Last week, the OCC released its Semiannual Risk Assessment for Fall 2017 highlighting credit, operational, and compliance risks to the federal banking system.  In addition to easing in commercial credit underwriting processes, the increasing complexity of cybersecurity threats, and ongoing challenges in complying with Bank Secrecy Act (BSA) requirements, the other key risks identified by the OCC were increasing concentration in third-party service providers for critical operations and challenges in consumer compliance risk management for banks due to the increasing complexity in consumer compliance regulations.  Among the report’s important takeaways is that, despite the CFPB’s recent deregulatory initiatives, financial institutions, particularly banks, continue to face enforcement and supervisory risk resulting from insufficient attention to regulatory compliance.

Operational risk resulting from use of third-party service providers.  The OCC indicated that banks’ increasing use of third-party service providers and the emergence of new products and services offered through financial technology companies or other industry collaborations warrant heightened supervisory focus. The OCC observed that many banks have become increasingly reliant on third-party service providers to support key operations and, as a result of increased consolidation among significant providers, large numbers of banks, especially community banks, are relying on a smaller group of third parties providing critical applications.

The OCC stated that its examiners have identified instances of concentration of third-party services for specialized services, such as merchant card processing.  The OCC acknowledged that banks can achieve greater economies of scale and better manage operations than they could do individually by having access to technical resources provided by third-party service providers.  At the same time, the OCC cautioned that increased use of a limited number of such providers “can create concentrated points of failure resulting in systemic risk to the financial sector that banks can address through appropriate due diligence and oversight.”

Compliance risk.  The OCC observed that new or amended regulations create challenges to bank change management processes and increase operational, compliance, and reputation risks.  As examples of such changes, the OCC identified the integrated mortgage disclosure requirements under the Truth in Lending Act and the Real Estate Settlement Procedures Act, as well as the new requirements under the amended regulations implementing the Home Mortgage Disclosure Act (HMDA) and the Military Lending Act (MLA).

The OCC also noted that the challenge for banks to comply with BSA requirements persists due to the dynamism of money laundering and terrorism-financing methods. The OCC stated that bank offerings using new or evolving delivery channels may increase customer convenience and access to financial products and services, but banks need to maintain a focus on refining or updating BSA compliance programs to address any vulnerabilities created by these new offerings, which criminals can exploit.

The OCC noted that the TILA, RESPA, and MLA requirements apply to the majority of OCC-supervised institutions.  It stated that despite the integrated mortgage disclosure requirements’ October 2015 effective date, the OCC continues to identify instances where banks have not fully implemented such requirements.  It noted that common supervisory concerns include the accuracy of loan estimates and closing disclosures and inaccurate timing and tolerance violations.

With regard to HMDA, the OCC commented that changes to HMDA require banks to significantly enhance their data collection and reporting systems in 2017 and 2018 to meet their compliance obligations.  It also stated that the CFPB’s recent announcement that it intends to engage in a rulemaking to reconsider various aspects of the revised HMDA rules could result in further HMDA-reporting change management by banks.

With regard to the MLA, the OCC observed that the amended MLA regulation expands the protections provided to servicemembers and their families, covers a wider range of credit products, and is more inclusive than TILA “finance charges” for purposes of the types of charges that must be counted toward the MLA 36 percent rate limit.  It noted that the amendments have the potential for significant compliance, credit, and reputation risk exposure, including the voiding of the credit agreement.

The OCC also made the observation that banks have increasing operational and compliance risk exposure due to strains on the resources needed to effectively support the volume and frequency of regulatory changes and manage existing compliance programs.  The OCC reminded management of the need to identify and understand the risk exposure associated with these resource challenges and address them appropriately.  It warned that failure to do so could have negative impacts on the effectiveness of compliance risk management systems to ensure regulatory compliance and fair treatment of customers and also reminded management of the need to conduct sound due diligence and maintain sufficient oversight when relying on third parties to provide or service bank products.

The DOJ has filed a response to the emergency motion filed by Leandra English with the U.S. Court of Appeals for the D.C. Circuit requesting expedited briefing and oral argument in her appeal from the district court’s denial of her preliminary injunction motion.

