Posts

By WBA Legal

In late August, the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC) issued a new resource titled, Conducting Due Diligence on Financial Technology Companies, A Guide for Community Banks (Guide), which was intended to help community banks in conducting due diligence when considering relationships with fintech companies.

Use of the Guide is voluntary, and it does not anticipate all types of third-party relationships and risks. Therefore, a community bank can tailor how it uses relevant information in the Guide, based on its specific circumstances, the risks posed by each third-party relationship, and the related product, service, or activity (herein, activities) offered by the fintech company.

While the Guide is written from a community bank perspective, the fundamental concepts may be useful for banks of varying size and for other types of third-party relationships. Due diligence is an important component of an effective third-party risk management process, as highlighted in the federal banking agencies’ respective guidance; which, for FRB-regulated banks is SR Letter 13-19, for FDIC-regulated banks is FIL-44-2008, and for OCC banks is Bulletin-2013-29.

During due diligence, a community bank collects and analyzes information to determine whether third-party relationships would support its strategic and financial goals and whether the relationship can be implemented in a safe and sound manner, consistent with applicable legal and regulatory requirements. The scope and depth of due diligence performed by a community bank will depend on the risk to the bank from the nature and criticality of the prospective activity. Banks may also choose to supplement or augment their due diligence efforts with other resources as appropriate, such as use of industry utilities or consortiums that focus on third-party oversight.

The Guide focuses on six key due diligence topics, including relevant considerations and a list of potential sources of information. The following is a summary of the key due diligence topics within the Guide.

Business Experience and Qualifications

The agencies have identified that by evaluating a fintech company’s business experience, strategic goals, and overall qualifications, a community bank can better consider a fintech company’s experience in conducting the activity and its ability to meet the bank’s needs. Review of operational history will provide insight into a fintech company’s ability to meet a community bank’s needs, including, for example, the ability to adequately provide the activities being considered in a manner that enables a community bank to comply with regulatory requirements and meet customer needs.

Review of client references and complaints about a fintech company may provide useful information when considering, among other things, whether a fintech company has adequate experience and expertise to meet a community bank’s needs and resolve issues, including experience with other community banking clients. Review of legal or regulatory actions against a fintech company can be indicators of the company’s track record in providing activities.

When a community bank is considering a third-party relationship, discussing a fintech company’s strategic plans can provide insight on key decisions it is considering, such as plans to launch new products or pursue new arrangements (such as acquisitions, joint ventures, or joint marketing initiatives). A community bank may subsequently consider whether the fintech company’s strategies or any planned initiatives would affect the prospective activity. Further, inquiring about a fintech company’s strategies and management style may help a community bank assess whether a fintech company’s culture, values, and business style fit those of the community bank.

The agencies further instruct that understanding the background and expertise of a fintech company’s directors and executive leadership may provide a community bank useful information on the fintech company’s board and management knowledge and experience related to the activity sought by the community bank. A community bank may also consider whether the company has sufficient management and staff with appropriate expertise to handle the prospective activity.

For example, imagine that a fintech company, its directors, or its management have varying levels of expertise conducting activities similar to what a community bank is seeking. A fintech company’s historical experience also may not include engaging in relationships with community banks. As part of due diligence, a community bank may therefore consider how a fintech company’s particular experiences could affect the success of the proposed activity and overall relationship. Understanding a fintech company’s qualifications and strategic direction will help a community bank assess the fintech company’s ability to meet the community bank’s expectations and support a community bank’s objectives. When evaluating the potential relationship, a community bank may consider a fintech company’s willingness and ability to align the proposed activity with the community bank’s needs, its plans to adapt activities for the community bank’s regulatory environment, and whether there is a need to address any integration challenges with community bank systems and operations.

Financial Condition

Another step the agencies identified is for a bank to evaluate a fintech company’s financial condition to help the bank assess the company’s ability to remain in business and fulfill any obligations created by the relationship. Review of financial reports provide useful information when evaluating a fintech company’s capacity to provide the activity under consideration, remain a going concern, and fulfill any of its obligations, including its obligations to the community bank. Understanding funding sources provide useful information in assessing a fintech company’s financial condition. A fintech company may be able to fund operations and growth through cash flow and profitability or it may rely on other sources, such as loans, capital injections, venture capital, or planned public offerings.

Additionally, information about a fintech company’s competitive environment may provide additional insight on the company’s viability. Review of information on a fintech company’s client base can shed insight into any reliance a fintech company may have on a few significant clients. A few critical clients may provide key sources of operating cash flow and support growth but may also demand much of a fintech company’s resources. Loss of a critical client may negatively affect revenue and hinder a fintech company’s ability to fulfill its obligations with a community bank. A community bank may also consider a fintech company’s susceptibility to external risks, such as geopolitical events that may affect the company’s financial condition.

For example, some fintech companies, such as those in an early or expansion stage, have yet to achieve profitability or may not possess financial stability comparable to more established companies. Some newer fintech companies may also be unable to provide several years of financial reporting, which may impact a community bank’s ability to apply its traditional financial analysis processes. When audited financial statements are not available, a community bank may want to seek other financial information to gain confidence that a fintech company can continue to operate, provide the activity satisfactorily, and fulfill its obligations. For example, a community bank may consider a fintech company’s access to funds, its funding sources, earnings, net cash flow, expected growth, projected borrowing capacity, and other factors that may affect a fintech company’s overall financial performance.

Legal and Regulatory Compliance

The Guide further outlines how in evaluating a fintech company’s legal standing, its knowledge about legal and regulatory requirements applicable to the proposed activity, and its experience working within the legal and regulatory framework, better enables a community bank to verify a fintech company’s ability to comply with applicable laws and regulations.

A bank may want to consider reviewing organizational documents and business licenses, charters, and registrations as such documentation provides information on where a fintech company is domiciled and authorized to operate (for example, domestically or internationally) and legally permissible activities under governing laws and regulations. Reviewing the nature of the proposed relationship, including roles and responsibilities of each party involved, may also help a community bank identify legal considerations. Assessing any outstanding legal or regulatory issues may provide insight into a fintech company’s management, its operating environment, and its ability to provide certain activities.

A bank could also consider reviewing a fintech company’s risk and compliance processes to help assess the fintech company’s ability to support the community bank’s legal and regulatory requirements, including privacy, consumer protection, fair lending, anti-money-laundering, and other matters. A fintech company’s experience working with other community banks may provide insight into the fintech company’s familiarity with the community bank’s regulatory environment. Reviewing information surrounding any consumer-facing applications, delivery channels, disclosures, and marketing materials for community bank customers can assist a community bank to anticipate and address potential consumer compliance issues. Considering industry ratings (for example, Better Business Bureau) and the nature of any complaints against a fintech company may provide insight into potential customer service and compliance issues or other consumer protection matters.

For example, some fintech companies may have limited experience working within the legal and regulatory framework in which a community bank operates. To protect its interests, community banks may consider including contract terms requiring (a) compliance with relevant legal and regulatory requirements, including federal consumer protection laws and regulations, as applicable; (b) authorization for a community bank and the bank’s primary supervisory agency to access a fintech company’s records; or (c) authorization for a community bank to monitor and periodically review or audit a fintech company for compliance with the agreed-upon terms. Other approaches could include (1) instituting approval mechanisms (for example, community bank signs off on any changes to marketing materials related to the activity), or (2) periodically reviewing customer complaints, if available, related to the activity.

Risk Management and Controls

The agencies have also identified that by banks evaluating the effectiveness of a fintech company’s risk management policies, processes, and controls, such review helps a community bank to assess the company’s ability to conduct the activity in a safe and sound manner, consistent with the community bank’s risk appetite and in compliance with relevant legal and regulatory requirements.

Banks should consider reviewing a fintech company’s policies and procedures governing the applicable activity as it will provide insight into how the fintech company outlines risk management responsibilities and reporting processes, and how the fintech company’s employees are responsible for complying with policies and procedures. A community bank may also use the information to assess whether a fintech company’s processes are in line with its own risk appetite, policies, and procedures. Information about the nature, scope, and frequency of control reviews, especially those related to the prospective activity, provides a community bank with insight into the quality of the fintech company’s risk management and control environment. A community bank may also want to consider the relative independence and qualifications of those involved in testing. A fintech company may employ an audit function (either in-house or outsourced). In these cases, evaluating the scope and results of relevant audit work may help a community bank determine how a fintech company ensures that its risk management and internal control processes are effective.

Banks should also consider the findings, conclusions, and any related action plans from recent control reviews and audits as the information may provide insight into the effectiveness of a fintech company’s program and the appropriateness and timeliness of any related action plans. Evaluating a fintech company’s reporting helps a community bank to consider how the fintech company monitors key risk, performance, and control indicators; how those indicators relate to the community bank’s desired service-level agreements; and how the fintech company’s reporting processes identify and escalate risk issues and control testing results. A community bank may also consider how it would incorporate such reporting into the bank’s own issue management processes. Review of information on a fintech company’s staffing and expertise, including for risk and compliance, provide a means to assess the overall adequacy of the fintech company’s risk and control processes for the proposed activity.

