Banks' Federal Regulators Update COVID-19 CRA Guidance
By Aaron Kouhoupt, McGlinchey Stafford, PLLC
On March 8, 2021, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency (the "Agencies"), updated their earlier guidance for Community Reinvestment Act ("CRA") considerations in response to the coronavirus pandemic. The update includes five new FAQs that are designed to clarify how a financial institution's response to COVID-19 should be analyzed during a CRA examination.
First, the Agencies clarified that the following activities are not eligible for CRA consideration:
- Processing and servicing activities for Paycheck Protection Program ("PPP") loans originated by the institution
- Any PPP loans rescinded or returned under the Small Business Administration's safe harbor
- Allowing a low- or moderate-income (“LMI”) individual to make withdrawals from an IRA, as allowed by the CARES Act, or to draw on a home equity line of credit ("HELOC") during the draw period
Next, the Agencies clarified activities that are eligible for CRA consideration:
- PPP loan programs will be considered when evaluating flexible or innovative lending programs
- PPP loans of over $1 million that are made in LMI geographies or in distressed or underserved metropolitan middle-income geographies will be considered
- Waiving of ATM, savings withdrawal, overdraft fees, and early withdrawal penalties for certificates of deposit, are cited as examples of retail services responsive to the needs of LMI individuals
- Allowing LMI individuals to draw from HELOCs, even though the HELOCs are in a repayment period, may be considered a "flexible lending practice" and receive consideration
Finally, in recognition of the limitations of in-person opportunities due to the pandemic, the Agencies announced a willingness to give CRA consideration to services offered virtually if the services relate to providing financial services and have the primary purpose of community development. Examples include financial literacy programs or first time home buyer education sessions targeted to LMI individuals.
These FAQ's provide valuable insight for consideration by institutions when considering CRA activities. CRA examinations are crucial, carrying the potential of severe penalties, including substantive business restrictions, for failure to receive a "satisfactory" rating. Understanding which activities qualify, and – as importantly – which do not qualify for credit is an important aspect of overall CRA compliance.
A Deluge of Private Flood Insurance Q & A’s
By Emily Honsa Hicks, McGlinchey Stafford PLLC
Delivering on the commitment made in the July 2020 Proposed Questions and Answers to the Private Flood Insurance Final Rule, the Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Farm Credit Administration, and National Credit Union Administration (the “Agencies”), have drafted 24 new questions and answers about the Private Flood Insurance Rule. The Notice and Request for Comment was published in the Federal Register on March 18, 2021, and comments on the proposal must be submitted within 60 days of that date.
The new proposed questions and answers surrounding the acceptance of flood insurance policies issued by private insurers would be added to the existing Interagency Questions and Answers, which are widely used by the lending industry to address compliance issues. They fall within three broad categories— 9 questions surrounding mandatory acceptance, 4 questions surrounding discretionary acceptance, and 11 questions surrounding general compliance.
- The answer to Current Q&A 2 would be expanded to state that a lender may, at its discretion and subject to applicable State law, require flood insurance for property outside of Special Flood Hazard Areas for risk management purposes as a condition of a loan being made.
- Proposed new Q&A Applicability 11 would clarify that an automatic extension of a credit facility agreed upon by borrower and lender in the original loan agreement would not constitute a triggering event.
- A number of proposed new Q&A’s surround detached structures.
- Proposed new Q&A Coverage 3 would explain that mandatory flood insurance on a designated loan needs to be in place on the closing date.
- If adopted, the reorganization and renumbering of the questions may affect existing citations or references in documents.
BSA/AML Examination Manual Updates
By Ross Benson and Aaron Kouhoupt, McGlinchey Stafford, PLLC
On February 25, 2021 the FFIEC updated the Bank Secrecy Act/Anti-Money Laundering Examination Manual (“Manual”) to include one new section and revisions to three others. The update emphasizes the need for examiners to utilize a risk based, institution specific approach when examining institutions.
