Compliance for 2023: What does the future hold? | ABA Banking Journal-TheFM
With uncertainty the rule, the best advice is to have banks’ change-management processes ready for whatever comes.
By Carl Pry, CRCM, CRP
The older we get, the faster time seems to fly by. It seems like just last week we were thinking of what to expect in the compliance world for 2022. As it turned out, quite a bit happened, even though we did not really have any major new regulations introduced. There was no TRID-type event that took up a great deal of time and effort to digest and implement, for instance. But we saw much in the way of guidance, interpretations, reports and enforcement actions that informed us on new trends in the regulatory world. New leadership at the agencies are fully up to speed, and their ideas are being implemented. We can certainly read these tea leaves to make course corrections within our compliance programs in 2023.
Whatever is on the plate for the newest Congress after the mid-term elections, it seems unlikely we will see a major piece of financial legislation in 2023. A mixed Congress may make it less likely we will see full marijuana legalization, but hope springs eternal for some sort of cannabis banking legislation. Regardless of the political makeup of Congress, consumer protection-style laws can find their way to fruition, so the legislative process may not grind to a complete halt.
We did see some important proposed and final regulations introduced in 2022, including Dodd-Frank Act Section 1071 rules, Community Reinvestment Act reform, and the beneficial owner rules under the Bank Secrecy Act, among others. We can hope (expect?) to see activity on some or all of these in 2023, but even if we don’t, the proposals provide roadmaps for banks to use to prepare for changes.
But the one surefire prediction for 2023 is something unexpected will happen, and since you cannot prepare for that, the best advice is to have the bank’s change management processes ready for whatever comes. But there is plenty to anticipate for 2023.
Expected regulatory activity
Dodd-Frank Act 1071. This one has been a long time coming, as in more than 10 years. Section 1071 will create a new subpart in Regulation B to require lenders to collect and disclose information on lending to women- and minority-owned businesses. This promises to make for busy times for compliance officers, commercial lenders, and technology staff to implement the new requirements.There are a few issues to be resolved in the final regulation, including the threshold for reporting, the precise definition of a “small business” and what data points will need to be collected and submitted. But perhaps the biggest mystery of 1071 is what we will call it, as “1071” does not really have a ring to it. That refers to the section of the Dodd-Frank Act where it came from, and it will be a Regulation B rule. Will we call it “Commercial HMDA,” since that is what it most resembles (even though it will be in Reg. B rather than Reg. C)? Will we call it the “Commercial Loan Application Register,” or CLAR? Or will someone more creative come up with something catchier? We’ll just have to wait and see.
Final revised CRA regulations. This has been another long and winding road, with many bumps along the way (including final OCC regulations that were subsequently withdrawn). But in May 2022, the OCC, Federal Reserve, and FDIC finally issued a joint proposed rule to modernize the CRA, making it more relevant to the way retail banking is conducted in the 21st century. The proposal would significantly impact the CRA obligations for large banks (which in the proposal means banks with more than $2 billion in assets). The obligations of small banks would be largely unchanged from today. (“Intermediate” banks fall somewhere in the middle).
While there are hopes for a final interagency regulation to be issued in 2023, the timing of a final rule is uncertain. And, since CRA modernization involves a major overhaul of outdated rules, we may be discussing it again when we gaze into 2024’s crystal ball.
BSA beneficial owner requirements. The Corporate Transparency Act was passed in 2020 as part of the National Defense Authorization Act. Under the CTA, a “reporting company” must report certain beneficial ownership information to the Financial Crimes Enforcement Network. A final rule was issued in September to implement this requirement, which will become effective Jan. 1, 2024. Reporting companies will have until Jan. 1, 2025 to file reports with FinCEN on their beneficial owners and/or control person(s). This is the first of three rulemakings to implement the CTA.
The second rule will be the so-called “access rule,” which will set forth protocols for financial institutions and law enforcement to access the recently-created federal beneficial ownership database. A proposal should be imminent. In October, the acting director of FinCEN stated that that FinCEN expects “to issue it in the near term.” If this does occur, it would be reasonable to expect a final rule sometime in 2023.
We would then wait for the final shoe (three shoes?) to drop: If companies must report beneficial owner information to a federal database and banks will have access to the federal database, does that mean banks will not have to collect what would seem to be duplicate information anymore? After all, that was the hope when the CTA was passed by Congress. However, it does not seem likely it will turn out that way, although we won’t know until we see a proposed regulation. FinCEN has stated it expects revisions to the BSA’s Customer Due Diligence rule to address this issue “no later than one year after the effective date of the reporting rule—as required by the CTA.” This would be no later than Jan. 1, 2025. So we won’t have resolution of this important question in 2023.