Information on a fintech company’s training program also assists in considering how the fintech company ensures that its staff remains knowledgeable about regulatory requirements, risks, technology, and other factors that may affect the quality of the activities provided to a community bank.

For example, a fintech company’s audit, risk, and compliance functions will vary with the maturity of the company and the nature and complexity of activities offered. As a result, a fintech company may not have supporting information that responds in full to a community bank’s typical due diligence questionnaires. In other cases, a fintech company may be hesitant to provide certain information that is considered proprietary or a trade secret (for example, their development methodology or model components). In these situations, a community bank may take other steps to identify and manage risks in the third-party relationship and gain confidence that the fintech company can provide the activity satisfactorily.

For example, a community bank may consider on-site visits to help evaluate a fintech company’s operations and control environment, or a community bank’s auditors (or another independent party) may evaluate a fintech company’s operations as part of due diligence. Other approaches could include (a) accepting due diligence limitations, with any necessary approvals and/or exception reporting, compared to the community bank’s normal processes, commensurate with the criticality of the arrangement and in line with the bank’s risk appetite and applicable third-party risk management procedures; (b) incorporating contract provisions that establish the right to audit, conduct on-site visits, monitor performance, and require remediation when issues are identified; (c) establishing a community bank’s right to terminate a third-party relationship, based on a fintech company’s failure to meet specified technical and operational requirements or performance standards. Contract provisions may also provide for a smooth transition to another party (for example, ownership of records and data by the community bank and reasonable termination fees); or (d) outlining risk and performance expectations and related metrics within the contract to address a community bank’s requirements

Information Security

In understanding a fintech company’s operations infrastructure and the security measures for managing operational risk, a community bank may better evaluate whether the measures are appropriate for the prospective activity. A community bank may evaluate whether the proposed activity can be performed using existing systems, or if additional IT investment would be needed at the community bank or at the fintech company to successfully perform the activity. For example, a community bank may evaluate whether the fintech company’s systems can support the bank’s business, customers, and transaction volumes (current and projected). A fintech company’s procedures for deploying new hardware or software, and its policy toward patching and using unsupported (end-of-life) hardware or software, will provide a community bank with information on the prospective third party’s potential security and business impacts to the community bank.

For example, fintech companies’ information security processes may vary, particularly for fintech companies in an early or expansion stage. Community banks may evaluate whether a fintech company’s information security processes are appropriate and commensurate with the risk of the proposed activity. Depending on the activity provided, community banks may also seek to understand a fintech company’s oversight of its subcontractors, including data and information security risks and controls.

For a fintech company that provides transaction processing or that accesses customer data, for example, community banks may request information about how the fintech company restricts access to its systems and data, identifies and corrects vulnerabilities, and updates and replaces hardware or software. The bank may also consider risks and related controls pertaining to its customers’ data, in the event of the fintech company’s security failure. Also, contractual terms that authorize a community bank to access fintech company records can better enable the bank to validate compliance with the laws and regulations related to information security and customer privacy.

Operational Resilience

A community bank may evaluate a fintech company’s ability to continue operations through a disruption. Depending on the activity, a community bank may look to the fintech company’s processes to identify, respond to, and protect itself and customers from threats and potential failures, as well as recover and learn from disruptive events. It is important that third-party continuity and resilience planning be commensurate with the nature and criticality of activities performed for the bank.

Evaluating a fintech company’s business continuity plan, incident response plan, disaster recovery plan and related testing can help a community bank determine the fintech company’s ability to continue operations in the event of a disruption. Also, evaluating a fintech company’s recovery objectives, such as any established recovery time objectives and recovery point objectives, helps to ascertain whether the company’s tolerances for downtime and data loss align with a community bank’s expectations. A community bank that contemplates how a fintech company considers changing operational resilience processes to account for changing conditions, threats, or incidents, as well as how the company handles threat detection (both in-house and outsourced) may provide a community bank with additional information on incident preparation. Discussions with a fintech company, as well as online research, could provide insights into how the company responded to any actual cyber events or operational outages and any impact they had on other clients or customers.

Understanding where a fintech company’s data centers are or will reside, domestically or internationally, helps a community bank to consider which laws or regulations would apply to the community bank’s business and customer data. Another matter for a community bank to consider is whether a fintech company has appropriate insurance policies (for example, hazard insurance or cyber insurance) and whether the fintech company has the financial ability to make the community bank whole in the event of loss.

Service level agreements between a community bank and a fintech company set forth the rights and responsibilities of each party with regard to expected activities and functions. A community bank may consider the reasonableness of the proposed service level agreement and incorporate performance standards to ensure key obligations are met, including activity uptime. A community bank may also consider whether to define default triggers and recourse in the event that a fintech company fails to meet performance standards.

A fintech company’s monitoring of its subcontractors (if used) may offer insight into the company’s own operational resilience. For example, a community bank may inquire as to whether the fintech company depends on a small number of subcontractors for operations, what activities they provide, and how the fintech company will address a subcontractors’ inability to perform. A community bank may assess a fintech company’s processes for conducting background checks on subcontractors, particularly if subcontractors have access to critical systems related to the proposed activity.

For example, as with previous due diligence scenarios, fintech companies may exhibit a range of resiliency and continuity processes, depending on the activities offered. Community banks may evaluate whether a fintech company’s planning and related processes are commensurate with the nature and criticality of activities performed for the bank. For example, community banks may evaluate a fintech company’s ability to meet the community bank’s recovery expectations and identify any subcontractors the fintech company relies upon for recovery operations. A fintech company may have recovery time objectives for the proposed activity that exceed the desired recovery time objectives of a community bank. If a fintech company can meet the community bank’s desired recovery time objectives, the bank may consider including related contractual terms, such as a contract stipulation that the community bank can participate in business continuity testing exercises and that provides appropriate recourse if the recovery time objective is missed in the event of an actual service disruption.

A community bank may also consider appropriate contingency plans, such as the availability of substitutable service providers, in case the fintech company experiences a business interruption, fails, or declares bankruptcy and is unable to perform the agreed-upon activities. In addition to potential contractual clauses and requirements, a community bank’s management may also consider how it would wind down or transfer the activity in the event the fintech company fails to recover in a timely manner.

Conclusion

The agencies have outlined a number of relevant considerations, non-exhaustive lists of potential sources of information, and illustrative examples to assist community banks with identifying strengths and potential risks when considering relationships with fintech companies. The voluntary Guide helps provide a starting point for banks with their due diligence efforts. The Guide may be viewed here.

Highlighted Special Focus From the October 2021 Compliance Journal

The long awaited proposed rule regarding the collection and reporting of small business lending data as required by Section 1071 of the Dodd-Frank Act has finally been released by the Bureau of Consumer Financial Protection (CFPB). Unfortunately, the proposed rule is as broad and onerous as the industry expected it to be as it will be costly to train, implement, and monitor. The proposal would revise Regulation B, which implements the Equal Credit Opportunity Act (ECOA), to require the collection and reporting to CFPB certain data on applications for credit by small businesses. The proposal is substantial; however, below is a brief summary of the proposed rule.

Who Must Collect Data

The first step of analysis for any proposal is to identify whether it will apply to the bank. In this case, the proposal is broad and will very likely apply to all banks in Wisconsin. As proposed, if a bank originates at least 25 credit transactions that are considered “covered credit transactions” to “small businesses” in each of the two preceding years, the proposed rule will apply to the bank. Generally, a “small business” under the proposal is a business that had $5 million or less in gross annual revenue for its preceding fiscal year.

What CFPB has proposed be considered a “covered credit transaction” is a bit trickier an analysis but is generally the same as what is considered an application under the existing Regulation B definition of “application.” The proposed term does; however, exclude reevaluation requests, extension requests, or renewal requests on an existing business credit account, unless the request seeks additional credit amounts; also excluded is an inquiry or prequalification request.

What Data is to be Collected

Next, the data to be collected. Dodd-Frank Act Section 1071 identified certain data that must be collected by CFPB; the law also gave CFPB discretion to collect additional data. CFPB has incorporated all Dodd-Frank Act required data and several discretional data into its proposal. In particular, banks must collect a unique identifier of each application, application date, application method, application recipient, action taken by bank on the application, date action taken, denial reasons, amount applied for, amount originated or approved, and pricing information including interest rate, total origination charges, broker fees, initial annual charges, additional cost for merchant cash advances or other sales-based financing, and prepayment penalties.

Banks must also collect credit type, credit purpose, information related to the applicant’s business such as census tract, NAICS code and gross annual revenue for applicant’s preceding fiscal year, number of applicant’s non-owner workers, applicant’s time in business, and number of applicant’s principal owners.

There is also demographic information about the applicant’s principal owners to collect. These data points include minority- and women-owned business status, and the ethnicity, race, and sex of the applicant’s principal owners. The proposal also requires banks to maintain procedures to collect applicant-provided data at a time and in a manner that is reasonably designed to obtain a response, addresses how banks are to report certain data if data are not obtainable from an applicant, when banks are permitted to rely on statements made by an applicant, when banks must verify applicant’s responses to certain data collected, and when banks may reuse certain data collected in certain circumstances such as when data was collected within the same calendar year as a current covered application and when the bank has no reason to believe the data are inaccurate.

