
Nutter Bank Report: October 2022



  1. New CFPB Guidance Identifies Fee Practices That Constitute UDAAP Violations
  2. SEC Rule Will Require Compensation Clawback Policies and Disclosures
  3. FFIEC Updates Cybersecurity Guidance to Address Ransomware Attacks
  4. FDIC Finalizes Plans to Increase Deposit Insurance Assessment Rates for All Banks
  5. Other Developments: Personal Financial Data Rights and Crypto Asset Risks

1. New CFPB Guidance Identifies Fee Practices That Constitute UDAAP Violations

The CFPB has issued new guidance about what it pejoratively characterizes as “junk fee” practices by banks that the agency believes are likely to violate the prohibition against unfair, deceptive, and abusive acts or practices (“UDAAP”) in Section 1036 of the Consumer Financial Protection Act (“CFPA”). The CFPB’s Consumer Financial Protection Circular 2022-06, published on October 26, discusses how unanticipated overdraft fee assessment practices may violate the CFPA. According to the circular, overdraft fees assessed by banks on transactions that a consumer would not reasonably anticipate likely constitute UDAAP violations of the CFPA. The circular includes examples of situations that may cause unexpected overdraft fees that violate the CFPA, such as “authorize positive, settle negative” (“APSN”) transactions. An APSN transaction arises when a bank assesses an overdraft fee for a debit card transaction in which the consumer had a sufficient available balance in their account at the time the transaction was initiated and the bank authorized it, but at the time of settlement the bank determines the available balance was insufficient due to the order of settlement of other transactions. The CFPB believes that overdraft fees resulting from APSN transactions are likely to be UDAAP violations because banks “use processes that are unintelligible for many consumers and that consumers cannot control” to determine when an overdraft occurs, so that consumers may not reasonably anticipate the fees even if they closely monitor their account balances and spending. Click here for a copy of the circular on unanticipated overdraft fees.

Nutter Notes: The CFPB also released a compliance bulletin on October 26 in which the CFPB concludes that “[b]lanket policies of charging Returned Deposited Item fees to consumers for all returned transactions irrespective of the circumstances or patterns of behavior on the account” create a substantial risk of violating the UDAAP prohibitions under the CFPA. The compliance bulletin defines a Returned Deposited Item as a check that a consumer deposits and that is returned unpaid because it could not be processed against the maker’s account. According to the compliance bulletin, a consumer depositing a check is likely to be unaware of and have no control over factors that may result in the depository bank’s inability to collect on a check. Such factors may include that the maker of the check has insufficient funds available to cover the check, or has issued a stop payment order, or has closed the account. The CFPB also found that Returned Deposited Item fees are not “well-tailored to recoup costs from the consumers actually responsible for” losses that depository banks may incur when the funds made available to the depositor on a check that is later returned cannot be recouped. The compliance bulletin points out that such fees are charged to depositors even when the depository bank incurs no such loss from the returned check. The CFPB concluded that “blanket Returned Deposited Item policies are not targeted to address patterns of behavior indicative of fraud or other circumstances where the consumer reasonably should have anticipated that the check would be returned,” and are therefore likely to be considered unfair under the CFPA. Click here for a copy of the compliance bulletin on Returned Deposited Item fees.

2. SEC Rule Will Require Compensation Clawback Policies and Disclosures

The SEC has adopted a final rule that requires national securities exchanges to adopt listing standards that will require publicly traded companies, including banking organizations, to develop and implement policies to recover erroneously awarded incentive-based compensation received by current or former executive officers, also known as “clawback policies.” The final rule released on October 26 implements a provision of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”) that directs securities exchanges to establish listing standards that require exchange-listed companies to adopt and comply with clawback policies and to disclose those policies to the public. The final rule requires specific disclosure of the company’s clawback policy and information about actions taken under the clawback policy. The final rule also requires all exchange-listed companies to file their clawback policies as exhibits to their annual reports, and to indicate whether the financial statements included in the annual reports reflect correction of an error to previously issued financial statements and whether any of those error corrections are restatements that required a compensation recovery analysis under the clawback policy. The final rule on clawback policies will become effective 60 days after publication in the Federal Register, which is expected shortly. Click here for a copy of the final rule.

