Check Fraud Tools Are Everywhere
For some reason, the first thing I thought of when selecting todayâs topic was Smokey Bearâs famous quote: âOnly YOU can prevent forest fires.â Forest fires are not check fraud. Admittedly, it is not a perfect analogy and saying âyou can do a lot to prevent check fraud and respond to itâ does not have the same ring to it. As everyone reading this knows, check fraud is a hot issue. FinCEN has noted significant upticks each of the last couple of years, and Iâm sure all of our members have seen this issue pop up; we certainly get many questions about it on the Compliance Hub Hotline. Our member banks have a number of resources available to help with check fraud issues, and we want to make sure everyone knows exactly what is available.
Over the last year, we have put out two webinars on check fraud. There is our âHow to Deal with Fraudulent Checksâ webinar from May 2023 and our âA Closer Look Into Altered Checksâ webinar from October 2023. If watching webinars isnât your thing, each of our webinars has a desk manual that lays out the content in writing and provides legal/regulatory citations to the relevant information.
We have a number of articles related to this subject as well. The feature article of our November 2023 ACCESS Magazine was âBreaching Confusion on Breaches of Warranty.â Our June 2023 ACCESS Magazine feature article was âThe Midnight Deadline and Presentment Warranties.â We also have a prior newsletter article on the latter subject as well.
When dealing with a check fraud or forgery claim our âAffidavit for Check Forgeryâ tool may be useful. Our Regulation CC Toolkit may also be useful here, particularly with establishing any holds on questionable checks.
Last year, FinCEN issued an alert about the check fraud surge. This alert provides red flags to assist banks in meeting their BSA obligation to identify and report suspicious activity. The alert encourages banks to share information under the safe harbor authorized by Section 314(b) of the USA PATRIOT Act; refer to FinCENâs Section 314(b) page for additional information.
The United States Postal Inspection Service published Tips & Prevention on scams, an information page on check fraud, and a brochure banks can send to their customers, titled âDonât Be a Victim of a Check Scam.â It also provides forms to report fraud.
The ABA offers a Check Fraud Claim Directory of contact information for banks needing to file a check warranty breach claim with another bank. It may be helpful when attempting to communicate with larger banks. To access the directory, a bank must participate by providing its fraud contacts but banks do not need to be an ABA member.
Check service providers commonly offer products and services designed to mitigate check fraud. Banks can contact their provider about whether these sorts of potential features are offered.
Remember, âyou can do a lot to prevent check fraud and respond to it.â
CFPB Wins at Supreme Court
Last week, the United States Supreme Court issued its long-awaited decision on the challenge to the CFPBâs funding mechanism, which posed an existential threat to the agency. In short, the Court ruled that the CFPBâs funding does not violate the U.S. Constitutionâs Appropriations Clause. Given that several of the CFPBâs recent rulemaking were delayed awaiting the Supreme Courtâs decision, though, your next thought may naturally be, âwell whatâs next?â
Shortly after the ruling, the CFPB issued a statement about the decision, saying that â[T]he CFPB is here to stay.â And that âThis ruling upholds the fact that the CFPBâs funding structure is not novel or unusual, but in fact an essential part of the nationâs financial regulatory system, providing stability and continuity for the agencies and the system as a whole.â In essence, the CFPB claims that itâs not going anywhere.
The day following the ruling, the CFPB held a virtual press conference to address industry uncertainty. The CFPB noted that multiple rules are still under challenge in different courts, including the payday lending rule, credit card late fee rule, and, the one everyone asks about, the Section 1071 small business lending rule. The CFPB indicated it would file for motions to lift stays for any matter that was paused in anticipation of the Supreme Court decision, meaning the agency intends to get the implementation of these rules back on its schedule. However, the CFPB also noted that in each of the stayed matters, opposing parties have raised arguments aside from the constitutional argument the Supreme Court just ruled on, and they will need to resume litigation efforts to fight these matters on the merits. Additional rulings in these outstanding cases could further impact the compliance dates or ultimate requirements for the rules, but whether that will happen remains to be seen. The CFPB also noted in its press conference that it anticipated a favorable outcome from the Supreme Court and that it is âfiring on all cylindersâ and expanding its enforcement department.
