Financial Services Law

Prepaids in Focus: Federal Regulators Clarify CIP Rules

The federal banking agencies and the U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) have issued guidance to banks to clarify how the Bank Secrecy Act's customer identification program (CIP) requirements apply to several types of prepaid access. In a separate release several days later, FinCEN issued five FAQs to provide additional guidance under its prepaid access rules addressing closed loop prepaid access and sellers of prepaid access.

What happened

For years, questions have been raised about how the CIP requirements apply to several types of prepaid card products issued by federally regulated banks and credit unions. In the face of an expanding international debate about the perceived anonymity of certain forms of prepaid access following the Paris terrorist attacks, and recognizing that "[f]unctionalities that make prepaid cards attractive to consumers also pose risks for banks that issue prepaid cards and process prepaid card transactions," on March 21, 2016, the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), and the Office of the Comptroller of the Currency (OCC), together with FinCEN, issued Interagency Guidance to Issuing Banks on Applying Customer Identification Program Requirements to Holders of Prepaid Cards.

The agencies clarify in the guidance how the CIP requirements, added to the BSA by Section 326 of the USA PATRIOT Act, apply to certain prepaid cards, "including those that are sold and distributed by third-party program managers, as well as cards used to provide employee wages, healthcare, and government benefits."

The CIP rule, issued by the agencies in 2003, requires federally insured depository institutions to obtain information sufficient to form a reasonable belief regarding the identity of each "customer" opening a new "account." In addition to collecting four specific pieces of data about a customer at account opening (name, date of birth, address, and government identification number), the CIP must also include procedures for verifying the customer's identity, maintaining specific records and providing required notices.

To determine whether and how the CIP requirements apply to purchasers of prepaid cards, the bank must first determine whether the issuance of the prepaid card to a purchaser results in the creation of an account. This determination depends on the functionalities of the prepaid card issued. The guidance reviews prepaid card characteristics that are analogous to deposit accounts and states that those "prepaid cards that provide a cardholder with (1) the ability to reload funds or (2) access to credit or overdraft features should be treated as accounts."

Where general purpose prepaid cards are sold without the reloadable functionalities activated or credit or overdraft features enabled, the agencies said "an account is not established until a reload, credit, or overdraft feature is activated by a cardholder registration."

Once an account has been established, how does a bank identify who the customer is for purposes of the CIP rule? The CIP rule provides that a person who opens a new account is deemed the customer, but different types of prepaid cards complicate the process of determining who is the customer.

"When a general purpose prepaid card issued by a bank allows the cardholder to conduct transactions evidencing a formal banking relationship, such as by adding monetary value or accessing credit, the cardholder should be considered to have established an account with the bank for purposes of the CIP rule," the guidance explained. "Further, the cardholder should be treated as the bank's customer for purposes of the CIP rule, even if the cardholder is not the named accountholder, but has obtained the card from an intermediary who uses a pooled account with the bank to fund bank-issued cards."

Third-party program managers should generally be treated as agents of the bank for purposes of the CIP rule, rather than as the bank's customer, the agencies said. For payroll cards, if an employer is the only person that may deposit funds into the payroll card account, then the employer should be considered the bank's customer for purposes of the CIP rule and the bank is not required to apply its CIP to each employee. However, if the employee is permitted access to credit through the card, or has the ability to reload the payroll card account from sources other than the employer, the employee is the customer of the bank and the bank should apply its CIP to the employee, according to the guidance. A similar analysis applies to government benefit cards and health benefit cards.

With regard to third-party program managers, banks are reminded that they "should enter into well-constructed, enforceable contracts . . . that clearly define the expectations, duties, rights, and obligations of each party" in a manner consistent with the guidance, the agencies said. At a minimum, a binding contract should outline the CIP obligations of the parties, ensure the right of the bank to transfer, store, or otherwise obtain immediate access to CIP information collected by the third-party program manager, and provide for the issuing bank's right to audit the third-party program manager and monitor its performance.

