Change is the only constant and banks’ processes must be fine-tuned to detect all that happens in a rapidly-transforming regulatory environment.
by Carl Pry, CRCM, CRPTrying to predict what will happen in the banking compliance world is always a fool’s errand. You never know for sure what’s going to happen—could anyone have predicted the failures of three larger banks in 2023 and the resulting attention on liquidity and FDIC insurance, for example? Life in general is unpredictable, but fortunately in the compliance world we have a few fairly reliable indicators we can monitor to take an educated guess at upcoming events, such as regulatory agendas and announcements. As well, the agencies these days (to their credit) are more transparent in what they see as important (artificial intelligence and algorithms, cryptocurrency, fair lending, and fees, to name but a few), so we can safely count on additional guidance, commentary and perhaps new rules and regulations to be issued in these areas.
Hurry up and wait
We are currently in a time where a few rules and issues are uncertain because of ongoing litigation. We’re all awaiting the U.S. Supreme Court’s ruling on the funding structure of the Consumer Financial Protection Bureau (CFPB), which is expected sometime in the summer. More relevant to our attention is a potential delay, until after the Court’s ruling, of the requirements of the CFPB’s Small Business Lending Data Collection final rule in Regulation B (from Dodd-Frank Act Section 1071), and whether there will be any changes to the rule. At this point it is unknown when and what will happen, but it is highly unlikely that the rule will go away entirely. The implementation date has been pushed back (although we don’t yet know how far), and/or some data fields required by the rule may change, but banks would be wise to use any additional time to continue to plan how they will comply, both from an operational and technological perspective, as well as dealing with the cultural changes the rule will unleash. Any extra time can also be used to evaluate what the first year of data shows.
Similarly, there is uncertainty surrounding the CFPB’s 2022 revisions to its Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) examination procedures, which assert that the CFPB can use “unfairness” to prohibit discrimination across all bank operations. Depending on how ongoing litigation on this issue turns out, banks may have to start planning for examinations where their decision-making processes outside of lending are evaluated to consider who is impacted (or excluded altogether). There are additional issues to be worked out here, including how “discrimination” will be defined and how the standard will be enforced (among many others). But for now, we’re in a holding pattern.
Preparing for new final rules already issued
Primary in this category is the long-awaited update to Community Reinvestment Act (CRA) regulations issued this past October. The new rules mean big changes for banks classified as large banks (meaning $2 billion or more in assets), while intermediate-sized banks (from $600 million to less than $2 billion) will see more moderate changes to their CRA compliance efforts. Small banks (less than $600 million) would see practically no changes at all unless they opt in to some of the new requirements. While the rule’s effective date is likely to be in early or mid-2024, compliance will be required beginning in 2026, with data reporting requirements (for those banks that fall under those requirements) at the beginning of 2027. That’s not far away when considering the magnitude of the changes the new regulation imposes. There will likely be more information coming from the agencies to help us figure out all the intricacies of the new rule, but affected banks should already be planning for the changes.
Awaiting new rules
While there were relatively few new final rules issued in 2023 (again looking at you, CRA), there were a number of proposals and pre-proposal activities issued where further advancement is expected in 2024. This means our change management processes must be on full alert to make sure we are aware of what changes and when, and to determine the applicability to the bank of any new rules or guidance. Among the regulations and guidance on which we should see movement in 2024:
Open banking rule. In October 2023 the CFPB issued a proposed rule under Dodd-Frank Act Section 1033 to facilitate what it calls “open banking,” which would give consumers more control over their financial data, and would offer protections against companies misusing consumer data. Some form of a final regulation is expected in 2024. The rule will ensure consumers can obtain their personal financial data from their bank (likely at no cost—see the later discussion on fees in general), as well as providing consumers with a legal right to grant third parties access to information associated with their credit card, checking, prepaid, and digital wallet accounts.
There are a number of issues that must be addressed in a final regulation, including the precise definition of the types of entities and information covered, how covered data will be provided to consumers and third parties, how shared data can be used, and whether there are any meaningful exceptions. But in any case, banks will need all the time they can get to determine what they must make available and how, as well as what disclosure of information will mean to consumers. For example, will customers question why you have the data you are providing to them, and what you’ve been doing with it? And will customers use the data to take their deposits elsewhere?