First, the Manual contains a new introduction, “Assessing Compliance with BSA Regulatory Requirements.” This section instructs examiners to undertake a risk based approach to determine whether any other specific Bank Secrecy Act (“BSA”) requirements should be reviewed in addition to a review of an institution's BSA/AML program. This testing should scrutinize the institution's actual practices and not focus solely on its written policies and procedures. “Other” requirements to consider may include, for example, reporting or recordkeeping requirements involving the BSA.
In addition, the FFIEC updated the Manual's Customer Identification Program (“CIP”), Currency Transaction Reporting (“CTR”), and CTR Exemption sections. These revised sections instruct examiners to specifically determine whether an institution's internal controls are designed to mitigate and manage money laundering and other illicit activity risks. To this end, the Manual underscores the importance of compliance with CIP requirements. However, it reiterates that isolated or technical violations of the CIP rule, or minor deviations from CIP policies, procedures, or processes should not automatically result in a finding that a covered financial institution has an inadequate CIP program. Furthermore, examiners are instructed to review how an institution utilizes its internal controls to comply with CTR requirements. For example, examiners should consider concepts such as dual control and segregation of duties as they relate to an institution's CTR and CTR Exemption obligations. Moreover, the examiner should factor in the overall size and complexity of the institution's organizational structure as part of their examination process.
Although these updates do not impose new BSA/AML obligations, they provide a useful roadmap for institutions to follow when reviewing their BSA/AML programs. Institutions need to carefully review their programs to ensure the risk posture, policies, practices, controls, and risk assessments are adequately developed, tested commensurate with the size and complexity of the institution to ensure compliance.
Federal Reserve Board Issues Supervisory Guidance on Board of Directors’ Effectiveness
By Martha Mahoney, McGlinchey Stafford, PLLC
On February 26, 2021, the Board of Governors of the Federal Reserve System issued Supervisory Guidance (SR 21-3/CA 21-1), establishing effectiveness standards for boards of directors (“boards”) of large financial institutions (“firms”).
The guidance (“SR 21-3”) focuses on a board’s performance of its core responsibilities in describing the following five (5) key attributes of an effective board:
- Sets clear, aligned, and consistent direction regarding the firm’s strategy and risk appetite.
- Directs senior management to provide directors with information that is sufficient in scope, detail, and analysis to enable the board to make sound, well-informed decisions and consider potential risks.
- Oversees and holds senior management accountable for effectively implementing the firm’s strategy, consistent with its risk appetite, while maintaining an effective risk management framework and system of internal controls.
- Through its risk and audit committees, assesses and supports the stature and independence of the firm’s independent risk management and internal audit functions.
- Considers whether the board’s composition, governance structure, and practices support the firm’s safety and soundness and the ability to promote compliance with laws and regulations, based on factors such as the firm’s asset size, complexity, scope of operations, risk profile, and other changes that occur over time.
The Federal Reserve Board intends to use SR 21-3 in informing its assessment of the governance and controls at all firms subject to the large financial institution rating system.
SR 21-3 applies to all domestic bank holding companies and savings and loan holding companies with total consolidated assets of $100 billion or more (excluding U.S. intermediate holding companies of foreign banking organizations established pursuant to the Federal Reserve’s Regulation YY), and systemically important nonbank financial companies designated by the Financial Stability Oversight Council for supervision by the Federal Reserve.
CFPB Rescinds Policy Statement on Abusive Acts or Practices
By Eric Mogilnicki and Uttara Dukkipati, Covington & Burling LLP
On March 11, 2021, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) rescinded a policy statement on the meaning and enforcement of the prohibition on “abusive” acts and practices in the Dodd-Frank Act. The January 2020 “Statement of Policy Regarding Prohibition on Abusive Acts or Practices” had expressed the Bureau’s view that the “abusive” prohibition should be used sparingly, and not serve as the basis for civil money penalties where there has been a good faith effort to comply with the law. The new statement states that the prior policy was “inconsistent with the bureau’s duty to enforce Congress’s standard” and “undermined deterrence,” and that rescinding the policy “will better serve the CFPB’s objective to protect consumers from abusive practices.” This decision was “[b]ased on its review of, and experience applying, the Policy Statement.” The press release accompanying the rescission explained the Bureau will consider “good faith, company size and all other factors it typically considers as it uses its prosecutorial discretion.”
