The FDIC’s Guidance on ITMs: Use Only As Directed
On August 9, 2024, the FDIC released a Financial Institution Letter (“FIL”) offering limited guidance on the use of interactive teller machines or ITMs. Specifically, the FDIC addressed the question of whether an ITM would be considered a remote service unit (“RSU”), which a bank may establish without approval, or a branch, which requires approval under Section 18(d) of the FDI Act.
The guidance states that an ITM would require approval as a branch unless:
- The ITM is an automated, unstaffed banking facility owned or operated by, or operated exclusively for, the bank, which is equipped to enable existing customers to initiate an interactive session with remotely located bank personnel; and
- To the extent that bank personnel have the ability to remotely assist the customer with the operation of the ITM to perform core banking functions, customers must also be able to perform such transactions without the involvement of bank personnel and must have the sole discretion to initiate and terminate interactive sessions with bank personnel
It seems, essentially, that an ITM will require a branch application unless it functions primarily as an ATM, with any interactive assistance from bank personnel being 1) unnecessary for core banking functions, 2) provided by remotely-located bank employees, and 3) initiated and terminated by the customer.
The guidance further states “This FIL relates exclusively to the applicability of section 18(d)’s branch establishment requirements to state nonmember banks.” This is an important part of the guidance, because it places substantial limits on how it can be used and clarifies that ITMs and branches are not fully interchangeable for all purposes. It also leaves several questions unanswered, so banks should be careful not to read too much into this FIL.
First, of course, this guidance can only be used by state nonmember banks. Because this is not interagency guidance, banks regulated by agencies other than the FDIC should probably consult their regulators directly.
Additionally, the FDIC does not discuss how the rules about branch closings would apply to ITMs, which leaves open questions like:
- Would closing an ITM be considered a branch closure?
- What would be the appropriate process if a bank wants to place a brick-and-mortar branch at a location that currently has an ITM, or within 1,000 feet of an ITM? Would the brick-and-mortar branch require an application for a new branch?
- What would be the process for a bank that wants to close a brick-and-mortar branch and replace it with an ITM? Would this be considered a branch closure?
Similarly, for signage purposes, it’s probably clear that FDIC signage will be required if the ITM is taking insured deposits. It seems like an ITM would likely be in the category of “ATMs and like devices” that are considered “digital deposit taking channels” requiring the new digital sign, but clarifying guidance would be useful in this area as well.
Finally, although an ITM may be a ‘branch’ for purposes of whether an application is required, it may not be considered a branch for other purposes, such as the Community Reinvestment Act (“CRA”). Because branch locations are the basis for determining a bank’s CRA assessment areas, treating ITMs as branches for CRA purposes could have significant consequences for banks. The CRA defines a branch as “a staffed banking facility approved as a branch.” The FDIC guidance indicates that ITMs may need to be “approved as a branch,” but it is unclear whether ITMs would be considered “staffed” because of the interactive features available. Until we have further guidance on this question, it may be worthwhile for banks to include a review of potential CRA consequences when determining whether and where to place ITMs.
Because the guidance is explicitly limited only to whether a branch application is required to establish a new ITM, banks should avoid extrapolating too much from this guidance, continue to be cautious about using ITMs and, when in doubt, contact regulators for additional guidance. As always, Compliance Alliance will continue to monitor developments in this area, and provide updates as they come available. If you have any further questions, do not hesitate to let us know.
Evaluating Valuations: Interagency Guidance on Reconsiderations of Value
On July 26, 2024, regulators published the final Interagency Guidance on Reconsiderations of Value of Residential Real Estate Valuations.
The Guidance applies to all valuations used in credit transactions secured by a single 1-4 residential property. It outlines, in very general terms, the process by which a financial institution may request reconsideration of an appraisal or other valuation in order to identify and resolve potential deficiencies or inaccuracies, although the guidance does focus specifically on the potential for discriminatory bias to affect valuations, a fair lending concern that the agencies have also raised in other areas, such as the recent guidance on the use of automated valuation models.
The Guidance focuses on a few key features that the regulators recommend including in ROV policies and procedures:
Link to the consumer complaint process. When a consumer complaint is received relating to a residential property valuation, banks should consider whether an ROV could resolve the complaint and have procedures set up to obtain the ROV if appropriate.
- Inform consumers. Banks should ensure that consumers are notified of the valuation and the bank’s process for bringing potential deficiencies in the valuation to the bank’s attention in time for them to avail themselves of that process and raise their concerns with the bank. Notices to consumers should be clear and easy to understand, giving them specific information on the steps to take to request an ROV – what information to submit, when and where to submit it, and what to expect next.
- Involve the appropriate stakeholders. Banks should have processes in place to ensure that requests for reconsiderations of value, regardless of how they are received, are routed to the appropriate personnel for review and further action. Additionally, when an ROV is obtained, the bank takes appropriate measures. Of course, this will require ensuring that the bank’s underwriters and others managing the loan application receive the revised valuation, but it may also be worthwhile to involve other departments such as compliance and vendor management, so that issues and trends can be identified and managed.