Automated valuation method (AVM) rules. The Dodd-Frank Act added Section 1125 to the Financial Institutions Reform, Recovery and Enforcement Act and mandated the OCC, Federal Reserve, FDIC, NCUA, CFPB and FHFA issue a joint rule to strengthen oversight of AVMs, which are less formalized property valuations produced by algorithms. This new regulation must:
- Ensure a high level of confidence in the estimates
- Protect against data manipulation
- Avoid conflicts of interest
- Require random sample testing and reviews
- Account for other factors deemed “appropriate” by the agencies.
Regarding this last item, the regulators are concerned that while AVMs “have the potential to contribute to lower costs and shorter turnaround times in the performance of property valuations,” they also “could digitally redline certain neighborhoods and further embed and perpetuate historical lending, wealth, and home value disparities.” In February the CFPB published an outline of proposals and alternatives under consideration, which included “a requirement that covered institutions establish policies, practices, procedures and control systems to ensure that their AVMs comply with applicable nondiscrimination laws.” This would mandate AVM quality control standards to ensure compliance with Regulation B and the FHA. The outline stated the bureau is considering a “principles-based option,” which would allow banks to set their own standards, or a “prescriptive option,” with a more detailed set of requirements. We can reasonably expect a proposed regulation in 2023.
Seasoned qualified mortgages. In 2020, the bureau created a new category of qualified mortgages known as “seasoned” QMs within Regulation Z’s ability-to-repay rule. The rule provided that loans that were ineligible for QM classification upon origination (or QMs that were higher-priced loans when originated) could become QMs provided they have a good payment history over a 36-month “seasoning period.” This rule became effective March 1, 2021, and it was not retroactive, meaning the first loans eligible to be considered seasoned QMs would have been originated in March 2021, or later (meaning they could become seasoned QMs on March 1, 2024 or later).
Shortly before the rule became effective, the CFPB issued a statement saying, “The Bureau is considering whether to initiate a rulemaking to revisit the Seasoned QM Final Rule.” This signaled the new bureau leadership’s uncertainty about the rule. In a June blog post, CFPB Director Rohit Chopra stated the bureau will be reviewing the QM rule’s seasoning provisions. We may well see some modifications to these provisions in 2023.
Personal financial data rights. Mandated by another provision (1033) of the Dodd-Frank Act (see a pattern here?), the CFPB will “specify rules requiring certain covered persons that are data providers to make consumer financial information available to a consumer directly and to those third parties the consumer authorizes to access such information on the consumer’s behalf, such as a data aggregator or data recipient (authorized third parties).” Banks that offer consumer deposit accounts or credit cards will be included within the definition of “data providers.”
In October the bureau issued an outline of the proposals and alternatives under consideration for this rulemaking. The eventual regulation will, in the bureau’s words, provide “[c]lear data rights for consumers [that will]have the potential to give individuals more bargaining leverage” by addressing “a covered data provider’s obligation to make information available upon request directly to a consumer (direct access) and to authorized third parties (third-party access).”
Information covered under the rule is expected to include several broad categories:
- Periodic statement information covering transactions that have settled
- Information on certain types of prior transactions and deposits that have not yet settled
- Information regarding prior transactions not typically shown on periodic statements or online account portals
- Online banking transactions that the consumer has set up but that have not yet occurred
- Account identity information
- Other information such as consumer reports; fees assessed on consumer accounts; bonuses, discounts, and incentives given to consumers and security breaches that exposed a consumer’s identity or financial information.
The rules will prescribe how and when information must be made available both directly to the consumer as well as to third parties, as well as obligations of third parties’ collection, use and retention of consumer information. As this outline is the very first step in the regulatory process, we may see a proposal but likely not a final regulation in 2023.
Credit card rules. The bureau promised to review the Credit Card Accountability Responsibility and Disclosure Act rules on “enforcement immunity and inflation provisions when imposing penalties on customers.” The bureau has elsewhere stated their concerns around credit card penalty rates and whether some adjustments were needed to the maximums permitted by rule. We may see some proposals to limit these types of fees and perhaps provide some additional consumer protections in the credit card market.