In her motion, Ms. English argued that even without the “special circumstances” presented by her case, her appeal is entitled to expedited consideration under federal law (28 U.S.C. section 1657(a)) and D.C. Circuit rules.  While agreeing that the authorities cited by Ms. English provide for expedited consideration of her appeal and stating that it has no objection to the Court scheduling oral argument “as expeditiously as possible,” the DOJ asserts in its response that “expedited consideration does not require an abbreviated briefing schedule.”

Under the briefing schedule proposed by Ms. English in her motion, the DOJ would have 14 days to respond to her opening appellate brief.  The DOJ opposes her proposed schedule, arguing that it should be allowed the normal 30-day period to respond to her opening brief.

It further argues that even if there is reason to shorten the DOJ’s briefing time, it should not have less than 20 days because Ms. English proposes that she be given 20 days [after the district court issued its decision] to file her opening brief.  (The district court issued its decision denying Ms. English’s preliminary injunction motion on January 10.  Under her proposed briefing schedule, she would be required to file her opening brief by January 30.)

We are pleased to announce that Ballard Spahr has launched CyberAdviser, a new blog focused on the latest news and developments in privacy and cybersecurity law.  It will offer insights into the latest transactional, governance and compliance matters, investigations, civil and criminal litigation, regulatory and legislative developments, industry trends, emerging technologies, and other cyber issues.

CyberAdviser is produced by the members of Ballard’s Privacy and Data Security Group—a nationwide team of more than 50 attorneys who provide a wide range of legal services to help clients identify, manage, and mitigate cyber risk.  Please visit the blog and subscribe to receive regular updates.

Last week, the OCC released its semiannual risk report highlighting credit, operational, and compliance risks to the federal banking system.  The report focuses on issues that pose threats to those financial institutions regulated by the OCC and is intended to be used as a resource by those financial institutions to address the key concerns identified by the OCC.  Specifically, the OCC placed cybersecurity and anti-money laundering (AML) issues among the three top concerns highlighted in the report.

The OCC called for banks to remain vigilant against the operational risks that arise from efforts to adapt business models, transform technology and operating processes, and respond to increasing cybersecurity threats.  The OCC stated that:

  • “The speed and sophistication of cybersecurity threats are increasing. Banks continually face threats seeking to exploit bank personnel, processes, and technology. These threats target large quantities of personally identifiable information and proprietary intellectual property and facilitate fraud and misappropriation of funds at the retail and wholesale levels.”
  • “Phishing is a primary method for breaching data systems and often leads to other malicious activity, such as installing ransomware, compromising internal systems to effect payments, or conducting espionage. Effective user awareness campaigns and training help prevent phishing attacks. Timely and thorough software patch and system update management, strong risk-based authentication, employee training, and effective network segmentation can prevent further damage if intrusions succeed.”
  • “The number, nature, and complexity of third-party relationships continue to expand, increasing risk management challenges for banks. Financial technology companies providing innovative financial products and services introduce opportunities, as well as potential risk, for banks.”
  • “Consolidation among larger service providers has increased third-party concentration risk, in which a limited number of providers service large segments of the banking industry for certain products and services. Operational events at these larger service providers can potentially affect wide segments of the financial industry.”
  • “The volume of products and services and the complexity of end-to-end processes for delivery in larger, complex banks are key drivers influencing the current level of operational risk. Insufficient monitoring and limited internal testing have failed to detect product and service delivery disruptions, resulting in slowed responses by banks and prolonged impact to customers. This condition is especially true of banks with legacy or disparate management information systems and risk management programs that may be ineffective.”

