CFPB Executive Summary on Overdraft Lending Fees

NASCUS Summary re: CFPB Executive Summary on Overdraft Lending Fees
December 2024

The Consumer Financial Protection Bureau issued a final rule that amends Regulations Z and E to ensure that extensions of overdraft credit offered by very large financial institutions adhere to consumer protections required of similarly situated products unless an exception applies. The final rule will take effect on October 1, 2025.

Summary

Under the Final Rule, Regulation Z will generally apply to all consumer overdraft credit provided by very large institutions unless it is provided at or below the institution’s costs and losses related to the overdraft credit.  The overdraft fee rule applies to banks/credit unions with more than $10 billion in assets.

The rule defines “overdraft credit” as credit that includes consumer credit extended by a financial institution to pay a transaction from a checking or other transaction account (other than a prepaid account) held at the financial institution when a consumer has insufficient or unavailable funds in the account.

In addition, the final rule updates two regulatory exceptions from the definition of finance charge.

  1. The rule updates an exception that provides that a charge for overdraft is not a finance charge if the financial institution has not previously agreed in writing to pay items that overdraw an account. The rule updates this exception by limiting it to only overdraft credit that is provided at or below costs and losses.
  2. The final rule updates a related exception that provides that a charge imposed in connection with an overdraft credit feature is not a finance charge, if the charge does not exceed the charge for a similar transaction account without a credit feature. The rule updates this provision by clarifying what is and is not a comparable charge.

The rule applies additional requirements to covered overdraft credit offered by a very large financial institution.  The final rule also:

  • Prohibits compulsory use of preauthorized transfers
  • Requires covered overdraft credit to be structured as a separate credit account
  • Applies CARD Act provisions to hybrid debit-credit cards
  • The new rule will provide institutions the following options with regard to overdraft fees:
    • Cap the overdraft fee at $5: This amount is considered sufficient to cover the estimated costs associated with administering a courtesy pay program.
    • Cap the fee at an amount that covers costs and losses: Allows institutions to set the fee based on the actual costs/losses related to the service.
    • Treat overdraft like other loans; require terms disclosure: Allows institutions to gain a profit from providing the service. This would require institutions to: (i) provide consumers the option of opening an overdraft line of credit; (ii) provide consumers with account opening disclosures; (iii) provide consumers with periodic statements; and (iv) provide consumers with the option to pay automatically or manually.
  • The Bureau issued an Executive Summary of the final rule that can be found here: https://files.consumerfinance.gov/f/documents/cfpb_executive-summary-overdraft-lending-final-rule_2024-12.pdf. NASCUS summary is in progress.

The rule will take effect on October 1, 2025.

Agencies Issue Guidance on Elder Financial Exploitation
December 18, 2024

On December 4, 2024, the six federal banking agencies and the state financial regulators issued a statement titled “Interagency Statement on Elder Financial Exploitation” to provide supervised institutions examples of risk management and other practices that can be effective in identifying, preventing, and responding to elder financial exploitation (EFE).

FinCEN previously issued a financial trend analysis specific to EFE. NASCUS summarized the analysis here. Additionally, the US Department of Treasury’s 2024 National Money Laundering Risk Assessment described EFE as a growing money laundering threat.

The Agencies’ statement and accompanying Appendices provide a list of resources issued by federal and state agencies on the topic of EFE. This does not replace previous guidance on this topic but is meant to raise awareness and provide strategies to supervised institutions for combating EFE.

Included in the statement are nine examples of risk management and other practices that supervised institutions can consider adopting as they work to combat EFE.  These examples are not new and are addressed in previous guidance.

  1. Governance and Oversight
    • Policies and procedures to better protect account holders and the institution;
    • Enhance or create risk-based policies, internal controls, employee codes of conduct, ongoing transaction monitoring, and complaint management processes.
  2. Employee Training
    • Identifying red flags for different types of exploitation;
    • Proactive approaches for detecting and preventing EFE; and
    • Detailing actions for employees to take when they have concerns
  3. Using Transaction Holds and Disbursement Delays
    • Implementing policies and procedures in conjunction with state law and regulations when there is a suspected case of EFE
  4. Using Trusted Contacts
    • Establish policies and procedures that enable account holders to designate one or more trusted contacts that employees can contact when EFE is suspected
    • Develop clear and effective processes for when and how to disclose account holder information while also maintaining confidentiality
  5. Filing SARs Involving Suspected EFE
    • Consider filing SARs voluntarily for suspected EFE cases that do not meet the mandatory SAR filing requirements
    • Consider how to detect and identify possible red flag indicators of EFE
  6. Reporting to Law Enforcement, Adult Protective Services (APS), and/or Other Entities, as appropriate
    • Implement a policy for reporting to appropriate authorities if the state is a mandatory reporting state;
    • For institutions not in a mandatory reporting state, the institutions could develop processes for voluntarily reporting to relevant state or local authorities; and
    • Consider establishing procedures for referring potential victims of EFE to the Department of Justice’s National Elder Fraud Hotline (833.372.8311), FTC, the FBI’s IC3, USPIS, Social Security Administration, and other agencies.
  7. Providing Financial Records to Appropriate Authorities
    • Develop a process for expediting supporting information and documentation to law enforcement agencies.
  8. Engaging with Elder Fraud Prevention and Response Networks
    • Consider partnerships with various networks, community education, etc.
  9. Consumer Outreach and Awareness
    • Consider various means of consumer outreach, information on trending scams and ways to avoid them, and potential training for consumers on what to look for in various scams.

Appendix A: Elder Financial Exploitation Resources from Government Agencies

  • Appendix A includes an extensive list of reports, research, and recommendations from the agencies as well as a list of federal resources for supervised institutions that may be shared with consumers.

NCUA Letter to Credit Unions 24-CU-03
Consumer Harm Stemming from Certain Overdraft and Non-Sufficient Funds Fee Practices

NASCUS Legislative and Regulatory Affairs Department
December 10, 2024

The NCUA Board has issued its third letter to credit unions of 2024, LTCU 24-CU-03 Consumer Harm Stemming from Certain Overdraft and Non-Sufficient Funds Fee Practices.