Why it matters

The guidance's CIP clarification for prepaid access-issuing banks contains no surprises. In fact, there are questions as to why the agencies decided to issue it now as there is really nothing new in it. For those banks whose CIP procedures may not have been consistent with the guidance, there may be questions as to whether remedial efforts or program enhancements may be required to ensure that they are in compliance with the requirements of the CIP regulation before their next examination. The guidance also should be a useful reminder for banks as to their BSA obligations as they digest the final prepaid access rule expected from the Consumer Financial Protection Bureau in the near future.

To read the interagency guidance on prepaid cards, click here and here.


Drive to Regulate Auto Lenders Continues With $7.4M Deal

The latest regulator to take on an auto lender: Massachusetts Attorney General Maura Healey reached a $7.4 million deal with American Credit Acceptance LLC (ACA) and Westlake Services LLC over allegations of excessive interest rates on subprime auto loans.

What happened

AG Healey targeted the guaranteed auto protection coverage, or GAP fees, charged by ACA and Westlake, which were sold as an add-on product by the lenders and financed in the indirect auto loan. GAP fees are "a product that is intended to limit the shortfall between the payment on an auto insurance claim and the amount the borrower owes on a car loan in the event the financed vehicle is totaled," the AG explained.

However, the inclusion of GAP fees in the calculation of interest on the ACA and Westlake indirect auto loans, as required by the Massachusetts retail installment contract law, caused the effective interest rates to exceed the state's 21 percent interest cap, Healey alleged. To settle the charges, the national indirect auto lenders agreed to eliminate interest on certain loans they purchased that included excessive rates due to the inclusion of the GAP coverage, forgive outstanding interest on the loans and reimburse consumers for the interest already paid on the loans.

Pursuant to the terms of the assurances of discontinuance filed in Suffolk Superior Court, additional audit work will be performed on ACA's and Westlake's indirect auto loan portfolios to determine if other loans are subject to refunds as well.

ACA promised to pay $1.7 million and Westlake will chip in roughly $5.7 million for its loans. The lenders will also pay $225,000 for implementation of the agreements. The Attorney General estimated that more than 2,000 Massachusetts consumers will benefit from the settlements, each receiving an average of $3,000 in relief.

"There are protections in place to ensure that consumers who take out auto loans are treated fairly and not forced to pay illegal and excessive interest rates," AG Healey said in a statement. "Our office will continue to make sure that these protections under state law are applied properly so that consumers are not exploited by predatory practices."

The actions arose as part of an ongoing subprime loan review initiative by the Massachusetts AG's Office. The $7.4 million in relief tips the total recovered by the program to more than $12 million after a prior $5.4 million deal with Santander USA Holdings Inc. last November. That case also centered on allegations of GAP fees and excessive interest.

Why it matters

AG Healey is not alone in her focus on the auto industry, however. Federal regulators have also trained their headlights on auto loans, from the Federal Trade Commission, which launched Operation Ruse Control last year to tackle issues including deceptive advertising, fraudulent add-ons, and auto loan modification, to the Consumer Financial Protection Bureau (CFPB). In late 2015, the Bureau expanded its oversight to encompass larger participants in the nonbank auto-financing ecosystem and, most recently, ordered a "Buy Here, Pay Here" car dealer to pay $700,000 in restitution to customers with a $100,000 suspended civil penalty.

To read the Massachusetts AG Office's press release about the settlement, click here.


Repeat BSA Violations Cited for Two FinCEN Fines

Repeat violations of the Bank Secrecy Act (BSA) are cited by the U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) for a $1 million penalty against a casino and a $10,000 fine against a money services business (MSB) and its owner. In both cases, there are lessons for all entities subject to the BSA and their compliance officers.

What happened

The MSB's path to a civil money penalty began with a 2009 exam by the Internal Revenue Service (IRS).

