BCLP Banking Blog

Main Content

Conversations about Banking: An Interview with Greg Morse

This month we continue our “Conversations about Banking” series. The series will consist of video conversations with leaders and influencers in the banking industry about topics of current interest. We hope you will enjoy and find benefit in this new aspect of BankBCLP.

In this session of Conversations about Banking  Jim McAlpin speaks with Greg Morse, CEO of Worthington National Bank in Ft. Worth, Texas. Worthington National is a business oriented bank serving the Ft. Worth and Arlington, Texas communities. Greg is a native Texan who is as comfortable in a saddle as he is in a board room, and his observations about banking are both pragmatic and insightful. During the conversation Greg also describes the community outreach that is at the core of his bank’s culture, including financial literacy education for those in need. Please join us for this enjoyable 25 minute discussion.

Read More

Lessons Learned from New York’s Second Cybersecurity Action

The New York Department of Financial Services (NYDFS) has announced its second regulatory enforcement action against a regulated entity (a New York licensed mortgage banker and loan servicer) for violating NYDFS’s Cybersecurity Regulations. The action involved the mortgage banker’s failure to report a data breach – a breach caused by an employee overriding the company’s multi-factor authentication (MFA) protocol – enabling intruder access. The company agreed to pay a $1.5 million fine and take several actions to bolster its cyber risk and assessment practices.

The unusual data breach, detailed in the Consent Order between the NYDFS and mortgage banker, highlights the need for companies to use more advanced, creative and multi-layered training to prevent their personnel from opening the door to outside intrusions.

The data breach started with a phishing email to an employee who routinely collects large amounts of sensitive personal data from mortgage applicants. The email – which appeared to be from a business partner – directed the employee to a malicious website that asked for a username and password which the employee provided. The data breach still could have been avoided, however, because the company utilized MFA which required the employee to respond affirmatively to an alert on her smartphone. The employee provided the secondary authentication – and did so four times that evening after she left work – each time allowing access to her email files. After a fifth attempt the following day, the employee reported the incident.

An internal investigation by the company confirmed the unauthorized access, which it blocked, but that was it. The company did not investigate further, did not ascertain whether customer information had been compromised, and did not report the incident to outside authorities or the NYDFS. Additionally, the breach was not included in the next Certification of Compliance filed by the company’s Chief Information Security Officer with the NYDFS. The NYDFS discovered the breach during a routine cybersecurity investigation of the company. The examination also revealed that the company didn’t have a comprehensive cybersecurity risk assessment, which is required by the Cybersecurity Regulations.

This cautionary tale shows the importance of having training practices that are frequent and varied. Breaches cannot be prevented solely through software security, MFA, company protocols and basic personnel training. The company in this instance did have many protocols, such as MFA, and required network access through Active directory with strong, complex passwords. The company utilized both anti-virus and end-point protection software on end-user devices and automated detection rules were in place for transmission of private consumer data, like social security numbers, and the automatic blocking of e-mail redirects by unauthorized actors. Still, none of these protocols were able to prevent this data breach. 

Companies will need to be more creative with their training techniques and double down on the frequency of training exercises, adding incentives and disincentives throughout. More advanced training is crucial, as hackers become more sophisticated in the ways they attempt to trick users to override security protocols. Companies may also need to install automatic warning and filtering systems that identify phishing emails before they reach end users and implement IP address filtering systems to block access from suspicious locations. Companies might further consider employing systems that detect anomalies or changes in employees’ normal use patterns (e.g., after-hours access) and issue alerts when such anomalies are detected.

As the instant case, however, demonstrates, a well-trained and vigilant work force, at all levels of an organization, will continue to be a crucial line of defense.

For more information about best practices related to the NYDFS Cybersecurity Regulations, see our prior Client Alert.

Read More

Conversations about Banking: An Interview with Jon Winick

This month we continue our “Conversations about Banking” series. The series will consist of video conversations with leaders and influencers in the banking industry about topics of current interest. We hope you will enjoy and find benefit in this new aspect of BankBCLP.