The NCUA has shown an increased focus on consumer protection in recent years. The Agency notes it is issuing this letter to highlight the risks associated with certain overdraft and NSF fee practices while providing resources to assist credit unions in managing and mitigating these risks. The letter also describes how the Agency will approach such fees from a supervisory perspective and further outlines its expectations of credit unions in responding to the associated risks.

Background

In 2022 the NCUA requested information about federal credit union overdraft programs, policies, and procedures, and in 2023 and 2024 examiners expanded the review of federal credit union overdraft programs and evaluated adjustments credit unions made to their programs to address risk and potential harm to members. Additionally, examinations of federal credit unions in 2023 and 2024 identified the presence of certain overdraft and NSF fee practices that “may create heightened risk exposure.”

Unanticipated Overdraft Fees

Unanticipated overdraft fees occur when a credit union assesses overdraft fees on transactions that a member would not expect would give rise to such fees. The letter further addresses several types of overdraft and NSF fees and cautions against such policies that permit these fees as they would likely violate the Federal Trade Commission Act (FTC Act) and the Consumer Financial Protection Act of 2010 (CFPA) as unfair or deceptive practices.

  • Authorize Positive, Settle Negative Overdraft Fees
  • Multiple NSF Representment Fees

Returned Deposited Item Fees

A Returned Deposited Item (RDI) is a check deposited into a member’s account that is returned to the member because the check could not be processed against the originator’s account.

Other Overdraft or NSF Practices

Some additional practices highlighted by the Agency that may present heightened risk include:

  • High or no daily limits on the number of fees assessed;
  • Insufficient or inaccurate fee disclosures; and
  • Ordering transactions to maximize fees

Risk Management Principles

The NCUA states that if a credit union provides overdraft programs or charges NSF fees, the credit union should:

  • Closely analyze all aspects of the credit union’s overdraft and NSF fee practices, including opt-in disclosures, website advertising, and other information provided to members specific to overdraft and NSF;
  • Review recent regulatory developments regarding unanticipated overdraft and NSF fees;
  • Consider member impact;
  • Track and analyze related member-complaint activity;
  • Monitor and take action to mitigate reputation, consumer compliance, third-party, and legal risk; and
  • Consult legal counsel regarding consumer compliance responsibilities and associated risks.

It is important to highlight that the NCUA specifically states in the letter, “Mitigation strategies should include discontinuing policies related to charging overdraft, NSF, and other related fees that members cannot reasonably anticipate and avoid.”

NCUA’s Supervisory Approach

While the NCUA states it does not expect credit unions to stop offering overdraft programs to assist members, it will continue to review credit union overdraft programs. If examiners identify violations of laws or regulations due to unanticipated fee practices, the agency will evaluate appropriate supervisory or enforcement actions, including restitution to harmed consumers.

The letter also states that the NCUA will recognize efforts to self-identify and correct violations, noting that examiners will generally not cite or pursue action if a credit union has self-identified and fully corrected issues before the start of an examination.

LTCU 24-CU-03 applies to federally-insured credit unions, including federally-insured state-chartered credit unions (FISCUs). It is important for FISCUs to also work with their appropriate state supervisory authority when evaluating overdraft and NSF practices.

NASCUS Summary re: CFPB Executive Summary on Personal Financial Data Rights Final Rule

Nov 2024

The Bureau issued a proposed rule and request for comments in October 2023 regarding implementation of Section 1033, pertaining to consumers’ personal financial data rights, under the Consumer Financial Protection Act (CFPA).  The Bureau issued a finalized rule in October 2024.

The Bureau’s Executive Summary can be found here.


Summary

The final rule requires data providers to make covered data regarding covered financial products and services available to consumers and authorized third parties in an electronic form, subject to a number of requirements. The rule also sets forth criteria a third party must satisfy in order to be an authorized third party, including certifying it will satisfy certain obligations regarding the collection, use and retention of covered data.

Covered Entities: Data Providers

The rule defines data providers as those that control and possess covered data concerning a covered consumer financial product or service obtained from the data provider. That would include financial institutions, card issuers or any other person that controls or possesses information concerning a covered consumer financial product or service. Depository institutions that hold total assets at or below the Small Business Administration (SBA) size standard are not required to comply with the final rule.

Covered Consumer Financial Products/Services

Under the final rule, a “covered consumer financial product or service” can be one or more of the following:

  • Regulation E accounts
  • Regulation Z credit card accounts
  • Facilitation of payments from a Regulation E account or Regulation Z credit card excluding products/services that merely facilitate first party payments.

Making Covered Data Available

The final rule requires a data provider to make available to a consumer or authorized third party, upon request, covered data in the data provider’s control or possession concerning a covered consumer financial product or service that the consumer obtained from the data provider. Data providers are prohibited from taking steps to evade the requirements, including actions that are likely to make the covered data they provide unusable or are likely to prevent, interfere with, or materially discourage a consumer or third party from accessing covered data.

Covered Data is defined as:

  • Transaction information
  • Account balance information
  • Information to initiate payment to or from a Regulation E account
  • Terms and conditions
  • Upcoming bill payment information
  • Basic account verification information

The following information does not fall into the category of “covered data” and data providers are not required to provide this information:

  • Confidential commercial information
  • Information collected by the data provider for the sole purpose of preventing fraud or money laundering, or detecting or making any report regarding other unlawful or potentially unlawful conduct
  • Information required to be kept confidential by any other provision of law
  • Any information that the data provider cannot retrieve in the ordinary course of its business with respect to that information.

Data Access Requirements

The final rule requires a data provider to receive requests for covered data in electronic form from consumers and third parties and to make covered data available in electronic form in response to the requests. The rule does not require a data provider to use any particular technology to satisfy these requirements. However, the rule does impose the following requirements regarding how a data provider must be able to receive such requests and make covered data available in response to them:

  • Standardized format – covered data must be made available in a standardized and machine-readable format.
  • Commercially reasonable performance – data provider’s interface for receiving requests from and making covered data available to authorized third parties must perform at a commercially reasonable level.
  • Access caps – data provider must not unreasonably restrict the frequency with which it receives or responds to requests for covered data through its data interface. Any frequency restrictions must be applied in a manner that is non-discriminatory and consistent with the reasonable written policies and procedures that the data provider establishes and maintains pursuant to the final rule.
  • Access credentials – data provider must not allow a third party to access covered data using credentials that a consumer uses to access data electronically.
  • Security program – a data provider must apply an information security program that satisfies the applicable rules under the Gramm-Leach-Bliley Act. If the data provider is not subject to the Gramm-Leach-Bliley Act, the program must satisfy the Federal Trade Commission’s Standards for Safeguarding Customer Information.