When and How Data Must be Reported

Banks would be required to collect data on a calendar-year basis and report the data to CFPB by June 1 of the following year. CFPB has proposed to provide technical instructions for the submission of data in a Filing Instructions Guide and related materials.

The submitted data is also to be made available to the public on an annual basis. Banks would be required to make the reported data available on their website, or otherwise upon request, or must provide a statement that the bank’s small business lending application register is available on CFPB’s website. Model language for such statement has been proposed by CFPB.

Limit of Certain Bank Personnel’s Access to Certain Data

The proposed rule implements a requirement under Section 1071 that banks limit certain employees’ and officers’ access to certain data. CFPB refers to this as the “firewall.” Pursuant to the proposed rule, an employee or officer of a bank or bank’s affiliate who are involved in making any determination concerning the applicant’s covered application would be prohibited from accessing an applicant’s responses to inquiries that the bank made regarding whether the applicant is a minority- or woman-owned business. Such employees are also restricted from information about an applicant’s ethnicity, race, and sex of the applicant’s principal owners.

There are exceptions to the requirement if it is not feasible to limit such access, as that factor is further set forth in the proposal. If an exception is permissible under the proposal, notice must be given to the application regarding such access. Again, CFPB has created model language for such notice.

Recordkeeping and Enforcement

The proposal establishes certain recordkeeping requirements, including a three year retention period for small business lending application registers. The proposal also includes a requirement to maintain an applicant’s responses to Section 1071 inquiries regarding whether an applicant is a minority- or women-owned business, and responses regarding the ethnicity, race, and sex of the applicant’s principal owners, separate from the rest of the application and accompanying information.

The proposal does include enforcement for violations of the new rules, addresses bona fide errors, and provides for a safe harbor.

Learn More and Get Involved

The proposal and additional information, including a chart of the proposed data collection points, may be viewed at: https://www.consumerfinance.gov/rules-policy/rules-under-development/small-businesslending-data-collection-under-equal-credit-opportunity-act-regulation-b/

WBA will comment on the proposal and will create a template letter for bankers to use in providing their own comments to CFPB regarding the impact the proposal will have on the bank. Comments are due 90 days from publication of the proposed rule in the Federal Register. At time of publication of the article, the proposal had not yet been published. CFPB has proposed mandatory compliance of a final rule be eighteen months after its effective date. WBA Legal is creating a working group to collect data and concerns from Wisconsin’s bankers on the proposal. If you wish to be part of the working group, please contact WBA Legal at wbalegal@wisbank.com.

This article originally ran in the September 2021 edition of the WBA Compliance Journal, to view the entire publication, click here.

The Wisconsin Supreme Court (Court) recently decided two cases to allow the Wisconsin Department of Natural Resources (DNR) to place permit restrictions on large livestock farms and high-capacity wells as a way to protect Wisconsin’s water. The issue in both cases is whether DNR had the authority under Wisconsin law to issue permits with conditions. 

In both cases, the Court looked to language used in Sec. 227.10(2m) Wis. Stats. and determined that (1) agencies’ actions under administrative law need be supported by explicit, not specific, statutory or regulatory authority; and (2) that explicit authority can be broad in scope. As a result of the two decisions, DNR was given broader authority than many believed was permissible since enactment of 2011 Wisconsin Act 21 (Act 21) because the agency actions authorized by the Court are not specifically stated in the statute sections in question. The following is a summary of the two cases.   

Kinnard Farms  

In the first case, Kinnard operates a large, concentrated animal feeding operation (CAFO). Kinnard wanted to expand its dairy operations by building a second site and adding 3,000 dairy cows. The expansion required Kinnard to apply to DNR for reissuance of its Wisconsin Pollutant Discharge Elimination System (WPDES) permit to include both the original site and the proposed expansion. DNR approved the application and reissued Kinnard’s WPDES permit.  

Persons (petitioners) living near the CAFO sought review of the reissued WPDES permit because of their proximity to the farm, had private drinking wells, and were concerned the proposed expansion would exacerbate current groundwater contamination issues. The petitioners alleged that the reissued WPDES permit was inadequate because, among other things, it did not set a “maximum number of animal units” or “require monitoring to evaluate impacts to groundwater.”  

DNR granted the petitioners a contested case hearing and the matters were referred to an administrative law judge (ALJ). Kinnard filed for summary judgment alleging DNR lacked statutory authority to impose the conditions, citing Act 21. The ALJ denied the motion and conducted a four-day evidentiary hearing during which community members who lived or worked near the CAFO testified about contamination of well water and the impact the contamination had on their businesses, homes, and daily lives. Based upon evidence presented by residents and experts, the ALJ determined that DNR had “clear regulatory authority” to impose the two conditions disputed upon Kinnard’s reissued WPDES permit.  

Ultimately the matter was argued to the Court. The issue in the case involved sec. 227.10(2m), Wis. Stats., which dictates that “[n]o agency may implement or enforce any standard, requirement, or threshold…unless that standard, requirement, or threshold is explicitly required or explicitly permitted by statute or by a rule that has been promulgated in accordance with this subchapter.” (emphasis added). The parties disputed the meaning of “explicitly required or explicitly permitted” in the context of DNR imposing conditions upon Kinnard’s reissued WPDES permit.  

Kinnard asserted that explicit means specific, and that in the absence of statutory or administrative authority, DNR must first promulgate a rule in order to impose the conditions upon its reissued WPDES permit. The DNR and petitioners counter that such a reading of “explicitly required or explicitly permitted” was too narrow, and that Kinnard had overlooked the explicit, but broad, authority given to DNR in Secs. 283.31(3) – (5) Wis. Stats. to prescribe such conditions.  

The Court first looked to dictionary definitions of the term “explicit” and revised Sec. 227.10(2m) in context and determined explicit authority can be broad in scope. The court next examined the text of Secs. 283.31(3) – (5), and related regulations, to determine whether DNR had explicit authority to impose an animal unit maximum and off-site groundwater monitoring conditions upon Kinnard’s reissued WPDES permit. The Court held that while the statute sections do not specifically state an animal unit limit or off-site ground water monitoring, DNR did have explicit authority to prescribe both conditions when it reissues the WPDES permit.  

The Court determined that (1) agencies’ actions under administrative law need be supported by explicit, not specific, statutory or regulatory authority; and (2) that explicit authority can be broad in scope.   

High-Capacity Wells 

In a second case, the Court also reviewed whether Sec. 227.10(2m) Wis. Stats. allowed for DNR to consider the potential environmental effects of proposed high-capacity wells when such consideration is not required under Sec. 281.34(4) Wis. Stats.  

For some types of wells, DNR is required to follow a specific process in its environmental review of a well application. For other types of wells, a specific process is not required; however, DNR often still considers the potential environmental impact of a proposed well when considering a well application. Eight well applications in dispute in the case where the type that no specific environmental review was required. DNR did have information that the wells would negatively impact the environment. DNR approved the eight applications knowing of the wells impact having concluded it did not have the authority to consider the proposed wells’ environmental impact. 

Clean Wisconsin and the Pleasant Lake Management District (collectively, Clean Wisconsin) appealed DNR’s action arguing DNR’s decision was contrary to the Court’s decision in the Lake Beulah Management District v. DNR (2011 WI 54, 335 Wis. 2d 47, 799 N.W.2d 73) case. In Lake Beulah, the Court held that DNR had the authority and discretion to consider the environmental effects of all proposed high-capacity wells under the public trust doctrine when it determined that a proposed well would harm other waters in Wisconsin.  

DNR argued the Lake Beulah court case was no longer good law because Act 21 had since become law and the law limits an agency’s action to only those “explicitly required or explicitly permitted to state or by a rule.” The eight well applications were for the type of wells for which there was no formal environmental review under Sec. 281.34 Wis. Stats. DNR had also relied on a past Attorney General opinion which stated the agency could not rely on the public-trust authority and could not rely upon the Lake Beulah case as that would not withstand the requirements under Wis. Stats. Sec. 227.10(2m) (OAG-01-16).   

With respect to the high-capacity well applications, the Court ruled in favor of Clean Wisconsin having determined DNR has explicit authority, based upon its broad public trust authority under Secs. 281.11 and 281.22 Wis. Stats., to determine the environmental impact of high-capacity wells despite the fact that Sec. 281.34 does not specifically state such requirement. The Court’s finding reaffirmed the Court’s Lake Beulah decision despite enactment of Act 21.  

Take Away from Cases 

The interesting and concerning parts of the decisions is that after the passage of Act 21, many took the revised language of Sec. 227.10(2m) Wis. Stats. to mean that for an agency to act, the action had to be specifically stated or provided for within statutory language or administrative rule. If the action was not within such language, the agency would first have to promulgate a rule or otherwise change statutory language for the agency to take the actions desired.  

However, given how the Court has interpreted “explicit” in the two cases, that may not be the case. It is possible that because of the two Court decisions, an agency make act regardless of the action not being stated within statutory language or administrative rule. Instead, it is possible an agency may rely on its broader authority for action.  

