WBA Legal has prepared a new toolkit to help senior management, commercial lenders, loan processors, compliance officers, and others involved with small business lending to better understand the impact of CFPB’s recently proposed small business rule on the bank. Once finalized, the requirement to collect and report certain data about small business credit applicants will have a dramatic impact on current application and processing operations and record retention.  

A PowerPoint summarizing CFPB’s proposed rule has been created for use by staff who seek to present the main components of the proposal to lending and processing staff. The PowerPoint provides a background, proposed compliance dates, information regarding covered financial institutions, definition of small business, minority-owned and women-owned business, definition of covered application and covered credit transaction, what data must be collected, and reporting information.  

In addition to the PowerPoint, the toolkit also includes a complete outline of the proposed rule, including the proposed commentary and several appendices. CFPB’s proposed rule summary and a data point chart are also included.  

CFPB is accepting comments regarding its proposal. WBA hopes each bank will take into consideration the information provided in this toolkit, assess the proposal’s impact on the bank, and provide comment to CFPB regarding such impact.  

WBA Legal will be creating a draft comment letter for use by members to reply to CFPB regarding concerns and impact of the proposal on banks. WBA encourages each bank to consider submitting its own letter reflecting bank-specific information.  

Feel free to contact WBA Legal at wbalegal@wisbank.com regarding CFPB’s proposal.


The federal banking agencies (FRB, FDIC, and OCC) have issued their final rule to require banks to notify their primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident”, as soon as possible and no later than 36 hours after the bank determines that a notification incident has occurred.

The rule defines a “computer-security incident” as an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.  

“Notification incident” is defined as a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s: 

(i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;

(ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or

(iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

The final rule is effective April 1, 2022 and has a compliance date of May 1, 2022. The full final rule may be viewed here.

Q: Does Wisconsin Require Delivery of Instruments to Mortgage Borrowers after Payoff?

A: Yes. Wisconsin requires delivery of the instrument, and, depending on the transaction, other payoff requirements.

WBA is frequently asked whether banks must provide a copy of a note to the borrower at time of payoff. Wisconsin law requires provision of a payoff statement, and for Wisconsin Consumer Act transactions, the bank must provide a copy of the “instrument.” A copy of the note would meet that requirement.

Wisconsin’s payoff statement requirements can be found under Wis. Stat. section 708.15(3). That section requires that the bank must file and give the secured creditor notification within 30 days after receiving full payment or performance of the secured obligation. Additionally, for loans covered by the Wisconsin Consumer Act, Wis. Stat. section 422.306 provides several requirements regarding receipts, accounting, and evidence of payment. One such requirement is that the bank must give or forward to the customer instruments which acknowledge payment in full. It also requires release of any security interest when there is no outstanding secured obligation.

“Instrument” is a defined term under Uniform Commercial Code Article 9. An “instrument” means a negotiable instrument or any other writing that evidences a right to the payment of a monetary obligation, is not itself a security agreement or lease, and is of a type that in ordinary course of business is transferred by delivery with any necessary endorsement or assignment.

A note would meet the definition of “instrument” under Article 9. WBA is also frequently asked whether it must be the “original” instrument or a reproduction of such item provided to the borrower. This question is not addressed within the statutes. Thus, the bank should check with its practices in relation to the requirements. For example, it could be that the bank has a practice of providing the original stamped “paid,” to provide the borrower with documentation that the obligation has been paid directly on the original. It might also be a decision which is made as a matter of best practice, as then there can be no question as to whether the original was paid.

If you have any questions on this topic or other matters of compliance, contact WBA’s legal call program at 608-441-1200 or wbalegal@wisbank.com.


The White House has just released the Occupational Safety and Health Administration’s (OSHA’s) emergency temporary standard (ETS) meant to protect unvaccinated employees of large employers (100 or more employees) from the risk of contracting COVID-19 by strongly encouraging vaccination. Under the ETS, covered employers must develop, implement, and enforce a mandatory COVID-19 vaccination policy, with an exception for employers that instead adopt a policy requiring employees to either get vaccinated or elect to undergo regular COVID-19 testing and wear a face covering at work in lieu of vaccination.

Under the ETS, employees of covered employers must receive the vaccine or be required to produce a negative test on “at least a weekly basis.” Employers “must remove from the workplace any employee who receives a positive COVID-19 test or is diagnosed with COVID-19 by a licensed healthcare provider.”