In the MSB case, Thriftway Food Mart in Lexington, Kentucky, sold money orders and performed check cashing services, cashing approximately $1 million worth of checks each month. The 2009 examination found systemic anti-money laundering (AML) program violations, as well as recordkeeping and reporting violations. FinCEN issued a warning letter to Thriftway and its owner, Kustandy Rayyan, advising them that the regulator expected them "to implement appropriate corrective actions to ensure a satisfactory AML program" and that "the Bank Secrecy Act compliance history of [Thriftway] will be factored into any matters that come to our attention in the future."

In 2013, when the regulators returned to Thriftway to conduct a follow-up examination, they found that Rayyan and the MSB had continued to violate the BSA's program and reporting requirements.

FinCEN found that the MSB had failed to establish and implement an effective written anti-money laundering program by failing to implement policies, procedures, and internal controls reasonably designed to assure ongoing compliance, failing to designate an adequate compliance officer, failing to provide adequate training, and failing to conduct independent testing of its compliance program. It also failed to file accurate and timely currency transaction reports (CTRs).

FinCEN noted that even after an examiner had assisted the owner in drafting a written AML program during the 2009 exam, the owner failed to implement a program that satisfied even the minimum requirements. Moreover, the program had not been updated to include regulatory changes to BSA regulations, and Thriftway failed to implement the program as written. FinCEN also noted that "Mr. Rayyan informed examiners during the 2009 examination that he did not request identification from his regular customers because he feared losing their business." Likewise, training was nonexistent at Thriftway, either for employees or for Rayyan, who had designated himself as the AML compliance officer for his company. In addition, FinCEN noted that the 2009 examination indicated that Thriftway had never conducted an independent review and, although examiners instructed Rayyan to do so at that time, there was no independent review until March 2013—after the regulators started their follow-up examination.

FinCEN criticized Rayyan's effort as a compliance officer, noting that "During the 2013 exam, Mr. Rayyan was unfamiliar with various parts of Thriftway's AML program. . . ." For example, during an interview with examiners, he claimed to have forgotten that the AML program provided for an independent review. Moreover, Mr. Rayyan stated that he believed that the AML program manual covered only money order sales, and not check cashing activities—a remarkable fact given that Thriftway's money order sales averaged between $10,000 and $16,000 every month, while check cashing accounted for about a million dollars each month.

Thriftway found that of the 43 CTRs filed by the MSB, more than one-third of those were filed late and 95 percent of them were filed with incomplete or inaccurate information, including "critical identification information" such as a Social Security number, type and number of identification reviewed, and date of birth. Thriftway also failed on multiple occasions to aggregate transactions conducted by or on behalf of the same individual that totaled more than $10,000 in any one business day and neglected to file 12 CTRs for reportable cash transactions during the examination scope.

In the casino case, Sparks Nugget, Inc., was assessed a $1 million civil money penalty in connection with violations of the BSA incurred by the casino it operated until its sale in 2013. The casino was cited for a lack of a culture of compliance. In particular, the person designated for managing the compliance functions was "routinely disregarded" by management even after management had been informed that BSA compliance was "too much for one person to handle." FinCEN's order cites a number of ways in which the employee was ignored and management's instructions not to talk to examiners during an examination.

FinCEN also noted that the casino had sophisticated information systems that were used for gathering large amounts of information about customers for business risk management and marketing purposes but were not used for BSA/AML compliance purposes. It said, "Sparks Nugget's willful failure to take advantage of the valuable information about its customers that it was already gathering and using to improve its profit and minimize its business risks contributed to the casino's failure to file required Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs)."

Why it matters

FinCEN continues to focus on repeated shortcomings in the compliance efforts of entities subject to the BSA, from establishing and implementing an effective written AML program to a complete lack of training and independent testing to unsatisfactory efforts with regard to filing reports and required recordkeeping.

To read the Assessment of Civil Money Penalty in In the Matter of: Rayyan, click here.

See also In the Matter of Sparks Nugget, Inc. d/b/a John Ascuaga's Nugget Sparks, Nevada.