Financial institutions should keep the decisions of the two Court cases in mind when considering whether an agency has the authority to act in a particular manner. Financial institutions should be cautious that just because an action is not specifically found within statute or rule, the action may still be authorized under a broader, explicit authority. Despite the passage of Act 21, agency action could be broad.  

As is often the case, one should read the dissenting opinions of both cases. The dissenting opinions outline the concerns of many regarding how broad an agency may act despite Act 21, despite the fact the agency’s actions were not specifically stated within statute or administrative rule in connection with reissuing an WPDES permit or when approving the type of well applications involved in the high-capacity well case, and despite the Court’s previous decision under Tetra Tech EC Inc. v. Wisconsin Dep’t of Revenue, 2018 WI 75, 373 Wis.2d 2387, 890 N.W.2d. 598. The decisions appear to give back to agencies potentially broad authority.  

Conclusion 

In both cases, the Court looked to language used in Wis. Stats. Sec. 227.10(2m) and determined that (1) agencies’ actions under administrative law need be supported by explicit, not specific, statutory or regulatory authority; and (2) that explicit authority can be broad in scope. As a result of the two decisions, DNR was given broader authority than many believed was permissible since enactment of Act 21 and Tetra Tech. Financial institutions need be aware of the Court decisions and be cautious that just because an action is not specifically found within statute or rule, the action may still be authorized under an agency’s broader, explicit authority. 

Clean Wisconsin et. Al v. Wis. Dep’t of Natural Resources, 2021 WI 71 (Kinnard Farm) decision may be viewed at: https://www.wicourts.gov/sc/opinion/DisplayDocument.pdf?content=pdf&seqNo=386188  

Clean Wisconsin and Pleasant Lake Mgmt. Dist. v. Wis. Dep’t of Natural Resources, 2021 WI 72 (High-Capacity Wells) decision may be viewed at: https://www.wicourts.gov/sc/opinion/DisplayDocument.pdf?content=pdf&seqNo=385454  

By, Ally Bates

This article originally appeared in the January 2021 edition of the WBA Compliance Journal, click here to view the full edition.

On December 15, 2020, the Federal Deposit Insurance Corporation (FDIC) finalized rules designed to modernize its existing brokered deposit rules. Brokered deposits are funds managed by a deposit broker. Meaning, an individual who accepts and places funds in investment instruments at financial institutions, on behalf of others. 

The final rule establishes a new framework for determining who is a “deposit broker.” It also amends the methodology for calculating the national rate, national rate cap, and the local market rate cap. Lastly, it explains when nonmaturity deposits are accepted and when nonmaturity deposits are solicited for purposes of applying the brokered deposits and interest rate restrictions. This article provides background information on what brokered deposits are, and focuses on two aspects of the final rule: the definition of “deposit broker” and interest rate restrictions.

Background

Significance of Regulation under Current Rules

Brokered deposits are a significant source of assets for some institutions. However, despite being a potential source of liquidity, many institutions avoid brokered deposits entirely due to complex regulation that often renders them impractical despite their utility as a deposit tool.

Application of the brokered deposit regulation is sweeping and complex, including sub-categories such as sweep programs, reciprocal deposits, and general purpose prepaid cards. FDIC has broad discretion in application of its rules, which involves complex methodologies for determining and adjusting rates. Furthermore, during the period of rulemaking, FDIC issued nearly 100 interpretations, advisories, and studies attempting to clarify who is a deposit broker. 

As technologies continue to evolve, and the financial industry follows those trends, the brokered deposit regulation, designed before the age of online banking, has become outdated. For example, the sweeping coverage of the regulation means institutions seeking deposits through the internet could be subject to interest rate caps.

At first glance, the regulation’s rate cap limitations may only seem to harm community banks, but it is an issue that affects banks both small and large. On the community bank side, FDIC bases the caps on what larger banks offer. In reality, the result can easily become a cap based on factors beyond what the community bank may be able to offer. By rule, the rate caps only apply to less than well capitalized institutions. However, regulators have looked to the limits during exams, regardless of capital levels, pointing to potential volatility. Furthermore, under its 2009 calculation method, current rate caps lag behind what a customer may obtain from other sources, such as the Treasury.

Legal Background

As a matter of statutory framework, Section 29 of the Federal Deposit Insurance Act (FDI Act) restricts the acceptance of deposits by certain insured depository institutions (IDIs) from a deposit broker. In summary, the law’s original restrictions include:

  1. Limiting acceptance of brokered deposits to well capitalized IDIs.
  2. Less than well capitalized institutions may only offer brokered deposits under certain circumstances, and with restricted rates.

The inception of brokered deposits came with the ability to transfer funds electronically. Technologies made it quick, easy, and cheap to access un-reached markets. With brokered deposits came greater bank liquidity and growth. After the 1980 financial crisis, FDIC’s study of brokered deposits lead to rules written in 1989 and amended in 1991 as the product and its use was believed to be riskier than traditional core deposits. 

In 2018, the Economic Growth, Regulatory Relief, and Consumer Protection Act amended Section 29 of the FDI Act to except a capped amount of certain “reciprocal deposits” from treatment as brokered deposits. On February 6, 2019, FDIC published an advance notice of proposed rulemaking and request for comment on unsafe and unsound banking practices: brokered deposits and interest rate restrictions (ANPR). A proposed rule followed on February 10, 2020. WBA commented on both the ANPR and the proposed rule. FDIC has now issued a final rule. The final rule takes effect on April 1, 2021, with mandatory compliance by January 1, 2022.

Summary of Final Rule

The final rule establishes a new framework for analyzing certain provisions of the “deposit broker” definition, including “facilitating” and “primary purpose.” In the final rule, FDIC designates certain business relationships as meeting the primary purpose exception and allows IDIs and third parties that wish to utilize the primary purpose exception but do not meet one of the designated exceptions to apply for a primary purpose exception.

The final rule’s interest rate restrictions relate to less than well capitalized IDIs. Under the final rule, FDIC amended the methodology for calculating the national rate and national rate cap for specific deposit products. The national rate would be the weighted average of rates paid by all IDIs on a given deposit product, for which data are available, where the weights are each institution’s market share of domestic deposits. 

Definition of “Deposit Broker”

Section 29 of the FDI Act provides that a person is a “deposit broker” if they are engaged in the business of placing deposits, or facilitating the placement of deposits, of third parties with IDIs or the business of placing deposits with IDIs for the purpose of selling interests in those deposits to third parties. The definition also includes an agent or trustee who establishes a deposit account to facilitate a business arrangement with an IDI to use the proceeds of the account to fund a prearranged loan. The statute does not further define the categories that make up the definition of “deposit broker.” The final rule defines “deposit broker” as follows:

  • Any person engaged in the business of placing deposits of third parties with IDIs; 
  • Any person engaged in the business of facilitating the placement of deposits of third parties with IDIs;
  • Any person engaged in the business of placing deposits with IDIs for the purpose of selling those deposits or interests in those deposits to third parties; and
  • An agent or trustee who establishes a deposit account to facilitate a business arrangement with an IDI to use the proceeds of the account to fund a prearranged loan.

The discussion below elaborates on the first three bullet points of the final rule’s definition of deposit broker.

Engaged in the Business of Placing Deposits

The amended definition provides that a person is engaged in the business of placing deposits of third parties if that person receives third party funds and places those funds at more than one IDI. FDIC considers a person to be engaged in the business of placing deposits if that person has a business relationship with its customers, and as part of that relationship, places deposits with IDIs on behalf of the customer. Thus, the final rule amended the first bullet point of the “deposit broker” definition by providing that the person must have a business relationship with its customers, and as part of that relationship, receive customer funds and place those funds with IDIs on behalf of the customer. 

Engaged in the Business of Facilitating the Placement of Deposits

The “facilitation” part of the definition refers to activities where the person does not directly place deposits on behalf of its customers with IDIs. Under the final rule, a person is engaged in the business of facilitating the placement of deposits of third parties with IDIs, by, while engaged in business, with respect to deposits placed at more than one IDI, engaging in one or more of the following activities: 

  • The person has legal authority, contractual or otherwise, to close the account or move the third party’s funds to another IDI; 
  • The person is involved in negotiating or setting rates, fees, terms, or conditions for the deposit account; or 
  • The person engages in matchmaking activities.

The activities that result in a person being “engaged in the business of facilitating the placement of deposits” is intended to capture activities that indicate that the third party takes an active role in the opening of an account or maintains a level of influence or control over the deposit account even after the account is open. Having a certain level of influence over account opening or retaining a level of control over the movement of customer funds after the account is open, indicates that the deposit relationship is between the depositor and the person rather than the depositor and the IDI.

It is worth discussing a portion of the proposed rule to better understand why FDIC has finalized certain aspects of the rule as discussed above. Under the proposed rule, a number of entities, such as financial technology companies that partner with financial institutions through the regular course of business including data processing, web servicing, consulting, and advertising would have met the “deposit broker” definition. A number of groups, including WBA, commented that inclusion of such businesses would be inappropriate. In the final rule, FDIC agreed this was an unintended consequence. 

