Financial Services Law

CFPB Fines Bank $7.5M for Overdraft Violations, With $49M More in Redress

Why it matters

In its first action targeting overdraft fees, the Consumer Financial Protection Bureau (CFPB) fined Regions Bank $7.5 million for charging customers overdraft fees when they had not chosen to receive overdraft coverage. Regions will also refund customers at least $49 million, the Bureau said. “We take the issue of overdraft fees very seriously and will be vigilant about making sure that consumers receive the protections they deserve,” CFPB Director Richard Cordray said in a statement about the action. Alabama-based Regions not only failed to obtain the required opt-ins for charging overdraft fees, but also compounded the problem by delaying a fix for almost one year after discovering that it was violating the federal rule, the Bureau alleged. In addition, the bank charged overdraft and nonsufficient funds fees for a deposit advance product called Regions Ready Advance—despite telling customers the product did not have fees. The consent order between the parties requires Regions to pay the fine, correct errors on customers’ credit reports and provide refunds to all affected customers. In a press call about the enforcement action, Director Cordray reiterated the Bureau’s concerns about the “heavy costs” imposed on consumers by overdraft protection, referencing the CFPB’s report issued last July. “That Regions Bank violated the law raises definite concerns worthy of note by all depository institutions,” Cordray cautioned.

Detailed discussion

Headquartered in Birmingham, Alabama, Regions Bank operates roughly 1,700 retail branches and 2,000 ATMs in 16 states. With more than $119 billion in assets, it is “one of the country’s biggest banks,” the Consumer Financial Protection Bureau (CFPB) said.

Regions offers its customers deposit advance products in connection with checking accounts and loans, where the borrower authorizes the bank to withdraw a repayment when the next qualifying electronic deposit is received. The bank also offers overdraft services with its checking accounts.

According to the CFPB, Regions took advantage of its overdraft services and violated Regulation E, which prohibits banks and credit unions from charging overdraft fees on ATM and one-time debit card transactions absent affirmative, opt-in consent from the customer. The opt-in rule was created by an amendment to Regulation E that took effect on July 1, 2010, for new accounts and Aug. 15, 2010, for existing accounts.

Regions allowed customers to link their checking accounts to lines of credit or savings accounts. The linked account would automatically transfer money in the event of a shortage in the customer’s checking account. Based on its determination that the opt-in rule did not apply to linked accounts, Regions (a) did not obtain opt-ins from its customers with linked accounts, and (b) did not reprogram its systems to prevent linked accounts from being assessed overdraft fees (i.e., fees for paying an overdraft due to an ATM or one-time debit card transaction that exhausted the balances of both the customer’s checking and linked secondary account). Instead of declining a transaction that exhausted the balances of both the customer’s checking and linked secondary account and not charging a fee, Regions paid for overage transactions and then charged customers a fee of up to $36.

Regions only made the problem worse when the bank discovered the problem during an internal review 13 months after the mandatory compliance date for the opt-in rule and failed to stop the overdraft charges for almost another year, the Bureau said. In April 2012, senior executives reported the error to the CFPB and the bank reprogrammed its systems to halt the fees.

In addition to the overdraft fees, the Bureau alleged that Regions deceived customers by claiming that one of its deposit advance products—known as Regions Ready Advance—did not charge overdraft or nonsufficient fund fees. However, the bank charged both types of fees for the product. For example, if a payment amount collected from a customer’s checking account dropped the balance below zero, Regions either covered the transaction and charged an overdraft fee or rejected its own transaction and charged a nonsufficient funds fee. According to the CFPB, these fees were charged to more than 36,000 customers during the period of November 2011 through August 2013, and totaled at least $1.9 million.

Alleging violations of the Electronic Fund Transfer Act and that Regions engaged in unfair, deceptive, or abusive acts or practices, the Bureau brought an enforcement action against the bank. Although Regions neither admitted nor denied the allegations, the parties entered into a consent order.