Highlights from the ETS:

Explanation of Who is Included in the 100-Employee Threshold:  

The applicability of the ETS is based on the size of an employer, in terms of number of employees, rather than on the type or number of workplaces. Part-time employees do count towards the company total, but independent contractors do not. For a single corporate entity with multiple locations, all employees at all locations are counted for purposes of the 100-employee threshold for coverage under the ETS. The determination as to whether a particular employer is covered by the standard should be made separately from whether individual employees are covered by the standard’s requirements. For example,

  • If an employer has 75 part-time employees and 25 full-time employees, the employer would be within the scope of the ETS because it has 100 employees.
  • If an employer has 150 employees, 100 of whom work from their homes full-time and 50 of whom work in the office at least part of the time, the employer would be within the scope of the ETS because it has more than 100 employees. (NOTE: See the information below regarding mandatory vaccination not being applicable to some employees.)
  • If an employer has 102 employees and only 3 ever report to an office location, that employer would be covered.

January 4 Deadline to Begin Weekly Testing of Unvaccinated Employees:

Employees of covered employers have until January 4 to become fully vaccinated (either two doses of Pfizer or Moderna, or one dose of Johnson & Johnson). After that date, employers must ensure that any employees who have not received the necessary shots begin producing a verified negative test to their employer on at least a weekly basis. Therefore, employers with unvaccinated workers need to have a testing regime in place by January 4, unless the ETS is enjoined.

Paid Time Off to Get Vaccinated:

Covered employers must provide four hours of paid time off for employees to get vaccinated.

Unvaccinated Employees Must be Masked: 

Unvaccinated employees of covered employers must wear a face mask while in the workplace.

Proof of Vaccination Status and Record Retention:

Covered employers must require employees to provide proof of vaccination status, which can take the form of immunization record, COVID-19 vaccination record card, or other official medical record documenting the vaccine. The employer must maintain a “record” of that vaccination and a roster of each employee’s vaccination status. There is no suggestion that the employer must copy the vaccination document presented by the employee to show proof of vaccination.

Mandatory Vaccination Not Applicable to Certain Employees: 

Employers are not required to mandate vaccination by employees for whom a vaccine is medically contraindicated, for whom medical necessity requires a delay in vaccination (e.g., the vaccine is in conflict with other medical treatment received by the employee), or those legally entitled to a reasonable accommodation under the Americans with Disabilities Act or other federal civil rights law because the employee has a disability or sincerely-held religious belief, practice, or observance that conflicts with the vaccination requirement.

The vaccination requirement also does not apply to employees who do not report to a workplace where other individuals (such as coworkers or customers) are present, employees while they are working from home, or employees who work exclusively outdoors. An employee who switches back and forth from teleworking from home to working from the office is covered by the ETS.

ETS Not Applicable to Workplaces Subject to E.O. 14042:

The ETS does not apply to workplaces covered by Executive Order 14042, which requires federal contractors to have employees whose work relates to a federal contract be vaccinated against COVID-19. (This provision differs from the administration’s prior suggestion that employers subject to both the ETS and executive order would need to comply with both actions.)

The requirement to test unvaccinated employees weekly begins on January 4. Compliance with all other requirements of the ETS is required by December 5. It is WBA’s understanding that several state attorneys general and private entities are expected to file lawsuits in the coming days that seek to enjoin the ETS from taking effect.

View the full ETS here.

By WBA Legal

In late August, the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC) issued a new resource titled, Conducting Due Diligence on Financial Technology Companies, A Guide for Community Banks (Guide), which was intended to help community banks in conducting due diligence when considering relationships with fintech companies.

Use of the Guide is voluntary, and it does not anticipate all types of third-party relationships and risks. Therefore, a community bank can tailor how it uses relevant information in the Guide, based on its specific circumstances, the risks posed by each third-party relationship, and the related product, service, or activity (herein, activities) offered by the fintech company.

While the Guide is written from a community bank perspective, the fundamental concepts may be useful for banks of varying size and for other types of third-party relationships. Due diligence is an important component of an effective third-party risk management process, as highlighted in the federal banking agencies’ respective guidance, which for FRB-regulated banks is SR Letter 13-19, for FDIC-regulated banks is FIL-44-2008, and for OCC banks is Bulletin-2013-29.

