The FDIC has issued the March 2022 edition of Consumer Compliance Supervisory Highlights, which includes a description of some of the most significant consumer compliance issues identified by FDIC examiners during consumer compliance examinations conducted in 2021.
The issues described in the report consist of the following:
- Regulation E liability protections. Examiners found the following instances of consumers being targeted for fraud:
  - Customers of a bank that used a third-party service provider (TPSP) to manage its deposit accounts were contacted by someone posing as a representative of the bank’s fraud department who sought the consumers’ account verification codes. Believing they were communicating with the TPSP (working on the bank’s behalf) about unauthorized activity, the consumers provided their two-factor authentication codes, which were used by the scammer to steal money from the consumers’ accounts. The bank had attempted to limit its liability through a disclosure in its account agreement that stated neither the bank nor the TPSP would ever request the authentication code. The FDIC concluded that Regulation E’s liability protections for unauthorized electronic fund transfers (EFTs) apply even if a consumer is deceived into giving someone his or her authentication credentials and that banks cannot limit Regulation E consumer protections through account disclosures.
  - Consumers provided their account credentials for fraudulent EFTs through a money payment platform (MPP) such as Cash App, Zelle, or Venmo. When an MPP entered into an agreement with a consumer, the agreement extended to the bank holding the consumer’s account. The bank, as the account holding institution, was held responsible under Regulation E. In addition, the MPP, through whose platform the EFT was made, was also held responsible because it was considered a “financial institution” under Regulation E.
The FDIC’s recommendations for mitigating risk include (1) reviewing account agreements and disclosures (including those with MPPs) to ensure they do not attempt to limit consumers’ rights under Regulation E, and (2) implementing effective fraud detection and prevention measures, such as monitoring geographic data, spending patterns, merchant data, and IP addresses, to help detect potential fraudulent activity. (In June 2021, the CFPB issued Electronic Fund Transfer FAQs, which it amended in December 2021 to address similar unauthorized use issues.)
- Automated overdraft programs. Examiners identified Section 5 (UDAP) violations in connection with the implementation by some banks of conversions of overdraft programs from a static limit to a dynamic limit. Examiners found that banks had engaged in deceptive acts and practices by failing to disclose sufficient information about the change from a static limit to a dynamic limit. Key changes that banks failed to disclose (and which examiners deemed material) included:
  - Replacement of the fixed amount with an overdraft limit that could change as frequently as daily;
  - The possibility that the new overdraft limit could be higher or lower, at times, than the fixed amount to which the customer was accustomed; and
  - The suspension of the overdraft limit when it falls to zero and how such a change could result in transactions being returned to merchants and other third parties due to insufficient funds.
The FDIC’s recommendations for mitigating risk include (1) providing clear and conspicuous information to existing customers so they have advance notice of how a change from a fixed overdraft limit to a dynamic limit will affect them, (2) disclosing changes in overdraft limits in real time to consumers, and (3) explaining that the dynamic limit is established based on algorithms, or a set of rules, that weigh numerous variables and customer behaviors, how the limit (including frequency) can change, and how the limit can be suspended or reduced to zero when eligibility criteria are no longer met. (The CFPB has made overdraft practices a continuing focus of criticism.)
- Re-presentment of unpaid transactions. Examiners identified consumer harm when banks charged multiple NSF fees for the re-presentment of unpaid transactions. Some disclosures and account agreements indicated that one NSF fee would be charged “per item” or “per transaction.” These terms were not clearly defined and the disclosures did not explain that the same transaction could result in multiple NSF fees if re-presented. The FDIC indicates that the failure to disclose material information about re-presentment practices and fees can be deceptive and also potentially unfair and notes that it has required banks to provide additional restitution beyond what was agreed to in class action settlements.
The FDIC’s recommendations for mitigating risk include (1) eliminating NSF fees, and (2) declining to charge more than one NSF fee for the same transaction, regardless of whether the item is re-presented.
- Fair lending. The following findings were made in matters referred by the FDIC to the Department of Justice:
  - A bank had a practice of using the Cohort Default Rate (CDR) to determine who could apply for private student loan debt consolidation and refinance loans. In general, the CDR cutoffs resulted in the disproportionate exclusion of people who attended historically Black colleges and universities (HBCUs) from applying for credit, as certain HBCUs had CDRs that were above the bank’s cutoff. Although the bank’s use of the CDR to determine school-specific eligibility requirements was a neutral policy, the policy had a disparate impact on the prohibited basis of race, because the graduates of HBCUs were disproportionally Black.
  - There was reason to believe that another bank had engaged in a pattern or practice of illegal credit discrimination on the prohibited basis of race by redlining in certain markets in the bank’s lending areas. This finding was based on an evaluation of the bank’s HMDA data and lending activity in majority-Black census tracts and an analysis of the bank’s branching and marketing and outreach in those areas.
The FDIC’s recommendations for mitigating risk include (1) reviewing any requirements or other criteria used to screen potential applicants to ensure there is no discriminatory impact, (2) understanding the bank’s reasonably expected market area, and the demographics of the geographies within that area, and (3) evaluating the methods by which the bank obtains loan applications, including any marketing or outreach efforts and branches.