Compliance Insights (Your monthly compliance news roundup - Oct 2016)
In October 2016, the U.S. Court of Appeals for the District of Columbia Circuit issued a notable ruling in the case of PHH Corporation (PHH) v. Consumer Financial Protection Bureau (CFPB). In this case, PHH brought action against the CFPB in relation to a June 2015 CFPB final order related to Real Estate Settlement Procedures Act (RESPA) anti-kickback violations alleged by the CFPB. The CFPB had ordered the disgorgement of $109 million in reinsurance premiums related to mortgage insurance premiums charged to borrowers that a PHH subsidiary received from other subsidiaries. PHH appealed the case on the grounds that the arrangements were permissible, and that the CFPB applied a retroactive interpretation of a long-standing and accepted practice, and more broadly challenging the constitutionality of the CFPB itself.
Substantively, the appellate court ruled in favor of PHH on the following major points:
- The CFPB violated due process standards in invalidating historical guidance from the Department of Housing and Urban Development (HUD) on Section 8 of RESPA and then penalizing PHH for historical actions that were otherwise consistent with HUD’s guidance at the time.
- The CFPB’s position that the statute of limitations did not apply to administrative actions was invalid generally, and the three-year statute of limitation under RESPA should be applied to this matter.
- The CFPB’s structure violates the constitutional separation-of-powers doctrine because it was established, under the Dodd-Frank Act, as an independent agency but led by a single director rather than a board or group of commissioners, which constitutes unprecedented and potentially inappropriate concentration of power in a single person as far as the court is concerned.
The final remaining point that was remanded to the CFPB was whether the reinsurance premiums collected by the PHH affiliate exceeded fair market value, which would potentially be a violation, even under the historical HUD guidance.
The ruling was unexpectedly harsh in terms of criticism of the CFPB’s enforcement approach and structure. From an enforcement perspective, the ruling represents a victory for the financial services industry, which is concerned about open-ended liability for RESPA matters, and the apparent retroactive application of new interpretations of the law by the CFPB.
The court held that statutes of limitations apply not only to RESPA but also to all 19 of the consumer protection statutes that the CFPB has been assigned responsibility to administer.
Secondly, for the time being, this ruling provides some certainty to the industry regarding its ability to rely on historical guidance of federal agencies previously responsible for the administration of these consumer protection statutes (in this case, HUD), and arguably sent a message to the CFPB to enforce its priorities prospectively through the rule-making process.
Finally, and from a structural standpoint, the court did not accept the PHH’s request to shut the agency down until Congress could legislatively fix the constitutional concerns; rather, the remedy is that the CFPB’s director should now serve at the will of the president, making it an executive rather than independent agency.
The ultimate impacts of the ruling are unclear, especially in this election year and in light of the likelihood that the case will be further appealed by the CFPB. Financial institutions should continue to monitor developments in this case closely.
FDIC Issues Draft Guidance on Third-Party Lending
Recent events, such as the increased partnership of insured depository institutions with marketplace lenders as well as challenges encountered by such institutions implementing complex lending and servicing regulatory requirements (such as the TILA-RESPA rule made effective in October 2015), are drawing increased regulatory scrutiny of the third-party relationships banks maintain related to their lending activities. In July 2016, the Federal Deposit Insurance Corporation (FDIC) issued proposed examination guidance regarding third-party arrangements, which are arrangements in which banks rely on a third party to perform a significant aspect of the lending process (e.g., underwriting, origination, servicing and debt collection).
Such arrangements include situations in which FDIC-insured depository institutions 1) originate loans for third parties (including, for example, loans originated for nonbank lenders, including marketplace lenders) 2) originate loans through or jointly with third-party lenders (such as correspondent lending), and 3) originate loans using platforms developed by third parties (such as through the use of a loan-origination system purchased or licensed from a third-party software developer). While the FDIC acknowledges the benefits that such arrangements provide depository institutions, it also highlights that institutions face numerous unique risks and the consequence that may arise from ineffective management of these risks.
The proposed guidance supplements and expands on the FDIC’s 2008 guidance on third-party risk management (FIL-44-2008, Guidance for Managing Third-Party Risk), and addresses the specific risks associated with these lending arrangements in the categories outlined in the 2008 guidance (e.g., strategic, operational, transactional, credit and consumer compliance risks), as well as unique risks related to these arrangements (e.g., pipeline and liquidity risk and model risk).
For instance, the FDIC highlights that banks effectively “integrate” the internal processes of the third parties with which they have lending arrangements, which may increase their overall operational complexity and risk profile. Transaction risks are increased when considering assignee liability. Consumer compliance risk is impacted by the extent to which the third party has established an effective compliance management system.
To mitigate these risks, the FDIC emphasizes that institutions should implement a risk management program to provide appropriate oversight of third-party lending arrangements, and robust processes to evaluate and monitor these relationships. A risk management program should be supported by:
- Strategic planning processes that incorporate third-party lending activities, establish clear risk tolerances, and consider the adequacy of staffing and expertise to provide appropriate oversight, contingencies planning, operational and technology capacity and risks, capital planning, etc.
