Noteworthy Sixth Circuit Court of Appeals Rulings for Financial Institutions in August 20199/19/2019 The Sixth Circuit Court of Appeals released two opinions of import to financial institutions in late August 2019.
In the first case, Karla Brintley v. Aeroquip Credit Union; Belle River Community Credit Union, Karla Brintley, who is blind, sued the two credit unions under Article III of the Americans with Disabilities Act and Michigan state law for failure to make their respective websites accessible to blind individuals. Thus far, all of the cases filed against credit union for ADA noncompliance have been dismissed for a lack of standing due to the fact the plaintiffs have all been non-members of each credit union defendant. The credit unions at the district court level had filed motions to dismiss because, as a non-member, Brintley did not have standing to sue under Title III. The District Court rejected the credit unions’ motions to dismiss the case, but the Sixth Circuit overturned this ruling and dismissed both suits. Though the decision represented a victory for the credit union industry in the Sixth Circuit Court states of Kentucky, Michigan, Ohio and Tennessee, it was a narrow one and represents a shift in the way these cases have been decided. According to the Court, “...if she had claimed an interest in joining one of the credit unions, she would have been on the same footing as a sighted individual engaged in the same [membership] inquiry. But no, that is not her position. She has not conveyed any intent to join either credit union.” Relying on Griffin v. Dep’t of Labor Fed. Credit Union, 912 F.3d 649, 653 (4th Cir. 2019), without “a connection between the plaintiff and the defendant,” Brintley lacked the requisite standing to sue. Had Brintley merely expressed an interest in becoming a member and taken steps to become eligible for membership, the credit unions would have lost these cases. Additionally, the concurring opinion is both instructive and concerning regarding the membership issue. The concurring judge wrote separately “to make clear that my concurrence is based only on Brintley’s failure to sufficiently allege that the websites contained information or services that she could use, and not on the proposition that a non-member or non-eligible person is per se unable to challenge the accessibility of a credit union’s website.” What does this mean? Standing in future ADA-related website lawsuits could be met by membership-eligible non-members who merely allege an interest in joining the credit union. It may be more expensive to keep fighting these cases than it would be to make the credit union websites ADA compliant. In the second case, Michael L. Scott; Linda A. Larkin v. First Southern National Bank, the plaintiffs sued the bank for, among other things, violating the Fair Credit Reporting Act (FCRA) by willfully and/or negligently failing to fully and timely investigate plaintiffs’ complaints of inaccurate reporting of credit information to credit reporting agencies, as well as tortiously interfering with plaintiff’s business relationships by deliberately reporting false credit information. The District Court granted the bank’s motion for summary judgment, which the Sixth Circuit affirmed. The plaintiffs had a number of loans with the bank, including a construction loan and a line of credit. The plaintiffs’ credit line with the bank was set to mature while their request to renew itwas pending, so the bank agreed to accept interest-only payments. However, the bank failed to extend the maturity date, and after the plaintiffs failed to make the interest payments for two months, the bank’s computer system generated automated delinquency notices. The plaintiffs obtained financing elsewhere for their construction project, and used some of the proceeds to completely pay off the bank. Plaintiffs obtained an attorney who submitted a letter to the bank that their credit report continued to show a delinquency even though no money was owed to the bank, and a second letter five months later that the issue was not resolved. The bank submitted an additional correction to the credit reporting agencies, and the plaintiffs filed their lawsuit. The Sixth Circuit ruled the district court properly dismissed this claim because the plaintiffs never notified a consumer reporting agency regarding their dispute, which is “a prerequisite for prevailing on their FCRA claims.” The bank’s duty to investigate the dispute was never triggered because the furnisher (i.e., the bank) must have received a notice from a credit reporting agency – not the plaintiffs – that the credit information was disputed. The district court was also ruled to have correctly dismissed the tortious interference claim because it arose from the bank’s reporting incorrect information to the credit reporting agencies, and the FCRA preempts state law that relates to a furnisher’s submission of credit information to these agencies. The Court held the FCRA preempts both state statutory and state common law (i.e., lawsuit) claims. The moral of this story is important for all financial institutions: Filing successful FCRA claims, as well as successfully getting such lawsuits dismissed, requires in-depth knowledge of the FCRA and how it protects both consumers and furnishers of credit information. Veronica Madsen PLEASE NOTE: The information and opinions provided on this blog are not intended to be legal advice. No attorney-client relationship is formed, nor should any such relationship be implied. Nothing on this blog is intended to substitute for the advice of an attorney that is licensed in your jurisdiction. No article may be republished without the express written permission of ESTEE Compliance, LLC. © 2019
0 Comments
On August 28, 2019, the Eleventh Circuit Court of Appeals published its opinion in Regions Bank v. Legal Outsource PA regarding whether a guarantor is considered an “applicant” under the Equal Credit Opportunity Act (ECOA). The Eleventh Circuit handles federal appeals arising from cases tried in Alabama, Georgia and Florida.
