NCUA Recent Member Business Lending Rule Casts Doubt on the Classification of Certain Loans
6/11/2018
The Economic Growth Act (EGA) signed by President Trump on May 24, 2018 provided credit unions with some regulatory relief. The National Credit Union Administration (NCUA) followed this up by removing certain loans from the definition of a “member business loan” (MBL). While this is good news for credit unions desiring an expansion of the MBL cap, NCUA’s June 2018 Final Rule creates a legal/regulatory limbo for non-owner-occupied residential rental properties.
Prior to the EGA, the Federal Credit Union Act (FCUA) defined an MBL as “any loan, line of credit, or letter of credit, the proceeds of which will be used for a commercial, corporate or other business investment property or venture, or agricultural purpose but does not include an extension of credit that is fully secured by a lien on a 1- to 4-family dwelling that is the primary residence of a member.” [Emphasis added] Under this definition, non-owner-occupied rental properties were deemed to be MBLs. Interestingly, commenters to the NCUA’s March 2016 final MBL rule supported this definition because they “indicated they would experience significant regulatory relief [as] certain MBLs, such as loans secured by a 1- to 4-family residential property that is not the member’s primary residence, will no longer be subject to full commercial lending safety and soundness requirements.” But I digress.
The EGA removed the words “primary residence of a member” from the definition, and provided that nothing would “preclude the National Credit Union Administration from treating an extension of credit that is fully secured by a lien on a 1- to 4-family dwelling that is not the primary residence of a member as a member business loan.” Instead, NCUA issued a final rule amending Part 723 to exclude “all [Emphasis added] extensions of credit that are fully secured by a lien on a 1- to 4-family dwelling regardless of the borrower’s occupancy status.” What NCUA failed to do, however, was amend the definition of a “commercial loan,” which still excludes “…loans secured by a 1- to 4-family residential property (whether or not it is the borrower's primary residence)…”
So how are rental property loans classified and underwritten if they are now neither commercial loans nor MBLs? Regulation Z provides some guidance, but it is not complete. Regulation Z applies to most consumer credit transactions.
Section 1026.3(a) excludes “business, commercial, agricultural, or organizational credit” from coverage, defined as “an extension of credit primarily for a business, commercial or agricultural purpose.” Pursuant to the Commentary to §1026.3(a)(5), if a property is one unit and the owner intends to occupy the rental property for more than 14 days in the coming year, the property is considered occupied, and any credit extended “to acquire, improve, or maintain [the] rental property that is or will be owner-occupied within the coming year” will be considered consumer credit. The EGA closed the gap between what you may have considered an MBL because it may not have been treated as a “primary residence.” Now, under both regulations, these loans would be considered consumer loans requiring the TILA-RESPA Integrated Loan Disclosures (loan estimate and closing disclosure).
However, the Commentary to §1026.3(a)(4) provides that non-owner-occupied rental property, regardless of the number of housing units, is deemed to be for a business purpose. Prior to the EGA, this was consistent with the MBL rule, which also classified such loans as MBLs (subject to the MBL cap), because it was not the primary residence of the member. Now, neither Regulation Z nor the MBL rule will apply. I have seen it written the advantage to this is credit unions can now write these as residential loans, as banks have done for small businesses, but these are not residential loans.
How should non-owner-occupied loans secured by a 1- to 4-family residential property used for investment purposes be classified in your credit union’s loan portfolio if they are not MBLs or commercial loans under the NCUA definitions, but classified as commercial loans under Regulation Z? How are these types of loans to be included in a policy or underwritten? These types of loans resemble commercial loans rather than residential ones.
We won’t know for sure what examiners will expect until something is done by NCUA to re-write either the definition of a commercial loan, or the treatment of an MBL. Until then, examiners will likely see a lot of inconsistencies in credit union practices, with no clear guidance as to how these loans should be treated.