CFPB Gives Debt Relief Company Targeting Students a Failing Grade

Continuing its focus on the student loan industry, the Consumer Financial Protection Bureau (CFPB) ordered a debt relief company to shut down operations and pay a penalty for allegedly scamming borrowers and misrepresenting an affiliation with the Department of Education (DOE).

What happened

The DOE offers several plans for borrowers with federal student loans, including options that let borrowers set their monthly payments based on their income. The DOE does not charge any fees to apply for or enroll in such plans.

But California-based Student Aid Institute and CEO Steven Lamont charged borrowers a fee to participate in the federal student loan programs, the CFPB said, marketing itself to student loan borrowers and misrepresenting that the fees were required to participate in the program, reaping "millions of dollars" in advance fees from consumers.

In addition to misrepresenting that the fees were required, charging the fees violated the Consumer Financial Protection Act, which requires that at least one debt be renegotiated, settled, or reduced before a fee can be collected for debt relief services, the Bureau added. Going back to December 1, 2012, Student Aid typically collected an upfront fee of $395 or $495, plus a $39-per-month maintenance fee. During the relevant time period, Student Aid brought in approximately $3.6 million, causing harm to about 4,300 consumers, the Bureau said.

In addition, required privacy notices were not provided to borrowers, as mandated by Regulation P, the CFPB alleged, and the company also falsely represented an affiliation with the DOE, implying that it was affiliated with or endorsed by the federal government. Student Aid's marketing contained other misrepresentations, the Bureau charged: student loan borrowers were deceived about how much they would save, whether they were eligible for loan forgiveness, and whether they had been preapproved for specific programs.

For example, the company represented to a consumer that "You are eligible to reduce your current payment of $595 to $63 which may save you $63,900 over the term of your student loan," even though Student Aid had no basis for making such a statement. Similarly, consumers were "routinely" told that "[l]oan forgiveness and forbearance are available on most federal loans," when in reality consumers are only entitled to loan forgiveness under certain conditions, which Student Aid failed to explain to consumers, the CFPB alleged.

Pursuant to the consent order, Student Aid Institute was directed to shut down its debt relief operations, immediately stop charging customers any fees for its services, and cancel all contracts. Both Lamont and Student Aid Institute were prohibited from offering or receiving any payments from debt relief services going forward and must pay a $50,000 penalty.

The CFPB also ordered Student Aid Institute to help borrowers with their annual certification for the DOE. Each year, the Department mandates that student loan borrowers recertify income-driven repayment plans. For any borrowers enrolled in any income-driven repayment or forgiveness plan with a renewal or recertification deadline within 30 days of the entry of judgment, Student Aid must "prepare, process, and mail all paperwork necessary to maintain enrollment in the plan."

Why it matters

"We see more and more companies and websites demanding large upfront fees to help student loan borrowers enroll in income-driven plans that are available for free," CFPB Director Richard Cordray said in a statement about the action. "These practices bear a disturbing resemblance to the mortgage crisis where distressed consumers were preyed upon with false promises of relief. We will continue to shut down illegal scams and address sloppy servicing practices that victimize consumers." The action against Student Aid and Lamont builds on prior actions by the CFPB and state attorneys general taken against illegal student debt relief operations, the Bureau noted, reminding the industry that illegal student loan servicing practices are one of its top priorities.

To read the Consent Order in In the Matter of: Student Aid Institute, click here.


Bank Culture in the Trenches

By Harold P. Reichwald

Institutional or corporate culture is much in the news lately, both inside and outside of banking. Amidst the uproar over Volkswagen's intentional compliance failure relating to emission standards, senior company management felt compelled to admit that the company's culture favored misconduct, not compliance or even a timely admission that significant errors had been made. A tolerance for rule breaking gave way to a "chain of errors" because of this institutional attitude.

In short, Volkswagen lacked a "culture" that favored compliance over misconduct, even if the errors of judgment were eventually uncovered and damaged the company's reputation, sales and standing. The company's extraordinary admission of compliance failure and subsequent press reports seemed to reveal widespread knowledge of the cheating but no tolerance for exposing it and challenging superiors. Senior management claimed to have had no knowledge of these misdeeds, but ongoing investigations will ultimately determine the extent to which the management and the supervisory board have responsibility for the scandal that happened on their watch.