Thus, under the final rule, any person that has an exclusive deposit placement arrangement with one IDI and is not placing or facilitating the placement of deposits at any other IDI, will not be “engaged in the business” of placing, or facilitating the placement of, deposits and therefore will not meet the “deposit broker” definition. FDIC notes that under these arrangements, the third party has developed an exclusive business relationship with the IDI and, as a result, is less likely to move its customer funds to other IDIs in a way that makes the deposits less stable.

Engaged in the Business of Placing Deposits with IDIs for the Purpose of Selling Interests

This part of the definition specifically captures brokered certificates of deposit (CDs). These are typically deposit placement arrangements where brokered CDs are issued in wholesale amounts by an institution seeking to place funds under certain terms and sold through a registered broker-dealer to investors, typically in fully insured amounts. 

FDIC noted in the final rule that it intends that third parties that assist in the placement of brokered CDs, or any similar deposit placement arrangement with a similar purpose, will continue to be considered deposit brokers under this part of the deposit broker definition, regardless of any future innovations or re-structuring in the brokered CD market.

Exceptions to the Definition of “Deposit Broker”

FDI Act Section 29 provides nine statutory exceptions to the definition of deposit broker and FDIC has previously established one regulatory exception to the definition. Originally, FDIC had proposed revisions to the following two exceptions:

  • The exception for an IDI, with respect to funds placed with that depository institution (IDI exception). 
  • The exception for an agent or nominee whose primary purpose is not the placement of funds with depository institutions (primary purpose exception).

The final rule takes a different approach than the proposed rule, as discussed below.

IDI Exception

The final rule did not adopt the proposed changes to the IDI exception. However, the final rule does provide some discussion with regard to why, including treatment of “dual-hatted” employees, which is worth noting.

The IDI exception excludes an IDI from the definition of deposit broker when it, or its employee, places funds at the institution. FDIC proposed changes to expand the IDI Exception to permit wholly owned subsidiaries that meet certain criteria to be eligible for the exception. As discussed above, the final rule’s definition of deposit broker does not include third parties that have an exclusive deposit placement arrangement with one IDI. Thus, wholly owned subsidiaries that would have met the proposed IDI exception, will not meet the “deposit broker” definition under the final rule. Thus, FDIC determined that expansion of the IDI exception was no longer necessary.

However, FDIC did take a moment in the final rule to discuss applicability of the IDI exception to “dual-hatted” or “dual” employee. FDIC noted that the statutory “employee” exception applies solely to an “employee” who satisfies the definition of an employee provided by the statute. The statute defines an “employee” as any employee: 

  • Who is employed exclusively by the IDI; 
  • Whose compensation is primarily in the form of a salary; 
  • Who does not share such employee’s compensation with a deposit broker; and 
  • Whose office space or place of business is used exclusively for the benefit of the IDI, which employs such individual.

FDIC stated that the exception does not apply to a contractor or dual employee because they are not employed exclusively by IDIs. The exception would, however, apply to “dual-hatted” employees that are employed exclusively by the institution so long as the employees meet each of the other statutory elements of the “employee” definition.

Primary Purpose Exception

Under the final rule, the primary purpose exception applies when, with respect to a particular business line, the primary purpose of the agent’s or nominee’s business relationship with its customers is not the placement of funds with depository institutions, and whether an agent or nominee qualifies for the primary purpose exception will be based on analysis of the agent’s or nominee’s relationship with those customers.

The final rule also identifies a number of specific business relationships, known as “designated business exceptions,” as meeting the primary purpose exception. Additionally, businesses that do not qualify for a designated exception may submit an application to FDIC for consideration under the primary purpose exception. Please refer to the final rule for the full list of business relationships that qualify for the designated exceptions.

Interest Rate Restrictions

Under Section 29 of the FDI Act, well capitalized institutions are not subject to any interest rate restrictions. However, the statute imposes interest rate restrictions on IDIs that are less than well capitalized, as defined in Section 38 of the FDI Act. The statutory interest rate restrictions generally limit a less than well capitalized institution from offering rates on deposits that significantly exceed rates in its prevailing market.

Under current regulations, an institution that is not well capitalized generally may not offer deposit rates more than 75 basis points above the national rate for deposits of similar size and maturity. The national rate is currently defined as a simple average of rates paid by all IDIs and branches that offer and publish rates for specific products. If an institution believes that the posted national rates do not represent the actual rates in the institution’s local market area, the institution may present evidence to FDIC that the prevailing rate in a particular market is higher than the national rate. If FDIC agrees with the evidence, the institution would be permitted to pay as much as 75 basis points above the local prevailing rate for deposits solicited in its local market area. 

The final rule amends FDIC’s methodology for calculating the national rate, the national rate cap, and the local rate cap. The final rule also provides a new simplified process for institutions that seek to offer a competitive rate when the prevailing rate in an institution’s local market area rate exceeds the national rate cap. The following highlights changes made by the final rule.

National Rate Methodology and National Rate Cap

The final rule adopts the national rate methodology generally as proposed but revised it to include the rates offered by credit unions. 

The national rate cap now is the higher of: 

  1. The national rate (weighted average of rates paid by all IDIs and credit unions on a given deposit product, where the weights are each institution’s market share of deposit deposits), plus 75 basis points; or
  2. 120 percent of the current yield on similar maturity U.S. Treasury obligations, plus 75 basis points, or in the case of nonmaturity deposits, the federal funds rate plus 75 basis points. 

Local Market Rate Cap

The final rule adopts a local market rate cap of 90 percent of the highest offered rate in the institution’s local market geographic area. A less than well capitalized institution would be permitted to provide evidence that any bank or credit union with a physical presence in its local market area offers a rate on a particular deposit product in excess of the national rate cap. The local market area could include the State, county, or metropolitan statistical area, in which the IDI accepts or solicits deposits. 

The final rule also eliminates the current two-step process where less than well capitalized institutions request a high rate determination from FDIC and, if approved, calculate the prevailing rate within local markets. Instead, a less than well capitalized institution would be required to notify FDIC that it intends to offer a rate that is above the national rate cap and provide evidence that an IDI or credit union with a physical presence in the less than well capitalized institution’s normal market area is offering a rate on a particular deposit product in its local market area in excess of the national rate cap.

Conclusion

The final rule represents long-awaited changes to brokered deposit rules. As discussed above, the final rule establishes a new framework for the definition of who is a “deposit broker” and methodology for calculating the national rate and national rate cap for certain deposit products. 

The final rule is effective on April 1, 2021. The mandatory compliance date is January 1, 2022. Entities may begin relying upon the provisions of the final rule as of April 1, 2021, and will have to comply with any applicable reporting requirements. It is also worth noting that the mandatory compliance date of January 1, 2022, permits entities to continue reliance upon existing staff advisory opinions or other interpretations until that date. However, upon January 1, 2022, previous staff advisory opinions will be moved to inactive status.

It is also important to note that due to the recent change in the federal administration, it is possible a delay in the implementation of the final rule may occur as a result of the new administration reviewing the rule. The review of a rule that has been finalized but not yet published, or is not yet effective, is a routine review any time there is a change in administration. WBA will continue to monitor the status of this and other rules under review. The notice may be viewed at: www.whitehouse.gov/briefing-room/presidential-actions/2021/01/20/regulatory-freeze-pending-review/ 

The final rule may be viewed at: https://www.govinfo.gov/content/pkg/FR-2021-01-22/pdf/2020-28196.pdf

By, Ally Bates

The Board of Governors of the Federal Reserve System and the Financial Crimes Enforcement Network (agencies) issued a joint notice of proposed rulemaking on October 27, 2020 to lower the threshold for rules related to recording and transmitting information on certain funds transfers and transmittals of funds. The Recordkeeping Rule requires financial institutions to collect and retain information related to funds transfers and transmittals. The Travel Rule requires financial institutions to transmit information on certain funds transfers and transmittals of funds to other financial institutions participating in the transmittal. Both Rules apply to amounts of funds in amounts of $3,000 or more. The agencies have proposed to reduce this threshold to $250. 
 
WBA submitted comments to oppose the threshold reduction, pointing to increased burdens it would create as a result of necessary procedure and software changes. The proposal would also redefine the term “money” for purposes of defining “payment order” and “transmittal order” in order to clarify those terms include convertible virtual currency. Because Wisconsin law does not define virtual currency, WBA requested the agencies provide a better definition of virtual currencies. Click here to view the letter. 

By, Ally Bates

This is the Special Focus section of the September 2020 edition of Compliance Journal, click here to view the entire edition.

The Bureau of Consumer Financial Protection (CFPB) has proposed the creation of a new category of qualified mortgages (QM) named Seasoned QM.  

As a general matter, the Ability-to-Repay/Qualified Mortgage Rule (ATR Rule) requires a creditor to make a reasonable, good faith determination of a consumer’s ability to repay a residential mortgage loan according to its terms. Loans that meet the ATR Rule requirements for QMs obtain certain protections from liability. CFPB stated it created the Seasoned QM category to complement existing QM definitions and to help ensure access to responsible, affordable mortgage credit—especially given the upcoming sunset of the temporary GSE QM category. CFPB also stated it seeks to encourage safe and responsible innovation in the mortgage origination market, including for certain loans that are not QMs or are only rebuttable presumption QMs under existing QM categories. 

