President in exercising and executing executive authority.
  4. Create an independent Inspector General for the CFPB.

Stay tuned for Part 2 of this series to learn about what the CFPB’s Semi-annual report says about its upcoming rule proposals and final rules.



Recent Bank and Fintech Disclosures Deemed Unfair and Deceptive by Federal Regulators


By Mary Crotty, freelance writer for banks and third-party service providers

Over the course of the last nine days, two financial institutions have settled allegations by federal regulators that their disclosures constituted unfair and deceptive acts or practices, otherwise known as UDAP.

FDIC Settles with The Bancorp Bank

On March 7, the Federal Deposit Insurance Corporation (FDIC) published a settlement agreement with The Bancorp Bank, an issuer of prepaid cards to non-bank entities. In addition to a $2 million civil money penalty, the institution must also pay almost $1.3 million in restitution to approximately 243,000 impacted consumers.

The alleged violations of unfair and deceptive practices, which the bank neither admits nor denies as part of the settlement agreement, involve multiple laws and regulations.

First and foremost is the violation of “Section 5 of the Federal Trade Commission (FTC) Act as a result of practices regarding the disclosure and assessment of transaction fees for point-of-sale signature-based transactions without a personal identification number” for debit and other reloadable cards. Specifically, “transactions assessed on behalf of the Bank by the Bank’s third party payment processor for PINless transactions were greater than the Bank disclosed to consumers for such transactions.”

In addition, the settlement order claims that the alleged unfair and deceptive practices violated the Electronic Funds Transfer Act, Regulation E, the Truth in Savings Act, Regulation DD, and the Electronic Signatures in Global and National Commerce Act.

This case also underscores the importance of financial institutions implementing and maintaining adequate vendor management risk programs. The FDIC noted the bank’s ultimate responsibility for compliance in its press release, saying that, “As the issuing bank for these various prepaid cards, The Bancorp Bank was responsible for ensuring that these programs were operating in compliance with all applicable laws.”

FTC Proposes Settlement with PayPal

On February 27, the Federal Trade Commission (FTC) issued a press release announcing its Consent Order against fintech PayPal in regard to consumer disclosures related to its peer-to-peer payment service known as Venmo. The order, published in the Federal Register on March 5, requests comment from the public through March 29. Based on the comments collected, the FTC will either move forward with the Consent Order or “withdraw it and take appropriate action.”

As published within the Federal Register, the order outlines five key areas where the alleged unfair and deceptive practices violated Section 5 of the FTC Act and the Gramm-Leach-Bliley Act (GLBA).

  1. Timing of Credited Funds: The FTC alleges that Venmo “represented to consumers that money is credited to their Venmo account and can be transferred to an external bank account after other Venmo users have sent funds to those consumers but failed to disclose, or failed to disclose adequately, that funds could be frozen or removed because Venmo has not yet approved the underlying transaction.”
  2. Privacy Settings: The order asserts that the fintech “failed to disclose material information to consumers about the operation of Venmo’s privacy settings.”
  3. Security Systems: “Venmo represented until approximately March 2015 that it protected consumers’ financial information with ‘bank grade security systems’ but in fact failed to implement basic safeguards necessary to secure consumer accounts from unauthorized transactions and did not provide ‘bank grade security’.”
  4. Privacy Notice: Among other things, Venmo failed “to provide users with a clear and conspicuous initial privacy notice” in violation of the GLBA Privacy Rule and Regulation P.
  5. Information Security: Finally, the FTC claims that Venmo “violated GLBA’s Safeguards Rule by failing to have a comprehensive written information security program before August 2014,” and by “failing to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of consumer information.”

The FTC order requires that PayPal implement various measures within Venmo to remediate the alleged violations going forward. These include the prohibition of further disclosure misrepresentations and of violations of the GLBA’s Privacy and Safeguards rules. It also requires Venmo to provide “clear and conspicuous” disclosures about the availability of funds and consumer privacy, as well as to “obtain biennial data security assessments for 10 years.” The order is to remain in effect for 20 years.

UDAP and UDAAP Violations Frequently Intersect with Those of Other Regulations

In both of these cases, the underlying UDAP violation within consumer disclosures coincided with violations of several other laws. This is not unusual with UDAP or its Dodd-Frank-mandated cousin, Unfair, Deceptive and Abusive Acts or Practices (UDAAP). Ultimately, UDAP and UDAAP give federal regulators an additional vehicle through which they can impose monetary and/or reputational punishments for alleged unfair and misleading actions toward consumers.


SEC Issues Interpretive Guidance on Cybersecurity Disclosures

By Mary Crotty, freelance writer for banks and third-party service providers

Despite our best efforts, cyber attacks continue to plague U.S. businesses, including those in the financial services industry. Even large and globally sophisticated entities fall prey, as witnessed by the Equifax breach last summer. Just as advancements in science often require new ethical standards, the latest developments in and incidents of cybercrime often result in new or updated regulatory guidance.

Although the Interpretive Guidance on cybersecurity posted in the Federal Register yesterday by the Securities and Exchange Commission (SEC) does not mention the Equifax breach, its focus on disclosure requirements and director/officer/insider ethics suggests that last summer’s extensive and embarrassing incident at one of the three major credit reporting agencies may have influenced the content and timing of this guidance.

Setting the Stage

In explaining its reason for issuing the February 26, 2018 Commission Statement and Guidance on Public Company Cybersecurity Disclosures, the SEC notes that, “In a digitally connected world, cybersecurity presents ongoing risks and threats to our capital markets and to companies operating in all industries, including public companies regulated by the Commission.”