In this session of Conversations about Banking, Jim McAlpin speaks with Jon Winick, CEO of Chicago based Clark Street Capital. Jon is also the editor and main contributor to the BAN Reports, a widely read banking industry newsletter. During our conversation, Jon shares his candid observations on a wide range of trends and developments impacting the financial services industry. This is a quick paced and entertaining 30 minute video discussion.

Read More

Conversations about Banking: An Interview with Bill Easterlin

This month we continue our “Conversations about Banking” series. The series will consist of video conversations with leaders and influencers in the banking industry about topics of current interest. We hope you will enjoy and find benefit in this new aspect of BankBCLP.

In this second installment of our new “Conversations about Banking” series Banking group partner Jim McAlpin speaks with Bill Easterlin, CEO and President of Queensborough National Bank & Trust Co. Bill is the fourth generation leader of a $1.5 billion family owned bank in eastern Georgia.

Read More

Stimulus Bill Creates Second Draw PPP Loans

On December 27, 2020, President Trump signed the 2021 Consolidated Appropriations Act, which also contained the latest stimulus relief bill. Part of that bill was the Economic Aid to Hard-Hit Small Businesses, Nonprofits and Venue Act, which made changes to all Paycheck Protection Program (PPP) loans, re-opened the PPP program for new loans, and allowed certain borrowers to obtain a second PPP loan.

This post specifically looks at the changes implemented by the Economic Aid to Hard-Hit Small Businesses, Nonprofits and Venue Act (the “Act”) that affects new PPP borrowers. The changes previously discussed that will affect all PPP borrowers will also generally affect Second Draw PPP loans, and the changes previously discussed that only affect new PPP loans will also generally apply. The discussion below is based on the text of the Act, and may be further modified or clarified by subsequent regulations or guidance.

Ability to Apply for a Second PPP Loan. While the CARES Act originally limited eligible small businesses to one PPP loan, Section 311 of the Act creates a new opportunity for certain PPP borrowers (including those that received a PPP loan in 2020 or that will receive a new PPP loan in 2021) to apply for one additional PPP loan, a so-called “second draw” loan. In order to apply for a second draw loan, the PPP borrower will need to have utilized 100% of their prior PPP loan prior to distribution of the second draw loan. This requirement should presumably not be particularly burdensome for those that obtained their PPP loan in 2020, but may limit the ability of new PPP borrowers to obtain both a PPP loan and a second draw PPP loan in 2021.

The Act provides for up to $259 billion for second draw PPP loans, with $25 billion set aside for second draw PPP loans to entities with no more than 10 employees (in individual loan amounts not to exceed $250,000 and made to an entity in a low or moderate income neighborhood). Second draw PPP loans are to be available through March 31, 2021.

Eligibility – Number of Employees. In order to be eligible for a second draw loan, the small business may have no more than 300 employees (down from 500 employees for general PPP loan eligibility). Based on the language in the Act, it appears that the other means of eligibility for a small business to have qualified for a PPP loan, namely the revenue standards or the alternative size standard, will not be available to qualify for a second draw loan.

Eligibility – Revenue Decline. Unlike a primary PPP loan, eligibility for a second draw PPP loan is also conditioned on specific evidence that the business has been harmed by the pandemic. Specifically, to be eligible for a second draw loan, a small business will need to show that gross receipts during at least one quarter in 2021 was down at least 25% from the comparable 2019 quarter. The Act provides that for loans up to $150,000, borrowers may merely attest certification to this revenue standard, but would then be required to provide supporting documentation before submitting forgiveness.

Loan Size. Like the primary PPP loan, the size of the loan is generally set to be an amount equal to 2.5 times monthly payroll costs, however the maximum size of a second draw PPP loan will be $2 million. (As over 995 of the original PPP loans were for $2 million or less, this small size cap should not affect most borrowers.) In addition, the Act provides that small businesses that are classified under NAICS 72 code (generally those in the accomodation and food services sector) are eligible for a larger PPP loan, namely up to 3.5 times their monthly payroll costs (but still capped at $2 million).