Veronica Madsen
PLEASE NOTE: The information and opinions provided on this blog are not intended to be legal advice. No attorney-client relationship is formed, nor should any such relationship be implied. Nothing on this blog is intended to substitute for the advice of an attorney that is licensed in your jurisdiction. No article may be republished without the express written permission of ESTEE Compliance, LLC. © 2018
If you think your financial institution does not have to comply with the European Union’s General Data Protection Regulation because you don’t serve any EU residents, not only would you be very wrong, this mistake could be very costly.
The EU GDPR, which took effect on May 25, will impact every U.S. business that processes the “personal data” from EU residents. The regulation focuses on the processing of the data, not the location of the business.
What Does the EU GDPR Require?
The EU GDPR requires entities that process the data of EU residents to obtain specific consent to do so (unless an exception applies). It also provides EU residents with the “right to be forgotten,” allowing such individuals the right to request the deletion of their data. To carry out these requirements, the regulation requires entities to create data protection policies and, when the entity requires the monitoring of data subjects “on a large scale” (an undefined term), the appointment of a data protection officer. The regulation also requires entities to notify the EU regulators no later than 72 hours after the entity becomes aware of the “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to” personal data, unless harm to a data subject is unlikely. Notice must be provided to data subjects only when a breach results in a high risk to their respective rights and freedoms.
What is “Personal Data” and What is Required for Processing?
“Personal data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Processing of personal data is lawful only if one of the following applies:
If one of these lawful purposes does not apply, the entity must first obtain the individual’s specific consent before his/her personal data can be processed.
How Must Consent Be Obtained?
Consent must be specific, and the request for consent must be separate from any other written text. The language used must be “clear and plain.” The data subject also has the right to withdraw this consent at any time, in a manner as easy as it was to provide it.
What is the Right to Be Forgotten?
EU residents have the right to request the deletion of their data without undue delay when one of the following applies:
Your financial institution’s record retention requirements will override an EU resident’s request to delete his/her information, but information not required to be retained for a specific length of time will have to be deleted upon request.
What are the Penalties for Non-Compliance?
The penalties for non-compliance with the GDPR are significant. Fines up to €20 million (approximately $25 million) or 4 percent of global annual turnover in the previous financial year, whichever is higher, will be assessed against entities found to have inadequately safeguarded EU resident personal data.
Will a Financial Institution’s Privacy Policy Comply with the GDPR?
No. Regulation P requires an opt-out for sharing information with non-affiliated third parties for marketing purposes, with exceptions for affiliates and those with whom the institution has a joint marketing agreement. The GDPR requires consent from EU residents before any information can be processed. Therefore, the privacy notice provided to members/customers will be insufficient to comply with the GDPR.
What Must a Credit Union Do to Prepare and Comply?
1. Amend existing security policies to include the GDPR requirements.
2. Appoint a data protection officer, or at least someone who is familiar with the information obtained and processed, as well as the GDPR requirements.
3. Create an online privacy policy that, among other provisions, outlines the use of the website, the information obtained on it (e.g., whether cookies are used, etc.), provides visitors to the site and members/customers the right to request the deletion of data (subject to the financial institution's record retention requirements), and refers to the privacy policy as the “U.S. Privacy Policy” to make the distinction between the privacy policy for U.S. and EU residents.
4. Create a cookie notice on your website. This notice cannot be a general “by using this site, you agree to the use of cookies.” It must be specific and allow the visitor to choose whether to agree to their use. You may not think you have EU residents as members/customers, but you do not control who visits your website.
5. Create a specific consent form for the processing of EU resident personal data (e.g., for marketing purposes, etc.) for EU resident members/customers. Existing EU resident members/customers are not grandfathered, which means consent must be obtained for existing members/customers as well as new ones.
6. Amend marketing plans to ensure EU residents are not included in any mass mailings or email campaigns until their individual consent forms are signed.