The OCC also called for banks to address the compliance risks related to managing money laundering risks in an increasingly complex risk environment. The OCC stated that:

  • “The challenge for banks to comply with Bank Secrecy Act (BSA) requirements persists due to dynamism of money laundering and terrorism-financing methods. Also, bank offerings using new or evolving delivery channels may increase customer convenience and access to financial products and services, but banks need to maintain a focus on refining or updating BSA compliance programs to address any vulnerabilities created by these new offerings, which criminals can exploit.”
  • “In addition, BSA and anti-money laundering (AML) compliance risk management systems may not keep pace with evolving risks, constraints on resources, changes in business models, and an increasingly complex risk environment.”
  • “New and amended regulations strain bank change management processes and compliance management systems, which increases operational, compliance, and reputation risks. These changes include the integrated mortgage disclosures under the Truth in Lending Act (TILA) and the Real Estate Settlement Procedures Act (RESPA), as well as the new requirements under the amended regulations implementing the HMDA and the MLA.”
  • “Many banks face difficulties validating processes and systems that rely on software, automated tools, disclosure forms, and third-party relationships to process loan applications, create and distribute disclosures, and underwrite and close loans. Sound risk management practices should include maintaining processes and systems that are sufficient to identify covered borrowers and loan products, producing accurate calculations and required disclosures, and incorporating other required protections.”
  • “Some banks have difficulty fully and accurately implementing the significant system and operational changes necessary for the integrated mortgage disclosure forms—Loan Estimate and Closing Disclosure—required for most mortgage loans secured by real property… Banks need consumer compliance risk management and audit functions sufficient to promote ongoing compliance with the regulation.”

The FTC has released its annual report summarizing its activity during 2017 relating to privacy and data security issues.  In its self-declared role as “the nation’s primary privacy and data security enforcer,” the FTC outlines 10 privacy cases and 4 data security cases that it brought in 2017, including Uber Technologies (transportation service), Vizio (television manufacturer), Blue Global (lead generator), Upromise (college rewards program), ACDI Group (an alleged debt buyer), TaxSlayer (tax preparation service), and D-Link (wireless routers and Internet cameras).  In addition, the FTC also brought its first actions to enforce the EU-US Privacy Shield in 2017.  The FTC report also described its activities relating to international enforcement, children’s privacy, and Do-Not-Call.

The FTC also highlighted its advocacy efforts, workshops, and publications, many of which focus on what are likely future areas of FTC enforcement, such as privacy and security concerns with IoT devices, payment systems, artificial intelligence and blockchain technologies, connected cars, and student privacy.  One of the FTC’s new publications of note is its Stick with Security blog series, which offers periodic insights into key takeaways from recent law enforcement actions, closed investigations, and experiences of companies.  The FTC report also demonstrated that the agency is attempting to be flexible in light of the changing nature of identity theft, informational injuries, and modern technologies while remaining vigilant in its mission to protect consumers.  Companies should similarly remain cognizant of the FTC’s role as “one of the most active privacy and data security enforcers in the world.”

On December 1, 2018, three Democrat and three Republican members of the House of Representatives introduced a joint resolution under the Congressional Review Act (H.J. Res. 122) to override the CFPB’s final payday/auto title/high-rate installment loan rule.  The CRA is the vehicle used by Congress to overturn the CFPB’s arbitration rule in a party-line vote.

In a new blog post entitled “7 Reasons to Oppose the Federal Payday Loan Rule,” a policy analyst at the Competitive Enterprise Institute supports use of the CRA to overturn the payday loan rule.  Among the seven reasons discussed in the blog are that the rule leaves low-to-middle income consumers without access to credit, payday loan users overwhelmingly approve of the product, and the rule is built on a flawed theory of consumer harm.

The CFPB’s final payday rule became “effective” this past Tuesday, January 16, 2018.  However, the compliance date for the rule’s substantive requirements and limits (Sections 1041.2 through 1041.10), compliance program/documentation requirements (Section 1041.12), and prohibition against evasion (Section 1041.13) is August 19, 2019.  While the CFPB announced yesterday that it intends to engage in a rulemaking process to reconsider the final rule, it normally cannot do so without following the time-consuming notice and comment procedures of the Administrative Procedure Act.  In addition, since any changes made by the CFPB are likely to be challenged in litigation, the CFPB will need to successfully defend a revised rule or its withdrawal of the existing rule.

Given the hurdles created by the rulemaking process, the CRA provides a “cleaner” and quicker vehicle for overturning the final rule.  Republican Congressman Dennis Ross, one of the CRA resolution’s sponsors, is reported to have said that despite the CFPB’s announcement, he intends to continue to seek passage of the resolution by Congress.