Additionally, the CFPB has issued informal guidance and will issue an interim final rule regarding the extension of the 1071 small business lending rule compliance dates. Based on the 290 days between the initial preliminary injunction issued in the Rio Bank/TBA lawsuit and the Supreme Court ruling, the CFPB extended the compliance dates from the original dates. For Tier 1 institutions, the compliance date is extended from October 1, 2024 to July 18, 2025, with the initial filing required by June 1, 2026. For Tier 2 institutions, the compliance date is extended from April 1, 2025, to January 16, 2026, with the initial filing required by June 1, 2027. For Tier 3 institutions, the compliance date is extended from January 1, 2026 to October 18, 2026, with the initial filing required by June 1, 2027.
Time to Review Your Third-Party Relationships⌠Again!
Understanding regulator expectations on managing third-party relationships just got a little bit easier. Earlier this month, the Board of Governors of the Federal Reserve System (the “Federal Reserve”), the Federal Deposit Insurance Corporation (“FDIC”), and the Office of the Comptroller of the Currency (“OCC”) jointly released “Third-Party Risk Management: A Guide for Community Banks,” presenting it as a resource for community banks to bolster their third-party risk management programs, policies, and practices. Let’s break it down.
Risk Management
The Guide underscores the need for comprehensive initial risk assessments tailored to the third party and emphasizes governance practices, such as oversight mechanisms and documentation procedures. Recognizing the varied nature of third-party relationships and the differences in risks for community banks is essential. Banks should tailor their risk management practices according to their size, complexity, and risk profile, and periodic assessments should gauge the risks of each partnership. Effective risk management requires the active involvement of bank personnel with the requisite expertise at each phase of risk management.
Five-Stage Life Cycle
The Guide lays out a five-stage life cycle for risk management of third-party relationships:
Planning. Planning is paramount because it enables a bank to proactively identify and mitigate risks associated with a proposed relationship. Key considerations include:
- Assessing legal and compliance requirements applicable to the prospective activities.
- Evaluating whether the anticipated benefits outweigh the potential costs and risks.
- Determining the extent of interaction the third party will have with customers.
Due Diligence and Third-Party Selection. Adequate due diligence requires evaluating a third party’s ability to perform activities as expected and adhere to the bank’s policies and legal requirements. The Guide recommends an examination of the third party’s available resources and expertise, past performance, and utilization of technologies that may introduce greater risk. To assess the suitability of a third-party relationship, it is advised that banks examine various sources of information, such as audited financial statements and relevant policies and procedures. Additionally, banks should examine consumer complaints, strategic plans, training programs, audit reports, and insurance coverage to ensure a comprehensive risk assessment strategy.
Contract Negotiation. Banks need to align contract terms with their strategic objectives, regulatory requirements, and risk management policies. Contracts should set forth each partyâs responsibilities and include governance and escalation protocols, address data access rights, and assess potential scenarios for breach of contract.
Ongoing Monitoring. Continuous monitoring of third-party activities is necessary for ensuring compliance with contractual requirements and facilitating timely adjustments to risk management practices.
Termination. Although termination of a third-party relationship may become necessary, the Guide encourages banks to carefully consider the potential impact of termination during the planning phase to minimize costs and disruptions, especially for higher-risk activities. Considerations include assessing the effects of termination on bank operations and compliance with applicable laws and regulations, determining access to bank systems or information granted to the third party, and ensuring access to data for compliance with BSA requirements and other recordkeeping obligations. The Guide suggests leveraging resources such as third-party contract terms, transition plans, and strategies to minimize disruption to customer accounts and operations.
The Intersection of Commercial Lending and Consumer Protections
Compliance officers are quick to dismiss commercial loans as almost burdenless compared to consumer transactions. They worry about the alphabet soup of consumer compliance regulations, with âconsumerâ being the operative word. Commercial loans donât involve consumers; therefore, there is no need to worry about consumer regulations, right? Wrong.
If I had to guess, Iâd say most of your minds went to the Equal Credit Opportunity Act (ECOA) or its implementing regulation, Regulation B, as you read the opening paragraph. Just like with consumer applications, denying a commercial application requires Regulation Bâs adverse action notice, so it is often thought of as a consumer regulation but it clearly applies in the commercial context. It would help if you also kept in mind that the rules on denying on a prohibited basis also apply in the commercial context and that the ever-dreaded 1071 rule also resides in Regulation B and is specifically directed at commercial credit.
Another obvious example of consumer rules applying to commercial credit is flood insurance. Commercial credit secured by a structure in a flood zone is subject to flood insurance rules just like consumer credit, with the notable exception being that there is an exemption from the escrow requirement.
