CFPB Releases Proposed Regulation of Payday Loans
In a long anticipated move, the Consumer Financial Protection Bureau (CFPB) proposed a rule to regulate so-called "debt traps" by requiring lenders to take additional steps to ensure consumers have the ability to repay certain types of small loans and placing limits on reborrowing or refinancing.
What happened
The new 12 CFR Part 1041 would generally cover two categories: loans with a term of 45 days or less and loans with a term greater than 45 days for which the lender charges a total, all-in annual percentage rate (APR) that exceeds 36 percent, including add-on charges, and either collects payment by accessing the consumer's deposit account or paycheck, or secures the loan by holding title to the consumer's vehicle as collateral.
All lenders—including banks, credit unions, and nonbanks—would be subject to the proposed requirements for any loan covered by the proposal.
The Bureau would establish a "full-payment test" under which lenders would be required to determine whether the borrower can afford the full amount of each payment when it is due and still meet basic living expenses (such as food and utilities) and major financial obligations. To do this, lenders would need to verify the amount of income that a consumer receives after taxes from employment, government benefits, or other sources. A check of a consumer's credit report (to verify the amount of outstanding loans and required payments) would also be necessary.
Specific to payday and single payment auto title loans, lenders would need to determine that a borrower has sufficient income to repay the loans and to meet major financial obligations and basic living expenses during the term of the loan—and for 30 days after paying off the loan or paying the loan's highest payment.
Installment loans with a balloon payment require lenders to ensure the borrower can make all payments when due, including the balloon payment, plus major financial obligations and basic living expenses during the term of the loan and for a 30-day period after making the highest payment.
The CFPB also proposed additional restrictions on loans, making it more difficult for borrowers to reborrow or refinance the same debt. For example, a borrower may not rollover a loan within 30 days of paying off a previous short-term debt. Lenders could only offer a similar short-term loan if a borrower can demonstrate that his or her financial situation during the term of the new loan would be "materially improved" relative to what it was since the prior loan was made. The same conditions would apply for a third loan and even for borrowers who successfully justified a second and third loan; the Bureau capped borrowers at three loans in succession, putting in place a mandatory 30-day "cooling off" period.
Similar limits were placed on high-cost installment loans. Lenders would not be permitted to refinance the loan into a loan with similar payments unless a borrower demonstrated that his or her financial situation during the term of the new loan would be materially improved relative to the prior 30 days. A refinancing offer could only be made if it would result in "substantially smaller" payments or substantially lower the total cost of the consumer's credit, the CFPB said.
Certain loans could avoid the full-payment test, in what the Bureau dubbed the "principal payoff option." These loans would allow borrowers to take out up to $500 and repay the debt in either a single payment or with up to two extensions where the principal is paid down at each step. Lenders would be prohibited from taking an auto title as collateral or structuring the loan as open-end credit.
This option would necessitate specific disclosures from lenders, who would also be barred from offering these types of loans to consumers with outstanding short-term or balloon-payment loans or who have been in debt on short-term loans more than 90 days in a rolling 12-month period. Only two extensions of the loan could be offered by the lender and only if the borrower pays off at least one-third of the principal with each extension.
Two other longer-term loan options were included in the CFPB's proposal. Lenders could offer loans that generally meet the parameters of the National Credit Union Administration's "payday alternative loans" program, with interest rates capped at 28 percent and an application fee no more than $20. Alternatively, lenders would be allowed to offer loans that are payable in roughly equal payments with terms not to exceed two years and an all-in cost of 36 percent or less, not including a reasonable origination fee, as long as the lender's projected default rate is 5 percent or less. The Bureau said lenders would be limited in the amount of either type of loan they could make per consumer, per year.
Lenders would also be restricted in the number of repeated, unsuccessful withdrawal attempts to collect payment from consumers' accounts, pursuant to the Bureau's proposal, and mandated to provide written notice before attempting to debit the consumer's account for any loan covered by the proposed rule.
Notice would generally be delivered at least three days before the withdrawal attempt, the CFPB said, and would include information about timing, amount, and channel of the forthcoming withdrawal. Withdrawals for a different amount, through a different channel, or at a different time would require additional notice. Withdrawal attempts would be capped at two straight unsuccessful attempts (including a debit returned unpaid or declined due to insufficient funds). Lenders would then need to obtain new and specific authorization from the borrower to make additional debits from the account.
The Bureau may end up expanding the proposed rule. Accompanying the proposal was a request for information (RFI) with the CFPB, announcing an inquiry into other potentially high-risk loan products and "risky" practices not specifically covered by the proposed rule. The Bureau asked for information about high-cost, longer-duration installment loans and open-end lines of credit, where the lender does not take a vehicle as collateral or gain account access. Comments about the sales and marketing practices of credit insurance, debt suspension or debt cancellation agreements, and other add-on products as well as practices such as loan churning, default interest rates, teaser rates, prepayment penalties, and late-payment penalties are also being sought by the agency.