Nutter Notes: The SEC’s final rule requires that each exchange-listed company’s clawback policy must provide that, in the event the company is required to prepare an accounting restatement, the company will also recover incentive-based compensation paid to its current or former executive officers based on any misstated financial reporting measure. The final rule also requires that such a clawback policy must require the company to recover from such executive officers any incentive-based compensation that was erroneously awarded during the three years preceding the date such a restatement was required. According to the final rule, the amount of incentive-based compensation received in excess of the amount that otherwise would have been received had it been determined based on the restated financial measure is the amount that must be recovered. Erroneously awarded compensation need not be recovered in circumstances where: certain expenses paid to assist in recovery would exceed the amount of compensation to be recovered and the company has made a reasonable attempt to recover; recovery would violate a law that existed at the time of adoption of the final rule, and the company provides a legal opinion to that effect to its securities exchange; or recovery would “likely cause an otherwise tax-qualified retirement plan to fail to meet the requirements of the Internal Revenue Code.” Companies subject to the final rule will be required to adopt a clawback policy within 60 days after the date on which its exchange’s clawback listing standards become effective, and must begin to comply with the applicable disclosure requirements in proxy and information statements and annual reports filed on or after the clawback policy is adopted.

3. FFIEC Updates Cybersecurity Guidance to Address Ransomware Attacks

The Federal Financial Institutions Examination Council (“FFIEC”) has updated its Cybersecurity Resource Guide for Financial Institutions, which was originally issued in 2018, to include ransomware-specific resources, among other things. The updated cybersecurity guide released on October 3 now includes links to a number of recent Cybersecurity and Infrastructure Security Agency (“CISA”) resources, including the Ransomware Readiness Assessment module of its Cyber Security Evaluation Tool and CISA’s Ransomware Guide. The updated cybersecurity guide also includes the Conference of State Bank Supervisors’ Ransomware Self-Assessment Tool, along with updated resource links for the Assessment, Exercise, Information Sharing, and Response and Reporting categories. According to the FFIEC, the purpose of the updated cybersecurity guide is to help banks and other financial institutions meet their security objectives and prepare to respond to information security incidents. Click here for a copy of the updated cybersecurity guide.

Nutter Notes: CISA’s Ransomware Guide contains two modules: the Ransomware Prevention Best Practices and the Ransomware Response Checklist. Recommendations for best practices include maintaining offline, encrypted backups of bank data that are regularly tested. According to the guide, maintaining backups offline is important because many ransomware attacks attempt to find and delete any backups. Offline, current backups are an effective hedge against ransomware attacks because there is no need to pay a ransom for data that is readily accessible to a bank from its offline backup. Other best practices include creating, maintaining, and exercising a cyber incident response plan, and conducting regular vulnerability scanning of information systems to identify and address vulnerabilities, particularly on internet-connected devices. The guide also recommends that financial institutions implement cybersecurity user awareness training that includes education on how to identify and report suspicious activity, and conduct enterprise-wide phishing tests to assess user awareness and emphasize the importance of identifying potentially malicious emails.

4. FDIC Finalizes Plans to Increase Deposit Insurance Assessment Rates for All Banks

The FDIC has adopted a final rule to increase initial base deposit insurance assessment rate schedules uniformly for all insured depository institutions by 2 basis points, beginning in the first quarterly assessment period of 2023. According to the FDIC, the rate increase implemented by the final rule released on October 18 is intended to improve the likelihood that the reserve ratio of the Deposit Insurance Fund (“DIF”) reaches the statutory minimum of 1.35% by the statutory deadline of September 30, 2028. The FDIC stated that the final rule also reduces the probability that the FDIC would need to consider raising assessment rates at a time when banking and economic conditions may be less favorable. The FDIC believes that the increase in assessment rates will not have a significant impact on banks’ capital levels. According to the FDIC, the increase is estimated to annually reduce income on average by 1.2%, and is not expected to affect lending or credit availability in a substantial way. Revised assessment rate schedules for all banks will take effect January 1, 2023, and will be applicable to the first quarterly assessment period—January 1 through March 31—with an invoice payment date of June 30, 2023. Click here for a copy of the final rule.

