Trending publication

Nutter Bank Report: September 2021

Print PDF
| Legal Update


  1. Division of Banks Warns of Risks from Representments Causing Multiple NSF Fees
  2. Federal Reserve Publishes Guidance for Community Banks on Partnering with Fintechs
  3. CFPB Releases Proposed Rule on Reporting Requirements for Small Business Lending
  4. OFAC Warns of Potential Liability for Facilitating Ransomware Payments
  5. Other Developments: Marijuana Businesses and Community Reinvestment Act

1. Division of Banks Warns of Risks from Representments Causing Multiple NSF Fees

The Massachusetts Division of Banks has issued a supervisory alert letter to warn banks about certain legal risks and risks of regulatory scrutiny that may arise from charging consumer accountholders multiple non-sufficient funds (NSF) fees for representment of unpaid transactions. According to the supervisory alert letter released on September 23, when a merchant payment transaction is declined due to insufficient funds and the merchant attempts to present the same transaction again in an effort to obtain the declined funds, the representment can trigger the assessment of multiple NSF fees. The supervisory alert letter warns that class action lawsuits have been brought recently against banks for charging multiple NSF fees in such cases even though the banks cannot control whether a merchant represents a declined transaction. The supervisory alert letter recommends that banks should clearly disclose the amount of any NSF fees and how NSF fees may be charged in connection with the processing of payment transactions to avoid exposure to claims by consumers or regulatory criticism that a bank’s NSF policies are confusing or deceptive. Click here for a copy of the supervisory alert letter.

Nutter Notes:  The supervisory alert letter notes that standard disclosures in deposit account agreements or fee schedules provided to banks by vendors of forms, for example, may not clearly or accurately explain a bank’s actual NSF fee practices. In particular, some disclosures may not describe how the same processed transaction may trigger multiple NSF fees. According to the supervisory alert letter, disclosures that one NSF fee will be charged “per item” or “per transaction” may be insufficient to describe to a consumer that, when a transaction has been declined and an NSF fee has been charged, a merchant seeking payment may represent the same transaction again causing another NSF fee to be charged. Exacerbating the problem, bank information systems are often unable to distinguish between new payment transactions and represented transactions. In addition, banks are obligated under automated clearinghouse rules to process payment entries that are received, even if a third party submits the same entry multiple times. A bank that receives a valid automated clearinghouse entry is required by automated clearinghouse rules to process the payment or return the entry to the sender, and a sender may re-submit a returned entry up to two more times. As a result, a bank may be required to handle an automated clearinghouse entry up to three times if there are insufficient funds on deposit to cover the payment, potentially resulting in up to three NSF fees per returned entry.

2. Federal Reserve Publishes Guidance for Community Banks on Partnering with Fintechs

The Federal Reserve has released a paper detailing how community banks can partner with third-party financial technology (“fintech”) companies to access innovative technologies and services. The paper published on September 9, titled “Community Bank Access to Innovation through Partnerships”, provides an overview of the banking and fintech landscape, discusses benefits and risks of bank/fintech partnerships, and key considerations for engaging in these partnerships based on the experiences bankers shared with Federal Reserve staff. For example, the paper describes how some bankers cautioned against rushing new fintech products to market to remain competitive, and warns of the reputation risk associated with introducing a new product that may not meet the standards a bank’s customers have come to expect. The paper also emphasizes the need to ensure that customer-facing interfaces include appropriate disclosures to avoid exposing the bank to potential consumer claims or regulatory criticism for unfair or deceptive acts or practices. The paper recognizes that bank/fintech partnerships offer community banks opportunities to reach new or broader customer segments that a bank might not be able to reach through traditional or established channels. Click here for a copy of the Federal Reserve’s paper on fintech partnerships.

Nutter Notes:  The Federal Reserve’s paper discusses three broad categories of fintech partnerships. The first is “operational technology partnerships,” in which a community bank incorporates third-party technology into its own processes or infrastructure to enhance the bank’s processes, monitoring capabilities, or technical infrastructure. Examples of operational technology partnerships include automating aspects of the loan origination process, enhancing fraud detection, and providing more reliable customer authentication. The second category of fintech partnerships is “customer-oriented partnerships,” which involves a community bank engaging a third-party to enhance customer-facing aspects of the bank’s business, and the bank continues to interact directly with its customers. Examples include fintech-provided online account opening tools, goal-based savings applications, and platforms that simplify person-to-person electronic payments. The third category is “front-end fintech partnerships,” in which technology developed by a fintech relies on a community bank’s infrastructure to allow the fintech to deliver banking products or services directly to the end-using customer—sometimes referred to as “Banking-as-a-Service.” The potential benefits of these types of partnerships include increased deposit collection, diversification of existing lending portfolios, and generating additional non-interest income, such as transaction fees.

3. CFPB Releases Proposed Rule on Reporting Requirements for Small Business Lending

The CFPB has released a proposed rule that would implement Section 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act, which mandates that lenders, including banks, collect and report credit application data for small businesses, including women-owned and minority-owned small businesses. The proposed rule issued on September 1 would add a new Subpart B to the CFPB’s Equal Credit Opportunity Act rule (Regulation B), that would require banks and other small business lenders to collect and report the amount and type of small business credit applications received and credit extended, the race, ethnicity and sex of the small business owners, and several key elements of the price of the credit offered. Data collected under the proposed rule generally would be made available to the public, similar to reported Home Mortgage Disclosure Act (HMDA) data. Comments on the proposed rule will be due within 90 days after it is published in the Federal Register, which is expected shortly. Click here for a copy of the proposed rule.

