Financial Services Law

Surprises in OCC's Examination Priorities for 2016? Careful Innovation, Cybersecurity, Criminal Avoidance, Nonbank FI Lending

Why it matters

Comptroller Thomas J. Curry underscored key 2016 supervisory concerns for his agency in a mid-December industry call discussing the OCC's latest Semiannual Risk Perspective report. His list includes the "usual" risks related to strategic, compliance, and interest rates as well as cybersecurity and underwriting standards. He urged national banks and federal thrifts to address strategic challenges of a slow-growth, low interest rate environment by continuing to evolve, adapting their business models, offering new products and venturing into new markets while performing appropriate due diligence. The report also highlighted continuing Bank Secrecy Act and anti-money laundering (BSA/AML) risk as criminal behavior and the use of technology evolve, and concern about the easing of credit underwriting standards and practices by banks and thrifts, particularly in markets such as indirect auto and commercial real estate lending. Resiliency planning for cyber threats remains a worry for the agency, as well as the ongoing low interest rate environment.

Detailed discussion

Summarizing the financial performance of national banks and federal savings associations through June 30, 2015, the Office of the Comptroller of the Currency (OCC) noted several positive trends in its latest Semiannual Risk Perspective. As compared to the first six months of 2014, financial institutions were stronger and experienced a 7% increase in net income, with a rise in profitability as measured by return on equity for both small and large banks.

While acknowledging the growth, the regulator said its primary supervisory concerns remain "generally unchanged," with strategic, underwriting, cybersecurity, compliance, and interest rate risks the top issues for the agency.

In remarks accompanying the release of the report, Comptroller Thomas J. Curry emphasized "the growing risk" posed by weakening credit standards.

"As the economic cycle turns, we see banks and thrifts reaching for yield and growth, sometimes extending their reach at the expense of sound underwriting, strong risk management, and adequate loan loss provisioning," he said. "OCC examiners will be paying close attention to each of those areas in the coming months," as "the warning lights are flashing yellow" in the area of credit risk. "Regulators and bank management need to act now to prevent those risks from becoming reality. We can't afford to wait until the warning lights turn red."

The report documented the third consecutive year of underwriting standards slipping, with banks and thrifts relaxing their requirements, layering risks in consumer and commercial lending products, and accumulating concentrations, particularly in commercial real estate and the indirect auto lending market.

This trend is due in part to the competitive pressures of the banking industry and the current slow-growth, low interest rate environment, with some financial institutions struggling with the strategic challenge of growing their revenue, the OCC recognized.

"Generally, we are seeing banks continue to make concessions on pricing, weaker or non-existent loan covenants, and maturities lengthening," Curry said, introducing risk at origination. "Bankers with long memories will remember the worst loans are made in the best of times, and the growing credit risk in their banks should be managed very closely."

The OCC recommended that banks assess their interest rate risk exposure under a variety of scenarios specific to the bank's own risk and complexity as well as consider the risk that the large deposit growth that occurred during the recession could potentially change quickly as rates rise. "The ongoing low interest rate environment continues to lay the foundation for future vulnerability," the report cautioned.

Curry highlighted the "dramatic increase" in lending to nondepository financial institutions as an area that has the agency's attention, with such loans increasing by more than 217 percent over the past three years. Because these borrowers engage in activities that are similar to the bank's own lending, "the risk from these loans can be highly correlated to the banks' risk and lead to concentrations," the Comptroller noted. "That is why we are encouraging bankers to monitor any concentration risk from these loans and ensure they clearly understand the underlying business model of these companies."

Another area of concern: oil prices. After hitting a pricing low not seen in years, the OCC said it expects to see losses from energy loans in the coming months, with certain regions (such as Colorado, Louisiana, North Dakota, Oklahoma, Pennsylvania, Texas, and Wyoming) hit harder than others.

Banks and thrifts cannot lose sight of the continued risk associated with cybersecurity and compliance, including BSA/AML requirements, the OCC noted, as technology and criminal behavior continue to evolve.

The report summarized the steady decline in enforcement actions from a peak in 2009, with matters requiring attention (MRA) also being reduced for the third consecutive year. For large banks, the top five categories for MRA are credit, capital markets, BSA/AML, consumer compliance, and information technology. The list for community banks is the same, with the addition of enterprise governance and exclusion of capital markets.