Some banks are surprised to learn that the Servicemembers Civil Relief Act (SCRA) applies to commercial loans. The SCRA provides certain financial protections to servicemembers and, in some cases, their spouses, dependents, and other persons subject to the obligations of servicemembers. The SCRAâs protections apply to obligations contracted before entering military service, and no distinction is made between consumer and commercial credit, so donât be so quick to SCRA when dealing with a servicememberâs business loan.
HMDA has an explicit exception for commercial credit: âThe requirements of [HMDA] do not apply to ⌠[a] closed-end mortgage loan or open-end line of credit that is or will be made primarily for a business or commercial purpose.â However, the exception goes on to note that it applies unless the credit meets the definition of a home purchase loan, refinancing, or home improvement loan under HMDA. Hence, the exception is much narrower than it seems at first glance. Banks need to remember the potential transactional reporting requirements that may apply when they have business credit secured by a dwelling.
Everyone knows that Regulation Z primarily focuses on consumer credit. Commercial credit is specifically exempted. However, two provisions may apply to credit cards issued for business purposes. First, credit cards can be issued, regardless of their purpose, only in response to an application, oral or written request, or as a substitute for or renewal of an existing card. Second, the regulation has provisions specifically applicable to the unauthorized use of a credit card where a card issuer provides ten or more credit cards for use by the employees of an organization.
The most common questions on the Compliance Hub Hotline about Regulation CC involve consumer check deposits. The regulation sets forth the requirements for banks to make funds deposited into transaction accounts available according to certain time schedules and disclose their funds availability policies to customers. The regulation applies to both consumer and commercial accounts, so remember that the next time a commercial customer comes in to make a check deposit.
Always question what you think you know in compliance and when youâre having doubts, please feel free to reach out to us on the Compliance Hub Hotline.
TCPA and Banks
Marketing is the lifeblood of the banking industry. How to reach customers, when to reach customers, incentivize customers, and generate new sales and leads is a non-stop part of the industry. With people living their lives increasingly online, foot traffic has continued to decrease year over year, so banks are forever looking for new ways to connect with prospective clients. In the marketing-driven world, regulators and lawmakers alike have established restrictions on the ways in which marketing businesses, like banks, may engage with consumers.
The Telephone Consumer Protection Act (TCPA) emerged in response to growing concerns about invasive and unsolicited telemarketing practices that were becoming increasingly common in the late 1980s and early 1990s in the United States. As complaints about these intrusive telemarketing tactics mounted, Congress recognized the need to protect consumers from these unwanted communications. The TCPA was passed in 1991 to address these concerns and regulate various aspects of telemarketing, automated calls, and fax communications. It aimed to regulate telemarketing calls and specific practices, granting the Federal Communications Commission (FCC) regulatory authority under the law.
Over the years, the FCC implemented various rules under the TCPA, including establishing do-not-call lists and creating a national Do-Not-Call registry in 2003 to cover most telemarketers. The regulations also targeted reducing hang-up calls and dead air by imposing restrictions on autodialers and requiring Caller ID transmission. The FCC updated its rules in 2012, requiring explicit consent for automated calls and providing an opt-out mechanism for consumers. Further revisions in 2019 and 2021 introduced exemptions for reassigned telephone numbers, eliminated opt-out notices for fax advertisements with prior consent, and implemented exemptions for certain types of calls made by financial institutions.
Financial institutions, including banks and credit unions, fall under the purview of the TCPA regulations, subject to enforcement by regulatory bodies such as the FDIC, the Federal Reserve, the OCC, and the NCUA, not the FCC. Under section 8 of the Federal Deposit Insurance Act, these agencies can enforce compliance, issue cease and desist orders, restitution, and impose civil money penalties for TCPA violations. Declaratory rulings by the FCC serve as guidance for interpreting and applying TCPA regulations in specific scenarios. However, violations are cited based on the TCPA and its implementing rules rather than on these rulings. Violators may be fined up to $51,744 per violation, and each call may be considered a separate violation.
There is the closely related Telemarketing Sales Rule (TSR). This rule issued by the FTC affects the Telemarketing and Consumer Fraud and Abuse Prevention Act. This legislation gives the FTC and state attorneys general law enforcement tools to combat telemarketing fraud, gives consumers added privacy protections and defenses against unscrupulous telemarketers, and helps consumers tell the difference between fraudulent and legitimate telemarketing. A question that occasionally comes up on hotline is whether TSR applies to banks. In short, no, it does not. Banks fall outside of the FTCâs jurisdiction and, therefore, they are not subject to TSR.
If you have any questions or concerns about the TCPA or TSR, please feel free to contact the Compliance Hub hotline. You may also find our TCPA Cheat Sheet useful!