Read More

Stimulus Bill Changes to New PPP Loans

On December 27, 2020, President Trump signed the 2021 Consolidated Appropriations Act, which also contained the latest stimulus relief bill. Part of that bill was the Economic Aid to Hard-Hit Small Businesses, Nonprofits and Venue Act, which made changes to all Paycheck Protection Program (PPP) loans, re-opened the PPP program for new loans, and allowed certain borrowers to obtain a second PPP loan.

This post specifically looks at the changes implemented by the Economic Aid to Hard-Hit Small Businesses, Nonprofits and Venue Act (the “Act”) that affects new PPP borrowers. The changes previously discussed that will affect all PPP borrowers will also affect new borrowers. The changes below only affect new PPP borrowers, and do not affect existing outstanding PPP loans. The changes below are based on the text of the Act, and may be further modified or clarified by subsequent regulations or guidance.

Applications Re-Opened through March 31, 2021. The Act authorizes a renewed opportunity for eligible small businesses to apply for a PPP loan. The Act authorizes up to $259 billion in new PPP loans, although some of that money could also be utilized for second draw PPP loans. The prior authorization for new PPP loans ended on August 8, 2020. The terms of these new (first) PPP loans remain essentially the same… up to $10 million, based on monthly payroll costs, with a cap of $20 million for any affiliated corporate group. Eligibility is also generally unchanged: less than 500 employees and ability to certify that due to economic uncertainty the PPP loan is necessary.

Public Companies Ineligible. If a company has securities listed on an exchange registered with the SEC, then it is ineligible for a covered loan on or after December 27, 2020.

Expanded Non-Profit Eligibility. Section 318 of the Act slightly expands eligibility for non-profit entities to include 501(c)(6) and “destination marketing organizations.”

Read More

Stimulus Bill Changes to All PPP Loans

On December 27, 2020, President Trump signed the 2021 Consolidated Appropriations Act, which also contained the latest stimulus relief bill. Part of that bill was the Economic Aid to Hard-Hit Small Businesses, Nonprofits and Venue Act, which made changes to all Paycheck Protection Program (PPP) loans, re-opened the PPP program for new loans, and allowed certain borrowers to obtain a second PPP loan.

This post specifically looks at the changes implemented by the Economic Aid to Hard-Hit Small Businesses, Nonprofits and Venue Act (the “Act”) that affects all PPP borrowers. The changes below are based on the text of the Act, and may be further modified or clarified by subsequent regulations or guidance.

Tax Treatment. Most importantly, Section 276 of the Act reverses the prior Internal Revenue Service guidance and provides significant tax relief to all PPP borrowers. Not only does the Act confirm that any cancellation of debt income obtained from forgiveness of the PPP loan is tax exempt (as provided for in the CARES Act), but now any tax deductible expenses used to generate such forgiveness may still be taken to reduce taxable income.

Covered Period Flexibility. Section 306 of the Act provides PPP borrowers with the flexibility of setting the length of the “Covered Period” for purposes of PPP loan forgiveness and FTE representations at any length between 8 and 24 weeks. The Covered Period will begin on the date of the origination of the PPP loan, and end on the date selected by the borrower that occurs between 8 weeks and 24 weeks after origination.

EIDL Advance Does Not Affect Forgiveness. Section 333 of the Act repeals a prior CARES Act provision that said that any forgiveness would be reduced by the amount of the EIDL Advance. We understand that newly processed forgiveness remittances from the Small Business Administration (SBA) already reflect this change, but we are awaiting SBA guidance for how they will handle previous EIDL Advance-based forgiveness reductions.

Read More

New CFPB Consent Decree May Highlight Loss Mitigation Issues for 2021

December 23, 2020

Categories

What’s old is new again. 2021 will bring a new U.S. Administration and hopefully positive developments with regard to the COVID-19 pandemic, but it also is likely to see further adverse economic impacts. Various financial models are predicting differing trajectories for potential recession and economic recovery. What we do know is that 2020 has resulted in sizeable income loss and employment interruption for many. In the face of all this challenge, the CFPB is likely to focus in 2021 on consumer loss mitigation process and transparency. Getting it right is paramount for lenders and servicers as 2021 customer contact volumes will increase with the potential sunset of COVID-19 relief measures.