Instant payment systems. There has been recent concern about the increase in fraud seen in various payment systems that operate outside the normal Regulation E framework, such as Venmo, Zelle, ApplePay and others. Payments can be made through apps on a consumer’s cell phone. What happens when an unauthorized transfer is made? Who bears the liability? Should the bank bear the ultimate cost for transactions for which it has limited (or no) information? The underlying laws and regulations governing these situations are unclear at present. There is a push to clarify the responsibilities and liabilities for funds transfers conducted through these new technologies, and this is an area to watch in 2023.
Others. The CFPB stated it is in the process of reviewing a “host of rules” it inherited from other agencies such as the Federal Reserve and FTC, stating “[m]any of these rules have now been tested in the marketplace for many years and are in need of a fresh look.” One such rule specifically called out by the bureau was the Fair Credit Reporting Act, where the bureau may identify possible enhancements and changes in business practices.
For some of these rules, it is not clear that the bureau will be pursuing the traditional formal regulatory process, which involves proposals, notice-and-comment periods, and then final rules. Chopra announced the bureau’s plans to move away from overly complicated and tailored rules, stating that “[c]omplexity creates unintended loopholes, but it also gives companies the ability to claim there is a loophole with creative lawyering.” Rather, the bureau may provide less formal guidance in the form of advisory opinions, consumer financial protection circulars, interpretive rules and bulletins. Banks will need to monitor closely for any of these less-formal rulemakings.
Awaiting new regulations certainly is not the only thing on compliance professionals’ minds. Regulators have emphasized several critical areas over the past few years, and there is every expectation this will continue. In any or all of these, we can expect more commentary from agency leadership, formal or informal guidance and clarification and/or continued enforcement.
Fair lending. No surprise here. Fair lending promises to continue its status as ammong the (if not the most) dominant compliance concerns into 2023. In late 2021, Kristin Clarke, assistant attorney general for the Civil Rights Division stated that fair lending is “one of the most significant issues of our time,” and action is needed due to “widespread practice[s]” in the lending industry. The CFPB’s most recent annual Fair Lending Report to Congress discussed the bureau’s focus on fair lending supervision efforts related to “mortgage origination and pricing, small business lending, student loan origination work, policies and procedures regarding geographic and other exclusions in underwriting, and on the use of artificial intelligence (AI) and machine learning models.” The bureau has a strong history of doing what it says it is going to do, and there is no reason to suspect this will be any different in 2023.
- Redlining: in late 2021, the DOJ announced its “Combating Redlining Initiative,” a collective effort between the DOJ, CFPB and the OCC. In the announcement, Attorney General Merrick Garland stated, “We will spare no resource to ensure that federal fair lending laws are vigorously enforced and that financial institutions provide equal opportunity for every American to obtain credit.” CFPB Fair Lending Director Patrice Ficklin also stated the bureau intends to take “fresh approaches” to redlining enforcement. This is not a short-term initiative. The agencies promise to keep redlining front and center for the foreseeable future. Recent enforcement actions have borne this out.
- Fannie Mae/Freddie Mac fair lending data: In August, the FHFA, the regulator of Fannie Mae and Freddie Mac, announced that beginning March 1, 2023, it “will require servicers to obtain and maintain fair lending data on their loans, and for this data to transfer with servicing throughout the loan term.” This data will include the borrowers’ age, race, ethnicity, gender and preferred language.The inclusion of the preferred language requirement follows a May FHFA announcement that lenders will be required to use the Supplemental Consumer Information Form to collect the preferred language as part of the application process (also required beginning March 1, 2023). The purpose of this collection is “so lenders can better understand borrower needs during the home buying process,” and so the industry can “more fully respond to the nation’s growing diversity.” This is yet another sign of the expanding interest of various federal agencies in fair lending issues.
- Appraisal bias: The Interagency Task Force on Property Appraisal and Valuation Equity Action Plan was published in March, proposing “the most wide-ranging set of reforms ever put forward to advance equity in the home appraisal process.” The task force, made up of 14 separate federal regulatory agencies (including all the banking regulators), was established by the president in 2021 to address racial bias in home lending and appraisals, and recommend actions to root out inequity. It will take several years to fully implement those of the many recommendations that are acted upon, but it is clear there will be impacts to both the appraisal industry itself as well as to lenders who rely on appraisals in real estate loans. This will be an issue to watch for several years.
Artificial intelligence, algorithms, and “big data.” This topic has become quite popular with the agencies over the past few years, and it’s clear we’re only at the beginning of sorting this all out. There are many aspects of this issue to follow, but one of the key terms thrown about is “digital redlining,” which is a form of discrimination where lenders restrict access to credit or offer credit on unequal terms because of applicants’ digital footprints. Banks typically utilize these new technologies in in marketing, fraud detection, and credit criteria.