The rule also prohibits data providers from imposing any fees or charges on a consumer or third party in connection with receiving an electronic request for access to covered data.

Denial of Data Access

A data provider does not violate the general obligation to make covered data available by denying a consumer or third-party access to its data interface if the following two conditions are met:

  • Granting access would be inconsistent with policies/procedures reasonably designed to comply with (i) safety and soundness standards of the data provider’s prudential regulator or (ii) other applicable laws and regulations regarding risk management.
  • The denial is reasonable, meaning it must be directly related to a specific risk of which the data provider is aware and must be applied in a consistent and non-discriminatory manner.

A data provider can deny access to a third party if:

  • The third party does not present any evidence that its data security practices are adequate to safeguard the covered data; or
  • The third party does not make the following information available to the data provider and readily identifiable to members of the public: its legal name; any assumed name it is using while doing business with the consumer; a link to its website; its Legal Entity Identifier (LEI); and contact information a data provider can use to inquire about the third party’s data security and compliance practices.

Responding to Requests

  • The rule requires a data provider to make covered data available through its interface to a consumer when it receives information sufficient to authenticate the identity of the consumer and identify the scope of the data requested.
  • The final rule requires a data provider to make covered data available through its interface to a third party when it receives information sufficient to authenticate the identity of the consumer who authorized the third party to access covered data, authenticate the third party’s identity, document that the third party has followed the authorization procedures, and identify the scope of the data requested.
  • A data provider is not required to make covered data available in response to a request when:
    • The data are withheld because an exception applies
    • The data are not in the data provider’s control or possession
    • The data provider receives the request when its data interface is not available
    • The request is from a third party and the consumer’s authorization is no longer valid
    • The data provider has not received information sufficient to trigger the obligation to make covered data available in response to the request.
  • A data provider must provide a reasonable method for a consumer to revoke a third party’s authorization to access the consumer’s covered data, provided the method does not violate the prohibition against evasion.

Making Information About the Data Provider Readily Identifiable

The rule requires data providers to make certain information readily identifiable to members of the public and available in both human-readable and machine-readable formats.  This includes the data provider’s legal name, any assumed name it is using while doing business with the consumer, a link to its website, its LEI, contact information that enables a consumer or third party to receive answers to questions about accessing covered data pursuant to the final rule, and documentation sufficient for a third party to electronically access covered data pursuant to the final rule.

In addition, each month, the data provider must disclose to the public certain information about its data interface’s response rate to authorized third party requests for covered data in the previous calendar month.

Policies, Procedures and Recordkeeping for Data Providers

The final rule requires a data provider to have written policies/procedures that are reasonably designed to ensure the data provider:

  • Creates a record, for covered data in its control or possession, of what covered data are not made available to authorized third parties through the data provider’s interface pursuant to an exception and the reasons the exception applies.
  • Creates certain records when it denies an authorized third party’s request for access to the data provider’s interface or a request for information and provides certain information regarding the denial.
  • Accurately makes covered data available to an authorized third party through its data interface.
  • Retains records to reflect compliance with the final rule

A data provider must periodically review these policies and procedures and update them as appropriate.  Policies and procedures must be appropriate to the size, nature, and complexity of the data provider’s activities.

Authorized Third Parties, Authorization Procedures, and Authorization Disclosures

  • The final rule requires a data provider to make covered data available to the consumer about whom the data pertains or to an authorized third party.
  • To become an authorized third party, a third party must seek access to covered data from a data provider (on behalf of a consumer) and must follow the authorization procedures set out in the final rule. Specifically, the third party must:
    • Provide the consumer with an authorization disclosure
    • Provide a statement to the consumer in the authorization disclosure certifying that the third party agrees to certain obligations
    • Obtain the consumer’s express informed consent to access covered data on behalf of the consumer by obtaining an authorization disclosure that is signed by the consumer electronically or in writing.
  • The authorization disclosure must include the following:
    • The name of the third party
    • The name of the data provider that controls or possesses the covered data that the third party seeks to access
    • A brief description of the product/service the consumer has requested and a statement that the third party will collect, use and retain the consumer’s data only as reasonably necessary to provide that product/service to the consumer
    • The categories of data that will be accessed
    • A statement certifying that the third party agrees to certain obligations set forth in the final rule
    • A brief description of the expected duration of data collection and a statement that collection will not last longer than one year after the consumer’s most recent reauthorization
    • A description of the method that the consumer may use to revoke authorization

Third Party Obligations

Third parties are required to provide a statement to a consumer certifying that the third party will satisfy the following obligations:

  • The third party will limit its collection, use and retention of covered data to what is reasonably necessary to provide the consumer’s requested product/service.
  • The third party will limit the duration of collection of covered data (per authorization) to a maximum period of one year. To continue collection, a new consumer authorization must be obtained.
  • The third party will have written policies/procedures that are reasonably designed to ensure that covered data are accurately received from a data provider and accurately provided to another third party, if applicable.
  • The third party will apply an information security program to its systems for the collection, use and retention of covered data. This would be a Gramm-Leach-Bliley Act program in most cases. However, if the third party is not subject to the Gramm-Leach-Bliley Act, the program would be required to comply with the Federal Trade Commission’s Standards for Safeguarding Customer Information.
  • The third party will ensure that consumers are informed about the third party’s access to covered data.
  • The third party will provide the consumer with a method to revoke the third party’s authorization.
  • The third party will have written policies/procedures that are reasonably designed to ensure retention of records that are evidence of compliance with the final rule for a reasonable period of time.

Use of Data Aggregators

The final rule allows data aggregators to perform customer authorization procedures on behalf of third parties seeking access to customer data. However, the third party seeking the authorization remains responsible for compliance with the authorization procedures.

Data processors engaged in this process on behalf of a third party are required to certify to the consumer that they will satisfy the third party obligations required under the final rule.

