Amended Military Lending Act goes into effect on October 3; CFPB releases updated exam procedures

Today, September 30, 2016, the Consumer Financial Protection Bureau (CFPB) identified the updated exam procedures it will use to audit lenders who do business with military personnel. According to CFPB Director Richard Cordray, “[t]he updated exam procedures…will help ensure that servicemembers and their families are dealt with in a fair and safe manner when attempting to access credit.” Specifically, the requirements prohibit interest rates above 36 percent MAPR, mandatory waivers of consumer protection laws and mandatory allotments.

In its press release, the CFPB vows to strictly monitor financial institutions, their compliance programs and their “overall efforts to follow the rule’s requirements.” Evaluating everything from staff training to loan implementation, the CFPB will use the new rules to prevent substantial consumer harm. The updated Military Lending Act rules go into effect on October 3 for creditors. Credit card companies must be prepared to comply with the new rules by October 3, 2017.

Pawnbrokers make up a segment of the financial services industry that will be affected by these new rules under the Military Lending Act. Attorney Jackie Mallett recently hosted a webinar discussing the amended rules and how they will affect the pawn industry. View the webinar in its entirety here.

Compliance Management, Consumer Lending and Services, Depository Institutions, Fair Lending, Federal Regulatory, Non-Depository Institutions

Public and private sectors agree: Investment needed in banks’ cybersecurity

The Federal Reserve (the Fed) recently announced that it will participate in a study to determine how effective the central bank is at overseeing cybersecurity practices in the financial industry. The Fed’s Office of Inspector General (OIG) will be conducting the internal audit and plans to release the findings in the fourth quarter of this year.

The announcement comes on the heels of a congressional inquiry into the Fed’s security practices in light of the attempted theft of $951 million from a Federal Reserve Bank of New York account held by Bangladesh Bank, the South Asian country’s central bank. While the N.Y. Fed successfully blocked 30 transactions that would have totaled an $850 million withdrawal, five transactions totaling $101 million were successful.

The OIG study will be the first public report to detail how strictly the central bank holds the financial industry to the regulations that are in place to protect from hackers and other criminals. “The growing sophistication and volume of cybersecurity threats presents a serious risk to all financial institutions,” according to the OIG. Mary Jo White, Chair of the Securities and Exchange Commission, described attacks like the one against the N.Y. Fed as the biggest risk currently facing the financial industry.

This sentiment seems to be echoed by the private sector as well. An international survey conducted by Kaspersky Lab and B2B International found that among businesses around the globe, protection from cyberattacks ranked amongst their highest priorities. Of the 5,500 businesses surveyed, 41 percent have invested in an in-house solution for protecting their financial transactions and 45 percent use a bank-provided solution.

While the investment rate is high, firms’ confidence in their ability to thwart an attacker is not so widespread. The most confident sector — the telecommunications industry — reported confidence in its fraud security at a 70 percent rate. Only 67 percent of financial institutions reported the same confidence. Forty-seven percent of the firms surveyed indicated that their protections needed improvement.

Looking at the financial industry specifically, 48 percent of the respondents “admitted what they do to address the problem can be described as ‘mitigation’ rather than ‘prevention.’” One of the largest concerns for banks (38 percent of the organizations surveyed agreed it’s a problem for them) is distinguishing an attack from normal customer activity.

Depository Institutions, Federal Regulatory, Non-Depository Institutions

FDIC under fire following recent string of data breaches

A recent data breach at the Federal Deposit Insurance Corporation (FDIC) is just one of many that have occurred in the past several months. The banking regulator is now under fire for its responses following a slew of breaches involving more than 10,000 sensitive and private data records. The FDIC was questioned about the breaches on May 12, 2016, during a hearing held by the House of Representatives Subcommittee on Oversight. Representatives criticized the FDIC, suggesting that it handled the incidents too slowly, did not notify Congress in a timely manner and failed to provide requested documents.

The FDIC was also criticized for failing to notify its employees who were affected by the breaches. It is estimated that the personal data of approximately 160,000 people has been impacted by these breaches, which occurred between October 30, 2015, and the present. The information includes names, bank account numbers and, possibly, Social Security numbers. According to Republican Representative Barry Loudermilk, chair of the subcommittee, the FDIC has still not notified any of these employees that their private information may have been compromised.

Evidence shows that at least seven recent breaches were caused by former employees as they were leaving the FDIC. The FDIC maintains that these breaches occurred inadvertently, but Congress is skeptical that the breaches were not intentional. One case is allegedly the subject of a criminal investigation. While the FDIC has indicated that it is completing a “top to bottom review” of its technology information policies, it appears that Congress will continue to apply pressure to the FDIC related to its response and handling of these breaches. According to Rep. Loudermilk in the subcommittee’s press release, the American people “have good reason to question whether their private banking information is properly secured by the FDIC.”  