To read the CFPB's proposal, click here.
To read the RFI, click here.
Why it matters
After multiple reports—on auto title loans and the impact of payday loans on bank fees, among others—and actions against payday lenders, the CFPB's proposed rule came as no surprise. While consumer advocates praised the proposed rule, it generated an equal amount of criticism. Chairman of the U.S. House of Representatives Financial Services Committee Jeb Hensarling (R-Texas) expressed concern that for struggling Americans, "the struggle just got harder," asking in a statement, "How many are going to lose this only option they may have? How many are going to have their utilities cut off or are going to lose their jobs because they can't get money to repair their car and go to work? … It's sheer arrogance to believe this Washington rule will help them."
back to top
FFIEC Warns of Cyber Attacks
The Federal Financial Institutions Examination Council (FFIEC) reiterated the importance of banks protecting themselves from cyber attacks in a newly issued statement, urging financial institutions to "actively manage the risks associated with interbank messaging and wholesale payment networks" in light of recent attacks.
What happened
This latest statement from the FFIEC, whose members include the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, and the State Liaison Committee—is consistent with earlier versions: cybersecurity is important. In the wake of recent attacks against interbank networks and wholesale payment systems, including those that allowed hackers to nab almost $1 billion earlier this year, the FFIEC decided to issue this statement. It does not contain new regulatory expectations but appeals for more time and attention in protecting certain key areas of banking operations.
"Financial institutions should review their risk management practices and controls over information technology (IT) and wholesale payment systems networks, including authentication, authorization, fraud detection, and response management systems and processes," according to this latest statement. "The FFIEC members emphasize that participants in interbank messaging and wholesale payment networks should conduct ongoing assessments of their ability to mitigate risks related to information security, business continuity, and third-party provider management."
What else can banks do to protect themselves? The FFIEC statement suggests that institutions review their risk management practices (including services provided to clients), refer to prior FFIEC guidance on regulatory expectations for IT risk management, and review and adhere to the technical guidance issued by payments and settlement networks for managing and controlling risks to critical systems.
The recent attacks have demonstrated the capacity to compromise a financial institution's wholesale payment origination environment, bypassing information security controls, as well as obtain and use valid operator credentials, utilize malware to disable security logging and reporting to conceal and delay detection of fraudulent transactions, and transfer stolen funds across multiple jurisdictions quickly to avoid recovery.
To avoid being the next victim, the FFIEC statement said institutions should use multiple layers of security controls to establish several lines of defense, including the following:
- Conduct ongoing information security risk assessments. Financial institutions should "[i]dentify, prioritize, and assess the risk to critical systems, including threats to applications that control various system parameters and other security and fraud prevention measures," as part of an ongoing information security risk assessment program. A close eye should be kept on third-party service providers, the Council noted, with effective risk management controls in place, regular testing of their security controls to stimulate risk scenarios, and a contractual obligation in place to provide security incident reports when issues arise that may affect the institution.
- Perform security monitoring, prevention, and risk mitigation. Intrusion detection systems and antivirus protection should be up-to-date, with firewalls properly configured and reviewed periodically. After a baseline environment has been established, system alerts should be monitored to detect anomalous behavior. Due diligence must be conducted on third-party software and services, with penetration testing and vulnerability scans performed as necessary, and vulnerabilities managed based on risk (such as implementing patches for applications or systems).
- Protect against unauthorized access. The FFIEC reminded banks to limit the number of credentials with elevated privileges, especially administrator accounts. Access rights should be reviewed periodically with "stringent" expiration periods for unused credentials and the prompt termination of unused or unwarranted credentials. Authentication rules or multifactor authentication protocols are important and financial institutions need to change default passwords and settings on a regular basis and ensure that secure connections are used when systems are remotely accessed.
- Implement and test controls around critical systems regularly. The FFIEC advised institutions to "[t]est the effectiveness and adequacy of controls periodically," with test results reported to senior management and—if appropriate—the Board of Directors. Other suggestions for controls included an adequate password policy, encrypting sensitive data in transit and in certain circumstances, at rest, and conducting backups of important files, with the backed-up data stored offline.
- Manage business continuity risk. Banks must validate that their business continuity planning "supports the institution's ability to quickly recover and maintain payment processing operations," the FFIEC said, with testing performed and coordination with other industry players.