During due diligence, a community bank collects and analyzes information to determine whether third-party relationships would support its strategic and financial goals and whether the relationship can be implemented in a safe and sound manner, consistent with applicable legal and regulatory requirements. The scope and depth of due diligence performed by a community bank will depend on the risk to the bank from the nature and criticality of the prospective activity. Banks may also choose to supplement or augment their due diligence efforts with other resources as appropriate, such as use of industry utilities or consortiums that focus on third-party oversight.

The Guide focuses on six key due diligence topics, including relevant considerations and a list of potential sources of information. The following is a summary of the key due diligence topics within the Guide.

Business Experience and Qualifications

The agencies have identified that by evaluating a fintech company’s business experience, strategic goals, and overall qualifications, a community bank can better consider a fintech company’s experience in conducting the activity and its ability to meet the bank’s needs. Review of operational history will provide insight into a fintech company’s ability to meet a community bank’s needs, including, for example, the ability to adequately provide the activities being considered in a manner that enables a community bank to comply with regulatory requirements and meet customer needs.

Review of client references and complaints about a fintech company may provide useful information when considering, among other things, whether a fintech company has adequate experience and expertise to meet a community bank’s needs and resolve issues, including experience with other community banking clients. Review of legal or regulatory actions against a fintech company can be indicators of the company’s track record in providing activities.

When a community bank is considering a third-party relationship, discussing a fintech company’s strategic plans can provide insight on key decisions it is considering, such as plans to launch new products or pursue new arrangements (such as acquisitions, joint ventures, or joint marketing initiatives). A community bank may subsequently consider whether the fintech company’s strategies or any planned initiatives would affect the prospective activity. Further, inquiring about a fintech company’s strategies and management style may help a community bank assess whether a fintech company’s culture, values, and business style fit those of the community bank.

The agencies further instruct that understanding the background and expertise of a fintech company’s directors and executive leadership may provide a community bank useful information on the fintech company’s board and management knowledge and experience related to the activity sought by the community bank. A community bank may also consider whether the company has sufficient management and staff with appropriate expertise to handle the prospective activity.

For example, imagine that a fintech company, its directors, or its management have varying levels of expertise conducting activities similar to what a community bank is seeking. A fintech company’s historical experience also may not include engaging in relationships with community banks. As part of due diligence, a community bank may therefore consider how a fintech company’s particular experiences could affect the success of the proposed activity and overall relationship. Understanding a fintech company’s qualifications and strategic direction will help a community bank assess the fintech company’s ability to meet the community bank’s expectations and support a community bank’s objectives. When evaluating the potential relationship, a community bank may consider a fintech company’s willingness and ability to align the proposed activity with the community bank’s needs, its plans to adapt activities for the community bank’s regulatory environment, and whether there is a need to address any integration challenges with community bank systems and operations.

Financial Condition

Another step the agencies identified is for a bank to evaluate a fintech company’s financial condition to help the bank assess the company’s ability to remain in business and fulfill any obligations created by the relationship. Review of financial reports provides useful information when evaluating a fintech company’s capacity to provide the activity under consideration, remain a going concern, and fulfill any of its obligations, including its obligations to the community bank. Understanding funding sources provides useful information in assessing a fintech company’s financial condition. A fintech company may be able to fund operations and growth through cash flow and profitability or it may rely on other sources, such as loans, capital injections, venture capital, or planned public offerings.

Additionally, information about a fintech company’s competitive environment may provide additional insight on the company’s viability. Review of information on a fintech company’s client base can shed insight into any reliance a fintech company may have on a few significant clients. A few critical clients may provide key sources of operating cash flow and support growth but may also demand much of a fintech company’s resources. Loss of a critical client may negatively affect revenue and hinder a fintech company’s ability to fulfill its obligations with a community bank. A community bank may also consider a fintech company’s susceptibility to external risks, such as geopolitical events that may affect the company’s financial condition.

For example, some fintech companies, such as those in an early or expansion stage, have yet to achieve profitability or may not possess financial stability comparable to more established companies. Some newer fintech companies may also be unable to provide several years of financial reporting, which may impact a community bank’s ability to apply its traditional financial analysis processes. When audited financial statements are not available, a community bank may want to seek other financial information to gain confidence that a fintech company can continue to operate, provide the activity satisfactorily, and fulfill its obligations. For example, a community bank may consider a fintech company’s access to funds, its funding sources, earnings, net cash flow, expected growth, projected borrowing capacity, and other factors that may affect a fintech company’s overall financial performance.