Looking to enforcement efforts in the coming year, Comptroller Curry said the agency will hew closely to the concerns expressed in the report. "[O]ur priorities for large bank examiners include governance and oversight, credit and underwriting, and in the area of compliance, we'll focus on cyber, BSA/AML, fair access, and operational risk," he explained. "For community banks, examiner priorities include strategic planning and governance, underwriting, interest rate risk, as well as the compliance issues mentioned for large banks."

To read the Semiannual Risk Perspective, click here.

To read OCC Comptroller Curry's remarks, click here.

back to top

Regulators Caution Banks About CRE Lending

Why it matters

In a statement expressing concern about the growth of commercial real estate (CRE) lending, the federal banking agencies stressed the need to utilize "prudent risk-management practices." The Board of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency explained in FIL-62-2015 that they have observed "substantial growth" in CRE asset and lending markets, increased competitive pressures, rising CRE concentrations in banks, and an easing of CRE underwriting standards. To counter potential failure, the regulators advised banks to stay on top of the trend, emphasizing existing guidance for CRE risk management. "Financial institutions should maintain underwriting discipline and exercise prudent risk-management practices to identify, measure, monitor, and manage the risks arising from CRE lending," the agencies wrote. "Financial institutions should have risk-management practices and maintain capital commensurate with the level and nature of their CRE concentration risk." Examiners will be looking closely at CRE lending in the coming year, the joint statement noted, and institutions with inadequate practices may be required to tighten their underwriting standards, raise more capital, or create plans for better CRE portfolio monitoring.

Detailed discussion

The federal banking agencies—the Board of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC)—ended 2015 with a warning to financial institutions: don't forget regulatory guidance on prudent risk management practices for commercial real estate lending (CRE) activity during all stages of the economic cycle.

A CRE loan refers to a loan "where the use of funds is to acquire, develop, construct, improve, or refinance real property and where the primary source of repayment is the sale of the real property or the revenues from third-party rent or lease payments," the agencies explained in FIL-62-2015. CRE loans do not include ordinary business loans or lines of credit in which real estate is taken as collateral.

Why the concern? The regulators have observed "substantial growth" in many CRE asset and lending markets combined with increased competitive pressures that are contributing to historically low capitalization rates and rising property values. Between 2011 and 2015, multifamily loans increased 45 percent at insured depository institutions, according to the agencies, and composed 17 percent of all CRE loans held by financial institutions. The result: an increase in CRE concentrations at many institutions.

At the same time, examiners have noticed an easing of CRE underwriting standards, such as less restrictive loan covenants, extended maturities, longer interest-only payment periods, and limited guarantor requirements. Coupled with a rise in exceptions to underwriting policies for CRE loans and insufficient monitoring of market conditions to assess the risks associated with CRE concentrations, the Fed, FDIC, and OCC felt the need to remind banks about their regulatory obligations.

To avoid weak risk management and remain consistent with supervisory expectations, the agencies offered financial institutions a refresher on existing guidance. For example, financial institutions should have established adequate and appropriate loan policies, underwriting standards, credit risk management practices, and concentration limits that were approved by the board or a designated committee.

Lending strategies (including plans to increase lending in a particular market or property type) should be carefully considered and reevaluated in light of changing market conditions, with strategies in place to ensure capital adequacy and allow for loan losses, consistent with the level and nature of inherent risk in the CRE portfolio.

The agencies recommended that the CRE portfolio undergo market and scenario analyses to quantify the potential impact of changing economic conditions on asset quality, earnings, and capital, with additional analyses conducted on global cash flow based on reasonable rental rates, sales projections, and operating expenses to understand whether the borrower has sufficient repayment capacity to service all loan obligations.

Boards and management need to be kept apprised of the need to change lending strategies and policies in light of market conditions, with continuing assessments of the borrower and the project during different stages of the loan, from interest only to amortizing payments and periods of rising interest rates. Procedures should be in place to monitor potential volatility in the market, the regulators said, such as the supply and demand for lots, retail and office space, and multifamily units.

"[F]inancial institutions should review their policies and practices related to CRE lending and should maintain risk management practices and capital levels commensurate with the level and nature of their CRE concentration risk," the agencies wrote. "In particular, financial institutions should maintain underwriting discipline and exercise prudent risk management practices that identify, measure, monitor, and manage the risks arising from their CRE lending activity."

Supervisors from the banking agencies will pay "special attention" to potential risks associated with CRE lending during 2016, the Fed, FDIC, and OCC warned.

