Financial Services Law

We’re From the Government and We’re Here to Ease Your Regulatory Burden

Why it matters

The Office of the Comptroller of the Currency (OCC) is trying to make life easier for community banks, Comptroller Thomas J. Curry recently explained in a speech, working on legislation that would lighten both regulatory and supervisory burdens. Curry said the OCC’s efforts are focused on three areas: creating a Volcker Rule exemption, reducing the frequency of exams for “healthy, well-managed community banks,” and making charters more flexible in a fashion similar to Massachusetts state law. He also encouraged community banks to take part in the information sharing of cyber threats and vulnerabilities through organizations like the Financial Services Information Sharing and Analysis Center. “[C]ommunity banks face many common challenges,” Curry said, emphasizing his agency’s “commitment to ensuring that regulatory compliance is no more burdensome than it must be to keep financial institutions, and the financial system generally, safe and sound. We recognize that regulatory burden is a pressing concern for resource-constrained community banks, which means practically all community banks.”

While the Comptroller has good intentions, these compliance tweaks do not address the real goal of community banks—to have immunity from almost all things Washington.

Detailed discussion

Addressing the Depositors Insurance Fund in Framingham, Massachusetts, Comptroller of the Currency Thomas J. Curry shared three different areas in which the Office of the Comptroller of the Currency (OCC) is working to ease the regulatory burden on community banks.

First up: The flexibility of banking charters. During the 1980s, the Massachusetts State Legislature tweaked the code “to make powers and investment authorities, as well as supervisory requirements, the same or comparable regardless of the type of banking charter,” Curry explained, allowing all Massachusetts-chartered banks to exercise those powers while retaining their own corporate structure.

“This flexibility enables Massachusetts banks to adapt their business strategies to changing business conditions and markets without having to go through the costly and time-consuming process of a charter conversion,” Curry told attendees. “It has given Massachusetts bankers the freedom to build a business on the traditional foundation of mortgage lending or to engage primarily in commercial lending, or some combination of the two. It has been your choice to make, based on the business strategy you see fit to adopt.”

To make the same system available to federal thrifts, the OCC has been working with congressional lawmakers to draft legislation “that would modify the provision of existing law that requires every savings association to devote a fixed percentage of its balance sheet to home mortgages,” Curry said. The change would enable federal thrifts to “diversify their loan portfolio, maintain their federal charter, and retain the OCC as their regulator.”

This change is limited to those now-OCC leftover charters from the old savings and loan industry where S&Ls received more favorable regulatory treatment if they met Congress’s homeownership goals by hitting the minimum “qualified thrift lender” percentages. Meanwhile, national and most state banks already have the flexibility to change their products and services to meet their business strategies—unless, of course, they stray into new loan or fee income products that their regulators (including the CFPB) don’t take kindly to, such as auto lending.

In addition to the initiative modeled on Massachusetts, Curry said the OCC has also been advocating for two additional items that would ease the regulatory pressure on community banks.

The agency supports a recently introduced bill that would raise the asset threshold from $500 million to $750 million, a move that would qualify more than 100 OCC-supervised banks and thrifts—and several hundred other institutions—for the extended 18-month examination cycle.

“We have long believed that healthy, well-managed community banks ought to qualify for the 18-month examination cycle,” the Comptroller noted, and the proposed legislation “would not only reduce the burden on those well managed institutions, it would also allow the federal banking agencies to focus our supervisory resources on those banks and thrifts that may present capital, managerial, or other issues of supervisory concern.”

This proposal is less of a regulatory relaxation than a recognition of the facts that growth happens and size changes. The old barometers for what was a community bank have moved over the decades from under $100 million in assets to $250 million, $500 million and more often now $1 billion and even $10 billion. Many community banks that were under $500 million in assets have grown in size precisely because they are well managed.

The third area “ripe for congressional action”: a community bank exemption from the Volcker Rule. “We do not believe it is necessary to include smaller institutions under the Volcker Rule in order to realize congressional intent, and we have recommended exempting banks and thrifts with less than $10 billion in assets,” Curry said. While there are no doubt a few aggressive outlier community banks dabbling in things Volcker, this exemption finally saves community banks the “prove the negative” compliance costs of confirming that Volcker rarely ever applied in any way to the operations of the typical community bank.

Curry also emphasized the importance of collaboration for community banks, whether working together with other community banks to obtain cost efficiencies in areas like marketing and employee benefits, or in sharing information about cyber threats and vulnerabilities.

