January 2023 Newsletters

Subscriptions, Negative Options, and Regulation E

On our compliance hotline, we hear daily from banks who have customers interested in exercising their Regulation E right to dispute errors. Most of the time, these errors take the form of unauthorized Electronic Fund Transfers, and these transactions often are the result of the customer unknowingly signing up for a subscription which will continually debit their account. When many consumers dispute these transactions, they’re completely unaware that they’ve even signed up for anything. In a recent circular, the Consumer Financial Protection Bureau (CFPB) targeted these sorts of tactics by the sellers of subscription services, warning of violations of the Consumer Financial Protection Act.

The CFPB issued a circular last week stating that companies which offer subscription services with a negative option must comply with applicable federal consumer financial protection laws. Negative options refer to a situation in which a seller interprets a person’s silence or failure to cancel as a continued acceptance of the initial offer. According to the CFPB, negative option programs include subscription services that automatically renew unless the consumer cancels the service and trial programs that charge reduced fees for the trial period and begin charging a higher fee automatically after the trial period.

Companies, including banks, risk violations of the Consumer Financial Protection Act (CFPA) if they: a) do not disclose the terms of their subscription services clearly and conspicuously, b) do not obtain informed consent, or c) make it difficult beyond reason for consumers to cancel services. These three are explained in a little more detail below.

  a) Failure to disclose material terms of the negative option. Companies risk violating the CFPA when they misrepresent or do not disclose information that a consumer is likely to rely on when making a decision about whether or not to enroll in a negative option service. This information includes the total of all charges and whether the charges will continue unless the consumer cancels the service.
  b) Failure to obtain informed consent. Companies should ensure that consumers actually agree to the terms of a negative option program. According to the CFPB, companies were found to have engaged in UDAAPs when they misrepresented or failed to disclose that they were offering negative option programs. The result was that consumers did not understand that they were enrolling in services which would continue to charge their account.
  c) Misleading or hindering consumers wishing to cancel. This is commonly done by requiring consumers to navigate a complicated process for cancelling subscriptions, such as having to talk to multiple customer service agents or speak to an agent for a long time before cancelling the service.

This circular is the latest effort from the CFPB to focus on behaviors in the marketplace that they deem harmful to consumers. Financial institutions may benefit from the positive effects this could have on Regulation E disputes, but banks should also be aware of any potential problems with subscription services banks offer to customers. Reach out to us on the Hotline to discuss any potential Regulation E implications, potential problems with subscription services, or anything else compliance related.

Servicemember Identity Theft & Red Flags

When it comes to dealing with members of the U.S. Armed Forces, it seems that there are often special considerations, and the world of identity theft is no exception, due to the increased risk for those individuals. Servicemembers along with veterans and their family members are significantly more likely to be victims of identity theft, with nearly 50,000 instances of identity theft happening each year to these groups. Common servicemember activities, such as frequent relocation, searches for places to live, spousal employment searches, and utility connections may increase the risk of identity theft for servicemembers and their families.

Identity theft can result in fraudulent extensions of credit and delinquencies showing up on a servicemember’s credit report, which has the possibility of affecting the servicemember’s security clearance. Many enlisted servicemembers and all officers are subjected to a review of their credit history and ability to meet their financial obligations in order to obtain and maintain a required security clearance. Even after this initial review of a servicemember’s credit history, the financial status of servicemembers’ security clearances is continuously evaluated. Identity theft not only can negatively impact a servicemember’s career, making it difficult to obtain or maintain a security clearance, but it also fundamentally undermines the readiness of our military and threatens national security.

According to the FTC, servicemembers are 22% more likely than non-servicemembers to report that a new extension of credit, such as a credit card, was opened by a fraudster/identity thief using the servicemember’s stolen information. Likewise, servicemembers are 76% more likely to report that the misuse of their existing account was due to some form of identity theft. Servicemembers are also three times more likely to report that money was taken directly from their accounts, due to identity theft.

Financial institutions are on the front lines, so to speak, and have a part to play in preventing identity theft. Banks are required to have procedures in place to identify Red Flags, or suspicious activities that may suggest fraud or identity theft. These procedures will vary based on a myriad of factors such as an institution’s size, but they should be able to identify signs of potential identity theft in an institution’s day-to-day operations. The Red Flags Program should be able to detect identity theft when it occurs and specify a plan of action for when these Red Flags are detected. In addition, the Red Flags Program should be regularly monitored to make sure the institution is staying current on newer threats. Financial institutions are also required to have programs that ensure customer information remains confidential and prevent unauthorized access to customer information. Further, banks that collect information from consumers to establish eligibility for credit, insurance, employment, or other purposes must properly dispose of the information.

Compliance Alliance can help improve an institution’s Red Flags Program, both with webinar training on Red Flags and with a Red Flags Toolkit that contains nearly 20 Red Flags related tools. Our toolkit contains such tools as checklists, risk assessments, and a sample policy (identified as “Red Flags Identity Theft Prevention Program”), and we’re also available on the hotline to answer any identity theft related questions you may have.

Freezing and Unfreezing HELOCs

Because Reg. Z only permits freezing a HELOC in limited circumstances and imposes specific requirements on the bank, it’s important to be familiar with the regulatory requirements.