Pursuant to the consent order, Regions promised to reimburse all affected customers. The bank has voluntarily provided almost $35 million to approximately 200,000 customers for the overdraft fees in December 2012, and an additional $12.8 million was paid in December 2013. Regions will also hire an independent consultant to ensure that all affected customers are identified and receive appropriate refunds.

The bank will also identify and fix any negative credit reporting that resulted from the fees and make a $7.5 million payment to the CFPB’s Civil Penalty Fund. The Bureau noted that “Regions’ violations and its delay in escalating them to senior executives and correcting errors could have justified a larger penalty, but the Bureau credited Regions for making reimbursements to consumers and promptly self-reporting these issues to the Bureau once they were brought to the attention of senior management.”

To read the consent order in In the Matter of Regions Bank, click here.

back to top

Eleventh Circuit: National Bank Act Preempts State Whistleblower Law

Why it matters

The National Bank Act (NBA) preempts a lawsuit filed by a bank vice president seeking to recover under Florida’s Whistleblower Act, the Eleventh Circuit Court of Appeals has ruled. The VP claimed that he was terminated in violation of the state statute after he objected to what he believed were improper banking practices at a U.S. Bank branch office. Affirming a district court’s dismissal of the suit, a majority of the federal appellate panel found a “significant conflict” between the Florida statute and the NBA, which permits banks to dismiss officers “at pleasure.” The majority held that the “at pleasure” language precludes any “limitation on the power of a bank to remove its officers” pursuant to the NBA, finding support in similar decisions from the Fourth, Sixth and Ninth Circuits. A dissenting opinion expressed serious concerns about the finding that a few words from a federal law passed in 1864 could “reemerge—like mummies from their tomb” to preempt a state law 150 years later, writing that the majority “vastly overestimates” congressional intent. The decision leaves national banks—at least in the Eleventh Circuit and in other circuits following the same line of reasoning—free from liability under state whistleblower statutes, although employees may still bring suit under federal law. This is significant, given the growing popularity of whistleblower claims by terminated employees throughout the country. Retaliatory terminations for reporting noncompliance to regulators is still likely to be alleged in state bank wrongful termination cases. Whistleblower claims pursued by current employees who have not yet been terminated should not be directly impacted.

Detailed discussion

Marc Wiersum was hired on March 15, 2013, as a vice president and wealth management consultant for the Naples office of U.S. Bank. During his two-month employment at the federally chartered bank, Wiersum claimed to have witnessed credit conditioned upon asset management, in violation of 12 U.S.C. Section 1972.

Wiersum objected to what he believed were “unlawful tying arrangements” and refused to participate in them. He was terminated by U.S. Bank in May 2013. He then filed a single-count complaint in Florida federal court alleging that the bank wrongfully terminated him in violation of the Florida Whistleblower Act (FWA).

U.S. Bank moved to dismiss the suit. The bank argued that the case was preempted by the National Bank Act (NBA), which permits federally chartered banks to dismiss officers “at pleasure” pursuant to 12 U.S.C. Section 24 (Fifth). A federal court judge agreed, dismissing the suit with prejudice, and Wiersum appealed.

A panel of the Eleventh Circuit Court of Appeals affirmed the dismissal in a split decision, finding that the FWA is in “direct conflict” regarding the at-pleasure termination provision of the NBA and, therefore, preempted by the federal law.

“[W]e hold the at-pleasure provision of the NBA preempts Wiersum’s claim under the FWA for wrongful discharge under Florida law, because the FWA is in direct conflict with the NBA,” the majority wrote.

The panel first examined the language of both statutes. The NBA states: “a national banking association … shall have power … [t]o elect or appoint directors, and by its board of directors to appoint a president, vice president, cashier, and other officers, define their duties, require bonds of them and fix the penalty thereof, dismiss such officers or any of them at pleasure, and appoint others to fill their places.”

As for the FWA, the relevant provision provides “[a]n employer may not take any retaliatory personnel action against an employee because the employee has … [o]bjected to, or refused to participate in, any activity, policy, or practice of the employer which is in violation of a law, rule, or regulation.”