Legal and Regulatory Compliance

The Guide further outlines how evaluating a fintech company’s legal standing, its knowledge about legal and regulatory requirements applicable to the proposed activity, and its experience working within the legal and regulatory framework better enables a community bank to verify a fintech company’s ability to comply with applicable laws and regulations.

A bank may want to consider reviewing organizational documents and business licenses, charters, and registrations as such documentation provides information on where a fintech company is domiciled and authorized to operate (for example, domestically or internationally) and legally permissible activities under governing laws and regulations. Reviewing the nature of the proposed relationship, including roles and responsibilities of each party involved, may also help a community bank identify legal considerations. Assessing any outstanding legal or regulatory issues may provide insight into a fintech company’s management, its operating environment, and its ability to provide certain activities.

A bank could also consider reviewing a fintech company’s risk and compliance processes to help assess the fintech company’s ability to support the community bank’s legal and regulatory requirements, including privacy, consumer protection, fair lending, anti-money-laundering, and other matters. A fintech company’s experience working with other community banks may provide insight into the fintech company’s familiarity with the community bank’s regulatory environment. Reviewing information surrounding any consumer-facing applications, delivery channels, disclosures, and marketing materials for community bank customers can assist a community bank to anticipate and address potential consumer compliance issues. Considering industry ratings (for example, Better Business Bureau) and the nature of any complaints against a fintech company may provide insight into potential customer service and compliance issues or other consumer protection matters.

For example, some fintech companies may have limited experience working within the legal and regulatory framework in which a community bank operates. To protect its interests, community banks may consider including contract terms requiring (a) compliance with relevant legal and regulatory requirements, including federal consumer protection laws and regulations, as applicable; (b) authorization for a community bank and the bank’s primary supervisory agency to access a fintech company’s records; or (c) authorization for a community bank to monitor and periodically review or audit a fintech company for compliance with the agreed-upon terms. Other approaches could include (1) instituting approval mechanisms (for example, community bank signs off on any changes to marketing materials related to the activity), or (2) periodically reviewing customer complaints, if available, related to the activity.

Risk Management and Controls

The agencies have also identified that evaluating the effectiveness of a fintech company’s risk management policies, processes, and controls helps a community bank to assess the company’s ability to conduct the activity in a safe and sound manner, consistent with the community bank’s risk appetite and in compliance with relevant legal and regulatory requirements.

Banks should consider reviewing a fintech company’s policies and procedures governing the applicable activity as it will provide insight into how the fintech company outlines risk management responsibilities and reporting processes, and how the fintech company’s employees are responsible for complying with policies and procedures. A community bank may also use the information to assess whether a fintech company’s processes are in line with its own risk appetite, policies, and procedures. Information about the nature, scope, and frequency of control reviews, especially those related to the prospective activity, provides a community bank with insight into the quality of the fintech company’s risk management and control environment. A community bank may also want to consider the relative independence and qualifications of those involved in testing. A fintech company may employ an audit function (either in-house or outsourced). In these cases, evaluating the scope and results of relevant audit work may help a community bank determine how a fintech company ensures that its risk management and internal control processes are effective.

Banks should also consider the findings, conclusions, and any related action plans from recent control reviews and audits as the information may provide insight into the effectiveness of a fintech company’s program and the appropriateness and timeliness of any related action plans. Evaluating a fintech company’s reporting helps a community bank to consider how the fintech company monitors key risk, performance, and control indicators; how those indicators relate to the community bank’s desired service-level agreements; and how the fintech company’s reporting processes identify and escalate risk issues and control testing results. A community bank may also consider how it would incorporate such reporting into the bank’s own issue management processes. Review of information on a fintech company’s staffing and expertise, including for risk and compliance, provides a means to assess the overall adequacy of the fintech company’s risk and control processes for the proposed activity.

Information on a fintech company’s training program also assists in considering how the fintech company ensures that its staff remains knowledgeable about regulatory requirements, risks, technology, and other factors that may affect the quality of the activities provided to a community bank.