Nutter Notes:  The FDIC stated that it continues to project that the reserve ratio is at risk of not reaching the statutory minimum of 1.35% by September 30, 2028. The FDIC adopted an Amended Restoration Plan on June 21, which incorporates the proposed 2-basis point increase in assessment rates. The Federal Deposit Insurance Act requires that the FDIC adopt a restoration plan if the DIF reserve ratio falls below the statutory minimum of 1.35%. The law also requires that the restoration plan must restore the reserve ratio to the statutory minimum within eight years, absent extraordinary circumstances. The FDIC determined at that time that slowing growth in the DIF balance combined with the expectation that insured deposit levels will continue to grow have reduced the likelihood that the reserve ratio will meet the statutory minimum by September 30, 2028. The FDIC stated that its long-term goal of increasing the DIF reserve ratio to 2% is intended to increase the likelihood that the DIF would remain positive through possible future periods of significant losses due to bank failures.

5. Other Developments: Personal Financial Data Rights and Crypto Asset Risks

  • CFPB Announces Beginning of Personal Financial Data Rights Rulemaking Process

The CFPB on October 27 outlined options it is considering under a new personal financial data rights rulemaking initiative to strengthen consumers’ access to, and control over, their financial data as a first step before issuing a proposed data rights rule that would implement section 1033 of the Dodd-Frank Act. The proposals that the CFPB is considering, if finalized, would require certain Dodd-Frank Act covered persons, including banks, to make consumer financial information available to a consumer or an authorized third party. Click here for a copy of the CFPB’s Outline of Proposals and Alternatives Under Consideration.

Nutter Notes: The Dodd-Frank Act authorizes the CFPB to prescribe rules requiring banks and other consumer financial services providers to make available certain information they collect about a consumer upon request by that consumer. The information subject to such a request could include any information in the control or possession of the financial services provider about a consumer financial product or service that the consumer obtained from the provider, including information relating to a transaction, series of transactions, or to the consumer’s account, including costs, charges, and usage data.

  • Acting OCC Chief Emphasizes Crypto Asset Risk Mitigation in Recent Remarks

Acting Comptroller of the Currency Michael Hsu discussed the importance of identifying and monitoring crypto risks to protect consumers and the financial system in remarks delivered on October 11 at DC Fintech Week 2022. He noted that recent events in crypto markets have “exposed severe weaknesses in the risk management practices at a range of crypto firms,” and have “revealed the scope of risks to consumers, the hidden interconnectedness between many crypto participants, and the risk of contagion.” Click here for a copy of his remarks.

Nutter Notes:  Acting Comptroller Hsu discussed how national banks and savings associations that seek OCC permission to engage in certain crypto-asset activities must first obtain a supervisory non-objection, which includes demonstrating to the OCC’s satisfaction that the institution “can conduct the proposed activity safely, soundly, and fairly.” He noted that the FDIC and Federal Reserve have adopted a similar approach, but argued that additional, “structured and recurring gathering of quantitative data” that targets the intersection of banks and crypto firms may be necessary to “ensure that regulators have an accurate and complete view of the risk.”

Nutter Bank Report

Nutter Bank Report is a monthly electronic publication of the Banking and Financial Services Group of the law firm of Nutter McClennen & Fish LLP. Chambers and Partners, the international law firm rating service, after interviewing our clients and our peers in the profession, has ranked Nutter’s Banking and Financial Services practice among the top banking practices in the nation. Visit the U.S. rankings at The Nutter Bank Report is edited by Matthew D. Hanaghan. Assistance in the preparation of this issue was provided by Heather F. Merton. The information in this publication is not legal advice. For further information, contact:

Kenneth F. Ehrlich

Tel: (617) 439-2989

Matthew D. Hanaghan

Tel: (617) 439-2583

Michael K. Krebs

Tel: (617) 439-2288


This update is for information purposes only and should not be construed as legal advice on any specific facts or circumstances. Under the rules of the Supreme Judicial Court of Massachusetts, this material may be considered as advertising.
