This survey summarizes several recent developments affecting bank deposits and payment systems. These include amendments to regulations of the Federal Deposit Insurance Corporation (“FDIC”) concerning brokered deposits, changes to fraud screening requirements for electronically authorized debits to consumer accounts issued by Nacha, and payments-related consent orders and enforcement actions by the Consumer Financial Protection Bureau (“CFPB”) and the Federal Trade Commission (“FTC”).
In a final rule published in January 2021, the FDIC amended its brokered deposit regulations to modernize its approach in response to technological innovations in the banking industry.
The FDIC’s brokered deposit regulations implement Section 29 of the Federal Deposit Insurance Act (“Section 29”), which was enacted as part of the Financial Institutions Reform, Recovery, and Enforcement Act of 1989. In the final rule amending the brokered deposit regulations (“Final Rule”), the FDIC sought to enact what it characterized as “a new framework that reflects technological and other changes in the banking industry over the past three decades” that still remains “consistent” with the Federal Deposit Insurance Act.
The Final Rule revises the definition of “deposit broker” to expand upon the term’s statutory definition. Section 29 defines “deposit broker” to include “any person engaged in the business of placing deposits, or facilitating the placement of deposits, of third parties with insured depository institutions or the business of placing deposits with insured depository institutions for the purpose of selling interests in those deposits to third parties[.]” As the FDIC noted in the Final Rule, the prior version of the brokered deposit regulations closely conformed to the statutory definition. Under the Final Rule, however, the FDIC set forth a four-part definition of “deposit broker” to provide greater clarity to industry participants. Under the revised deposit broker regulations, a “deposit broker” may include:
(A) Any person engaged in the business of placing deposits of third parties with insured depository institutions; (B) Any person engaged in the business of facilitating the placement of deposits of third parties with insured depository institutions; (C) Any person engaged in the business of placing deposits with insured depository institutions for the purpose of selling those deposits or interests in those deposits to third parties; and (D) An agent or trustee who establishes a deposit account to facilitate a business arrangement with an insured depository institution to use the proceeds of the account to fund a prearranged loan.
The revised regulations further clarify that “[a] person is engaged in the business of placing deposits of third parties if that person receives third party funds and deposits those funds at more than one insured depository institution.” Similarly, “[a] person is engaged in the business of facilitating the placement of deposits” when they do so with respect to deposits “at more than one insured depository institution.”
As noted in the preamble to the Final Rule, the “facilitation” prong of the definition does not relate to activities where the relevant person places deposits “on behalf of its customers with insured depository institutions.” Instead, the FDIC stated that facilitation results from a person “[h]aving a certain level of influence over account opening, or retaining a level of control over the movement of customer funds after the account is open.” Accordingly, under the Final Rule, a person “is engaged in the business of facilitating the payment of deposits” if the person “has legal authority” to close the account and transfer its funds, is “involved in negotiating or setting rates, fees, terms, or conditions” for the account, or “engages in matchmaking activities.” The Final Rule further elaborates that “matchmaking activities” occur when a person “proposes deposit allocations at, or between, more than one bank based upon both the particular deposit objectives of a specific depositor or depositor’s agent, and the particular deposit objectives of specific banks[.]” Matchmaking activities do not, however, include “deposits placed by a depositor’s agent with a bank affiliated with the depositor’s agent.” The FDIC noted in the preamble that it considered services by an affiliated intermediary to be “administrative in nature” because of “the direct relationship between the person placing the deposits and the bank.” By contrast, deposits directly placed by affiliated third parties otherwise meeting the definition of “deposit broker” would not qualify for this exemption.
The Final Rule expands the “primary purpose exception” by codifying and clarifying certain FDIC agency guidance that had been issued following the enactment of Section 29. Section 29 provides that the term “deposit broker” does not include “an agent or nominee whose primary purpose is not the placement of funds with depository institutions.” The Final Rule essentially restates this statutory provision, but also outlines thirteen “[b]usiness relationships . . . designated as meeting the primary purpose exception[.]” The FDIC noted in the Final Rule that several of its staff advisory opinions “interpreted the primary purpose exception as applying to certain third parties engaged in certain business arrangements.” Accordingly, the FDIC in the Final Rule sought “to streamline the process for determining whether an agent or nominee meets the primary purpose exception” by incorporating some arrangements that it previously approved in advisory opinions as part of a “bright-line test for the exception.”
Some designated business exceptions, but not all, require the person seeking an exception to provide notice to the FDIC. The FDIC created two new exceptions to the “deposit broker” definition. The first exception applies when “[l]ess than 25 percent of the total assets” of an agent’s assets under administration are placed with depository institution. The second exception applies when agents place deposits in “transactional accounts that do not pay any fees, interest, or other remuneration to the depositor[.]” A person seeking either of these exceptions “must notify the FDIC through a written notice that the third party will rely upon” the applicable exception. Eleven other exceptions enumerated in the Final Rule would not require notice to the FDIC, however. These exceptions relate to property management services, cross-border clearing services, mortgage servicing, title company services, “like-kind” exchanges of property, funds placed by broker-dealers or futures commission for required reserves, collateral to secure credit card loans, health savings accounts, tax-deferred tuition savings programs, tax-advantaged retirement accounts, and funds to be delivered to government program beneficiaries. Finally, persons that meet the “deposit broker” definition, but do not qualify for a designated exception, may submit an application to the FDIC for determination of whether the person’s “primary purpose” is the placement or facilitation of placement of deposits.
The Final Rule took effect on April 1, 2021, and full compliance with the revised brokered deposit regulations was required on January 1, 2022.