Under the proposed rule, a covered transaction would receive a safe harbor from ATR liability at the end of a 36-month seasoning period as a Seasoned QM if it satisfies certain product restrictions, points-and-fees limits, and underwriting requirements. The following is an overview of the restrictions and requirements of the proposed Seasoned QM. 

Product Restrictions and Underwriting Requirements 

A covered transaction must meet the following product restrictions to be eligible to become a Seasoned QM: 

  1. The loan is secured by a first lien; 
  2. The loan has a fixed rate, with fully amortizing payments, and no balloon payment; 
  3. The loan term does not exceed 30 years; and 
  4. The total points and fees do not exceed 3 percent of the loan amount.  

For a loan to be eligible to become a Seasoned QM, the proposal requires that the bank consider the consumer’s debt-to-income (DTI) ratio or residual income and verify the consumer’s debt obligations and income. Similar to the existing Small Creditor QM category, the proposal does not specify a DTI limit. Additionally, the bank is not required to use Appendix Q to Regulation Z in calculating and verifying debt and income. The proposed commentary provides that a loan that complies with the consider and verify requirements of any other QM definition is deemed to comply with the consider and verify requirements of the Seasoned QM.  

Portfolio Requirement 

The proposed rule also sets forth a portfolio requirement for the new category. To be a Seasoned QM, the covered transaction cannot be subject, at consummation, to a commitment to be acquired by another person; and, legal title to the covered transaction cannot be sold, assigned, or otherwise transferred to another person before the end of the seasoning period. The proposal provides for two exemptions from this portfolio requirement in that the covered transaction may be sold, assigned, or otherwise transferred to another person pursuant to a capital restoration plan or prompt correction action, other action or instruction from a person acting as conservator, receiver, or bankruptcy trustee, or an order of the bank’s state or federal regulator. The covered transaction may also be sold, assigned, or otherwise transferred pursuant to a merger or acquisition of the bank with another person. 

The exemptions to the portfolio requirement apply not only to an initial sale, assignment, or other transfer by the originating creditor, but to subsequent sales, assignments, and other transfers as well. For example, assume Bank A originates a covered transaction that is not a QM at origination. Six months after consummation, the covered transaction is transferred to Bank B pursuant to merger of the two banks. The transfer does not violate the portfolio requirements of the proposed rule because the transfer is as a result of a merger. If Bank B sells the covered transaction before the end of the seasoning period, the covered transaction is not eligible to season into a QM under the Seasoned QM rules unless the sale falls within one of the two listed exemptions.  

As outlined, a covered transaction sold pursuant to a capital restoration plan under a prompt corrective action before the end of the seasoning period does not violate the proposed rule’s portfolio requirements. However, if the bank simply chose to sell the same covered transaction as one way to comply with general regulatory capital requirements in the absence of supervisory action or agreement, then the covered transaction cannot become a QM as a Seasoned QM, though it could qualify under another definition of QM.  

Seasoning Period 

The “seasoning period” means a period of 36 months beginning on the date on which the first periodic payment is due after consummation of the covered transaction, except that if there is a delinquency of 30-days or more at the end of the 36th month of the seasoning period, the seasoning period does not end until there is no delinquency. The seasoning period also does not include any period during which the consumer is in a temporary payment accommodation extended in connection with a disaster or pandemic-related national emergency, provided that during or at the end of the temporary payment accommodation there is a qualifying change or the customer cures the loan’s delinquency under its original terms.  

If during or at the end of the temporary payment accommodation in connection with a disaster or pandemic-related national emergency there is a qualifying change or the consumer cures the loan’s delinquency under its original terms, the seasoning period consists of the period from the date on which the first periodic payment was due after consummation of the covered transaction to the beginning of the temporary payment accommodation and an additional period immediately after the temporary payment accommodation ends, which together must equal at least 36 months.  

The proposed rule defines a “qualifying change” to mean an agreement that: (a) is entered into during or after a temporary payment accommodation in connection with a disaster or pandemic-related national emergency and must end any pre-existing delinquency on the loan obligation when the agreement takes effect; (b) the amount of interest charged over the full term of the loan does not increase as a result of the agreement; (c) there is no fee charged in connection with the agreement; and (d) all existing late fees, penalties, stop payment fees, or similar charges are promptly waived upon the consumer’s acceptance of the agreement.  

A “temporary payment accommodation in connection with a disaster or pandemic-related national emergency” is defined to mean temporary payment relief granted to a consumer due to financial hardship caused directly or indirectly by a presidentially declared emergency or major disaster under the Robert T. Stafford Disaster Relief and Emergency Assistance Act or a presidentially declared pandemic-related national emergency under the National Emergencies Act. Examples of temporary payment accommodations in connection with a disaster or pandemic-related national emergency include, but are not limited to, a trial loan modification plan, a temporary payment forbearance program, or a temporary repayment plan.  

Consumer Payment Performance Requirements 

The proposed rule also requires certain payment performances by the consumer. To be a Seasoned QM, the covered transaction must have no more than two delinquencies of 30 or more days and no delinquencies of 60 or more days at the end of the seasoning period. “Delinquency” is defined in the proposed rule to mean the failure to make a periodic payment (in one full payment or in two or more partial payments) sufficient to cover principal, interest, and, if applicable, escrow by the date the periodic payment is due under the terms of the legal obligation. Other amounts, such as any late fees, are not considered for this purpose. The “due date” is the date the payment is due under the terms of the legal obligation, without regard to whether the consumer is afforded a period after the due date to pay before being accessed a late fee.  

Further, a periodic payment is 30 days delinquent when it is not paid before the due date of the following scheduled periodic payment. A periodic payment is 60 days delinquent if the consumer is more than 30 days delinquent on the first of two sequential scheduled periodic payments and does not make both sequential scheduled payments before the due date of the next scheduled periodic payment after the two sequential scheduled periodic payments. For example, assume a loan is consummated on October 15, 2022, that the consumer’s periodic payment is due on the 1st of each month, and that the consumer timely made the first periodic payment due on December 1, 2022. For purposes of determining delinquency under the proposed rule, the consumer is 30 days delinquent if the consumer fails to make a payment (sufficient to cover the scheduled January 1, 2023 periodic payment of principal, interest, and, if applicable, escrow) before February 1, 2023. The consumer is 60 days delinquent if the consumer then fails to make two payments (sufficient to cover the scheduled January 1, 2023 and February 1, 2023 periodic payments of principal, interest, and, if applicable, escrow) before March 1, 2023.  

For any given billing cycle for which a consumer’s payment is less than the periodic payment due, a consumer is not delinquent as defined in the proposed rule if: (a) the servicer chooses not to treat the payment as delinquent for purposes of RESPA, Regulation X, if applicable; (b) the payment is deficient by $50 or less; and (c) there are not more than three such deficient payments treated as not delinquent during the seasoning period.  

Conclusion  

CFPB has proposed the creation of a Seasoned QM category as means to complement existing QM definitions and to help ensure access to responsible, affordable mortgage credit. A covered transaction would receive a safe harbor from ATR liability at the end of a 36-month seasoning period as a Seasoned QM if it satisfies certain product restrictions, points-and-fees limits, and underwriting requirements as outlined above.  

CFPB has proposed that a final rule relating to the proposal would take effect on the same date as a final rule to amend the General QM definition. Comments regarding the proposed Seasoned QM category were initially due September 28, 2020; however, CFPB has
since extended the comment period until October 1, 2020. WBA plans to file comments in general support of the proposal while offering several recommendations of change for CFPB to consider. Click here to view the proposal.

By, Ally Bates

On July 7, 2020, the Bureau of Consumer Financial Protection (CFPB) issued two new frequently asked questions regarding Regulation C, Home Mortgage Disclosure Act (HMDA), reporting requirements for financial institutions. The FAQs discuss reporting of multiple data points when certain factors are relied upon in making a credit decision. 

Multiple Data Points 

The first question asks whether financial institutions are required to report the credit score, debt-to-income ratio (DTI), and combined loan-to-value ratio (CLTV) relied on in making a credit decision when such data is not the dispositive factor? CFPB responds that yes, credit underwriting data such as credit score, DTI, and CLTV must be reported if they were a factor relied on in making a credit decision—even if the data was not the dispositive factor.  
 
For purposes of Regulation C, it does not matter whether the application is approved or denied; if certain data was relied on in making a credit decision, such data must be reported. For example, if the credit score was relied on in making a credit decision, the credit score must be reported. If the financial institution denied the application because the application did not satisfy one or more underwriting requirements other than the credit score, the financial institution is still required to report the credit score relied on. The same analysis applies to the reporting of CLTV and DTI.  

The second question asks if, when income and property value are factors in the credit decision, though not the dispositive factor, should such data points be reported? CFPB responds that yes, when a credit decision is made, Regulation C requires reporting of the data “relied on in making the credit decision.” Hence, if these data are relied on in making a credit decision, such data must be reported.  