"When conducting examinations that include a review of CRE lending activities, the agencies will focus on financial institutions' implementation of the prudent principles in the Concentration Guidance as well as other applicable guidance relative to identifying, measuring, monitoring, and managing concentration risk in CRE lending activities," the regulators said. "In particular, the agencies will focus on those financial institutions that have recently experienced, or whose lending strategy plans for, substantial growth in CRE lending activity, or that operate in markets or loan segments with increasing growth or risk fundamentals."

If a financial institution is found to have inadequate risk management practices and capital strategies, examiners may require the bank "to develop a plan to identify, measure, monitor, and manage CRE concentrations, to reduce risk tolerances in their underwriting standards, or to raise additional capital to mitigate the risk associated with their CRE strategies or exposures."

To read FIL-62-2015, click here.

To read the agencies' joint Statement on Prudent Risk Management for CRE Lending, click here.

back to top

CFPB Warns About "Heightened Risk" of In-Person Debt Collections, Settles Case Against Lender for $10.5 Million

Why it matters

In conjunction with the announcement of a $10.5 million agreement with a lender that allegedly engaged in illegal debt collection practices, the Consumer Financial Protection Bureau (CFPB) issued a bulletin warning the financial services industry about potential unlawful conduct during in-person collections. Going to consumers' homes and workplaces to collect debt presents a "heightened risk" for lenders, according to Compliance Bulletin 2015-07, raising concerns about engaging in unfair or deceptive acts and practices that violate both the Fair Debt Collection Practices Act and the Dodd-Frank Wall Street Reform and Consumer Protection Act. As an example, the CFPB pointed to its enforcement action against Texas-based EZCORP, a small-dollar lender that visited borrowers' homes and places of employment. The Bureau alleged the company ran afoul of federal law by disclosing consumers' debts to third parties and causing adverse employment consequences to consumers such as disciplinary actions or termination. To settle the charges, EZCORP agreed to change its practices, pay a $3 million civil penalty, and provide $7.5 million in refunds to consumers.

Detailed discussion

A recent enforcement action by the CFPB triggered a Compliance Bulletin from the Bureau about the risks of in-person collection of consumer debt.

Intended to provide guidance to creditors, debt buyers, and third-party collectors, Compliance Bulletin 2015-07 sets forth collection activities prohibited by federal laws such as the Dodd-Frank Wall Street Reform and Consumer Protection Act and the Fair Debt Collection Practices Act (FDCPA). Despite the ban on actions such as contacting third parties or engaging in harassing conduct, the Bureau said it has recently observed such practices in its supervisory examinations and enforcement investigations, resulting in the need to remind lenders about the scope of proper activities.

First- or third-party debt collectors "run a heightened risk of committing unfair acts or practices in violation of the Dodd-Frank Act when they conduct in-person debt collection visits, including to a consumer's workplace or home," the CFPB wrote. Pursuant to the statute, an act or practice is unfair "when it causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers and is not outweighed by countervailing benefits to consumers or competition."

Depending on the facts and circumstances, in-person collections can easily meet this definition, the CFPB said. Arriving in person at a consumer's home or workplace may result in third parties (such as coworkers, supervisors, customers, roommates, landlords, or neighbors) learning that the consumer has a debt in collection.

"When such information is revealed to such third parties, it could harm the consumer's reputation and, with respect to in-person collection at a consumer's workplace, result in negative employment consequences," the Bureau said. Even if such information is not revealed to third parties, injury could still occur, the agency added, if "a collector goes to a consumer's place of employment when the consumer's employer prohibits the consumer from having personal visitors there, which could also result in negative employment consequences."

In-person collection raises multiple concerns under the FDCPA as well. Section 805(a)(1) and (3) of the statute makes it illegal for those collectors subject to the Act to communicate with a consumer in connection with the collection of any debt "at an unusual time or place or a time or place known or which should be known to be inconvenient to the consumer" or at a place of employment if the debt collector knows or has reason to know the employer prohibits the consumer from receiving such communication.

"Consumers may find in-person collection visits to be inconvenient and collectors may know or should know of this inconvenience; similarly, collectors may know or have reason to know that a consumer's employer prohibits the consumer from receiving such communication at the workplace," the CFPB said.

In addition, Section 805(b) of the FDCPA prohibits third-party debt collectors and others subject to the FDCPA from communicating with any person other than the consumer in connection with the collection of any debt; in-person collection poses a real threat to violate this provision, the Bureau suggested.

Sections 806 and 808 of the statute ban a debt collector from engaging in any conduct the natural consequence of which is to harass, oppress, or abuse any person, and from using unfair or unconscionable means to collect or attempt to collect any debt. "In-person collection visits may pose a heightened risk that collectors will violate these provisions," the CFPB said.