On the marketing front, the CFPB in August issued an interpretive rule on the so-called “time and space” exception. This rule clarifies when digital marketers are and are not exempt from the Consumer Financial Protection Act. And it defines digital marketers. The rule provides an exception for fair lending and/or UDAAP violations when advertising is delivered via traditional advertising channels, such as radio, television and newspapers. In these cases, the operator merely provides time and space for the message, and has no influence over who sees any particular message. On the other hand, digital channel operators that, due to the vast amounts of consumer data at their disposal, can customize the audience and/or content of a message based on hundreds of attributes, would not fall under the exception.
But what about the providers of advertising messages, including banks? Advertisers that engage in “targeted marketing” are subject to fair lending and UDAAP risk if they customize the intended audience of a message. In Chopra’s words, such digital marketing techniques “helped advertisers limit the audience for ads and enabled advertisers to target specific groups of people to the exclusion of protected classes.”
Machine learning and sophisticated algorithms are increasingly being used to underwrite credit applications as well. A March CFPB blog post commented on the bureau’s “focus on the widespread and growing reliance on machine learning models throughout the financial industry and their potential for perpetuating biased outcomes,” and that the CFPB “will be closely examining companies’ reliance on automated decision-making models and any potential discriminatory outcomes.”
The agencies in March issued a joint request for information seeking input on financial institutions’ use of AI-based models and tools for various purposes, as well as whether it would be helpful to provide additional clarification on using AI when providing services to customers (yes, please).
This is an issue that impacts not just the financial services industry. In October, the White House issued its “Blueprint for an AI Bill of Rights.” This proposed framework contained five principles guiding the design, use and deployment of automated systems to protect the public as the use of such digital technologies increases:
- Ensure systems are safe and effective.
- Implement proactive protections against algorithmic discrimination (digital redlining).
- Incorporate built-in privacy protections, including providing the public control over how data is used and ensuring that the data collection meets reasonable expectations and is necessary for the specific context in which it is being collected.
- Provide notice and explanation as to how an automated system is being used, as well as the resulting outcomes.
- Ensure the public is able to opt out from automated systems in favor of a human alternative and has access to a person who can quickly help remedy problems.
The blueprint stated these principles should be incorporated into policies governing such digital systems in many areas, and specifically mentioned housing, credit and financial services. We can certainly anticipate much more in this area in 2023 and beyond.
UDAAP focus on fees. The term “junk fees” was brought to the forefront of the banking industry by a CFPB press release and request for information back in January 2022. Determining what precisely makes a fee a “junk” fee was not well defined, as the bureau lumped hotel resort fees and concert service fees in with fees normally charged by banks. However, the bureau did specifically call out credit card late fees, and overdraft and nonsufficient funds (NSF) fees in their press release. The bureau stated it will “craft rules, issue industry guidance, and focus supervision and enforcement resources to achieve this goal” in order “to reduce these kinds of junk fees.”
In October, the White House issued The President’s Initiative on Junk Fees and Related Pricing Practices, where the President “called on all agencies to reduce or eliminate hidden fees, charges, and add-ons for everything from banking services to cable and internet bills to airline and concert tickets.”
A little more clarity was offered as to what constitutes a “junk fee” here, including the following examples of bank scenarios:
- Exploitative or predatory fees: for example, “[b]ank overdraft fees, which greatly exceed the bank’s cost of credit, and surprise ‘termination fees’ are leading examples.”
- Fraudulent fees: “[A]n example is advertising a ‘no fee’ bank account that in practice carries significant fees.”
Credit card late payment fees were mentioned here as well, as an example of a category where fees labeled “junk” fees appear to make up significant fee revenue.
The CFPB on the same day issued guidance to help banks avoid charging such fees on deposit accounts, suggesting that overdraft fees could be considered an “unfair” practice (read: UDAAP) even if the fees are in compliance with other laws and regulations (such as Regulation DD, Truth in Savings). According the bureau, “overdraft fees assessed by financial institutions on transactions that a consumer would not reasonably anticipate are likely unfair.” So-called “pay-to-pay” fees charged as part of collection efforts were also mentioned. (See Reassessing Overdraft Programs in the May–June 2022 issue.)