- Comprehensive policies developed by management and approved by the institution’s board, addressing topics such as responsibilities, authorities and approval requirements, monitoring and reporting processes, training and underwriting and administration standards, among others.
The FDIC also highlights the elements necessary to evaluate and monitor third-party relationships, including:
- Formally assess the risks associated with each third-party lending relationship when initiating the relationship, when the third party’s operations change significantly or when the institution’s own lending operations change over time
- Conduct both initial due diligence and ongoing oversight of each relationship
- Understand and conduct detailed reviews of the models used by third parties in these arrangements
- Know your third party’s vendors by fully assessing the third-party relationship chain (i.e., the relationships a bank’s vendors have with their service providers and partners)
- Appropriately establish written contractual agreements clearly outlining the roles, responsibilities and rights of each party.
Additionally, the FDIC outlines several supervisory considerations for banks entering into such arrangements, including the responsibilities for setting credit underwriting and administration standards, recognizing timely loss, adherence to existing regulatory guidance on subprime lending, maintaining adequate capital and liquidity, conducting ongoing profitability analyses, and monitoring the third parties for compliance (including anti-money laundering and information safeguarding).
The FDIC indicates that the examination cycle for institutions with significant third-party lending relationships will be at least every 12 months and will include concurrent risk management and consumer protection examinations. Targeted examinations of certain relationships are also possible.
All institutions, including those subject to the FDIC’s supervision should prepare for the increased regulatory scrutiny by evaluating closely the FDIC’s guidance and how third-party lending relationships are managed in practice today. Financial institutions should take steps to validate that their current third-party management programs specifically address the unique and specific risks posed by these lending relationships, and that their contractual arrangements with, and ongoing oversight of, third parties are appropriate.
The Bahamas Leak and the Call for Global Transparency
In September 2016, the International Consortium of Investigative Journalists (ICIJ) released a set of approximately 1.3 million documents from the Bahamas corporate registry, revealing the names of individuals – including politicians and business leaders from around the world – associated with more than 175,000 companies, trusts, and foundations registered in the Bahamas. The leak, while revealing information on a substantial number of Bahamian companies, is significantly smaller than the behemoth Panama Papers scandal, which stemmed from the unprecedented leak of documents from a law firm specializing in creating offshore companies.
The ICIJ added information obtained from the official corporate registry of the Bahamas to the Offshore Leaks Database, which now contains information on nearly 500,000 offshore entities and is one of the largest online repositories of offshore information.
The Bahamas is a notorious offshore tax haven that has a reputation for lack of regulatory standards, oversight, enforcement, and internal controls, specifically as it relates to transparency of ownership information.
While traditional tax havens, such as the Bahamas, afford financial opportunities to corporations regarding reduced or no taxes on company profits and capital gains, they also present opportunities for money launderers and terrorist financiers to hide potentially illicit funds. This documentation leak prompts the question of why so many corporations are registered, even if for legitimate reasons, in a country that does not have the economy, population or rigorous regulatory framework to support it this level of commerce.
In addition, the leak (coupled with other such incidents) raises ongoing concerns about the hiding of beneficial ownership information, that is, information on the ultimate, controlling owner(s) of a corporate vehicle – in an attempt to conceal financial crime, and how institutions should implement effective measures to prevent misuse. To that end, financial institutions should be aware of recent regulatory developments aimed to improve transparency of beneficial ownership, including:
- The Financial Crimes Enforcement Network (FinCEN) finalized a new rule in May 2016 requiring U.S. financial institutions to identify and verify the identity of beneficial owners. The rule, effective in May 2018, creates a fifth “pillar” for AML programs and requires covered institutions to adopt due diligence procedures to identify and verify beneficial owner(s) of legal entity customers at the time a new account is opened.
- The Financial Action Task Force (FATF), an international anti-money laundering standards body, released a report in October 2016 to the G-20 presenting its ongoing work to improve the implementation of international transparency standards, including the availability and exchange of beneficial ownership information. The FATF issued its initial standards on beneficial ownership in 2003, updated the standards in 2012 and has revised them once again to include “comprehensive measures” on the issue. FATF noted that, in its current assessment cycle, many countries still do not implement beneficial ownership requirements effectively. For example, even though the Bahamas has bilateral agreements in place to share information with financial intelligence units, the agreements prevent investigators from receiving information about an individual unless they already have the name of the Bahamas bank or the offshore company, which creates barriers for law enforcement investigating potentially illegal activities.
Countries failing to implement FATF standards on beneficial ownership run the risk of being labeled as high-risk or non-cooperative jurisdictions, making it more costly for them to do business and more difficult for them to transact with their global partners.
At a local level, U.S. financial institutions can expect a growing emphasis on beneficial ownership in regulatory examinations. Together, the recent documentation leaks are casting light on the existing and increasing risks of maintaining relationships when customer information is not easily obtainable.
In lieu of de-risking, a separate concern of U.S. regulators when banks close accounts or restrict access to new clients due to heightened terrorist financing and money laundering concerns, financial institutions should consider reviewing and enhancing their risk-based controls for maintaining accounts where regulatory risk and ownership uncertainty is high.