Legal Outsource PA, a law firm wholly owned by Charles Phoenix, defaulted on a Regions Bank loan that triggered the default of a loan and mortgage Regions issued to Periwinkle Partners, LLC, an entity wholly owned by Phoenix’s wife, Lisa Phoenix. In the Regions Bank actions to enforce its rights under the loan and mortgage, Lisa Phoenix filed a counterclaim that Regions discriminated against her and Charles based on their marital status by demanding Charles Phoenix and Legal Outsource guarantee the Periwinkle loan. The district court ruled Lisa Phoenix’s counterclaims failed because she lacked standing, as a guarantor is not an “applicant” under the ECOA entitled to anti-discrimination protections. The Eleventh Circuit affirmed this decision. Phoenix argued Regulation B § 202.2(e), which implements the ECOA, provides the term “applicant” includes guarantors, and §202.7(d)(1) prohibits the signature of a spouse, other than a joint applicant, on any credit instrument if the applicant independently qualified as creditworthy. The appeals court reasoned the “applicant” under the ECOA is defined as “any person who applies to a creditor directly for…credit, or applies to a creditor indirectly by use of an existing credit plan for an amount exceeding a previously established credit limit.” The court ruled it did not need to defer to the Regulation B definition because the statute’s definition is unambiguous. This ruling differs from the Sixth Circuit Court of Appeals decision in RL BB Acquisition, LLC v. Bridgemill Commons Dev. Grp, which held the definition of “applicant” under the ECOA was ambiguous and, therefore, deferred to the Consumer Financial Protection Bureau’s interpretation under Regulation B that guarantors are “applicants.” The Sixth Circuit handles federal appeals arising from cases tried in Kentucky, Michigan, Ohio and Tennessee. This case could go to the U.S. Supreme Court. Why? Not only are the appeals courts split, this issue already was tried before the Supreme Court. On March 22, 2016, the Court upheld the Eight Circuit Court of Appeals decision in Hawkins v. Community Bank of Raymore that spousal guarantors could not bring a discrimination claim against creditors under the ECOA because the guarantors did not qualify as “applicants.” However, the Supreme Court’s decision was 4-4, which means the issue is only affirmed and precedential in the Eighth Circuit. The Eighth Circuit handles federal appeals arising from cases tried in Arkansas, Iowa, Minnesota, Missouri, Nebraska, North Dakota and South Dakota. While we can speculate as to how a full court would rule, it remains to be seen whether a writ of certiorari will be filed to appeal this Eleventh Circuit decision. Veronica Madsen PLEASE NOTE: The information and opinions provided on this blog are not intended to be legal advice. No attorney-client relationship is formed, nor should any such relationship be implied. Nothing on this blog is intended to substitute for the advice of an attorney that is licensed in your jurisdiction. No article may be republished without the express written permission of ESTEE Compliance, LLC. © 2019 The Eleventh Circuit Court of Appeals released its opinion in Federal Deposit Insurance Corporation v. R. Charles Louderman, Sr., et al on July 22, 2019. The court upheld the District Court for the Northern District of Georgia’s decision finding the directors of the shuttered Buckhead Community Bank jointly and severally liable for negligence.
The Federal Deposit Insurance Corporation (FDIC) closed a failing Georgia bank in 2009 after it suffered millions of dollars in losses due to bad loans. After the FDIC was receiver of the failed bank, the agency sued the directors and officers for negligence and gross negligence for approving ten risky loans resulting from the failure to conduct proper research. The District Court awarded the FDIC nearly $5 million in damages. The directors were unsuccessful in advancing their arguments that the District Court should have apportioned the director liability because not all of the directors attended the board meetings where the loans were presented and approved. Aside from Georgia law precluding such an argument, the Bank’s quorum-approval policy allowed the Directors’ Loan Committee members “to act as agents for each other.” The policy required unanimous consent for loans to be approved, and at no time did any member - present or absent from the meeting - object to the approval of the loans at issue. As the court stated, “...the absent members, by not exercising their veto power, allowed the quorum to speak for them.” Lending credence to the negligence claim was the fact that the loan packet information was unreliable. For one of the loans at issue, the loan packet included an appraisal for the land, with the incorrect assumption the land had been rezones at the time of the appraisal. Another loan packet failed to include information related to creditworthiness, but did contain irrelevant information the applicant belonged to a country club. What can be learned from this case? First, a review of the board policies is in order to determine whether actions taken by those present at meetings can negatively impact those not present when important decisions are made. Second, loan packets should be audited/reviewed before they are presented to the board committee for approval, ensuring all board members receive the information in a sufficient amount of time before the approval vote. Third, board members must be actively engaged by carefully reviewing all submitted information, asking questions, and ensuring all policy requirements have been met before approving any request. Veronica Madsen PLEASE NOTE: The information and opinions provided on this blog are not intended to be legal advice. No attorney-client relationship is formed, nor should any such relationship be implied. Nothing on this blog is intended to substitute for the advice of an attorney that is licensed in your jurisdiction. No article may be republished without the express written permission of ESTEE Compliance, LLC. © 2018 The courts deciding issues under the Telephone Consumer Protection Act (TCPA) in 2018 did little to provide greater clarity on how callers can effectively avoid liability for telephone calls and text messages to consumers. Until the Federal Communications Commission (FCC) issues another TCPA Order in light some of these court decisions, Congress passes amendments to the law, and/or the U.S. Supreme Court addresses the conflicting decisions of the various appeals courts, compliance with the TCPA will depend on where you do business.
