Credit Card Statements and E-Sign in the Time of COVID
By C/A Staff
In this new era of the global COVID-19 pandemic, E-Sign has become both a hot topic and lifeline for many banks and customers that have had to close their lobbies or whose customers have not been able to come into the bank. E-Sign disclosure and consent are generally required any time the bank is giving federally required disclosures to a consumer, including any Reg Z disclosures, like account opening disclosures and periodic statements.
On June 3, 2020, however, the CFPB released a statement related to E-Sign and credit card disclosures required under Reg Z (https://files.consumerfinance.gov/f/documents/cfpb_e-sign-credit-card_statement_2020-06.pdf). This statement from the CFPB was in response to COVID-19 and the unique burdens that banks and other creditors are experiencing at this time. In particular, creditors have noted a large increase in customers wanting to take advantage of electronic records rather than paper documents. This has led to a sharp increase in incoming call volume for creditors trying to help customers get signed for electronic statements. Credit card creditors have noted that the E-Sign consent requirements in particular have resulted in increased call length, dropped calls, and multiple calls with the same customer to complete the E-Sign consent process. As a result, the CFPB has decided that because of the burden of the E-Sign consent requirement in relation to the benefit for consumers to obtain electronic records rather than paper documents during the current COVID-19 outbreaks, the CFPB will provide some flexibility in the E-Sign consent requirements. The CFPB will not take enforcement action against a bank when it comes to the E-Sign consent requirements, as long as the bank, over the phone, is able to obtain verbal consent to provide disclosures electronically and confirms verbally over the phone that the customer is able to access and open those disclosures.
The bank should be sure to be able to document that the customer was asked those two questions over the phone, and received a verbal 'yes' from the customer. That could be through a recording of the phone conversation, through notes made by the bank employee on the phone with the customer, or through some other means of documentation under the bank’s internal policy that the bank would be able to provide to an examiner when asked during an exam. Banks should also be mindful of any state law requirements regarding recording phone calls. Some states require that both parties consent to the phone call, so it would be best practice to notify the customer that the call may be recorded and to obtain a verbal consent to recording the phone conversation from the customer.
That being said, it's still generally best practice to get E-Sign consent whenever possible before sending a customer electronic documents. The spirit and intent of the E-Sign Act is to be sure that the customer is actually able to receive the documents that the bank is sending in the manner that the bank is sending the documents. As a practical matter, it would behoove the bank to be sure that the customer can receive the documents the bank is sending. As such, the bank would want to be sure to thoroughly weigh the costs and benefits of the potential relief from the CFPB versus the potential repercussions or long term issues with customers potentially not receiving disclosures from the bank before making any changes, even if they are temporary, to the bank’s internal policy.
Unemployment Income and Qualified Mortgage
by C/A Staff
The COVID-19 pandemic has brought waves of people filing new claims for unemployment benefits each week. As we emerge from this health crisis, we will undoubtedly be dealing with the pandemic’s effects for some time. Because of the rise in unemployment claims, it may be worthwhile to review the use of unemployment benefits when qualifying for a mortgage.
As a general rule, a lender cannot originate a dwelling-secured loan before it makes a reasonable and good faith determination that the applicant will be able to repay the loan. The ability-to-repay (“ATR”) regulation gives us a safe harbor in the form of the Qualified Mortgage. Regulators created multiple types of Qualified Mortgages and placed certain restrictions on the terms of each. If lenders meet these conditions, the loan is presumed to comply with the ATR rules. Our ATR/QM Matrix shows the different options and criteria. Lenders may use this checklist to confirm a loan satisfies the requirements for a General Qualified Mortgage. Small creditors may use this checklist to confirm they are making a Qualified Mortgage.
When making a Qualified Mortgage, a lender must use Appendix Q to Regulation Z to confirm the applicant’s current or reasonably expected income. The lender uses the criteria in Appendix Q to establish that at the time of closing the loan, the applicant’s total monthly debt does not exceed 43 percent of his or her total monthly income. When outlining the applicant’s income that the lender can reasonably expect during the loan, Appendix Q’s watchwords are “stability” and “predictability.” Before it may count an income stream, the lender must be able to document that the income stream has existed for some time and that it is reasonable to conclude that it will continue.
For unemployment income, Appendix Q says that the lender must document that the unemployment income has existed for two years, and have reasonable assurance that this income will continue. As unemployment benefits in most states last only up to 26 weeks, this requirement will eliminate counting unemployment benefits for most borrowers. There are, however, times when lenders may count unemployment income when making a Qualified Mortgage.
