CFPB Proposes to Expand Certain Remittance Transfer Safe Harbors

To reduce compliance costs for certain banks, credit unions and other insured financial institutions, the Consumer Financial Protection Bureau (CFPB) proposed amendments to Regulation E to increase the safe-harbor available to insured financial institutions that provide a limited amount of remittance transfers from being categorized as a remittance transfer service provider.  Under the proposal, the limit on remittances would be raised from the current limit of 100 or fewer transfers in the prior year to 500 or fewer transfers.  Remittance transfers are generally defined as electronic transfers of money from a consumer in the United States to an international location.

Additionally, the CFPB is proposing to expand and make permanent a statutory exception that allows insured financial institutions to disclose estimates of the exchange rate and covered third-party fees instead of exact amounts.  The proposal would allow insured financial institutions that provide 1,000 or fewer remittance transfers in the prior year to a given country in that country’s local currency to disclose an estimated exchange rate to consumers, rather than provide an exact exchange rate.  It would also allow insured financial institutions that provide 500 or fewer remittance transfers to a given institution in the prior calendar year to estimate covered third-party fees associated with transfers to that institution.

The CFPB is accepting comments from the public, and comments are due 45 days after the date of publication of the proposed rule in the Federal Register.

Multiple Agencies Issue Joint Statement on the Use of Alternative Data for Credit Underwriting

The Board of Governors of the Federal Reserve System (Federal Reserve), the CFPB, the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration, and the Office of the Comptroller of the Currency (OCC) (collectively, Agencies) issued an interagency statement on the use of alternative data for credit underwriting and for fraud detection, marketing, pricing, servicing and account management purposes.

The Agencies recognize that the use of alternative data may improve the accuracy and efficiency in making credit decisions and could further help consumers who would not ordinarily be able to obtain credit from traditional methods.  The Agencies note that the use of alternative data raises questions relating to how it can be used while remaining consistent with consumer protections laws such as fair lending laws, prohibitions against unfair, deceptive, or abusive acts or practices, and the Fair Credit Reporting Act.  Moreover, the Agencies highlight that a robust compliance program will ensure that lenders understand the opportunities, risks and compliance requirements associated with using alternative data.

In addition to consumer protection issues, the Agencies are concerned that any usage of alternative data for these purposes by regulated entities comports with the safe and sound operation of the institution, and that appropriate data controls are used, including rigorous assessment of the quality and suitability of the data to the institution’s operations.  The Agencies point to the Federal Reserve, OCC and FDIC’s model risk management guidance as guideposts for use of alternative data.

Comments may be submitted to the Agencies through the contact addresses provided in the interagency statement.

New York Law Prohibits Certain Alternative Data from Use in Credit Decisions

States are also responding to the development of alternative data usage in credit decisions.  On November 25, 2019, New York Governor Andrew Cuomo signed into law S.2302, a bill that limits credit reporting agencies and licensed lenders from collecting, evaluating, reporting, or maintaining in a consumer file “the credit worthiness, credit standing or credit capacity of members of the consumer’s social network for purposes of determining the credit worthiness of the consumer” or the “average credit worthiness, credit standing or credit capacity of members of the consumer’s social network; or any group score that is not the consumer’s own credit worthiness, credit standing or credit capacity.”  For purposes of the law, “members of a consumer’s social network” means a group of individuals authorized by the consumer to be a part of his or her social media communications and network.  Finally, the law prohibits licensed lenders from using a consumer’s internet viewing history as part of the formula for determining a consumer’s credit worthiness.

Banking Regulators Say Hemp Transactions Not Inherently “Suspicious”

The 2018 Farm Bill removed hemp from its Schedule I status under the Controlled Substances Act.  Despite some positive steps, like the National Credit Union Administration (NCUA) issuing interim guidance for credit unions regarding hemp, businesses involved in the burgeoning hemp industry have largely struggled to secure banking services despite legalization.  This difficulty has, in part, been driven by uncertainty in the financial industry over whether Suspicious Activity Reports (SARs), which financial institutions are required to file to report known or suspected violations of law or suspicious activity, must be filed for transactions involving hemp-related businesses.

In a joint statement earlier this month, the OCC, the Federal Reserve, the FDIC, and the Financial Crimes Enforcement Network (FinCEN), joined by the Conference of State Bank Supervisors, resolved the issue.  The regulators stated that financial institutions are no longer required to file SARs for customers only because they are engaged in the legal growth or cultivation of hemp.  Instead, “[f]or hemp-related customers, banks are expected to follow standard SAR procedures, and file a SAR if indicia of suspicious activity warrants.”  Financial institutions must still follow FinCEN guidance related to the filing of Marijuana Limited or Marijuana Priority SARs regarding other types of marijuana businesses.

This statement also indicated that FinCEN plans on issuing additional guidance once the USDA interim final rule on Establishment of a Domestic Hemp Production Program has been further reviewed and evaluated.

FSOC Discusses Cloud Computing at the November Executive Session and its Annual Report

During its November executive session, the Financial Stability Oversight Council (FSOC) addressed, among other things, financial institutions’ use of cloud service providers.  FSOC discussed the question of whether FSOC should consider designating certain cloud service providers as systemically important financial market utilities (SIFMUs).  Based on the minutes of the meeting, it appears that FSOC is comfortable with financial institutions and their regulators managing cloud service providers under available regulatory authority granted under the Bank Services Company Holding Act and various banking agencies interagency supervision programs and guidance.  The presenter at the meeting noted that section 804 of the Dodd-Frank Act gives FSOC the authority to designate a cloud service provider as a financial market utility (FMU) should it conduct FMU activities under state statute, such as managing or operating a multilateral system for the purpose of transferring, clearing, or settling payments, securities, or other financial transactions among or between financial institutions and another person.  However, at this time, the presenter explained that no cloud service provider would currently qualify as an FMU under the plain meaning of the statute.

FSOC’s annual report also briefly discussed outsourcing third-party service providers, including emerging technologies like cloud service providers as well as artificial intelligence technology.  FSOC recommends that financial regulators consider how they will supervise and regulate emerging technologies.  For cloud service providers in particular, FSOC recognizes that many financial institutions have increased their use of cloud computing services for data storage, redundancy and for additional computational capacity.  The annual report notes the technical and cost advantages of outsourcing to cloud service providers, but also cautions that there have been recent instances of unauthorized access to client data at cloud service providers.  Further, FSOC notes that certain concentration risks exist when many institutions rely on a single vendor.  Although noted in the annual report, such concerns by FSOC are not unique to cloud service providers or new to issues related to third-party service providers generally.