What is an “Automated Telephone Dialing System”? Perhaps the area of greatest confusion and risk of liability lies with the issue of how an automated telephone dialing system (ATDS) is defined. The FCC 2015 Order interpreted an ATDS to include equipment that has the potential ability to dial randomly or sequentially, including by the modification of equipment or adding software to provide these capabilities in the future. A number of entities, including ACA International, requested judicial review of the 2015 Order. On March 16, 2018, the D.C. Circuit Court of Appeals in ACA International v. FCC rejected the FCC’s 2015 interpretation of an ATDS. The court ruled it is unreasonable to conclude a smartphone qualifies as an ATDS “because they have the inherent ‘capacity’ to gain ATDS functionality by downloading an app.” The focus, the court ruled, should be on “how much is required to enable the device to function as an autodialer.” In response to this decision, the FCC sought the following comment on TCPA interpretations:
Comment had ended on June 28, 2018, but the FCC reopened its comment call after the Ninth Circuit Court of Appeals expanded its interpretation of an ATDS in its Marks v. Crunch San Diego, LLC decision dated September 20, 2018. In this case, gym operator Crunch was alleged to have violated the TCPA by sending promotional text messages using an ATDS without consent. The Ninth Circuit ruled the TCPA’s language was “ambiguous on its face” regarding whether the phrase “using a random or sequential number generator” modifies both “store” and “produce.” The court interpreted the TCPA to mean an ATDS is “not limited to devices with the capacity to call numbers produced by a ‘random or sequential number generator’ but also includes devices with the capacity to stored numbers and to dial store numbers automatically.” Note: The Ninth Circuit covers Arizona, California, Idaho, Nevada, Montana, Oregon and Washington. As a result of the Marks decision, the FCC requested comment on the following questions:
This comment period ended on October 24, 2018. On October 30th, the Ninth Circuit denied the defendant’s Petition for Rehearing En Banc. Crunch has 90 days to submit a Petition for Writ of Certiorari with the Supreme Court. Given the different appellate court rulings on the ATDS definition, it is highly likely this issue will go before the U.S. Supreme Court regardless of how the FCC rules. For example, on June 26, 2018, the Third Circuit Court of Appeals in Dominguez v. Yahoo ruled in light of the D.C. Circuit’s ACA International decision, a plaintiff must prove a phone system has the present capacity (and not the potential capacity) to generate random and sequential telephone numbers and dial those numbers. In Dominguez, the consumer received approximately 27,800 text messages in 17 months from Yahoo on his used smartphone alerting him to Yahoo emails he was receiving. Because the prior owner of the phone had enrolled the number in Yahoo’s text messaging notification system, Yahoo responded to his request to stop the messages that the service could only be stopped if the former owner of the phone disabled it himself. The court ruled Yahoo’s Email SMS Service did not have the present capacity to function as an ATDS. Note: The Third Circuit Court of Appeals covers Delaware, New Jersey, Pennsylvania and the Virgin Islands. On June 29, 2018, the Second Circuit Court of Appeals in King v. Time Warner Cable sided with the ACA International decision that the term “capacity” means a device’s present functions, and remanded the case back to the District Court to determine whether TWC’s systems had the ability to perform the functions of an ATDS when it made the calls to King. King, the plaintiff and a customer of Time Warner Cable (TWC), agreed to receiving telephone calls, including automated messages. King sued TWC after receiving over 150 automated voice message collection calls for another customer who had owned her cell phone number, even after requesting the calls cease. Note: The Second Circuit Court of Appeals covers Connecticut, New York and Vermont. Who is the “Called Party”? The ACA International Court affirmed the 2012 Seventh Circuit Court of Appeals decision in Soppet v. Enhanced Recovery Company, LLC that the “’called party’ means the person subscribing to the called number at the time the call is made.” While neither King nor Dominguez were the intended parties called or texted, neither case addressed the meaning of the “called party” as an issue. Revocation of Consent In 2018, the courts treated the issue of consent revocation differently as well. After receiving a number of calls with prior express consent, the plaintiff in McMillion v. Rash Curtis & Associates told the defendant: “I told you guys to stop called [sic] me, but you guys keep calling me…I asked you nicely to stop calling and that I didn’t have anything that you needed at the moment but if I do come across it I’ll definitely give you guys a call. But you guys are not supposed to be calling me.” The U.S. District Court for the Northern District of California on February 2, 2018 denied the defendant’s argument that revocation of consent must “clearly express his or her desire not to receive further calls,” and held in that service of a legal complaint operates as revocation as a matter of law. However, the U.S. District Court for the Northern District of Ohio ruled on April 30, 2018 in Barton v. Credit One Financial that the plaintiff could not orally revoke consent when the contract specifically required a revocation in writing. The court held the plaintiff could not “unilaterally alter the terms of the agreement to claim that his oral revocation of consent was valid.” The FCC’s 2015 Order provides a different standard. The order provides revocation must be reasonable, which is determined by the totality of the circumstances. Callers cannot may not designate a method of opting out in ways that make it difficult or impossible to revoke consent. The D.C. District Court in ACA International held callers “have every incentive to avoid TCPA liability by making clearly-defined and easy-to-use opt-out methods.” On March 28, 2018, the U.S. District Court for the District of New Jersey ruled in Rando v. Edible Arrangements that the Plaintiff’s efforts were not reasonable. Edible