For example, a fintech company’s audit, risk, and compliance functions will vary with the maturity of the company and the nature and complexity of activities offered. As a result, a fintech company may not have supporting information that responds in full to a community bank’s typical due diligence questionnaires. In other cases, a fintech company may be hesitant to provide certain information that is considered proprietary or a trade secret (for example, their development methodology or model components). In these situations, a community bank may take other steps to identify and manage risks in the third-party relationship and gain confidence that the fintech company can provide the activity satisfactorily.

For example, a community bank may consider on-site visits to help evaluate a fintech company’s operations and control environment, or a community bank’s auditors (or another independent party) may evaluate a fintech company’s operations as part of due diligence. Other approaches could include (a) accepting due diligence limitations, with any necessary approvals and/or exception reporting, compared to the community bank’s normal processes, commensurate with the criticality of the arrangement and in line with the bank’s risk appetite and applicable third-party risk management procedures; (b) incorporating contract provisions that establish the right to audit, conduct on-site visits, monitor performance, and require remediation when issues are identified; (c) establishing a community bank’s right to terminate a third-party relationship, based on a fintech company’s failure to meet specified technical and operational requirements or performance standards. Contract provisions may also provide for a smooth transition to another party (for example, ownership of records and data by the community bank and reasonable termination fees); or (d) outlining risk and performance expectations and related metrics within the contract to address a community bank’s requirements.

Information Security

In understanding a fintech company’s operations infrastructure and the security measures for managing operational risk, a community bank may better evaluate whether the measures are appropriate for the prospective activity. A community bank may evaluate whether the proposed activity can be performed using existing systems, or if additional IT investment would be needed at the community bank or at the fintech company to successfully perform the activity. For example, a community bank may evaluate whether the fintech company’s systems can support the bank’s business, customers, and transaction volumes (current and projected). A fintech company’s procedures for deploying new hardware or software, and its policy toward patching and using unsupported (end-of-life) hardware or software, will provide a community bank with information on the prospective third party’s potential security and business impacts to the community bank.

For example, fintech companies’ information security processes may vary, particularly for fintech companies in an early or expansion stage. Community banks may evaluate whether a fintech company’s information security processes are appropriate and commensurate with the risk of the proposed activity. Depending on the activity provided, community banks may also seek to understand a fintech company’s oversight of its subcontractors, including data and information security risks and controls.

For a fintech company that provides transaction processing or that accesses customer data, for example, community banks may request information about how the fintech company restricts access to its systems and data, identifies and corrects vulnerabilities, and updates and replaces hardware or software. The bank may also consider risks and related controls pertaining to its customers’ data, in the event of the fintech company’s security failure. Also, contractual terms that authorize a community bank to access fintech company records can better enable the bank to validate compliance with the laws and regulations related to information security and customer privacy.

Operational Resilience

A community bank may evaluate a fintech company’s ability to continue operations through a disruption. Depending on the activity, a community bank may look to the fintech company’s processes to identify, respond to, and protect itself and customers from threats and potential failures, as well as recover and learn from disruptive events. It is important that third-party continuity and resilience planning be commensurate with the nature and criticality of activities performed for the bank.

Evaluating a fintech company’s business continuity plan, incident response plan, disaster recovery plan and related testing can help a community bank determine the fintech company’s ability to continue operations in the event of a disruption. Also, evaluating a fintech company’s recovery objectives, such as any established recovery time objectives and recovery point objectives, helps to ascertain whether the company’s tolerances for downtime and data loss align with a community bank’s expectations. Contemplating how a fintech company considers changing operational resilience processes to account for changing conditions, threats, or incidents, as well as how the company handles threat detection (both in-house and outsourced), may provide a community bank with additional information on incident preparation. Discussions with a fintech company, as well as online research, could provide insights into how the company responded to any actual cyber events or operational outages and any impact they had on other clients or customers.

Understanding where a fintech company’s data centers are or will reside, domestically or internationally, helps a community bank to consider which laws or regulations would apply to the community bank’s business and customer data. Another matter for a community bank to consider is whether a fintech company has appropriate insurance policies (for example, hazard insurance or cyber insurance) and whether the fintech company has the financial ability to make the community bank whole in the event of loss.

Service level agreements between a community bank and a fintech company set forth the rights and responsibilities of each party with regard to expected activities and functions. A community bank may consider the reasonableness of the proposed service level agreement and incorporate performance standards to ensure key obligations are met, including activity uptime. A community bank may also consider whether to define default triggers and recourse in the event that a fintech company fails to meet performance standards.