The limited number of circumstances in which a bank may freeze a HELOC are for the most part listed in Regulation Z in 12 CFR § 1026.40(f)(3)(vi), with few exceptions. The regulation lists the following six circumstances:

  1. The value of the dwelling that secures the HELOC declines significantly below the dwelling’s value at the time the HELOC was opened
  2. The bank believes that the consumer will be unable to repay the HELOC due to a significant change in the consumer’s financial circumstances
  3. The consumer is in default of any material obligation under the agreement
  4. The bank is precluded by government action from imposing the Annual Percentage Rate (APR) in the HELOC agreement
  5. The priority of the bank’s security interest is adversely affected by government action such that the value of the security interest is less than 120% of the HELOC
  6. The bank is notified by its regulator that additional advances would be an unsafe and unsound practice

Although each of the above six circumstances could be further discussed in their own right, the two we hear about most often are the first two listed above, so we’ll discuss those two in greater detail.

In the first circumstance, the value of the dwelling has declined significantly below its appraised value. While a “significant” decline is determined on a case-by-case basis, the commentary states that when the value of the dwelling declines so much that the initial difference between the credit limit and available equity is reduced by 50%, this is considered to be a “significant decline.”

In the second circumstance, the bank has a reasonable belief that the borrower will be unable to repay the HELOC due to a significant change in the borrower’s financial circumstances. The commentary provides the following two conditions for this second circumstance to apply:

  1. There must be a material change in the financial circumstances of the borrower, such as a significant decrease in the borrower’s income.
  2. The bank must have a reasonable belief that the above change will prevent the borrower from meeting the repayment obligations of the HELOC. While the commentary does not specify what must occur to rise to the level of “reasonable belief”, it does specify that a bank does not need to rely on specific evidence, such as failure to pay other debts. Regardless, a bank would want to be sure to document what occurred that formed their belief.

Once a HELOC is frozen, it is the responsibility of the bank to unfreeze/reinstate it as soon as reasonably possible once the circumstance that caused the freeze no longer exists. A bank has two options by which it can meet this responsibility:

  1. The bank can monitor the line to determine whether the circumstance that permitted the freeze still exists. The commentary states that the monitoring frequency depends on the nature of the circumstance that permitted the freeze in the first place. While this guidance makes clear that some freezes will require more frequent checks than others, as far as specific diligence requirements, a lot is open to interpretation. Because the regulation does not provide clear guidelines as to monitoring, banks may prefer the second option.
  2. The bank can shift the duty to the consumer to request reinstatement of credit privileges. A bank can accomplish this by including a provision in the original freeze notice that the bank is requiring the consumer to request reinstatement of credit privileges.

For an example of notices banks can provide when freezing and reinstating a HELOC which has been subject to a freeze, check out our HELOC Suspension or Freeze Notice and our HELOC Reinstatement Letter. If you have any additional questions about HELOC freezes or reinstatements, feel free to reach out to us on the hotline.

Secure 2.0 Act: Changes to RMDs and More

On December 29, 2022, the SECURE 2.0 Act of 2022 became law as part of the Consolidated Appropriations Act of 2023 (see p. 817 for SECURE 2.0), ushering in another round of retirement reforms, some of which go into effect immediately, and some of which have an effective date of some point in the future.

Required Minimum Distributions (RMDs)

The most discussed provision is the change to the age requirements for the Required Minimum Distributions (RMDs). As you may recall, the RMD age was changed from 70 ½ to 72 in 2019 by the SECURE Act.

Under the current law, if the account owner turned 72 in 2022, they were required to take an RMD in 2022 by April 1, 2023. However, if the account owner turns 72 in 2023, they are not required to take an RMD in 2023, as the RMD age has been increased to 73, effective January 1, 2023. Those who turn 73 in 2023 will have taken their first RMD in 2022, when they turned 72, so this change should really affect those turning 72 in 2023.

For those turning 72 in 2023, no RMD will be required in 2023. Next year, when they turn 73 in 2024, they’ll be required to take their first RMD by April 1, 2025, as a person’s first RMD is not required to be taken until April 1 of the year after they reach the required age.

It is important to note that if a person reached 73 in 2024, their first RMD would need to be taken by April 1, 2025 (for tax year 2024) and they’d also need to take a second RMD by December 31, 2025 (for tax year 2025). The RMD age is increasing again in ten years from 73 to 75, effective January 1, 2033.

Another change effective January 1, 2023 for Required Minimum Distributions is that the penalty for NOT taking an RMD is decreasing from 50% of the RMD amount to 25% of the RMD amount, or 10% of the RMD amount if corrected within the allowed correction window.

Secure Act – 2019 & Secure 2.0 Act – 2022

| Year | Age at which RMD is required |
|---|---|
| 2019 | 70 ½ |
| 2020 | 72 |
| 2021 | 72 |
| 2022 | 72 |
| 2023-2032 | 73 |
| 2033- | 75 |

Catch Up Limits

Another provision we’ve been getting questions about is the selective increase in catch-up limits. Effective January 1, 2025, the SECURE Act increases these limits to the greater of $10,000 or 50% more than the regular catch-up amount in 2025 for individuals who have attained ages 60, 61, 62 and 63. The current catch-up limits for those 50 or older are $7,500 for employer plans and $3,500 for SIMPLE plans.

In total the SECURE 2.0 Act portion of the Consolidated Appropriations Act is about 130 pages long and contains nearly 100 provisions which enact some sort of change or another. Not all the changes made by the SECURE 2.0 Act will be relevant for every financial institution, but the change to the Required Minimum Distributions will certainly have widespread effects on retirement accounts held by financial institutions.