Weekly Fintech Focus

  • The CFPB orders a bank to pay over $100 million to resolve a pattern of violations of EFTA, UDAAP, and FCRA related to the bank’s overdraft services.
  • The CFPB issues an RFI seeking information about the effect of the CARD Act on small entities.
  • FinCEN provides clarification about bank customer due diligence flexibility for onboarding and servicing PEP customers.
  • The CFPB is still on track to issue its small business data rule outline of proposals in September.
  • The OCC clarifies how credit card issuers choose which state’s interest rate can be used with its credit cards based on where the bank makes the loan.

Bank Ordered to Pay Over $100 Million to Resolve Bank Overdraft Service Violations

The Consumer Financial Protection Bureau (CFPB) recently issued a consent order with TD Bank regarding the bank’s overdraft and furnishing activities.  TD Bank offered a service called Debit Card Advance (DCA) that was advertised to customers as a free feature of TD Bank checking accounts.  In reality, according to the CFPB, the DCA service was optional and cost the customers $35 for each overdraft transaction.  Under the consent order, TD Bank is required to pay $97 million in restitution to over 1.4 million customers and a $25 million civil money penalty.

According to the order, TD Bank’s actions constituted the following violations of law:

  • Charged overdraft fees for ATM and one-time debit card transactions without obtaining affirmative consent in violation of the Electronic Funds Transfer Act and its implementing Regulation E. For in-person account enrollment, store employees would obtain a customer’s oral consent to the DCA service and check a box on a computer for the customer, and then the customer would not see any disclosure or a checked box until the end of the account-opening process. To obtain affirmative consent, the customer must receive written notice prior to giving consent orally during the enrollment process.
  • By not obtaining affirmative consent to the DCA service and misrepresenting the DCA service’s cost, TD Bank violated the CFPB’s prohibition on unfair, deceptive, or abusive practices. The CFPB held that it was abusive to obtain oral consent without giving written notice and to preselect the customer’s enrollment in the DCA service.  The CFPB also held that TD Bank committed deceptive practices by inaccurately describing the DCA service as covering more transactions than it actually covered.
  • TD Bank also failed to establish and implement policies and procedures concerning the accuracy and integrity of the information furnished to certain consumer reporting agencies in violation of the Fair Credit Reporting Act.

CFPB Issues RFI for CARD Act Changes with a Focus on Small Entities 

The CFPB issued a request for information (RFI) to consider the rules that implement the Credit Card Accountability Responsibility and Disclosure Act of 2009 (CARD Act).  The CARD Act covers credit cards, gift certificates, store gift cards, and general-purpose prepaid cards.  This review of the CARD Act is required by both the Regulatory Flexibility Act (requiring a review of certain rules within 10 years of publication and to consider the effect of the rule on small entities) and the CFPB’s requirement under the CARD Act to conduct a biennial review of the credit card market.  The primary focus of the RFI is to receive comments on the economic impact of the CARD Act’s compliance requirements on small entities and how those impacts may be reduced.

Additionally, the CFPB is seeking comment on the following topics:

  • Card features like credit card rewards, balance transfers, and promotional rates
  • Debt relief and debt collection practices
  • Disclosure requirements, with a focus on disclosures made digitally
  • Safety and soundness risk factors for card issuers
  • Risk-based pricing practices
  • The impact of innovation through technological advances like AI

Bank Regulators Provide Clarification on Due Diligence of Politically Exposed Persons

On August 21, 2020, U.S. bank regulators (Federal Reserve, FDIC, FinCEN, NCUA, and the OCC) issued a joint statement clarifying due diligence requirements under Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) regulations for customers who may be considered politically exposed persons (PEPs).  Although the interagency guidance is directed specifically at banks, the directive to create risk-based procedures for conducting customer due diligence related to PEPs provides a baseline for evaluating BSA/AML compliance more generally and may be referenced by other U.S. regulatory and enforcement agencies when evaluating corporate compliance programs as those programs apply to doing business with PEPs.  This joint statement may be of particular interest to non-bank Fintech and digital asset companies maintaining custody of client funds or digital assets.

PEPs are generally considered to be foreign persons who are or have been entrusted with a prominent public function or government position, as well as their immediate family members and close associates.  The new guidance highlights that PEPs may present a higher risk that their funds may be proceeds of corruption or illicit activity but recognizes that not all PEPs pose these risks.  PEPs include a broader set of customers and should not be confused with the already defined and more narrow category of “senior foreign political figures” under the BSA.