CFPB Issues Rule Clarifying ECOA’s Prohibition of Sex-Based Discrimination
By Eric Mogilnicki and Lucy Bartholomew, Covington & Burling LLP
On March 9, 2021, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) issued an interpretive rule clarifying that the Equal Opportunity Credit Act (“ECOA”) and its implementing regulation, Regulation B, prohibit discrimination based on sexual orientation and gender identity. The CFPB made clear that this prohibition also extends to “actual or perceived nonconformity with traditional sex- or gender-based stereotypes, and discrimination based on an applicant’s social or other association.” Specifically, the Bureau found that, under ECOA and Regulation B:
- (1) “sexual orientation discrimination and gender identity discrimination necessarily involve consideration of sex”;
- (2) “an applicant’s sex must be a ‘but for’ cause of the injury, but need not be the only cause”; and
- (3) “discrimination against individuals, and not merely against groups, is covered.”
Bureau Proposes Delay of QM Rule Until Late 2022
By Eric Mogilnicki and Graves Lee, Covington & Burling LLP
On March 3, 2021, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) released a Notice of Proposed Rulemaking that would delay the compliance date of a December 2020 final rule on qualified mortgages under Regulation Z’s Ability-to-Repay/Qualified Mortgage Rule (“QM Rule”). The QM Rule generally requires lenders to make a reasonable, good faith estimate of a borrower’s ability to repay a residential mortgage loan according to its terms. However, lenders extending loans that are “Qualified Mortgages” (“QMs”) under the Rule enjoy certain protections from liability. The Bureau’s December 2020 final rule made a number of amendments to the definition of a General QM, which is one class of QMs. The final rule took effect on March 1, 2021, and provides for a compliance date of July 1, 2021. However, under this proposal, the Bureau would delay compliance for the final rule until October 1, 2022. In its press release announcing the proposal, Bureau Acting Director David Uejio pointed to the financial impacts of the pandemic on homeowners and stated that “[a]t a time when so many consumers are struggling and at risk of losing ground, particularly Black and Hispanic consumers, we need to do all we can to help people stay in their homes and to ensure the availability of responsible, affordable mortgages.” Comments on the proposal are due April 5, 2021.
Illinois Enacts "All-in" APR Calculation and 36% Rate Limitation, Repeal of Small Consumer Loans
By Daniel J. Laudicina, Hudson Cook, LLP
On March 23, 2021, Illinois Governor Pritzker signed S1792, which includes the Illinois Predatory Loan Prevention Act, into law. The new law imposes sweeping changes to the rate authority on consumer purpose transactions subject to Illinois law. In particular, the law limits rates on "loans" (as that term is defined by the Predatory Loan Prevention Act) to 36% and requires creditors to calculate the APR using the military APR calculation required under federal law. Any loan violating the rate cap is null and void and the lender will have no right to collect, attempt to collect, receive, or retain any principal, fee, interest, or charges related to the loan.
The law broadly defines "loan" to mean "money or credit provided to a consumer in exchange for the consumer's agreement to a certain set of terms, including, but not limited to, any finance charges, interest, or other conditions." The term "loan" expressly includes closed-end and open-end credit, retail installment sales contracts, motor vehicle retail installment sales contracts, and any transaction conducted via any medium whatsoever, including, but not limited to, paper, facsimile, Internet, or telephone. The law expressly excludes commercial loans from coverage.
Banks, savings banks, savings and loan associations, and credit unions chartered under the laws of the United States are exempt from the rate limitations. However, the law states that it applies to the person who holds, acquires, or maintains, directly or indirectly, the predominant economic interest in the loan. The law also applies to any person or entity who markets, brokers, arranges, or facilitates the loan and holds the right, requirement, or first right of refusal to purchase loans, receivables, or interests in the loans. Finally, the law applies to any person or entity where the totality of the circumstances indicate that the person or entity is the lender and the transaction is structured to evade the requirements of the law.