In November 2018, Nacha (formerly known as the National Clearing House Association) amended its rules concerning fraud prevention requirements for electronically authorized debits to consumer deposit accounts. Such automated clearing house (“ACH”) payments are given the standard entry class (SEC) code “WEB” and are known under the Nacha Operating Rules as “WEB Debit Entries.”
Prior to adoption of the WEB Debit Rule, the Nacha Operating Rules required Originators of WEB Debit Entries (i.e., the payees who initiate such payments with the consumer’s authorization) to establish and implement commercially reasonable (A) fraudulent transaction detection systems to screen WEB Debit Entries; (B) methods of authentication to verify the identity of the Receiver (the depositor of the consumer deposit account that will be debited) of a WEB Debit Entry; and (C) procedures to verify that the routing number used in the WEB Debit Entry is valid.
The WEB Debit Rule amended this rule to explicitly identify account validation as a required part of an Originator’s “commercially reasonable fraudulent transaction detection system.” While the Nacha Operating Rules do not define “validate,” additional guidance posted to Nacha’s website clarifies the meaning of “validate”:
At a minimum, the Originator must use a commercially reasonable means to determine that the account number to be used for the WEB debit is for a valid account—that is, that the account to be used is a legitimate, open account to which ACH entries may be posted at the [consumer’s bank].
The rule change does not require Originators to validate that the consumer who authorizes the payment is the owner or an authorized user of the account.
The Web Debit FAQs provide the following examples of methods one could use to satisfy the validation requirement:
The account validation rule was originally scheduled to become effective on January 1, 2020, but Nacha postponed the effective date until March 19, 2021. The WEB Debit FAQs state that “[a]s of the effective date, originating WEB debit entries with first use of new account numbers would not be in compliance with the Rule if the fraudulent transaction detection system does not include an account validation component.” However, Nacha issued additional guidance which states that due to the impact of COVID-19 on organizations’ staffing and resources, “Nacha will not enforce this rule for an additional year from the effective date with respect to covered entities that are working in good faith toward compliance, but that require additional time to implement solutions.”
In March 2021, the CFPB filed a complaint in the U.S. District Court for the Northern District of Illinois against BrightSpeed Solutions, Inc. and its former CEO Kevin Howard. The complaint alleged that BrightSpeed acted as a third-party payment processor for certain “high-risk” telemarketing businesses, and processed remotely created checks for such businesses. The FTC’s Telemarketing Sales Rule prohibits telemarketers from creating remotely created payment orders, including remotely created checks, and prohibits any person from providing substantial assistance or support to any telemarketer when that person “knows or consciously avoids knowing” that the telemarketer is engaged in any act or practice that violates that prohibition. The complaint alleged that BrightSpeed and Howard violated the Telemarketing Sales Rule and by doing so, committed unfair acts and practices in violation of section 1031 of the Consumer Financial Protection Act (“CFPA”). While the defendants negotiated a settlement in principle with the CFPB in June 2021, they could not raise the funds necessary to implement it, so the matter remains pending as of this writing.
In December 2020, Omni Financial of Nevada, Inc. entered into an administrative consent order with the CFPB regarding installment loan repayment practices. The CFPB found that Omni violated the Military Lending Act by requiring repayment of loans to members of the military by military allotment. The CFPB also found that Omni violated the Electronic Fund Transfer Act’s (“EFTA”) prohibition against requiring that consumers preauthorize electronic fund transfers as a condition of receiving credit. The CFPB further found that the violations of the EFTA constituted violations of the CFPA. The consent order required Omni to pay a $2.175 million civil money penalty and imposed injunctive relief to stop ongoing violations and prevent future violations.
On December 22, 2020, Discover Bank, The Student Loan Corporation, and Discover Products, Inc. entered into an administrative consent order with the CFPB concerning student loan servicing practices. Among many other violations of law not addressed here, the CFPB found that the respondents withdrew automatic payments on student loans without proper authorization by withdrawing higher amounts than specified in billing statements, not providing advance notice to consumers of the amount to be withdrawn, and withdrawing the same payments twice. In addition, the CFPB found that the respondents cancelled or failed to withdraw automatic payments without notice to consumers. The CFPB found these practices to be unfair acts and practices in violation of the CFPA and violations of the EFTA and Regulation E. The CFPB also found that the EFTA violations also constituted a violation of section 1036(a)(1)(A) of the CFPA.
The consent order requires the respondents to pay at least $10 million in consumer redress and a $25 million civil money penalty and contains requirements to prevent future violations.
On December 21, 2020, Envios de Valores La Nacional Corp. (“La Nacional”) entered into an administrative consent order with the CFPB. The CFPB found that La Nacional violated the EFTA and the CFPB’s Remittance Transfer Rule by failing to properly honor cancellation requests, failing to develop and maintain required policies and procedures for error resolution, failing to investigate and make error determinations, failing to provide consumers with written reports of its investigation findings, failing to refund certain fees and taxes, failing to treat international bill pay services as remittance transfers, failing to disclose the appropriate currency on prepayment disclosures and receipts, failing to use the term “transfer fees” or a substantially similar term in certain disclosures, and issuing receipts that failed to disclose the date on which remittance transfers would be available for pick-up.
The consent order requires La Nacional to adopt a compliance plan to ensure that its remittance transfer acts and practices comply with all applicable federal consumer financial laws and the consent order. The order also requires La Nacional to pay a civil money penalty of $750,000.
As discussed in a previous Annual Survey, the FTC filed suit against LendingClub Corporation in April 2018 for, among other things, initiating unauthorized ACH payments. In July 2021, LendingClub entered into a consent order with the FTC to resolve all matters in the action. Under the consent order, LendingClub has agreed to pay $18 million as equitable monetary relief.