Arrangements instructed consumers to reply “STOP” to cease future text messages. The Plaintiff instead texted: (1) “Take my contact info off please”; (2) “I want to confirm that I have been removed off your contacts”; (3) “I asked to be removed from this service a few times. Stop the messages ; and (4) “Again I want to stop this service thank you.” On October 26, 2018, the Ninth Circuit ruled in Epps v. Earth Fare, Inc. that the plaintiff’s attempt to stop text messages from the defendant with texts such as “I would appreciate if we discontinue any further texts” and “Thank you but I would like the texts messages to stop can we make that happen” were not reasonable because it was communicated to just text “Stop.” Congressional Action Both the U.S. House of Representatives and the U.S. Senate have drafted legislation amending the TCPA. The “Stopping Bad Robocalls Act” (H.R. 6026 and S. 3078), would add a new definition of “robocall” in place of an ATDS. The new term would include devices that making calls using “numbers stored on a list” (in addition to dialing random or sequential numbers). The new definition clarifies robocalls do not include using equipment where “substantial additional human intervention” is required to place the call. The bills would also require the FCC to establish a nationwide database of reassigned telephone numbers. Voice providers would have to ensure information is accurate and prevent calls from connecting where caller ID verification cannot be made. The bills would also extend the statute of limitations for FCC enforcement of TCPA violations from 1 year to 4 years. It remains to be seen whether either bill will pass out of committee to a full vote. Veronica Madsen PLEASE NOTE: The information and opinions provided on this blog are not intended to be legal advice. No attorney-client relationship is formed, nor should any such relationship be implied. Nothing on this blog is intended to substitute for the advice of an attorney that is licensed in your jurisdiction. No article may be republished without the express written permission of ESTEE Compliance, LLC. © 2018 The Consumer Financial Protection Bureau has amended Regulation Pto implement changes to the Gramm-Leach-Bliley Act regarding the conditions under which financial institutions—including credit unions—need not provide annual privacy notice to consumers.
The final rule provides an exception to the requirement to provide an annual notice to “customers,” as defined in Regulation P §1016.3(i), herein referred to as “members.” To qualify for the annual privacy notice exception, the following two conditions must be met:
However, credit unions that choose to take advantage of the annual notice exception must still provide any opt-out disclosures required under the FCRA, if applicable, though they are not required annually. Credit unions can provide these disclosures through other methods, for example, through their initial privacy notices in most circumstances. When the Exception No Longer AppliesUnder the final rule, when the exceptions are no longer met, an annual privacy notice must be provided. The timing of the required annual notice differs, depending on whether the change that causes the credit union to no longer qualify for the annual notice exception also triggers a requirement under Regulation P to deliver a revised notice. Section 1016.8 requires credit unions to provide revised notices to members before nonpublic personal information is shared with a nonaffiliated third party if their sharing would be different from what was described in the initial notice delivered. After delivering the revised notice, the credit union must also give the member a “reasonable opportunity” to opt out of any new information sharing beyond the Regulation P exceptions before the new sharing occurs. When an annual notice is required, it must be provided ‘‘at least once in any period of 12 consecutive months.’’ A credit union may define the 12-consecutive-month period but must apply it to the customer on a consistent basis. When the annual notice requirement is triggered, credit unions must deliver the annual notice within 100 days after the change that caused the exception to be lost. The final rule provides an example for when a credit union must provide an annual notice after it no longer meets the exception. The example assumes that a credit union changes its policies or practices effective April 1 of year one and defines the 12-consecutive-month period as a calendar year. The regulation states the credit union must provide an annual notice by December 31 of year two if the credit union was required to provide a revised notice prior to the change and provided that revised notice on March 1 of year one in advance of the change. The credit union must provide an annual notice by July 9 of year one if the credit union was not required to provide a revised notice prior to the change. When the credit union once again meets the exception after having to provide annual notices, the annual notice would no longer be required. Alternative Delivery Method Effectively Eliminated Previously under Regulation P, credit unions using the alternative delivery method were required to mail annual notices to members who requested them by telephone. Credit unions were also required to include a clear and conspicuous statement of availability at least once a year on an account statement, coupon book, or a notice or disclosure the credit union issued under any provision of law. The final rule has eliminated the alternative delivery method for providing the annual privacy notice. Credit unions that meet the conditions to use the alternative delivery method will also meet the conditions of the annual privacy notice exception. Credit unions that qualify for the new annual notice exception may still choose to post privacy notices on their websites, and/or deliver privacy notices to members upon request. Such activities will not affect the eligibility for the new exception. This final rule became effective on Sept. 17, 2018. The Economic Growth, Regulatory Relief, and Consumer Protection Act (SB 2155), among other regulatory relief provisions, amended the 2015 Home Mortgage Disclosure Act to provide partial exemptions from the collection and reporting of the expanded 2015 HMDA data points.
