Due Diligence Before Getting Into Crypto
The Federal Reserve Board (FRB) recently issued letter SR 22-6 regarding the engagement in crypto-asset-related activities by FRB-supervised financial institutions, including those with less than $10 billion in assets. The FRB encourages financial institutions that have questions to submit them via the FRB’s website.
Letter SR 22-6 provides that FRB-supervised financial institutions engaging or seeking to engage in crypto-asset-related activities should notify their lead supervisory point of contact at the Federal Reserve prior to engaging in any crypto-asset-related activity, to ensure that the activity desired is legally permissible, and if any filings are required under state or federal laws. State member banks are also encouraged to notify their state regulator prior to engaging in any crypto-asset-related activity.
Prior to engaging in these crypto-asset-related activities, financial institutions should ensure they have adequate systems in place to identify, measure, monitor, and control the risks associated with these crypto-asset-related activities on an ongoing basis. These systems should cover operational risk, financial risk, legal risk, compliance risk, and any other risk necessary to ensure the activities are conducted in a manner that is consistent with safe and sound banking practices and in compliance with applicable laws, including consumer protection statutes.
The FRB gives examples of operational risk, such as, the risks of new and evolving technologies; the risk of hacking, fraud, and theft; and the risk of third-party relationships. The FRB indicates that the compliance risks include compliance with the Bank Secrecy Act, anti-money laundering requirements, and sanctions requirements.
Crypto-asset-related activities present potential opportunities to financial institutions, their customers, and the overall financial system; however, these activities may pose risks related to safety and soundness, consumer protection, and financial stability, including the following:
- Technology and operations: The technology underlying these emergent crypto-assets is still evolving, and these are thought to pose risks similar to cybersecurity. These risks are enhanced when the technology underlying these crypto-assets involves open, permissionless networks
- Financial stability: Certain types of assets, such as stablecoins, if embraced by large numbers of people, could pose risks to financial stability including through disruptions in the payment systems.
- Anti-money laundering and countering of financing of terrorism: The somewhat anonymous nature of crypto-assets can be used to facilitate money laundering and finance criminal activity. Some crypto-assets have limited transparency, making it difficult to identify and track ownership, which has been a criticism of these assets by various government entities whose responsibility it is to reduce and prevent money laundering and other financial crimes.
- Consumer protection and legal compliance: Crypto-assets pose consumer risks such as a) price volatility, b) misinformation, c) fraud, d) theft and e) loss. In addition, financial institutions engaging in crypto-asset-related activities face potential legal and consumer compliance risks stemming from a range of issues, including a) uncertainty regarding the legal status of certain crypto-assets, b) potential exposure arising out of losses by consumers, c) operational failures, d) relationships with crypto-asset service providers; e) and limited legal precedent regarding how crypto-assets would be treated in varying contexts, including loss or bankruptcy.
FDIC Updates RMS and Compliance Manuals
The Federal Deposit Insurance Corporation (FDIC) has been busy updating exam related materials, with multiple updates to the Risk Management Manual of Examination Policies (RMS Manual), specifically the sections on Capital and Examination Planning. The RMS Manual provides FDIC examiners information relating to examination activities and supervisory practices. It also promotes consistency in examination activities, which center on evaluating an institution’s capital, assets, management, earnings, liquidity, sensitivity to market risk, and adherence to laws and regulations. The RMS Manual had most recently been updated in March 2022 with updates to Section 1.1 Basic Examination Concepts and Guidelines and Section 4.1 Management.
The FDIC has also recently updated the Consumer Compliance Examination Manual, specifically the section related to the Telephone Consumer Protection Act (TCPA). The Consumer Compliance Examination Manual is a primary resource and reference tool for FDIC compliance examination staff to use in support of conducting Consumer Compliance and Community Reinvestment Act examinations and other supervisory activities. This manual incorporates examination policies, procedures, and guidance. The Consumer Compliance Manual had most recently been updated in June 2022 with updates to II-1.1 Overview of Consumer Compliance Examinations, II-4.1 Pre-Exam Planning, II-5.1 Review and Analysis, II-6.1 Communicating Findings, II-8.1 Investigations and Visitations, and VII-1.1Unfair, Deceptive, and Abusive Practices.
Risk Management Manual of Examination Policies – Section 21.1 Examination Planning
In August 2022 the examiner instructions found RMS Manual Section 21.1 Examination Planning were enriched by providing an update on identifying those examination activities to be used for off-site review and those which are better suited for an on-site review. Further, these updates incorporated best practices for requesting examination information from financial institutions.