Congress made the policy decision granting banks broad discretion to dismiss bank officials, in an effort to maintain public trust without state regulatory interference, the court said. And in conflict preemption cases where federal law is found to be in irreconcilable conflict with state law such that compliance with both statutes results in a physical impossibility, federal law wins.

Or, as the majority wrote, “There is no contest. The NBA is the congressional act that governs all national banks in the United States. The ability of the board of directors of a national bank to dismiss its officers ‘at pleasure’ is clear and unequivocal, as the federal-circuit courts that have addressed this issue have concluded.”

Arguing that the “majority’s holding works to disrupt the careful balance between state and federal interests,” the dissenting opinion took issue with the passage of time between the two laws. “Today’s majority holds that when Congress passed the National Banking Act (NBA) in 1864, it intended—150 years later—for the three words ‘dismiss at pleasure’ to preempt Marc Wiersum’s retaliation claim under the Florida Whistleblower’s Act. If the majority is right, those three words will also serve to preempt every state employment-law protection not mirrored in federal law for thousands of bank officers in this Circuit.”

Judge Beverly B. Martin said the majority “vastly overestimates Congress’s limited intent when it included those three words,” as “a careful analysis of the historical context of the NBA’s enactment suggests that its purpose was ‘quite narrow.’” The “at pleasure” language was an attempt to deal with typical terms of employment in the 19th century, the dissent said, and should not be used to rebut the presumption against preemption.

“The consequences of the majority’s ruling are worrying,” the dissent added. “The majority denies bank officers—of which there are thousands nationwide—the protection of state employment laws. Most obviously, bank officers are no longer protected by anti-retaliation statutes like the Florida law at issue here. But neither will bank officers any longer enjoy the protection of state and local anti-discrimination laws that offer protections the federal anti-discrimination regime does not.”

To read the opinion in Wiersum v. U.S. Bank, click here.

back to top

DOJ Settles Criminal Charges and FinCEN Takes First Civil Action in Virtual Currency Arena

Why it matters

The Financial Crimes Enforcement Network (FinCEN) announced its first civil enforcement action involving virtual currency, ordering Ripple Labs and a subsidiary to pay a $700,000 fine for failure to register as a money services business, failure to comply with certain reporting requirements and failure to implement an effective anti-money laundering (AML) compliance program. The action—which also includes a settlement with a U.S. Attorney’s Office in California where Ripple agreed to forfeit $450,000 to avoid criminal charges—was triggered by the company’s violations of the Bank Secrecy Act when, according to government documents, it sold its virtual currency without registering as a money services business and failed to put in place an effective AML compliance program. In addition to the forfeiture and fine, Ripple agreed to several remedial actions, such as strengthening its AML compliance efforts and conducting a three-year “look back” for possible suspicious transactions, that provide a template for other virtual currency companies on how to conduct business. “We hope that this [action] sets an industry standard in the important new space of digital currency,” U.S. Attorney Melinda Haag said in a statement.

Detailed discussion

Taking the lead in a criminal investigation, the U.S. Attorney’s Office for the Northern District of California was joined by FinCEN in this action against Ripple Labs Inc. and its wholly owned subsidiary, XRP II, for three sets of Bank Secrecy Act violations. In addition to a $450,000 asset forfeiture to the Department of Justice and the $700,000 civil money penalty assessed by FinCEN, the DOJ ordered remedial action.

Headquartered in San Francisco, Ripple provides virtual currency exchange transaction services and facilitates transfers of virtual currency. After Bitcoin, Ripple is the second-largest cryptocurrency by market capitalization.

On March 18, 2013, FinCEN released guidance that clarified the applicability of Bank Secrecy Act (BSA) regulations to participants in the virtual currency arena. Importantly, the Guidance stated that two categories of participants—“exchangers” and “administrators” of virtual currencies—are money services business (MSBs) under the statute and are required to register with FinCEN as such.

According to the enforcement action, Ripple acted as an MSB and sold XRP—its virtual currency—without registering with FinCEN after the effective date of the Guidance; Ripple also failed to implement and maintain an adequate AML program. After XRP II assumed Ripple Labs’ functions in 2013 until Oct. 1, 2014, it too violated the BSA by failing to implement an effective AML program and acting as an MSB without registering with FinCEN, as well as failing to report suspicious activity related to several financial transactions.