While the law lowers the number of institutions reporting sensitive financial information of mortgage loan applicants, it does not go far enough in that it does not address the issue of keeping certain HMDA data points from being made public. Given the ongoing data security concerns at the Consumer Financial Protection Bureau, the privacy issue must be addressed in a manner that goes much further than what the CFPB proposed in its July 5 statement. SB 2155 Amendments to 2015 HMDA Rule In part, the 2015 HMDA rule added 25 new data points on the loan/application register for both closed-end and open-end lines of credit. This rule requires reporting of the new HMDA data points for mortgage-lending institutions that originated at least 25 closed-end mortgage loans or at least 500 open-end lines of credit in each of the two preceding calendar years (i.e., calendar years 2018 and 2019). SB 2155 amends the exemption threshold for both closed-end mortgage loans and open-end lines of credit to fewer than 500 such loans and lines of credit in the preceding calendar year. Note: The current CFPB HMDA summary provides the open-end lines of credit exemption will be reduced to 100 such lines of credit beginning on Jan. 1, 2020, unless the CFPB takes “further action.” SB 2155 appears to make this 500 open-end lines of credit exemption threshold permanent. Under SB 2155, for mortgage lenders meeting the closed-end mortgage loans or open-end lines of credit reporting exemption, the requirements of HMDA §304(b)(5) and (6) will not apply. What this means is that mortgage lenders meeting the closed-end and open-end thresholds will not have to record and report the new HMDA data points, but must still record and report the original 21 HMDA data points on the LAR, which are as follows:
CFPB Proposal Regarding Privacy of HMDA Data Also anticipated is the final HMDA rule proposed by the CFPB in September 2017 regarding the data that will be made available to the public beginning in 2019 for mortgage lenders that exceed the exemption thresholds provided by SB 2155.
The loan amount, age of the applicant, the applicant’s debt-to-income ratio and the property value each would be disclosed as a range or an interval. Loan amounts would be reported in intervals of $10,000 as opposed to the nearest $1,000. Data Security Concerns More will need to be done to protect non-public personal information from being disseminated to the public, as there continue to be data security concerns at the CFPB. For example, the October 2017 Audit of the CFPB’s Information Security Program conducted by the Office of Inspector General found the agency did not mandate the use of personal identity verification credentials for its privileged and non-privileged users, which “poses an increased risk of unauthorized access to the CFPB’s information systems.” Additionally, CFPB “has not ensured that background checks are completed for contractor personnel performing IT work.” The OIG’s January 2018 Audit of the CFPB’s Encryption of Data on Mobile Devices found “the CFPB has not been able to provide a full accounting of all laptops that have been assigned to users since the establishment of the agency.” In his April 11, testimony presenting the “2018 Semi-Annual Report of the Bureau of Consumer Financial Protection” to Congress, then CFPB Director Mick Mulvaney told lawmakers that the CFPB had suffered 240 data security "lapses" and another 800 "incidents.” Though none have been deemed a major security breach, concerns remain regarding whether the sensitive financials of mortgage loan applicants and home buyers should be transmitted, stored and shared. Until greater consumer protections are provided, we will have to settle for fewer institutions reporting this data. Veronica Madsen is CEO at ESTEE Compliance, LLC in the Detroit area. Note: The information and opinions provided on this blog are not intended to be legal advice. No attorney-client relationship is formed, nor should any such relationship be implied. Nothing on this blog is intended to substitute for the advice of an attorney that is licensed in your jurisdiction. No article may be republished without the express written permission of ESTEE Compliance, LLC. © 2018 NCUA Recent Member Business Lending Rule Casts Doubt on the Classification of Certain Loans6/11/2018 The Economic Growth Act (EGA) signed by President Trump on May 24, 2018 provided credit unions with some regulatory relief. The National Credit Union Administration (NCUA) followed this up by removing certain loans from the definition of a “member business loan” (MBL). While this is good news for credit unions desiring an expansion of the MBL cap, NCUA’s June 2018 Final Rule creates a legal/regulatory limbo for non-owner-occupied residential rental properties.