As chairman of the Federal Financial Institutions Examination Council (FFIEC), Curry helped guide a 2014 pilot assessment of cyber security readiness at community institutions. This year, the FFIEC has developed an agenda based on the findings, he explained, including a formal position of encouraging financial institutions to join the Financial Services Information Sharing and Analysis Center (FS-ISAC) and share information about cyber threats.

Taking a page from the circumstances of the FFIEC’s founding, Curry said regulators “have learned that the challenges confronting the financial system require that all of us—state and federal supervisors alike—to work together, and that is what we are doing today. I would encourage financial institutions to embrace that lesson as well.”

Directing, not just encouraging, the sharing of data breach information with other banks and law enforcement agencies is long overdue and was hung up on privacy and sometimes national security concerns. Banks should also be able to share expertise and costs in other compliance areas where competition should not be an issue—such as the extremely costly enforcement world of BSA/AML compliance.

To read Comptroller Curry’s prepared remarks, click here.


Stepping on the Gas: FTC Operation Targets Auto Industry

Why it matters

Continuing its efforts to accelerate enforcement actions against fraudulent practices in the auto industry, the Federal Trade Commission (FTC) recently reported the results of its Operation Ruse Control. The new suits tackle issues, including deceptive advertising, fraudulent add-ons, and auto loan modification, with alleged violations ranging from the Federal Trade Commission Act to the Truth in Lending Act to the Consumer Leasing Act. Two of the new cases represent the first legal challenges filed by the agency involving add-ons as part of the FTC’s expanded authority over auto dealers under the Dodd-Frank Wall Street Reform and Consumer Protection Act. “For most people, buying a car is one of the largest purchases they’ll make,” Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, said in a statement. “Car ads must be truthful, loan terms must be clear, and dealer practices must be honest. That’s why our partners are working together to crack down on deceptive marketing about car sales, leasing and financing.” The auto industry has been on the radar of several regulators recently, from a suit filed by the Department of Justice alleging discriminatory lending to a proposal from the Consumer Financial Protection Bureau to begin supervising large, nonbank automobile lenders. Operation Ruse Control should remind all financial product providers, regardless of industry, that advertisements are being closely analyzed for potentially misleading or deceptive statements.

Detailed discussion

Working together with 32 other law enforcement authorities both in the United States and Canada, the Federal Trade Commission (FTC) has targeted lenders in the automobile industry with Operation Ruse Control. The agency has been involved in a total of 252 enforcement actions as part of the operation—187 in the U.S. and 65 in Canada.

With the goal of protecting consumers when purchasing or leasing a car, the authorities have made both civil and criminal charges ranging from deceptive marketing of car title loans to automotive loan application fraud to deceptive add-on fees.

Announcing the filing of six new cases, the FTC made use of its expanded authority over auto dealers under the Dodd-Frank Wall Street Reform and Consumer Protection Act for the first time in suits against National Payment Network, Inc. (NPN) and Matt Blatt Inc. (MB).

California-based NPN violated the Federal Trade Commission Act with a deceptive auto payment program, the FTC charged. Both in its network of dealerships as well as online, the defendant claimed that the program would save consumers money—but failed to disclose that it tacked on various “significant” fees that cancelled out any possible savings from the program, according to the administrative complaint. The fees averaged $775 on a standard five-year loan for items like a “Deferred Enrollment Fee” and a processing fee for every debit from a customer’s bank account.

As for the MB case, the Commission said the New Jersey dealerships similarly ran afoul of the FTC Act by failing to disclose the fees associated with its add-on service, despite claims that the payment program would save consumers money. For each consumer that enrolled in the program, MB dealerships received a commission, pressuring the defendant to sign consumers up, the agency said.

To settle the charges, NPN and MB agreed to consent orders prohibiting them from future misrepresentations that a payment program will save consumers money unless the amount of savings is greater than the total amount of fees and costs. Deceptive statements that the program can “improve, repair, or otherwise affect” a consumer’s credit record are also banned.

In addition, MB will pay $184,000 to the FTC while NPN promised to provide $1.5 million in refunds to consumers and waive $949,000 in fees to current customers.

Of the four other new cases filed by the FTC, three involve deceptive advertising. Cory Fairbanks Mazda, Jim Burke Nissan, and Ross Nissan tricked consumers with ads featuring attractive sales, leasing, or financing options. Fine print disclaimers revealed that the deals weren’t as good as they sounded, the agency said, and in some ads, the disclaimers failed to disclose relevant terms.

In one ad, Cory Fairbanks Mazda touted a 2014 Mazda for $12,995 with $0 down and monthly payments of just $169. But the fine print on the ad explained that the offer was contingent upon $3,000 down plus various fees.