But what does the Volkswagen diesel engine scandal have to do with the business of banking? Everything, it would seem. Since the financial crisis of 2008, the culture of banks at the center of the crisis has been cited as both a contributing factor to the financial meltdown and as a symbol of the need for attitudinal change at banks generally. In response, regulators have encouraged banks to take steps to establish appropriate risk and compliance cultures and to step forward and "partner" with governmental agencies in the name of "compliance." Each of these efforts, more of which are likely to come, bears some scrutiny by bank boards of directors and senior management.

In a 2014 speech, William Dudley, the President of the Federal Reserve Bank of New York, described an organization's culture as "implicit norms that guide behavior in the absence of regulations and compliance rules—and sometimes despite those explicit restraints . . . . Like a gentle breeze, culture may be hard to see, but you can feel it. Culture relates to what 'should' I do, and not to what I 'can' do."1 For all its ephemeral qualities, industry leaders recognize that a strong risk culture throughout an organization—from the very top to the lowest staff position—is a necessary adjunct to regulatory review in rooting out bad behavior.2

The most comprehensive and formal effort to codify a risk culture is the Office of the Comptroller of the Currency's (OCC) adoption of Guidelines establishing a heightened risk governance structure for national banks, thrifts and federal branches of foreign banks with $50 billion or more in consolidated assets. While limited in scope to larger federally chartered institutions, these Guidelines are likely to be informally absorbed into the regulatory consciousness of the other federal and state banking regulators and become "best practices" for banks of all sizes.3

The Guidelines acknowledge that there is no relevant definition of "risk culture." However, it is recognized that it can be considered as "shared values, attitudes, competencies and behaviors present throughout the covered bank that shape and influence governance practices and risk decisions."4 In terms of compliance with rules and regulations, it is that which infuses a sense of responsibility for compliance at every level and at every desk within the financial institution, not merely for those whose stated responsibility is compliance or internal audit. By all accounts, Volkswagen's culture was just the opposite, namely, one that out of fear for job security or an unwillingness to admit failure, tolerated breaking the rules.5

FinCEN on "Culture of Compliance"

Under U.S. banking rules, such tolerance for rule breaking is not accepted or justified. For example, in August of 2014, the Financial Crimes Enforcement Network (FinCEN) of the Treasury Department issued an advisory to financial institutions that targeted BSA/AML compliance but spoke of the need for a "culture of compliance" at every institution, without specifically defining what that would be.6 However, the advisory made it clear that nothing less than full adherence to federal anti-money laundering rules was required without regard to "revenue interests." Moreover, a "culture of compliance" requires a well-functioning system of sharing information within the institution and sufficient human and technological resources dedicated to compliance along with an independent monitoring function.

FinCEN made it clear that the responsibility for the establishment and maintenance of a "culture of compliance" starts with the board of directors and senior management and also includes owners and "operators." The commitment to such a culture has to be visible throughout the institution so as to influence all employees in the organization to have compliance with the rules in mind as they carry out their daily responsibilities.7

This "culture of compliance" (at least as FinCEN sees it) requires information sharing across the entire institution. Removing silos and encouraging a broad degree of information integration among all units of the institution may be the key to risk culture analyses.8 Moreover, most recently, the OCC endorsed this view in an enforcement action which specifically required that front-line staff, such as relationship managers, monitor and assist in the identification of unusual or suspicious activity in accordance with specific procedures, in addition to those employees regularly engaged in compliance oversight.9

With these regulatory attitudes in place, it is important to understand how the larger picture of risk management at a financial institution should lead to an overall "risk culture" that would stop a Volkswagen-type scandal of noncompliance from forming in the first place. Obviously, the highly regulated world of banking should act as a brake against such aberrant behavior but some would argue that the financial crisis was born out of a lack of risk culture and that the regulatory oversight alone was not sufficient to prevent the practices that led to the crisis.10

Leadership Sets the Tone

It is generally agreed that the tone of an institution's cultural values—particularly its risk culture attitudes—begins at the top with the leadership of its Board of Directors and senior management. Every bank board must take the lead in establishing and promoting the proper risk culture for the institution, its values and awareness of the hazards of the business in which it operates, the importance of institutional communications and transparency and the maintenance of discipline.