"If the CFPB determines that a company has engaged in acts or practices that violate the Dodd-Frank Act, the FDCPA, or other Federal consumer financial law, it will take appropriate supervisory or enforcement actions to address the violations and seek all appropriate corrective measures, including remediation of harm to consumers and assessment of civil money penalties," the Bureau promised.

Demonstrating the intent to make good on its promise of enforcement, the CFPB announced a settlement with a debt collector that allegedly engaged in unlawful in-person collections, reaching a $10.5 million deal.

A small-dollar lender based in Texas, EZCORP engaged in illegal debt collection practices, including visits to consumers at their homes and workplaces, false threats of legal action, lying about consumers' rights, and unlawful electronic withdrawals resulting in bank fees for borrowers, the CFPB alleged.

Specific violations of the Dodd-Frank Act's prohibition against unfair, deceptive or abusive acts or practices occurred when the company disclosed consumers' debts to third parties and caused adverse employment consequences to consumers such as disciplinary actions or termination. The company called consumers at their place of business despite being asked to stop and made repeated, false threats to sue borrowers for nonpayment.

EZCORP also violated the Electronic Fund Transfer Act, requiring many consumers to repay installment loans through electronic withdrawals from their bank accounts. Consumers were subject to bank fees when the company made multiple withdrawals for a single payment or made withdrawals earlier than scheduled, the CFPB said.

To settle the suit, EZCORP agreed to refund $7.5 million to about 93,000 consumers and halt collection of remaining debts for another 130,000 borrowers, as well as pay $3 million in penalties. In addition, the company promised to abide by federal law going forward, with a ban on in-person debt collection.

To read Compliance Bulletin 2015-07, click here.

To read the consent order in In the Matter of EZCORP, click here.

back to top

FTC Touts Record Yield in Payday Lending Case

Why it matters

A pair of online payday lenders will pay the Federal Trade Commission (FTC) $4.4 million to settle charges that they tricked consumers by failing to disclose inflated fees in what the agency said was its largest recovery to date in a payday lending case. Red Cedar Services Inc. and SFS Inc. have each paid $2.2 million and collectively waived $68 million in fees to consumers that were not collected, the Commission said. In combination with collection from other defendants in the case, the FTC said it has recovered roughly $25.5 million, with an estimated $353 million in waived debt. The agency charged that the defendants violated the Federal Trade Commission Act by misrepresenting how much loans would cost consumers, promising that a $300 loan would cost $390 to repay and then actually charging consumers $975, for example. Red Cedar and SFS also ran afoul of the Truth in Lending Act and the Electronic Funds Transfer Act, the FTC added. Pursuant to the settlement agreement, the defendants are prohibited from misrepresenting the terms of any loan product going forward, in addition to the monetary recovery.

Detailed discussion

A case against multiple defendants engaged in online payday lending has provided the FTC with a record yield. According to the agency, the Commission has recovered about $25.5 million in connection with the case, which has also resulted in an estimated $353 million in waived debt, "making this already the largest FTC recovery in a payday lending case, with litigation still continuing against other defendants."

"Payday lenders need to be honest about the terms of the loans they offer," Jessica Rich, Director of the FTC's Bureau of Consumer Protection, said in a statement. "These lenders charged borrowers more than they said they would. As a result of the FTC's case, they are paying a steep price for their deception."

In the most recent development in the case, the Commission reached a deal with Red Cedar Services Inc. and SFS Inc., entities chartered under the Modoc Tribe of Oklahoma and Santee Sioux Nation of Nebraska, respectively. Both entities illegally charged consumers undisclosed and inflated fees in violation of Section 5 of the Federal Trade Commission Act, the agency alleged, as well as failed to accurately disclose key loan terms mandated by the Truth in Lending Act (TILA), such as the annual percentage rate. Preauthorized debits from consumers' bank accounts were a condition of the loans, the FTC said, in violation of the Electronic Funds Transfer Act (EFTA).

One contract cited by the Commission informed borrowers that a $300 loan would cost them $390 to repay. But the actual cost of the loan from Red Cedar was $975, the FTC said, because the defendants typically withdrew partial payments on multiple days, assessing a finance charge each time.

The defendants initially argued that they were immune from the FTC's oversight because of their tribal affiliations. But in March 2014 a federal court judge in Nevada ruled that the agency had the authority to bring suit against payday lenders affiliated with American Indian tribes, a decision hailed by the FTC as "a strong signal to deceptive payday lenders that their days of hiding behind a tribal affiliation are over."

