On January 27, 2015, the Consumer Financial Protection Bureau (“CFPB”) issued Compliance Bulletin 2015-01 as a “reminder” of certain confidentiality and disclosure requirements related to CFPB examinations and investigations.  Though the CFPB’s Bulletin did not cite examples of historic violations, those subject to the CFPB’s authority should assess their practices, particularly in litigation, with respect to the disclosure of information and be sensitive to the Bulletin’s message in doing so.

The Bulletin provides warnings of two types of potential violations.  One type arises out of a financial institution’s obligations with respect to “confidential supervisory information (CSI).” Examples of CSI include but are not limited to:

• CFPB examination reports and supervisory letters;
• All information contained in, derived from, or related to those documents, including an institution’s supervisory Compliance rating;
• Communications between the CFPB and the supervised financial institution related to the CFPB’s examination of the institution or other supervisory activities; and
• Other information created by the CFPB in the exercise of its supervisory authority.

Specifically, according to the Bulletin, a supervised entity may commit a violation if it discloses CSI or other “confidential information”  to a third party without CFPB consent.  This is true even if the supervised entity enters into a non-disclosure agreement with a third party.

On October 28, 2014, the CFPB amended the consumer privacy rules of Regulation P to allow financial institutions to post privacy notices online rather than mailing the required annual notice each year.  Some institutions are already taking advantage of this alternate delivery method.  There are conditions to this option, however, and some institutions might not be satisfying those conditions.  It is important to confirm that your institution is meeting the following conditions if you have decided to take advantage of the new rule:

1. No Opt Outs.  The alternate delivery method can be used only if you do not share your customers’ information in any way for which the customer has the right to opt out under Regulation P or Section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (FCRA).  This provision of the FCRA is the one under which information that otherwise would be a “consumer report,” such as credit experience with third parties, may be shared with an affiliate for other than marketing purposes so long as the consumer is given an opt-out right.
2. Satisfy the FCRA Affiliate Sharing Rules.  You must have previously satisfied the affiliate sharing rules of Section 624 of the FCRA or you do so other than by delivery of the annual Regulation P privacy notice.  This provision seems to cause some confusion.  Section 624 of the FCRA is the provision under which an affiliate of a financial institution that receives certain information (such as transaction information) may not use that information for marketing purposes unless the consumer is notified of such use and given a chance to opt out.  The Section 624 notice would only need to be given one time so long as an institution honors consumers’ opt outs indefinitely, or could be delivered other than as part of a Regulation P privacy notice.  Therefore, so long as you are not relying on the annual Regulation P privacy notice to satisfy Section 624, you satisfy this condition to the alternate method for delivery of your annual Regulation P notice.
3. No Changes to the Notice.  The privacy notice you post online cannot have changed since consumers received the immediately previous notice, other than to eliminate categories of information that you disclose or categories of third parties to whom you disclose information.  So, for example, if you previously shared information in a way that required that you to offer the consumer an opt-out right, you could stop such sharing.  This would allow you to satisfy the no opt-out rule described above and post your modified privacy notice online.
4. Model Notice.  You must use the model form of privacy notice included in Regulation P.
5. Notify Consumers of the Posting.  You must notify your customers each year that your privacy notice is available online and that it will be mailed to customers who request it by telephone.  This notice can be provided on an account statement, coupon book, or any other notice or disclosure that you are required or expressly and specifically permitted to issue to the customer under any other provision of law.
6. Post the Notice Continuously in a Public Location.  Your privacy notice must be posted continuously and in a clear and conspicuous manner on a page of your Web site that consists only of the privacy notice and that can be accessed by consumers without having to log in, provide a password or agree to any conditions.
7. Mail Upon Request.  If any customer requests a copy of the privacy notice by telephone, you must mail it to him or her within 10 days.

This alternate method for delivery of the annual Regulation P privacy notice will be attractive to many financial institutions, but don’t forget these conditions to this method.

