All in Regulatory Update

On 10/15/2020, the CFPB released a new HMDA reference chart titled “Reportable HMDA Data: A Regulatory and Reporting Overview Reference Chart for HMDA Data Collected in 2021.” In the chart, the CFPB explains that the chart is intended to be used as a reference for data points that must be collected, recorded, and reported under HMDA rules. The chart includes applicable regulation and commentary sections as well as parts of the Filing Instruction Guide. In addition, the chart helps to explain when to report not applicable or exempt, including the codes used for reporting not applicable or exempt.

On 10/15/20, FinCEN released advisory FIN-2020-A008 - which is titled “Supplemental Advisory on Identifying and Reporting Human Trafficking and Related Activity” - to “help save lives, and to protect the most vulnerable in our society from predators and cowards who prey on the innocent and defenseless for money and greed.” This advisory provides new information relating to human trafficking and supplements FinCEN’s 2014 Guidance on Recognizing Activity that May be Associated with Human Smuggling and Human Trafficking - Financial Red Flags. The advisory provides an overview of human trafficking, new typologies of human trafficking, behavioral and financial red flag indicators of human trafficking, case studies, and guidance to U.S. financial institutions. When reporting suspicious activity related to this advisory, FinCEN requests that financial institutions include the key term “HUMAN TRAFFICKING FIN-2020-A008” in SAR field 2 (Filing Institution Note to FinCEN) to indicate a connection between the suspicious activity being reported and the activities highlighted in the advisory.

On 10/14/2020, the Office of the Comptroller of the Currency (OCC) fined USAA, Federal Savings Bank $85 million due to failures in their compliance risk management program as well as their information technology risk governance program. In their release, the OCC explains that these deficiencies resulted in violations of law, including but not limited to violations of the Military Lending Act and the Servicemembers Civil Relief Act. This civil money penalty appears to be related to the January 2019 Consent Order with the OCC.

On 10/13/2020, the CFPB issued a consent order against Nissan Motor Acceptance Corporation for a number of issues relating to debt collection and repossession practices. In their release, the CFPB found that Nissan:

  • wrongfully repossessed vehicles;

  • kept personal property in consumers’ repossessed vehicles until consumers paid a storage fee;

  • deprived consumers paying by phone of the ability to select payment options with significantly lower fees; and,

  • in its loan extension agreements, made a deceptive statement that appeared to limit consumers’ bankruptcy protections.

In their release, the CFPB asserts that these practices resulted in UDAAP violations and the consent order requires Nissan to provide up to $1 million of cash redress to affected consumers, credit any outstanding account charges associated with wrongful reposession, and to pay a CMP of $4 million.

On 10/5/2020, the joint agencies (OCC, FDIC, NCUA, Federal Reserve, and FinCEN) issued an order to exempt CIP (customer identification program) requirements for loans extended by banks to facilitate purchases of property and casualty insurance policies. This order comes after a group of banks jointly submitted letters in 2016 and 2017 requesting an exemption or interpretation regarding the application of the CIP rules to insurance premium finance lending. These letters asserted that CIP was not needed for insurance premium finance lending because this activity presents a very low risk of money laundering because of the purpose for which the loans are extended and the limitations on the ability of a customer to use such funds for any other purpose. On 9/27/18, an initial exemption was granted by the joint agencies specifically for commercial customers. This new order extends the exemption to all customers, not just commercial customers.

On 10/8/20, the Small Business Administration (SBA) released a simpler loan forgiveness application for Paycheck Protection Program (PPP) loans of $50,000 or less. In a release by the US Department of the Treasury, it was explained that this action “streamlines the PPP forgiveness process to provide financial and administrative relief to America’s smallest businesses while also ensuring sound stewardship of taxpayer dollars.”

On October 7, 2020, the Office of the Comptroller of the Currency (OCC) announced that they had assessed a $400 million civil money penalty (CMP) against Citibank due to deficiencies in enterprise-wide risk management, compliance risk management, data governance, and internal controls. In their release, the OCC explained that these measure were taken “based on the bank’s unsafe or unsound banking practices for its long-standing failure to establish effective risk management and data governance programs and internal controls.”

On 10/7/2020, the CFPB released fourteen new frequently asked Questions (FAQs) on their website. These FAQ are divided into four main categories including sections on general information, section 8(a), gifts and promotional activity, and marketing services agreements. In conjunction with the release of these FAQs, the CFPB also explained - in a blog post - that it is rescinding Compliance Bulletin 2015-05, RESPA Compliance and Marketing Services Agreements. In the blog post, the CFPB explained that the compliance bulletin does not provide the regulatory clarity needed on how to comply with RESPA and Reg X so, therefore, this guidance is being rescinded.

On October 1, 2020, the US Department of the Treasury issued a pair of advisories regarding ransomware. The first advisory was issued by FinCEN and is titled Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments. This advisory provides information on the role of financial intermediaries in payments, ransomware trends and typologies, and related financial red flags.

The second advisory was issued by OFAC and is titled Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. This advisory explains the sanctions risks associated with making ransomware payments. For example, some individuals or entities who install ransomware and demand payment are actually found on the OFAC list, making it illegal for businesses who get ransomware on their computers to pay these entities and regain access to their systems and data.