For their alleged violations of the FTC Act, the Truth in Lending Act, and the Consumer Leasing Act, the dealerships must clearly and conspicuously disclose the terms of any deals and are prohibited from misrepresentations about any material facts related to the price, sale, financing, or leasing of a vehicle, such as purchase cost.

In the final case, the Commission filed a complaint in Florida federal court requesting a halt to the operations of Regency Financial Services and its CEO. The defendants charged customers up-front fees to negotiate an auto loan modification on their behalf and provided nothing in return in violation of the FTC Act and the Telemarketing Sales Rule, the agency claimed. Granting the motion, the court also froze the defendants’ assets. The FTC said it will pursue a permanent injunction against the defendants and attempt to recover ill-gotten gains for consumer refunds.

To read the complaints, consent decrees, and other court documents in the six cases, click here.


CFPB Proposes Regulation of Small Loans

Why it matters

The Consumer Financial Protection Bureau (CFPB) introduced a new proposal that would increase regulation of not only payday loans but also vehicle title loans and some types of installment loans. The sweeping proposal created two categories of loans within its scope: short-term credit products, which require full payback within 45 days, and longer-term loans if the lender has access to repayment from the borrower’s deposit account or paycheck or holds a security interest in the consumer’s vehicle and the annual percentage rate (APR) exceeds 36 percent. The Bureau suggested that for each category, lenders can choose between following preventative rules or complying with protective requirements. Preventative terms would mandate that lenders determine at the outset whether a consumer can repay the loan (including interest, principal, and fees) without reborrowing or defaulting. Under the protective option, lenders would face caps on the number of loans extended to borrowers and in some cases, limits on terms like the APR. Payment collection would also be impacted, with a rule setting a three-day advance notice requirement before a lender could submit a transaction to a consumer’s bank and allowing only two consecutive unsuccessful attempts to collect.

CFPB Director Richard Cordray called the “strong consumer protections” proposed “an important step toward ending the debt traps that plague millions of consumers across the country.” Although the Bureau recognized “consumers’ need for affordable credit,” the agency expressed concern “that the practices often associated with these products—such as failure to underwrite for affordable payments, repeatedly rolling over or refinancing loans, holding a security interest in a vehicle as collateral, accessing the consumer’s account for repayment, and performing costly withdrawal attempts—can trap consumers in debt.” However, a Small Business Review Panel will convene to consider the proposals and gather feedback from small lenders as the next step in the rulemaking process, and it is unclear what form final rules will ultimately take.

Detailed discussion

The Consumer Financial Protection Bureau (CFPB) released proposals to regulate various types of loans, including payday loans, certain installment loans, and vehicle title loans.

The Bureau’s proposal adopted two approaches—prevention and protection—to regulate two categories of loan: short-term products and longer-term products. Lenders have the option to “either prevent debt traps at the outset of each loan, or they could protect against debt traps throughout the lending process,” the CFPB explained.

Short-term credit products are defined as those that consumers must pay back in full within 45 days (such as deposit advance products, payday loans, and some open-end lines of credit and vehicle title loans). In the prevention category, lenders would be required to make a determination at the outset that a consumer can repay the loan, including interest, principal, and fees, without defaulting or reborrowing.

Lenders would need to verify various information about consumers, such as income, borrowing history, and major financial obligations, to make such a determination, the CFPB said. A 60-day cooling-off period between loans would be the general rule; for a second or third loan to occur within the two-month window, a lender must be able to document that a borrower’s financial circumstances have improved so that a new loan to reborrow money is not required. Lending would be halted for a 60-day period after three loans in a row.

In the protection option, lenders would be forced to limit the number of loans a borrower could take out in a row and within a yearlong period. For example, a borrower could not remain in debt on short-term loans for more than 90 days in a 12-month period and rollovers would be capped after three total loans with a 60-day cooling-off period to follow.

To fall under the scope of the CFPB’s regulations, longer-term credit products must last more than 45 days with the lender collecting payments through access to the consumer’s deposit account or paycheck or by holding a security interest in the consumer’s vehicle, with the all-in annual percentage rate (APR) topping 36 percent. The Bureau expects that certain vehicle title loans as well as installment and open-end loans will meet the criteria.

To adhere to the debt trap prevention requirements, longer-term products would similarly consider at the outset the consumer’s ability to repay without defaulting or reborrowing to ensure enough money exists to cover other major financial obligations and living expenses. If a consumer demonstrates problems affording the current loan, a lender would be prohibited from refinancing into another loan absent documentation that the consumer’s financial circumstances have improved enough to repay the loan.

