Compliance Update, Fourth Quarter 2022

September 29, 2022 | Industry Updates

Supervisory Guidance on Multiple Re-Presentment Non-Sufficient Funds (NSF) Fees

The Federal Deposit Insurance Corporation (FDIC) is issuing guidance to FDIC-supervised institutions to address certain consumer compliance risks associated with assessing multiple NSF fees arising from the re-presentment of the same unpaid transaction. Additionally, the FDIC is sharing its supervisory approach when a violation of law is identified, as well as expectations for full corrective action.

Statement of Applicability: The contents of, and material referenced in, this financial institution letter (FIL) apply to all FDIC-supervised financial institutions.

Highlights:

  • Many financial institutions charge NSF fees when checks or automated clearing house (ACH) transactions are presented for payment, but cannot be covered by the balance in a customer’s transaction account. After a transaction is declined, merchants may subsequently resubmit it for payment.
  • Some financial institutions charge additional NSF fees for the same transaction when a merchant re-presents a check or ACH transaction on more than one occasion after the initial unpaid transaction was declined. In these situations, there is an elevated risk of violations of law and harm to consumers.
  • The FDIC has identified violations of law when financial institutions charged multiple NSF fees for the re-presentment of unpaid transactions because disclosures did not fully or clearly describe the financial institution’s re-presentment practice, including not explaining that the same unpaid transaction might result in multiple NSF fees if an item was presented more than once.
  • Practices involving the charging of multiple NSF fees arising from the same unpaid transaction result in heightened risks of violations of Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices (UDAP). Third parties, including core processors, often play significant roles in processing payments, identifying and tracking re-presented items, and providing systems that determine when NSF fees are assessed. Such third-party arrangements may also present risks if not properly managed. There may also be heightened litigation risk. Numerous financial institutions, including some FDIC-supervised institutions, have faced class action lawsuits alleging breach of contract and other claims because of the failure to adequately disclose re-presentment NSF fee practices in their account disclosures.
  • Financial institutions are encouraged to review their practices and disclosures regarding the charging of NSF fees for re-presented transactions. The FDIC has observed some risk-mitigation practices financial institutions implemented to reduce the risk of consumer harm and potential violations.
  • The FDIC will take appropriate action to address consumer harm and violations of law when exercising its supervisory and enforcement responsibilities regarding re-presentment NSF fee practices.

https://www.fdic.gov/news/financial-institution-letters/2022/fil22040.html

Joint Statement on the Risk-Based Approach to Assessing Customer Relationships and Conducting Customer Due Diligence (CDD)

The FDIC, the Board of Governors of the Federal Reserve System, the Financial Crimes Enforcement Network, the National Credit Union Administration, and the Office of the Comptroller of the Currency (collectively, the Agencies), are issuing a joint statement to remind banks of the risk-based approach to assessing customer relationships and conducting CDD.

Statement of Applicability: The contents of, and material referenced in, this FIL apply to all FDIC-supervised financial institutions.

Highlights:

  • The Agencies are reinforcing a longstanding position that no customer type presents a single level of uniform risk or a particular risk profile related to money laundering (ML), terrorist financing (TF), or other illicit financial activity.
  • Customer relationships present varying levels of ML, TF, and other illicit financial activity risks, and the potential risk to a bank depends on the presence or absence of numerous factors, including facts and circumstances specific to the customer relationship. Banks must apply a risk-based approach to CDD when developing the risk profiles of their customers.
  • Banks that operate in compliance with applicable Bank Secrecy Act/anti-money laundering (BSA/AML) legal and regulatory requirements, and effectively manage and mitigate risks related to the unique characteristics of customer relationships, are neither prohibited nor discouraged from providing banking services to customers of any specific class or type.
  • The Agencies do not direct banks to open, close, or maintain specific accounts as a general matter. The Agencies continue to encourage banks to manage customer relationships and mitigate risks based on customer relationships, rather than decline to provide banking services to entire categories of customers.
  • This statement applies to all customer types referenced in the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual as well as those customer types not specifically addressed in this manual. The FFIEC BSA/AML Examination Manual, including sections on certain customer types, provides guidance to examiners for carrying out BSA/AML examinations and assessing a bank’s compliance with the BSA; it does not establish requirements for banks. Further, the inclusion of sections on specific customer types in this manual is not intended to signal that certain customer types should be considered uniformly higher risk.

https://www.fdic.gov/news/financial-institution-letters/2022/fil22028.html

Notice and Request for Comment on Proposed Interagency Policy Statement on Prudent Commercial Real Estate Loan Accommodations and Workouts

The Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the National Credit Union Administration (collectively, the Agencies) published a request for comment on a proposed interagency policy statement on commercial real estate loan accommodations and workouts.