Fair Credit Reporting Act changes. In September 2023, the CFPB announced it will start a rulemaking process to significantly expand the reach of the Fair Credit Reporting Act (FCRA). This has been long anticipated; it has been clear from CFPB pronouncements over the last few years that the bureau feels strongly that increased regulation is needed in this area, and we will soon see what they have in mind. One issue likely to become part of the revised regulation is a mandate that consumer reporting agencies remove medical bills from credit reports. While current rules allow banks to obtain and use medical information in certain circumstances, new amendments are likely to entirely prohibit creditors from considering medical bills for underwriting decisions, among other things.
Even more expansive changes are in store. The bureau is considering broadening the definition of “consumer reporting agency” to encompass data brokers and “consumer report” to include consumer-identifying information (such as name, address, social security number, etc.), which could ultimately limit the disclosure or sale of this data without a permissible purpose. At the heart of this is the definition of so-called “data brokers”—meaning firms that sell or share reports containing consumers’ payment history, income, criminal records, and possibly consumer-identifying information—as consumer reporting agencies themselves. Other possibilities include strengthening the process to obtain a consumer’s written permission to obtain a credit report; narrowing the definition of “legitimate business need,” the FCRA’s catch-all permissible purpose to use consumer report information; and determining that certain types of targeted marketing activities that do not directly share information with a third party are subject to the FCRA, and that marketing is not a permissible purpose for using consumer report information.
While we’re not likely to see final regulations in 2024, we can expect to see a proposed rule. We’ll then have a clearer idea of what the new requirements will mean, but until then it’s a good idea to do an inventory of the types of information (including consumer-identifying information) received from third parties (credit bureaus or otherwise), and nail down exactly what’s done with that data. That way, it will be easier to determine what new restrictions may apply to those practices.
Customer due diligence rules under the Bank Secrecy Act. FinCEN’s rulemaking process under the Anti-Money Laundering Improvement Act of 2020, including the Corporate Transparency Act (CTA), has been a slow-moving story. At first, we all were excited about the possibility that the CDD rule (that became effective in 2018), requiring financial institutions to determine any beneficial owners and control persons of business customers, might somehow go away, to be replaced by a process where businesses report their information directly to the federal government. But alas, that doesn’t seem to be in the cards; rather, it appears we’ll have some sort of parallel process where businesses are required to report their information to a government database, and financial institutions will still need to collect information from their customers to satisfy CDD rule obligations. In the future, banks will have some form of access to that database to compare against the information they’ve collected.
The first piece of this puzzle was finalized in late 2022. A final rule was issued pursuant to the CTA establishing the beneficial owner reporting requirement for “reporting companies.” The rule became effective on Jan. 1, 2024. Companies created in 2024 have 90 days after creation to submit their beneficial owner Information, or BOI, report to FinCEN. Companies created in 2025 or after have 30 days after creation to submit their BOI report to FinCEN. For companies created before 2024, reporting is required by Jan. 1, 2025. Commercial customers may not be aware of these new requirements, and those that are aware of the requirements may need some assistance understanding what the requirements are and how to submit the required form.
We’re now waiting for the other shoe to drop. We have the final reporting rule but the CTA also requires FinCEN to revise the CDD rule. We’re waiting for FinCEN to propose revisions to the CDD rule to explain the interplay between the reporting rule requirement and how banks would utilize this information to comply with their CDD responsibilities under the BSA. FinCEN has stated that proposed regulations are forthcoming, and sometime in 2024 is the target date for their issuance.
Debit card interchange fees. In October 2023, the Federal Reserve issued a proposal to lower the maximum interchange fee that a large debit card issuer (with at least $10 billion in assets) can receive for a debit card transaction. The rule would also establish a regular process for updating the maximum fee amount every other year going forward. This is the so-called “Durbin Amendment” that was part of the Dodd-Frank Act, and is now the Federal Reserve’s Regulation II.