Prior to the EGA, the Federal Credit Union Act (FCUA) defined an MBL as “any loan, line of credit, or letter of credit, the proceeds of which will be used for a commercial, corporate or other business investment property or venture, or agricultural purpose but does not include an extension of credit that is fully secured by a lien on a 1-to 4- family dwelling that is the primary residence of a member.” [Emphasis added] Under this definition, non-owner-occupied rental properties were deemed to be MBLs. Interestingly, commenters to the NCUA’s March 2016 final MBL rule supported this definition because they “indicated they would experience significant regulatory relief [as] certain MBLs, such as loans secured by a 1- to 4-family residential property that is not the member’s primary residence, will no longer be subject to full commercial lending safety and soundness requirements.” But I digress. The EGA removed the words “primary residence of a member” from the definition, and provided that nothing would “preclude the National Credit Union Administration from treating an extension of credit that is fully secured by a lien on a 1- to 4-family dwelling that is not the primary residence of a member as a member business loan.” Instead, NCUA issued a final rule amending Part 723 to exclude “all [Emphasis added] extensions of credit that are fully secured by a lien on a 1- to 4- family dwelling regardless of the borrower’s occupancy status.” What NCUA failed to do, however, was amend the definition of a “commercial loan,” which still excludes “…loans secured by a 1- to 4-family residential property (whether or not it is the borrower's primary residence)…” So how are rental property loans classified and underwritten if they are now neither commercial loans or MBLs? Regulation Z provides some guidance, but it is not complete. Regulation Z applies to most consumer credit transactions. Section 1026.3(a) excludes “business, commercial, agricultural, or organizational credit” from coverage, defined as “an extension of credit primarily for a business, commercial or agricultural purpose.” Pursuant to the Commentary to §1026.3(a)(5), if a property is one unit and the owner intends to occupy the rental property for more than 14 days in the coming year, the property is considered occupied, and any credit is extended “to acquire, improve, or maintain [the] rental property that is or will be owner-occupied within the coming year” will be considered consumer credit. The EGA closed the gap between what you may have considered an MBL because it may not have been treated as a “primary residence.” Now, under both regulations, these loans would be considered consumer loans requiring the TILA-RESPA Integrated Loan Disclosures (loan estimate and closing disclosure). However, the Commentary to §1026.3(a)(4) provides that non-owner-occupied rental property, regardless of the number of housing units, is deemed to be for a business purpose. Prior to the EGA, this was consistent with the MBL rule, which also classified such loans as MBLs (subject to the MBL cap), because it was not the primary residence of the member. Now, neither Regulation Z nor the MBL rule will apply. I have seen it written the advantage to this is credit unions can now write these as residential loans, as banks have done for small businesses, but these are not residential loans. How should non-owner occupied loans secured by a 1- to 4- family residential property used for investment purposes be classified in your credit union’s loan portfolio if they are not MBLs or commercial loans under the NCUA definitions, but classified as commercial loans under Regulation Z? How are these types of loans to be included in a policy or underwritten? These types of loans resemble commercial loans rather than residential ones. We won’t know for sure what examiners will expect until something is done by NCUA to re-write either the definition of a commercial loan, or the treatment of an MBL. Until then, examiners will likely see a lot of inconsistencies in credit union practices, with no clear guidance as to how these loans should be treated. Veronica Madsen PLEASE NOTE: The information and opinions provided on this blog are not intended to be legal advice. No attorney-client relationship is formed, nor should any such relationship be implied. Nothing on this blog is intended to substitute for the advice of an attorney that is licensed in your jurisdiction. No article may be republished without the express written permission of ESTEE Compliance, LLC. © 2018 If you think your financial institution does not have to comply with the European Union’s General Data Protection Regulation because you don’t serve any EU residents, not only would you would be very wrong, this mistake could be very costly.