Recently, the CFPB announced a consent decree with Seterus, Inc. and its successor-in-interest Kyanite Services, Inc. The clear priority is helping consumers avoid foreclosure, a risk we know will continue throughout 2021.  The lengthy consent decree covers loss mitigation conduct from 2014 through 2018, years in the past. But the violations asserted and the consent Decree conclusions preview 2021 priorities and hot buttons. Transparency and accountability are two themes that should serve consumer lenders and servicers well and mitigate regulatory and litigation risk.  Importantly, the Order highlights risks associated with process automation in servicing. In addition to laser focus on requirements and process, lenders and servicers may want to consider adopting customer experience approaches like ombudspeople or “secret shoppers” to get a real sense of how employees and systems are interacting with and serving customers.

Read More

Conversations about Banking: An Interview with Bobby Nix

This month we begin a new series “Conversations about Banking.” The series will consist of video conversations with leaders and influencers in the banking industry about topics of current interest. We hope you will enjoy and find benefit in this new aspect of BankBCLP.

In the first installment of “Conversations about Banking” our partner and Banking practice group leader Jim McAlpin speaks with Philadelphia based entrepreneur Bobby Nix. Mr. Nix has served on the boards of several community banks over the past four decades. As an African American he has a perspective on diversity within banks and bank boards that is timely to hear within our industry. As a successful entrepreneur he is also a champion of the positive impact that community banks can have on small businesses. Mr. Nix currently serves as the chair of the Loan Committee and the ALCO Committee of Hyperion Bank, which has offices in Philadelphia and Atlanta.  

Read More

Happy Holidays: CFPB Advisory Opinions!

On November 30, 2020, the Consumer Financial Protection Bureau (“CFPB”) set forth procedures for the issuance of advisory opinions provided as interpretive rules to resolve regulatory uncertainty, effective immediately. Under this new advisory opinion schema, the CFPB concurrently released two advisory opinions: one on earned wage access products and one on private education loans.

Advisory Opinions

A request for an advisory opinion must include:

  • Identity of the person or entity seeking the opinion, or the person or entity submitted a request on behalf of a third part (e.g., outside counsel, in which case clients need not be identified);
  • Statement about the absence of investigation or litigation;
  • All material facts about an actual fact or course of action that is (a) within the CFPB’s purview and (b) that the person or entity is engaged in or is planning to engage in;
  • A description of the uncertainty or ambiguity, including (a) identification of the regulatory or statutory provision at issue; (c) a proposed interpretation of the law or regulation; and (d) an explanation of why that proposed interpretation is an appropriate resolution of the uncertainty or ambiguity;
  • Identification of information that should be treated as confidential.

Each advisory opinion will be specific to the facts provided, which the CFPB will not generally investigate independently, making it important that the request include a clear description of any material facts. Where the advisory opinion permits for a safe harbor, as provided for in the Truth in Lending Act (“TILA”), Equal Credit Opportunity Act, Electronic Fund Transfer Act, Real Estate Settlement Procedures Act, and Fair Debt Collection Practices Act, that fact will be explained in the advisory opinion. The scope and terms of an advisory opinion will be set out in the advisory opinion itself.

The CFPB will weigh multiple factors in determining whether to issue an advisory opinion on a specific topic, including issues that it has previously noted that are of significant importance or where clarification would provide significant benefit, and where the CFPB has not previously addressed a highlighted ambiguity. Conversely, the CFPB may decide an advisory opinion is not the appropriate tool for responding to an inquiry. In particular, issues where the CFPB is actively investigating or enforcing a related matter or a rulemaking is proposed or being planned.

Read More
The attorneys of Bryan Cave Leighton Paisner make this site available to you only for the educational purposes of imparting general information and a general understanding of the law. This site does not offer specific legal advice. Your use of this site does not create an attorney-client relationship between you and Bryan Cave LLP or any of its attorneys. Do not use this site as a substitute for specific legal advice from a licensed attorney. Much of the information on this site is based upon preliminary discussions in the absence of definitive advice or policy statements and therefore may change as soon as more definitive advice is available. Please review our full disclaimer.