The Fed says costs incurred by these large debit card issuers have declined dramatically since the rule’s introduction in 2011, yet the fee cap has remained the same. The proposal would lower the cap from its current rate of 21 cents and .05% of the transaction, plus a one-cent fraud prevention adjustment, to 14.4 cents and .04% per transaction, plus a 1.3 cents fraud prevention adjustment. If finalized the change would be effective June 30, 2025. Just as when the original rule was put in place, feedback from the banking industry has been almost universally negative, but yet the rule was put in place anyway. Large debit card issuers should be on the alert to determine whether fee income in this area will be cut even more.
Automated Valuation Model (AVM) rules. Originally mandated by the Dodd-Frank Act, in June 2023 the agencies issued a joint proposal to implement quality control standards concerning AVMs used by mortgage originators and secondary market issuers. The rules will require institutions that engage in certain mortgage-related credit decisions or make securitization determinations to adopt quality control standards (meaning policies, practices, procedures, and controls) to ensure a high level of confidence that estimates produced by AVMs are fair and nondiscriminatory. Lenders will need to protect against data manipulation and avoid conflicts of interest by conducting random sample testing and reviews, as well as ensuring compliance with applicable nondiscrimination laws (such as the Equal Credit Opportunity Act and the Fair Housing Act). This has a strong relation to appraisal bias, but the precise requirement of how to do this (for example, whether this is a direct responsibility of the lender or can be done by the AVM provider or third-party provider) will ideally be delineated in the final regulation, which is expected in 2024.
Reconsideration of value guidance. Keeping with the property valuation theme, in June 2023 the agencies issued proposed interagency guidance relating to reconsideration of value, or ROV, requests for residential real estate valuations. The proposed guidance advises institutions on policies that would afford consumers an opportunity to introduce evidence that was not previously considered in the original appraisal, and addresses deficiencies in such valuations due to errors or omissions, valuation methods, assumptions, or other factors. Of course, bias on the part of the appraiser is a primary concern here, but it is not the only reason an ROV may be requested. In addition, the CFPB has been quite public about its position that consumers should have the ability to question the appraised value of the property.
At this point it is clear that the agencies expect banks to have some sort of ROV process to address concerns on the part of the borrower. But final guidance will ideally provide clearer direction on how ROV requests overlap with appraisal independence requirements, since it is a basic tenet of appraisal compliance that the lending function and appraisal function be independent. How can an ROV request be handled without sacrificing that independence? The proposed guidance provides examples of ROV policies, procedures, control systems, and complaint processes to address deficient valuations; once final guidance is issued, we’ll know more fully how these systems are expected to function.
It is also worthy of mention that in early 2023, HUD Secretary Marcia Fudge announced that HUD is creating a process that people seeking FHA financing can use to request a review of their appraisal if they believe the results may have been affected by racial bias. According to the announcement, this effort “represents the first step to solidify the processes that lenders must follow when a borrower requests a review if concerns arise around unlawful discrimination in residential property valuations.” In addition to providing an example of what this process may look like, a companion proposal provided guidance for obtaining a second appraisal when material deficiencies are documented and the appraiser is unwilling to resolve them.
Credit card penalty fees. In February 2023, the CFPB issued a proposal under Regulation Z to ensure that late fees charged on credit cards are “reasonable and proportional” to the late payment as required under the Credit Card Accountability Responsibility and Disclosure Act of 2009 (CARD Act). Under the proposal, the safe harbor dollar amount for late fees (currently $30) would be lowered to $8 for any missed payment, and the higher safe harbor dollar amount for late fees for subsequent violations of the same type (currently $41) would be eliminated. The automatic annual inflation adjustment for the immunity provision amount would also be eliminated. As well, the maximum late fee amount would be capped at 25 percent of the required minimum payment (the maximum is currently 100 percent).
As expected, these proposed limits were met with pushback from the industry, so it will be interesting to see what the limits eventually are when the final rule is issued, which is expected sometime in 2024. But that might not be the end of additional credit card changes. That same proposal requested comment on “whether the proposed changes should apply to all credit card penalty fees, whether the immunity provision should be eliminated altogether, whether consumers should be granted a 15-day courtesy period, after the due date, before late fees can be assessed, and whether issuers should be required to offer autopay in order to make use of the immunity provision.” We’ll have to see what else the bureau has in mind that will impact the credit card market.
