In June 2017, the Consumer Financial Protection Bureau (CFPB) issued proposed changes to its October 2016 Prepaid Rule, which prescribed substantial new requirements for institutions offering prepaid financial products. The new requirements are intended, in part, to promote greater transparency in account disclosures and to extend certain error resolution rights, liability limitations and overdraft protection requirements to prepaid financial products.
The proposed changes, which follow on the heels of the CFPB’s recently announced delay in the effective date of the Prepaid Rule to April 1, 2018 and mounting feedback from financial services institutions regarding complications related to the implementation of the required changes, reflect the CFPB’s consideration of and intent to address these concerns.
The proposed amendments to the Prepaid Rule address two focal points of industry concern, specifically:
The CFPB is also proposing several minor clarifications and amendments to the Prepaid Rule, such as the specification of certain exclusions from the definition of “prepaid account,” pre-acquisition disclosure requirements and requirements related to the submission of prepaid account agreements to the CFPB. As a supplement, the CFPB also issued a Compliance Guide for small entities that reflects the revised effective date of the Prepaid Rule.
While the proposed changes and the recently delayed effective date of the Prepaid Rule may alleviate some of the burden associated with industry adoption, financial institutions still face a significant effort to implement the new requirements. Financial institutions that offer prepaid products should review and evaluate the CFPB’s proposed changes in order to better understand potential compliance obligations, as well as consider potential implementation challenges and strategies to address these new requirements once they are made effective.
Today’s criminals and terrorist organizations are utilizing sophisticated tools and technology to launder money and have proven at times to outpace the innovation and effectiveness of anti-money laundering (AML) compliance programs of some of the largest global financial institutions. In the current environment, financial institutions are faced with the need (and confronted by regulatory expectations) for increasingly enhanced customer screening and transaction monitoring. As a result, they must begin exploring the idea of using more innovative methods, not only to help reduce the regulatory cost burden but also to improve the speed, transparency, and reliability of internal AML compliance controls.
While some regulators have publicly challenged the application of rules governing national bank charters to non-bank fintech, or financial technology, companies, others have signaled a growing openness to, and support of, entrepreneurship in regulatory technology, (regtech) and fintech. One such innovative solution includes the use of artificial intelligence (AI) – defined generally as the ability of machines to execute tasks and solve problems in ways traditionally attributed to human workers – within AML compliance functions.
The application of AI to a financial institution’s AML compliance function should both create and support efficient, accurate and transparent key AML compliance processes. This includes, for example, performing ongoing transaction monitoring and conducting enhanced customer screening and investigations. To capture this value, key stakeholders in AML compliance functions might consider process areas in which to apply AI-based solutions as follows:
AML compliance functions can benefit from technological innovations by adopting AI-based solutions to assist in the war against financial crime. Financial institutions embarking on the journey to integrate AI into AML compliance functions should ensure that AI-based solutions operate appropriately in the context of the AML compliance function’s existing system and technology environment. To implement AI successfully, financial institutions should 1) carefully consider the benefits and challenges of investing in AI, 2) apply proper due diligence to ensure the appropriate business processes are being supplemented with AI, 3) deploy adequate training to ensure the new AI-solution commingles well with human operators, and 4) align AI capabilities with evolving and emerging regulatory requirements.
In June 2017, the CFPB issued letters to top retail credit card companies strongly encouraging them to offer consumers more transparent deferred interest promotions that carry less risk.
Deferred interest promotions are arrangements where consumers are not required to pay interest for a certain period if the underlying balance is paid in full by the end of the period – an arrangement most frequently offered to consumers on larger purchases of appliances and furniture, as well as medical and dental services.
The CFPB cites concerns with the back-end pricing such products feature, where interest may be assessed retroactively on the full (not remaining) balance after the promotional period ends, and with the degree to which consumers are aware of such implications at the time the offer is accepted.
The letters were issued nearly two years after the CFPB conducted an analysis of the consumer credit card market. In the analysis, the CFPB noted that consumers generally recognized that they would be subject to a significant interest charge unless they paid their full promotional balance during the period; however, they appeared to have much less of an understanding of how deferred interest charges would be calculated in the instance where the balance is not paid in full at the end of the promotional period:
The CFPB emphasizes that consumers should be able to understand completely the terms of credit card promotions and the consequences of not meeting promotional terms. In the letters, the CFPB outlines concerns with these practices and suggests that the credit card issuers consider offering zero- percent-interest promotions, where interest is not assessed retroactively if the promotional balances are not paid in full, as opposed to deferred interest promotions. The CFPB stops short, however, of requiring credit card issuers to cease offering deferred interest promotions.
The issuance of the letters is another indication of the CFPB’s increased focus on and attention to deferred interest promotional practices. The CFPB suggests that offering such programs requires robust compliance and third-party risk management programs to ensure that consumers are fully informed as to the terms and costs of such financing arrangements. As part of their responsible banking initiatives, credit card issuers that offer such promotions should take steps to conduct a thorough review of the manner in which such programs are developed, marketed and serviced, paying particularly close attention to payoff metrics and consumer complaints so as to mitigate and manage associated risks.
In June 2017, the Office of the Comptroller of the Currency (OCC) released Bulletin 2017-21, which contains 14 frequently asked questions (FAQ) to supplement its 2013 risk management guidance for managing third-party relationships (OCC Bulletin 2013-29). When released, OCC Bulletin 2013-29 defined the OCC’s expectations of national banks to assess and manage risks associated with third parties across the lifecycle of the relationships, including defining the strategy related to engaging third parties, contracting and engagement, monitoring and oversight, and termination. The FAQs are intended to provide additional information to national banks related to third-party risk management.
Notable items the OCC addresses in the FAQs include:
The OCC clarifies that banks engaging with start-up fintechs may proceed with caution, but do not necessarily have to limit their relationships to those fintech firms to whom the bank would otherwise extend credit and that meet the bank’s underwriting/credit criteria. The OCC reminds institutions that collaboration with fintech companies to provide products and services to underbanked or underserved customers still constitutes a third-party relationship subject to its risk management guidelines.
The OCC also indicates that banks may engage with various information-sharing organizations to better understand cyber threats related to third parties with which they have relationships.
The OCC suggests the Financial Services Information Sharing and Analysis Center (FS-ISAC), the U.S. Computer Emergency Readiness Team (US-CERT) and InfraGard, among others, to facilitate such information sharing.
National banks should review the FAQs together with the OCC’s third-party risk management exam procedures released in January 2017 to self-assess the scope and structure of their third-party risk management programs and procedures. Banks should review their current third-party risk management programs against the FAQs to confirm alignment of their programs against the procedures and related regulatory guidance and address proactively any potential gaps ahead of a regulatory examination, particularly related to the scope of their program and unique relationships with fintech companies. In addition, non-bank entities that provide services to national banks should also take steps to review the FAQs and be responsive to requests they may receive from their bank partners.
Click here to access all series