Compliance Insights – July 2017

1. CFPB Proposes Further Changes to Prepaid Rule; 2. The Next Frontier in AML Compliance Programs: Artificial Intelligence; 3. CFPB Focuses on Credit Card Promotional Offers; 4. OCC Releases Third-Party Risk Management FAQs.

CFPB Proposes Further Changes to Prepaid Rule

In June 2017, the Consumer Financial Protection Bureau (CFPB) issued proposed changes to its October 2016 Prepaid Rule, which prescribed substantial new requirements for institutions offering prepaid financial products. The new requirements are intended, in part, to promote greater transparency in account disclosures and to extend certain error resolution rights, liability limitations and overdraft protection requirements to prepaid financial products.

The proposed changes, which follow on the heels of the CFPB’s recently announced delay in the effective date of the Prepaid Rule to April 1, 2018 and mounting feedback from financial services institutions regarding complications related to the implementation of the required changes, reflect the CFPB’s consideration of and intent to address these concerns.

The proposed amendments to the Prepaid Rule address two focal points of industry concern, specifically:

  • Applicability of Regulation E Error Resolution Requirements: The Prepaid Rule amended the CFPB’s Regulation E to extend error resolution requirements and consumer liability limits to all prepaid accounts. These requirements establish specific procedures and timeframes for the investigation and resolution of errors alleged by consumers and limit the extent to which consumers may be held liable for such errors. Financial institutions had expressed concern that the investigation and resolution of alleged errors may be restricted in cases where the prepaid card has not been registered by the consumer and the institution is consequently unable to verify the consumer’s identity. In consideration of this, the CFPB proposes to require the provision of these protections to consumers of registered accounts. Significantly, the amendment would still require resolution in accordance with Regulation E requirements for instances in which alleged errors occurred prior to registration for a now registered account.
  • Exceptions for Digital Wallets: The Prepaid Rule amended the CFPB’s Regulation Z to require financial institutions to provide certain overdraft protection disclosures to customers obtaining products referred to as hybrid pre-paid cards (prepaid cards with a credit feature that is activated when the prepaid account balance becomes negative). Financial institutions had expressed concern that digital wallets (e.g., devices such as smartphones linked to credit card accounts and used to transact electronically) could be subject to similar disclosure requirements in the Prepaid Rule as well as Regulation Z’s open-ended credit card rules. As such, the CFPB proposes an exception for digital wallets, which effectively excludes these products from related requirements within the Prepaid Rule.

The CFPB is also proposing several minor clarifications and amendments to the Prepaid Rule, such as the specification of certain exclusions from the definition of “prepaid account,” pre-acquisition disclosure requirements and requirements related to the submission of prepaid account agreements to the CFPB. As a supplement, the CFPB also issued a Compliance Guide for small entities that reflects the revised effective date of the Prepaid Rule.

While the proposed changes and the recently delayed effective date of the Prepaid Rule may alleviate some of the burden associated with industry adoption, financial institutions still face a significant effort to implement the new requirements. Financial institutions that offer prepaid products should review and evaluate the CFPB’s proposed changes in order to better understand potential compliance obligations, as well as consider potential implementation challenges and strategies to address these new requirements once they are made effective.

The Next Frontier in AML Compliance Programs: Artificial Intelligence

Today’s criminals and terrorist organizations are utilizing sophisticated tools and technology to launder money and have proven at times to outpace the innovation and effectiveness of anti-money laundering (AML) compliance programs of some of the largest global financial institutions. In the current environment, financial institutions are faced with the need (and confronted by regulatory expectations) for increasingly enhanced customer screening and transaction monitoring. As a result, they must begin exploring the idea of using more innovative methods, not only to help reduce the regulatory cost burden but also to improve the speed, transparency, and reliability of internal AML compliance controls.

While some regulators have publicly challenged the application of rules governing national bank charters to non-bank fintech, or financial technology, companies, others have signaled a growing openness to, and support of, entrepreneurship in regulatory technology (regtech) and fintech. One such innovative solution includes the use of artificial intelligence (AI) – defined generally as the ability of machines to execute tasks and solve problems in ways traditionally attributed to human workers – within AML compliance functions.