7. Review and amend third-party contracts for all third parties that collect and process data on behalf of the financial institution. Contracts should be amended to provide specifically how data is protected, as well as the requirements and responsibilities for incident response notification.
Can a financial institution take a security interest in a consumer’s existing account through the use of a cross-collateralization clause when the consumer takes out a loan as a covered borrower under the Military Lending Act (MLA)? The answer to this question may depend on who you ask. Some will say “yes,” and others “no.”
The MLA was enacted in 2007, and expanded in 2015 (2015 MLA), to protect servicemembers and their dependents from lending-related abuses related to tax anticipation loans, vehicle title loans, payday loans, and consumer loans covered under Regulation Z. Both iterations of the MLA permit creditors to take a security interest in funds deposited after the extension of credit in an account established in connection with the consumer credit transaction [See Section 232.8(e)(3) of the 2015 MLA].
The attorneys who say “yes” are relying on guidance provided by the Department of Defense (DoD) Interpretive Rule issued on August 26, 2016. These DoD interpretations, presented in a question and answer format, provide as follows:
18. Does the limitation in §232.8(e) on a creditor using a check or other method of access to a deposit, savings, or other financial account maintained by the covered borrower prohibit a creditor from exercising a statutory right to take a security interest in funds deposited within a covered borrower’s account?
Answer: No. Under certain circumstances federal or state statutes may grant creditors statutory liens on funds deposited within covered borrowers’ asset accounts. For example, under 12 U.S.C. 1757(11) federal credit unions may “enforce a lien upon the shares and dividends of any member, to the extent of any loan made to him and any dues or charges payable by him.” … Therefore, §232.8(e) does not impede a creditor from exercising a statutory right to take a security interest in funds deposited in an account at any time, provided that the security interest is not otherwise prohibited by applicable law and the creditor complies with the MLA regulation, including the limitation on the MAPR to 36 percent.
In a legal action with a covered borrower, it is certainly helpful to have the DoD on your side with regard to a claim the financial institution took an illegal security interest in accounts opened before an MLA was issued.
However, it must be noted that in the opening paragraphs of the Interpretive Rule, the DoD makes clear “this interpretive rule does not substantively change the regulation implementing the MLA, but rather merely states the Department’s preexisting interpretations of an existing regulation.” If the regulation is unchanged, does this Interpretive Rule really permit a security interest in an existing account? If you believe it does, here is where the proverbial wheels begin to fall off the argument.
Section 232.7(a) of the 2015 MLA includes a preemption provision related to existing state or Federal laws. Specifically, Section 232.7(a) states the 2015 MLA will preempt a state or Federal law, rule or regulation to the extent any such law, rule or regulation provides protection to a covered borrower greater than those provided by the MLA. The DoD’s preexisting interpretation – not included in the MLA or the DoD’s implementing regulation – regarding a federal credit union’s statutory lien under the Federal Credit Union Act actually benefits the creditor, not the covered borrower. Therefore, the MLA provisions will override any state or federal law, rule or regulation to the contrary.
Still not convinced taking a statutory lien in an existing account involving a covered borrower with an MLA loan is okay based on the DoD guidance? Ask yourself this question: Would the law or a contrary interpretation that does not have the force of law win the day in court when a servicemember sues your financial institution for taking a security interest in an account opened before an MLA loan was approved?
So what does your financial institution do with this if you haven’t changed the language of your loan agreements? The following options can be taken:
Until the statutory language of the MLA that specifically exempts statutory liens from the security interest and preemption provisions is enacted, it may take a lawsuit to answer this question. It appears, in my opinion, that the DoD guidance does not provide sufficient comfort to support the argument that a security interest in existing accounts would survive a legal challenge.
Have a regulatory question? Email me at vmadsen@esteecompliance.com.
Veronica Madsen
Because internal fraud losses are not slowing down, credit unions will need to demonstrate to examiners that they have an adequate prevention program in place.