Highlights:

The agencies seek comment on the proposed interagency policy statement, which:

  • addresses risk management elements for short-term commercial real estate loan accommodations.
  • addresses risk management elements for longer-term and more complex loan workout accommodations.
  • explains loan classifications for loans with workout accommodations.
  • addresses preparation of regulatory reports and accounting considerations for reporting modified loans.
  • provides appendixes that explain
    • examples of loan workout arrangements.
    • valuation concepts for income-producing real estate.
    • relevant accounting and regulatory guidance on the incurred loss and current expected credit loss (CECL) methodologies.

https://www.occ.gov/news-issuances/bulletins/2022/bulletin-2022-19.html

Consumer Financial Protection Bureau (CFPB) Takes Action to Protect the Public from Shoddy Data Security Practices

Financial companies may be held liable for unfairly putting customers’ data at risk.

The CFPB confirmed in a circular published August 11, 2022, that financial companies may violate federal consumer financial protection law when they fail to safeguard consumer data. The circular provides guidance to consumer protection enforcers, including examples of when firms can be held liable for lax data security protocols.

“Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse,” said CFPB Director Rohit Chopra. “While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data.”

The CFPB is increasing its focus on potential misuse and abuse of personal financial data. As part of this effort, the CFPB circular explains how and when firms may be violating the Consumer Financial Protection Act with respect to data security. Specifically, financial companies are at risk of violating the Consumer Financial Protection Act if they fail to have adequate measures to protect against data security incidents.

Past data security incidents, including the 2017 Equifax data breach, have led to the harvesting of the sensitive personal data of hundreds of millions of Americans. In some cases, these incidents violated the Consumer Financial Protection Act, in addition to other laws. For example, in 2019, the CFPB charged Equifax with violating the Consumer Financial Protection Act to address misconduct related to data security.

The circular also provides examples of widely implemented data security practices. It does not suggest that particular security practices are specifically required under the Consumer Financial Protection Act. However, the circular notes some examples where the failure to implement the following data security measures might increase the risk that a firm’s conduct triggers liability under the Consumer Financial Protection Act, including:

  • Multi-factor Authentication: Multi-factor authentication greatly increases the level of difficulty for adversaries to compromise enterprise user accounts, and thus gain access to sensitive customer data. Multi-factor authentication methods, such as those using the Web Authentication standard supported by web browsers, can protect against credential phishing.
  • Adequate Password Management: Unauthorized use of passwords is a common data security issue, as is the use of default enterprise logins or passwords. Username and password combinations can be sold on the dark web or posted for free on the internet, creating risk of future breaches. For firms that are still using passwords, password management policies and practices allow for ways to monitor for breaches at other entities where employees may be reusing logins and passwords.
  • Timely Software Updates: Software vendors and creators, including open-source software libraries and projects, often send out patches and other updates to address continuously emerging threats. Upon announcement of these updates to address vulnerabilities, hackers immediately become aware that firms using older versions of software are potential targets to exploit. Protocols to immediately update software and address vulnerabilities once they become publicly known can reduce vulnerabilities.

https://www.consumerfinance.gov/about-us/newsroom/cfpb-takes-action-to-protect-the-public-from-shoddy-data-security-practices/

Financial Crimes Enforcement Network (FinCEN) Issues Advisory on Elder Financial Exploitation: Urges Financial Institutions to Aid in Combatting Growing Threat

FinCEN is issuing an advisory to alert financial institutions to the rising trend of elder financial exploitation (EFE). EFE involves the illegal or improper use of an older adult’s funds, property, or assets, and is often perpetrated either through theft or scams. The advisory highlights new EFE typologies and red flags since FinCEN issued its first advisory on the issue in 2011.

“FinCEN is proud to support World Elder Abuse Awareness Day and call attention to a concerning and tragic rise in elder financial exploitation. Older adults should not have to endure abuse by criminals who seek to defraud them of their lifelong savings, or who wish to lure them into scams or schemes under false pretenses,” said FinCEN Acting Director Himamauli Das. “Financial institutions serve on the frontlines in protecting their older customers’ finances, and can play a critical role in helping to identify, prevent, and report suspected elder financial exploitation. Financial institutions’ vigilance matters. Their reporting matters.”

In 2021, financial institutions filed 72,000 Suspicious Activity Reports (SARs) related to EFE. As referenced in the advisory, this represents an increase of 10,000 SARs over the previous year’s filings. The Consumer Financial Protection Bureau (CFPB)’s estimate of the dollar value of suspicious transactions linked to EFE has similarly increased—from $2.6 billion in 2019 to $3.4 billion in 2020. This is the largest year-to-year increase since 2013.

FinCEN’s EFE advisory highlights behavioral and financial red flags to aid financial institutions with identifying, preventing, and reporting suspected EFE. In line with the risk-based approach to compliance with the Bank Secrecy Act, financial institutions should perform additional due diligence where appropriate and remain alert to any suspicious activity that could indicate that their customers are perpetrators, facilitators, or victims of EFE.

In addition to filing a SAR, FinCEN recommends that financial institutions refer their older customers who may be victims of EFE to the Department of Justice’s National Elder Fraud Hotline at 833-FRAUD-11 or 833-372-8311 for assistance with reporting suspected fraud to the appropriate government agencies. For educational resources on EFE and scams targeting older adults, please see the CFPB’s Office for Older Americans.

https://www.fincen.gov/news/news-releases/fincen-issues-advisory-elder-financial-exploitation