On the protection end of the spectrum, the Bureau presented two approaches for longer-term products, with a minimum duration of 45 days and maximum of six months for the loan. One option would require lenders to provide roughly the same protections under the National Credit Union Administration’s program for “payday alternative loans,” such as a cap on interest rate at 28 percent and a limit of $20 for application fees. The second choice would allow a longer-term loan if the consumer’s monthly repayment amount is no more than 5 percent of the consumer’s gross monthly income, limited to two such loans within a 12-month period.

The CFPB also proposed restrictions on payment collection practices for both short-term and longer-term credit products. Three business days’ advance notice before submitting a transaction to a consumer’s bank, credit union, or prepaid account for payment would be instituted, a change the Bureau said “would help consumers better manage their accounts and overall finances.” Notice of impending payments made by electronic means—e-mail, text message, or via a mobile app—is under consideration.

In addition, lenders would be limited to two consecutive unsuccessful attempts to collect money from a consumer’s account absent consumer authorization, the Bureau proposed, which would limit fees incurred by multiple transactions “that exacerbate a consumer’s financial woes.”

To read a fact sheet summarizing the proposals, click here.

To read an outline of the proposals, click here.

To read the list of questions to provide feedback on the proposals, click here.


New York’s DFS Reports on Third-Party Cyber Security

Why it matters

A new report released by New York’s Department of Financial Services (DFS) detailed the vulnerabilities found in the relationships that many financial institutions have with their third-party vendors. Almost 1 in 3 of the 40 banking organizations surveyed do not require third-party vendors to notify the bank of cyber security breaches, the report found, while less than half conduct any on-site assessment of vendors. In a press release accompanying the report, DFS Superintendent Benjamin Lawsky said the regulator intends to move forward—in “the coming weeks”—with regulations “strengthening” the cyber security standards for third-party vendors, including possibilities related to the representations and warranties that banks receive from vendors about cyber security. “A bank’s cyber security is often only as good as the cyber security of its vendors,” Lawsky said in a statement. “Unfortunately, those third-party firms can provide a backdoor entrance to hackers who are seeking to steal sensitive bank customer data. We will move forward quickly, together with the banks we regulate, to address this urgent matter.” The DFS’s concern about vendors and third-party relationships is not unique to the agency—the Office of the Comptroller of the Currency issued guidance on the topic in December 2013 and took joint action with the Federal Deposit Insurance Corporation (FDIC) against two technology service providers based on “unsafe or unsound banking practices” in the performance of their services.

Detailed discussion

Last October, the New York DFS sent letters to 40 covered entities seeking information about their data security practices. The letters expressed concern about the “level of insight financial institutions have into the sufficiency of cybersecurity controls of their third-party service providers,” and requested any policies and procedures established by the bank as well as “any and all” protections against loss incurred as a result of an information security failure by a third-party service provider.

After compiling the responses, the Department “noted a number of common issues and concerns” and released the report to highlight the most critical points, breaking down its observations into the following four categories: (a) due diligence, (b) policies and procedures, (c) safeguarding sensitive data, and (d) loss protection. Of the 40 institutions surveyed, the report characterized those banks with less than $100 billion in assets as “small,” those with between $100 billion and $1 trillion as “medium,” and any bank with assets above $1 trillion as “large.”

The DFS requested information from each banking organization about any due diligence processes used to evaluate the adequacy of third-party service providers’ information security practices. Nearly all of the banks classified the vendors by risk, and 95 percent of those surveyed conduct risk assessments of at least the vendors considered to be high risk.

Typical classifications include high risk or material (those with access to sensitive bank or customer information, such as check or payment processors), while janitorial services and providers of office supplies are examples of low-risk vendors. Some banking organizations exempt individual consultants and professional service providers—such as lawyers—from their customary due diligence, the report noted.

While the specific requirements vary, 90 percent of those surveyed have information security requirements for their third-party vendors. Large institutions may mandate actions like data encryption and access controls while small institutions may institute more general standards, the DFS found.

On-site assessments of third-party vendors—even those classified as high risk—remain a requirement at a minority of institutions, according to the report, although almost all of the banks have policies and procedures that require reviews of information security practices both during vendor selection and as part of a periodic review.

Considering the policies and procedures governing relationships with third-party service providers, the DFS said all of the institutions surveyed have written vendor management policies, with most written and/or updated “within the last several years.” The majority of the banks mandate that vendors represent that they have established minimum information security requirements, but just 36 percent extend that requirement to subcontractors of third-party vendors.