There is no requirement in Regulation C for either of these data points to be the dispositive factor in order to be reported. Specifically, the commentary explains that when a financial institution evaluates income as part of a credit decision, it must report the gross annual income relied on in making the credit decision. For example, if an institution relies on the verified gross income of an applicant to make a credit decision, the institution is required to report the verified gross income. The comment does not state that verified gross annual income must be dispositive in the credit decision.  

The commentary also provides a similar narrative for property value. Income and property value apply the relied-on standard in a similar way to credit score, DTI, and CLTV and should, therefore, be reported if relied on in making a credit decision.  

Conclusion 

The FAQs emphasize specific factors that, when relied upon in making a credit decision, must be reported. The data points are required even when the information is not the dispositive factor in a credit decision. 
 
The FAQs can be found here. 

By, Ally Bates

The below article is the Special Focus section of the August 2020 Compliance Journal. The full issue may be viewed by clicking here.

On August 3, 2020, the Financial Crimes Enforcement Network (FinCEN) issued three new frequently asked questions regarding customer due diligence (CDD) requirements for financial institutions. The new FAQs clarify the regulatory requirements related to obtaining customer information, establishing a customer risk profile, and performing ongoing monitoring of the customer relationship. 
 
Risk-Based Procedures 
 
The first question in the FAQs asks whether financial institutions must request certain information at account opening and on an ongoing basis. Specifically, must a financial institution: 

  • collect information about expected activity on all customers at account opening, or on an ongoing or periodic basis; 
  • conduct media searches or screening for news articles on all customers or other related parties, such as beneficial owners, either at account opening, or on an ongoing or periodic basis; or  
  • collect information that identifies underlying transacting parties when a financial institution offers correspondent banking or omnibus accounts to other financial institutions (i.e., a customer’s customer)? 

FinCEN responds that the CDD Rule does not categorically require: 

  1. the collection of any particular customer due diligence information (other than that required to develop a customer risk profile, conduct monitoring, and collect beneficial ownership information);  
  2. the performance of media searches or particular screenings; or 
  3.  the collection of customer information from a financial institution’s clients when the financial institution is a customer of a covered financial institution.  

FinCEN explains that a financial institution must make a risk assessment of the customer to determine whether additional information is necessary in order to develop its understanding of the nature and purpose of the customer relationship. Financial institutions must establish policies, procedures, and processes for determining whether and when, on the basis of risk, to update customer information to ensure that customer information is current and accurate.  

Customer Risk Profile 

The second question asks whether covered financial institution must: 

  • use a specific method or categorization to risk rate customers; or 
  • automatically categorize as “high risk” products and customer types that are identified in government publications as having characteristics that could potentially expose the institution to risks? 

FinCEN responds that it is not a requirement for financial institutions to use a specific method or categorization to establish a customer risk profile. Further, financial institutions are not required or expected to automatically categorize as “high risk” products or customer types listed in government publications.  
 
Various government publications provide information and discussions on certain products, services, customers, and geographic locations that present unique challenges and exposures regarding illicit financial activity risks. However, even within the same risk category, a spectrum of risks may be identifiable and due diligence measures may vary on a case-by-case basis. 

A covered financial institution should have an understanding of the money laundering, terrorist financing, and other financial crime risks of its customers to develop the customer risk profile. Furthermore, the financial institution’s program for determining customer risk profiles should be sufficiently detailed to distinguish between significant variations in the risks of its customers. There are no prescribed risk profile categories, and the number and detail of these categories can vary. 
 
Ongoing Monitoring of the Customer Relationship 

The third question asks whether it is a requirement that financial institutions update customer information on a specific schedule. FinCEN answers that there is no categorical requirement that financial institutions update customer information on a continuous or periodic schedule.  

The requirement to update customer information is risk-based and occurs as a result of normal monitoring. Should a financial institution become aware, as a result of its ongoing monitoring of a change in customer information (including beneficial ownership information) that is relevant to assessing the risk posed by the customer, the financial institution must update the customer information accordingly. Additionally, if the customer information is relevant to assessing the risk of a customer relationship, then the financial institution should reassess the customer risk profile/rating and follow its established policies, procedures, and processes for maintaining or changing the customer risk profile/rating. However, financial institutions, on the basis of risk, may choose to review customer information on a regular or periodic basis. 
 
Conclusion 

The FAQs help to further shape the requirements of the CDD rule. In summary, they provide that financial institutions are not automatically required to collect particular categories of information, perform screenings, or gather information for a customer’s customer (when working with another financial institution). The rule also does not set a method for establishing risk profile, or require certain risk profiles based upon listings in government publications. Lastly, there is no requirement to update customer information on a continual basis. 

While the FAQs clarify certain activities that are not specifically required, it is important to note that under certain circumstances, the concepts discussed above might be appropriate. Financial institutions must set policies and procedures to meet CDD requirements. Those policies must guide, in accordance with the considerations above, determinations as to what information the financial institution collects at account opening, how a customer relationship is risk-weighted, and what, if any, ongoing monitoring is performed. Thus, financial institutions should still review existing CDD policies and procedures considering the new FAQs. 
 
The FAQs can be found here.

By, Ally Bates

The below article is the Special Focus section of the August 2020 Compliance Journal. The full issue may be viewed by clicking here.

The Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), and National Credit Union Administration (NCUA) (collectively, the agencies) recently issued a joint statement to provide prudent risk management and consumer protection principles for financial institutions to consider while working with borrowers as loans near the end of initial loan accommodation periods applicable during the Coronavirus Disease 2019 (COVID event). The principles are consistent with the agencies’ Interagency Guidelines Establishing Standards for Safety and Soundness and are generally applicable to both commercial and retail loan accommodations. The principles are intended to be tailored to a financial institution’s size, complexity, and loan portfolio risk profile, as well as the industry and business focus of its customers. The following is a summary of the release.  

In the new guidance, the agencies recognize that while some borrowers will be able to resume contractual payments at the end of an accommodation, others may be unable to meet their obligations due to continuing financial challenges. The agencies also recognize that some financial institutions may face difficulties in assessing credit risk due to limited access to borrower financial data, COVID event-induced covenant breaches, and difficulty in analyzing the impact of COVID event-related government assistance programs. 

The agencies provide several principles to illustrate prudent practices for financial institutions in working with borrowers as loans near the end of accommodation periods, including: prudent risk management practices, well-structured and sustainable accommodations, consumer protection, accounting and regulatory reporting, and internal control systems.   

As outlined by the agencies, prudent risk management practices include identifying, measuring, and monitoring the credit risks of loans that receive accommodations. Sound credit risk management practices include applying appropriate loan risk ratings or grades and making appropriate accrual status determinations on loans affected by the COVID event. Further, the agencies believe effective management information systems and reporting helps to ensure that bank management understands the scope of loans that received an accommodation, the types of initial and any additional accommodations provided, when the accommodation periods end, and the credit risk of potential higher-risk segments in the portfolios.  

When working with borrowers who continue to experience financial challenges after an initial accommodation, the agencies believe it may be prudent for a financial institution to consider additional accommodation options to mitigate losses for the borrower and the financial institution. The effectiveness of accommodations improves when they are based on a comprehensive review of how the hardship has affected the financial condition and current and future performance of the borrower.  

When considering whether to offer additional accommodation options to a borrower, the agencies stated it is generally appropriate for the institution to assess each loan based upon the fundamental risk characteristics affecting the collectability of that particular credit. The new guidance further identifies what financial institutions should consider in its evaluation of the borrower’s financial condition and repayment capacity. The agencies also note that the COVID event may have a long-term adverse impact on a borrower’s future earnings and therefore bank management may need to rely more heavily on projected financial information for both commercial and retail borrowers when making underwriting decisions as supporting documentation may be limited, and cash flow projections may be uncertain.  
The agencies also encourage financial institutions to provide consumers with available options for repaying any missed payments at the end of their accommodation to avoid delinquencies or other adverse consequences. The agencies also encourage institutions, where appropriate, to provide consumers with options for making prudent changes to the terms of the credit product to support sustainable and affordable payments for the long term. Eight examples of generally effective approaches to risk management in this context are included in the guidance.  

The new guidance also includes a discussion regarding accounting and regulatory reporting that financial institutions need to consider for all loan modifications, including additional modifications for borrowers who may continue to experience financial hardship at the end of the initial accommodation period. Institutions are reminded to consider regulatory reporting instructions, section 4013 of the CARES Act regarding temporary relief from troubled debt restructuring, and the Interagency Statement on Loan Modifications and Reporting for Financial Institutions Working with Customers Affected by the Coronavirus (Revised).  

Lastly, the guidance sets forth the importance of internal control functions, commensurate with the size, complexity, and risk of a financial institution’s activities. The internal control functions typically include appropriate targeted testing of the process for managing each stage of the accommodation. Included in the new guidance are six examples of the type of activity the agencies believe can be confirmed through prudent testing by a financial institution’s internal control functions.  