The application of AI to a financial institution’s AML compliance function should both create and support efficient, accurate and transparent key AML compliance processes. This includes, for example, performing ongoing transaction monitoring and conducting enhanced customer screening and investigations. To capture this value, key stakeholders in AML compliance functions might consider process areas in which to apply AI-based solutions as follows:

  • Fully Automated Processes: Certain activities within a financial institution’s compliance function are repetitive, utilize rule-based decision making, and require minimal human analysis. Integration of AI presents a practical and cost-effective solution to automate such processes. Tasks that may well integrate AI include customer identification program information verification, customer due diligence information gathering (at account opening and throughout periodic reviews), and enhanced due diligence screening and monitoring. Use of AI for these processes affords opportunities to improve resource management and re-allocate advanced skill sets to support less repetitive and more strategic tasks.
  • Semi-Automated Processes: Even in instances where institutions are not in a position to integrate AI on a fully automated basis, some AML process areas require significant human analysis and decision-making in which AI integration, even on a semi-automated basis, can be beneficial. For example, a critical area where AI can further supplement human capital on a semi-automated basis is transaction monitoring. AI can alleviate common challenges of information gathering by 1) automatically compiling customer and transactional data, 2) assisting with performing time series and cluster analyses to understand better and predict customer activity, and 3) improving logic and matching techniques to reduce volumes of false positives and improve consistency and quality of investigations and suspicious activity reporting.

AML compliance functions can benefit from technological innovations by adopting AI-based solutions to assist in the war against financial crime. Financial institutions embarking on the journey to integrate AI into AML compliance functions should ensure that AI-based solutions operate appropriately in the context of the AML compliance function’s existing system and technology environment. To implement AI successfully, financial institutions should 1) carefully consider the benefits and challenges of investing in AI, 2) apply proper due diligence to ensure the appropriate business processes are being supplemented with AI, 3) deploy adequate training to ensure the new AI-solution commingles well with human operators, and 4) align AI capabilities with evolving and emerging regulatory requirements.

CFPB Focuses on Credit Card Promotional Offers

In June 2017, the CFPB issued letters to top retail credit card companies strongly encouraging them to offer consumers more transparent deferred interest promotions that carry less risk.

Deferred interest promotions are arrangements where consumers are not required to pay interest for a certain period if the underlying balance is paid in full by the end of the period – an arrangement most frequently offered to consumers on larger purchases of appliances and furniture, as well as medical and dental services.

The CFPB cites concerns with the back-end pricing such products feature, where interest may be assessed retroactively on the full (not remaining) balance after the promotional period ends, and with the degree to which consumers are aware of such implications at the time the offer is accepted.

The letters were issued nearly two years after the CFPB conducted an analysis of the consumer credit card market. In the analysis, the CFPB noted that consumers generally recognized that they would be subject to a significant interest charge unless they paid their full promotional balance during the period; however, they appeared to have much less of an understanding of how deferred interest charges would be calculated in the instance where the balance is not paid in full at the end of the promotional period:

  • Data from the analysis showed that a large portion of consumers who fail to repay their entire promotional balance by the required timeframe still manage to repay the balance shortly thereafter. Specifically, the CFPB found that approximately 25 percent of customers do not fully pay off balances subject to deferred interest in a timely manner, but that data suggests that customers may be confused by the terms of the deferred interest agreement. For instance, approximately 50 percent of those customers then do pay off the balance in full within four months after the expiration of the promotional period.
  • The CFPB found that more than one-third of consumers who incur deferred interest charges and have other purchases on their account pay more than 150 percent of the full amount of their promotional balance during the promotional period. This potentially indicates that there may be confusion about which charges are part of the promotional balance and which are not.

The CFPB emphasizes that consumers should be able to understand completely the terms of credit card promotions and the consequences of not meeting promotional terms. In the letters, the CFPB outlines concerns with these practices and suggests that the credit card issuers consider offering zero-percent-interest promotions, where interest is not assessed retroactively if the promotional balances are not paid in full, as opposed to deferred interest promotions. The CFPB stops short, however, of requiring credit card issuers to cease offering deferred interest promotions.