In one example found in the Statement of Facts, Ripple failed to follow its own internal “know your customer” requirements in September 2013 and negotiated a $250,000 transaction with an individual who had prior felony convictions for dealing in explosive devices and had been sentenced to prison. A curious aspect of this example was the fact that the person was already known to the company as an investor.

For these willful violations of the BSA, the $450,000 forfeited to the DOJ was used to offset part of FinCEN’s assessment of the $700,000 civil money penalty against both Ripple and XRP II.

The DOJ action also included an agreement between Ripple and XRP setting forth a series of remedial and future steps to enhance their compliance with AML obligations. Going forward, Ripple and XRP will only transact XRP and “Ripple Trade” activity through a registered MSB, comply with the Funds Transfer and Funds Travel Rules, and implement and maintain an effective AML program (including an AML compliance officer and conducting AML compliance training for employees). In addition, the companies promised to conduct a three-year “look back” for suspicious activity and retain external, independent auditors to review their BSA compliance every two years until 2020.

“Virtual currency exchangers must bring products to market that comply with our anti-money laundering laws,” FinCEN director Jennifer Shasky Calvery said in a statement about the action. “Innovation is laudable but only as long as it does not unreasonably expose our financial system to tech-smart criminals eager to abuse the latest and most complex products.”

To read FinCEN’s assessment of a civil money penalty, click here.

To read the Statement of Facts and Violations, click here.

To read the Remedial Framework, click here.

To read the settlement agreement with the U.S. Attorney’s Office, click here.

back to top

New York’s DFS Grants First Charter to a Virtual Currency Company

Why it matters

In another virtual currency first, New York’s Department of Financial Services (DFS) granted the first limited-purpose trust charter to a virtual currency company to itBit Trust Co. LLC, a Bitcoin exchange. The company underwent a review by the state regulator of its anti-money laundering, capitalization, consumer protection and cybersecurity standards. The charter to operate as a limited-purpose trust company under New York State banking law permits itBit to begin operations immediately, subject to continued supervision by the DFS, which in many ways is more rigorous than regulation under the proposed BitLicense proposal expected to be finalized later this month. “We have sought to move quickly but carefully to put in place rules of the road to protect consumers and provide greater regulatory certainty for virtual currency entrepreneurs,” DFS Superintendent Benjamin M. Lawsky said in a statement. “The technology behind Bitcoin and other virtual currencies could ultimately hold real promise and it is critical that we set up appropriate rules of the road to help safeguard customer funds. Indeed, we believe that regulation will ultimately be important to the long-term health and development of the virtual currency industry.” The DFS noted that it is continuing to review and accept applications and proposals from other virtual currency companies, with the finalized BitLicense regime to be released soon.

Detailed discussion

In August 2013, the New York Department of Financial Services (DFS) began the process of drafting regulatory guidelines for virtual currencies. After fact findings and public hearings in January 2014, the DFS released its BitLicense regulatory framework for public comment.

The framework includes “consumer protection, anti-money laundering compliance, and cyber security rules tailored for virtual currency firms.” The initial proposal was tweaked based on public comment (with the addition of a two-year transitional BitLicense geared toward startups) and DFS said it expects to issue final regs by the end of this month.

During this process, the DFS has suggested that a trust charter might be an alternative to a BitLicense. Just ahead of the release, the DFS granted a charter to itBit Trust Co. LLC to operate as a limited-purpose trust company under state banking law. To receive the charter, the New York City-based Bitcoin exchange underwent “a rigorous review of [its] application, including, but not limited to, the company’s anti-money laundering, capitalization, consumer protection, and cyber security standards,” by the regulator.

DFS approved the charter on May 7.

Charter in hand, itBit can begin operations immediately in New York, subject to ongoing supervision by the state regulator. While the company is subject to the heightened regulatory compliance necessary to operate under a trust charter (abiding by the anti-money laundering, capital and other requirements that apply to a more traditional bank’s operations), the DFS noted that the company will also be required to meet the obligations under the final BitLicense regulations.

back to top

U.K. Version of Choke Point is Different: Banks Must Serve Customers!

