In September 2018, five federal agencies issued an interagency statement explaining the role of supervisory guidance for regulated financial institutions. The five agencies include the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Bureau of Consumer Financial Protection, which are collectively responsible for regulating the safety and soundness and compliance with consumer federal laws and regulations at their respective supervised financial institutions. These agencies issue various types of supervisory guidance, among which include: interagency statements, advisories, bulletins, policy statements, questions and answers, and frequently asked questions.
In the interagency statement, the agencies emphasize that supervisory guidance does not have the force and effect of a law or regulation. Accordingly, the agencies state they will not take enforcement action based on supervisory guidance. The interagency statement clarifies that supervisory guidance is intended to outline supervisory expectations or priorities and provide examples of practices that the agencies generally consider consistent with applicable laws and regulations.
To further clarify the role of supervisory guidance, the agencies committed to the following ongoing efforts:
- Limit the use of numerical thresholds and other “bright-lines” in describing expectations in supervisory guidance. The use of numerical thresholds will be considered exemplary and not suggestive of requirements.
- Abstain from criticizing a supervised financial institution for a “violation” of supervisory guidance. Rather, any citations will be for violations of law, regulation, or non-compliance with enforcement orders or other enforceable conditions.
- Seek public comment on supervisory guidance, where helpful, to improve the agencies’ understanding of an issue, gather information on institutions’ risk management practices, or seek ways to achieve a supervisory objective most effectively and with the least burden on supervised institutions.
- Reduce the issuance of multiple supervisory guidance documents on the same topic.
- Clarify the role of supervisory guidance to examiners and supervised institutions.
It should be noted that the interagency statement does not diminish the importance of supervisory guidance. Financial institutions should continue to utilize applicable supervisory guidance to understand the expectations of their respective regulators, including examples of safe and sound conduct, appropriate consumer and risk management practices, and other actions for addressing compliance with laws and regulations. While the agencies indicated that they will no longer cite their respective supervised institutions for “violations” of or “non-compliance” with supervisory guidance, they are not precluded from citing violations or non-compliance with the applicable law, regulation or sound practice to which supervisory guidance may refer or from taking actions where they determine the “safety and soundness” of the financial institution is threatened. Accordingly, financial institutions should continue to understand the general views and expectations their regulators communicate through supervisory guidance.
One of the provisions of the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA) that was signed into law in May 2018 added a new section to the Fair Credit Reporting Act (FCRA) requiring nationwide consumer reporting agencies (CRAs) to enable consumers to “freeze” others’ access to their consumer reports, free of charge. In addition, the summary of rights provided by the CRAs to consumers (including the right to obtain a copy of a consumer report, when and how often consumers are entitled to receive a free consumer report, the right to dispute information in the consumer file, and the right to obtain a credit score), as required by the FCRA, must now include a notice regarding the consumer’s right to obtain a security freeze for instances such as identity theft or fraud. These changes became effective in September 2018.
A security freeze placed on a consumer report prevents a financial institution (among others) from accessing the report. Highlights of the provision include the following:
- In terms of timing, CRA response times vary depending on how the consumer contacts the agency with a request to place a security freeze on their credit report. For example, CRAs are required to place a freeze within one day if the consumer requests the freeze via phone or online. If the consumer requests the security freeze via mail, the CRA must place the freeze on the credit report within three business days.
- The CRA is required to provide the consumer with a personal identification number (PIN) which can be used to lift the freeze. This PIN service would also be extended to the consumer for free. When the consumer requests that the freeze be lifted, the CRA is required to lift it within one hour.
While security freezes were previously available to consumers, the requirement that they now be offered as a free service will most likely increase their usage, an impact that financial institutions should be prepared to address. Traditionally, financial institutions access a consumer report for purposes of extending new or increased amounts of credit and opening deposit accounts for new consumers, among other permissible purposes. To prepare, financial institutions should assess the operational impacts of these security freezes where consumer reports are accessed. Areas for compliance consideration should include:
- Whether a notification will be provided to an applicant regarding which CRA the financial institution uses with a reminder for the consumer to lift a freeze, if applicable, before making an application with the institution;
- What type of notice will be generated if a freeze is encountered while processing an application for credit or a new deposit account;
- How automated systems will respond if credit freezes are encountered while processing an application;
- If and when the financial institution should consider that identity theft should be suspected, and how to respond operationally;
- Preparation of customized job aids and training for staff that outlines specific language to handle a security freeze; and
- If applicable, how to manage consumer complaints should consumers reach out to financial institutions providing feedback regarding their experience when applying for a loan when a security freeze has been placed by the consumer on their consumer report.
Institutions should also evaluate the impacts of this new requirement on their compliance management systems (CMS), including policies, processes, procedures, systems and training, as these areas may require updates to comply with the new requirement. Compliance functions should review their overall CMS and areas where related regulatory requirements (e.g., Equal Credit Opportunity Act/Regulation B, Home Mortgage Disclosure Act/Regulation C) and business line operations may be impacted.
In September 2018, the Bureau of Consumer Financial Protection (BCFP) sued a California-based company, the president of the company, and sixteen related entities for potentially deceptive acts or practices under the Consumer Protection Financial Act of 2010 (CPFA) and violations of the Truth in Lending Act (TILA) related to pension advance products. Pension advance products are lump-sum cash payouts to retirees in exchange for some or all the retiree’s monthly pension payments for a specified time. The products often have high interest rates, fees, and pledge deposit accounts requirements. The BCFP alleged that the defendants:
- Misrepresented to consumers that the pension advance product was not a loan;
- Misrepresented to consumers that the products did not have an interest rate when in fact the difference between the lump sum consumers received and the installment amounts due (payable when the consumers received their disability, pension or other payments), referred to as a “discount,” may be akin to an interest rate charged to the consumer;
- Misrepresented to consumers that the product was comparable to or cheaper than a credit card account; and
- Misled consumers in stating there was no prepayment penalty.
Additionally, the complaint alleges that defendants did not provide required closed-end credit-related disclosures, including the finance charge and annual percentage rates, to these consumers, in violation of TILA. The BCFP’s suit joins that of several other states that have already taken action against the defendants.
The suit follows other actions taken by the BCFP regarding pension advance products and the potential for unfair, deceptive or abusive acts or practices (UDAAP) associated with such products. Such products, and others that offer advances against future income streams (such as litigation funding) pose unique risks to consumers that underscore the importance of monitoring promotional materials, customer contracts, and disclosures to ensure that such items adequately describe the terms and conditions of products. Institutions that offer or are considering offering such products should be aware of the risks associated with such products, and carefully assess such products for potential UDAAP-related risks.