The issuance of the letters is another indication of the CFPB’s increased focus on and attention to deferred interest promotional practices. The CFPB suggests that offering such programs requires robust compliance and third-party risk management programs to ensure that consumers are fully informed as to the terms and costs of such financing arrangements. As part of their responsible banking initiatives, credit card issuers that offer such promotions should take steps to conduct a thorough review of the manner in which such programs are developed, marketed and serviced, paying particularly close attention to payoff metrics and consumer complaints so as to mitigate and manage associated risks.

OCC Releases Third-Party Risk Management FAQs

In June 2017, the Office of the Comptroller of the Currency (OCC) released Bulletin 2017-21, which contains 14 frequently asked questions (FAQ) to supplement its 2013 risk management guidance for managing third-party relationships (OCC Bulletin 2013-29). When released, OCC Bulletin 2013-29 defined the OCC’s expectations of national banks to assess and manage risks associated with third parties across the lifecycle of the relationships, including defining the strategy related to engaging third parties, contracting and engagement, monitoring and oversight, and termination. The FAQs are intended to provide additional information to national banks related to third-party risk management.

Notable items the OCC addresses in the FAQs include:

  • Definition of “Third-Party Relationships”: The OCC provides the definition of “third-party relationships” in the FAQs as it had done in the original bulletin. The reiteration of the definition suggests that the OCC finds continued clarification for the industry on this topic to be necessary. Third-party relationships, which include any relationship where a national bank has a relationship with another party (including affiliates, subsidiaries, and joint ventures), should be included in the scope of a bank’s third-party risk management program. In addition, the OCC highlights that it expects all third-party relationships to be subject to due diligence and ongoing monitoring based on the associated risk level with the relationship.
  • Impact of Fintechs and Third-Party Risk Management: Reflecting the agency’s recent focus on financial innovation, the OCC highlights in particular relationships with fintech providers where the fintech firm performs services or delivers products on behalf of a bank. The OCC dedicates four of the FAQs to the impact fintechs have on national banks and third-party risk management, focusing one FAQ specifically on marketplace lenders. Those arrangements with fintechs that involve “critical activities,” as defined in the earlier bulletin, should be identified by management and banks should apply more rigorous oversight to these relationships as necessary.

The OCC clarifies that banks engaging with start-up fintechs may proceed with caution, but do not necessarily have to limit their relationships to those fintech firms to whom the bank would otherwise extend credit and that meet the bank’s underwriting/credit criteria. The OCC reminds institutions that collaboration with fintech companies to provide products and services to underbanked or underserved customers still constitutes a third-party relationship subject to its risk management guidelines.

  • Risk Management and Cyber Threats Collaboration: The OCC notes that national banks may collaborate to meet third-party risk management expectations when engaging a common third-party service provider; however, each national bank must still assess its own risk profile and consider the types of unique risks present between the bank and the third party.

The OCC also indicates that banks may engage with various information-sharing organizations to better understand cyber threats related to third parties with which they have relationships.

The OCC suggests the Financial Services Information Sharing and Analysis Center (FS-ISAC), the U.S. Computer Emergency Readiness Team (US-CERT) and InfraGard, among others, to facilitate such information sharing.

  • Risk Management Structure: The OCC notes that there is not a preferred risk-management structure but highlights the need for the business lines, control functions and the board of directors to be involved in the risk management process. The OCC indicates that a bank’s board is ultimately responsible for overseeing the development and implementation of an effective risk management program.
  • Due Diligence Resources: The OCC indicates that banks are allowed to request technology service provider (TSP) reports from the OCC only if they have a contractual relationship with the TSP. In addition, a bank may utilize a third party’s Service Organization Control (SOC) report prepared in accordance with the AICPA’s SSAE 18 standards as part of its due diligence on the effectiveness of the third party’s risk management program.

National banks should review the FAQs together with the OCC’s third-party risk management exam procedures released in January 2017 to self-assess the scope and structure of their third-party risk management programs and procedures. Banks should review their current third-party risk management programs against the FAQs to confirm alignment of their programs against the procedures and related regulatory guidance and address proactively any potential gaps ahead of a regulatory examination, particularly related to the scope of their program and unique relationships with fintech companies. In addition, non-bank entities that provide services to national banks should also take steps to review the FAQs and be responsive to requests they may receive from their bank partners.

Steven M. Stachowicz
Managing Director