The EU GDPR, which took effect on May 25, will impact every U.S. business that processes the “personal data” from EU residents. The regulation focuses on the processing of the data, not the location of the business. What Does the EU GDPR Require? The EU GDPR requires entities that process the data of EU residents to obtain specific consent to do so (unless an exception applies). It also provides EU residents with the “right to be forgotten,” allowing such individuals the right to request the deletion of their data. To carry out these requirements, the regulation requires entities to create data protection policies and, when the entity requires the monitoring of data subjects “on a large scale” (an undefined term), the appointment of a data protection officer. The regulation requires also entities to notify the EU regulators no later than 72 hours after the entity becomes aware of the "accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to” personal data, unless harm to a data subject is unlikely. Notice must be provided to data subjects only when a breach results in a high risk to their respective rights and freedoms. What is “Personal Data” and What is Required for Processing? “Personal data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Processing of personal data is lawful only if one of the following applies:
If one of these lawful purposes does not apply, the entity must first obtain the individual’s specific consent before his/her personal data can be processed. How Must Consent Be Obtained? Consent must be specific, and the request for consent must be separate from any other written text. The language used must be “clear and plain.” The data subject also has the right to withdraw this consent at any time, in a manner as easy as it was to provide it. What is the Right to Be Forgotten? EU residents have the right to request the deletion of their data without undue delay when one of the following applies:
Your financial institution’s record retention requirements will override an EU resident’s request to delete his/her information, but information not required to be retained for a specific length of time will have to be deleted upon request. What are the Penalties for Non-Compliance? The penalties for non-compliance with the GDPR violations are significant. Fines up to €20 million (approximately $25 million) or 4 percent of global annual turnover in the previous financial year, whichever is higher, will be assessed against entities found to have inadequately safeguarded EU resident personal data. Will a Financial Institution’s Privacy Policy Comply with the GDPR? No. Regulation P requires an opt-out for sharing information with non-affiliated third parties for marketing purposes, with exceptions for affiliates and those with whom the institution has a joint marketing agreement. The GDPR requires consent from EU residents before any information can be processed. Therefore, the privacy notice provided to members/customers will be insufficient to comply with the GDPR. What Must a Credit Union Do to Prepare and Comply? 1. Amend existing security policies to include the GDPR requirements. 2. Appoint a data protection officer, or at least someone who is familiar with the information obtained and processed, as well as the GDPR requirements. 3. Create an online privacy policy that, among other provisions, outlines the use of the website, the information obtained on it (e.g., whether cookies are used, etc.), provides visitors to the site and members/customers the right to request the deletion of data (subject to the financial institution's record retention requirements), and refers to the privacy policy as the “U.S. Privacy Policy” to make the distinction between the privacy policy for U.S. and EU residents. 4. Create a cookie notice on your website. This notice cannot be a general “by using this site, you agree to the use of cookies.” It must be specific and allow the visitor to choose whether to agree to their use. You may not think you have EU residents as members/customers, but you do not control who visits your website. 5. Create a specific consent form for the processing of EU resident personal data (e.g., for marketing purposes, etc.) for EU resident members/customers. Existing EU resident members/customers are not grandfathered, which means consent must be obtained or existing members/customers as well as new ones. 6. Amend marketing plans to ensure EU residents are not included in any mass mailings or email campaigns until their individual consent forms are signed. 7. Review and amend third-party contracts for all third parties that collect and process data on behalf of the financial institution. Contracts should be amended to provide specifically how data is protected, as well as the requirements and responsibilities for incident response notification. Can a financial institution take a security interest in a consumer’s existing account through the use of a cross-collateralization clause when the consumer takes out a loan as a covered borrower under the Military Lending Act (MLA)? The answer to this question may depend on who you ask. Some will say “yes,” and others “no.”
The MLA was enacted in 2007, and expanded in 2015 (2015 MLA), to protect servicemembers and their dependents from lending-related abuses related to tax anticipation loans, vehicle title loans, payday loans, and consumer loans covered under Regulation Z. Both iterations of the MLA permit creditors to take a security interests in funds deposited after the extension of credit in an account established in connection with the consumer credit transaction [See Section 232.8(e)(3) of the 2015 MLA]. The attorneys who say “yes” are relying on guidance provided by the Department of Defense (DoD) Interpretive Rule issued on August 26, 2016. These DoD interpretations, presented in a question and answer format, provide as follows: 18. Does the limitation in §232.8(e) on a creditor using a check or other method of access to a deposit, savings, or other financial account maintained by the covered borrower prohibit a creditor from exercising a statutory right to take a security interest in funds deposited within a covered borrower’s account? Answer: No. Under certain circumstances federal or state statutes may grant creditors statutory liens on funds deposited within covered borrowers’ asset accounts. For example, under 12 U.S.C. 1757(11) federal credit unions may “enforce a lien upon the shares and dividends of any member, to the extent of any loan made to him and any dues or charges payable by him.” … Therefore, §232.8(e) does not impede a creditor from exercising a statutory right to take a security interest in funds deposited in an account at any time, provided that the security interest is not otherwise prohibited by applicable law and the creditor complies with the MLA regulation, including the limitation on the MAPR to 36 percent. In a legal action with a covered borrower, it is certainly helpful to have the DoD on your side with regard to a claim the financial institution took an illegal security interest in accounts opened before an MLA was issued. However, it must be noted that in the opening paragraphs of the Interpretive Rule, the DoD makes clear “this interpretive rule does not substantively change the regulation implementing the MLA, but rather merely states the Department’s preexisting interpretations of an existing regulation.” If the regulation is unchanged, does this Interpretive Rule really permit a security interest in an existing account? If you believe it does, here is where the proverbial wheels begin to fall off the argument. Section 232.7(a) of the 2015 MLA includes a preemption provision related to existing state of Federal laws. Specifically, Section 232.7(a) states the 2015 MLA will preempt a state or Federal law, rule or regulation to the extent any such law, rule or regulation provides protection to a covered borrower greater than those provided by the MLA. The DoD’s preexisting interpretation - not included in the MLA or the DoD’s implementing regulation – regarding a federal credit union’s statutory lien under the Federal Credit Union Act actually benefits the creditor, not the covered borrower. Therefore, the MLA provisions will override any state or federal law, rule or regulation to the contrary. Still not convinced taking a statutory lien in an existing account involving a covered borrower with an MLA loan is okay based on the DoD guidance? Ask yourself this question: Would the law or a contrary interpretation that does not have the force of law win the day in court when a servicemember sues your financial institution for taking a security interest in an account opened before an MLA loan was approved? So what does your financial institution do with this if you haven’t changed the language of your loan agreements. The following options can be taken:
Until the statutory language of the MLA that specifically exempts statutory liens from the security interest and preemption provisions is enacted, it may take a lawsuit to answer this question. It appears, in my opinion, that the DoD guidance does not provide sufficient comfort to support the argument that a security interest in existing accounts would survive a legal challenge. Have a regulatory question? Email me at vmadsen@esteecompliance.com. Veronica Madsen PLEASE NOTE: The information and opinions provided on this blog are not intended to be legal advice. No attorney-client relationship is formed, nor should any such relationship be implied. Nothing on this blog is intended to substitute for the advice of an attorney that is licensed in your jurisdiction. No article may be republished without the express written permission of ESTEE Compliance, LLC. © 2018 Because internal fraud losses are not slowing down, credit unions will need to demonstrate to examiners that they have an adequate prevention program in place.