Risk Management Manual of Examination Policies – Section 2.1 Capital
In August 2022 Section 2.1 Capital of the RMS Manual was updated to include a new capital planning section and revised instructions for those institutions that have adopted the Current Expected Credit Losses (CECL) methodology or the Community Bank Leverage Ratio (CBLR) capital framework.
Consumer Compliance Exam Manual – Telephone Consumer Protection Act
In August 2022 the FDIC updated its Consumer Compliance Examination Manual to include revisions to Chapter VIII-5.1 Telephone Consumer Protection Act. This section was updated to conform to requirements for telemarketers a) to no longer allow the use of the “established business relationship” to avoid getting consumer consent, b) to obtain prior express written consent from consumers before making calls with an auto dialer or that contain a message made with a pre-recorded or artificial voice, and c) to require telemarketers to provide an automated, interactive “opt-out” mechanism during each of the calls made with an auto dialer or contain a message made with a pre-recorded or artificial voice, so that consumers can immediately tell the telemarketer to stop.
Reg E: Credit? Investigate? Both?
It’s fair to say that the error resolution procedures found in § 1005.11 could be a little more detailed or more clearly written, and as a result there would be less confusion than there currently is. It’s a familiar story: your customer contacts you on Wednesday letting the bank know they discovered unauthorized charges on their account two days earlier, on Monday, and would like to dispute these charges. Since the customer contacted the bank within two business days of discovering the error as allowed under § 1005.6, so the bank is looking at most of the liability if the disputed transactions are determined to be errors.
At this point financial institutions will begin their error resolution procedures and begin their investigation. But what is an investigation? What is the bank required to do? What may the bank do if they choose? Regulation E does not provide a lot of guidance for how to investigate, other than to say a financial institution’s review of its own records satisfies the requirements if the transaction concerns a transfer to or from a third party and there is no agreement between the institution and the third party. Because of the minimal guidance provided in the regulation and commentary, some banks keep investigations in-house, while some use a third-party to handle the investigations.
Third party investigations normally cost the bank some nominal fee, regardless of the outcome of the investigation. Depending on the outcome the bank may be looking at just a loss of the investigation cost, or both a loss of the investigation cost and the cost to provide the customer with a credit for the unauthorized charges.
The two things banks ask at this point are: 1) Can we pass this investigation cost onto the customer? and 2) Can we just give the customer a credit without investigating the matter?
Passing on the cost
It is our interpretation that banks may not pass along the investigation costs to the customer because the bank is required by Regulation E to conduct an investigation if the customer makes disputes a charge. If the bank were to try and impose a fee for this investigation, the customer would not be under any obligation to pay this fee, as the bank is required to investigate and credit the customer’s account, even if no fee is paid. There is also an element of UDAAP, as a question of fairness to the customer in that charging them for investigations could discourage legitimate disputes, knowing if no error is found, the customer would lose both whatever they lost in the transaction as well as the investigation fee.
Credit without investigation
According to the Reg E commentary a financial institution may make a final correction to an account in without investigation but must comply with all other applicable requirements of § 1005.11. It’s unclear exactly what the bank may skip in 1005.11 if there will not be an investigation conducted, as the requirements in 1005.11(c),(d), and (e) would all seem not to apply. Section (a) is merely a definitions section, so perhaps the remaining part of 1005.11(b) is the only applicable part. However, 1005.11(b) pertains to the requirements of the notice from the customer and not necessarily responsibilities for the bank. The conservative interpretation of this section provides that the bank may provide a credit but that some minimal level of investigation should be done, such as simply reviewing the bank’s records. For example, the bank could review their records and note the file that the customer’s assertion of error was not contradicted by the bank’s records, and that a notice of a determination of error was communicated to the customer in accordance with 1005.11(d).
Objection! Confidential DOL Data Sought by FOIA
The U.S. Department of Labor (DOL) recently published a Notice of a Freedom of Information Act (FOIA) request seeking the disclosure of employee diversity data submitted by federal contractors. The data sought are Type 2 Consolidated EEO-1 Reports submitted between 2016 and 2020. These EEO-1 reports consist of a demographic data categorized by race/ethnicity, sex and job category, and are required to be submitted to the DOL annually by federal contractors. The Department of Labor suspects that the EEO-1 reports and information contained therein may be protected from disclosure under a FOIA exemption and is inviting objections via this Notice.