Both high-rate loans covered by the final rule and the final rule itself are highly controversial.  Accordingly, there can be no assurance that the majorities needed to override the rule under the CRA can be assembled in both the House and the Senate.  Nevertheless, whether through the CRA, new rulemaking, or litigation, we continue to expect that the final rule adopted under former CFPB Director Richard Cordray will not be implemented in anything approaching its current form.

Mick Mulvaney, President Trump’s appointee as CFPB Acting Director, has sent a letter to Fed Chair Janet Yellen “to inform [her] that for the Second Quarter of Fiscal Year 2018, the Bureau is requesting $0.” (emphasis included).

Pursuant to Section 1017(a)(1) of the Dodd-Frank Act, subject to the Act’s funding cap, the Fed is required to transfer to the CFPB on a quarterly basis “the amount determined by the [CFPB] Director to be reasonably necessary to carry out the authorities of the Bureau under Federal consumer financial law, taking into account such other sums made available to the Bureau from the preceding year (or quarter of such year.)”

In his letter, Mr. Mulvaney states that he has been assured that the current balance of the CFPB’s fund at the Federal Reserve Bank of New York is sufficient for the CFPB “to carry out its statutory mandates for the next fiscal quarter while striving to be efficient, effective, and accountable.”  Mr. Mulvaney indicates that the CFPB’s projected second quarter expenses are approximately $145 million and its current balance at the New York Fed is $177.1 million.

Mr. Mulvaney suggests that there is no statutory support for the CFPB’s practice under former Director Cordray of maintaining a “reserve fund” for possible financial contingencies.  He states further that he sees “no practical reason for such a large reserve, since I have been informed that the Board has never denied a Bureau request for funding and has always delivered requested funds in a timely fashion” and that he intends “to spend down the reserve until it is of a much smaller size.”

Mr. Mulvaney concludes his letter with the observation that while the approximately $145 million in CFPB expenses he plans to pay from the CFPB’s reserve rather than seek new funding for “may not make much of a dent in the deficit, the men and women at the Bureau are proud to do their part to be responsible stewards of taxpayer dollars.”

The Department of Education, in an issue paper submitted as part of negotiated rulemaking on its final “borrower defense” rule, is proposing to require schools that use pre-dispute arbitration agreements and class action waivers in agreements with students to provide disclosures to students regarding their use of such agreements and waivers.

The ED’s proposed approach represents a reversal of the ED’s position under the Obama Administration.  In its final “borrower defense” rule issued in November 2016, the ED banned the use of pre-dispute arbitration agreements by schools receiving Title IV assistance under the Higher Education Act.  The final rule also prohibited a school from relying on such an agreement to block the assertion of a borrower defense claim in a class action lawsuit.

In November 2017, the ED announced that it was postponing “until further notice” the July 1, 2017 effective date of various provisions of the final rule, including the rule’s provisions banning the use of arbitration agreements and reliance on such agreements to block class claims.  At that time, the ED also announced that it planned to establish two negotiated rulemaking committees, with one committee to develop proposed regulations to revise the “borrower defense” rule and the other to develop proposed revisions to the “gainful employment” rule that became effective in July 2015 and includes requirements for schools to make various disclosures such as graduation rates, earnings of graduates, and student debt amounts.

The U.S. District Court for the Southern District of New York recently held oral argument regarding the pending motions in Lower East Side People’s Federal Credit Union v. Trump and Mulvaney.  Pending before the Court are the credit union’s motion for a preliminary injunction and the government’s motion to dismiss.  As we’ve reported previously, this is the second lawsuit challenging the appointment of Mick Mulvaney as CFPB Acting Director.

At the beginning of the proceeding, Judge Paul G. Gardephe indicated that he would like the parties to focus on the standing issue.  Standing is, of course, a threshold issue because the judicial power under Article III of the U.S. Constitution extends only to a “case or controversy” involving an alleged “injury-in-fact” that is “fairly traceable to the challenged action” and redressable by a favorable decision.  According to the brief filed by the DOJ, “[a]ll Plaintiff’s [opening] brief offers on standing is six words in a footnote: ‘Plaintiff is regulated by the CFPB.’”  The DOJ’s brief and the credit union’s reply brief devoted significant attention to the standing issue.