Appendix Q tells us, “this requirement may apply to seasonal employment.” There are fields of employment where it is customary for employees to be laid off at certain times of the year or between contracts. In jobs featuring consistent unemployment, such as construction or contracting, where shutdowns are frequent, or other seasonal employment may also create a situation where these workers consistently supplement their overall income with unemployment benefits. In these cases, a lender may consider the unemployment income, as long as it can demonstrate the consistency and predictability Appendix Q requires.
Compliance Alliance offers many tools to help you navigate the ATR and Qualified Mortgage rules in our ATR QM Toolkit. We also provide a webinar to help train your team. As always, feel free to contact us on the Hotline, with any specific questions.
Remittance Transfers
by C/A Staff
With the new Regulation E (Reg E) Remittance Transfer Final Rule becoming effective on July 21, 2020, our Members have been asking many questions on how they would be affected. The most commonly asked questions related to the new safe harbor thresholds and the compliance dates that the Banks needed to update their policies by. The first thing to note in the Final Rule is that the safe harbor threshold to be considered a “Remittance Transfer Provider” was increased from 100 to 500 or fewer remittance transfers in the calendar year. The section of the Reg E that is being modified is:
(i) Safe harbor. For purposes of paragraph (f)(1) of this section, a person is deemed not to be providing remittance transfers for a consumer in the normal course of its business if the person:
(A) Provided 100 500 or fewer remittance transfers in the previous calendar year; and
(B) Provides 100 500 or fewer remittance transfers in the current calendar year.[1]
This means that some Banks that were previously considered “Remittance Transfer Providers” would be covered under the new safe harbor as long as the Banks have provided 500 or fewer remittance transfers in both the previous and current calendar years. For Banks covered under the new thresholds and deciding to stop providing disclosures for remittance transfers, the Banks are not required by Reg E or the Final Rule to provide a change in terms notice to its customers. However, Banks are also not prohibited from sending a notice if they wish to inform their customers of these newly adopted changes.
Assuming the Bank exceeds the thresholds for the safe harbor, the Bank would be subject to the disclosure rules of Reg E. With the temporary exception for allowing estimates going away on July 21, 2020, the Bank would have to modify its Reg E procedures depending on whether the Bank qualifies for the two new exceptions that would permit the Bank to continue to use estimates. The first exception is if the Bank made 500 or fewer remittance transfers to the designated recipient’s institution in the prior calendar year and cannot determine the exact amount of the covered third-party fees at the time of disclosures. The second is if the Bank made 1000 or fewer transfers in the prior calendar year to the country for which the designated recipients of those transfers were received in the country’s local currency and the Bank cannot determine the exact exchange rate for that particular transfer.
The Final Rule is providing a transition period to adopt these new changes. The length of the transition period is a “reasonable period of time” not to exceed six months. Consequently, Banks would be required to comply with these newly issued changes by January 21, 2021 at the latest. This same “reasonable period of time” applies to Banks in the future as well when they eventually exceed the safe harbor thresholds in the future from the date that Banks make the 501st Remittance Transfer in the second consecutive year.
Three’s a Crowd: Third-Party Risk Management
C/A Staff
Little did the OCC know that when they issued their Bulletin 2020-10 back in early March 2020 they were looking into the future, right at the risks resulting from COVID-19. Bulletin 2020-10 discussed third-party relationships and frequently asked questions to supplement prior Bulletin 2013-29. The OCC attempted to clarify its existing guidance to reflect evolving industry trends.
COVID-19 brought third-party risk management under a microscope. During a time of crisis, it is imperative banks know who their critical suppliers are and that they remain proactive in monitoring them for risk, and ensuring they are complying with business continuity plans. OCC Bulletin 2020-10 emphasized a need for risk management, but also a need for periodically assessing existing third-party relationships to determine whether the nature of the activity performed constituted as a critical activity. It aims to assist organizations in understanding the topics that arise within an effective third-party risk management program. Just because the bank relies on third parties does not diminish its responsibility to perform activities in a safe and sound manner. But it is important to remember, all third-party management must be commensurate with the level of risk and complexity of its third-party relationships.