To meet its obligations under the BSA, a bank must apply a risk-based approach to customer due diligence, which includes written policies and procedures reasonably designed to identify and verify the identities of the bank’s customers.  The new joint statement provides that banks should conduct their customer due diligence measures commensurate with the risk profiles of their customers and the risks posed by the relationship, and while not required, may choose to include consideration of whether a customer is a PEP at account opening or as part of ongoing monitoring if the bank determines that the information is necessary for developing the customer risk profile.  The statement notes that PEPs are not high risk solely due to their status, and just like any customer relationship, should be evaluated on the specific facts and circumstances of that relationship.

When developing a customer risk profile of a PEP, the bank may take into consideration (i) the customer’s public office or position of public trust (or that of the customer’s family member or close associate); (ii) any indication that the PEP may misuse or abuse his or her authority for personal gain; (iii) the type of products and services used; (iv) the volume and nature of transactions; (v) geographies associated with the customer’s activity and domicile; (vi) the customer’s official government responsibilities; (vii) the level and nature of the customer’s authority or influence over government; (viii) the customer’s access to government assets or funds; and (ix) the overall nature of the customer relationship.

CFPB On Track to Release Small Biz Data Rule Outline of Proposals in September

On August 24, 2020, the CFPB entered its latest filing in an ongoing court case confirming that the agency is “on track” to release an outline of proposals for an upcoming small business loan data rule.  The CFPB still intends to issue this outline by September 15, 2020, and to convene a Small Business Regulatory Enforcement Fairness Act (SBREFA) panel by October 15, 2020, with meetings of the panel and small entity representatives during the week of October 19, 2020.  The anticipated completion date of the SBREFA panel’s report would be December 14, 2020.  We previously discussed this case on our blog here.

OCC Clarifies How a Credit Card Issuer Chooses Its Applicable Interest Rate

When a bank issues a credit card, the bank must set the interest rates for the charges made to the credit card at rates that comply with applicable usury caps.  For national banks, the Office of the Comptroller of the Currency (OCC) recently issued an interpretive letter that clarifies what jurisdiction’s law governs the card’s interest rate (the bank’s home state or a state where the bank has other locations (a host state)), and concludes that a national bank may elect to charge interest based on where the loan is made.

An interstate national bank with a main office in one state (State Y) and branches in several other states (including State X), merged with and into another bank that had a main office in State X.  The other bank had a credit card business that was operated out of State X, including charging interest as permitted by State X.  The credit card business activities that occurred in State X included the development and approval of the bank’s credit risk policy, decisions about the content of communications reflecting the approval of a credit card application, and establishment and approval of credit risk rules that govern the review of individual transactions.  After this merger, the bank sought an interpretive opinion from the OCC to confirm, under 12 U.S.C. § 85 (National Bank Act), that it may continue to charge credit card borrowers State X interest rates.

The OCC stated that the bank could continue to charge State X interest rates.  The important clarification in the interpretive letter relates to what it means to “make” a loan.  The OCC stated that under the National Bank Act, a loan is made “where the three non-ministerial functions associated with making the loan occur.”  The non-ministerial functions are (1) approving the loan; (2) extending the credit; and (3) disbursing the loan proceeds.

A bank may charge interest in accordance with the laws of its home state unless the three non-ministerial functions occur at a bank’s branches in a single host state.  If all three non-ministerial functions occur in a host state, then the bank must use the host state’s permissible interest rates.  If, however, only some of the non-ministerial functions occur in a host state, then the bank may elect to use the host state’s rates, provided that there is a clear nexus between the loan and the host state, or choose to use the home state rates.  If there are not sufficient contacts to establish a clear nexus between the loan and a host state, then the bank must use its home state’s rates.

In this interpretive letter, the OCC found that the bank made the loan in State X because a loan is made “where Bank executives and employees exercise skill and judgment to establish the non-discretionary underwriting criteria in the credit risk policy.”  In prior interpretive letters, the OCC held that loan approval occurs where the person making the loan decision is located (i.e., where bank personnel are applying subjective underwriting criteria and exercising discretion on loan applications).  If the approval or denial is based on non-discretionary criteria that are applied mechanically, then the loan approval occurs where the decision establishing those non-discretionary criteria is made.  For the bank in this interpretive letter, credit decisions are made uniformly in accordance with non-discretionary underwriting criteria set by the bank’s credit risk policy.  Almost all credit decisions were made through an electronic system governed by these non-discretionary underwriting criteria.  Applying the OCC’s framework, the OCC concluded that the non-ministerial functions of the loan occurred in State X.