Depository Institutions, Federal Regulatory, Legal Developments

Announcing our Cybersecurity Law blog

Readers of the Financial Services Law blog are invited to visit our newly launched Cybersecurity Law blog, an online resource featuring news, information and legal analysis on current cybersecurity and data breach issues. Articles and posts, authored by Bricker & Eckler attorneys, share in-depth insights and legal implications on topics that have both local and global significance.

We encourage you to subscribe to the blog via FeedBurner to have frequent updates sent directly to your inbox. Additionally, be sure to visit the blog and bookmark the site for easy reference. 

Compliance Management, Consumer Lending and Services, Depository Institutions, Fair Lending, Federal Regulatory, Legal Developments, Non-Depository Institutions, State Regulatory

Who are your bedfellows, and why? The CFPB wants to know

Last week, Bricker & Eckler had the opportunity to speak at the annual conference of the American Association of Residential Mortgage Regulators (AARMR). Most of the regulators and many mortgage lenders were in attendance. The subject was intended to be compliance standards in digital marketing; however, during the question and answer session, the subject quickly changed to questions about the legality of marketing service agreements (MSAs).

Several companies made a big splash last week when they publicly announced that they would no longer allow MSAs, given the Consumer Financial Protection Bureau’s (CFPB) recent actions related to the Real Estate Settlement Procedures Act (RESPA). Thus, the issue of how to craft a lawful MSA that can withstand regulatory scrutiny is on everyone’s mind.

MSAs are often forced upon lenders by unscrupulous real estate agents and brokers, as MSAs are the key to making more money without having to even sell a house. It goes something like this: “Pay me money, and I will refer business to you. I know there is a law that prevents this, but let’s create a way to get around that law. If not, I’ll do business with a lender that will....”

This point was brought home by the National Association of Realtors’ D.A.N.G.E.R. Report. The report speaks to “marginal agents destroy[ing] reputations” through unethical conduct and poor training. How perceptive! Real estate brokers putting lenders in situations where they are forced to “pay to play” is one of those unethical issues that create headaches for all lenders, large and small. Real estate agents insisting on expedited closings and ignoring RESPA and Truth in Lending Act (TILA) timing requirements is another issue that plagues lenders.

A lender’s compliance management program is supposed to provide oversight of these issues. But it is virtually impossible for a financial institution to know everything that may be a factor in its employees’ efforts to obtain business or close a loan. These dangers will be even more problematic after October 3, 2015, when the TILA-RESPA Integrated Disclosure (TRID) becomes effective.

Back to the question: Is a mass exodus from MSAs necessary in order to be RESPA-compliant? Probably not. Is it time for lenders to review the rationale behind MSAs and update policies, procedures, agreements and codes of conduct? Absolutely. The time is now, and there truly is urgency to perform an immediate and thorough evaluation of marketing agreements. For some companies, the risk analysis and review may help determine that MSAs should be forbidden. For other companies, the facts and methods of documenting marketing services may be found to be compliant and safe.

The evaluation of these issues resides in the need for robust compliance efforts for RESPA, TILA, licensing and vendor management and control. So, the answer to the uncertainties of MSAs really resides in the details about how and why a financial institution may find itself “in bed” with a real estate firm. Now is the time to think and to act.

Consumer Financial Protection Bureau, Depository Institutions, Federal Regulatory

Are you ready? Here come the new Ohio Mortgage Broker Act rules

Lenders of all sizes should take notice: Ohio’s rules are about to change. The Ohio Division of Financial Institutions (DFI) filed the final version of the Ohio Mortgage Broker Act (OMBA) rules on July 20, 2015. The new rules will become effective on January 4, 2016.

This should give mortgage brokers, mortgage bankers, credit union service organizations, loan originators and third-party processors and underwriters adequate time to make the operational changes necessary for compliance. Many of the changes were made in order to meet the minimum standards set by the Secure and Fair Enforcement for Mortgage Licensing Act of 2008. Here are just a few of the highlights:

  • Third-party processing and underwriting companies and nonprofit organizations will be able to apply for a letter of exemption beginning around November 1.
  • Mortgage bankers will be able to originate USDA loans and Federal Home Loan Bank of Cincinnati loans under the authority of their letters of exemption.
  • Registrants and licensees will be allowed to place their NMLS numbers on advertisements in lieu of their Ohio numbers.
  • There will be no separate test to become an operations manager.
  • DFI will be able to accept some federal forms in lieu of similar state forms.
  • No fines or make-up courses will be required for continuing education violations that occurred before 2010.
  • New objective and specific criteria will be used to evaluate an individual’s financial responsibility to be a loan originator.

Deputy Superintendent Bob Niemi and members of DFI will entertain questions about the new rules during a panel discussion at the Midwest Financial Services Regulatory and Compliance Conference on August 20, 2015, in Columbus, Ohio. A booklet containing the new OMBA rules will be available at the conference. This event will feature many engaging speakers on a variety of hot topics, including Richard Cordray, director of the Consumer Financial Protection Bureau. For more information or to register, click here.

For more information, please contact Jackie Mallett at 614.227.4816.

Depository Institutions, Ohio Division of Financial Institutions, State Regulatory