As financial institutions work to determine whether certain borrowers need additional accommodations due to the effects of the COVID event, and in preparation of federal and state examinations resuming, the new guidance provides examples of prudent risk management and consumer protection principles that each financial institution need weigh. Additionally, the new guidance provides factors to consider when working through accounting and regulatory reporting requirements as it relates to each particular credit. The new interagency statement may be viewed at: www.ffiec.gov/press/PDF/Statement_for_Loans_Nearing_the_End_of_Relief_Period.pdf

By, Ally Bates

The below article is the Special Focus section of the July 2020 Compliance Journal. The full issue may be viewed by clicking here.

The Bureau of Consumer Financial Protection (CFPB) issued an interim final rule in late June to amend Regulation X, which implements the Real Estate Settlement Procedures Act (RESPA), to temporarily permit mortgage servicers to offer a loss mitigation option based on the evaluation of an incomplete loss mitigation application. This article provides a summary of the interim rule.  

Background and Rationale for New Rule 

A general understanding of the current compliance requirements of loss mitigation and recent mortgage servicing activity which has resulted due to the pandemic is necessary to better understand the nuances for the newly created mitigation option under the interim final rule. As a requirement of the Dodd-Frank Act, Regulation X (Reg X) was revised in 2013 to create a uniform set of procedures that mortgage servicers must follow when offering loss mitigation options to borrowers who have failed to meet the contractual obligations of their mortgage loan. The loss mitigation procedures are found in Reg X section 1024.41.  

Under current Reg X loss mitigation procedures, servicers are required to first obtain a complete loss mitigation application from the borrower before evaluating a borrower for a loss-mitigation option, such as a loan modification or short sale. Reg X defines a “complete loss mitigation application” to mean an application in connection with which a servicer has received all the information that the servicer requires from a borrower in evaluating applications for the loss mitigation options available to the borrower. A servicer is required to exercise reasonable diligence in obtaining documents and information to a complete loss mitigation application; failure to do so could result in compliance exam violations and potential civil money penalties.  

Reg X compliance requirements aside, financial institutions have now had to deal with various responses to the national emergency due to the novel coronavirus disease (COVID-19) including actions taken by mortgage owners, investors, and insurers of mortgage loans under payment forbearance programs. In particular, the Federal National Mortgage Association (Fannie Mae), Federal Home Loan Mortgage Company (Freddie Mac), Federal Housing Administration (FHA), Federal Home Loan Bank Chicago, and other owners or insurers of mortgage loans previously announced forbearance loan programs to assist borrowers with mortgage payments knowing many would not be able to work due to the steps taken under the COVID-19 national emergency. These parties also then created payment deferral programs for borrowers once they exit forbearance to help those borrowers who are unable to afford full reinstatement or a repayment plan at that time.  

Additionally, section 4022 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) allows borrowers who are experiencing financial hardship due, directly or indirectly, to the COVID-19 emergency and who have a federally-backed mortgage to have access to payment forbearance programs if the borrower submits a request to their mortgage servicer and affirms that they are experiencing a financial hardship during the COVID-19 emergency. Unfortunately, the CARES Act does not specify how borrowers who received a CARES Act forbearance must repay forborne payments. 

Given the actions by Fannie Mae, Freddie Mac and other investors/insurers to utilize forbearance and deferral programs and the requirements under the CARES Act, mortgage servicers need to reconcile those actions and requirements with the Reg X loss mitigation compliance rules to ensure no compliance violations are cited.  

As stated above, Reg X requires mortgage servicers to offer loss mitigation options only after the servicer has evaluated a complete loss mitigation application. To further ensure servicers comply with the requirement, Reg X section 1024.41(c)(2)(i) contains what is generally referred to as the “anti-evasion” rule whereby mortgage servicers cannot evade the requirement to evaluate a complete loss mitigation application for all loss mitigation options available to the borrower by offering a loss mitigation option based upon the evaluation of any information provided by a borrower in connection with an incomplete loss mitigation application except for in only two instances: 

  1. borrower delays completing a loss mitigation application for a significant period of time; and
  2. for a “short-term” mitigation plan.  

The programs being offered by mortgage owners/insurers and under the CARES Act were typically programs that would not fall within the Reg X 1024.41(c)(2) exceptions to allow a mortgage servicer to offer a loss mitigation option after review of an incomplete loss mitigation application.  

The federal banking supervisory agencies attempted to bring clarity to the issue in a joint statement issued on April 3, 2020. In that statement, the agencies, in recognizing the impact the COVID-19 emergency was having on borrowers and on the operations of mortgage servicers, explained that, when a borrower requests a CARES Act forbearance and reaffirms that the borrower has experienced financial hardship during the COVID-emergency, it constitutes an incomplete loss mitigation application under Reg X. The agencies further stated that although receipt of an incomplete loss mitigation application generally triggers a mortgage servicer’s good faith obligations under Reg X sec. 1024.41, the joint statement provided that a CARES Act forbearance qualifies as a short-term payment forbearance program under Reg X, so certain loss mitigation requirements under Reg X do not apply. This position, however, was only in a jointly issued statement, not in Regulation.

In recognizing the unique environment created as a result of COVID-19 and all that has been outlined above, CFPB has amended the Reg X loss mitigation rules to create a third exception. New Reg X section 1024.41(c)(2)(v) allows a mortgage servicer to offer a loss mitigation option that meets certain criteria based on the evaluation of an incomplete application, and that servicers need not comply with certain Reg X requirements once a borrower accepts that option. To participate, the interim final rule requires certain criteria be met as is outlined next; CFPB structured its criteria to align with Fannie Mae/Freddie Mac COVID-19 payment deferral and other comparable programs, including FHA’s COVID-19 partial claim. 

Eligibility Requirements of New Exception 

The interim final rule conditions eligibility for the new exception on the loss mitigation option satisfying three criteria:  

  • First, the loss mitigation option must permit a borrower to delay paying certain amounts until the mortgage loan is refinanced, the mortgaged property is sold, the term of the mortgage loan ends, or for a mortgage insured by FHA, the mortgage insurance terminates.  

    These amounts include, without limitation, all principal and interest payments forborne under the payment forbearance program made available to borrowers experiencing a financial hardship due directly or indirectly to COVID-19 emergency, including one made pursuant to the CARES Act.   

    These amounts also include, without limitation, all other principal and interest payments that are due and unpaid by the borrower experiencing financial hardship due, directly or indirectly, to the COVID-19 emergency.  

    For this criterion, the term of mortgage loan means the term of the mortgage loan according to the obligation between the parties in effect when the borrower is offered the loss mitigation option.
     

  • Second, any amounts that the borrower may delay paying through the loss mitigation option do not accrue interest; servicer does not charge any fee in connection with the loss mitigation option; and the servicer waives all existing late charges, penalties, stop payment fees, or similar charges promptly upon the borrower’s acceptance of the loss mitigation option. The interim final rule provides no definition or clarity by what is meant by “or similar charges” under this criterion. 
     
  • Third, the borrower’s acceptance of the loss mitigation offer must resolve any prior delinquency.  

Reg X Mitigation Steps Servicer is Exempt From Under New Rule  

If a borrower accepts an option offered pursuant to the new exception, the servicer is not required to continue the reasonable diligence efforts under Reg X section 1024.41(b)(1) or send the acknowledgment notice Reg X section 1024.41(b)(2) would otherwise require for those who are not considered a small servicer under Reg X loss mitigation rules.  

Items Mortgage Servicers Should Consider 

There are a number of items compliance officers of mortgage servicers may want to consider in connection with CFPB’s interim final rule. First being that the rule was effective July 1st. Is the bank ready to implement the interim final rule should it determine the interim rule is a desired process? If bank decides the option is something it will implement, for which mortgage loans will the option be made available? The interim rule allows the new mitigation option for Fannie Mae or Freddie Mac loans as well as other loans, including bank’s own portfolio loans.  

Also, note that it is not a requirement that the bank offer this option to its borrowers. The bank can certainly follow its normal loss mitigation process established under Reg X section 1024.41 and proceed to collect a complete loss mitigation application and follow its normal protocol established to meet its reasonable diligence in obtaining documents and information to a complete loss mitigation application from borrowers.  

If implementing the new mitigation option, how will bank record or validate that the borrower’s financial hardship is COVID-19 related? A criterion is that the deferred amounts are not to accrue interest, how will bank code or program its loan operating system to ensure that treatment is applied? What steps will be implemented to ensure those fees that are required to be waived under the rule are waived?  
While the rule is effective now, will bank wait until a final rule is issued before it implements this option? If implementing now, bank will need to reevaluate when the rule is finalized to ensure any change made in the promulgation process are implemented into bank’s own procedures.  

Conclusion 

CFPB has created a new exemption under Reg X loss mitigation rules to allow mortgage servicers to offer a particular loss mitigation option to borrowers so long as the criterion in the interim final rule are met, including waiving fees and bringing the loan current. The rule allows servicers to offer the loss mitigation option without having to first receive a complete loss mitigation application. The interim final rule is effective July 1, 2020 and may be viewed at this link. Comments regarding the new option are due August 14th.  

By, Ally Bates