On October 28, 2014, the Consumer Financial Protection Bureau (“CFPB”) issued a final rule amending Regulation P (the “Amendment”), which implements the consumer privacy provisions of the Gramm-Leach-Bliley Act (“GLBA”).  In most cases prior to the amendment, Regulation P required financial institutions to mail paper copies of the annual privacy disclosure, which many in the financial industry felt was overly costly and needlessly burdensome.  The new rule permits covered institutions to publish privacy notices electronically on their websites, but only after satisfying the following conditions:

1. The financial institution does not disclose nonpublic personal information to nonaffiliated third parties other than for the exception purposes that do not allow for consumer opt-outs, such as for servicing or processing the consumer’s account;
2. The financial institution’s information sharing practices do not trigger opt-out rights pursuant to Regulation P or Section 603 of the Fair Credit Reporting Act (“FCRA”);
3. The requirements of the affiliate sharing provisions of FCRA Section 624, as applicable, were previously satisfied or the annual privacy notice is not the only notice provided to satisfy those requirements;
4. The information contained in the privacy notice has not changed since the customer received the previous notice, except for changes to eliminate categories of information the institution disclosures or categories of third parties to whom the information is disclosed;
5. The financial institution uses the model form provided in Regulation P as its annual privacy notice;
6. The financial institution must make its customers aware that its privacy notice is available on its website, that it will mail a paper copy of the notice to customers who request it by calling a specific number, and that the notice has not changed since the prior year’s version.  The financial institution can satisfy this requirement by inserting, at least once per year, a clear and conspicuous statement on an account statement, a coupon book, or on a notice or disclosure required by any provision of law.  The statement must include a specific URL that can be used to access the website;
7. The financial institution must continuously post the annual privacy notice in a clear and conspicuous manner on a page of its website, without requiring a login or similar steps or agreement to any conditions to access the notice; and
8. The financial institution must mail, within ten days of a request, a paper copy of the notice to any customer who makes such request by telephone.

Importantly, if the financial institution changes its privacy practices or engages in information-sharing activities for which customers have a right to opt-out, it must use one of the permissible delivery methods that predated the rule change (paper notices or electronic with E-Sign consent).

State and federal law enforcement agencies are now taking aim, on both the consumer protection and fraudulent loan securitizations fronts, at what they consider to be questionable practices by automobile lenders.

On the consumer protection front, the Consumer Financial Protection Bureau (CFPB) initially dipped a toe into this area through a bulletin in May 2013, claiming that lenders that offer auto loans through dealerships are responsible for unlawful, discriminatory pricing. According to the CFPB, the main culprits are indirect auto lenders that allow the dealer to charge a higher interest rate than the rate the lender offers the dealer, with the result that the lender shares a portion of this markup with the dealer. Under the Dodd Frank Act, such a practice would be illegal if it involved payments to mortgage brokers that sell their customers into higher rate mortgage loans. The auto lending industry, however, was not similarly regulated by Dodd Frank. The CFPB suggests it will seek to attack such practices in the auto loan industry as illegal discrimination if it finds that protected minorities have been charged higher rates as a result.

In September 2014, the CFPB proposed rules that would extend its supervision authority to the larger participants of the nonbank auto finance market. The proposal would allow the CFPB to supervise finance companies with respect to federal consumer financial laws if those companies make, acquire, or refinance 10,000 or more loans or leases in a year. The CFPB estimates 38 auto finance companies, which originate about 90 percent of nonbank auto loans and leases, would be subject to this new jurisdiction.

On the securitization front, subprime auto lender Consumer Portfolio Services disclosed earlier this month that it had received a subpoena from the U.S. Department of Justice (DOJ) requesting documents relating to its auto lending and securitization activities. In December 2014, Ally Financial Inc. had received a similar request from the DOJ, and in October, the Securities and Exchange Commission (SEC) began an investigation into Ally’s lending and securitization practices. GM Financial announced in November that it had received document requests from the SEC relating to its securitization practices. Santander Consumer USA Holdings Inc. announced in August that it also was under DOJ investigation, and in November the New York Department of Consumer Affairs announced that it was looking into Santander’s lending practices.

It appears that these investigations, which include potential criminal enforcement, are looking into whether these lenders are securitizing and packaging loans for sale to investors without ensuring the quality of loans or fully disclosing their risks. If so, this would suggest that they may be engaging in some of the same practices that were alleged against the mortgage industry. Those ultimately led to numerous settlements between prosecutors and many of the large mortgage lenders.

Auto loan quality and risks could be impacted by lending discrimination, failure to comply with consumer protection regulations, or lax underwriting standards. If these risks are not being appropriately disclosed to investors, auto lenders could face the same enforcement liability as were a number of the mortgage lenders.

The risks to the global economy of risky auto loan securitizations may not be as high as they were for mortgage loan securitizations, given that it is easier to repossess a car than it is to foreclose on a mortgage, and given the generally smaller dollar amounts involved. This time, however, it appears that federal regulators will not be waiting until an economic crash before attempting to address the problems the problems they suspect, and costly criminal and civil actions may be more aggressive and occur more quickly.