It goes on to note that, “Today, the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century.” While this reliance on data and technology spurs growth and opportunity in our world, it also exposes organizations to the risk of harm to or theft of both. The preventative and mitigation efforts used to fight cybercrime exact a heavy cost.

Therefore, “Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber attack.”

Expansion of 2011 Guidance

This latest guidance expands upon original SEC guidance on cybersecurity disclosures issued in October 2011. The guidance, published and effective as of February 26, 2018, discusses two topics not specifically covered in that 2011 guidance:

  1. Disclosure Policies and Procedures: “This release stresses the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents. Companies are required to establish and maintain appropriate and effective disclosure controls and procedures that enable them to make accurate and timely disclosures of material events, including those related to cybersecurity. Such robust disclosure controls and procedures assist companies in satisfying their disclosure obligations under the federal securities law.”
  2. Director/Officer/Insider Ethics: “We also remind companies and their directors, officers, and other corporate insiders of the applicable insider trading prohibitions under the general antifraud provisions of the federal securities laws and also of their obligation to refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents.”

More from the SEC Cybersecurity Disclosure Guidance

In addition, the guidance indicates the following:

  • The SEC understands that not all information may be initially available or that an investigation may still be in process, “However, an ongoing internal or external investigation–which often can be lengthy–would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”
  • Companies bound by this guidance are required to correct previous disclosures as needed due to additional or different information coming to light.
  • There is a list of factors that can help a company evaluate its cybersecurity risk for disclosure purposes, including, but not limited to, the severity and frequency of past cyber incidents, the probability and potential magnitude of future occurrences, and the adequacy of preventative measures.
  • The financial impact of cybersecurity incidents and defense measures must be “incorporated into financial statements on a timely basis.”

Cybersecurity Should Be a Priority for All Businesses

Public companies regulated by the SEC are not the only ones at material risk from cybercrime. In today’s world, all companies are at risk, including community banks, credit unions, regional banks, and national and multi-national financial institutions. The cost of defending against cybercrime may be high, but the cost of not doing so is potentially much higher.

2018 BSA/AML Fines Already Equal $1.246 Billion

By Mary Crotty, freelance writer for banks and third-party service providers

It has been a busy year so far for federal regulators scrutinizing compliance with the Bank Secrecy Act (BSA) and other anti-money laundering (AML) regulations. They have already meted out a combined $1.246 billion in both civil money penalties (CMPs) and criminal fines related to BSA/AML deficiencies at various financial institutions.

BSA/AML Civil Money Penalties So Far in 2018

From the Office of the Comptroller of the Currency (OCC)

The OCC has levied a total of $195 million in CMPs since the start of the year, including $125 million in fines just in the last week. All three of these enforcement actions relate to prior Cease and Desist or Consent Orders regarding the offending institutions’ BSA/AML compliance programs.

  • $75 Million CMP Against U.S. Bank N.A.: On February 15, the OCC issued an enforcement action, which noted that the bank “failed to adopt and implement a compliance program that adequately covered the required BSA/AML program elements due to an inadequate system of internal controls, ineffective independent testing, and inadequate training, and the Bank failed to file all necessary Suspicious Activity Reports (SARs) related to suspicious customer activity.”
  • $50 Million CMP Against Rabobank, N.A.: On February 7, the OCC issued an enforcement action for deficiencies in this institution’s BSA/AML program.
  • $70 Million CMP Against Citibank: On January 4, the OCC issued an enforcement action for Citibank’s failure to comply with a 2012 Consent Order related to BSA/AML deficiencies.

From the Financial Crimes Enforcement Network (FinCEN)

While FinCEN has only issued one BSA/AML-related fine so far this year, at $185 million it almost equaled the total amount of the OCC’s three such fines.

  • $185 Million CMP Against U.S. Bank N.A.: On the same day that the OCC fined this bank, FinCEN did too, noting that it “willfully violated the BSA’s program and reporting requirements from 2011 to 2015.”

From the Federal Reserve (Fed)

The Fed has issued two enforcement actions since the start of the year for a total of $44 million in CMPs.

  • $15 Million CMP Against U.S. Bancorp: While the OCC and FinCEN punished the subsidiary, on February 14, the Fed issued this action against the parent corporation and ordered it “to improve risk management and oversight of its banking subsidiaries’ compliance with U.S. economic sanctions, and Bank Secrecy Act and anti-money laundering requirements.”
  • $29 Million CMP against U.S. Operations of Mega International Commercial Bank: On January 17, the Fed issued an enforcement action for anti-money laundering violations and “required the firm to improve its anti-money laundering oversight and controls.”

BSA/AML Criminal Actions So Far in 2018

In conjunction with the above-mentioned civil action by the Fed against U.S. Bancorp, the U.S. Attorney for the Southern District of New York announced criminal charges against the institution for two felony violations of the Bank Secrecy Act by its subsidiary. It imposed a $453 million forfeiture in addition to the $75 million CMP by the OCC for a total combined penalty of $528 million.

Rabobank also faced criminal charges from the Department of Justice (DOJ) in addition to the CMP imposed on it by the OCC. The bank “pleaded guilty to a felony conspiracy charge for concealing deficiencies in its AML program and obstructing the OCC’s examination of it.” The DOJ imposed a $368,701,259 forfeiture on the bank.

Expect Intense Regulatory Scrutiny of BSA/AML Compliance Throughout 2018

These civil and criminal actions suggest that federal regulators are increasing their focus on BSA/AML compliance, especially at institutions that have previously been cited for deficiencies in their programs. In addition to preparing for FinCEN’s Customer Due Diligence Rule, which goes into effect on May 11, financial institutions would be wise to review their overall BSA/AML compliance programs to ensure they are effective enough to stand up to such heightened examiner scrutiny.