Financial loss due to internal fraud continues to be a problem despite increased examiner focus on the issue in 2017. According to the National Credit Union Administration’s NCUA Report, from 2012 to September 2016, fraud-related losses cost the National Credit Union Share Insurance Fund $146.8 million. It is no surprise that internal controls and fraud prevention are among NCUA’s supervisory priorities for 2018. NCUA Prohibition Orders were issued in 11 of the 12 months of 2017, prohibiting 46 individuals across 24 states from participating in the affairs of any federally insured financial institution. These individuals pleaded guilty to such crimes as mail fraud, grand theft, misappropriation of funds, bank fraud, money laundering, racketeering and embezzlement. The total restitution amount published in the prohibition orders for 2017 totaled $39,494,437.60. This amount is larger than the asset size of 2,344 of the 5,757 credit unions in the United States as of the third quarter of 2017, which represents just over 40 percent of the total number of credit unions, according to the Credit Union National Association’s “U.S. Credit Union Profile, Third Quarter 2017.” Internal fraud loss is not showing any signs of slowing down. In January 2018 alone, four individuals in four states received prohibition orders with a total restitution amount published totaling $1,067,595.82. Why is internal fraud continuing to occur, despite well-publicized cases of prosecutions and lengthy prison sentences? The short answer? Opportunity due to weak internal controls. In its published supervisory priorities for 2018, NCUA states its examiners expect federal and federally insured credit unions to establish “a strong system of internal controls and a comprehensive approach to managing fraud risk. Examiners will continue to evaluate the adequacy of credit union internal controls, as well as overall efforts to prevent and detect fraud.” In practical terms, what does a strong system of internal controls look like? As the NCUA Report provides, some of the measures that should be taken to deter insider fraud include the following:
Understanding how fraudsters operate provides additional insight into the prevention and detection of internal fraud. For example, employees may engage in fraudulent transactions through dormant accounts changed to an “active” status unbeknownst to the real account holder. Fraudulent memberships are sometimes established in the names of family members, with loan proceeds deposited into the fictitious accounts later taken by the thief when the fraudulent loans for these “members” are approved. An effective internal control structure would also include a review of membership cards, loan files (including interest rates and terms that may be much more favorable than the rest of loans in the portfolio, exceptions, refinancings and extensions), dormant accounts, as well as other areas in which operational weaknesses have been exploited by actual fraudsters. It is a very positive sign that the regulator is taking notice and addressing this issue. However, due to the lengthy exam cycle by the time an examiner uncovers the abuse, it is often too late. NCUA advises credit union employees who suspect potential fraud or abuse to notify a supervisor, audit department and/or the examiner. Unfortunately, some credit unions do not have the appropriate staffing that engages in regular auditing, and often the best internal control structure on paper is ineffective when the fraud is being committed by the very leaders who are in charge of ensuring its success. Credit union staff are required to file mandatory Suspicious Activity Reports under the Bank Secrecy Act as appropriate. Whenever insider fraud is suspected (regardless of the amount), credit union staff also can report suspected fraud to NCUA’s toll-free fraud hotline at 800.827.9650. This hotline is available to report suspected fraudulent or illegal activity by credit union employees, officials and members in federally insured credit unions. All reports to the line are confidential. Many resources for learning more about internal fraud are available, including NCUA’s Office of Small Credit Union Initiatives’ (now the Office of Credit Union Resources and Expansion) eight-part YouTube video series on fraud prevention and “Internal Controls and Accounting Tips for Small Credit Unions” webinars and other training for boards of directors and supervisory committees. Veronica Madsen ESTEE Compliance LLC PLEASE NOTE: The information and opinions provided on this blog are not intended to be legal advice. No attorney-client relationship is formed, nor should any such relationship be implied. Nothing on this blog is intended to substitute for the advice of an attorney that is licensed in your jurisdiction. No article may be republished without the express written permission of ESTEE Compliance, LLC. © 2015 |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
October 2018
Categories |
RSS Feed
Proudly powered by Weebly