- Ensure consistency. The process by which a bank evaluates whether an ROV is merited should be as consistent and objective as possible. Staff evaluating appraisals should be thoroughly trained on the criteria the bank considers relevant and ROV decisions should be well-documented.
One difficult question many banks are considering is how to handle the cost for ROVs. The finalized guidance states that banks should “establish guidelines for when a second appraisal could be ordered and who assumes the cost,” but it gives little direction on how banks should be assigning that cost. Particularly where there is an indication of discriminatory bias in an appraisal, however, there may be concerns that requiring borrowers to pay twice to obtain one valid, reliable appraisal could raise both UDAAP and fair lending concerns, so it is not clear that it would be permissible to automatically pass the cost of a second appraisal on to loan applicants. While there is not a clear answer on how the cost can best be assigned, lenders should ensure that the ROV process they put in place to combat discrimination in appraisals does not lead to other fair lending risks. As always, feel free to reach out to Compliance Hub’s Hotline if you have any other questions or concerns.
The FDIC Signage Requirements: Clear, Conspicuous, Continuous Displays
As the end of the year draws closer, banks continue to work on making sure they are prepared to meet the new requirements for FDIC signage, which will be mandatory as of January 1, 2025. Here are some highlights from the Q&A recently posted by the FDIC to assist banks working on understanding the requirements and updating policies.
The final compliance date is January 1, 2025. No changes were required to be fully implemented on the initial April 1, 2024 effective date because the new rule created a transitional period from April to January, during which insured financial institutions can comply with the rule by complying with either the prior requirements or the future requirements.
Once the rule becomes fully effective on January 1, the digital sign must be displayed on the bank’s initial page or home page, landing or login pages, and any page where a customer may transact with deposits, like a page where a customer can remotely deposit a check or move funds between two FDIC-insured accounts. It should not be displayed on a page that transacts with a non-deposit account, such as a page that allows customers to move funds from a deposit account to a non-deposit account. For purposes of FDIC signage, the term “non-deposit products” does not cover credit products or safe deposit boxes.
On screens or pages where the digital sign is required, it cannot be dismissed by the user; it must be displayed continuously. Displaying the digital sign in the footer of the bank’s website does not meet the “clear and conspicuous” requirement, so on pages where the digital logo is required, it must be displayed somewhere outside the footer. If the digital sign does not fit on the expected screen size, as for mobile applications that may be used on handheld devices, the sign can be scaled, “wrapped,” or “stacked” to fit the screen, but it must still be continuously displayed clearly and conspicuously. The digital sign is not required on embedded third-party pages that transact with the customer’s bank account. The digital sign may link to the FDIC’s BankFind tool, but this is not required.
Non-deposit disclosures must state that non-deposit products are not insured by the FDIC, are not deposits, and may lose value. These disclosures should be displayed clearly and conspicuously on pages that interact with both deposit and non-deposit products. Displaying the disclosures in the footer of the bank’s webpage again does not meet the clear and conspicuous requirement. When designing pages that offer options to transact with both deposit and non-deposit products, banks should be careful to ensure the non-deposit disclosures are provided and that the FDIC digital sign is not placed in close proximity to non-deposit products.
Despite its name, the digital sign is not required on advertisements, even digital advertisements, so digital and social media advertisements are not required to display the FDIC digital sign. Advertisements in all media will continue to use the “Member FDIC” disclosure or the traditional FDIC logo.
The ATM requirements are for ATMs that accept deposits; machines that just dispense cash would not be ATMs for these purposes. The exact requirements for an ATM that does accept deposits will depend on whether the ATM also offers access to non-deposit products, such as investment accounts (again, not credit products). For now, an ATM that allows access to deposit products and does not offer access to non-deposit products can meet the requirements by either displaying a physical sign posted to the ATM or by displaying the FDIC digital sign clearly, conspicuously, and continuously on the home page, each transaction screen, and any screen relating to deposits. If the ATM also offers access to non-deposit products, each ATM page or screen relating to non-deposit products must clearly, conspicuously, and continuously display the non-deposit disclosures.
ATMs that are put into service after January 1, 2025 will be required to display the digital sign rather than have a posted sign, but the rule will not retroactively apply to ATMs put into service prior to January 1 even though they continue to be used after that date.
Banks looking for additional information on how the rule changes apply to them can also check out the FDIC’s presentation slide decks from webinars about the changes. As always, Compliance Alliance’s Hotline is also available to answer our members’ questions about this and any other compliance concerns you may have.
Third-Party Relationships Still in the Spotlight
On July 25, 2024, the Federal Reserve, the FDIC, and the OCC issued a “Joint Statement on Banks’ Arrangements with Third Parties to Deliver Bank Deposit Products and Services.” The Statement reiterates regulator focus on third party relationships, particularly fintech partnerships. It seems to be responding to the increasing number of fintech companies providing brokered deposit services, including the headline-making failures of some fintech companies operating in this space. These failures have resulted in substantial consumer harms, according to the regulators, making these types of relationships a likely future focus of regulatory action and scrutiny moving forward.