Effective and Compliance Dates

The final rule will become effective 60 days after publication in the Federal Register.  However, compliance with the rule is not required at that time.  A data provider must determine which compliance date is applicable based on its status as a depository or non-depository institution and its size (measured either by total assets for depository institutions or by total receipts for non-depository institutions).

The five possible compliance dates and applicable thresholds are provided below:

  • April 1, 2026
    • Applicable to depository institutions with at least $250 billion in total assets (based on an average of Q3 2023 through Q2 2023 call report submissions)
    • Applies to non-depository institutions that generated at least $10 billion in total receipts (based on calendar year 2023 or 2024)
  • April 1, 2027
    • Applicable to depository institutions with at least $10 billion in total assets but less than $250 billion in total assets (based on an average of Q3 2023 through Q2 2024 call report submissions).
    • Applicable to non-depository institutions that did not generate $10 billion or more in total receipts in both calendar year 2023 and 2024.
  • April 1, 2028
    • Applicable to depository institutions with at least $3 billion in total assets but less than $10 billion in total assets (based on an average of Q3 2023 through Q2 2024 call report submissions).
    • Not applicable to non-depository institutions
  • April 1, 2029
    • Applicable to depository institutions with at least $1.5 billion in total assets but less than $3 billion in total assets (based on an average of Q3 2023 through Q2 2024 call report submissions).
    • Not applicable to non-depository institutions
  • April 1, 2030
    • Applicable to depository institutions with less than $1.5 billion in total assets but more than $850 million in total assets (based on an average of Q3 2023 through Q2 2024 call report submissions).
    • Not applicable to non-depository institutions

NCUA Summary Letter to Credit Unions 24-CU-02
Board of Director Engagement in Cybersecurity Oversight

NASCUS Legislative and Regulatory Affairs Department
October 22, 2024

The NCUA Board has issued its second letter to credit unions of 2024, LTCU 24-CU-02 Board of Director Engagement in Cybersecurity Oversight. The letter specifically addresses credit union boards and CEOs and urges credit union boards to prioritize cybersecurity as a top oversight and governance responsibility.  

In light of the growth and sophistication of information security threats such as “malvertising” and the importance of safeguarding information, the NCUA details four key areas boards of directors should focus on:

  • Training;
  • Approval of Information Security Program;
  • Oversight of Operational Management; and
  • Incident Response Planning and Resilience

Provide for Recurring Training

The NCUA discusses the need for credit union boards to engage in ongoing education about current cybersecurity threats, trends, and best practices. The letter lists various NCUA resources including web-based training and written guidance. It also discusses the board’s role in ensuring a credit union’s employees receive regular cybersecurity education and emphasizes the importance of a “security-minded culture” to mitigate risk.

Approval of Information Security Program

The letter also reminds directors they must approve and review, at least annually, a comprehensive information security program that meets the requirements of NCUA Part 748.

Oversight of Operational Management

The letter also addresses the board’s responsibility for overseeing a credit union’s management team, placing a key focus on the following cybersecurity areas:

  • Third-Party Due Diligence
  • Embedding Cybersecurity and Operational Resilience into Organizational Culture
  • Resources
  • Vulnerability/Patch Management and Threat Intelligence
  • Audit Function
  • Reporting
  • Protecting and Managing Backups; and
  • Membership Education

Incident Response Planning and Resilience

The letter discusses the importance of credit union boards ensuring resilience planning is consistent with the NCUA’s Cyber Incident Notification Rule and requirements, while allowing the credit union to operate effectively during a cyber attack.

LTCU 24-CU-02 states that resilience planning should include the following:

  • Internal and External Communication between the board, members, and regulators.
  • Insurance Considerations that evaluate cybersecurity insurance policies ensuring adequate coverage for potential incidents.
  • Identify an Incident Response Team of key personnel prepared to take immediate action in the event of a cyber incident.
  • Conduct regular Tabletop Exercises to simulate cyber incident scenarios.

Finally, the letter encourages boards to consult the NCUA’s cybersecurity resources page for additional information.

National Credit Union Administration: Fair Hiring in Banking

NASCUS Legislative and Regulatory Affairs Department
October 4, 2024

On September 19, 2024, the NCUA Board unanimously approved a final rule codifying Section 205(d) of the Federal Credit Union Act (FCUA) and incorporating the NCUA’s Second Chance Interpretive Ruling and Policy Statement (IRPS) 19-1 and the Fair Hiring in Banking Act (FHBA) into Section 752 of the agency’s regulations. The FCUA generally prohibits, except with the Board’s written consent, any person who has been convicted of or has a program entry for certain criminal offenses involving dishonesty or breach of trust, from participating in the affairs of an insured credit union.

The preamble to the final rule states the rule will “expand career opportunities for individuals to work and volunteer at insured credit unions.”


Summary

Section 752.1 – What is Section 205(d) of the FCUA?

Section 752.1 describes the requirements of Section 205(d) of the FCUA including:

  • Paragraph (a) describes the requirements of Section 205(d)
  • Paragraph (b) clarifies that insured credit unions must make a reasonable and documented inquiry regarding an applicant’s history, and at a minimum, a credit union should establish a screening process to obtain information about convictions and program entries from applicants. Paragraph (b) also provides that insured credit unions are permitted to make conditional offers of employment to prospective applicants.
  • Paragraph (c) addresses the need for a consent application and establishes the standard for an application’s approval.

Section 752.2 – Who is covered by Section 205(d)?

  • Institution Affiliated Parties (IAPs)
  • Volunteer and de-facto employees

Section 752.3 – Which offenses qualify as “covered” offenses under Section 205(d)?

The following constitutes a covered offense under section 205(d):

  • A conviction or program entry must have been for a criminal offense involving dishonesty or breach of trust:
    • “An offense under which an individual directly or indirectly cheats or defrauds or wrongfully takes property belonging to another in violation of a criminal statute.”
    • This also includes an offense that federal, state, or local law defines as “dishonest” or for which dishonesty is an element of the offense.
  • The term does NOT include a misdemeanor criminal offense committed more than one year before the date on which a person files a waiver application, excluding any period of incarceration or an offense involving the possession of controlled substances.
  • “Breach of trust” refers to “a wrongful act, use, misappropriation, or omission concerning any property or fund that has been committed to a person in a fiduciary or official capacity, or the misuse of one’s official or fiduciary position to engage in a wrong act, use, misappropriation, or omission.”