It has not yet been determined if EEO-1 reports and information are exempt from disclosure, as the matter has been contested among federal contractors, the DOL, FOIA requesters, and the courts. It is argued that FOIA Exemption 4 which protects the disclosure of confidential commercial information is the authority by which these EEO-1 reports and information are exempted.
Because whether this exemption applies has not yet been determined, the DOL is requesting that any who filed Type 2 Consolidated EEO-1 Reports as federal contractors at any time from 2016-2020, and object to the disclosure of these EEO-1 Reports or information, submit those objections by October 19, 2022. The original notice required objections by September 19 but was extended to October 19 to accommodate numerous contractors who requested an extension, and to clarify for some federal contractors whether they’re covered by this request.
Financial institutions that do not consider themselves to be federal contractors need not object to this Notice, but those that consider themselves to be federal contractors who choose to object should do so by October 19, 2022.
This notice suggests the DOL may choose to disclose the EEO-1 reports of any federal contractors who submitted EEO-1 reports 2016-2020 and do not object to their disclosure by October 19, 2022. Objections may be submitted online through the DOL’s Submitter Notice Response Portal, via email to [email protected] or by mail.
Questions posed by the Department of Labor in the Notice to be considered:
- What specific information from the EEO-1 Report does the contractor consider to be a trade secret or commercial or financial information?
- What facts support the contractor’s belief that this information is commercial or financial in nature?
- Does the contractor customarily keep the requested information private or closely-held? What steps have been taken by the contractor to protect the confidentiality of the requested data, and to whom has it been disclosed?
- Does the contractor contend that the government provided an express or implied assurance of confidentiality? If no, were there express or implied indications at the time the information was submitted that the government would publicly disclose the information?
- How would disclosure of this information harm an interest of the contractor protected by Exemption 4 (such as by causing foreseeable harm to the contractor’s economic or business interests)?
Investigating Frivolous Disputes
More than 200 million American consumers have files with at least one of the credit bureaus. Although there are only three main credit bureaus, there are more than 15,000 furnishers of information to the credit bureaus. The Federal Trade Commission (FTC) estimates that 20% of Americans have a verifiable error on their credit report, and consumer-reported data indicates that errors could be even more common than FTC estimates. Errors or inaccuracies on a credit report are problematic because they can lead to a consumer being refused employment, unable to open bank accounts or denied loans.
Because of the importance of having accurately reported credit information, it is vital to consumers that they have an opportunity to correct these errors or inaccuracies. To achieve this, the Fair Credit Reporting Act (FCRA) provides consumers different ways to dispute the accuracy of information on their credit report, directly or indirectly.
In a direct dispute a consumer may dispute the accuracy of the information directly with the furnisher of the information. In an indirect dispute: a consumer may dispute the information with the credit bureau and have the bureau refer the dispute to furnisher. Furnishers have the authority to consider direct disputes frivolous, not investigate, and send a notice to the consumer of this determination. Credit reporting agencies (e.g., credit bureaus) have the authority to consider indirect disputes frivolous, and not refer them to furnishers.
Some furnishers have argued that they also have the authority to consider indirect disputes frivolous and may ignore the referrals and neither investigate nor provide notice to either the credit bureau or the consumer. However, in a recent posting on their website, the CFPB indicates this is not the case, and that the furnisher has an obligation to investigate based on the text of the FCRA, as detailed below.
First, according to the CFPB, the text of the FCRA is clear and unambiguous. The Fair Credit Reporting Act does not contain any language that exempts a furnisher from investigating frivolous disputes simply because they are forwarded by credit bureaus. If the drafters of the FCRA wanted to allow for this exemption, they would have included it in the text of the law, in the view of the CFPB.
Second, consumers are entitled under the FCRA to be informed about the result of their dispute and to be informed of the options available. When the FCRA discusses the idea that not all disputes need to be investigated, the FCRA still requires that the consumer be notified and informed of additional information that would be necessary for the dispute to be investigated. If furnishers were allowed to ignore disputes referred to them by credit bureaus, then the consumers who submitted those disputes would fail to be informed about the result of their dispute and would not be told what is necessary for the dispute to be investigated. If a consumer files a dispute, there must be communication to the consumer regarding that dispute.
Third, in the view of the CFPB, the FCRA provides protection to furnishers from needing to investigate frivolous disputes since the statute allows credit bureaus to filter out frivolous disputes which prevents them from being forwarded to furnishers. Since the credit bureaus are able to screen out frivolous disputes, in the opinion of the CFPB, there is not a reason to allow furnishers to also reject disputes they consider to be frivolous.