Third-party relationships are any business arrangement between a bank and another entity, by contract or otherwise. “Business arrangements” are broad in scope and are used synonymously with the term third-party relationships. This can include outsourced products and services, independent consultants, networking arrangements, merchant payment processing, joint ventures, referral arrangements, (are you out of breath yet?) appraisers and appraisal management companies, professional service providers and a multitude of other business arrangements. Banks need to conduct in-depth due diligence and ongoing monitoring of each of their third-party service providers that support critical activities. The bank may need to use alternative means in order to receive all the information it seeks regarding a third-party provider.
Everyone knows what risks can arise from third-party relationships: reputational, operational, business continuity and resilience, information security and privacy, strategic, regulatory, and financial risks to name a few. Risk-mitigating controls must be in place so that risk-based decisions can be ascertained. It is important banks consider a comprehensive, data-driven way to control risk through third-party relationships. But also, banks need to assure that any third-party contracts are actually meeting the bank’s needs. Organizations need to be confident in the services being outsourced and that they are secure and resilient.
Mature third-party risk management programs have adopted a three-tier structure of first, second and third lines of defense. Implementation of these tiers will vary by each institution, but the overall concept remains the same: starting at the business or business unit level, this program is aimed at preventing risk exposure and protecting the organization. The COVID-19 pandemic has exposed issues within many companies, particularly a lack of visibility into their third-party relationships. Thorough third-party risk management processes, particularly those referencing the OCC’s 2020-10 Bulletin, will assist stakeholders with access to the business and operations with meeting their program’s standards (and any regulatory expectations).
Financial Services for Hemp Related Businesses
By C/A Staff
What does the passing of the 2018 Farm Bill and the 2019 USDA Interim Final Rule relating to hemp mean for financial institutions? =
It means that banks can provide financial services for hemp related businesses if conditions are met, a United States Department of Agriculture (USDA) approved plan for monitoring and regulating the domestic production of hemp is implemented, the hemp is within the concentration limits set forth under the bill, and the bank’s Bank Secrecy Act and Anti-Money Laundering Program (BSA/AML) is designed to comply with regulatory requirements.
Confusion has always surrounded hemp, as it was deemed illegal for being in the same family or part of the same plant as marijuana. But hemp is a different variety of the cannabis plant and does not contain the same chemical compounds found in marijuana, which provide a psychological “high.”
Often, banks are reluctant to provide financial services for hemp-related businesses because it is associated with the cannabis plant, and because it was once on the list of controlled substances. It is important to understand the difference between the two varieties of the plants so banks can make a sound decision when it comes to providing financial services for these types of businesses. Hemp can be used for manufacturing, production, or medicinal purposes. It is no longer a federal violation to produce hemp, provided it contains no more than a 0.3% concentration of tetrahydrocannabinol, or THC, and follows the domestic hemp production regulatory program required to facilitate the legal production.
It is also important to note that the 2018 Farm Bill includes not only hemp, but hemp derivatives such as CBD or cannabidiol. Marijuana, however, is still a controlled substance under federal law. The Agriculture Improvement Act of 2018, more commonly known as the 2018 Farm Bill, was signed into law on December 20, 2018 removing hemp as a Schedule I controlled substance under the Controlled Substance Act. The bill directed the USDA and the U.S. Attorney General to regulate the production of hemp and the interim final ruled issued on October 31, 2019 provided guidance for establishing a regulatory program. The interim final rule also provides guidance for establishing a federal license to produce hemp in states and tribal territories that do not maintain USDA-approved plans.
It is critical that banks are aware of the conditions which allow for the legalized production of domestic hemp. Prior to providing financial services to hemp related businesses, banks must first determine that their state has submitted for approval, a plan for the regulation and monitoring of domestic hemp production or that it complies with the amended section 297C of the Agricultural and Marketing Act. Banks should also look closely at the guidance issued by FinCEN which provides risk considerations associated with hemp related businesses.
In addition to risk considerations, banks should implement risk assessments that will aid in monitoring and reporting obligations. A bank’s BSA/AML Program should be commensurate with its size and complexity, and must be strong enough to handle the risk associated with this type of business. Policies and procedures under the program must address customer due diligence and enhanced due diligence and must identify how the bank will comply with regulatory requirements of hemp related businesses (e.g.: what information and documentation will be collected to ensure compliance with the THC limits). Unlike banking marijuana related businesses, the bank does not have an obligation to submit marijuana related suspicious activity reports (SAR), however, the obligation is still in place for suspicious or illegal activity. Finally, banks should work with their board of directors and legal counsel to determine risks, benefits, and approval of financial services.