FDIC official sign and advertising statement. In late 2022, the FDIC issued a proposed rule “to modernize the use of the FDIC official sign and advertising statement,” reflecting increased use of “digital channels, such as bank websites and mobile applications, through which depositors are increasingly handling their banking needs.” The changes will also reflect the FDIC’s desire to more clearly differentiate between products that are insured from those that are uninsured. A final regulation is expected to clarify expectations around digital displays of the FDIC advertising statement on websites and mobile apps, including clear notifications on relevant pages where uninsured products are offered.
Mortgage servicing rules. In June 2023, CFPB Director Chopra stated in a blog post that the bureau is considering whether to streamline its mortgage servicing rules, located principally in the Real Estate Settlement Procedures Act (RESPA). This furthers an effort by the bureau, begun in September 2022, where it requested input from the public on mortgage refinance and forbearance standards and sought feedback on ways to reduce risks for borrowers who experience disruptions in their ability to make mortgage payments. Commenters referred to the “paperwork treadmill,” along with other difficulties encountered when trying to secure assistance when in trouble. The bureau stated it “will propose streamlining only if it would promote greater agility on the part of mortgage servicers in responding to future economic shocks while also continuing to ensure they meet their obligations for assisting borrowers promptly and fairly.” Any proposed rule is likely to address servicing fees, credit reporting, and LEP borrowers, among other issues. It will be interesting to see whether it chooses to act by making the process a bit easier for all involved.
Possible changes to construction loan disclosures. Early in 2023, the CFPB sought public comment on possible alternative mortgage disclosures for construction loans, stating a consumer’s understanding of construction loans would be improved if disclosures were more specifically tailored to these types of transactions. This was an acknowledgment that the TILA-RESPA Integrated Disclosure (TRID) rules within Regulation Z are somewhat of a square peg in a round hole when it comes to construction loans. Those banks who make construction loans would surely agree, and would welcome any sort of clarity and/or customization of the forms to address the many peculiarities in construction lending. While nothing seems imminent, it would be a welcome revision to the TRID rules should it happen.
Areas of continued regulatory focus
There are several issues within the banking industry that continue to generate intense interest from the agencies, and there is no reason to suspect this will lessen in 2024. Within this category are the following topics:
Continued intense focus on fair lending issues. While certainly not a new development in compliance circles, certain specific issues continue to have the agencies’ (as well as the Department of Justice’s) full attention now, and will continue into the foreseeable future.
Appraisal bias. As referenced above through impending AVM regulations and ROV guidance, how properties are valued continues to be a concern to be addressed in various ways in the coming months and years. The Property Appraisal and Valuation Equity (PAVE) task force issued its Action Plan in March 2022, and it included a multitude of recommendations that would impact both the appraisal and mortgage lending industries. Thus far we’ve not seen much action in the way of new rules and regulations, but that may change in 2024.
Within the past two years, the banking agencies have sent two letters to the Appraisal Foundation (the body that oversees appraisers), urging it to further revise its Ethics Rule applicable to appraisers to include a detailed and explicit statement of federal prohibitions against discrimination under FHA and ECOA. It is the agencies’ opinion that the first attempt to make appraisers more aware did not go far enough. This may be one of several additional requirements appraisers must eventually follow, such as enhanced anti-bias training and efforts to better diversify the appraisal profession. Any such changes must be monitored by lenders to ensure the appraisers they engage meet any new requirements imposed by this self-regulatory body.
We can also expect more commentary, guidance, and/or recommendations, if not proposed regulation, around detecting and preventing bias in appraisals that lenders use. The CFPB has opined several times that a lender’s use of a biased appraisal would constitute a potential violation of Regulation B; HUD feels the same way about the application of the FHA.
Redlining. Attention to geographic lending patterns also promises to continue to be front and center within fair lending enforcement circles in 2024. Banks must continue to be diligent in assessing their lending footprints (whether called a Reasonably Expected Market Area, or REMA, service area, lending area, trade area, or otherwise) to ensure there are no indicators of redlining.