Section 752.4 – What constitutes a conviction under Section 205(d)?

Section 752 does not cover arrests or pending cases not brought to trial.

Section 752.5 – What constitutes a pretrial diversion or similar program under Section 205(d)?

The term “pretrial diversion or similar program” (program entry) refers to a program characterized by a suspension or eventual dismissal or reversal of charges or criminal prosecution upon agreement by the accused to restitution, drug or alcohol rehabilitation, anger management, or community service.

Section 752.6 – What are the types of consent applications that can be filed?

According to the final rule, the NCUA will accept applications from:

  • An individual; or
  • An insured credit union applying on behalf of an individual
    • An individual or insured credit union may file applications at separate times. Applications must be filed with the appropriate NCUA field office.
  • A waiver is no longer needed if:
    • It has been seven years or more since the offense occurred (measured from the date of offense, not the date of disposition); or
    • The person was incarcerated, and it has been five years or more since the person was released; or
    • The person committed the offense before age 21, and it has been more than 30 months since the sentencing occurred (the date the court imposed the sentence.)

Section 752.7 – When may an application be filed?

Applications must be filed when an adult or minor treated as an adult is convicted by a court of competent jurisdiction for a Covered Offense or when such person has a program entry regarding the offense.

Section 752.8 – What is the de minimis exemption?

De minimis exemptions have been expanded to include (but are not limited to):

  • An individual has been convicted of, or has program entries for, no more than two covered offenses.
  • Increasing the requirement that the offense be punishable by a term of one year or less to three years or less.
  • For “bad check criteria,” increasing the aggregate total face value of all NSF checks across all convictions or program entries related to NSF checks from $1000 or less to $2000 or less.
  • Excluding a new category of lesser offenses, including using a fake ID, shoplifting, trespassing, or driving with an expired license or tag, if one year or more has passed since the applicable conviction or program entry.

Section 752.9 – How does an individual or credit union file an application?

Forms and instructions can be found on NCUA’s website at www.ncua.gov. An application must be filed with the appropriate field office Director.

Section 752.10 – How will the NCUA evaluate an application?

The ultimate determination in assessing an application is:

  • Whether the person has demonstrated their fitness to participate in the conduct of the affairs of an insured credit union; and
  • Whether the person’s affiliation or participation in the conduct of the affairs of the credit union may constitute a threat to the safety and soundness of the credit union, the interests of its members, or threaten to impair public confidence in the credit union.

The final rule details a number of additional evaluating factors for individualized assessments. For state-chartered, federally insured credit unions, the NCUA will consider the opinion or position of the state regulator.

Section 752.11 – What will the NCUA do if the application is denied?

If an application is denied, the NCUA will inform the applicant in writing that the application has been denied and summarize or cite the relevant considerations specified in 752.10. The denial will also notify the applicant of the right to request reconsideration from the field office or to file an appeal with the NCUA Board and will include the applicable filing deadlines and time frames for Agency response.

Amendments to §701.14 on Change in Official or Senior Executive Officer in Credit Unions that are Newly Chartered or are in Troubled Condition

The changes to 701.14 include:

  • Clarifying when notice is required by specifying that a credit union must provide notice when adding or replacing any member of its board of directors or committees, employing any person as a senior executive of the credit union, or changing the responsibilities of a board member, committee member, or a senior executive officer so that the person would assume a different position;
  • Increasing the amount of time for NCUA to initially review a notice after its receipt from 10 calendar days to 15 calendar days;
  • Specifying that the Regional Director and ONES Director communications under 701.14 may be done through email; and
  • Explicitly stating that the notice of disapproval will identify the reason(s) for the denial.

National Credit Union Administration: Simplification of Share Insurance Rules

NASCUS Legislative and Regulatory Affairs Department
October 4, 2024

On September 19, 2024, the NCUA Board unanimously approved a final rule amending its share insurance regulations. The rule simplifies the regulations by establishing a “trust accounts” category. The changes also increase consistency between the FDIC’s Federal deposit insurance rules and the NCUA’s share insurance rules.

The final rule is effective December 1, 2026, except for a handful of amendments, including recordkeeping, which are effective October 30, 2024.

Summary

The final rule amendments include: (1) merging the revocable and irrevocable trust categories into one category, (2) applying a simpler common calculation method to determine insurance coverage for funds held by revocable and irrevocable trusts, and (3) eliminating certain requirements found in the current rules for revocable and irrevocable trusts.

Merger of Revocable and Irrevocable Trust Categories

The final rule amends §745.4 of the NCUA’s regulations, which currently applies only to revocable trust accounts. The amendment establishes a new “trust accounts” category that includes both revocable and irrevocable trust accounts with funds deposited at a Federally Insured Credit Union (FICU). The final rule defines funds that will be included in this category as:

  1. Informal revocable trust funds (e.g., payable-on-death accounts, in-trust-for accounts, and Totten trust accounts);
  2. Formal revocable trust funds, defined as funds held pursuant to a written revocable trust agreement under which funds pass to one or more beneficiaries upon the grantor’s death; and
  3. Irrevocable trust funds, e.g., funds held under an irrevocable trust established by written agreement or by statute.

The merger of the two categories eliminates §745.4(h) – (i), simplifying the amount of share insurance coverage upon the death of a formal revocable trust owner. Coverage for both irrevocable and formal revocable trusts will fall under the same category and share insurance coverage will remain the same.

Calculation of Coverage

The final rule utilizes a streamlined calculation to determine the amount of share insurance coverage for funds in both trust account categories. The adopted calculation is already used by the NCUA to calculate coverage for revocable trusts that have five or fewer beneficiaries. The final rule will provide coverage for trust funds at each FICU up to a total of $1,250,000 per grantor. This means each grantor’s insurance limit will be $250,000 per beneficiary up to a maximum of five beneficiaries.

