Compliance Blog

Sometimes, I think I can predict the future. For example, I know that tomorrow morning my seven-year-old son will wake up at some ridiculously-early time of day. This happens basically every morning – he’s out of his bedroom before 6am despite the fact that my wife and I have repeatedly asked him to try to get more sleep and will often send him back to his room to wait until a more acceptable time. Okay, maybe that’s not really “predicting the future” so much as it’s just recognizing a pattern of behavior and knowing that it’s likely to continue.

Knowing what has happened in the past may help you predict what is likely to occur in the future – this is true in compliance as well. For example, the Consumer Financial Protection Bureau (CFPB or bureau) periodically publishes their Supervisory Highlights – a document which describes violations of federal laws or regulations that CFPB examiners have observed while supervising financial institutions. Often, the violations described in those publications will come up again later in the form of enforcement actions or agency guidance. For example, in March 2023 the bureau published their Winter 2023 Supervisory Highlights, which focused on “junk fees.” In that document, the bureau noted that examiners found potential violations of the prohibition on unfair, deceptive and abusive acts or practices (UDAAP) when institutions where charging “multiple NSF fees for the same transaction” because the transaction had failed more than once due to lack of funds. That violation came up again three months later when the CFPB brought an enforcement action against Bank of America, ultimately assessing a $60 million civil money penalty for that same behavior. 

Recently, the CFPB published its Summer 2023 edition of Supervisory Highlights. Credit unions may want to be become familiar with the potential violations described in the publication – like a crystal ball, this publication could show compliance professionals where examiners are likely to apply scrutiny and what violations may form the enforcement actions of tomorrow. Let’s do a review:

Charging NSF and Transfer Fees for the Same Transactions

The CFPB notes that “[e]xaminers found unfair acts or practices due to institutions’ assessment of both nonsufficient funds (NSF) and line of credit transfer fees on the same transaction.” Some institutions allow a consumer to link a line of credit to their share account so that, if an overdraft occurs, a transfer is made from the line of credit to cover it. This seems to be acceptable to the bureau. However, in situations where the line of credit did not have enough funds to cover the overdraft, the transfer wouldn’t go through and an NSF fee would be charged. That also seems to be acceptable. The real issue seems to be that when an NSF fee was charged, if that fee caused the account to become negative, then some institutions would permit a transfer from the line of credit to cover the amount of the fee and would charge a transfer fee and interest. Thus, the CFPB found potential UDAAP violations where institutions are charging transfer fees for funds transferred specifically to cover other fees, such as NSF fees. The bureau described this practice as an unfair act or practice. This seems to be another instance of the bureau objecting to multiple fees being charged due to one transaction, like the “multiple NSF fees” issue discussed above.

Cancelling Automatic Loan Payments When One Payment Remained Due

According to the CFPB, some auto loan servicers had a policy of requiring a final loan payment to be made manually, and thus prohibited making the final payment via automatic transfer. While this may have been disclosed at the time the loan was made, the CFPB says some servicers “did not provide any additional communication to consumers before the final payment was required.” When only one payment was left, the servicers would cancel the automatic payments, which would result in some consumers missing their final payment and being assessed late fees. According to the bureau, cancelling automatic payments without additional notice or reminders was an unfair act or practice.

Cross-Collateralization – Requiring Consumers to Pay Other Debts to Redeem Vehicles

Some credit unions use cross-collateralization clauses, which the bureau describes as “clauses allowing [credit unions] to use the vehicle to secure other unrelated unsecured debts [members] owe to the [credit union].” On this particular topic, the CFPB noted that some auto servicers, when servicing a delinquent auto loan with a cross-collateralization clause, would repossess the vehicle and accelerate all of the debts owed, including those other “unrelated unsecured debts.” When a borrower tried to recover his or her vehicle, the servicer told them they would have to pay the amounts of all the accelerated debts to get the vehicle back, rather than just the delinquent auto loan. The bureau described this practice as both unfair and abusive.

Handling Frivolous or Irrelevant Direct Disputes

Under Regulation V, credit unions have a duty to investigate direct disputes – i.e. disputes received directly from a member about credit reporting data the credit union has furnished about them. Section 1022.43(f) states that a furnisher (such as a credit union) is not required to investigate a direct dispute if the furnisher has “reasonably determined that the dispute is frivolous or irrelevant.” That section does, however, require the furnisher to provide a notice to the consumer within 5 business days after making the determination that the dispute is frivolous or irrelevant. The notice informs the consumer that the determination was made and must also provide the reasons for the determination and any information required to investigate the dispute.

The CFPB’s Supervisory Highlights notes that some furnishers determined a dispute was frivolous or irrelevant and merely decided not to investigate further, without providing the notice required in section 1022.43(f). Other furnishers provided the notice but stated that an entire unredacted copy of the consumer’s credit report was required to investigate the dispute, where the CFPB claims less information would have sufficed.

Information Technology Practices

As we blogged about last year, the CFPB announced in an August 2022 Consumer Financial Protection Circular that insufficient data security practices could amount to a UDAAP violation. Now the bureau is following-up on that proclamation by describing some of the data-security-focused UDAAP violations its examiners have observed.

The CFPB states that some institutions engaged in unfair acts or practices by “failing to implement adequate information technology security controls that could have prevented or mitigated cyberattacks.” Specifically, the Bureau called out weak password management policies, inadequate controls for log-in attempts, and the failure to implement multi-factor authentication as examples of these “unfair” data security practices.

Finally, there were additional acts or practices described in the Supervisory Highlights related to fair lending and mortgage origination and servicing, which will be discussed in an upcoming post in the Compliance Blog. Stay tuned as we continue to peer into the CFPB’s crystal ball.

Compliance Blog Mentions: 

📣 Sessions are open now! Join NAFCU's BSA School On-Demand and/or Risk Management Seminar On-Demand to unlock comprehensive training from anywhere.