Nutter Notes:  The small business lending data collection and reporting requirements under the CFPB’s proposed rule would apply to covered financial institutions, including banks, that originated at least 25 credit transactions that would be “covered credit transactions” to small businesses under the proposed rule in each of the two preceding calendar years. The proposed rule would define “small business” by reference to the definitions set out in the Small Business Act and Small Business Administration (SBA) regulations. However, rather than using the SBA’s size standards for defining a small business, the CFPB’s proposed definition would provide that a business is a small business if and only if its gross annual revenue is $5 million or less during the preceding fiscal year. The proposed rule would define “covered credit transaction” to be a transaction that meets the definition of business credit under the CFPB’s existing Regulation B. The proposed rule would require that covered financial institutions collect data on a calendar-year basis and report their data to the CFPB by June 1 of the following year.

4. OFAC Warns of Potential Liability for Facilitating Ransomware Payments

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has released an updated advisory on potential risks and risk management practices related to ransomware payments, warning that banks and others could be subject to penalties for facilitating payments to malicious cyber actors. The advisory issued on September 21 reminds banks that their sanctions compliance programs should account for the risk that a ransomware payment may involve an OFAC Specially Designated National (SDN) or other blocked person, or a person covered by comprehensive country or region embargoes. According to the advisory, OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a bank may be held civilly liable for facilitating a ransomware payment to an SDN, for example, even if the bank did not know or have reason to know that it was engaging in a transaction that was prohibited under sanctions laws and regulations administered by OFAC. The advisory also states that OFAC may consider the existence, nature, and adequacy of a sanctions compliance program as a factor when OFAC determines an appropriate enforcement response to an apparent violation of U.S. sanctions laws or regulations. Click here for a copy of the OFAC advisory.

Nutter Notes:  The OFAC advisory notes that ransomware attacks recently have become more focused, sophisticated, costly, and common. According to FBI data, reported ransomware cases increased by nearly 21% and associated losses increased by approximately 225% from 2019 to 2020. According to the advisory, OFAC has designated a number of malicious cyber actors as SDNs under its cyber-related sanctions program and other sanctions programs, including perpetrators of ransomware attacks and those who facilitate ransomware transactions. The advisory also notes that when considering enforcement action, OFAC will take into account the reporting of a ransomware attack to appropriate U.S. government agencies and the nature and extent of a person’s cooperation with OFAC, law enforcement, and other relevant agencies, including whether an apparent violation of U.S. sanctions is voluntarily self-disclosed. In the case of ransomware payments that may be subject to OFAC administered sanctions, OFAC will consider whether a company, including a bank, reported the incident as soon as possible to law enforcement or other relevant U.S. government agencies, such as the Cybersecurity and Infrastructure Security Agency or the U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection. Voluntary self-disclosure of involvement in a ransomware payment is a significant mitigating factor in determining an enforcement response, according to the advisory.

5. Other Developments: Marijuana Businesses and Community Reinvestment Act

Amendment to National Defense Authorization Act Addresses Marijuana Banking

The U.S. House of Representatives adopted an amendment to the National Defense Authorization Act on September 21 that includes the language of the SAFE Banking Act, which would create protections for banks that provide financial services to state-licensed marijuana-related businesses, if it became law. The Senate is expected to consider a similar measure. Click here for the text of the bill including the amendment.

Nutter Notes:  The SAFE Banking Act would prevent any federal banking agency from prohibiting a depository institution (or its service providers) from, or penalizing a depository institution (or its service providers) for, providing a financial service to a marijuana business or a service provider of a marijuana business that operates in compliance with state law.

OCC Issues Proposed Rule to Rescind Its 2020 Community Reinvestment Act Rule

The OCC proposed a rule on September 8 that would rescind the agency’s 2020 Community Reinvestment Act (CRA) rule, and replace it with a rule based on the 1995 CRA rules that were jointly adopted by the OCC, the Federal Reserve, and the FDIC. The proposed rule would apply to all national banks and all federal and state savings associations. Comments on the proposed rule are due by October 29, 2021. Click here for a copy of the proposed rule.

Nutter Notes:  In May 2020, the OCC unilaterally amended its CRA regulation to clarify and expand the activities that qualify for CRA credit and modernize its CRA rules governing the establishment of geographic assessment areas. However, the OCC later reversed course, announcing in July 2021 that it will join the FDIC and the Federal Reserve in a joint CRA rulemaking to “strengthen and modernize” regulations implementing the CRA.

Nutter Bank Report
Nutter Bank Report is a monthly electronic publication of the Banking and Financial Services Group of the law firm of Nutter McClennen & Fish LLP. Chambers and Partners, the international law firm rating service, after interviewing our clients and our peers in the profession, has ranked Nutter’s Banking and Financial Services practice among the top banking practices in the nation. Visit the U.S. rankings at The Nutter Bank Report is edited by Matthew D. Hanaghan. Assistance in the preparation of this issue was provided by Heather F. Merton. The information in this publication is not legal advice. For further information, contact:

Thomas J. Curry

Tel: (617) 439-2087

Kenneth F. Ehrlich

Tel: (617) 439-2989

Michael K. Krebs

Tel: (617) 439-2288

This update is for information purposes only and should not be construed as legal advice on any specific facts or circumstances. Under the rules of the Supreme Judicial Court of Massachusetts, this material may be considered as advertising.

More Publications >


Get the latest from Nutter >


Back to Page