Ilann M. Maazell, arguing on behalf of the credit union, asserted that the primary source of standing was the credit union’s status as an entity regulated by the CFPB.  He relied, in part, on State National Bank of Big Spring v. Lew, a 2015 decision of the D.C. Circuit involving, inter alia, a constitutional challenge by State National Bank to the CFPB’s structure and Richard Cordray’s recess appointment as CFPB Director.  In State National Bank, the D.C. Circuit observed that “[t]he Supreme Court has stated that ‘there is ordinarily little question’ that a regulated individual or entity has standing to challenge an allegedly illegal statute or rule under which it is regulated.”  The Court inquired, however, whether the D.C. Circuit had subsequently “walked that back” in John Doe Co. v. CFPB, 849 F.3d 1129 (D.C. Cir. 2017).

In John Doe, the recipient of a CFPB non-self-executing civil investigative demand sought to challenge the constitutionality of the Bureau’s structure without objecting to any regulatory measure taken by the Bureau or identifying other regulatory burdens to which it objected.  The district court denied John Doe’s request for a preliminary injunction, holding that the plaintiff had not met its burden of demonstrating a likelihood of success on the merits or irreparable harm.  John Doe then filed with the D.C. Circuit an emergency motion for an injunction pending appeal.  In John Doe, the D.C. Circuit quoted Supreme Court precedent for the proposition that standing is not dispensed “in gross” but, rather, a plaintiff “must demonstrate standing for each claim he seeks to press and for each form of relief that is sought.”  It stated that the plaintiff had failed “to demonstrate that the action of merely requesting information from private entities subject to regulation is . . . exclusively confined to the Executive Branch, and thus that issuance of this CID by the Bureau violates separation of powers.”

Plaintiff’s counsel asserted that it was not clear that the plaintiff in John Doe, a company engaged in the business of purchasing and selling income streams, was a regulated entity.  He further argued that John Doe involved a pre-enforcement challenge in which the question presented was whether the district court had abused its discretion in determining that the plaintiff had not demonstrated a likelihood of success on the merits and irreparable harm.  With respect to the notion that “standing is not dispensed in gross,” Plaintiff’s counsel asserted that this is not the case with respect to a regulated entity, and suggested that the holding in John Doe was not based upon a lack of standing.  He further argued that the credit union was not required to violate the law in order to create standing.

The other decisions cited by Plaintiff’s counsel were Olympic Fed. Savs. & Loan Ass’n v. Dir., Office of Thrift Supervision, 732 F. Supp. 1183 (D.D.C.), appeal dismissed and remanded, 903 F.3d 837 (D.C. Cir. 1990), and Free Enter. Fund v. Pub. Co. Accounting Oversight Board, 561 U.S. 447 (2010).  In its reply brief, the credit union had cited Olympic Fed. Savs. & Loan Ass’n for the proposition that a regulated entity was directly harmed by the assertedly unconstitutional appointment of an Acting Director of the Office of Thrift Supervision (OTS).  According to the credit union’s reply brief, the district court awarded injunctive relief that “was rendered moot by the subsequent constitutional appointment of the OTS Director.”

Free Enterprise Fund involved a challenge to the constitutionality of the Sarbanes-Oxley Act provision that created the Public Company Accounting Oversight Board and, in particular, the issue of whether the district court had jurisdiction over the proceeding notwithstanding a Securities Exchange Act provision that only allowed aggrieved parties to challenge a final SEC order or rule in a court of appeals.  In its reply brief, the credit union cited Free Enterprise Fund for the proposition that it need not select and challenge a rule at random while simultaneously noting that Free Enterprise Fund involved a general challenge that was collateral to any agency rules from which review might be sought.  Its reply brief also argued that John Doe had distinguished Free Enterprise Fund as a case where “denying standing would ‘foreclose all meaningful judicial review,’ as it would here, where plaintiff has no other forum.”