Illinois also repealed provisions of the Consumer Installment Loan Act that authorized and regulated so called "small consumer loans" (loans of $4,000 or less with APRs in excess of 36%). Illinois law no longer authorizes these loans. In addition, the new law repealed authority under the Consumer Installment Loan Act for lenders to charge a documentary fee of $25 on each loan. Consumer Installment Loan Act lenders are no longer permitted to charge documentary fees or any other prepaid finance charges in connection with loans made under the Consumer Installment Loan Act.
These changes to the law are effective immediately. However, the new law applies only to loans made or renewed on and after the effective date. Loans made in accordance with Illinois law in effect prior to these changes remain valid.
California Office of Administrative Law Approves Revisions to CCPA Regulations
By Webb McArthur, Hudson Cook, LLP
On March 15, 2021, the Office of the Attorney General of California announced that the California Office of Administrative Law approved revisions to the California Consumer Privacy Act regulations. The revisions include the following changes, effective immediately:
- Providing Notice of Right to Opt Out Offline. A business selling personal information collected from consumers in the course of interacting with consumers offline must inform consumers of their right to opt out of the sale of their personal information by an offline method. The revisions provide illustrative examples of such offline notice.
- Use of Opt-Out Button. Businesses are allowed to use a unique button that would allow consumers to opt out of the sale of their personal information. The button is to be used in addition to, and not in lieu of, posting the notice of right to opt out. Where a business posts a "Do Not Sell My Personal Information" link, the button would need to be placed to the left of that link. Further, the button itself would need to link to the same website that the "Do Not Sell My Personal Information" link targets.
- Providing Opt-Out Methods that are Easy and Require Minimal Steps. Business' opt-out methods must be easy for consumers to execute and involve minimal steps. The revisions add illustrative examples, including that the method take no more steps than an opt-in process, that consumers may not be required to click through reasons why not to submit an opt-out request, and that consumers should not be required to scroll through certain material before locating the opt-out mechanism.
- Requesting Proof of Authorized Agency. A business may require an authorized agent to provide proof of its agency and permit the business to request information from the consumer.
The CCPA provides California residents with certain rights with regard to their personal information and imposes related requirements on certain businesses in California. Regulated businesses should consult the current and complete text of the law and regulations. Additional information on the CCPA and the regulations is provided on the OAG's website.
Virginia Governor Signs Nation's Second Comprehensive Consumer Data Privacy Law
By Chris Capurso & Webb McArthur, Hudson Cook, LLP
On March 2, 2021, Governor Ralph Northam signed into law the Virginia Consumer Data Protection Act ("VCDPA"). By enacting the VCDPA, Virginia becomes the second state nationwide to implement a comprehensive consumer data privacy law, after California with the California Consumer Privacy Act ("CCPA"). While the VCDPA is similar to the CCPA in many respects, the law has a different scope and different obligations. Accordingly, impacted businesses must review the VCDPA’s coverage and exemptions carefully, and, if subject to the VCDPA, will need to set up different business rules to comply with this new law. The VCDPA will become effective on January 1, 2023.
Under the VCDPA, consumers have the following rights:
- to confirm whether or not a controller is processing personal data;
- to access their personal data;
- to correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes for processing the personal data;
- to delete personal data provided by or obtained about them;
- to obtain a portable copy of personal data that they previously provided to the controller; and
- to opt out of the processing of personal data for (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
The VCDPA imposes different obligations depending on whether the business is a controller (the person that determines the purpose and means of processing personal data) or a processor (the entity processing personal data on behalf of the controller). Therefore, a business will need to analyze whether it is acting as a controller or a processor when engaging in any personal data processing.
The Virginia attorney general has exclusive authority to enforce the VCDPA. The attorney general may seek civil penalties of up to $7,500 for each violation of the VCDPA, in addition to injunctive relief.