- Enhance training and participate in information sharing. Regular, mandatory information security awareness training programs need to be held across the financial institution, the Council urged, including topics such as how to identify and prevent successful phishing attempts. Banks should also incorporate information sharing with other financial institutions and service providers into risk mitigation strategies, such as the Financial Services Information Sharing and Analysis Center.
Why it matters
The FFIEC used this latest guidance to reemphasize the importance of continued risk mitigation techniques related to cyber attacks. Although some banks have already considered their risk management practices in light of the attacks earlier this year, the FFIEC outlined specific steps for financial institutions to consider when evaluating their interbank messaging and wholesale payment networks, including security monitoring and control testing, protection against unauthorized access, and participation in industry information sharing forums.
back to top
Leveraging Government's Brief, Midland Pushes for Cert
Capitalizing on the government's position in its brief to the U.S. Supreme Court, Midland Funding filed a supplemental brief in support of its quest to have the justices overturn a Second Circuit Court of Appeals opinion presenting significant problems for financial institutions.
What happened
Last May, a three-judge panel refused to find that the National Bank Act (NBA) preempted state law usury claims against an assignee of a national bank in Madden v. Midland Funding LLC.
New York resident Saliha Madden originally opened a credit card account with a national bank, Bank of America. In 2006, the credit card program was consolidated into another national bank that later sold Madden's $5,000 debt on the account to Midland Funding, LLC, a debt purchaser. Affiliate Midland Credit Management handled collection efforts and sent Madden a letter in November 2010 seeking to collect payment on her debt and stating that an interest rate of 27 percent per year applied.
Madden filed a putative class action suit alleging that Midland Funding had engaged in abusive and unfair debt collection practices in violation of the Fair Debt Collection Practices Act (FDCPA) and charged a usurious rate of interest in violation of New York state law, which prohibits interest rates in excess of 25 percent per year.
The defendants responded with a motion for summary judgment, arguing that as an assignee of a national bank, the plaintiff's claims against them were preempted by the NBA, which permits a bank to charge interest at the rate of the state where it is located and provides the exclusive cause of action for usury claims against national banks. Delaware—where FIA is incorporated—allows banks to charge interest above 25 percent, so the defendants' rate was legal, they told the court.
A district court judge agreed that the NBA preempted any state law usury claims but the Second Circuit reversed.
"Because neither defendant is a national bank nor a subsidiary or agent of a national bank, or is otherwise acting on behalf of a national bank, and because application of the state law on which Madden's claim relies would not significantly interfere with any national bank's ability to exercise its powers under the NBA, we reverse the District Court's holding that the NBA preempts Madden's claims," the court wrote.
Midland filed a writ of certiorari to the U.S. Supreme Court. The justices invited the Solicitor General to weigh in on the petition, and the government advocated against taking the case. However, the government also told the Court the Second Circuit reached the incorrect conclusion, wrongly interpreting the NBA.
Responding with a supplemental brief to the justices, Midland argued that the government's stance actually confirmed the need for further judicial review. The Solicitor General's brief stated that the Second Circuit decision "is incorrect" and "reflects a misunderstanding of Section 85 [of the NBA] and of this Court's precedents," Midland noted.
Section 85 carries with it the power to assign loans to others, the government wrote, and applying state usury laws that prevent an assignee from charging certain rates would "significantly impair" this power. "In so concluding, the government reaffirms that the Section 85 power 'should be understood to incorporate the understandings that (a) sale of loans is an integral aspect of usual banking practice, and (b) a loan that was valid when made will not be rendered usurious by the transfer,'" Midland argued, quoting the government's brief. "The government's reading of Section 85 thus matches petitioners' reading to a T."
The Solicitor General further told the justices that nothing in the NBA suggests that Congress intended to limit the national banks' Section 85 power by authorizing states to regulate the terms on which loans originated by national banks could be assigned to other entities, and Midland added the "government thus agrees with petitioners that application of state usury laws 'would 'prevent or significantly interfere'' with the national banks' exercise of those powers and is preempted."
"Aside from the case caption, therefore, there is hardly any aspect of the Second Circuit's decision with which the government agrees," Midland wrote. The government also did not contest the broad implication of the decision below, which the petitioner said "has already begun to inflict severe consequences on secondary markets essential to the operation of the national banking system and to the availability of consumer credit."
Midland cited to a study published after the first round of briefing before the Court that the Second Circuit's decision has had a "significant impact" on the volume of loans issued to higher-risk borrowers in the three states that make up the Second Circuit. The study found that while loan volume has increased generally by 124 percent in other jurisdictions, it has fallen by 48 percent within the Second Circuit.