Aggregation of Funds

The final rule aggregates a grantor’s revocable and irrevocable trust accounts for purposes of share insurance coverage. For example, all revocable and irrevocable trusts held for the same grantor at the same FICU will be aggregated, and the grantor’s insurance limit will be determined by the number of eligible and unique beneficiaries identified among all of their trust accounts.  Share insurance coverage for “trust accounts” will remain separate from the coverage provided for other funds held in non-trust accounts.

Eligible Beneficiaries

The final rule uses a single definition to determine beneficiary eligibility. As proposed, it will exclude from the calculation of share insurance coverage beneficiaries who would obtain an interest in a trust only if one or more named beneficiaries are deceased.

Removal of the Appendix to Part 745

The final rule removes the appendix to part 745, which provides examples of share insurance coverage. Instead, the NCUA plans to update its “Your Insured Funds” brochure to reflect the amendments to part 745.

Mortgage Servicing Accounts

Under the final rule, accounts maintained by a mortgage servicer in an agency, custodial, or fiduciary capacity, which consist of payments of principal and interest, will be insured for the cumulative balance paid into the account to satisfy principal and interest obligations to the lender, whether paid directly by the borrower or by another party, up to the limit of the standard maximum share insurance amount (SMSIA) per mortgagor. Mortgage servicers’ advances of principal and interest funds on behalf of delinquent borrowers will be insured up to the SMSIA per mortgagor, consistent with the coverage rules for payments of principal and interest collected directly from borrowers.

Liquidations

The changes to the final rule also provide NCUA with additional flexibility in determining share insurance coverage in instances where a credit union is liquidated by merging the requirements for revocable and irrevocable trusts. The changes reduce time in identifying beneficiaries and eliminate the need to review multiple differing requirements for coverage.

NASCUS Summary re: CFPB Proposed Rule/Request for Comments on Remittance Transfers under the Electronic Fund Transfer Act (Regulation E)
12 CFR Part 1005

The Consumer Financial Protection Bureau (CFPB) proposes a narrowly tailored amendment to certain remittance transfer disclosure requirements in the remittance rule in Regulation E to ensure consumers sending a remittance transfer have information about the types of inquiries that may be most efficient to direct to the CFPB and the State agency that licenses or charters their remittance transfer provider.

Comments must be received by November 4, 2024 and the proposal can be found here.


Summary

The Electronic Fund Transfer Act (EFTA) provides a basic framework for rights, protections, liabilities and responsibilities of consumers and providers in electronic fund transfer systems and remittance transfers.  Section 919 of the EFTA requires remittance transfer providers to make certain disclosures to senders of remittance transfers.  Under the current rule, remittance transfer providers are required to make disclosures including a statement about the rights of the sender regarding the resolution of errors and cancellation; the contact information of the remittance transfer provider; and a statement that the sender can contact the State agency that licenses or charters the remittance transfer provider with respect to the remittance transfer and the Consumer Financial Protection Bureau for questions/complaints about the remittance transfer provider.

The CFPB proposes amending the disclosure requirements and corresponding model forms to direct a remittance sender to contact the State licensing agency and the CFPB if the sender has unresolved problems with the remittance transfer or complaints about the remittance transfer provider.  According to the Bureau, this amendment is intended to make the process more efficient by making it clear who should be the initial point of contact in each situation.

In addition, the CFPB proposes to make remittance transfer provider’s contact information more prominent and easier to locate by consumers.  The proposed rule would update the remittance transfer provider contact information in the header of the model forms by adding the remittance transfer provider phone number and website.  The proposal would also update the model forms for receipts and combined disclosures.

Comments Requested

The CFPB seeks comment on whether the proposed changes will provide helpful information to senders and what, if any, impact these proposed changes may have on consumers, remittance transfer providers, and State licensing agencies.

Financial Crimes Enforcement Network Summary

Financial Trend Analysis: Mail Theft-Related Check Fraud: Threat Pattern & Trend Information

NASCUS Legislative and Regulatory Affairs Department
September 11, 2024

FinCEN’s latest Financial Trend Analysis focuses on mail theft-related check fraud incidents based on data collected from February 27 to August 31, 2023. FinCEN previously issued an alert addressing a surge in nationwide mail theft-related check fraud schemes targeting the U.S. mail on February 27, 2023.  The trend analysis examined BSA reports filed with the key term  “FIN-2023-MAILTHEFT” provided in the alert.  During the review period, FinCEN received 15,417 BSA reports related to mail theft-related check fraud associated with more than $688 million in transactions, including actual and attempted transactions.


Summary

FinCEN’s analysis details three primary outcomes from perpetrators after stealing checks from the U.S. Mail.

  1. Perpetrators altered and deposited checks;
  2. Perpetrators used stolen checks to create counterfeit checks; and
  3. Perpetrators fraudulently signed and deposited checks.

The analysis also found that banks filed 88 percent of all mail theft-related check fraud reports, with 44 percent of filings submitted by the largest banks. Small to medium-sized banks filed the majority of reports.  The analysis found that credit unions and securities firms combined filed only 1,767 reports, or 11.5 percent of the total reports filed during the review period.

The analysis also identified that checks were most frequently altered and negotiated after theft.  Counterfeiting of stolen checks was the next most frequent outcome, with stolen checks utilized as a template to produce counterfeits. Finally, the third most common outcome was perpetrators fraudulently signing and depositing checks. According to the reports analyzed, altered checks accounted for 44 percent of BSA reports, counterfeit checks accounted for 26 percent, and fraudulently signed checks were 20 percent.

Criminals primarily utilized methods that avoided human contact, including depositing checks via remote deposit capture (RDC) or at ATMs and opening accounts online rather than in person.

Check Manipulation Methodologies Identified

The analysis also identified several methodologies used to alter, counterfeit, or fraudulently sign checks that ranged in levels of sophistication.

Unsophisticated Methodologies

  • Fraudulently endorsing a check without modifying any information on the check
  • Altering the payee or dollar amount without washing the check; and
  • Third-party payment with no check modifications: attempting to make the check appear as though the intended party signed it over to them

Moderately Sophisticated Methodologies

  • Check washing
  • Selling information from a stolen check online: dark web marketplaces or online forums
  • Using compromised check information to create counterfeit checks; and
  • Stealing newly ordered checks from the mail.