A fintech company’s monitoring of its subcontractors (if used) may offer insight into the company’s own operational resilience. For example, a community bank may inquire as to whether the fintech company depends on a small number of subcontractors for operations, what activities they provide, and how the fintech company will address a subcontractor’s inability to perform. A community bank may assess a fintech company’s processes for conducting background checks on subcontractors, particularly if subcontractors have access to critical systems related to the proposed activity.

For example, as with previous due diligence scenarios, fintech companies may exhibit a range of resiliency and continuity processes, depending on the activities offered. Community banks may evaluate whether a fintech company’s planning and related processes are commensurate with the nature and criticality of activities performed for the bank. For example, community banks may evaluate a fintech company’s ability to meet the community bank’s recovery expectations and identify any subcontractors the fintech company relies upon for recovery operations. A fintech company may have recovery time objectives for the proposed activity that exceed the desired recovery time objectives of a community bank. If a fintech company can meet the community bank’s desired recovery time objectives, the bank may consider including related contractual terms, such as a contract stipulation that the community bank can participate in business continuity testing exercises and that provides appropriate recourse if the recovery time objective is missed in the event of an actual service disruption.

A community bank may also consider appropriate contingency plans, such as the availability of substitutable service providers, in case the fintech company experiences a business interruption, fails, or declares bankruptcy and is unable to perform the agreed-upon activities. In addition to potential contractual clauses and requirements, a community bank’s management may also consider how it would wind down or transfer the activity in the event the fintech company fails to recover in a timely manner.

Conclusion

The agencies have outlined a number of relevant considerations, non-exhaustive lists of potential sources of information, and illustrative examples to assist community banks with identifying strengths and potential risks when considering relationships with fintech companies. The voluntary Guide helps provide a starting point for banks with their due diligence efforts. The Guide may be viewed here.

Highlighted Special Focus From the October 2021 Compliance Journal

By Scott Birrenkott

WBA filed comments this week with FRB, FDIC, and OCC (agencies) on their proposed guidance on managing risks associated with third-party relationships (proposal).

Over the years, the agencies have issued guidance on third-party management for their respective supervised institutions. The agencies have issued the proposal in an effort to promote consistency in their third-party risk management guidance and to clearly articulate risk-based principles on third-party risk management. The proposal is based on the OCC’s existing third-party risk management guidance from 2013.

WBA commented that the proposal presents a welcome opportunity to consolidate and update each agency’s individual existing guidance, and generally supported the effort. In addition to general comments reflecting member experiences in third-party management, WBA did recommend that the agencies consider specific examination procedures in accordance with the guidance, and provide banks with sufficient time to adapt to any final guidance.

Click here to view the letter.


By Scott Birrenkott

Q: Does RESPA Prohibit Kickbacks for Referrals Related to Settlement Services?

A: Yes. WBA has received a few inquiries recently regarding the Real Estate Settlement Procedures Act’s prohibition against kickbacks and unearned fees, and has created this summary as a quick refresher.

RESPA Section 8 prohibits certain actions related to federally related mortgage loans, including a prohibition against giving or accepting a fee, kickback, or thing of value pursuant to an agreement or understanding (oral or otherwise), for referrals of business incident to or part of a settlement service involving a federally related mortgage loan. There are definitions within that prohibition which help determine what might be covered.

“Thing of value” is defined broadly and can include a number of arrangements. “Settlement service” is also defined broadly and includes any service provided in connection with a real estate settlement. Referrals include oral or written action directed to a person that has the effect of affirmatively influencing a person’s selection of a provider of a settlement service or business incident to or part of a settlement service. For example, if a settlement service provider gives referral sources tickets to attend professional sporting events in exchange for referrals as part of an agreement or understanding, such conduct violates RESPA Section 8.

Certain arrangements, such as affiliated business arrangements and marketing services agreements, are not violations of RESPA Section 8. Such determinations are fact-specific, however, and may require discussion with a bank’s legal counsel.

Further resources are available in CFPB’s helpful Real Estate Settlement Procedures Act FAQs.

If you have any questions on this topic or other matters of compliance, contact WBA’s legal call program at 608-441-1200 or wbalegal@wisbank.com.

Note: The above information is not intended to provide legal advice; rather, it is intended to provide general information about banking issues. Consult your institution’s attorney for special legal advice or assistance. 