As we begin 2015, it is worth noting the various federal regulations that will or might take effect. This article summarizes the key regulations that took effect late in 2014, that will take effect in 2015, and that have at least some potential of taking effect in 2015. We focus here on those regulations directly impacting consumer financial services.

Rules Taking Effect in 2015 (and Late 2014)

Integrated Disclosures under the Real Estate Settlement Procedures Act (Regulation X) and Truth in Lending Act (Regulation Z)

Perhaps the most significant new consumer regulations to take effect in 2015 are the integrated disclosure regulations under the Real Estate Settlement Procedures Act (Regulation X) and Truth in Lending Act (Regulation Z) (the Final Integrated Disclosure Rule). Released on November 20, 2013, by the CFPB, the Final Integrated Disclosure Rule will be effective on August 1, 2015. 78 Fed.Reg. 79730, December 31, 2013. For loan applications received prior to August 1, 2015, the existing Regulation X and Regulation Z rules would apply and, for loan applications received on or after August 1, 2015, the new disclosure requirements would apply.

The Final Integrated Disclosure Rule consolidated the RESPA and TILA initial disclosures, and the RESPA and TILA loan closing disclosures for most closed-end consumer mortgage transactions, resulting in a single Loan Estimate disclosure and a single Closing Disclosure. The new rules do not apply to home equity lines of credit, reverse mortgages, or loans secured by a mobile home or other dwelling that is not attached to real property.

Countless articles and seminars have provided details of the Final Integrated Disclosure Rule, and vendors have stepped into the breach to provide the forms and systems needed to create new disclosures. This article therefore does not address the new Integrated Disclosure Rules in detail. However, a proposal issued on October 10, 2014, (the “October Proposal”) should be noted.

On May 6, 2014, the CFPB issued proposed amendments to the mortgage rules under the Truth in Lending Act (TILA) affecting Regulations Z and X.  The proposed amendments affect the small servicer/small creditor exceptions to the mortgage rules and the “Qualified Mortgage” determination.  The CFPB proposes to partially re-define who may qualify as a “small servicer” under § 1026.41 of Regulation Z (incorporated by cross reference in Regulation X), revise the scope of the nonprofit small creditor exemption from the ability-to-repay rule in § 1026.43(a)(3)(v)(D) of Regulation Z, and establish a limited cure procedure where a creditor inadvertently exceeds the “Qualified Mortgage” points and fees limits.

Amendment to the “Small Servicer” Definition:  The CFPB originally presumed that most nonprofits would qualify for the “small servicer” exemptions.  However, during implementation of the mortgage rules, the CFPB learned that certain nonprofits might not qualify as “small servicers” because they were part of a larger association of nonprofits that are separately incorporated but that may operate under mutual contractual obligations, share a charitable mission, and use a common name or trademark.  In order to save resources, such associations sometimes consolidate servicing activities, with one of the associated entities providing loan servicing to one or more others, for a fee.  Under current rules, such nonprofit servicers would not qualify for the “Small Servicer” exemptions because they service, for a fee, loans on behalf of a non-“affiliated” entity.  The CFPB proposes to amend the definition of “Small Servicer” so as not to exclude qualified nonprofit entities within such formal associations where certain requirements are met.  Related changes to the section’s formal comments are also proposed.

Both Banks and Their Vendors Must Pay Attention

Introduction

First there was the bulletin about third-party vendors issued by the Consumer Financial Protection Bureau (CFPB) in April 2012. Then it was the FFIEC’s guidance on IT service providers in October 2012.  Next came the FDIC’s September 2013 Financial Institution Letter about payment-processing relationships with high-risk merchants.  Then there was the news on October 30, 2013 about the OCC’s guidance on third-party relationships, followed shortly by the Federal Reserve Board’s guidance on managing outsourcing risks in December 2013.

Let’s face it. There has always been guidance and concern about banks and their relationships with third-party service providers. But in recent years it has become quite obvious that the bar has been raised on how banks relate to their third-party processors, program managers, and other service providers. These changes have occurred over time, by a matter of degrees. But it is increasingly plain that we are seeing a significant sea change in how regulators approach the relationships between banks and their third-party vendors. Examiners are digging deeper — especially into the content of bank contracts — and the scope of review is extending to more and more vendors.