Financial loss due to internal fraud continues to be a problem despite increased examiner focus on the issue in 2017. According to the National Credit Union Administration’s NCUA Report, from 2012 to September 2016, fraud-related losses cost the National Credit Union Share Insurance Fund $146.8 million. It is no surprise that internal controls and fraud prevention are among NCUA’s supervisory priorities for 2018. NCUA Prohibition Orders were issued in 11 of the 12 months of 2017, prohibiting 46 individuals across 24 states from participating in the affairs of any federally insured financial institution. These individuals pleaded guilty to such crimes as mail fraud, grand theft, misappropriation of funds, bank fraud, money laundering, racketeering and embezzlement. The total restitution amount published in the prohibition orders for 2017 totaled $39,494,437.60. This amount is larger than the asset size of 2,344 of the 5,757 credit unions in the United States as of the third quarter of 2017, which represents just over 40 percent of the total number of credit unions, according to the Credit Union National Association’s “U.S. Credit Union Profile, Third Quarter 2017.” Internal fraud loss is not showing any signs of slowing down. In January 2018 alone, four individuals in four states received prohibition orders with a total restitution amount published totaling $1,067,595.82. Why is internal fraud continuing to occur, despite well-publicized cases of prosecutions and lengthy prison sentences? The short answer? Opportunity due to weak internal controls. In its published supervisory priorities for 2018, NCUA states its examiners expect federal and federally insured credit unions to establish “a strong system of internal controls and a comprehensive approach to managing fraud risk. 
Examiners will continue to evaluate the adequacy of credit union internal controls, as well as overall efforts to prevent and detect fraud.” In practical terms, what does a strong system of internal controls look like? As the NCUA Report provides, some of the measures that should be taken to deter insider fraud include the following:
Understanding how fraudsters operate provides additional insight into the prevention and detection of internal fraud. For example, employees may engage in fraudulent transactions through dormant accounts changed to an “active” status unbeknownst to the real account holder. Fraudulent memberships are sometimes established in the names of family members, with loan proceeds deposited into the fictitious accounts later taken by the thief when the fraudulent loans for these “members” are approved. An effective internal control structure would also include a review of membership cards, loan files (including interest rates and terms that may be much more favorable than the rest of the loans in the portfolio, exceptions, refinancings and extensions), dormant accounts, as well as other areas in which operational weaknesses have been exploited by actual fraudsters.
It is a very positive sign that the regulator is taking notice and addressing this issue. However, due to the lengthy exam cycle, by the time an examiner uncovers the abuse, it is often too late. NCUA advises credit union employees who suspect potential fraud or abuse to notify a supervisor, audit department and/or the examiner. Unfortunately, some credit unions do not have the appropriate staffing that engages in regular auditing, and often the best internal control structure on paper is ineffective when the fraud is being committed by the very leaders who are in charge of ensuring its success.
Credit union staff are required to file mandatory Suspicious Activity Reports under the Bank Secrecy Act as appropriate. Whenever insider fraud is suspected (regardless of the amount), credit union staff also can report suspected fraud to NCUA’s toll-free fraud hotline at 800.827.9650. This hotline is available to report suspected fraudulent or illegal activity by credit union employees, officials and members in federally insured credit unions. All reports to the line are confidential.
Many resources for learning more about internal fraud are available, including NCUA’s Office of Small Credit Union Initiatives’ (now the Office of Credit Union Resources and Expansion) eight-part YouTube video series on fraud prevention and “Internal Controls and Accounting Tips for Small Credit Unions” webinars and other training for boards of directors and supervisory committees.
Veronica Madsen
ESTEE Compliance LLC
PLEASE NOTE: The information and opinions provided on this blog are not intended to be legal advice. No attorney-client relationship is formed, nor should any such relationship be implied. Nothing on this blog is intended to substitute for the advice of an attorney that is licensed in your jurisdiction. No article may be republished without the express written permission of ESTEE Compliance, LLC. © 2015