Sophisticated Methodologies

  • New account fraud: fraudsters opening new accounts, typically online, specifically designed to negotiate stolen checks
  • Mail theft-related check fraud as part of a larger scam, mainly romance and employment scams
  • Insider involvement: sophisticated operations have enlisted insider assistance at financial institutions or the USPS.

Appendix A to the analysis includes mapping of BSA report subjects and branch location activity by state. It also identifies areas where mail check fraud was the most prominent.

Financial Data Transparency Act Joint Data Standards
Federal Banking Agencies

NASCUS Legislative and Regulatory Affairs Department
September 6, 2024 

The OCC, FRB, FDIC, NCUA, CFPB, FHFA, CFTC, SEC, and Treasury (Agencies) have issued a proposed rule establishing data standards for certain information collections submitted to the Agencies. The proposed rule is required by the Financial Data Transparency Act (FDTA) of 2022. The proposal would promote interoperability of financial regulatory data across the Agencies through the establishment of data standards for identifiers of legal entities and other common identifiers.

Comments on the proposed rule are due October 21, 2024.


Summary

Section 5811 of the FDTA amends subtitle A of the Financial Stability Act (FSA) of 2010 by adding a new section 124. The new section directs the federal agencies to jointly issue regulations establishing data standards for:

  1. Certain collections of information reported to each Agency by financial entities under each Agency’s jurisdiction, and;
  2. The data collected from the Agencies on behalf of the Financial Stability Oversight Council (FSOC)

Collection of Information

The proposal would establish joint standards for collections of information reported to each agency. The FDTA does not define “collections of information” and references the Paperwork Reduction Act (PRA) definition, defined as “obtaining, causing to be obtained, soliciting, or requiring the disclosure to third parties or the public, of facts or opinions by or for an agency, regardless of form or format, calling for either –

  • Answers to identical questions posed to, or identical reporting or recordkeeping requirements imposed on, ten or more persons, other than agencies, instrumentalities, or employees of the United States; or
  • Answers to questions posed to agencies, instrumentalities, or employees of the United States which are to be used for general statistical purposes.”

The proposal indicates that the PRA definition is widely understood by the Agencies and by public stakeholders and that all approved and pending PRA collections of information have been categorized and are accessible to the Agencies and the public.

Legal Entity Identifier

Section 124 requires the joint standards to include “a common nonproprietary legal entity identifier that is available under an open license for all entities required to report to” the Agencies. The Proposal would establish International Organization for Standardization (ISO) 17442 – Financial Services – the Legal Entity Identifier (LEI) as the legal entity identifier joint standard. The LEI is a global, 20-character, alphanumeric identifier standard that uniquely identifies a legal entity. The LEI is nonproprietary and is made publicly available by the Global LEI Foundation under an open license, free of charge to any interested user.

The proposed rule notes that it would not impose any requirements that any particular entity obtain an LEI and incur the associated costs; such requirements would be determined by the Agency-specific rulemakings.

Other Common Identifiers

In addition to the LEI, the proposed rule would identify the following identifiers in the joint standards:

  • UPI and CFI. For swaps and securities-based swaps, the proposal would identify ISO 4914 – Financial services — Unique product identifier (UPI) as a standard. The UPI already is used in the derivatives markets. For other types of financial instruments, the Proposal would identify ISO 10962 – Securities and related financial instruments — Classification of financial instruments (CFI) code.
  • FIGI. For an identifier of financial instruments, the proposal would establish the Financial Instrument Global Identifier (FIGI) as the standard. The FIGI is an international identifier for all classes of financial instruments including, but not limited to, securities and digital assets. It is a nonproprietary identifier available under an open license globally. The FIGI also is intended to fill a gap for asset classes that do not normally have a global identifier, including loans.
  • Date. For date fields, the proposal would establish the date as defined by ISO 8601 using the Basic format option as the standard. The order of the elements used to express date and time in ISO 8601 is year, month, day, hour, minutes, seconds, and milliseconds. For example, September 27, 2022 at 6 p.m. is represented as 2022-09-27 18:00:00.000. The Agencies mention that consistent representation of dates may help facilitate data integration and interoperability across diverse collections.
  • State. For identification of a state, possession, military “state” of the United States of America, or a geographic directional, the Proposal would require the US Postal Service Abbreviations, as published in Appendix B of Postal Addressing Standards, Mailing Standards of the United States Postal Service. The Agencies mention that, compared to alternative numeric state codes, this proposed standard is both human- and machine-readable and is more widely used.
  • Countries. The proposal would establish the country codes with the code(s) for subdivisions, as appropriate, as defined by the most recent version of Geopolitical Entities, Names, and Codes (GENC). GENC is the US government’s implementation of the ISO 3166 international country code standard and reflects requirements unique to US foreign policy.
  • Currencies. The proposal would establish the alphabetic currency code as defined by ISO 4217 Currency Codes. The Agencies mention that these internationally recognized codes are widely implemented, used, and incorporated into many other data standards, and this standard would support interoperability, enable clarity, and reduce errors.

Data Transmission and Schema and Taxonomy Format Standards

The Proposal would set forth four properties for the data transmission and schema and taxonomy formats used by the Agencies. Specifically, the Agencies propose that the schema and taxonomy formats will, to the extent able:

  • Render data fully searchable and machine-readable;
  • Enable high-quality data through schemas, with accompanying metadata documented in machine-readable taxonomy or ontology models, that clearly define the semantic meaning of the data, as defined by the underlying regulatory information collection requirements, as appropriate;
  • Ensure that a data element or data asset that exists to satisfy an underlying regulatory information collection requirement be consistently identified as such in associated machine-readable metadata; and
  • Be nonproprietary or available under an open license.

The Proposal states that establishing the joint standards as a list of principles rather than any specific data transmission or schema formats will provide the Agencies with flexibility in selecting their data transmission or schema format data standards while promoting interoperability and allowing for adaptability to new technological developments. For example, the existing data transmission and schema formats associated with the Call Report, including XML and XBRL, satisfy these principles and would be compliant.

The Proposal notes that final standards established pursuant to this rulemaking will be adopted later for certain collections of information in separate rulemakings by the Agencies or through other actions taken by the Agencies. Regulated financial entities should begin to consider how they would comply with the proposed joint standard and identify any potential compliance problems with the standards identified in the Proposal.