Fair lending oversight. Oversight of fair lending activities may also expand in 2024. Among others, in April 2023 the Federal Housing Finance Authority (FHFA), the regulator of Fannie Mae, Freddie Mac, and the Federal Home Loan Banks, issued a proposal that would codify several existing practices and programs relating to its fair lending oversight requirements for those entities. In what form that oversight will take is unknown at this point, but if nothing else it signifies the increasing attention federal regulatory agencies are placing on fair lending issues. More of the same can be expected as time goes on.
ECOA applicability. One interesting development to watch in the courts in 2024 is the application of ECOA itself. In early 2023 a federal District Court ruled that ECOA applied only to “applicants” for credit (as that is the term specified in the statute) and therefore not to “prospective applicants” within the context of advertising. This issue has been simmering for a few years, and later in 2023 the CFPB issued a Statement of Interest in another case stating that ECOA (and Regulation B) applies “to any aspect of a credit transaction,” and therefore covers every aspect of a borrower’s dealings with a creditor. While this shouldn’t portend any major re-interpretation of the reach of ECOA, it will be very interesting to see how this issue evolves as it winds its way through the courts.
Adverse action notices. In the category of transactional compliance with Regulation B, banks can expect scrutiny of their adverse action notices, particularly if they utilize any sort of artificial intelligence (AI), models, or algorithms in their decisioning. This reflects guidance issued in September 2023 by the CFPB stating that creditors that they must disclose specific reasons for adverse action, even if consumers may be surprised, upset, or angered to learn their credit applications were being graded on data that may not intuitively relate to their finances (which may have been utilized in an automated model). The guidance specifies that creditors are not absolved from Regulation B’s requirement to specifically and accurately inform consumers of the reasons for denial because the use of predictive decision-making technologies in their underwriting models makes it difficult to pinpoint the specific reasons for such adverse actions.
As the use of such automated decision-making models increases, expect this type of scrutiny to continue in 2024.
Artificial intelligence, models, and algorithms. Speaking of AI and algorithms, adverse action notices are but the tip of the iceberg when it comes to attention to AI’s impact on the banking industry. Numerous issuances on the risks (as well as the benefits) to the financial services industry of AI, algorithms, and use of so-called nontraditional data were published in 2023 (as in prior years), and more can be expected in 2024. A Joint Statement from the CFPB, DOJ, Federal Trade Commission (FTC), and Equal Employment Opportunity Commission (EEOC) is especially noteworthy, as it reaffirmed their commitment to protect the public from bias in automated systems and artificial intelligence (AI). CFPB Director Chopra published comments stating the bureau will continue to collaborate with other agencies to enforce federal consumer financial protection laws, regardless of whether the violations occur through traditional means or advanced technologies. Further, the privacy protections in the proposed open banking rule could have implications for data used to train AI models.
Banks would be well-served to continue their focus on how these new technologies are utilized within their operations, but especially within marketing and credit functions, to understand how pervasive their use is, so that they can better understand and articulate the risks involved, but also to take steps to properly mitigate them. The agencies use terms such as “digital redlining” and “algorithmic discrimination” in their publications; we can count on examinations and enforcement addressing these topics continuing into the foreseeable future.
Other areas of focus
Fees. Attention on fees has been a theme for a few years now, with the President’s Junk Fees Initiative being front and center. As time has gone on, we’ve slowly been seeing guidance on what precisely would constitute a “junk” fee in the agencies’ eyes, meaning what fees should not be assessed at all, and for those fees that are assessed, how high a charge would be considered too high? Last March the administration convened a gathering of state legislative leaders to discuss fees, that in the administration’s view are “unnecessary, unavoidable, or surprise charges” that obscure true prices and are often not disclosed upfront. The same day, the CFPB published a special issue of its Supervisory Highlights focusing on fees in deposit accounts and the auto, mortgage, student, and payday loan servicing markets, which contained many examples of fees of which the administration is critical.
A related issuance came from the bureau in October 2023 in the form of an Advisory Opinion on consumers’ requests for information regarding their accounts with large institutions under Dodd-Frank Act section 1034(c). Director Chopra asserts that institutions should not charge excessive fees when trying to manage their finances.
There is no reason to expect attention to fees will wane in 2024; to the contrary, we can likely expect even more scrutiny. Banks would be wise to continue vigilance on fee structures, with the goal of “transparency and full disclosure in pricing,” to quote a phrase commonly heard by regulators when discussing this topic.