In recent months, public commentary from some of the regulators has revealed even more clearly how this recent guidance will impact banks and their vendors. In this article we will describe the regulatory developments and provide some practical guidance as to what this will mean — not only for banks, but for their processors and other service providers.  (A print-friendly version is also available.)

Recent Regulatory Developments

Banks and other financial institutions have always been expected to choose their vendors carefully and to monitor the performance of those vendors. Most institutions have done a reasonably good job in this regard. However, recent regulatory publications and the focus of recent regulatory examinations and enforcement actions indicate that the standards and expectations are now much higher.

The CFPB issued a bulletin on April 13, 2012 regarding the use of service providers, accompanied by a press release stating, “CFPB to Hold Financial Institutions and their Service Providers Accountable.”  This bulletin, CFPB Bulletin 2012-03 (the CFPB Bulletin), states that the CFPB “expects supervised banks and nonbanks to oversee their business relationships with service providers in a manner that ensures compliance with Federal consumer financial law.” (emphasis added).

While the issue of vendor oversight and management is not new to the financial services industry, recent enforcement actions by the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB) manifest heightened attention by federal regulators.  A bank’s board of directors is required to remain vigilant to the hazards posed by outsourcing functions to third parties, or else risk significant financial and reputational harm to its institution.

Federal regulators traditionally have looked with an understanding, yet skeptical, eye towards the issue of outsourcing. Current guidance is clear, however, as to where the responsibility lies. As summarized by the Federal Deposit Insurance Corp. (FDIC) in FIL-44-2008, “An institution’s board of directors and senior management are ultimately responsible managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.”

Meet the New Boss

Armed with its mandate by Title X of the Dodd-Frank Act to protect consumers, the CFPB entered the vendor management fray by issuing Bulletin 2012-03. Although the message contained in the bulletin was nearly identical to previously issued guidance by the OCC and FDIC, it did provide additional insight. First, the bulletin noted that Title X of Dodd-Frank provides a definition of a “service provider,” which includes “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.” (Although the legislation did not specifically define the word material, bankers should assume such subjectivity will be interpreted broadly by federal regulators.)  Secondly, and more importantly, the bulletin provided banks a non-exhaustive list of “steps to ensure that their business arrangements with service providers do not present unwarranted risks to consumers,” which include:

• Conducting thorough due diligence to verify that the service provider understands and is capable of complying with federal consumer financial law;
• Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;
• Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive act or practices;
• Establishing internal controls and on-going monitoring to determine whether the service provider is complying with federal consumer financial law; and
• Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate.

Expect 2014 to be a banner year for enforcement actions under the Unfair or Deceptive Acts or Practices law (UDAP) and the new Unfair, Deceptive or Abusive Acts and Practices law (UDAAP).  While predicting regulatory trends can be difficult, we believe this to be a safe bet in light of the trends in 2013 and early indications in bank examinations already this year.

Below are some of the enforcement trends from last year and tips highlighting what can be done to reduce the risks of UDAP and UDAAP enforcement actions in 2014.

In 2013, the FDIC imposed civil money penalties against banks in 89 instances, 16 of which were for UDAP violations and many of those also required consumer restitution.  The only compliance area triggering more civil money penalties in 2013 was the Flood Disaster Protection Act, accounting for 27 of the 89 cases, which is roughly consistent with the percentages in that area since Katrina.

Prior to Dodd-Frank, Section 701(e) of the Equal Credit Opportunity Act provided that a loan applicant had the right to request copies of any appraisals used in connection with his or her application for mortgage credit.  Section 1474 of Dodd-Frank amended Section 701(e) to require that lenders affirmatively provide copies of appraisals and valuations to loan applicants at no additional cost and without requiring applicants to affirmatively request such copies.

The appraisal documentation must be provided to the loan applicant in a timely manner and no later than three days prior to the loan closing unless the applicant waives the timing requirement.  The lender must provide a copy of each written appraisal or valuation at no additional cost to the applicant, though the creditor may impose a reasonable fee on the applicant to reimburse the creditor for the cost of the appraisal.

In September of 2013 the Consumer Financial Protection Bureau adopted final regulations amending Regulation B to implement the statutory changes. The amendments to Regulation B went into effect on January 18, 2014. Among other things, the revised Regulation requires lenders to provide a notice to a loan applicant not later than the third business day after the creditor receives an application for credit that is to be secured by a first lien on a dwelling, a notice in writing of the applicant’s right to receive a copy of all written appraisals developed in connection with the application.