NASCUS Summary re: CFPB Advisory Opinion on TILA/Reg Z Protections for Homes Sales Financed Under Contracts for Deed

12 CFR Part 1026

The Consumer Financial Protection Bureau (CFPB) issued an advisory opinion that affirms the current applicability of TILA and its implementing regulations (under Regulation Z) to transactions in which a consumer purchases a home under a “contract for deed.”

The advisory opinion is effective as of August 23, 2024 and can be found here.


Summary

  • TILA protects consumers engaged in credit transactions by requiring creditors to disclose information about the costs and terms of the credit and, where the credit is secured by the consumer’s dwelling, provides additional protections. The CFPB previously identified certain contracts for deed as consumer credit under the Consumer Financial Protection Act (CFPA).  This opinion clarifies how the CFPB understands the current application of TILA and Regulation Z to contracts for deed.

Characteristics of Contracts for Deed

  • A contract for deed is a type of home loan that has key features. In a typical contract for deed, the homebuyer agrees to make periodic payments to the home seller and the seller retains the deed to the property until the loan is paid in full.  Loan terms vary but often range from 5 to 30 years and may include balloon payments.  Properties are often purchased “as is” without inspection or appraisal.  During repayment, the buyer has the exclusive right to occupy the home and often assumes many of the responsibilities of homeownership, including paying for taxes, insurance, home maintenance and repairs.
  • Such contracts also contain a “forfeiture clause” that can be triggered if the borrower fails to meet the terms of the contract. When this clause is triggered, the seller retakes possession of the property and the buyer forfeits the entire investment (including downpayment, principal payments and any increase in home equity).  Forfeiture clauses can be activated by a missed payment or breaches unrelated to payment status (such as when a borrower fails to pay taxes, is unable to obtain or maintain insurance, or does not make improvements to the property within a specified timeframe).  Some states restrict forfeiture and require foreclosure; others have allowed “virtually unrestricted use of forfeiture clauses.”

Application of the term “debt” to contracts for deed

  • TILA’s definition of credit includes the typical contract for deed. Regulation Z defines “credit” as the right granted by a creditor to a debtor to defer payment of a debt or to incur debt and defer its payment.  The opinion states that this understanding of “debt” applies to contracts for deed.
  • In a typical “contract for deed” transaction, a debt is created by the buyer receiving exclusive possession of the property, along with certain ownership obligations, at the outset of the transaction in exchange for the obligation to repay the agreed upon value of the property over time. In exchange for these rights granted in property, the purchaser agrees to complete payment on a deferred basis.  The contractual obligation to repay the agreed upon value of the property according to the terms of the contract constitutes a debt under TILA.  Where the property acquired under a contract for deed is purchased by a consumer primarily for personal, family or household purposes, the transaction is considered closed-end consumer credit under Regulation Z.
  • In addition, several provisions of TILA and Regulation Z apply specifically to credit transactions secured by the consumer’s dwelling or by real property. Under TILA, a “residential mortgage loan” includes “any consumer credit transaction that is secured by a mortgage, deed of trust, or other equivalent consensual security interest on a dwelling or on residential real property that includes a dwelling, other than an open-ended consumer credit transaction.”

TILA Creditors

  • For a transaction to be covered by TILA, the seller must be a creditor. Whether or not a seller should be considered a creditor turns on whether the creditor extends credit; the characteristics of the credit and the frequency with which the seller engages in such transactions.
  • According to the CFPB, the following must be satisfied for the seller to be considered a creditor:
    • The credit extended must be either subject to a finance charge or payable by a written agreement in more than four installments
    • The obligation must be initially payable to the person, either on the face of the note or contract or by agreement when there is no note or contract, in order for that person to be considered a creditor
    • The creditor is a person that regularly extends credit. In general, when a person extends consumer credit more than 25 times, or more than 5 times for transactions secured by a dwelling (in the preceding calendar year) that person is a creditor under TILA.

NASCUS Summary re: Interagency Guidance on Reconsiderations of Value for Residential Real Estate Valuations
12 CFR Chapter X

The Fed, CFPB, FDIC, NCUA and OCC issued final guidance that highlights risks associated with deficient residential real estate valuations and describes how financial institutions may incorporate reconsiderations of value (ROV) processes and controls into established risk management functions.  The final guidance also provides examples of policies and procedures that a financial institution may choose to implement to help identify, address, and mitigate the risk of discrimination impacting residential real estate valuations.

The guidance became effective on July 26, 2024 and can be found here.


Summary

The guidance is intended to highlight risks associated with deficient residential real estate valuations, describe how financial institutions may incorporate ROV processes and controls into risk management functions, and provide examples of ROV policies and procedures that institutions may choose to implement.  Prior to this issuance, the agencies had not (collectively) issued guidance specific to the ROV process.

The regulatory framework permits financial institutions to implement reconsideration of value (ROV) policies, procedures and control systems that allow consumers to provide, and the financial institution to review, relevant information that may not have been considered during the appraisal or evaluation process.

A reconsideration of value (ROV) request made by the financial institution to the appraiser or other preparer of the valuation report encompasses a request to reassess the report based upon deficiencies or information that may affect the value conclusion.  The financial institution may request a ROV because of the financial institution’s valuation review activities or after consideration of information received from a consumer through a complaint or request to the loan officer or other lender representative.

A reconsideration of value (ROV) request may include consideration of comparable properties not previously identified, property characteristics, or other information about the property that may have been incorrectly reported or not previously considered, which may affect the value conclusion.  To resolve deficiencies, including those related to potential discrimination, financial institutions can communicate relevant information to the original preparer of the valuation, and, when appropriate, request an ROV.

Financial institutions are advised to capture consumer feedback regarding potential valuation deficiencies through existing complaint resolution processes.

Appropriate policies, procedures, and control systems can adequately address the monitoring, escalating, and resolving of complaints including a determination of the merits of the complaint and whether a financial institution should initiate an ROV.  The guidance provides a list of examples of risk-based ROV related policies, procedures, control systems and complaint resolution processes that identify, address, and mitigate the risk of deficient valuations, including valuations that involve prohibited discrimination.