Overdraft and non-sufficient funds (NSF) issues. Attention to overdraft fees will certainly continue. Much was published in 2023 by several agencies, including reports of larger banks drastically changing their overdraft and NSF fee practices (including reducing fees), and many discontinuing overdraft fees altogether. The CFPB has also mentioned several times that they are considering regulating overdraft plans as “consumer credit” under Regulation Z, although nothing formal to that effect has been issued yet. If this happened, it would be a major change in how overdraft plans are handled, so we’ll certainly keep a close eye on that possibility.
Additional guidance on repeat NSF fees and so-called “authorized positive, settled negative” (APSN) overdraft fees has sent a clear signal to banks to monitor whether these situations are occurring, and to determine whether disclosures may need to be strengthened or whether the bank needs to eliminate the fee.
Reminder: “Seasoned qualified mortgages,” or QMs, classification begins March 1. One issue to keep an eye on early in 2024 is the CFPB’s actions (if any) on the so-called “Seasoned QM” rule. Part of Regulation Z’s Ability-to-Repay (ATR) standard, this provision allows for certain mortgage loans originated outside of the rule’s QM criteria to become later become QMs by virtue of having three years of good payment history. This provision was effective March 1, 2021, and was not retroactive, meaning only loans originated on that date or thereafter could be eligible to later become seasoned QMs (but again only after three years). That date is now approaching, meaning some banks will have loans in their portfolios that newly become “safe harbor” QMs on the three-year anniversary of origination.
The only potential fly in the ointment here is a statement made by the bureau in early 2021, where it stated that the “Bureau is considering whether to initiate a rulemaking to revisit the Seasoned QM Final Rule.” That hasn’t happened yet (and hopefully at this late date will not), but it is an issue to keep an eye on, as various lenders have been preparing for some loans to gain this valuable status soon.
Crypto: A topic to watch
With the evolution of the financial services business to a more digital model, we can expect increased regulatory interest in the risks that new technologies present. Chief among these is cryptocurrencies and related crypto assets. It is not a matter of if, but rather when, retail banks embrace these products and offer them to their customers; in fact, it is already happening in a number of places (whether directly or through third parties). Consumers want to take advantage of the latest and greatest, and when returns on traditional products stagnate, banks face the risk of deposit runoff if they don’t keep up.
Within the past few years, there have been multiple issuances and warnings from various agencies about the risks of crypto assets, including from the White House. The OCC, Federal Reserve and FDIC in April 2023 issued a joint statement regarding their concerns about liquidity, safety and soundness, consumer protection and other compliance risks to banks tied to crypto assets. And the Securities and Exchange Commission (SEC) has taken steps to enhance consumer protections for cryptocurrency assets by proposing to implement measures under the Investment Advisors Act of 1940 to address how client assets are safeguarded. It seems to be only a matter of time before the banking regulators address this gap in oversight of new product offerings, both from a safety and soundness as well a consumer protection standpoint. Banks thinking taking the plunge into crypto should monitor this situation carefully.
While plenty is known about what is coming in 2024, let’s end where we began: There always seem to be a few developments that take us all by surprise, and we look back and think how we could never have anticipated that event. Change is the only constant, and banks’ processes must be fine-tuned to detect all that happens in a rapidly-changing regulatory environment.
Carl Pry, CRCM, CRP, is senior advisor for Treliant LLC in Washington, D.C., where he advises clients on a wide variety of compliance, fair lending, corporate treasury and risk issues. He serves as chair of the editorial advisory board for ABA Bank Compliance magazine. Reach him via email at [email protected].
ABA Member Resources
- Webinar Series: 2024 Regulatory Updates and Compliance Challenges Webinar Series
- ABA Certification: Certified Enterprise Risk Professional
- ABA Training: Introduction to Enterprise Risk Management
- ABA Events: Risk Management Schools
- ABA Certificate: Operational Risk Management
- ABA Resources: Reference Guide to Regulatory Compliance
- Certified Enterprise Risk Professional Certification and Training
- Certified Regulatory Compliance Manager Certification and Training