The process must start with an assessment of the organization's "risk appetite," taking into account future plans, strategic emphasis, capital blueprints and financial projections. The focus then must shift to the institution's capacity for risk given geography, market sectors, legal and regulatory restraints and institutional size. These considerations—coupled with strong compliance and internal audit functions—set the framework for the development of a strong and long-term risk culture. It is then up to management to embody these concepts and determinations throughout the organization with compensation plans, performance reviews and other business unit supports.

These steps are not one-time occurrences but part of an ongoing dynamic that must be reexamined, refreshed and repositioned on a regular, periodic basis. The world of financial services is in a constant state of flux and the enterprise must respond quickly and decisively to those changes.

With this in mind, here are three takeaways from this commentary. First, self-policing is the best defense against misbehavior or failures, and thus an organization's employees must feel empowered to speak up without fear of retribution. Second, prompt self-reporting of identified deficiencies or failures up the management chain allows for expeditious reporting to the regulatory authorities and active remediation where necessary. Third, senior management and the Board should continually ask the question, "Could an announced cultural failure at another institution happen here?"

Reproduced with permission from BNA's Banking Report, Vol. 106 No. 15, 04/11/2016. Copyright 2016 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com.

1See Speech by William C. Dudley at the Workshop of Reforming Culture and Behavior in the Financial Services Industry, Federal Reserve Bank of New York, October 20, 2014.

2See, e.g., Speech by Charles L. Evans, President of the Federal Reserve Bank of Chicago at the Chicago Banking Symposium, June 3, 2015.

3See 12 CFR Parts 30 and 170, adopted in September 2014 and effective at varying dates stated in the Guidelines. These Guidelines are encompassing and include the OCC's expectations of standards of behavior for boards of directors. These Guidelines are enforceable under the powers granted to the OCC under "safety and soundness" standards.

4See Statement accompanying the adoption of the Guidelines at page 58.

5See News Release of Volkswagen, AG, dated December 10, 2015. See also The Wall Street Journal, December 11, 2015, and The New York Times, December 14, 2015.

6See FinCEN Advisory FIN-2014-A007, August 11, 2014.

7Remarks of Stephanie Booker at Bank Secrecy Act Conference in Las Vegas on June 18, 2015, available at www.fincen.gov/news_room/speech/html/20150618. The Department of Justice has made it clear that going forward, wrongdoing will now focus more heavily on individual misdeeds, in the hope and expectation that holding individuals personally accountable will change a compliance culture that might otherwise have been seen as tolerating individual failures and treating corporate wrongdoing as a mere cost of doing business. See Remarks by Deputy Attorney General Sally Quillian Yates delivered at New York University School of Law on September 10, 2015, available at www.justice.gov/opa/speech.

8From FinCEN's perspective, and its goal of enforcing BSA/AML rules and tracking cybersecurity threats, this type of internal sharing of information ultimately benefits law enforcement, particularly if it leads to the sharing of information with law enforcement authorities, either formally or informally. However, from the institution's perspective, information sharing strengthens risk management and reinforces the "culture of compliance."

9See In the Matter of Wells Fargo Bank, National Association, Consent Order, Comptroller of the Currency, AA-EC-2015-79, entered on November 19, 2015.

10Lest one think that these suggested structures are only for "big" banks, it is likely that given the apparent regulatory emphasis on all banks for specific credit quality issues and governance-related matters, the issues of "risk culture" or "culture of compliance" will be a significant part of supervisory attention. See, e.g., Joint Statement on Prudent Risk Management for Commercial Real Estate Lending issued on December 18, 2015, at FDIC FIL-62-2015.