Why it matters

For many financial institutions, derisking has become the name of the game. Seeking to avoid unwanted examination scrutiny by regulators, banks have terminated customer relationships with entities that are viewed as high-risk—payday lenders, cannabis companies, third-party payment processors and Bitcoin exchanges, just to name a few. In stark contrast to criticism by banks in the U.S. that Operation Choke Point and regulatory pressure have caused them to terminate the provision of banking services to certain types of businesses, the United Kingdom’s Financial Conduct Authority (FCA) recently said the opposite in a statement on derisking, making it clear that heightened regulatory risk will not suffice as a reason to drop a customer relationship. The U.K. regulator noted that it was aware some banks “are no longer offering financial services to entire categories of customers,” particularly fintech companies, money transmitters and charities. “Banks have told us that this helps them comply with their legal and regulatory obligations in the UK and abroad,” the FCA said. “However, we are clear that effective money-laundering risk management need not result in wholesale derisking.”

The FCA then went one step further, hinting that it would consider taking action against financial institutions that terminate relationships resulting in a negative impact on consumers. Ironically, U.K. financial institutions hoping to avoid regulatory attention by derisking may now be inviting it. The FCA cautioned U.K. financial institutions that derisking strategies will now be examined during a regulatory examination. Whether or not U.S. regulators will follow the FCA’s lead remains to be seen.

Detailed discussion

In the wake of the financial crisis, regulatory oversight increased and institutions reacted by trying to lower their risk portfolio. Dropping customers with riskier anti-money laundering (AML) or terrorist funding problems seemed like the right thing to do.

Banks sought to avoid ending up on the receiving end of an Operation Choke Point action as CommerceWest Bank and Plaza Bank had, accused of facilitating consumer fraud by allowing third-party payment processors to make millions of dollars of unauthorized withdrawals from consumer accounts, and paying $4.9 million and $1.225 million, respectively, or agreeing to pay $1.2 million, in the case of Four Oaks Bank & Trust, which the Department of Justice said turned a blind eye to $2.4 billion in loans made by online lenders that were processed by a third-party payment processer that contracted with the bank.

The FCA has instead taken a different tack. “While the decision to accept or maintain a business relationship is ultimately a commercial one for the bank, we think that there should be relatively few cases where it is necessary to decline business relationships solely because of anti-money-laundering requirements,” the FCA said in the statement. “As a result, we now consider during our [anti-money-laundering] work whether firms’ derisking strategies give rise to consumer protection and/or competition issues.” Consumer protection and/or competition issues could arise when banks cut off dealings with an entire industry—payday lenders, for example—freezing entire business lines out of the market and leaving consumers with limited choices.

Banks should “put in place and maintain policies and procedures to identify, assess and manage money-laundering risk,” according to the statement. “But the risk-based approach does not require banks to deal generically with whole categories of customers or potential customers: instead, we expect banks to recognize that the risk associated with differing individual business relationships within a single broad category varies, and to manage that risk appropriately.”

In a response to an inquiry into whether the Federal Deposit Insurance Corporation (FDIC) is considering adopting a stance similar to that of the FCA, a spokesperson for the regulator told American Banker, “The FDIC encourages supervised institutions to take a risk-based approach in assessing customer relationships, rather than declining to provide banking services to entire categories of customers without regard to the risks presented by an individual customer or the financial institution’s ability to manage the risk.” Unfortunately, this backtracking by the FDIC after fallout over Choke Point comes too late for many legitimate businesses seeking to meet consumer needs that have already been dumped by skittish banks and are challenged in finding new ones.

Last November, David Cohen, deputy director of the Central Intelligence Agency, gave a speech in which he expressed concern about derisking in this country. “We are keenly engaged with this issue because we recognize that ‘derisking’ can undermine financial inclusion, financial transparency and financial activity, with associated political, regulatory, economic and social consequences,” Cohen said.

To read the FCA’s statement on derisking, click here.

back to top