It is not news that regulators see excessive reliance on brokered deposits as a safety and soundness concern. The Joint Statement does reiterate that concern, but also emphasizes other risks, including UDAP, AML/CFT, and misrepresentation of FDIC insurance. Here are a few major takeaways from the Joint Statement:
- Banks accepting brokered deposits remain responsible for compliance with all requirements that apply to deposit accounts, including AML/CFT, Reg DD, and Reg E. A bank may have a third party perform these functions, but when it does so, the bank must ensure that its oversight program ensures that the third party meets the requirements that apply to the bank. Particularly with new business models and technology-based services, third party oversight should be a comprehensive and rigorous program that monitors the third party’s stability as well as the bank’s ability to continue to meet its regulatory requirements in the event of sudden and unforeseen third-party failure.
- Third party fintech relationships require multi-pronged oversight. The Joint Statement references the agencies’ more general guidance on managing third party relationships, which can be instructive for any third-party relationships. What the Joint Statement makes clear is that appropriate oversight of fintech partners should be multi-faceted and comprehensive. Fintech partnerships should include detailed and enforceable contract provisions, rigorous due diligence, ongoing auditing, and contingency planning to address potential operational disruption (including business failure by the third party).
- While brokered deposit arrangements can facilitate rapid growth in deposits, they may increase risks to the bank as well. Banks must accurately report brokered deposits and establish plans for managing the associated risks, including unexpected deposit withdrawals and liquidity risk. Banks should also ensure that they are operationally prepared to manage a higher volume of deposit accounts as well as the risk that comes with having a significant percentage of the bank’s deposits dependent on a single vendor.
- Banks should review fintech partners’ advertising to ensure that it does not misrepresent any aspect of FDIC insurance. The guidance expresses substantial concern that depositors may be led to mistakenly believe that these third parties are insured financial institutions or that depositors may be confused about how their access to their deposit depends on a third party that may not be as stable and trustworthy as an FDIC-insured bank.
While the prospect of increasing deposits is appealing particularly where a third party is at hand to perform a lot of the related work that would normally have to be done by the bank, banks should be wary of related risks. When embarking on these partnerships, it is essential that banks invest in the development of a comprehensive third-party risk management strategy that is appropriately tailored to the risk, the specific third party, and the terms of the relationship.
The New AVM Rule Addresses a Trifecta of Top Regulator Concerns
Regulators released the final version of the new rule covering the use of automated valuation models or AVMs, which requires that lenders using AVMs ensure their models are reliable, secure, and nondiscriminatory. The finalized version does not contain significant changes from the proposed rule released in June 2023. This rule comes on the heels of a recent rule about reconsiderations of value, a CFPB fair lending suit against an appraiser and lender, and regulatory guidance about the use of artificial intelligence in loan decisioning, indicating that these areas continue to be high on regulators’ lists of concerns.
AVMs are computerized models used to determine the value of a property. The new rule will apply when lenders use AVMs to assess the value of a consumer’s principal dwelling for the purpose of making a credit decision. It will also apply to ‘covered securitization determinations,’ which will include GSEs using AVMs in determining whether to waive an appraisal as well as determinations regarding structuring, preparing disclosures for, or marketing mortgage-backed securitizations.
When using AVMs for this purpose, the rule requires the implementation of quality control standards designed to accomplish five goals:
- Ensure a high level of confidence in the estimates produced;
- Protect against the manipulation of data;
- Seek to avoid conflicts of interest;
- Require random sample testing and reviews; and
- Comply with applicable nondiscrimination laws.
While the new rules state that the quality control standards should be appropriately tailored to the size, complexity, and risk profile of the institution as well as the transactions for which it uses AVMs, it does not contain a small creditor exemption. The 190 pages of the rule also provide limited guidance on what these goals should look like in practice or how they can be adjusted for smaller banks. The rule’s 12-month implementation period is also a fairly short time for banks to develop robust programs for AVM quality control.
It appears that the last two items – sample testing and nondiscrimination – are the most likely to present challenges to small banks. The guidance does not set standards for sample testing and reviews, which will likely lead to some confusion among banks regarding what would be an adequate sample size, what is required for a review, and what standards should be met for an AVM to “pass” the testing. The fifth goal, ensuring nondiscrimination, presents overlapping concerns in that smaller banks will be lending in smaller volumes and smaller geographic areas, which will make it more difficult to identify fair lending issues in AVMs.
The agencies did recognize in the guidance that a standard setting organization (SSO) and third-party testing would likely be useful in this context but declined to take further action toward encouraging the development of such an organization.
What the rule does make clear is that regulators continue to be concerned about third party oversight, computerization, and fair lending, particularly as it affects access to housing. Taken together with other recent guidance and regulatory actions, it certainly seems that this will continue to be an area of regulator focus to which banks should pay specific attention as part of their compliance management.