NSF fees were again called out specifically by both the CFPB and FDIC in late 2022. The FDIC issued supervisory guidance that serves as a warning to banks, stating that charging customers multiple NSF fees on re-presented unpaid transactions may increase regulatory scrutiny and litigation risk. Lack of clear disclosure of banks’ practices here was emphasized, and banks were encouraged to review their practices and disclosures. The bureau’s bulletin targeted so-called “surprise” depositor fees: “blanket policies of charging returned deposited item fees to consumers for all returned transactions irrespective of the circumstances or patterns of behavior on the account are likely unfair,” and thus UDAAP.
Surely more will come on this issue, but banks have clearly been put on notice to examine their fee disclosures and practices, and prepare for questions during compliance exams. (For more information, see To Fee or Not to Fee, in the Sept.–Oct. 2022 issue of Bank Compliance Magazine.)
Longer-term evolving issues
Banking certainly isn’t what it was even just a few years ago, and a look at some of the topics of recent regulatory guidance indicate that we have some new issues to think about. How these develop over time is an open question, but at the very least we should start to think about how these may impact compliance requirements in the future.
Crypto issues. It’s a challenge enough to even understand what bitcoin and other digital assets are—how do they work, how do you make money, what are the risks, etc.—much less figure out the compliance implications if your bank decides to offer them to customers. Many bankers think this isn’t an issue they will have to deal with for some time. But it is surprising how many banks (even small community banks) are starting to think seriously about whether they want to take the plunge, either by directly offering these products or by partnering with a third party. Consumers are increasingly demanding access to these types of investments and some banks are experiencing deposit runoffs as a result.
The agencies began dipping their toes into the crypto water in late 2021 by issuing a joint statement summarizing their efforts thus far to evaluate key risks and the applicability of existing regulations and guidance, with promises of further safety and soundness, as well as consumer protection guidance. In late 2022, the White House issued a comprehensive framework on the development of digital assets, and called on federal regulators to “provide innovative U.S. firms developing new financial technologies with regulatory guidance, best-practices sharing, and technical assistance.” This followed a March executive order implementing a “whole-of-government” strategy for coordinating a comprehensive approach toward responsible innovation. The DOJ and Financial Stability Oversight Council have also weighed in on various aspects of digital asset liability, regulation and risk management. Be sure to monitor these developments closely to be ready with an answer to the question: “We want to offer digital assets—what are the rules?” (For more information, see Crypto Compliance: Crypto is here, so what’s compliance to do? in the Nov.–Dec. 2022 issue of Bank Compliance Magazine.)
Environmental, social, and governance (ESG).
This is a broad umbrella of risks and opportunities that impact a company’s ability to create long-term value. Several have been the focus of the agencies recently:
Climate change (environmental). At present, assessing climate change risk is an issue only the largest of U.S. banks must contend with. But like most other compliance issues, it’s inevitable that soon enough it will be something all banks will need to consider. Climate change considerations in the banking industry are not brand new; serious discussions about this occurred in 2019 and earlier. In 2021, the White House issued an “Climate-Related Financial Risk” executive order and later discussed a “comprehensive, government-wide strategy to measure, disclose, manage and mitigate the systemic risks climate change poses.”
One of the pillars of this “whole-of-government” (there’s that term again) strategy is to promote resilience of the U.S. financial system to climate-related financial risks. For more information, see The Increasingly Hot Topic of Climate Change in the Sept.–Oct. 2021 issue of Bank Compliance Magazine.
The FSOC in 2021 issued a report directing financial regulators to take steps to mitigate climate-related risks related to the financial system. The OCC, Federal Reserve, and FDIC have all announced various plans and frameworks for safe and sound management of exposures to climate-related financial risks. What any eventual requirements may look like is for now unknown, but this is another issue to watch closely in the years to come.
Diversity, equity and inclusion (social). This refers to a larger context of how an organization affects its people and communities. Building a sound policy and practice of diversity within a bank’s workforce as well as outside parties, and even the board of directors, is increasingly an issue attracting agency attention. While there are no firm laws or regulations here (at least yet), it is a best practice for banks to invest in these efforts and keep a watchful eye on future regulatory guidance.
That’s a lot of topics, and again we can be sure there will be new developments we can’t even predict today. But as always, it is wise to continuously monitor new developments and be at the ready to respond in kind.
CARL PRY, CRCM, CRP, is managing Director for Treliant LLC in Washington, D.C., where he advises clients on a wide variety of compliance, fair lending, corporate treasury and risk management issues. He also serves on the ABA Bank Compliance magazine editorial advisory board. Reach him via email at [email protected] or by telephone at (440) 320-4662.