Plaintiff’s counsel also referred to another source of standing, namely amendments to Regulation C, the implementing regulation for the Home Mortgage Disclosure Act, that became effective on January 1, 2018.  Although the Regulation C amendments were not adopted under Acting Director Mulvaney, Plaintiff’s counsel stated that they are being implemented by the Acting Director and would cause the credit union to incur additional compliance costs.  In response to a question from the Court, Plaintiff’s counsel indicated that the credit union did not object to the regulation.  He asserted, however, that a regulated entity does not need to object to a regulation in order to have standing.  The credit union was granted permission to submit a declaration regarding its standing allegations relating to Regulation C.

Finally, in its reply brief, the credit union had argued that it was unable to engage in long-range planning concerning its HMDA reporting obligations due to uncertainty stemming from the Bureau’s recent announcement that it intends to reconsider various aspects of Regulation C.  Plaintiff’s counsel asserted that none of the cases cited by the DOJ for the proposition that uncertainty does not confer standing involved a regulated entity.

Matthew J. Berns, arguing for the DOJ, asserted that no case cited by the credit union supports the proposition that uncertainty confers standing and, in response to the Plaintiff’s contrary assertion, noted that one of the cases cited by the defendant, New England Power Generators Ass’n, Inc. v. FERC, 707 F.3d 364 (D.C. Cir. 2013), did, in fact, involve a regulated entity.  He also disputed the assertion that State National Bank was predicated solely on the status of the bank as a regulated entity.  Defense counsel asserted, rather, that the decision acknowledged that the bank incurred compliance costs as a result of the CFPB Remittance Rule.  (State National Bank noted that “[t]he Bank indeed alleged that it must now monitor its remittances to stay within the safe harbor [under the CFPB Remittance Rule], and the monitoring program causes it to incur costs.”)

Defense counsel also noted that the plaintiff in John Doe had not objected to any CFPB regulation.  (In John Doe, the D.C. Circuit appears to have distinguished State Bank on the basis that John Doe did not object to any regulatory action or identify any regulatory burdens other than “the harm occasioned by having to respond to a non-self-executing CID.”)  Finally, he emphasized that Supreme Court standing jurisprudence requires an injury-in-fact that is concrete and particularized, and actual or imminent.  Whereas plaintiff’s counsel had characterized this as a quintessential standing case in which the injury consisted of being regulated by a person without the authority to regulate the credit union, defense counsel argued that this type of asserted injury was too generalized to constitute an “injury-in-fact.”

The Court asked defense counsel who would have standing to challenge the appointment of Mulvaney as Acting Director if the credit union did not have standing.  Defense counsel responded by noting that the defendants had not asserted a lack of standing in the counterpart challenge filed by Leandra English in the District of Columbia.  He further noted that a proper party could litigate the issue in a pre-enforcement challenge to a regulation or regulatory action.

Although the Court did not hear argument on the merits issues, the credit union was granted permission to submit a short letter addressing the decision by Judge Timothy J. Kelly denying the motion for a preliminary injunction by Leandra English in the D.C. lawsuit.  This submission, and the credit union’s supplemental standing declaration relating to the HMDA regulation, are due to be filed by January 19, 2018; the Defendants’ reply is due to be filed on January 24, 2018.  The Court indicated that it would rule as expeditiously as possible once the record closes.

The CFPB announced that, in coming weeks, it plans to publish in the Federal Register a series of Requests for Information (RFIs) seeking comment on its enforcement, supervisory, rulemaking, market monitoring, and educational activities.

Describing its plans as “a call for evidence to ensure the Bureau is fulfilling its proper and appropriate functions to best protect consumers,” the CFPB stated that the RFIs are intended to provide “an opportunity for the public to submit feedback and suggest ways to improve outcomes for both consumers and covered entities.”

The CFPB also announced that its first RFI will seek comment on Civil Investigative Demands (CIDs), and the comments received will be used to evaluate current CID processes and procedures and determine whether any changes are needed.

According to Mick Mulvaney, President Trump’s appointee as Acting Director, the RFIs are part of the CFPB’s efforts “under new leadership…to critically examine its policies and practices to ensure they align with the Bureau’s statutory mandate.”  Mr. Mulvaney also stated that “[m]uch can be done to facilitate greater consumer choice and efficient markets, while vigorously enforcing consumer financial law in a way that guarantees due process.”