CFPB Wins Tribal Lending-Related Case Against Nonbank Servicer
In August 2016, a federal judge ruled that CashCall, a nonbank online loan servicer, appeared to violate federal law by offering high-interest-rate, small-dollar loans in states where such loans are prohibited. This ruling is significant because it confirmed the findings of the Consumer Financial Protection Bureau (CFPB) about the potential misuse of American Indian tribal lenders, and overruled the company’s argument that the CFPB had exceeded its authority in filing the complaint.
The CFPB first took action against the company by filing a complaint in court in December 2013 against the servicer alleging that the defendants engaged in unfair, deceptive and abusive practices. In particular, the CFPB alleged that CashCall, which purchased, serviced and collected the consumer installment loans in question, illegally debited consumer checking accounts of borrowers to repay loans that were otherwise void under state law because they exceeded applicable state usury restrictions when they were originated and/or were made without a license.
The CFPB found that CashCall had entered into an arrangement with an online lender based on an American Indian reservation, licensed to do business by an American Indian tribe and owned by a member of the tribe.
The online lender was created for the purpose of originating online loans to be purchased, serviced and collected by the company. Under this tribal lending arrangement, the online lender originated the loans, and within days after the loans were originated and funded, CashCall then acquired and began servicing the loans. The CFPB alleged that CashCall effectively used the online lender to avoid obtaining the consumer lending licenses required in numerous states, as well as to lend above the prescribed usury rates in those states.
The court concluded that CashCall had the “predominant economic interest” in the transactions and was the true lender. As a result, the loans were determined to be subject to the laws of the states in which the borrowers resided, not to the laws of the tribe, as stated in the loan agreements. The court further ruled that CashCall engaged in deceptive practices by servicing and collecting on these loans because they were void and/or the borrowers were not obligated to pay under state law. The court also reinforced the CFPB’s jurisdiction over a wide array of companies offering financial products and services to consumers as established in the Dodd-Frank Act.
While this case illustrates that state law compliance is not necessarily within the purview of the CFPB to enforce, a violation of state law may also be considered a violation under the Dodd-Frank Act and be sufficient for the CFPB to take action. Consumer lenders should review the circumstances of the case, particularly if they engage in third-party lending arrangements, to determine whether and how state laws and regulations could affect their activities. Strategies aimed at reducing a company’s regulatory burden can still result in violations of the Dodd-Frank Act and/or state and federal laws.
HMDA Implications of the Updated Uniform Residential Loan Application
In August 2016, the Federal National Mortgage Association (Fannie Mae) and the Federal Home Loan Mortgage Corporation (Freddie Mac), government-sponsored entities (GSEs) that purchase many consumer home mortgage loans originated by residential mortgage lenders in the United States, issued a new Uniform Residential Loan Application (URLA) form, the standardized form used by many lenders when taking applications from consumers for home mortgage loans, and a corresponding dataset.
The GSEs re-designed the format of the URLA to facilitate more accurate and efficient data collection and expanded it to capture additional loan application information as well as government monitoring information (GMI) required by the forthcoming changes mandated by the October 2015 amendments to the Home Mortgage Disclosure Act (HMDA), and they simplified the loan application instructions for consumers completing the form.
Under the CFPB’s Regulation B, which implements the Equal Credit Opportunity Act (ECOA), residential mortgage lenders are required to take written applications, and the CFPB states that the use of the model URLA form – while optional – affords a lender “safe harbor” compliance with certain requirements under the regulations.
In September 2016, the CFPB issued a notice extending protections under the ECOA and its Regulation B to residential mortgage lenders seeking to utilize the recently updated URLA. Lenders may begin collecting the new information on the updated URLA beginning January 1, 2017, and lenders using previous versions of the URLA will continue to be deemed in compliance with ECOA and Regulation B.
Notable in the CFPB’s notice and approval of the use of the revised URLA in January 2017 is that the URLA includes the updated data collection categories for race and ethnicity under the forthcoming HMDA changes, which residential mortgage lenders will be required to collect beginning in January 2018. Ahead of this time, collection of such data would otherwise appear to be prohibited by ECOA/Regulation B. The CFPB, in its approval, noted that there are benefits to residential mortgage lenders deciding to use the new URLA in 2017 in that they will have an additional year to implement the HMDA data-collection changes. Accepting the new, and more complicated, data points early could improve institutions’ abilities to comply when the updated HMDA requirements become mandatory in 2018. As a result, institutions should evaluate their readiness to adopt the new URLA in 2017 and begin testing revisions to policies, procedures, and controls will eventually be necessary to institute these changes.
Institutions, however, should be prepared for the fact that they will still be required to report their HMDA data for 2017 using the existing data-reporting requirements, not the new data-collection points, and would need to run a dual process in 2017 for collection and reporting. As such, institutions will need to carefully consider the benefits of an extended HMDA implementation period against the complications of an interim, dual HMDA data-collection and data-reporting process.
It is important to note that this newsletter is provided for general information purposes only and is not intended to serve as legal analysis or advice. Companies should seek the advice of legal counsel or other appropriate advisers on specific questions and practices as they relate to their unique circumstances.