Seventy-nine percent of the banking institutions maintain the right to audit their third-party vendors, but just over half (56 percent) require a warranty of the integrity of the third-party vendor’s data or products, with larger institutions more likely to ask for such a guarantee.

Of those institutions surveyed by the DFS, 30 percent “do not appear to require their third-party vendors to notify them in the event of an information security breach or other cyber security breach,” the report found.

In the category of protections for safeguarding sensitive data, the Department discovered that 90 percent of the banking organizations encrypt data transmitted to or from third parties. However, only 38 percent use encryption for data at rest, the DFS said. Multi-factor authentication (MFA) is more commonly used at large, foreign institutions, and generally required for third-party vendors that remotely access sensitive data or banking systems.

Finally, the DFS analyzed the surveyed institutions’ protections against loss incurred by third-party information security failures. Sixty-three percent of the surveyed banks (and 78 percent of large institutions) carry insurance that would cover cyber security incidents, according to the report, although less than half (47 percent) have policies that would cover information security failures by a third-party vendor. Only half of the banks surveyed require indemnification clauses in their agreements with third-party vendors.

“Based on the responses that the Department received, banking organizations appear to be working to address the cyber security risks posed by third-party service providers, although progress varies depending on the size and type of institution,” the report concluded.

To read the DFS report, click here.


eBay Facing Possible CFPB Lawsuit

Why it matters

A recent filing by eBay with the Securities and Exchange Commission (SEC) included some litigation news: the company may be facing a lawsuit from the Consumer Financial Protection Bureau (CFPB) over the lending services offered by its PayPal Credit unit (PayPal Credit was formerly known as Bill Me Later). The company revealed that the Bureau has been investigating PayPal Credit since 2013, including its “online credit products and services, advertising, loan origination, customer acquisition, servicing, debt collection and complaints handling practices.” The credit arm—which offers same-day credit to consumers making online purchases—has received multiple Civil Investigative Demands (CIDs) from the Bureau and could be facing an enforcement action and/or a consent order prior to June 30, 2015. Any CFPB enforcement action could have implications for other online lenders, including those relying on bank partner relationships, as PayPal Credit does.

Detailed discussion

In October 2013, eBay revealed in a filing with the Securities and Exchange Commission (SEC) that the Consumer Financial Protection Bureau (CFPB) had launched an investigation into the company’s Bill Me Later feature.

While the Bureau declined to take public action at that point, the company reported in an April SEC filing that in August 2014 and January 2015 the CFPB made additional Civil Investigative Demands (CIDs) requesting testimony and documents related to “the acquisition, management, and operation of our PayPal Credit products, including online credit products and services, advertising, loan origination, customer acquisition, servicing, debt collection, and complaints handling practices.”

The company said it has worked with the Bureau but could be facing a lawsuit as soon as the second quarter, with possibilities including fines, penalties, legal fees, and other substantial costs.

“We are cooperating with the CFPB in connection with the CIDs and exploring whether we may be able to resolve these inquiries,” the company said in the filing. “Resolution of these inquiries could require us to make monetary payments to certain customers, pay fines and/or change the manner in which we operate the PayPal Credit products, which could adversely affect our financial results and results of operations.”

eBay acquired PayPal Inc. for $1.5 billion in 2002. In 2008, eBay purchased Bill Me Later, Inc., for $945 million, which became known as PayPal Credit. The service offers instant credit for customers engaged in online transactions and charges no annual fee, offering promotional rates with no interest; the standard interest rate is 19.99 percent with the possibility of additional fees.

The company faced a class action from consumers after the acquisition of Bill Me Later contending the purchase created a monopoly for the online bidding site. A subsequent civil suit claimed that eBay and Bill Me Later violated consumer protection laws by charging usurious interest rates and illegal penalty fees. A Utah federal court judge dismissed the suit last year, finding the claims were preempted by the Federal Deposit Insurance Act.

A potential lawsuit isn’t the only problem eBay may have with the CFPB. The filing also noted that PayPal—which will separate from eBay to form two publicly traded companies later this year—faces increased regulatory oversight as a result of new Bureau regulations on companies that make at least one million international money transfers annually. An initial exam by the CFPB is expected in the current quarter. In addition, the prepaid card rule proposed by the Bureau last November would also apply to PayPal.

To read eBay’s SEC filing, click here.




pursuant to New York DR 2-101(f)

© 2022 Manatt, Phelps & Phillips, LLP.

All rights reserved