Regulatory Compliance Weekly Roundup: Aug. 4, 2023

Week in Review: July 31 - Aug. 4

While the weather may have been cooler this week, the action in the regulatory compliance world has stayed hot! Here's a quick rundown of some of the recent news coming out of the NCUA, CFPB, and more.

NCUA

Late last week, the NCUA issued Letter to Credit Unions 23-CU-06: Importance of Contingency Funding Plans. Attached to this letter is the Addendum to the 2010 Interagency Statement on Funding and Liquidity Risk Management on the Importance of Contingency Funding Plans. This guidance issued by the NCUA, FDIC, OCC and the Federal Reserve reminds financial institutions of the importance of robust contingency funding plans that plan for a wide range of scenarios.

The guidance encourages financial institutions to incorporate the discount window as part of their contingency funding plans and should maintain operational readiness to use it. For credit unions, the guidance highlighted the Central Liquidity Facility as another valuable backup liquidity source. While not mentioned in the guidance specifically, credit unions should also remember that they have access to the Bank Term Funding Program, which was established this spring in the aftermath of the high-profile bank failures.

The Guidance can be found here.

CFPB

CFPB's week started off with a roadblock. Months ago, two bank trade associations and a Texas bank filed suit against the CFPB over one of the Bureau's rules requiring financial institutions to collect certain data for small business lending. On Monday, a Texas federal district court issued an injunction, ruling that the CFPB could not enforce the rule against that Texas bank or any members of the plaintiff trade associations. In the ruling, the Court noted that the constitutionality of the CFPB's funding structure is being challenged in the Supreme Court, and that issue should be resolved before the CFPB can enforce this rule.

The Supreme Court is set to hear arguments in that case on Oct. 3. You can read more about the ruling here.

The CFPB also published a blog post late last week analyzing three cashflow proxies as predictors of delinquency. The post evaluated how high accumulated savings, regular savings and no overdrafts, and paying bills on time could be used to predict serious delinquency and loan repayment ability.

While CFPB acknowledges the shortcomings of their analysis (small sample size and self-reported data) and states that additional research is needed, they note that their "results suggest that using cashflow data may improve underwriting," and that "using positive cashflow data in underwriting may improve access to credit for populations with historically low credit scores."

When we take a step back and look at this post in the context of other CFPB speeches and actions, we start to see a picture of where they might be going. Director Chopra has spoken about his "open banking" vision of the future where consumers can leverage technology to more easily facilitate the sharing of their financial data between companies. In that world, a consumer could quickly and easily authorize data on their deposit history and other cashflow activities to be shared with lenders. If that is the case, and CFPB believes that underwriting based on credit scores impacts certain populations disproportionately, could they require cashflow analysis to be used in the underwriting process? It's not hard to imagine.

You can check out the blog post here.

FFIEC

On Wednesday, the FFIEC announced that it had updated six sections of its BSA/AML Examination Manual. In a press release, the Federal Reserve notes that there “were no changes to the regulatory requirements covered by these sections.”

Of the six sections that were updated, the one that will pertain most to credit unions is Special Information Sharing Procedures to Deter Money Laundering and Terrorist Activity, which covers procedures for 314(a) and 314(b) information sharing. In this update, the manual adds language regarding what information must be shared when you have a 314(a) positive match, including name, account number, dates of matched transactions, and any identifying information, such as SSN, DOB, etc. The regulation that applies here -- 31 CFR 1010.520 -- spelled these items out as pieces of information an FI was required to share "in the manner and in the time frame specific in FinCEN's request."

However, previous versions of the exam manual explicitly stated that when an FI had a positive 314(a) match, they were to report that there was a positive match, but stated that “no details should be provided to FinCEN other than the fact that the financial institution has a match.” Now the manual states that an FI must report positive matches and can choose to provide information in addition to a positive match, while listing those pieces of information above that must be reported.

I would encourage credit union BSA officers to use this examination manual when updating their BSA policies and procedures. While 314(a) screening is done every two weeks, you may go years without an actual positive 314(a) match. It's a good practice to make sure your procedures line up with the examination manual, even if you rarely must implement them.

The new manual sections can be found here.

FCC

We don't cover the Federal Communication Commission all that much here on the REGular blog, but they are currently engaged in rulemaking involving robocalls, robotexts, and consumer opt-out processes that could impact many businesses. Those of us who were in the credit union world back in 2015 may remember when the FCC issued a Telephone Consumer Protection Act (TCPA) Order that included a very broad definition of an autodialer. In addition, this order clarified that consumers may revoke their consent to receive autodialed calls or texts using any reasonable means. In other words, businesses could not require customers to use an exclusive channel or means to revoke consent.

The current Notice of Proposed Rulemaking by the FCC attempts to strengthen this right to revoke consent in four ways: (1) prohibiting requirements to use of specific words or methods to revoke consent; (2) requiring a 24-hour turnaround time to implement the revocation of consent; (3) ensuring one revocation stops all robocalls and robotexts from a specific entity; and (4) allowing consumers to stop robocalls and robotexts from their wireless service provider.

The proposed rules would create something of a "perfect storm" for possible TCPA liability. If customers can use any "reasonable" method or language to revoke consent to receive robocalls or robotexts, businesses cannot require members to opt out through specific channels, and businesses who get an opt out must process it for all communication channels within 24 hours, you could see how a bad-faith actor could exploit this system.

Credit union trade associations and others have urged the FCC to reconsider this new structure. You can read more from CUNA and NAFCU.