In recommending against certiorari, the Solicitor General made two arguments. First, the government questioned the depth of the circuit conflict on the question presented, distinguishing some of the cases relied upon by Midland. But the petitioner countered that "any concern about the shallowness of the conflict here is swamped by the sheer importance of the question presented and the fundamental errors in the Second Circuit's decision," with the contrary authority more than sufficient to trigger Supreme Court review.
The government also delineated vehicle problems with the case itself, but given the need to clarify the law, Midland told the justices there was no reason to let the issue pass by.
"This is the rare case where resolving the question presented is as straightforward as it is important," Midland concluded. "The government's unqualified recognition that the Second Circuit decision was incorrect only strengthens the case for further review. And the impact of the Second Circuit's decision on the national banking system and the availability of consumer credit can no longer seriously be disputed. Given the fundamental errors in the Second Circuit's approach, the significance of the question presented, and the circuit conflict on that question, this Court should grant the petition for certiorari."
To read Midland's supplemental brief in Midland Funding LLC v. Madden, click here.
Why it matters
In its supplemental brief, Midland noted that the Court routinely grants review where the government takes the position that the decision below was incorrect but nonetheless recommends a denial of certiorari, particularly where "there can be no serious doubt that this case is sufficiently important to warrant one of the scarce spots on the Court's docket, because it presents a question that is critical to the functioning of the national banking system and to the availability of consumer credit." The justices could weigh in on the cert petition before the term ends in June. In the meantime, marketplace lenders continue to face uncertainty in the Second Circuit.
back to top
Payment Processor Hit With CFPB Action
A payment processor and two executives were the subject of a new Consumer Financial Protection Bureau (CFPB) action, with the Bureau charging that the defendants enabled their clients to make unauthorized withdrawals from consumer accounts.
What happened
Intercept Corporation, president Bryan Smith, and chief executive officer Craig Dresser "turned a blind eye" to red flags of potential fraud or law-breaking by clients, the CFPB alleged, such as enforcement actions by federal and state authorities, high rates of returned payments because of unauthorized withdrawals, insufficient funds, or invalid or closed accounts.
On behalf of its clients—which include payday lenders, auto title lenders, debt collectors, and sales financing companies, among others—Intercept transmits electronic funds transfers through the Automated Clearing House (ACH). But the defendants processed payments for their clients "without adequately investigating, monitoring, or responding to red flags" indicating that some clients were deceiving consumers or breaking the law, the Bureau alleged in its North Dakota federal court complaint.
Many of Intercept's clients ran up annual return rates of 20 to 40 percent for network transactions (well above the 1.5 percent industry average) and the defendants made "little effort" to determine why the rates were so high, the CFPB said. Instead, the defendants continued to process transactions, helping process what the Bureau estimated at "millions of dollars" of unauthorized and illegal charges from consumer accounts.
Enforcement actions against some of their clients did not motivate the defendants to investigate, the CFPB noted, even when the Federal Trade Commission sued a customer in 2012 for illegal withdrawals from consumer accounts. Another client received a cease and desist order from the Georgia Attorney General but Intercept responded with an internal e-mail that it "seems as though the more information we ask for, the more information we receive that I would prefer not knowing!!!" the Bureau said.
The defendants also ignored repeated complaints from consumers as well as warnings from banks. In some instances, the defendants switched banks to help process payments for clients when the initial bank expressed concern in lieu of addressing the red flags, the CFPB said. Over a six-year period from 2008 to 2014, the defendants switched between eight different banks to keep client transactions moving, sometimes processing through three different banks at the same time, the Bureau alleged.
Intercept's application process was "perfunctory," the CFPB added, and although the defendants' stated procedure was to review Better Business Bureau (BBB) ratings and complaints, the "standard practice was not to investigate or follow up with clients" over poor BBB ratings to determine whether or not clients were engaged in illegal behavior. In one e-mail, an Intercept executive responded to an "F" rating of a payday lending client by writing, "My first thought about the BBB is that isn't every payday lender rated an F? I don't think this is unusual."
"Defendants have performed only perfunctory due diligence regarding the legitimacy and legality of their clients' underlying transactions and have ignored indicia of fraud or illegality revealed through even their minimal due diligence," according to the CFPB's complaint. "By providing these clients with access to the banking system and the means to extract money from consumers' bank accounts, Defendants have played a critical role in this unlawful conduct."
Alleging violations of Dodd-Frank Wall Street Reform and the Consumer Protection Act's prohibition on unfair, deceptive, or abusive acts or practices, the Bureau seeks monetary and injunctive relief as well as penalties.
To read the complaint in CFPB v. Intercept Corporation, click here.
Why it matters
"Companies cannot turn a blind eye to wrongdoing when they process payments from consumer banking accounts on behalf of clients that are breaking the law," CFPB director Richard Cordray said in a statement about the action.
back to top