By Jennifer Mirus, Boardman Clark, a WBA Gold Associate Member

On September 24, 2021, the Biden Administration released guidance regarding the scope of Executive Order 14042, which mandates that employees of covered federal contractors demonstrate proof of full vaccination against COVID-19 by December 8, 2021. That guidance is available here.

The guidance lists several categories which, if applicable to an employer, will trigger its obligation to ensure its employees have been fully vaccinated. The guidance defines “contract” broadly to include: “all contracts and any subcontracts of any tier thereunder, whether negotiated or advertised, including any procurement actions, lease agreements, cooperative agreements, provider agreements, intergovernmental service agreements, service agreements, licenses, permits, or any other type of agreement, regardless of nomenclature, type, or particular form, and whether entered into verbally or in writing.” 

This broad guidance left certain questions unanswered regarding which entities qualify as a covered federal contractor. Notably, it is unclear whether banks are considered federal contractors due to their FDIC relationship with the federal government. Because the guidance is written in broad terms, it could be construed to mean that banks are considered federal contractors because they obtain a “service” from the federal government in the form of FDIC insurance and thus have a “service agreement” for the purposes of the vaccination requirement. However, this is a very literal reading of the guidance which may not be how the Executive Order and guidance are intended to be interpreted. Additionally, an earlier executive order regarding minimum wage used a similar definition of “contract,” and there is no clear guidance or rulings that banks were subject to that order.  

Thus, at this time, it is a reasonable conclusion that banking institutions are not covered federal contractors that must comply with the vaccination mandate. More guidance and clarification will be needed before it is clear whether banks are considered federal contractors under the Executive Order.  Banks that have explicit contracts with the federal government likely do qualify as federal contractors, even if they are not federal contractors by virtue of FDIC programs.  

Banks with 100 or more employees might be subject to the anticipated emergency temporary standard under the Occupational Health and Safety Administration (OSHA) that will require COVID-19 testing or vaccination. Details on OSHA’s standard are anticipated in the near future. 

The long-awaited proposed rule regarding the collection and reporting of small business lending data as required by Section 1071 of the Dodd-Frank Act has finally been released by the Bureau of Consumer Financial Protection (CFPB). Unfortunately, the proposed rule is as broad and onerous as the industry expected it to be, as it will be costly to train, implement, and monitor. The proposal would revise Regulation B, which implements the Equal Credit Opportunity Act (ECOA), to require the collection and reporting to CFPB of certain data on applications for credit by small businesses. The proposal is substantial; however, below is a brief summary of the proposed rule.

Who Must Collect Data

The first step of analysis for any proposal is to identify whether it will apply to the bank. In this case, the proposal is broad and will very likely apply to all banks in Wisconsin. As proposed, if a bank originates at least 25 credit transactions that are considered “covered credit transactions” to “small businesses” in each of the two preceding years, the proposed rule will apply to the bank. Generally, a “small business” under the proposal is a business that had $5 million or less in gross annual revenue for its preceding fiscal year.

What CFPB has proposed be considered a “covered credit transaction” is a bit trickier an analysis but is generally the same as what is considered an application under the existing Regulation B definition of “application.” The proposed term does, however, exclude reevaluation requests, extension requests, or renewal requests on an existing business credit account, unless the request seeks additional credit amounts; also excluded is an inquiry or prequalification request.

What Data is to be Collected

Next, the data to be collected. Dodd-Frank Act Section 1071 identified certain data that must be collected by CFPB; the law also gave CFPB discretion to collect additional data. CFPB has incorporated all Dodd-Frank Act required data and several discretionary data points into its proposal. In particular, banks must collect a unique identifier of each application, application date, application method, application recipient, action taken by bank on the application, date action taken, denial reasons, amount applied for, amount originated or approved, and pricing information including interest rate, total origination charges, broker fees, initial annual charges, additional cost for merchant cash advances or other sales-based financing, and prepayment penalties.

Banks must also collect credit type, credit purpose, information related to the applicant’s business such as census tract, NAICS code and gross annual revenue for applicant’s preceding fiscal year, number of applicant’s non-owner workers, applicant’s time in business, and number of applicant’s principal owners.