Soon after, the defendants began to reach deals with the agency.

To settle the charges, Red Cedar and SFS agreed to pay the Commission $2.2 million each and waive borrower fees totaling around $68 million. In addition, the defendants are now prohibited from misrepresenting the terms of any loan product, including the payment schedule and interest rate, the total amount the consumer will owe, annual percentage rates or finance charges, and any other material facts. Future violations of TILA and EFTA are also banned.

To read the stipulated final orders with Red Cedar and SFS in FTC v. AMG Services, click here.

back to top

New Bill Would Require Cybersecurity Disclosures by Publicly Traded Companies

Why it matters

In the continuing efforts to enact cybersecurity legislation and advise the public about cybersecurity preparedness, a new bill introduced in the Senate would mandate that publicly traded companies disclose the cybersecurity expertise or experience found on the board of directors—or lack thereof. Alternatively, the bill would require that the company share what other steps it has taken to identify or evaluate cybersecurity awareness for board members. The Cybersecurity Disclosure Act of 2015, introduced by Sens. Jack Reed (D-R.I.) and Susan Collins (R-Maine), joins a long list of cybersecurity and data breach-related legislation pending in Congress. But the tweak of adding board disclosure requirements—intended to "strengthen and prioritize cybersecurity" at publicly traded companies—is a new twist.

Detailed discussion

Over the last few years, a myriad of cybersecurity and data breach legislation has been introduced in both the Senate and the House of Representatives, ranging from proposals to create a uniform standard for data breach notification in lieu of the current patchwork of state laws to a proposal that would provide liability protections to entities that voluntarily share lawfully obtained cyber threat information with an Information Sharing and Analysis Organization.

In a new development, two lawmakers introduced a bill that would make cybersecurity personal for publicly traded companies. The Cybersecurity Disclosure Act of 2015, introduced by Sens. Jack Reed (D-R.I.) and Susan Collins (R-Maine), would require the disclosure of cybersecurity expertise or experience represented on a publicly traded company's board of directors or the sharing of other steps the company has taken to identify or evaluate nominees at the board level.

The proposed measure seeks to "strengthen and prioritize cybersecurity at publicly traded companies by encouraging the disclosure of cybersecurity expertise, or lack thereof, on corporate boards at these companies," the legislators explained in a press release about their bill, citing statistics from the National Association of Corporate Directors that just 11 percent of public company boards questioned in 2015 reported a high-level understanding of cybersecurity.

Pursuant to the bill, covered entities would be required to disclose in their Securities and Exchange Commission (SEC) annual reports or proxy statements "whether any member of the governing body, such as the board of directors or general partner, of the reporting company has expertise or experience in cybersecurity and in such detail as necessary to fully describe the nature of the expertise or experience."

In addition, "if no member of the governing body of the reporting company has expertise or experience in cybersecurity, to describe what other cybersecurity steps taken by the reporting company were taken into account by such persons responsible for identifying and evaluating nominees for any member of the governing body, such as a nominating committee."

Together with the National Institute of Standards and Technology, the SEC would be tasked to define what constitutes "expertise and experience" in cybersecurity, with the bill considering résumé items such as qualifications in administering information security program functions or experience detecting, preventing, mitigating, or addressing cybersecurity threats.

The lawmakers noted that the legislation does not require companies to take any actions other than to provide the specified disclosure. The proposed legislation follows on currently required disclosures for public companies about why individuals are proposed nominees for directorships in the first place and whether one or more directors qualifies as an "audit committee financial expert."

Introduced in late 2015, the bill was referred to the Senate Committee on Banking, Housing, and Urban Affairs.

Reaction to the proposed law was mixed. In their press release, Sens. Reed and Collins included support from educators. For example, Harvard Law School professor John Coates praised the bill as providing "a light touch 'disclose or comply' approach, preserving flexibility for companies to respond to cyber threats in a tailored and cost-effective way," while John Coffee, a professor at Columbia Law School, characterized the legislation as a "moderate and reasonable 'regulatory nudge' that pushes public companies to give greater attention to cybersecurity issues without mandating an inflexible board structure or insisting that 'one size fits all.'"

On the other end of the spectrum, critics have argued that experts of many kinds are valuable to a board of directors and that the legislation doesn't solve the problem of getting companies to allocate the necessary resources to address cybersecurity threats.

To read the Cybersecurity Disclosure Act of 2015, click here.

back to top