There is also demographic information about the applicant’s principal owners to collect. These data points include minority- and women-owned business status, and the ethnicity, race, and sex of the applicant’s principal owners. The proposal also requires banks to maintain procedures to collect applicant-provided data at a time and in a manner that is reasonably designed to obtain a response, addresses how banks are to report certain data if data are not obtainable from an applicant, when banks are permitted to rely on statements made by an applicant, when banks must verify applicant’s responses to certain data collected, and when banks may reuse certain data collected in certain circumstances such as when data was collected within the same calendar year as a current covered application and when the bank has no reason to believe the data are inaccurate.

When and How Data Must be Reported

Banks would be required to collect data on a calendar-year basis and report the data to CFPB by June 1 of the following year. CFPB has proposed to provide technical instructions for the submission of data in a Filing Instructions Guide and related materials.

The submitted data is also to be made available to the public on an annual basis. Banks would be required to make the reported data available on their website, or otherwise upon request, or must provide a statement that the bank’s small business lending application register is available on CFPB’s website. Model language for such statement has been proposed by CFPB.

Limit of Certain Bank Personnel’s Access to Certain Data

The proposed rule implements a requirement under Section 1071 that banks limit certain employees’ and officers’ access to certain data. CFPB refers to this as the “firewall.” Pursuant to the proposed rule, an employee or officer of a bank or bank’s affiliate who is involved in making any determination concerning the applicant’s covered application would be prohibited from accessing an applicant’s responses to inquiries that the bank made regarding whether the applicant is a minority- or women-owned business. Such employees are also restricted from accessing information about the ethnicity, race, and sex of the applicant’s principal owners.

There are exceptions to the requirement if it is not feasible to limit such access, as that factor is further set forth in the proposal. If an exception is permissible under the proposal, notice must be given to the applicant regarding such access. Again, CFPB has created model language for such notice.

Recordkeeping and Enforcement

The proposal establishes certain recordkeeping requirements, including a three-year retention period for small business lending application registers. The proposal also includes a requirement to maintain an applicant’s responses to Section 1071 inquiries regarding whether an applicant is a minority- or women-owned business, and responses regarding the ethnicity, race, and sex of the applicant’s principal owners, separate from the rest of the application and accompanying information.

The proposal does include enforcement for violations of the new rules, addresses bona fide errors, and provides for a safe harbor.

Learn More and Get Involved

The proposal and additional information, including a chart of the proposed data collection points, may be viewed at: https://www.consumerfinance.gov/rules-policy/rules-under-development/small-businesslending-data-collection-under-equal-credit-opportunity-act-regulation-b/

WBA will comment on the proposal and will create a template letter for bankers to use in providing their own comments to CFPB regarding the impact the proposal will have on the bank. Comments are due 90 days from publication of the proposed rule in the Federal Register. At the time of publication of this article, the proposal had not yet been published. CFPB has proposed that mandatory compliance with a final rule begin eighteen months after its effective date. WBA Legal is creating a working group to collect data and concerns from Wisconsin’s bankers on the proposal. If you wish to be part of the working group, please contact WBA Legal at wbalegal@wisbank.com.

This article originally ran in the September 2021 edition of the WBA Compliance Journal. To view the entire publication, click here.


As was first reported in the September 10 WBA Wisconsin Banker Daily, President Biden released a plan on September 9 meant to reduce the number of unvaccinated Americans.

By way of background, to implement the plan, Department of Labor’s Occupational Safety and Health Administration (OSHA) is developing a rule that will require all employers with 100 or more employees to ensure their workforce is fully vaccinated or require any workers who remain unvaccinated to produce a negative test result on at least a weekly basis before coming to work. OSHA will issue an Emergency Temporary Standard (ETS) to implement the requirement.

OSHA is also developing a rule that will require employers with more than 100 employees to provide paid time off for the time it takes for workers to get vaccinated or to recover if they are under the weather post-vaccination. This requirement will also be implemented through an ETS.

President Biden executed a second order to take similar steps to require vaccinations for all federal workers and federal contractors that do business with the federal government. The Safer Federal Workforce Task Force had until this past Friday to describe new safety protocols, per the order.

Guidance was released last Friday; however, it unfortunately did not clarify whether banks are considered federal contractors under the vaccine mandate. WBA will continue to closely monitor the developing law and update the membership once coverage of the order is clarified.

Safer Federal Workforce Task Force COVID-19 Workplace Safety: Guidance for Federal Contractors and Subcontractors

Path Out of the Pandemic Order

Order of COVID Safety for Federal Contractors

 

By Heather MacKinnon